Add bearer token auth to splunk driver #708

34 changes: 27 additions & 7 deletions docs/source/data_acquisition/SplunkProvider.rst
Expand Up @@ -38,7 +38,7 @@ The settings in the file should look like the following:
Splunk:
Args:
host: splunk_host
port: 8089
port: '8089'
username: splunk_user
password: [PLACEHOLDER]

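Review bot: quoting the port as '8089' turns a value that the previous docs gave as an integer into a YAML string, and configs written against those docs still carry `port: 8089`. Unless the driver coerces both forms, the two sample configs now disagree with what existing users have; either keep the integer in the examples or state in the parameter table that both an integer and a quoted string are accepted.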
Expand All @@ -54,7 +54,7 @@ to a Key Vault secret using the MSTICPy configuration editor.
Splunk:
Args:
host: splunk_host
port: 8089
port: '8089'
username: splunk_user
password:
KeyVault:
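Review bot: this Key Vault example only covers `password`, but the new `splunkToken` is an equally sensitive bearer credential that grants the same API access. Add a matching example showing `splunkToken` resolved from Key Vault, so the token path is not documented only as a plain-text value in `msticpyconfig.yaml`.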
Expand All @@ -67,8 +67,13 @@ Parameter Description
host (string) The host name (the default is 'localhost').
username (string) The Splunk account username, which is used to authenticate the Splunk instance.
password (string) The password for the Splunk account.
splunkToken (string) The Authorization Bearer Token <JWT> created in the Splunk.
=========== ===========================================================================================================================

The username and password are needed for user account authentication.
On the other hand, splunkToken is needed for Token authentication.
The user auth method has a priority to token auth method if both username and splunkToken are set.


Optional configuration parameters:

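Review bot: the priority rule "The user auth method has a priority to token auth method if both username and splunkToken are set" leaves out the failure case: with the driver change in this PR, a config that sets `username` but no `password` is treated as user/password auth and rejected for the missing password, and a `splunkToken` present alongside it is ignored rather than used as a fallback. Say that explicitly. Wording: "created in the Splunk" should read "created in Splunk", and "has a priority to" should read "takes priority over".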
Expand Down Expand Up @@ -106,11 +111,11 @@ in msticpy config file.
For more information on how to create new user with appropriate roles
and permissions, follow the Splunk documents:

`Securing the Spunk platform <https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Addandeditusers>`__
`Securing the Spunk platform <https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/Addandeditusers>`__

and

`About users and roles <https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles>`__.
`About users and roles <https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/Aboutusersandroles>`__

The user should have permission to at least run its own searches or more
depending upon the actions to be performed by user.
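Review bot: the link text "Securing the Spunk platform" misspells Splunk in both the old and the updated line; since the line is being touched for the 9.1.1 version bump, fix it here. The updated `About users and roles` link also drops the trailing period that closed the sentence ("follow the Splunk documents: ... and ...."); restore it.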
Expand All @@ -120,10 +125,20 @@ require the following details to specify while connecting:

- host = "localhost" (Splunk server FQDN hostname to connect, for locally
installed splunk, you can specify localhost)
- port = 8089 (Splunk REST API )
- port = "8089" (Splunk REST API)
- username = "admin" (username to connect to Splunk instance)
- password = "yourpassword" (password of the user specified in username)

On the other hand, you can use the authentification token to connect.

`Create authentication token <https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/CreateAuthTokens>`__

- host = "localhost" (Splunk server FQDN hostname to connect, for locally
installed splunk, you can specify localhost)
- port = "8089" (Splunk REST API)
- splunkToken = "<Authorization Bearer Token>" (token can be used instead of username/password)


Once you have details, you can specify it in ``msticpyconfig.yaml`` as
described earlier.

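Review bot: "authentification token" should be "authentication token", and "On the other hand" signals a contrast where an alternative is meant; "Alternatively, you can connect with an authentication token:" reads correctly. The new bullet list repeats the `host` and `port` items from the list just above it; listing only the item that changes (`splunkToken` replaces `username` and `password`) keeps the two lists from drifting apart.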
Expand All @@ -146,6 +161,11 @@ as parameters to connect.

qry_prov.connect(host=<hostname>, username=<username>, password=<password>)

OR

.. code:: ipython3

qry_prov.connect(host=<hostname>, splunkToken=<token_string>)


Listing available queries
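Review bot: the bare "OR" between the two `qry_prov.connect(...)` examples is not a sentence and renders as a stray word in RST; introduce the second example with a line such as "Alternatively, to connect with a bearer token:". The `splunkToken` keyword is camelCase while the other documented arguments are snake_case (`http_scheme`); if the name is kept to match what the underlying client expects, say so next to the example so readers do not "correct" it to `splunk_token`.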
Expand Down Expand Up @@ -217,7 +237,7 @@ For more information, see
(default value is: | head 100)
end: datetime (optional)
Query end time
(default value is: 08/26/2017:00:00:00)
(default value is: current time + 1 day)
index: str (optional)
Splunk index name
(default value is: \*)
Expand All @@ -229,7 +249,7 @@ For more information, see
(default value is: \*)
start: datetime (optional)
Query start time
(default value is: 08/25/2017:00:00:00)
(default value is: current time - 1 day)
timeformat: str (optional)
Datetime format to use in Splunk query
(default value is: "%Y-%m-%d %H:%M:%S.%6N")
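Review bot: the new defaults "current time - 1 day" for `start` and "current time + 1 day" for `end` are docstring text only; the `splunk_driver.py` diff in this PR does not touch how the query time bounds are computed. Confirm the driver really derives them from the current time, otherwise this change replaces one stale default with a wrong one.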
17 changes: 12 additions & 5 deletions msticpy/data/drivers/splunk_driver.py
Expand Up @@ -35,14 +35,14 @@
) from imp_err

__version__ = VERSION
__author__ = "Ashwin Patil"
__author__ = "Ashwin Patil, Tatsuya Hasegawa"

logger = logging.getLogger(__name__)


SPLUNK_CONNECT_ARGS = {
"host": "(string) The host name (the default is 'localhost').",
"port": "(integer) The port number (the default is 8089).",
"port": "(string) The port number (the default is '8089').",
"http_scheme": "('https' or 'http') The scheme for accessing the service "
+ "(the default is 'https').",
"verify": "(Boolean) Enable (True) or disable (False) SSL verrification for "
Expand All @@ -60,15 +60,16 @@
"username": "(string) The Splunk account username, which is used to "
+ "authenticate the Splunk instance.",
"password": "(string) The password for the Splunk account.",
"splunkToken": "(string) The Authorization Bearer Token <JWT> created in the Splunk.",
}


@export
class SplunkDriver(DriverBase):
"""Driver to connect and query from Splunk."""

_SPLUNK_REQD_ARGS = ["host", "username", "password"]
_CONNECT_DEFAULTS: Dict[str, Any] = {"port": 8089}
_SPLUNK_REQD_ARGS = ["host"]
_CONNECT_DEFAULTS: Dict[str, Any] = {"port": "8089"}
_TIME_FORMAT = '"%Y-%m-%d %H:%M:%S.%6N"'

def __init__(self, **kwargs):
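Review bot: `_SPLUNK_REQD_ARGS = ["host"]` at class level no longer describes the real requirement (host plus either username/password or splunkToken), and `_get_connect_args` later assigns `self._SPLUNK_REQD_ARGS`, shadowing the class constant with per-instance state. Keep the class attribute as the documented requirement and compute the effective required list locally inside `_get_connect_args`. In the new help text, "created in the Splunk" should read "created in Splunk".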
Expand Down Expand Up @@ -142,7 +143,7 @@ def connect(self, connection_str: Optional[str] = None, **kwargs):
help_uri="https://msticpy.readthedocs.io/en/latest/DataProviders.html",
) from err
self._connected = True
print("connected")
print("Connected.")

def _get_connect_args(
self, connection_str: Optional[str], **kwargs
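Review bot: the module defines `logger = logging.getLogger(__name__)` but the success path still writes to stdout with `print("Connected.")`; since this line is being edited anyway, switch to `logger.info("Connected.")` so notebooks and scripts can control the verbosity.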
Expand Down Expand Up @@ -172,6 +173,12 @@ def _get_connect_args(
elif isinstance(verify_opt, bool):
cs_dict["verify"] = verify_opt

# judge the REST API authentification method between user/pass and authorization bearer token
if "username" in cs_dict:
self._SPLUNK_REQD_ARGS = ["host","username","password"]
else:
self._SPLUNK_REQD_ARGS = ["host","splunkToken"]

missing_args = set(self._SPLUNK_REQD_ARGS) - cs_dict.keys()
if missing_args:
raise MsticpyUserConfigError(
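Review bot: `if "username" in cs_dict` tests for the key, not for a value, so a config with `username:` left blank (None) next to a `splunkToken` takes the user/password branch and then fails on the missing password instead of using the token; test `cs_dict.get("username")` instead, and when both `username` and `splunkToken` are present emit a `logger.warning` that the token is ignored, which is the priority the docs describe. The branch also mutates `self._SPLUNK_REQD_ARGS` where a local list would do, the list literals are missing spaces after commas (`["host","username","password"]`), and "authentification" in the comment should be "authentication".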