From 15fb44b900577fe67c4bd9e501ab93291ce8e686 Mon Sep 17 00:00:00 2001
From: hackeT <40039738+Tatsuya-hasegawa@users.noreply.github.com>
Date: Sat, 30 Sep 2023 04:45:39 +0900
Subject: [PATCH] Add bearer token auth to splunk driver (#708)
* add token auth to splunk driver and fix splunk port value type
* fix flask8 error
* fix flask8 error
* fix flask8 error
* Fixing some linting errors in splunk_driver.py
---------
Co-authored-by: Ian Hellen
---
 .../data_acquisition/SplunkProvider.rst | 34 +++++++++++++++----
 msticpy/data/drivers/splunk_driver.py | 23 +++++++++----
 2 files changed, 43 insertions(+), 14 deletions(-)
diff --git a/docs/source/data_acquisition/SplunkProvider.rst b/docs/source/data_acquisition/SplunkProvider.rst
index 39819663b..7f439dc75 100644
--- a/docs/source/data_acquisition/SplunkProvider.rst
+++ b/docs/source/data_acquisition/SplunkProvider.rst
@@ -38,7 +38,7 @@ The settings in the file should look like the following:
     Splunk:
       Args:
         host: splunk_host
-        port: 8089
+        port: '8089'
         username: splunk_user
         password: [PLACEHOLDER]
@@ -54,7 +54,7 @@ to a Key Vault secret using the MSTICPy configuration editor.
     Splunk:
      Args:
        host: splunk_host
-        port: 8089
+        port: '8089'
        username: splunk_user
        password:
          KeyVault:
@@ -67,8 +67,13 @@ Parameter Description
 host (string) The host name (the default is 'localhost').
 username (string) The Splunk account username, which is used to authenticate the Splunk instance.
 password (string) The password for the Splunk account.
+splunkToken (string) The Authorization Bearer Token created in the Splunk.
 =========== ===========================================================================================================================
+The username and password are needed for user account authentication.
+On the other hand, splunkToken is needed for Token authentication.
+The user auth method has a priority to token auth method if both username and splunkToken are set.
+
 Optional configuration parameters:
@@ -106,11 +111,11 @@ in msticpy config file.
 For more information on how to create new user with appropriate roles and permissions, follow the Splunk documents:
-`Securing the Spunk platform `__
+`Securing the Spunk platform `__
 and
-`About users and roles `__.
+`About users and roles `__
 The user should have permission to at least run its own searches or more depending upon the actions to be performed by user.
@@ -120,10 +125,20 @@ require the following details to specify while connecting:
 - host = "localhost" (Splunk server FQDN hostname to connect, for locally
   installed splunk, you can specify localhost)
-- port = 8089 (Splunk REST API )
+- port = "8089" (Splunk REST API)
 - username = "admin" (username to connect to Splunk instance)
 - password = "yourpassword" (password of the user specified in username)
+On the other hand, you can use the authentification token to connect.
+
+`Create authentication token `__
+
+- host = "localhost" (Splunk server FQDN hostname to connect, for locally
+  installed splunk, you can specify localhost)
+- port = "8089" (Splunk REST API)
+- splunkToken = "" (token can be used instead of username/password)
+
+
 Once you have details, you can specify it in ``msticpyconfig.yaml`` as described earlier.
@@ -146,6 +161,11 @@ as parameters to connect.
     qry_prov.connect(host=, username=, password=)
+OR
+
+.. code:: ipython3
+
+    qry_prov.connect(host=, splunkToken=)
 Listing available queries
@@ -217,7 +237,7 @@ For more information, see
     (default value is: | head 100)
 end: datetime (optional)
     Query end time
-    (default value is: 08/26/2017:00:00:00)
+    (default value is: current time + 1 day)
 index: str (optional)
     Splunk index name
     (default value is: \*)
@@ -229,7 +249,7 @@ For more information, see
     (default value is: \*)
 start: datetime (optional)
     Query start time
-    (default value is: 08/25/2017:00:00:00)
+    (default value is: current time - 1 day)
 timeformat: str (optional)
     Datetime format to use in Splunk query
     (default value is: "%Y-%m-%d %H:%M:%S.%6N")
diff --git a/msticpy/data/drivers/splunk_driver.py b/msticpy/data/drivers/splunk_driver.py
index 3b4c4a6e9..0754027ad 100644
--- a/msticpy/data/drivers/splunk_driver.py
+++ b/msticpy/data/drivers/splunk_driver.py
@@ -35,14 +35,14 @@
 ) from imp_err
 __version__ = VERSION
-__author__ = "Ashwin Patil"
+__author__ = "Ashwin Patil, Tatsuya Hasegawa"
 logger = logging.getLogger(__name__)
 SPLUNK_CONNECT_ARGS = {
     "host": "(string) The host name (the default is 'localhost').",
-    "port": "(integer) The port number (the default is 8089).",
+    "port": "(string) The port number (the default is '8089').",
     "http_scheme": "('https' or 'http') The scheme for accessing the service "
     + "(the default is 'https').",
     "verify": "(Boolean) Enable (True) or disable (False) SSL verrification for "
@@ -60,6 +60,7 @@
     "username": "(string) The Splunk account username, which is used to "
     + "authenticate the Splunk instance.",
     "password": "(string) The password for the Splunk account.",
+    "splunkToken": "(string) The Authorization Bearer Token created in the Splunk.",
 }
@@ -67,8 +68,8 @@ class SplunkDriver(DriverBase):
     """Driver to connect and query from Splunk."""
-    _SPLUNK_REQD_ARGS = ["host", "username", "password"]
-    _CONNECT_DEFAULTS: Dict[str, Any] = {"port": 8089}
+    _SPLUNK_REQD_ARGS = ["host"]
+    _CONNECT_DEFAULTS: Dict[str, Any] = {"port": "8089"}
     _TIME_FORMAT = '"%Y-%m-%d %H:%M:%S.%6N"'
     def __init__(self, **kwargs):
@@ -79,6 +80,7 @@ def __init__(self, **kwargs):
         self._connected = False
         if kwargs.get("debug", False):
             logger.setLevel(logging.DEBUG)
+        self._required_params = self._SPLUNK_REQD_ARGS
         self.set_driver_property(
             DriverProps.PUBLIC_ATTRS,
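Review bot: The new `"splunkToken"` description in `SPLUNK_CONNECT_ARGS` says where the token comes from but not that it is a credential as sensitive as `password`, and this dict doubles as the parameter reference printed in the missing-parameter error. A wording such as `"splunkToken": "(string) A Splunk authentication (bearer) token, used instead of username/password; treat it as a secret like the password (e.g. via a KeyVault entry)."` would carry that, and the parameter table added in the `.rst` hunk would want the matching wording. The `SPLUNK_CONNECT_ARGS` literal starts outside this hunk.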
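Review bot: `_SPLUNK_REQD_ARGS = ["host"]` no longer describes what is required to connect — `host` plus one of the two credential sets, a choice made later in `_get_connect_args` — so the attribute now reads as if `host` alone sufficed; a comment such as `# always required; username/password or splunkToken is checked in _get_connect_args` on that line would prevent the misreading. The `@@ -79` hunk seeds `self._required_params` from this class-level list and `_get_connect_args` later rebinds rather than mutates it, so the aliasing is harmless today; `_SPLUNK_REQD_ARGS = ("host",)` would keep it that way, provided nothing outside this diff relies on it being a list. Both `class SplunkDriver` and `__init__` continue outside their hunks.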
@@ -142,7 +144,7 @@ def connect(self, connection_str: Optional[str] = None, **kwargs):
             help_uri="https://msticpy.readthedocs.io/en/latest/DataProviders.html",
         ) from err
         self._connected = True
-        print("connected")
+        print("Connected.")
     def _get_connect_args(
         self, connection_str: Optional[str], **kwargs
@@ -172,12 +174,19 @@ def _get_connect_args(
         elif isinstance(verify_opt, bool):
             cs_dict["verify"] = verify_opt
-        missing_args = set(self._SPLUNK_REQD_ARGS) - cs_dict.keys()
+        # Different required parameters for the REST API authentication method
+        # between user/pass and authorization bearer token
+        if "username" in cs_dict:
+            self._required_params = ["host", "username", "password"]
+        else:
+            self._required_params = ["host", "splunkToken"]
+
+        missing_args = set(self._required_params) - cs_dict.keys()
         if missing_args:
             raise MsticpyUserConfigError(
                 "One or more connection parameters missing for Splunk connector",
                 ", ".join(missing_args),
-                f"Required parameters are {', '.join(self._SPLUNK_REQD_ARGS)}",
+                f"Required parameters are {', '.join(self._required_params)}",
                 "All parameters:",
                 *[f"{arg}: {desc}" for arg, desc in SPLUNK_CONNECT_ARGS.items()],
                 title="no Splunk connection parameters",
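Review bot: `print("Connected.")` still writes the success notice straight to stdout although the module has a `logger` whose level `__init__` adjusts for the `debug` flag, so this message cannot be silenced or captured the way the driver's logged output can; `logger.info("Connected.")`, or keeping the print deliberately for notebook use with a comment saying so, would make the choice explicit. `connect` starts outside this hunk.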
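Review bot: The branch on `"username" in cs_dict` means a configuration with neither credential set is reported as missing `splunkToken` only, so the `Required parameters are host, splunkToken` line hides that username/password is the other valid option; adding `"Supply either username and password, or splunkToken (bearer token)",` after that line of the raised error would make the message complete. The membership test also treats a present-but-empty `username` as a request for user/password auth, which is worth confirming against what config loading can produce; `if cs_dict.get("username"):` would be the tighter test if empty values are possible. Storing the choice in `self._required_params` makes an argument-parsing helper mutate instance state; a local variable feeding the `missing_args` check would suffice unless the attribute is read elsewhere, which is not visible here. `_get_connect_args` starts outside this hunk.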