splunk/security_content — reverse-engineered prompt
Reverse-engineered prompt
Build me a Splunk security content repo for our security team so we can manage detections as code. I want it to include analytic stories, detection YAML files, macros, lookups, dashboards, response templates, playbooks, and docs in a clean structure that matches how Splunk Security Content works.
Make it easy for an analyst to add a new detection, fill in the required fields, map it to MITRE ATT&CK, Cyber Kill Chain, and CIS Controls where appropriate, then validate it and build a Splunk Enterprise Security content update app. Please wire it up to use contentctl for creating, validating, testing, and building the content, and include clear getting started instructions for someone who is comfortable with Splunk but not a developer.
Also add sensible examples so we can see how a detection, story, macro, and lookup should look. If you need exact schema details, look up the current Splunk Security Content and contentctl docs online.