Splunk® Security Essentials

Develop Custom Content in Splunk Security Essentials

Add custom fields to Splunk Security Essentials

As a third-party developer, it might be helpful to provide users with details about your company. You can create custom fields, such as name and description, so that users can see that content. Here is an example of added custom fields and how they appear in the code:


{
    "company_description": "Buttercup Labs is the premier distributor of Pony-related security analytics. We have been protecting organizations from bad ponies for over 10 years now.\n\\n\\n\nEnjoy our freely available content for detecting bad ponies in your environment, and reach out to us for a demo or trial license of our premium Pony Detection app!\n\\n\\n\nHave you successfully found bad ponies in your own environment? Buttercup Labs is hiring! We are a wholly owned subsidiary of Buttercup Games.",
    "company_link": "http://buttercupgames.com/",
    "company_logo": "https://image.slidesharecdn.com/splunklivesfhowtoalignyourdailysplunkactivitiesbreakoutsession-160317192319/95/how-to-align-your-daily-splunk-activities-breakout-session-23-638.jpg?cb=1458242654",
    "company_logo_height": 250,
    "company_logo_width": 444,
    "company_name": "Buttercup Labs"
}

Use included hard-coded fields

Splunk Security Essentials (SSE) includes the following hard-coded fields:

  • Search
  • Known False Positives
  • How to Implement
  • How to Respond
  • Help
  • Company Information

All of these fields appear as dedicated accordions on the Custom Content page. If you need additional categories, you can define those categories in the additional_context file, which is an array of objects. Each object shows up as a new accordion in the UI and contains up to five of the following fields:

  • title: Use this field to name the accordion. If left empty, the title defaults to "Additional Context." This field is text-only.
  • open_panel: Use this field to determine whether the accordion is open by default. Set it to true or false.
  • detail: Use this field for an optional Markdown text block.
  • link: Use this field for an optional URL users can follow to learn more. When filled, a button appears with the label Learn More....
  • search_label: Use this field to label the search block; the label is rendered immediately before the pre tag. If left empty, the label defaults to "Search." This field is text-only.
  • search_lang: Use this field to define the language of the code in the search field. If the search is Splunk Search Processing Language (SPL), leave this field blank; set it to conf if you are displaying a .conf file. For other languages, such as Python, the default languages bundled with highlight.js are supported. Valid options include properties, Python, Rust, Less, Perl, diff, SCSS, Bash, Shell, Makefile, JSON, INI, HTTP, CoffeeScript, CSS, Objective C, Ruby, YAML, Java, SQL, Apache, Kotlin, XML, Markdown, Swift, Plaintext, TypeScript, NGINX, Go, Javascript, PHP, CS, Lua, and CPP.
  • search: Use this field for SPL or any other raw code.

The following code is an example of how to implement the search field:


{
    "additional_context": [
        {
            "search": "index=* sourcetype=ponies",
            "open_panel": true,
            "title": "Additional Potential Search",
            "link": "https://www.splunk.com/blog/2016/09/28/buttercup-games.html",
            "detail": "### Background\n* You might want to look at all data regarding ponies.\n* Here you can find all of the detail produced by Buttercup Labs Pony Monitoring."
        },
        {
            "title": "Conf file for Adding a New SSE Channel",
            "search": "[ButtercupLabs]\nchannel=ButtercupLabs\nname=Buttercup Labs\ndescription=Buttercup Labs produces high-quality security analytics run through the Splunk platform. While Buttercup sells a commercial threat analytics app, they have also released a variety of community content. All is available through Splunk Security Essentials.\ntype=app\napp_context=Splunk_Security_Essentials\ncontent_download_url=https://go.splunksecurityessentials.com/myContentLocation",
            "detail": "Adding this file and restarting Splunk registers a new content source into SSE.",
            "search_lang": "conf",
            "search_label": "Example Configuration",
            "open_panel": true
        }
    ]
}
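The additional_context fields above are free-form JSON, and a typo in a field name or a non-URL in link is only noticed once the accordion renders badly. The following validator is an added example, not part of Splunk Security Essentials or this documentation: it checks a custom-content document against the field list and the search_lang options given above (the language names are compared case-insensitively with spaces removed, which is an assumption about the highlight.js class names), requires link, company_link and company_logo to be absolute http(s) URLs, and checks the logo dimensions are positive integers. The two sample documents are constructed for the example; the valid one mirrors the page's own entries.

```python
import json
from urllib.parse import urlparse

# Field names documented for each additional_context object.
CONTEXT_FIELDS = {"title", "open_panel", "detail", "link",
                  "search_label", "search_lang", "search"}

# Languages the documentation lists for search_lang, plus "conf" and blank (SPL).
# Normalised to lowercase with spaces removed; the exact highlight.js
# identifiers are an assumption of this example.
SEARCH_LANGS = {
    "", "conf", "properties", "python", "rust", "less", "perl", "diff", "scss",
    "bash", "shell", "makefile", "json", "ini", "http", "coffeescript", "css",
    "objectivec", "ruby", "yaml", "java", "sql", "apache", "kotlin", "xml",
    "markdown", "swift", "plaintext", "typescript", "nginx", "go", "javascript",
    "php", "cs", "lua", "cpp",
}


def is_web_url(value):
    """Accept only absolute http(s) URLs; relative paths and other schemes are rejected."""
    if not isinstance(value, str):
        return False
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def validate_context_entry(entry, index):
    """Return a list of problems with one additional_context object (empty if valid)."""
    prefix = f"additional_context[{index}]"
    if not isinstance(entry, dict):
        return [f"{prefix}: expected an object"]
    errors = [f"{prefix}: unknown field '{k}'" for k in entry if k not in CONTEXT_FIELDS]
    for key in ("title", "detail", "search_label", "search"):
        if key in entry and not isinstance(entry[key], str):
            errors.append(f"{prefix}.{key}: must be a string")
    if "open_panel" in entry and not isinstance(entry["open_panel"], bool):
        errors.append(f"{prefix}.open_panel: must be true or false")
    if "link" in entry and not is_web_url(entry["link"]):
        errors.append(f"{prefix}.link: must be an absolute http(s) URL")
    lang = entry.get("search_lang", "")
    if not isinstance(lang, str) or lang.replace(" ", "").lower() not in SEARCH_LANGS:
        errors.append(f"{prefix}.search_lang: unsupported language {lang!r}")
    return errors


def validate_custom_content(doc):
    """Validate the company fields and every additional_context entry; return all problems."""
    errors = []
    for key in ("company_link", "company_logo"):
        if key in doc and not is_web_url(doc[key]):
            errors.append(f"{key}: must be an absolute http(s) URL")
    for key in ("company_logo_height", "company_logo_width"):
        value = doc.get(key)
        # bool is a subclass of int in Python, so exclude it explicitly.
        if key in doc and (not isinstance(value, int) or isinstance(value, bool) or value <= 0):
            errors.append(f"{key}: must be a positive integer")
    context = doc.get("additional_context", [])
    if not isinstance(context, list):
        errors.append("additional_context: must be an array of objects")
    else:
        for i, entry in enumerate(context):
            errors.extend(validate_context_entry(entry, i))
    return errors


# Constructed sample documents for this example.
GOOD_DOC = json.loads("""{
    "company_name": "Buttercup Labs",
    "company_link": "http://buttercupgames.com/",
    "company_logo": "https://example.invalid/logo.jpg?cb=1",
    "company_logo_height": 250,
    "company_logo_width": 444,
    "additional_context": [
        {"search": "index=* sourcetype=ponies", "open_panel": true,
         "title": "Additional Potential Search",
         "link": "https://www.splunk.com/blog/2016/09/28/buttercup-games.html",
         "detail": "### Background\\n* You might want to look at all data regarding ponies."},
        {"title": "Conf file for Adding a New SSE Channel",
         "search": "[ButtercupLabs]\\nchannel=ButtercupLabs",
         "search_lang": "conf", "search_label": "Example Configuration", "open_panel": true}
    ]
}""")

BAD_DOC = {
    "company_name": "Buttercup Labs",
    "company_link": "buttercupgames.com",          # no scheme
    "company_logo_height": "250",                  # string, not integer
    "additional_context": [
        {"title": "Broken entry",
         "open_panel": "yes",                      # must be a boolean
         "link": "/relative/path",                 # not an absolute http(s) URL
         "search_lang": "spl",                     # not a listed language
         "searhc": "index=* sourcetype=ponies"}    # typo in field name
    ],
}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, validate_custom_content(doc) or "OK")
```

Run the file directly to see the two reports; in practice, point validate_custom_content at the JSON you are about to ship so that malformed entries are caught before the content is loaded into SSE.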

The search is rendered by the following code. If the search is SPL, an Open In Search button appears below the resulting block:


// obj is the additional_context entry being rendered (additional_context[num]);
// lang is the highlight.js class derived from its search_lang field.
var obj = additional_context[num];
if (obj.search) {
    // .text() HTML-escapes the search string, so it is displayed verbatim
    // rather than interpreted as markup.
    output += $("<div>").append(
        $("<pre>").attr("class", "search").append(
            $("<code>").attr("class", lang).text(obj.search)
        )
    ).html();
}

Last modified on 20 January, 2023

This documentation applies to the following versions of Splunk® Security Essentials: 3.7.1, 3.8.0, 3.8.1
