38 changes: 38 additions & 0 deletions docs/source/Total_Replay.md
@@ -0,0 +1,38 @@
# TOTAL-REPLAY

## Description

This lightweight tool helps you make the most of Splunk’s [Security Content](https://github.com/splunk/security_content) metadata, such as detection names, analytic stories, and more, by replaying relevant test event logs or attack data from either the [Splunk Attack Data](https://github.com/splunk/attack_data) or [Splunk Attack Range](https://github.com/splunk/attack_range) projects.


## MAC/LINUX:

1. Clone the Splunk Security Content github repo. We recommend to follow this steps [Security Content Getting Started](https://github.com/splunk/security_content).

2. We recommend following the instructions in the [Attack Range Getting Started](https://github.com/splunk/attack_range)
guide. Once Attack Range is installed and its virtual environment (managed via Poetry) is activated, TOTAL-REPLAY is almost ready to use — you just need to configure it.

3. In total_replay->configuration->config.yml, add the folder path of the Splunk Attack Data repo and the detection folder path in Splunk Security Content.

```
settings:
security_content_detection_path: ~/path/to/your/security_content/detections
attack_range_dir_path: ~/path/to/your/attack_range
```

4. enable the `attack_range_version_on` config setting in total_replay->configuration->config.yml:
**NOTE: You can enable either `attack_range_version_on` or `attack_data_version_on` settings**
```
attack_range_version_on: True
```
5. if you encounter problem with colorama python library just update it.
```
poetry update colorama
```

### Windows OS:

We recommend using the Windows Subsystem for Linux (WSL). You can find a tutorial [here](https://learn.microsoft.com/en-us/windows/wsl/install). After installing WSL, you can follow the steps described in the Linux section.


for more information please visit the [Splunk Attack Data Repo](https://github.com/splunk/attack_data/)
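Review bot: step 3 and its config example disagree: the text says to add the path of the Splunk Attack Data repo, but the keys shown are `security_content_detection_path` and `attack_range_dir_path` with no attack_data path at all, even though the note in step 4 presents `attack_data_version_on` as a valid mode. Either add the attack_data key to the example or reword step 3 to describe the keys actually shown. Three smaller points in the same hunk: the step 4 snippet shows `attack_range_version_on: True` at top level while step 3 nests keys under `settings:`, so state where it belongs; the `~/path/...` values only work if the loader expands `~` itself (YAML will not), so say so or use absolute paths; and the prose has typos ("follow this steps", "if you encounter problem", "github" for GitHub) while the fenced blocks carry no language tag (`yaml`, `bash`).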
1 change: 1 addition & 0 deletions docs/source/index.md
Expand Up @@ -22,5 +22,6 @@ Attack Data <Attack_Data>
Attack Range Features <Attack_Range_Features>
CapAttack <Cap_Attack>
Cost Explorer <Cost_Explorer>
Total_Replay <Total_Replay>

```
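Review bot: the new toctree label `Total_Replay` uses an underscore while the neighbouring entries use spaced titles (`Cost Explorer`, `Attack Range Features`); write it as `Total Replay <Total_Replay>` so the sidebar stays consistent, keeping the file reference in angle brackets unchanged.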
7 changes: 7 additions & 0 deletions terraform/aws/modules/network/resources.tf
Expand Up @@ -63,6 +63,13 @@ resource "aws_security_group" "default" {
cidr_blocks = split(",", var.general.ip_whitelist)
}

ingress {
from_port = 8088
to_port = 8088
protocol = "tcp"
cidr_blocks = split(",", var.general.ip_whitelist)
}

ingress {
from_port = 8443
to_port = 8443
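Review bot: the new ingress block opens TCP 8088, Splunk's default HTTP Event Collector port, to `var.general.ip_whitelist` but records no reason for the exposure; add a `description` (for example `description = "Splunk HEC for TOTAL-REPLAY event replay"`) so the security group documents why the port is reachable. Since HEC is authenticated only by token once the port is reachable, also confirm that the default value of `ip_whitelist` is not a catch-all CIDR before this lands.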