category: Analytics & SIEM
commonfields:
id: SplunkPy
version: -1
sectionOrder:
- Connect
- Collect
configuration:
- display: Host - IP (x.x.x.x)
name: host
required: true
type: 0
section: Connect
- display: Username
name: authentication
required: true
type: 9
section: Connect
- defaultvalue: '8089'
display: Port
name: port
required: true
type: 0
section: Connect
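# SPL string sent to Splunk on every fetch, run under the account configured
# above. Anyone who can edit this instance effectively chooses which searches
# that account runs, so treat the value as privileged configuration.
- additionalinfo: The Splunk search query by which to fetch events. The default query fetches ES notable events. You can edit this query to fetch other types of events. Note, that to fetch ES notable events, make sure to include the \`notable\` macro in your query.
  defaultvalue: search `notable` | eval rule_name=if(isnull(rule_name),source,rule_name) | eval rule_title=if(isnull(rule_title),rule_name,rule_title) | `get_urgency` | `risk_correlation` | eval rule_description=if(isnull(rule_description),source,rule_description) | eval security_domain=if(isnull(security_domain),source,security_domain) | expandtoken
  display: Fetch events query
  name: fetchQuery
  required: false
  type: 0
  # Every other parameter declares a section; without one this field sits
  # outside the Connect/Collect tabs listed in sectionOrder.
  section: Collect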
- defaultvalue: '50'
display: Fetch Limit (Max.- 200, Recommended less than 50)
name: fetch_limit
required: false
type: 0
section: Collect
- display: Fetch incidents
name: isFetch
required: false
type: 8
section: Collect
- display: Incident type
name: incidentType
required: false
type: 13
section: Connect
- defaultvalue: 'true'
display: Use Splunk Clock Time For Fetch
name: useSplunkTime
required: false
type: 8
section: Collect
advanced: true
- defaultvalue: 'false'
display: Parse Raw Part of Notable Events
name: parseNotableEventsRaw
required: false
type: 8
section: Collect
advanced: true
- defaultvalue: 'false'
display: Replace with Underscore in Incident Fields
name: replaceKeys
required: false
type: 8
section: Collect
advanced: true
- display: Timezone of the Splunk server, in minutes. For example, if the server is at GMT+3, set the timezone to +180; for UTC, set it to 0. Set this only if the Splunk server's timezone differs from the Cortex XSOAR server's. Relevant only for fetching and mirroring notable events.
name: timezone
required: false
type: 0
section: Collect
advanced: true
- additionalinfo: The amount of time to go back when performing the first fetch, or when creating a mapping using the Select Schema option.
defaultvalue: 10 minutes
display: First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)
name: fetch_time
required: false
type: 0
section: Collect
- display: Extract Fields - CSV fields that will be parsed out of _raw notable events
name: extractFields
required: false
type: 12
section: Collect
advanced: true
- additionalinfo: Used only for mapping with the Select Schema option. The name of the field that contains the type of the event or alert. The default value is "source", which is a good option for notable events. However, you may choose any custom field.
defaultvalue: source
display: Event Type Field
name: type_field
required: false
type: 0
section: Collect
advanced: true
- additionalinfo: If selected, when creating a mapper using the `Select Schema` feature (supported from Cortex XSOAR V6.0), the Splunk CIM field will be pulled. See https://docs.splunk.com/Documentation/CIM/4.18.0/User/Overview for more information.
defaultvalue: 'false'
display: Use CIM Schemas for Mapping
name: use_cim
required: false
type: 8
section: Collect
advanced: true
- additionalinfo: 'Choose the direction to mirror the incident: Incoming (from Splunk to Cortex XSOAR), Outgoing (from Cortex XSOAR to Splunk), or Incoming and Outgoing (from/to Cortex XSOAR and Splunk).'
defaultvalue: None
display: Incident Mirroring Direction
name: mirror_direction
options:
- None
- Incoming
- Outgoing
- Incoming And Outgoing
required: false
type: 15
section: Collect
hidden:
- marketplacev2
- additionalinfo: When selected, closing the Splunk notable event with a "Closed" status will close the Cortex XSOAR incident.
defaultvalue: 'false'
display: Close Mirrored Cortex XSOAR Incidents (Incoming Mirroring)
name: close_incident
required: false
type: 8
section: Collect
advanced: true
hidden:
- marketplacev2
- display: Additional Splunk status labels to close on mirror (Incoming Mirroring)
name: close_extra_labels
required: false
type: 0
section: Collect
additionalinfo: "A comma-separated list of Splunk status labels to mirror as closed Cortex XSOAR incident (Example: Resolved,False-Positive)."
- additionalinfo: When selected, Splunk Notable Events with a status that is marked as "End Status" will close the Cortex XSOAR incident.
defaultvalue: 'false'
display: Enable Splunk statuses marked as "End Status" to close on mirror (Incoming Mirroring)
name: close_end_status_statuses
required: false
type: 8
section: Collect
advanced: true
- display: Close Mirrored Splunk Notable Events (Outgoing Mirroring)
name: close_notable
required: false
type: 8
section: Collect
advanced: true
hidden:
- marketplacev2
additionalinfo: When selected, closing the Cortex XSOAR incident will close the Notable Event in Splunk.
defaultvalue: 'false'
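# Disables TLS certificate verification for the connection to the host/port
# configured above. Leave it off in production: with it on, an on-path attacker
# can present any certificate and read the credentials and search results sent
# over that connection.
- display: Trust any certificate (not secure)
  name: unsecure
  required: false
  type: 8
  section: Connect
  advanced: true
  # Explicit default, matching the other boolean parameters in this file.
  defaultvalue: 'false'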
- name: proxy
required: false
type: 8
section: Connect
advanced: true
display: Use system proxy settings
- display: 'The app context (application namespace) in which to restrict searches'
name: app
required: false
type: 0
section: Collect
advanced: true
# HEC token as a credential-typed (type 9) parameter. hiddenusername hides the
# username half of the credential, presumably because HEC needs only the token
# — confirm against the integration code.
- name: cred_hec_token
  required: false
  type: 9
  section: Collect
  advanced: true
  displaypassword: HEC Token (HTTP Event Collector)
  hiddenusername: true
# Older type-4 field with the same display name, now hidden from the UI;
# presumably kept so instances configured before cred_hec_token existed keep
# working. Prefer the credential-typed field above for new instances.
- display: 'HEC Token (HTTP Event Collector)'
  name: hec_token
  required: false
  type: 4
  section: Collect
  advanced: true
  hidden: true
- display: 'HEC BASE URL (e.g: https://localhost:8088 or https://example.splunkcloud.com/).'
name: hec_url
required: false
type: 0
section: Collect
advanced: true
- display: 'Enrichment Types'
name: enabled_enrichments
required: false
type: 16
section: Collect
advanced: true
additionalinfo: Enrichment types to enrich each fetched notable. If none are selected, the integration will fetch notables as usual (without enrichment). For more info about enrichment types see the integration additional info.
options:
- Drilldown
- Asset
- Identity
- display: 'Enrichment Timeout (Minutes)'
name: enrichment_timeout
required: false
type: 0
section: Collect
advanced: true
additionalinfo: When the selected timeout was reached, notable events that were not enriched will be saved without the enrichment.
defaultvalue: '5'
- additionalinfo: The limit of how many events to retrieve per each one of the enrichment types (Drilldown, Asset, and Identity). To retrieve all events, enter "0" (not recommended).
display: 'Number of Events Per Enrichment Type'
name: num_enrichment_events
required: false
type: 0
section: Collect
advanced: true
defaultvalue: '20'
# Debug-only switch. Turn it off again once troubleshooting is done; verbose
# logs are likely to carry fetched event content, which may be sensitive.
- display: 'Advanced: Extensive logging (for debugging purposes). Do not use this option unless advised otherwise.'
  name: extensive_logs
  required: false
  type: 8
  section: Collect
  advanced: true
- defaultvalue: '15'
display: 'Advanced: Fetch backwards window for the events occurrence time (minutes)'
name: occurrence_look_behind
required: false
type: 0
section: Collect
advanced: true
additionalinfo: The fetch time range will be at least the size specified here. This will support events that have a gap between their occurrence time and their index time in Splunk. To decide how long the backwards window should be, you need to determine the average time between them both in your Splunk environment.
- additionalinfo: A comma-separated list of fields, which together are a unique identifier for the events to fetch in order to avoid fetching duplicates incidents.
display: 'Advanced: Unique ID fields'
name: unique_id_fields
required: false
type: 0
section: Collect
advanced: true
- defaultvalue: 'false'
display: Enable user mapping
name: userMapping
required: false
type: 8
section: Collect
advanced: true
- defaultvalue: 'splunk_xsoar_users'
display: Users Lookup table name
name: user_map_lookup_name
required: false
type: 0
section: Connect
advanced: true
additionalinfo: The name of the lookup table in Splunk that contains the username mapping data.
- defaultvalue: 'xsoar_username'
display: XSOAR user key
name: xsoar_user_field
required: false
type: 0
section: Connect
advanced: true
additionalinfo: The name of the lookup column containing the Cortex XSOAR username.
- defaultvalue: 'splunk_username'
display: SPLUNK user key
name: splunk_user_field
required: false
type: 0
section: Connect
advanced: true
additionalinfo: The name of the lookup column containing the Splunk username.
- defaultvalue: '1'
display: Incidents Fetch Interval
name: incidentFetchInterval
required: false
type: 19
section: Collect
advanced: true
description: Runs queries on Splunk servers.
display: SplunkPy
name: SplunkPy
script:
commands:
- arguments:
- default: true
description: ID of the search for which to return results.
name: sid
required: true
- defaultValue: '100'
description: The maximum number of returned results per search. To retrieve all results, enter "0" (not recommended).
name: limit
description: Returns the results of a previous Splunk search. You can use this command in conjunction with the splunk-job-create command.
name: splunk-results
- arguments:
- default: true
description: 'The Splunk search language string to execute. For example: "index=* | head 3". '
name: query
required: true
- description: 'Specifies the earliest time in the time range to search. The time string can be a UTC time (with fractional seconds), a relative time specifier (to now), or a formatted time string. Default is 1 week ago, in the format "-7d". You can also specify time in the format: 2014-06-19T12:00:00.000-07:00.'
name: earliest_time
- description: 'Specifies the latest time in the time range to search. The time string can be a UTC time (with fractional seconds), a relative time specifier (to now), or a formatted time string. For example: "2014-06-19T12:00:00.000-07:00" or "-3d" (for 3 days ago).'
name: latest_time
- description: Maximum number of events to return. Default is 100. If "0", all results are returned.
name: event_limit
- defaultValue: '25000'
description: The maximum number of returned results to process at a time. For example, if 100 results are returned, and you specify a batch_limit of 10, the results will be processed 10 at a time over 10 iterations. This does not affect the search or the context and outputs returned. In some cases, specifying a batch_limit enhances search performance. If you think that the search execution is suboptimal, we recommend trying several batch_limit values to determine which works best for your search. Default is 25,000.
name: batch_limit
- auto: PREDEFINED
defaultValue: 'true'
description: 'Determines whether the results will be entered into the context. Possible values: "true" and "false".'
name: update_context
predefined:
- 'true'
- 'false'
- description: A string that contains the application namespace in which to restrict searches.
name: app
- auto: PREDEFINED
description: Use XSOAR built-in polling to retrieve the result when it's ready.
name: polling
predefined:
- 'true'
- 'false'
- defaultValue: '30'
description: Interval in seconds between each poll.
name: interval_in_seconds
- description: The job sid.
name: sid
- auto: PREDEFINED
defaultValue: 'false'
description: The Fast mode prioritizes the performance of the search and does not return nonessential field or event data. This means that the search returns what is essential and required if fast_mode equals 'true'.
name: fast_mode
predefined:
- 'true'
- 'false'
description: Searches Splunk for events. For human readable output, the table command is supported in the query argument. For example, `query=" * | table field1 field2 field3"` will generate a table with field1, field2, and field3 as headers.
name: splunk-search
polling: true
outputs:
- contextPath: Splunk.Result
description: The results of the Splunk search. The results are a JSON array, in which each item is a Splunk event.
type: Unknown
- contextPath: Splunk.JobStatus.SID
description: ID of the job.
type: String
- contextPath: Splunk.JobStatus.Status
description: Status of the job.
type: String
- contextPath: Splunk.JobStatus.TotalResults
description: The number of events that were returned by the job.
type: String
- arguments:
- description: Splunk index in which to push data. Run the splunk-get-indexes command to get all indexes.
name: index
required: true
- default: true
description: The new event data to push. Can be any string.
name: data
required: true
- description: Event source type.
name: sourcetype
required: true
description: Event host. Can be "Local" or an IP address such as "127.0.0.1".
name: host
required: true
description: Creates a new event in Splunk.
name: splunk-submit-event
- description: Prints all Splunk index names.
name: splunk-get-indexes
arguments: []
- arguments:
- description: A comma-separated list of event IDs of notable events.
name: eventIDs
required: true
- description: A Splunk user to assign to the notable events.
name: owner
- description: Comment to add to the notable events.
name: comment
- auto: PREDEFINED
description: 'Notable event urgency. Possible values: "critical", "high", "medium", "low", and "informational".'
name: urgency
predefined:
- critical
- high
- medium
- low
- informational
- description: Notable event status. 0 - Unassigned, 1 - Assigned, 2 - In Progress, 3 - Pending, 4 - Resolved, 5 - Closed.
name: status
- name: disposition
auto: PREDEFINED
predefined:
- True Positive - Suspicious Activity
- Benign Positive - Suspicious But Expected
- False Positive - Incorrect Analytic Logic
- False Positive - Inaccurate Data
- Other
- Undetermined
description: Disposition of the notable. If more options exist on the server, specifying the disposition as `disposition:#` will work in place of choosing one of the default values from the list.
description: Updates existing notable events in Splunk ES.
execution: true
name: splunk-notable-event-edit
- arguments:
- description: The Splunk search language string to execute. For example :"index=* | head 3".
name: query
required: true
- description: A string that contains the application namespace in which to restrict searches.
name: app
description: Creates a new search job in Splunk.
name: splunk-job-create
outputs:
- contextPath: Splunk.Job
description: The SID of the created job.
type: Unknown
- arguments:
- default: true
defaultValue: ${Splunk.Result._raw}
description: The raw data of the Splunk event (string).
name: raw
description: Parses the raw part of the event.
name: splunk-parse-raw
outputs:
- contextPath: Splunk.Raw.Parsed
description: The raw event data (parsed).
type: unknown
- arguments:
- description: |-
Event payload key-value pair.
String example: "event": "Access log test message."
name: event
required: true
- description: Fields for indexing that do not occur in the event payload itself. Accepts multiple, comma-separated, fields.
name: fields
- description: The index name.
name: index
- description: The hostname.
name: host
- description: User-defined event source type.
name: source_type
- description: User-defined event source.
name: source
- description: Epoch-formatted time.
name: time
description: Sends events to an HTTP Event Collector using the Splunk platform JSON event protocol.
name: splunk-submit-event-hec
- arguments:
- description: ID of the job for which to get the status.
name: sid
required: true
description: Returns the status of a job.
name: splunk-job-status
outputs:
- contextPath: Splunk.JobStatus.SID
description: ID of the job.
type: String
- contextPath: Splunk.JobStatus.Status
description: Status of the job.
type: String
- arguments:
- description: The name of the KV store collection.
name: kv_store_name
required: true
- default: true
defaultValue: search
description: The name of the Splunk application in which to create the KV store. The default is "search".
name: app_name
required: true
description: Creates a new KV store table.
name: splunk-kv-store-collection-create
- arguments:
- description: The name of the KV store collection.
name: kv_store_collection_name
required: true
- description: |
The list of names and value types used to define the KV store collection schema, e.g., id=number, name=string, address=string.
isArray: true
name: kv_store_fields
required: true
- default: true
defaultValue: search
description: The name of the Splunk application that contains the KV store collection. The default is "search".
name: app_name
required: true
description: Configures the KV store fields.
name: splunk-kv-store-collection-config
- arguments:
- description: 'The data to add to the KV store collection, according to the collection JSON format, e.g., [{"name": "Splunk HQ", "id": 456, "address": { "street": "340 Brannan Street", "city": "San Francisco", "state": "CA", "zip": "121212"}}, {"name": "Splunk HQ", "id": 123, "address": { "street": "250 Brannan Street", "city": "San Francisco", "state": "CA", "zip": "94107"}}]'
name: kv_store_data
required: true
- description: The name of the KV store collection.
name: kv_store_collection_name
required: true
- description: The path to the indicator value in kv_store_data.
name: indicator_path
- default: true
defaultValue: search
description: The name of the Splunk application that contains the KV store collection. The default is "search".
name: app_name
required: true
description: Adds objects to a KV store utilizing the batch-save API.
name: splunk-kv-store-collection-add-entries
- arguments:
- default: true
defaultValue: search
description: The name of the Splunk application whose KV store collections to list. The default is "search".
name: app_name
required: true
description: Lists all collections for the specified application.
name: splunk-kv-store-collections-list
outputs:
- contextPath: Splunk.CollectionList
description: List of collections.
type: String
- arguments:
- default: true
defaultValue: search
description: The name of the Splunk application that contains the KV store collection. The default is "search".
name: app_name
required: true
- description: A comma-separated list of KV store collections.
isArray: true
name: kv_store_collection_name
required: true
- defaultValue: '50'
description: Maximum number of records to return. The default is 50.
name: limit
description: Lists all data within a specific KV store collection or collections.
name: splunk-kv-store-collection-data-list
outputs:
- contextPath: Splunk.KVstoreData
description: An array of collection names. Each collection name holds an array of values (e.g., Splunk.KVstoreData.<collection_name> is the list of the data in that collection).
type: Unknown
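# Destructive: wipes every record in the named collection(s).
- arguments:
    - default: true
      defaultValue: search
      description: The name of the Splunk application that contains the KV store collection. The default is "search".
      name: app_name
      required: true
    - description: A comma-separated list of KV store collections.
      isArray: true
      name: kv_store_collection_name
      required: true
  description: Deletes all data within the specified KV store collection or collections.
  # Flagged as state-changing, as splunk-notable-event-edit already is, so the
  # platform warns before this runs ad hoc.
  execution: true
  name: splunk-kv-store-collection-data-delete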
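# Destructive: drops the named KV store collection(s) entirely.
- arguments:
    - default: true
      defaultValue: search
      # Description corrected: the declared default is "search", not "store".
      description: The name of the Splunk application that contains the KV store. The default is "search".
      name: app_name
      required: true
    - description: A comma-separated list of KV stores.
      isArray: true
      name: kv_store_name
      required: true
  description: Deletes the specified KV stores.
  # Flagged as state-changing, as splunk-notable-event-edit already is, so the
  # platform warns before this runs ad hoc.
  execution: true
  name: splunk-kv-store-collection-delete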
- arguments:
- default: true
defaultValue: search
description: The name of the Splunk application that contains the KV store collection. The default is "search".
name: app_name
required: true
- description: The name of the KV store collection.
name: kv_store_collection_name
required: true
- description: The key name to search in the store. If the query argument is used, this argument will be ignored.
name: key
- description: The value to search in the store. If the query argument is used, this argument will be ignored.
name: value
- description: 'Complex query to search in the store with operators such as "and", "or", "not", etc. For more information, see the Splunk documentation: https://docs.splunk.com/Documentation/Splunk/8.0.3/RESTREF/RESTkvstore.'
name: query
description: Searches for specific objects in a store. The search can be a basic key-value pair or a full query.
name: splunk-kv-store-collection-search-entry
outputs:
- contextPath: Splunk.KVstoreData
description: An array of collection names. Each collection name holds an array of values (e.g., Splunk.KVstoreData.<collection_name> is the list of the data in that collection).
type: Unknown
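# Destructive: removes the matching object(s) from the collection.
- arguments:
    - default: true
      defaultValue: search
      description: The name of the Splunk application that contains the KV store collection. The default is "search".
      name: app_name
      required: true
    - description: The name of the KV store collection.
      name: kv_store_collection_name
      required: true
    # NOTE(review): this command has no kv_store_data argument; confirm what
    # indicator_path is resolved against before relying on it.
    - description: The path to the indicator value in kv_store_data.
      name: indicator_path
    - description: The key name to search in the store. If the query argument is used, this argument will be ignored.
      name: key
    - description: The value to search in the store. If the query argument is used, this argument will be ignored.
      name: value
    - description: |-
        Complex query to search in the store with operators such as "and", "or", "not", etc.
        For more information, see the Splunk documentation: https://docs.splunk.com/Documentation/Splunk/8.0.3/RESTREF/RESTkvstore.
      name: query
  description: Deletes the specified object in store. The search can be a basic key-value pair or a full query.
  # Flagged as state-changing, as splunk-notable-event-edit already is, so the
  # platform warns before this runs ad hoc.
  execution: true
  name: splunk-kv-store-collection-delete-entry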
- description: Query Splunk to retrieve a list of sample alerts by alert type. Used for mapping fetched incidents through the Get Schema option.
name: get-mapping-fields
arguments: []
- arguments:
- description: The remote event ID.
name: id
required: true
- defaultValue: '0'
description: ISO format date with timezone, e.g., 2021-02-09T16:41:30.589575+02:00. The incident is only updated if it was modified after the last update time.
name: lastUpdate
description: Gets data from a notable event. This method does not update the current incident, and should be used for debugging purposes.
name: get-remote-data
- arguments:
- description: ISO format date with timezone, e.g., 2021-02-09T16:41:30.589575+02:00. The incident is only returned if it was modified after the last update time.
name: lastUpdate
description: Gets the list of notable events that were modified since the last update. This command should be used for debugging purposes, and is available from Cortex XSOAR version 6.1.
name: get-modified-remote-data
- description: Resets the enrichment mechanism of fetched notables.
name: splunk-reset-enriching-fetch-mechanism
arguments: []
- arguments:
- default: true
description: Cortex XSOAR username to match in Splunk's usernames records.
isArray: true
name: xsoar_username
required: true
description: Returns the Splunk's username matching the given Cortex XSOAR's username.
name: splunk-get-username-by-xsoar-user
outputs:
- contextPath: Splunk.UserMapping.XsoarUser
description: Cortex XSOAR user mapping.
type: String
- contextPath: Splunk.UserMapping.SplunkUser
description: Splunk user mapping.
type: String
# Exact image tag rather than a floating one, so the runtime is reproducible;
# bump it deliberately and re-run the test playbooks listed under `tests`.
dockerimage: demisto/splunksdk-py3:1.0.0.56501
isfetch: true
ismappable: true
isremotesyncin: true
isremotesyncout: true
runonce: false
script: ''
subtype: python3
type: python
tests:
- SplunkPySearch_Test_default_handler
- SplunkPy-Test-V2_default_handler
- Splunk-Test_default_handler
- SplunkPy_KV_commands_default_handler
- SplunkPy parse-raw - Test
fromversion: 5.0.0