From e6f348123065aab09476d41ae0000708b570915e Mon Sep 17 00:00:00 2001 From: hackeT <40039738+Tatsuya-hasegawa@users.noreply.github.com> Date: Tue, 5 Sep 2023 16:32:07 +0900 Subject: [PATCH 1/5] add token auth to splunk driver and fix splunk port value type --- .../data_acquisition/SplunkProvider.rst | 34 +++++++++++++++---- msticpy/data/drivers/splunk_driver.py | 17 +++++++--- 2 files changed, 39 insertions(+), 12 deletions(-) diff --git a/docs/source/data_acquisition/SplunkProvider.rst b/docs/source/data_acquisition/SplunkProvider.rst index 39819663b..7f439dc75 100644 --- a/docs/source/data_acquisition/SplunkProvider.rst +++ b/docs/source/data_acquisition/SplunkProvider.rst @@ -38,7 +38,7 @@ The settings in the file should look like the following: Splunk: Args: host: splunk_host - port: 8089 + port: '8089' username: splunk_user password: [PLACEHOLDER] @@ -54,7 +54,7 @@ to a Key Vault secret using the MSTICPy configuration editor. Splunk: Args: host: splunk_host - port: 8089 + port: '8089' username: splunk_user password: KeyVault: @@ -67,8 +67,13 @@ Parameter Description host (string) The host name (the default is 'localhost'). username (string) The Splunk account username, which is used to authenticate the Splunk instance. password (string) The password for the Splunk account. +splunkToken (string) The Authorization Bearer Token created in the Splunk. =========== =========================================================================================================================== +The username and password are needed for user account authentication. +On the other hand, splunkToken is needed for Token authentication. +The user auth method has a priority to token auth method if both username and splunkToken are set. + Optional configuration parameters: 
@@ -106,11 +111,11 @@ in msticpy config file. For more information on how to create new user with appropriate roles and permissions, follow the Splunk documents: -`Securing the Spunk platform `__ +`Securing the Spunk platform `__ and -`About users and roles `__. +`About users and roles `__ The user should have permission to at least run its own searches or more depending upon the actions to be performed by user. @@ -120,10 +125,20 @@ require the following details to specify while connecting: - host = "localhost" (Splunk server FQDN hostname to connect, for locally installed splunk, you can specify localhost) -- port = 8089 (Splunk REST API ) +- port = "8089" (Splunk REST API) - username = "admin" (username to connect to Splunk instance) - password = "yourpassword" (password of the user specified in username) +On the other hand, you can use the authentification token to connect. + +`Create authentication token `__ + +- host = "localhost" (Splunk server FQDN hostname to connect, for locally + installed splunk, you can specify localhost) +- port = "8089" (Splunk REST API) +- splunkToken = "" (token can be used instead of username/password) + + Once you have details, you can specify it in ``msticpyconfig.yaml`` as described earlier. @@ -146,6 +161,11 @@ as parameters to connect. qry_prov.connect(host=, username=, password=) +OR + +.. code:: ipython3 + + qry_prov.connect(host=, splunkToken=) Listing available queries @@ -217,7 +237,7 @@ For more information, see (default value is: | head 100) end: datetime (optional) Query end time - (default value is: 08/26/2017:00:00:00) + (default value is: current time + 1 day) index: str (optional) Splunk index name (default value is: \*) 
@@ -229,7 +249,7 @@ For more information, see (default value is: \*) start: datetime (optional) Query start time - (default value is: 08/25/2017:00:00:00) + (default value is: current time - 1 day) timeformat: str (optional) Datetime format to use in Splunk query (default value is: "%Y-%m-%d %H:%M:%S.%6N") diff --git a/msticpy/data/drivers/splunk_driver.py b/msticpy/data/drivers/splunk_driver.py index 3b4c4a6e9..01afa7faa 100644 --- a/msticpy/data/drivers/splunk_driver.py +++ b/msticpy/data/drivers/splunk_driver.py @@ -35,14 +35,14 @@ ) from imp_err __version__ = VERSION -__author__ = "Ashwin Patil" +__author__ = "Ashwin Patil, Tatsuya Hasegawa" logger = logging.getLogger(__name__) SPLUNK_CONNECT_ARGS = { "host": "(string) The host name (the default is 'localhost').", - "port": "(integer) The port number (the default is 8089).", + "port": "(string) The port number (the default is '8089').", "http_scheme": "('https' or 'http') The scheme for accessing the service " + "(the default is 'https').", "verify": "(Boolean) Enable (True) or disable (False) SSL verrification for " @@ -60,6 +60,7 @@ "username": "(string) The Splunk account username, which is used to " + "authenticate the Splunk instance.", "password": "(string) The password for the Splunk account.", + "splunkToken": "(string) The Authorization Bearer Token created in the Splunk.", } @@ -67,8 +68,8 @@ class SplunkDriver(DriverBase): """Driver to connect and query from Splunk.""" - _SPLUNK_REQD_ARGS = ["host", "username", "password"] - _CONNECT_DEFAULTS: Dict[str, Any] = {"port": 8089} + _SPLUNK_REQD_ARGS = ["host"] + _CONNECT_DEFAULTS: Dict[str, Any] = {"port": "8089"} _TIME_FORMAT = '"%Y-%m-%d %H:%M:%S.%6N"' def __init__(self, **kwargs): 
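Review bot: The `port` default in `SPLUNK_CONNECT_ARGS` is now documented as `(string)` and, in the `@@ -67,8 +68,8 @@` hunk further down, `_CONNECT_DEFAULTS` supplies it as the string `"8089"`, but nothing in the driver normalizes a numeric `port` that arrives from an existing `msticpyconfig.yaml` written as `port: 8089` (unquoted) or from a caller's kwargs, so the client library will receive a `str` in one case and an `int` in the other. If the client accepts both, the change is cosmetic and the wording is fine; if it does not, a single normalization where the defaults are merged, `cs_dict["port"] = str(cs_dict["port"])`, keeps both forms of configuration working. The place where that merge happens (`_get_connect_args`) is outside this hunk, so I cannot tell from the patch whether such a conversion already exists.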
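Review bot: `_SPLUNK_REQD_ARGS = ["host"]` removes every credential from the class-level required list, so a reader of the class no longer sees that some form of authentication is mandatory; the actual requirement is decided later inside `_get_connect_args`, which is outside this hunk. A one-line comment on the attribute would keep that visible, e.g. `# Credentials (username/password or splunkToken) are required too; _get_connect_args picks which set based on the supplied args`. The class docstring could carry the same sentence so it shows up in help output.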
@@ -142,7 +143,7 @@ def connect(self, connection_str: Optional[str] = None, **kwargs): help_uri="https://msticpy.readthedocs.io/en/latest/DataProviders.html", ) from err self._connected = True - print("connected") + print("Connected.") def _get_connect_args( self, connection_str: Optional[str], **kwargs @@ -172,6 +173,12 @@ def _get_connect_args( elif isinstance(verify_opt, bool): cs_dict["verify"] = verify_opt + # judge the REST API authentification method between user/pass and authorization bearer token + if "username" in cs_dict: + self._SPLUNK_REQD_ARGS = ["host","username","password"] + else: + self._SPLUNK_REQD_ARGS = ["host","splunkToken"] + missing_args = set(self._SPLUNK_REQD_ARGS) - cs_dict.keys() if missing_args: raise MsticpyUserConfigError( From b2ebc7790139df65da4d3ab9218de67c36da6510 Mon Sep 17 00:00:00 2001 From: hackeT <40039738+Tatsuya-hasegawa@users.noreply.github.com> Date: Sat, 9 Sep 2023 02:06:56 +0900 Subject: [PATCH 2/5] fix flask8 error --- msticpy/data/drivers/splunk_driver.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/msticpy/data/drivers/splunk_driver.py b/msticpy/data/drivers/splunk_driver.py index 01afa7faa..00bb5ed0c 100644 --- a/msticpy/data/drivers/splunk_driver.py +++ b/msticpy/data/drivers/splunk_driver.py @@ -173,11 +173,12 @@ def _get_connect_args( elif isinstance(verify_opt, bool): cs_dict["verify"] = verify_opt - # judge the REST API authentification method between user/pass and authorization bearer token + # judge the REST API authentification method + # between user/pass and authorization bearer token if "username" in cs_dict: - self._SPLUNK_REQD_ARGS = ["host","username","password"] + self._SPLUNK_REQD_ARGS = ["host", "username", "password"] else: - self._SPLUNK_REQD_ARGS = ["host","splunkToken"] + self._SPLUNK_REQD_ARGS = ["host", "splunkToken"] missing_args = set(self._SPLUNK_REQD_ARGS) - cs_dict.keys() if missing_args: From 9bb8f2883297f4c9e96c21aea332b97b6ee5479e Mon Sep 17 00:00:00 2001 
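Review bot: `if "username" in cs_dict:` selects user/password authentication on the mere presence of the key, so a config or call that carries an empty `username:` value (or `None`) is treated as a user/password login and then rejected for a missing `password`, even when a valid `splunkToken` is present; `if cs_dict.get("username"):` would select on a non-empty value instead. The same test survives the reformatting in patches 2–4 and the `_required_params` rewrite in patch 5, so the fix applies to the final version of this block as well. `_get_connect_args` starts before and ends after this hunk, so I cannot see whether an empty value is already filtered out earlier in the method.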
From: hackeT <40039738+Tatsuya-hasegawa@users.noreply.github.com> Date: Sat, 9 Sep 2023 02:17:32 +0900 Subject: [PATCH 3/5] fix flask8 error --- msticpy/data/drivers/splunk_driver.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/msticpy/data/drivers/splunk_driver.py b/msticpy/data/drivers/splunk_driver.py index 00bb5ed0c..90a62be3c 100644 --- a/msticpy/data/drivers/splunk_driver.py +++ b/msticpy/data/drivers/splunk_driver.py @@ -173,8 +173,8 @@ def _get_connect_args( elif isinstance(verify_opt, bool): cs_dict["verify"] = verify_opt - # judge the REST API authentification method - # between user/pass and authorization bearer token + # Judge the REST API authentification method + # between user/pass and authorization bearer token if "username" in cs_dict: self._SPLUNK_REQD_ARGS = ["host", "username", "password"] else: From 1892c74e9f68c057d8443f39f0f52e9568f4774a Mon Sep 17 00:00:00 2001 From: hackeT <40039738+Tatsuya-hasegawa@users.noreply.github.com> Date: Sat, 9 Sep 2023 02:20:50 +0900 Subject: [PATCH 4/5] fix flask8 error --- msticpy/data/drivers/splunk_driver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/msticpy/data/drivers/splunk_driver.py b/msticpy/data/drivers/splunk_driver.py index 90a62be3c..c90e482fd 100644 --- a/msticpy/data/drivers/splunk_driver.py +++ b/msticpy/data/drivers/splunk_driver.py @@ -174,7 +174,7 @@ def _get_connect_args( cs_dict["verify"] = verify_opt # Judge the REST API authentification method - # between user/pass and authorization bearer token + # between user/pass and authorization bearer token if "username" in cs_dict: self._SPLUNK_REQD_ARGS = ["host", "username", "password"] else: From 82afefe28c0e23d0fbc8d1ed9cbb48c98f4a51f0 Mon Sep 17 00:00:00 2001 From: Ian Hellen Date: Fri, 29 Sep 2023 11:54:19 -0700 Subject: [PATCH 5/5] Fixing some linting errors in splunk_driver.py --- msticpy/data/drivers/splunk_driver.py | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
diff --git a/msticpy/data/drivers/splunk_driver.py b/msticpy/data/drivers/splunk_driver.py index c90e482fd..0754027ad 100644 --- a/msticpy/data/drivers/splunk_driver.py +++ b/msticpy/data/drivers/splunk_driver.py @@ -80,6 +80,7 @@ def __init__(self, **kwargs): self._connected = False if kwargs.get("debug", False): logger.setLevel(logging.DEBUG) + self._required_params = self._SPLUNK_REQD_ARGS self.set_driver_property( DriverProps.PUBLIC_ATTRS, @@ -173,19 +174,19 @@ def _get_connect_args( elif isinstance(verify_opt, bool): cs_dict["verify"] = verify_opt - # Judge the REST API authentification method - # between user/pass and authorization bearer token + # Different required parameters for the REST API authentication method + # between user/pass and authorization bearer token if "username" in cs_dict: - self._SPLUNK_REQD_ARGS = ["host", "username", "password"] + self._required_params = ["host", "username", "password"] else: - self._SPLUNK_REQD_ARGS = ["host", "splunkToken"] + self._required_params = ["host", "splunkToken"] - missing_args = set(self._SPLUNK_REQD_ARGS) - cs_dict.keys() + missing_args = set(self._required_params) - cs_dict.keys() if missing_args: raise MsticpyUserConfigError( "One or more connection parameters missing for Splunk connector", ", ".join(missing_args), - f"Required parameters are {', '.join(self._SPLUNK_REQD_ARGS)}", + f"Required parameters are {', '.join(self._required_params)}", "All parameters:", *[f"{arg}: {desc}" for arg, desc in SPLUNK_CONNECT_ARGS.items()], title="no Splunk connection parameters",
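Review bot: `self._required_params = self._SPLUNK_REQD_ARGS` aliases the class-level list on the instance rather than copying it; today that is harmless because the only other writes visible in this patch rebind the attribute to a fresh list, but any future in-place `.append` on `_required_params` would silently change the default for every instance. `self._required_params = list(self._SPLUNK_REQD_ARGS)` removes that hazard at no cost. `__init__` continues outside the hunk.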
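Review bot: When a configuration carries both `username`/`password` and `splunkToken`, the `if "username" in cs_dict:` branch validates only the user/password set and forwards all three values to the client library without any indication of which credential is used, so an operator may leave a bearer token in `msticpyconfig.yaml` believing it is in use when it is not (the documentation added in patch 1 says the user/password method takes priority, but that is decided in the client library, not here). Adding `if "splunkToken" in cs_dict: logger.warning("Both username/password and splunkToken supplied for Splunk; only one authentication method will be used.")` inside the `if` branch makes the situation visible, and the method docstring should state the two accepted credential sets and the precedence rule. `_get_connect_args` starts before this hunk.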