From 9993eab050e9c03b4bd0e8b2f91b2caff78a4129 Mon Sep 17 00:00:00 2001 
From: Kobbi Gal <85439776+kgal-pan@users.noreply.github.com>
Date: Thu, 28 Dec 2023 16:11:27 +0200
Subject: [PATCH] Update SplunkPy README Configuration/Commands Sections (#31693)

* update integration
* update readme
* rm test conf
* added eof newline
* Add Xpanse Scope for XDR Integration (#31582)
* Add Xpanse Scope for XDR Integration (#31539)
* update xpanse mp and docker
* RN
* Update Packs/CortexXDR/ReleaseNotes/6_0_11.md
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---------
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
* Update CortexXDRIR.yml
* Update Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com>
* Update CortexXDRIR.yml
---------
Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com>
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>
Co-authored-by: adi88d
* [pre-commit] fix script runner (#31592)
* SentinelOneV2 (#31687)
* SentinelOneV2 (#31595)
* removing the empty fields from a payload of remote-script
* bumped version
* updated release notes
* Update Packs/SentinelOne/ReleaseNotes/3_2_15.md
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---------
Co-authored-by: munna-metron <82433049+munna-metron@users.noreply.github.com>
Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
* Updated file variable revert test variable (#30846)
Updated file variable revert test variable
* [Whois] test_socks_proxy UT failed (#31395)
* Init test.py/sh to run in unittests-and-lint
* add location commands to bash script
* Remove running script with python3
* Restructure imports
* Restructure imports
* Show hidden files and permissions in test script
* Temporarily comment out test.py script in CI
* remove test.py script
* remove commented out python test script
* disable darwin service startup in bash script
* Add execution permissions and update darwin command
* Fix microsocks_darwin path
* Add microsocks executable and enable netstat
* Re-enable whois integration tests
* Add tempfile, time and subprocess imports
* Add sys import
* Update Tests/scripts/test.sh
* Update Tests/scripts/test.sh
* Empty commit
* Update test.sh with whois commands
* Fix echo command
* script fix
* Add dig command
* Empty commit
* Empty commit
* Empty commit
* Empty commit
* [VirusTotal] Fix missing suspicious value for running instances (#31684)
* Fix missing suspicious value for running instances (#31648)
* Update docker
* Update docker
* Update pack_metadata.json
* Update pack_metadata.json
---------
Co-authored-by: Daniel Pascual
Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>
* un-skip test_socks_proxy UT
* revert to origin
* un-skip test_socks_proxy UT
* Remove unnecessary files
* Add necessary imports
---------
Co-authored-by: Koby Meir
Co-authored-by: content-bot <55035720+content-bot@users.noreply.github.com>
Co-authored-by: Daniel Pascual
Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>
* delete test data files from repo (#31658)
* NetskopeAPIv2 `alert_query` argument (#31690)
* ParseEmailFiles: Update docker (#31683)
* update docker
* update rn
* update rn
* revert
* update version
* Adding Cloud Alerts Layout (#31118)
* Change the field to be searchable
* RN
* Added missing scripts
* Added new layout rule Added new layout updated scripts
* UPDATED SCRIPT
* Fixed more pre-commit errors
* Updated RN Fixed issue with the widget
* Removed un-required script
* Removed un-required script
* Removed un-required script
* Removed un-required script
* Added tests
* Added a test for main
* Added a test for main
* Added a test for main
* Added a test for main
* Updated main test
* Updated main test
* Updated main test
* Updated main test
* removed main tests
* removed main tests
* fixed tests
* added MP
* added MP
* Updated README.md
* Updated README.md
* removed unrequired import
* pre-commit
* Updated RN description
* Bump pack from version CloudIncidentResponse to 1.0.10.
* alert source
* Added missing scripts
* Added new layout rule Added new layout updated scripts
* UPDATED SCRIPT
* Fixed more pre-commit errors
* Removed un-required script
* Removed un-required script
* Removed un-required script
* Removed un-required script
* Added tests
* Added a test for main
* Added a test for main
* Added a test for main
* Added a test for main
* Updated main test
* Updated main test
* Updated main test
* Updated main test
* removed main tests
* removed main tests
* fixed tests
* added MP
* added MP
* Updated README.md
* Updated README.md
* removed unrequired import
* pre-commit
* Updated RN description
* alert source
* Bump pack from version CloudIncidentResponse to 1.0.10.
* [SanePdfReport] - Increase resourceTimeout (#31513)
* added random.randint
* pre-commit
* added a retry
* added a retry2
* added a retry3
* flake8
* fixed
* test
* Reverted to master
---------
Co-authored-by: MLainer1 <93524335+MLainer1@users.noreply.github.com>
Co-authored-by: Content Bot
Co-authored-by: michal-dagan <109464765+michal-dagan@users.noreply.github.com>
* fixed output typo
* rm closing parenthesis
* updated cmd sections to cmd names
* rm closing bracket from arg description
* changed default for kv collection to auto-generated
* update rn
* Update pack_metadata.json
* raised memory threshold for parse-raw tpb
---------
Co-authored-by: content-bot <55035720+content-bot@users.noreply.github.com>
Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com>
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>
Co-authored-by: adi88d
Co-authored-by: ilaner
<88267954+ilaner@users.noreply.github.com> Co-authored-by: munna-metron <82433049+munna-metron@users.noreply.github.com> Co-authored-by: michal-dagan <109464765+michal-dagan@users.noreply.github.com> Co-authored-by: samuelFain <65926551+samuelFain@users.noreply.github.com> Co-authored-by: Koby Meir Co-authored-by: Daniel Pascual Co-authored-by: yasta5 <112320333+yasta5@users.noreply.github.com> Co-authored-by: dorschw <81086590+dorschw@users.noreply.github.com> Co-authored-by: Moshe Galitzky <112559840+moishce@users.noreply.github.com> Co-authored-by: Sasha Sokolovich <88268646+ssokolovich@users.noreply.github.com> Co-authored-by: MLainer1 <93524335+MLainer1@users.noreply.github.com> Co-authored-by: Content Bot --- .../SplunkPy/Integrations/SplunkPy/README.md | 30 +++++++++---------- .../Integrations/SplunkPy/SplunkPy.yml | 2 +- Packs/SplunkPy/ReleaseNotes/3_1_14.md | 6 ++++ Packs/SplunkPy/pack_metadata.json | 4 +-- Tests/conf.json | 2 +- 5 files changed, 25 insertions(+), 19 deletions(-) create mode 100644 Packs/SplunkPy/ReleaseNotes/3_1_14.md diff --git a/Packs/SplunkPy/Integrations/SplunkPy/README.md b/Packs/SplunkPy/Integrations/SplunkPy/README.md index 5ba7e7d11670..611cc4ad63a9 100644 --- a/Packs/SplunkPy/Integrations/SplunkPy/README.md +++ b/Packs/SplunkPy/Integrations/SplunkPy/README.md 
@@ -59,8 +59,8 @@ This integration was integrated and tested with Splunk v9.0.4. | XSOAR user key | The name of the lookup column containing the Cortex XSOAR username. | False | | SPLUNK user key | The name of the lookup table containing the Splunk username. | False | | Incidents Fetch Interval | | False | - -The (!) *Earliest time to fetch* and *Latest time to fetch* are search parameters options. The search uses *All Time* as the default time range when you run a search from the CLI. Time ranges can be specified using one of the CLI search parameters, such as *earliest_time*, *index_earliest*, or *latest_time*. + | Comment tag from Splunk | Add this tag to an entry to mirror it as a comment from Splunk. | False | + | Comment tag to Splunk | Add this tag to an entry to mirror it as a comment to Splunk. | False | 4. Click **Test** to validate the URLs, token, and connection. @@ -296,7 +296,7 @@ For example: You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. -### Get results +### splunk-results *** Returns the results of a previous Splunk search. This command can be used in conjunction with the `splunk-job-create` command. @@ -319,7 +319,7 @@ There is no context output for this command. ##### Command Example ``` !splunk-results sid="1566221331.1186" limit="200" ``` -### Search for events +### splunk-search *** Searches Splunk for events. For human readable output, the table command is supported in the query argument. For example, `query=" * | table field1 field2 field3"` will generate a table with field1, field2, and field3 as headers. 
@@ -364,7 +364,7 @@ Searches Splunk for events. For human readable output, the table command is supp |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| | main~445~66D21DF4-F4FD-4886-A986-82E72ADCBFE9 | 445:897774 | 1585462906 | 1 | InsertedAt="2020-03-29 06:21:43"; EventID="837005"; EventType="Application control"; Action="None"; ComputerName="ACME-code-007"; ComputerDomain="DOMAIN"; ComputerIPAddress="127.0.0.1"; EventTime="2020-03-29 06:21:43"; EventTypeID="5"; Name="LogMeIn"; EventName="LogMeIn"; UserName=""; ActionID="6"; ScanTypeID="200"; ScanType="Unknown"; SubTypeID="23"; SubType="Remote management tool"; GroupName="";\u003cbr\u003e | 2 | ip-172-31-44-193, main | sophos:appcontrol | 2020-03-28T23:21:43.000-07:00 | 127.0.0.1 | main | 2 | eventgen | sophos:appcontrol | ip-172-31-44-193 | -### Create event +### splunk-submit-event *** Creates a new event in Splunk. @@ -395,7 +395,7 @@ There is no context output for this command. ![image](https://user-images.githubusercontent.com/50324325/63268589-2fda4b00-c29d-11e9-95b5-4b9fcf6c08ee.png) -### Print all index names +### splunk-get-indexes *** Prints all Splunk index names. ##### Base Command @@ -418,7 +418,7 @@ There is no context output for this command. ![image](https://user-images.githubusercontent.com/50324325/63268447-d8d47600-c29c-11e9-88a4-5003971a492e.png) -### Update notable events +### splunk-notable-event-edit *** Update an existing notable event in Splunk ES. @@ -449,7 +449,7 @@ There is no context output for this command. ![image](https://user-images.githubusercontent.com/50324325/63522203-914e2400-c500-11e9-949a-0b55eb2c5871.png) -### Create a new job +### splunk-job-create *** Creates a new search job in Splunk. @@ -486,7 +486,7 @@ Creates a new search job in Splunk. ![image](https://user-images.githubusercontent.com/50324325/63269769-75981300-c29f-11e9-950a-6ca77bcf564c.png) -### Parse an event +### splunk-parse-raw *** Parses the raw part of the event. 
@@ -513,7 +513,7 @@ Parses the raw part of the event. ``` !splunk-parse-raw ``` -### Submit an event +### splunk-submit-event-hec *** Sends events to an HTTP event collector using the Splunk platform JSON event protocol. ##### Base Command @@ -541,7 +541,7 @@ There is no context output for this command. ##### Human Readable Output The event was sent successfully to Splunk. -### Get job status +### splunk-job-status *** Returns the status of a job. @@ -573,7 +573,7 @@ Splank.JobStatus = { ##### Human Readable Output ![image](https://user-images.githubusercontent.com/50324325/77630707-2b24f600-6f54-11ea-94fe-4bf6c734aa29.png) -### Get Mapping Fields +### get-mapping-fields *** Gets one sample alert per alert type. Used only for creating a mapping with `Select Schema`. ##### Base Command @@ -799,7 +799,7 @@ Lists all data within a specific KV store collection or collections. | **Argument Name** | **Description** | **Required** | | --- | --- | --- | -| app_name | The name of the Splunk application that contains the KV store collection. The default is "search". | Required | +| app_name | The name of the Splunk application that contains the KV store collection. Default is search. | Required | | kv_store_collection_name | A comma-separated list of KV store collections. | Required | | limit | Maximum number of records to return. The default is 50. | Optional | @@ -808,7 +808,7 @@ Lists all data within a specific KV store collection or collections. | **Path** | **Type** | **Description** | | --- | --- | --- | -| Splunk.KVstoreData | Unknown | An array of collection names. Each collection name will have an array of values, e.g., Splunk.KVstoreData.<colletion_name> is a list of the data in the collection\). | +| Splunk.KVstoreData | Unknown | An array of collection names. Each collection name will have an array of values, e.g., Splunk.KVstoreData.<collection_name> is a list of the data in the collection. | #### Command Example 
@@ -917,7 +917,7 @@ Searches for specific objects in a store. Search can be a basic key-value pair o | **Path** | **Type** | **Description** | | --- | --- | --- | -| Splunk.KVstoreData | Unknown | An array of collection names. Each collection name will have an array of values, e.g., Splunk.KVstoreData.<colletion_name> is a list of the data in the collection\). | +| Splunk.KVstoreData | Unknown | An array of collection names. Each collection name will have an array of values, e.g., Splunk.KVstoreData.<collection_name> is a list of the data in the collection. | #### Command Example diff --git a/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml b/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml index e8a208c026bf..5fc02708cb47 100644 --- a/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml +++ b/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml @@ -608,7 +608,7 @@ script: name: splunk-kv-store-collection-search-entry outputs: - contextPath: Splunk.KVstoreData - description: An array of collection names. Each collection name will have an array of values, e.g., Splunk.KVstoreData. is a list of the data in the collection). + description: An array of collection names. Each collection name will have an array of values, e.g., Splunk.KVstoreData. is a list of the data in the collection. type: Unknown - arguments: - default: true diff --git a/Packs/SplunkPy/ReleaseNotes/3_1_14.md b/Packs/SplunkPy/ReleaseNotes/3_1_14.md new file mode 100644 index 000000000000..2b3b6f02dbf1 --- /dev/null +++ b/Packs/SplunkPy/ReleaseNotes/3_1_14.md @@ -0,0 +1,6 @@ + +#### Integrations + +##### SplunkPy + +- Documentation and metadata improvements. diff --git a/Packs/SplunkPy/pack_metadata.json b/Packs/SplunkPy/pack_metadata.json index e90eb3adbc40..36eeb36b855b 100644 --- a/Packs/SplunkPy/pack_metadata.json +++ b/Packs/SplunkPy/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Splunk", "description": "Run queries on Splunk servers.", "support": "xsoar", - "currentVersion": "3.1.13", + "currentVersion": "3.1.14", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", @@ -50,4 +50,4 @@ "marketplacev2", "xpanse" ] -} \ No newline at end of file +} diff --git a/Tests/conf.json b/Tests/conf.json index 0d9ab50f90fb..55ef0c58a9a7 100644 --- a/Tests/conf.json +++ b/Tests/conf.json @@ -1920,7 +1920,7 @@ { "integrations": "SplunkPy", "playbookID": "SplunkPy parse-raw - Test", - "memory_threshold": 100, + "memory_threshold": 250, "instance_names": "use_default_handler", "is_mockable": false },
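Review bot: the README hunk at `@@ -59,8 +59,8 @@` deletes the paragraph explaining that *Earliest time to fetch* and *Latest time to fetch* are search parameters (default *All Time* from the CLI, narrowed with `earliest_time`, `index_earliest` or `latest_time`) without relocating it anywhere visible in this patch, and the release note only says "Documentation and metadata improvements". If those two instance parameters still exist, keep that explanation in the Configuration section, for example as a note under their table rows, rather than dropping it. Separately, the two added rows start with a space before the pipe (`+ | Comment tag from Splunk |`) while the existing rows (`| XSOAR user key |`) do not; trim the indent so the table stays consistent.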
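Review bot: the heading renames in the `-296`, `-319`, `-364`, `-395`, `-418`, `-449`, `-486`, `-513` and `-541` README hunks (e.g. `-### Get results` / `+### splunk-results`) now match the value shown under each section's `##### Base Command`, which is the convention the rest of the pack READMEs use; two follow-ups are worth doing in the same pass. First, renaming a heading changes its generated anchor, so any link to the old text (for example `#get-results`) elsewhere in the pack docs will break and should be updated. Second, confirm that `### get-mapping-fields` is intended to be listed alongside user-facing commands, since the section itself says it is used only for `Select Schema` in the mapping wizard; if it stays, say that it is platform-invoked rather than run from the CLI.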
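Review bot: the hunk header `@@ -573,7 +573,7 @@ Splank.JobStatus = {` exposes a typo in the unchanged context-output example for `splunk-job-status` (`Splank` instead of `Splunk`), and the context path in a README example should match the real context key exactly because users copy it into playbooks; since this PR is already a typo-fix pass on this file, correct it to `Splunk.JobStatus = {` in the same change.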
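Review bot: in the `@@ -799,7 +799,7 @@` README hunk the `app_name` row is rewritten to `Default is search.` while its Required column still reads `Required`; a required argument cannot fall back to a default, so either mark it Optional (if the integration substitutes `search` when the argument is omitted) or remove the default text. Whichever is correct, make `required` and `defaultValue` on that argument in SplunkPy.yml agree with the README, since the README table is generated from the YAML.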
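Review bot: the SplunkPy.yml hunk at `@@ -608,7 +608,7 @@` removes the stray `)` from the `Splunk.KVstoreData` description, but the text still reads `Splunk.KVstoreData. is a list of the data in the collection`, with nothing after the dot, whereas the corresponding README hunks at `-808` and `-917` show `Splunk.KVstoreData.<collection_name>`; restore the `<collection_name>` placeholder in the YAML (quoted or escaped if the tooling strips angle brackets) so the README and YAML describe the same context path. Also, the README fixes this description for two commands but the YAML hunk touches only `splunk-kv-store-collection-search-entry`; check whether the list command's `Splunk.KVstoreData` output in SplunkPy.yml still carries the same stray `)` and the `colletion` typo, otherwise the next README regeneration will reintroduce them.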
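Review bot: the new `Packs/SplunkPy/ReleaseNotes/3_1_14.md` opens with a blank line before `#### Integrations`, and its single bullet `Documentation and metadata improvements.` does not tell users what changed; since the README now documents the *Comment tag from Splunk* and *Comment tag to Splunk* parameters, renames the command sections to the command names, and corrects the `Splunk.KVstoreData` output description, list those items so someone reading the release note can find them.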
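Review bot: in the `Tests/conf.json` hunk, raising `memory_threshold` for `SplunkPy parse-raw - Test` from 100 to 250 is a 2.5x increase in a PR whose product changes are documentation and metadata only, and the commit message (`raised memory threshold for parse-raw tpb`) gives no measurement or reason; a threshold bump can mask a genuine memory regression in `splunk-parse-raw` or its docker image, so either record the observed peak that motivated 250 in the PR description or investigate why the test playbook now exceeds 100 before merging.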