
Splunk data connector and data uploaders

@ianhelle ianhelle released this 06 Aug 17:55

The main features of this release are a data provider for Splunk and data uploaders for Azure Sentinel and Splunk. The Splunk provider uses the Splunk SDK and makes it easy to use msticpy functionality with results from Splunk queries.

The data uploaders let you upload results or additional data to either Azure Sentinel or Splunk.

New Features

Splunk connector (#81)

  • Authentication and initialization unified with existing data providers
  • Parameterized template queries runnable from data provider class
  • Retrieve and display saved searches as part of the available query set
  • Splunk provider documentation notebook

Data Uploaders (#87)

  • Uploaders from a pandas DataFrame, a CSV/delimited file or a folder of files
  • Upload to Azure Sentinel or Splunk
  • Documentation notebook and read-the-docs page
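Added example, not msticpy's own code: one upload path that accepts the three input kinds listed above (records from a DataFrame via df.to_dict("records"), a single delimited file, or a folder of CSV files), batches them, and signs each POST for the Azure Log Analytics Data Collector API, which is one route by which custom logs reach an Azure Sentinel workspace. The page does not say which API the msticpy uploader talks to, so that target, the workspace id, the shared key, the table name and the sample rows are all assumptions made here; requests are captured in memory rather than sent.

```python
# Added example, not msticpy's own code: one upload path for rows taken from
# a pandas DataFrame (df.to_dict("records")), a delimited file, or a folder of
# CSV files, batched and signed for the Azure Log Analytics Data Collector API
# (assumed target; the page does not say which API msticpy's uploader uses).
# Workspace id, shared key, table name and rows are constructed; nothing is sent.
import base64
import csv
import hashlib
import hmac
import json
import tempfile
from email.utils import formatdate
from pathlib import Path
from typing import Any, Dict, Iterable, Iterator, List, Optional, Union

Record = Dict[str, Any]
Source = Union[Iterable[Record], str, Path]


def iter_records(source: Source, delimiter: str = ",") -> Iterator[Record]:
    """Yield dict rows from a record list, one delimited file, or every *.csv in a folder."""
    if not isinstance(source, (str, Path)):
        yield from (dict(row) for row in source)
        return
    path = Path(source)
    for file in (sorted(path.glob("*.csv")) if path.is_dir() else [path]):
        with file.open(newline="", encoding="utf-8") as handle:
            yield from csv.DictReader(handle, delimiter=delimiter)


def batched(records: Iterable[Record], size: int) -> Iterator[List[Record]]:
    """Group rows so a single POST body stays within the service's size limit."""
    batch: List[Record] = []
    for record in records:
        batch.append(record)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


class LogAnalyticsSink:
    """Builds (and here only records) Data Collector API requests.  Authorization is
    'SharedKey <workspace>:<base64 HMAC-SHA256>' over
    'POST\\n<content-length>\\napplication/json\\nx-ms-date:<date>\\n/api/logs'."""

    RESOURCE = "/api/logs"

    def __init__(self, workspace_id: str, shared_key_b64: str) -> None:
        self.workspace_id = workspace_id
        self._key = base64.b64decode(shared_key_b64)  # workspace-wide write secret
        self.requests: List[Dict[str, Any]] = []

    def _signature(self, date: str, content_length: int) -> str:
        to_sign = f"POST\n{content_length}\napplication/json\nx-ms-date:{date}\n{self.RESOURCE}"
        digest = hmac.new(self._key, to_sign.encode("utf-8"), hashlib.sha256).digest()
        return f"SharedKey {self.workspace_id}:{base64.b64encode(digest).decode()}"

    def upload(self, table: str, batch: List[Record], date: Optional[str] = None) -> Dict[str, Any]:
        date = date or formatdate(usegmt=True)  # RFC 1123, as the service requires
        body = json.dumps(batch).encode("utf-8")
        request = {
            "url": f"https://{self.workspace_id}.ods.opinsights.azure.com{self.RESOURCE}?api-version=2016-04-01",
            "headers": {"Content-Type": "application/json", "Log-Type": table,  # stored as <Log-Type>_CL
                        "x-ms-date": date, "Authorization": self._signature(date, len(body))},
            "body": body,
        }
        self.requests.append(request)
        return request

    def verify(self, request: Dict[str, Any]) -> bool:
        """Recompute the signature the way the service does; False if the request was altered."""
        expected = self._signature(request["headers"]["x-ms-date"], len(request["body"]))
        return hmac.compare_digest(expected, request["headers"]["Authorization"])


def upload_records(sink: LogAnalyticsSink, table: str, source: Source, batch_size: int = 500) -> int:
    """Upload every row from any supported source; returns the row count."""
    count = 0
    for batch in batched(iter_records(source), batch_size):
        sink.upload(table, batch)
        count += len(batch)
    return count


def demo() -> Dict[str, Any]:
    """Constructed run: a folder holding two CSV files (3 + 2 rows) and a
    DataFrame-style record list, uploaded in batches of two."""
    key = base64.b64encode(b"constructed-example-key-not-a-real-secret").decode()
    sink = LogAnalyticsSink("00000000-0000-0000-0000-000000000000", key)
    with tempfile.TemporaryDirectory() as folder:
        Path(folder, "a.csv").write_text("src_ip,action\n10.0.0.1,failure\n10.0.0.2,failure\n10.0.0.3,success\n")
        Path(folder, "b.csv").write_text("src_ip,action\n10.0.0.4,failure\n10.0.0.5,failure\n")
        folder_rows = upload_records(sink, "MyLogons", folder, batch_size=2)
    records = [{"src_ip": "10.0.0.6", "action": "failure"}, {"src_ip": "10.0.0.7", "action": "success"}]
    list_rows = upload_records(sink, "MyLogons", records, batch_size=2)
    return {"folder_rows": folder_rows, "list_rows": list_rows, "requests": len(sink.requests), "sink": sink}
```

The shared key is a workspace-wide write credential: anyone holding it can inject records into any custom table, so it belongs in configuration or a key vault, not in a notebook cell. The signature covers only the method, body length, content type, date and path, which is why the request must go over TLS; the body itself is not integrity-protected by the signature.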

Data providers (#81)

  • fc046a5 Added support for populating a dynamic query set at connect time (i.e. once a connection has been established)
  • Added populating the query set from Splunk saved searches in splunk_driver
  • Added provider specific formatting for parameters (e.g. how a given query language expects a list of items or a datetime to be formatted)
  • Support for fully hierarchical query list (to help organize queries into categories, subcategories, etc.)
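As an added example (not msticpy's own code), the following shows what the last three bullets amount to in practice: a per-provider table of formatters for lists and datetimes, a category/subcategory/query tree addressed by a dotted path, and a hook for adding queries (such as saved searches) after connect. The query names, templates, host values and the two formatter sets are assumptions made for illustration. The check worth noting is that every string value is quoted and escaped before it reaches the template, so a caller-supplied host name cannot append its own search terms to the query.

```python
# Added example, not msticpy's own code: a small query catalogue mimicking
# three provider features listed above: provider-specific parameter
# formatting, a hierarchical query set, and adding queries (e.g. saved
# searches) after connect.  Names, templates and sample hosts are constructed.
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List


def _quote(value: Any) -> str:
    """Double-quoted literal with \\ and " escaped (valid in KQL and SPL), so a
    value like  foo" OR 1=1  stays inside the literal rather than altering the query."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def _utc(value: datetime) -> datetime:
    """Naive datetimes are taken as UTC; aware ones are converted to UTC."""
    return value.replace(tzinfo=timezone.utc) if value.tzinfo is None else value.astimezone(timezone.utc)


# How each query language expects a list of items or a datetime to be written.
FORMATTERS: Dict[str, Dict[str, Callable[[Any], str]]] = {
    "kql": {
        "list": lambda v: "dynamic([" + ", ".join(_quote(x) for x in v) + "])",
        "datetime": lambda v: "datetime(" + _utc(v).strftime("%Y-%m-%dT%H:%M:%SZ") + ")",
    },
    "splunk": {
        "list": lambda v: "(" + ", ".join(_quote(x) for x in v) + ")",
        # earliest= / latest= accept absolute times written as %m/%d/%Y:%H:%M:%S
        "datetime": lambda v: _quote(_utc(v).strftime("%m/%d/%Y:%H:%M:%S")),
    },
}

# Hierarchical query set: category -> subcategory -> query name -> definition.
QUERIES: Dict[str, Dict[str, Any]] = {
    "kql": {"Authentication": {"Failures": {"failed_logons_for_hosts": {
        "query": ("SecurityEvent | where TimeGenerated between ({start} .. {end}) "
                  "| where EventID == 4625 | where Computer in ({hosts})"),
        "params": {"start": "datetime", "end": "datetime", "hosts": "list"},
    }}}},
    "splunk": {"Authentication": {"Failures": {"failed_logons_for_hosts": {
        "query": ("search index=main sourcetype=linux_secure action=failure "
                  "host IN {hosts} earliest={start} latest={end}"),
        "params": {"start": "datetime", "end": "datetime", "hosts": "list"},
    }}}},
}


class QueryCatalog:
    """Query set for one provider, addressed by dotted Category.Subcategory.name paths."""

    def __init__(self, provider: str, queries: Dict[str, Any]) -> None:
        self.formatters = FORMATTERS[provider]
        self._tree: Dict[str, Any] = dict(queries)

    def add_queries(self, category: str, queries: Dict[str, Dict[str, Any]]) -> None:
        """Populate extra queries once connected, e.g. the server's saved searches."""
        self._tree.setdefault(category, {}).update(queries)

    def list_queries(self) -> List[str]:
        paths: List[str] = []

        def walk(node: Dict[str, Any], prefix: str) -> None:
            for name, child in sorted(node.items()):
                if "query" in child:  # leaf definition
                    paths.append(prefix + name)
                else:  # category or subcategory
                    walk(child, prefix + name + ".")

        walk(self._tree, "")
        return paths

    def render(self, path: str, **params: Any) -> str:
        """Format each declared parameter the provider's way and fill the template."""
        node: Any = self._tree
        for part in path.split("."):
            node = node[part]
        declared: Dict[str, str] = node["params"]
        missing = sorted(set(declared) - set(params))
        if missing:
            raise ValueError(f"{path} is missing parameters: {missing}")
        rendered = {name: self.formatters[kind](params[name]) for name, kind in declared.items()}
        return node["query"].format(**rendered)


def demo(provider: str) -> str:
    """Render the sample query with constructed inputs, one of them a host name
    that tries to break out of its string literal."""
    catalog = QueryCatalog(provider, QUERIES[provider])
    return catalog.render(
        "Authentication.Failures.failed_logons_for_hosts",
        start=datetime(2020, 8, 6, 0, 0, 0),
        end=datetime(2020, 8, 6, 17, 55, 0),
        hosts=["web01", 'evil" OR host=*'],
    )
```

Rendering the same catalogue entry for both providers gives a Splunk search with `host IN (...)` and quoted `earliest=`/`latest=` times, and a KQL query with `datetime(...)` literals and a `dynamic([...])` list; the hostile host name comes out as `"evil\" OR host=*"` in both, still a single string value. Each parameter's type lives with the query definition, not the caller, which is what lets one template be rendered correctly against a different query language.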

4bbf785 Blackhat Demo Notebook

Fixes

87dab39 Adding unit tests for kql and splunk drivers (latter has a failure)
7123511 Bug in data_providers and param_extractor
e2ea5c6 Fix for tooltip formatting for timeline charts
2a5a734 Error in pkg_config validate when no config sections are populated.
a141f3b Temporarily restricting pandas version to <=1.0.5
9901b72 TI Browser widget
d1e6430 Fixes to splunk driver test