5.1 ‐ Detection Naming Convention

Nasreddine Bencherchali edited this page Feb 12, 2025 · 2 revisions

Summary

Every time a Splunk Security Content analytic is created, it should follow the naming convention below. This convention gives us consistent naming and organization across our different security content components.

Format

<platform> <short_summary>

Where

  • <platform>: Should represent the platform the detection is targeting: AWS, GCP, Linux, Windows, MacOS, Splunk, etc.
  • <short_summary>: A short and precise summary of the detection, ideally referencing the tooling or technique being detected. See "Names should" below for limitations.

Example

  • Windows Registry Dump Via Reg
  • Windows Network Scan Via Nmap
  • Windows Potential Credential Dumping Activity
  • Linux Auditd New User Added
  • AWS Multi-Factor Authentication Disabled

Names should:

  • Be limited to 64 characters.
  • Avoid starting with the word "detect".
  • Be as clear and precise as possible in highlighting what the rule is trying to detect.
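As an added example (not part of this wiki page or of the Splunk Security Content tooling), the checks above can be applied mechanically before a detection is committed. The platform list is assumed from the platforms named on this page and is open-ended, and the "detect" check is deliberately broad (it also flags "Detects" and "Detection"), which is an assumption about the rule's intent.

```python
import re

# Platforms named on this page; the page says "etc.", so extend as needed (assumption).
KNOWN_PLATFORMS = frozenset({"AWS", "GCP", "Linux", "Windows", "MacOS", "Splunk"})
MAX_NAME_LENGTH = 64


def validate_detection_name(name: str, platforms=KNOWN_PLATFORMS) -> list[str]:
    """Return the convention violations for one detection name (empty list if it conforms)."""
    problems = []
    stripped = name.strip()
    if stripped != name:
        problems.append("leading or trailing whitespace")
    # Rule: limited to 64 characters.
    if len(name) > MAX_NAME_LENGTH:
        problems.append(f"longer than {MAX_NAME_LENGTH} characters ({len(name)})")
    # Rule: format is "<platform> <short_summary>".
    parts = stripped.split(maxsplit=1)
    platform = parts[0] if parts else ""
    if platform not in platforms:
        problems.append(f"does not start with a known platform (got {platform!r})")
    summary = parts[1] if len(parts) > 1 else ""
    if not summary:
        problems.append("missing short summary after the platform")
    # Rule: avoid starting with the word "detect". Checked on the whole name and on
    # the summary that follows the platform; the match is intentionally broad (assumption).
    for label, text in (("name", stripped), ("summary", summary)):
        if re.match(r"detect", text, re.IGNORECASE):
            problems.append(f"{label} starts with the word 'detect'")
    return problems


def check_names(names):
    """Map each name to its violations so a batch of detections can be reviewed at once."""
    return {n: validate_detection_name(n) for n in names}


if __name__ == "__main__":
    # The page's own example names plus constructed names that break the rules.
    sample = [
        "Windows Registry Dump Via Reg",
        "AWS Multi-Factor Authentication Disabled",
        "Detect Windows Registry Dump",          # constructed: bad start, no platform first
        "Windows Detects Registry Dump",         # constructed: summary starts with "detect"
        "Windows " + "A" * 60,                    # constructed: too long
    ]
    for name, issues in check_names(sample).items():
        print(f"{name[:40]:<40} -> {issues or 'OK'}")
```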