Add the ability to specify the index when forwarding to splunk #61

Update docs Update rules
wagga40 · Jun 9, 2023 · c947671 · c947671
1 parent db73ed4
commit c947671
Show file tree

Hide file tree

Showing 13 changed files with 158,355 additions and 124,669 deletions.
diff --git a/docs/Advanced.md b/docs/Advanced.md
@@ -202,9 +202,12 @@ As of v1.3.5, Zircolite can forward detections to a Splunk instance with Splunk
 
 ```shell
 python3 zircolite.py --evtx /sample.evtx  --ruleset rules/rules_windows_sysmon.json \
-	--remote "https://x.x.x.x:8088" --token "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+	--remote "https://x.x.x.x:8088" --token "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \ 
+	[--index myindex]
 ```
 
+Since Splunk HEC default to the first associated index, `--index` is optional but can be used to specify the choosen index among the available ones.
+
 :warning: On Windows do not forget to put quotes
 
 #### Forward to ELK

diff --git a/docs/Zircolite_manual.pdf b/docs/Zircolite_manual.pdf
diff --git a/rules/rules_linux.json b/rules/rules_linux.json
diff --git a/rules/rules_windows_generic.json b/rules/rules_windows_generic.json
diff --git a/rules/rules_windows_generic_full.json b/rules/rules_windows_generic_full.json
diff --git a/rules/rules_windows_generic_high.json b/rules/rules_windows_generic_high.json
diff --git a/rules/rules_windows_generic_medium.json b/rules/rules_windows_generic_medium.json
diff --git a/rules/rules_windows_sysmon.json b/rules/rules_windows_sysmon.json
diff --git a/rules/rules_windows_sysmon_full.json b/rules/rules_windows_sysmon_full.json
diff --git a/rules/rules_windows_sysmon_high.json b/rules/rules_windows_sysmon_high.json
diff --git a/rules/rules_windows_sysmon_medium.json b/rules/rules_windows_sysmon_medium.json
diff --git a/zircolite.py b/zircolite.py
@@ -133,7 +133,7 @@ def __init__(
         self.remoteHost = remote
         self.token = token
         self.localHostname = socket.gethostname()
-        self.userAgent = "zircolite/2.8.x"
+        self.userAgent = "zircolite/2.x"
         self.index = index
         self.login = login
         self.password = password
@@ -225,9 +225,13 @@ def disableESDefaultLogging(self):
 
     async def HECWorker(self, session, queue, sigmaEvents):
         while True:
+            if self.index:
+                providedIndex = f"?index={self.index}"
+            else:
+                providedIndex = ""
             data = await queue.get()  # Pop data from Queue
             resp = await session.post(
-                f"{self.remoteHost}/services/collector/event",
+                f"{self.remoteHost}/services/collector/event{providedIndex}",
                 headers={"Authorization": f"Splunk {self.token}"},
                 json=data,
             )  # Exec action from Queue
@@ -411,7 +415,7 @@ def initESSession(self):
             )
         return session
 
-    async def testESession(self, session):
+    async def testESSession(self, session):
         try:
             await session.info()
         except Exception as e:
@@ -452,7 +456,7 @@ async def sendAllAsyncQueue(
 
         if mode == "ES":
             session = self.initESSession()
-            await self.testESession(session)
+            await self.testESSession(session)
             if self.connectionFailed:
                 return
             fnformatEvent = self.formatEventForES

diff --git a/zircolite_dev.py b/zircolite_dev.py
@@ -103,7 +103,7 @@ def __init__(self, remote, timeField, token, logger=None, index=None, login='',
         self.remoteHost = remote
         self.token = token
         self.localHostname = socket.gethostname()
-        self.userAgent = "zircolite/2.8.x"
+        self.userAgent = "zircolite/2.x"
         self.index = index
         self.login = login
         self.password = password
@@ -158,8 +158,12 @@ def disableESDefaultLogging(self):
 
     async def HECWorker(self, session, queue, sigmaEvents):
         while True:
+            if self.index:
+                providedIndex = f"?index={self.index}"
+            else:
+                providedIndex = ""
             data = await queue.get() # Pop data from Queue
-            resp = await session.post(f"{self.remoteHost}/services/collector/event", headers={'Authorization': f"Splunk {self.token}"}, json=data) # Exec action from Queue
+            resp = await session.post(f"{self.remoteHost}/services/collector/event{providedIndex}", headers={'Authorization': f"Splunk {self.token}"}, json=data) # Exec action from Queue
             queue.task_done() # Notify Queue action ended
             if str(resp.status)[0] in ["4", "5"]:
                 self.logger.error(f"{Fore.RED}   [-] Forwarding failed for event {Fore.RESET}")
@@ -263,7 +267,7 @@ def initESSession(self):
             session = AsyncElasticsearch(hosts=[self.remoteHost], verify_certs=False, basic_auth=(self.login, self.password))
         return session
 
-    async def testESession(self, session):
+    async def testESSession(self, session):
         try:
             await session.info()
         except Exception as e:
@@ -291,7 +295,7 @@ async def sendAllAsyncQueue(self, payloads, timeField="", sigmaEvents=False, mod
 
         if mode == "ES":
             session = self.initESSession()
-            await self.testESession(session)
+            await self.testESSession(session)
             if self.connectionFailed: return
             fnformatEvent = self.formatEventForES
             fnWorker = self.ESWorker