Merge branch 'main' into ccianelli/fix_wl_bug
ianhelle authored Sep 29, 2023
2 parents f8d99fb + 15fb44b commit 4e28ab1
Showing 8 changed files with 442 additions and 141 deletions.
34 changes: 27 additions & 7 deletions docs/source/data_acquisition/SplunkProvider.rst
Expand Up @@ -38,7 +38,7 @@ The settings in the file should look like the following:
Splunk:
Args:
host: splunk_host
port: 8089
port: '8089'
username: splunk_user
password: [PLACEHOLDER]
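Review bot: Quoting the port as '8089' turns it from an integer into a string in the parsed YAML, so the provider must coerce it back before handing it to the connection call; please confirm that happens (and that an unquoted 8089 in existing configs still works) before documenting the quoted form as the canonical one. The same quoted form should then be used consistently in the connect() examples later in this file.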
Expand All @@ -54,7 +54,7 @@ to a Key Vault secret using the MSTICPy configuration editor.
Splunk:
Args:
host: splunk_host
port: 8089
port: '8089'
username: splunk_user
password:
KeyVault:
Expand All @@ -67,8 +67,13 @@ Parameter Description
host (string) The host name (the default is 'localhost').
username (string) The Splunk account username, which is used to authenticate the Splunk instance.
password (string) The password for the Splunk account.
splunkToken (string) The Authorization Bearer Token <JWT> created in the Splunk.
=========== ===========================================================================================================================

The username and password are needed for user account authentication.
On the other hand, splunkToken is needed for Token authentication.
The user auth method has a priority to token auth method if both username and splunkToken are set.


Optional configuration parameters:

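Review bot: The new splunkToken row documents a bearer credential, so it should say that the token is a secret that can be stored as a Key Vault reference in the same way as password (the YAML examples above show that form for password only). Wording: "created in the Splunk" reads better as "created in Splunk", and "The user auth method has a priority to token auth method if both username and splunkToken are set" as "Username/password authentication takes precedence over token authentication when both username and splunkToken are set."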
Expand Down Expand Up @@ -106,11 +111,11 @@ in msticpy config file.
For more information on how to create new user with appropriate roles
and permissions, follow the Splunk documents:

`Securing the Spunk platform <https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Addandeditusers>`__
`Securing the Spunk platform <https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/Addandeditusers>`__

and

`About users and roles <https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles>`__.
`About users and roles <https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/Aboutusersandroles>`__

The user should have permission to at least run its own searches or more
depending upon the actions to be performed by user.
Expand All @@ -120,10 +125,20 @@ require the following details to specify while connecting:

- host = "localhost" (Splunk server FQDN hostname to connect, for locally
installed splunk, you can specify localhost)
- port = 8089 (Splunk REST API )
- port = "8089" (Splunk REST API)
- username = "admin" (username to connect to Splunk instance)
- password = "yourpassword" (password of the user specified in username)

On the other hand, you can use the authentification token to connect.

`Create authentication token <https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/CreateAuthTokens>`__

- host = "localhost" (Splunk server FQDN hostname to connect, for locally
installed splunk, you can specify localhost)
- port = "8089" (Splunk REST API)
- splunkToken = "<Authorization Bearer Token>" (token can be used instead of username/password)


Once you have details, you can specify it in ``msticpyconfig.yaml`` as
described earlier.

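Review bot: "authentification token" should be "authentication token". The port bullet changes from the bare number 8089 to the string "8089"; that matches the YAML change earlier in the file, but the connect() call should accept both forms or configs with an unquoted port will break. The host and port bullets are repeated verbatim in the token list; listing only the parameters that differ (splunkToken instead of username/password) would be shorter and clearer.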
Expand All @@ -146,6 +161,11 @@ as parameters to connect.
qry_prov.connect(host=<hostname>, username=<username>, password=<password>)
OR

.. code:: ipython3
qry_prov.connect(host=<hostname>, splunkToken=<token_string>)
Listing available queries
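Review bot: A reStructuredText `.. code:: ipython3` directive needs a blank line after it and an indented body; as rendered here, `qry_prov.connect(host=<hostname>, splunkToken=<token_string>)` and the "Listing available queries" heading follow the directive directly, so please verify the source has the blank line and indentation, otherwise the snippet will not render as a code block. The bare "OR" line between the two connect examples would also read better as a sentence introducing the token form.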
Expand Down Expand Up @@ -217,7 +237,7 @@ For more information, see
(default value is: | head 100)
end: datetime (optional)
Query end time
(default value is: 08/26/2017:00:00:00)
(default value is: current time + 1 day)
index: str (optional)
Splunk index name
(default value is: \*)
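Review bot: Replacing the fixed timestamp with "current time + 1 day" for the end default is a user-visible behaviour change, not just a docstring edit; check that the query definitions actually compute this default at query time, and add a changelog entry for it.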
Expand All @@ -229,7 +249,7 @@ For more information, see
(default value is: \*)
start: datetime (optional)
Query start time
(default value is: 08/25/2017:00:00:00)
(default value is: current time - 1 day)
timeformat: str (optional)
Datetime format to use in Splunk query
(default value is: "%Y-%m-%d %H:%M:%S.%6N")
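Review bot: With start now defaulting to "current time - 1 day" and end to "current time + 1 day", a query run without explicit times covers a two-day window around now instead of the fixed 2017 window; state that explicitly in the docs so users know what a bare query returns.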
41 changes: 21 additions & 20 deletions msticpy/context/tiproviders/intsights.py
Expand Up @@ -46,42 +46,42 @@ class IntSights(HttpTIProvider):

_QUERIES = {
"ipv4": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
"ipv6": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
"dns": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
"url": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
"md5_hash": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
"sha1_hash": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
"sha256_hash": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
"email": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
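Review bot: The same path literal "/public/v3/iocs/ioc-by-value" is repeated in all eight _QUERIES entries; hoisting it into one module-level constant (e.g. `_IOC_PATH = "/public/v3/iocs/ioc-by-value"`) would make the next version bump a one-line change and rule out a missed entry. Since the v3 API evidently changes the response field names (the parse_results hunk in this file switches to camelCase keys), the API version bump deserves a changelog entry.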
Expand Down Expand Up @@ -111,27 +111,28 @@ def parse_results(self, response: Dict) -> Tuple[bool, ResultSeverity, Any]:
):
return False, ResultSeverity.information, "Not found."

if response["RawResult"]["Whitelist"] == "True":
if response["RawResult"].get("whitelisted", False):
return False, ResultSeverity.information, "Whitelisted."

sev = response["RawResult"]["Severity"]
sev = response["RawResult"].get("severity", "Low")
result_dict = {
"threat_actors": response["RawResult"]["RelatedThreatActors"],
"geolocation": response["RawResult"].get("Geolocation", ""),
"threat_actors": response["RawResult"].get("relatedThreatActors", ""),
"geolocation": response["RawResult"].get("geolocation", None),
"response_code": response["Status"],
"tags": response["RawResult"]["Tags"] + response["RawResult"]["SystemTags"],
"malware": response["RawResult"]["RelatedMalware"],
"campaigns": response["RawResult"]["RelatedCampaigns"],
"sources": response["RawResult"]["Sources"],
"score": response["RawResult"]["Score"],
"tags": response["RawResult"].get("tags", [])
+ response["RawResult"].get("SystemTags", []),
"malware": response["RawResult"].get("relatedMalware", []),
"campaigns": response["RawResult"].get("relatedCampaigns", []),
"score": response["RawResult"].get("score", 0),
"first_seen": dt.datetime.strptime(
response["RawResult"]["FirstSeen"], "%Y-%m-%dT%H:%M:%S.%fZ"
response["RawResult"].get("firstSeen", None), "%Y-%m-%dT%H:%M:%S.%fZ"
),
"last_seen": dt.datetime.strptime(
response["RawResult"]["LastSeen"], "%Y-%m-%dT%H:%M:%S.%fZ"
response["RawResult"].get("lastSeen", None), "%Y-%m-%dT%H:%M:%S.%fZ"
),
"last_update": dt.datetime.strptime(
response["RawResult"]["LastUpdate"], "%Y-%m-%dT%H:%M:%S.%fZ"
response["RawResult"].get("lastUpdateDate", None),
"%Y-%m-%dT%H:%M:%S.%fZ",
),
}

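Review bot: `.get("firstSeen", None)` (and likewise for lastSeen and lastUpdateDate) does not make the strptime calls safe: when the key is missing, `dt.datetime.strptime(None, ...)` raises TypeError instead of the previous KeyError, so parsing should be skipped when the value is absent, e.g. `dt.datetime.strptime(raw["firstSeen"], fmt) if raw.get("firstSeen") else None`. Also worth a second look: "SystemTags" keeps the old CamelCase while every other key switched to camelCase ("tags", "relatedMalware"), which looks like an oversight; "threat_actors" defaults to "" while the other list-valued fields default to [], giving mixed types downstream; and the "sources" entry was dropped from result_dict without a replacement, which should be confirmed as intended.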