PAPP-31540: Update the document to include all the required capabilit…

…ies to run the actions successfully (#39) * Updated documentation for steps to enable edit_tcp and added release notes * Update README.md * dev check changes * Update README.md * dev check changes * Update README.md * added PAPP-32371 changes * Update README.md * changes related to vault temp direcory access issue * minor change * Fix start_time alphanumeric value issue * Update min phantom version * Update README.md * Fix start_time validation issue * Fix Lint issue * formatting changes * Update README.md * updated login url and pre commit changes * review change * PAPP-31540: Feature Change - Make query run in the next on_poll cycle, if it fails because of corrupt timestamp * updated manual readme * Update README.md * Feature Change - Make query run in the next on_poll cycle, if it fails because of corrupt timestamp * review changes * review changes * Update README.md * formatting changes * Update README.md * formatting changes * Update README.md * minor json changes * Update README.md * formatting changes * Update README.md * review changes * Update README.md * minor changes * Update README.md * test change * Update README.md * review changes * Update README.md --------- Co-authored-by: splunk-soar-connectors-admin <admin@splunksoar> Co-authored-by: mishalp-crest <[email protected]> Co-authored-by: Ishan Shah <[email protected]>
splunk-soar-connectors · Jan 24, 2024 · 0dd195e · 0dd195e
1 parent 90cc5c3
commit 0dd195e
Show file tree

Hide file tree

Showing 12 changed files with 173 additions and 96 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 -   repo: https://github.com/phantomcyber/dev-cicd-tools
-    rev: v1.16
+    rev: v1.17
     hooks:
     -   id: org-hook
     -   id: package-app-dependencies

diff --git a/LICENSE b/LICENSE
@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright (c) 2016-2023 Splunk Inc.
+   Copyright (c) 2016-2024 Splunk Inc.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -198,4 +198,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.
diff --git a/NOTICE b/NOTICE
@@ -1,5 +1,5 @@
 Splunk SOAR Splunk
-Copyright (c) 2016-2023 Splunk Inc.
+Copyright (c) 2016-2024 Splunk Inc.
 
 Third-party Software Attributions:
 
@@ -29,11 +29,6 @@ License: Zope
 Copyright 1987-2006 implementation only works for dates between
 Copyright 2003-2019 Stuart Bishop <[email protected]>
 
-Library: requests
-Version: 2.25.0
-License: Apache 2.0
-Kenneth Reitz
-
 Library: simplejson
 Version: 3.17.2
 License: Academic 2.1

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 # Splunk
 
 Publisher: Splunk  
-Connector Version: 2.15.1  
+Connector Version: 2.16.0  
 Product Vendor: Splunk Inc.  
 Product Name: Splunk Enterprise  
 Product Version Supported (regex): ".\*"  
@@ -11,7 +11,7 @@ Minimum Product Version: 6.1.1
 This app integrates with Splunk to update data on the device, in addition to investigate and ingestion actions
 
 [comment]: # " File: README.md"
-[comment]: # "  Copyright (c) 2016-2023 Splunk Inc."
+[comment]: # "  Copyright (c) 2016-2024 Splunk Inc."
 [comment]: # ""
 [comment]: # "Licensed under the Apache License, Version 2.0 (the 'License');"
 [comment]: # "you may not use this file except in compliance with the License."
@@ -39,7 +39,7 @@ This app integrates with Splunk to update data on the device, in addition to inv
 ## Splunk-SDK
 
 This app uses the Splunk-SDK module, which is licensed under the Apache Software License, Copyright
-(c) 2011-2019 Splunk, Inc.
+(c) 2011-2024 Splunk, Inc.
 
 ## State File Permissions
 
@@ -54,9 +54,21 @@ Please check the permissions for the state file as mentioned below.
 
 #### State File Permissions
 
--   File Rights: rw-rw-r-- (664) (The phantom user should have read and write access for the state
+-   File Rights: rw-rw-r-- (664) (The Splunk SOAR user should have read and write access for the state
     file)
--   File Owner: appropriate phantom user
+-   File Owner: appropriate Splunk SOAR user
+
+## Required Permissions for Post Data Action
+The endpoint used by the post data action is not supported on Splunk Cloud Platform. Hence, the following steps are not applicable for Splunk Cloud Platform.
+
+For sending events to Splunk Platform, the User configured in the asset would require **edit_tcp** capability. Follow the below steps to configure
+
+-   Login to the Splunk Platform
+-   Go to **Setting > Roles**
+-   Click on role of the user configured in the asset(example: user) and go to **Capabilities**
+-   Search for '**edit_tcp**' in the capabilities enable it for the particular role
+-   To check if the capability is given to your user, go to **Settings > Users** and in the **Edit dropdown** and select **View Capabilities**
+-   Search for '**edit_tcp**' and if a tick besides it appears then the permission has been enabled for the user
 
 ## Asset Configuration Parameters
 
@@ -464,51 +476,51 @@ action_result.parameter.start_time | string |  |   -2d  2022-03-18T16:12:07.130+
 action_result.data.\*._bkt | string |  |  
 action_result.data.\*._cd | string |  |  
 action_result.data.\*._indextime | string |  |  
-action_result.data.\*._key | string |  |   1659398400|_audit 
-action_result.data.\*._kv | string |  |  
+action_result.data.\*._key | string |  |   user 
+action_result.data.\*._kv | string |  |   1 
 action_result.data.\*._origtime | string |  |   1659398400 
 action_result.data.\*._raw | string |  |  
 action_result.data.\*._serial | string |  |  
 action_result.data.\*._si | string |  |  
 action_result.data.\*._sourcetype | string |  |  
-action_result.data.\*._subsecond | string |  |  
+action_result.data.\*._subsecond | string |  |   .427 
 action_result.data.\*._time | string |  |  
 action_result.data.\*._value | string |  |   184 
-action_result.data.\*.a | string |  |  
+action_result.data.\*.a | string |  |   abc 
 action_result.data.\*.content.app | string |  |   search 
-action_result.data.\*.content.host | string |  |  
-action_result.data.\*.content.info | string |  |  
-action_result.data.\*.content.search | string |  |  
-action_result.data.\*.content.search_type | string |  |  
-action_result.data.\*.content.sid | string |  |  
-action_result.data.\*.content.source | string |  |  
-action_result.data.\*.content.sourcetype | string |  |  
+action_result.data.\*.content.host | string |  |   test 
+action_result.data.\*.content.info | string |  |   granted 
+action_result.data.\*.content.search | string |  |   index = main 
+action_result.data.\*.content.search_type | string |  |   adhoc 
+action_result.data.\*.content.sid | string |  |   1621953839.25275 
+action_result.data.\*.content.source | string |  |   source 
+action_result.data.\*.content.sourcetype | string |  |   source 
 action_result.data.\*.content.uri | string |  |   /en-US/app/search/search?q=search%20index%3Dmain%20%7C%20head%2010&sid=1651356328.532450&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now 
 action_result.data.\*.content.view | string |  |   search 
-action_result.data.\*.count | string |  |  
-action_result.data.\*.count(host) | string |  |  
+action_result.data.\*.count | string |  |   3058733 
+action_result.data.\*.count(host) | string |  |   28 
 action_result.data.\*.event | string |  |   {"data": {"count": 3, "size": 112, "transform": "access_app_tracker"}, "version": "1.0"} 
 action_result.data.\*.host | string |  `host name`  |   10.1.67.187:8088 
 action_result.data.\*.index | string |  |  
-action_result.data.\*.is_Acceleration_Jobs | string |  |  
-action_result.data.\*.is_Adhoc_Jobs | string |  |  
-action_result.data.\*.is_Failed_Jobs | string |  |  
-action_result.data.\*.is_Realtime_Jobs | string |  |  
-action_result.data.\*.is_Scheduled_Jobs | string |  |  
-action_result.data.\*.is_Subsearch_Jobs | string |  |  
-action_result.data.\*.is_not_Acceleration_Jobs | string |  |  
-action_result.data.\*.is_not_Adhoc_Jobs | string |  |  
-action_result.data.\*.is_not_Failed_Jobs | string |  |  
-action_result.data.\*.is_not_Realtime_Jobs | string |  |  
-action_result.data.\*.is_not_Scheduled_Jobs | string |  |  
-action_result.data.\*.is_not_Subsearch_Jobs | string |  |  
+action_result.data.\*.is_Acceleration_Jobs | string |  |   0 
+action_result.data.\*.is_Adhoc_Jobs | string |  |   1 
+action_result.data.\*.is_Failed_Jobs | string |  |   0 
+action_result.data.\*.is_Realtime_Jobs | string |  |   0 
+action_result.data.\*.is_Scheduled_Jobs | string |  |   0 
+action_result.data.\*.is_Subsearch_Jobs | string |  |   0 
+action_result.data.\*.is_not_Acceleration_Jobs | string |  |   1 
+action_result.data.\*.is_not_Adhoc_Jobs | string |  |   0 
+action_result.data.\*.is_not_Failed_Jobs | string |  |   1 
+action_result.data.\*.is_not_Realtime_Jobs | string |  |   1 
+action_result.data.\*.is_not_Scheduled_Jobs | string |  |   1 
+action_result.data.\*.is_not_Subsearch_Jobs | string |  |   1 
 action_result.data.\*.linecount | string |  |  
 action_result.data.\*.source | string |  |  
 action_result.data.\*.sourcetype | string |  |  
 action_result.data.\*.spent | string |  |   223 
 action_result.data.\*.splunk_server | string |  `host name`  |  
-action_result.data.\*.user | string |  |  
-action_result.data.\*.values(source) | string |  |  
+action_result.data.\*.user | string |  |   admin 
+action_result.data.\*.values(source) | string |  |   /opt/splunk/var/log/splunk/scheduler.log 
 action_result.summary.sid | string |  |   1612177958.977510 
 action_result.summary.total_events | numeric |  |   2 
 action_result.message | string |  |   Sid: 1612177958.977510, Total events: 2 
@@ -561,7 +573,7 @@ Post data to Splunk
 Type: **generic**  
 Read only: **False**
 
-This action creates an event on Splunk with the data included in the <b>data</b> parameter. If not specified the parameters will default to the following:<ul><li><b>host</b> - The IP of the Phantom instance running the action.</li><li><b>index</b> - The default index configured on the Splunk instance.</li><li><b>source</b> - &quot;Phantom&quot;.</li><li><b>source_type</b> - &quot;Automation/Orchestration Platform&quot;.</li></ul>
+This action creates an event on Splunk with the data included in the <b>data</b> parameter. If not specified the parameters will default to the following:<ul><li><b>host</b> - The IP of the Splunk SOAR instance running the action.</li><li><b>index</b> - The default index configured on the Splunk instance.</li><li><b>source</b> - &quot;Phantom&quot;.</li><li><b>source_type</b> - &quot;Automation/Orchestration Platform&quot;.</li></ul>
 
 #### Action Parameters
 PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS

diff --git a/__init__.py b/__init__.py
@@ -1,6 +1,6 @@
 # File: __init__.py
 #
-# Copyright (c) 2016-2023 Splunk Inc.
+# Copyright (c) 2016-2024 Splunk Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

diff --git a/manual_readme_content.md b/manual_readme_content.md
@@ -1,5 +1,5 @@
 [comment]: # " File: README.md"
-[comment]: # "  Copyright (c) 2016-2023 Splunk Inc."
+[comment]: # "  Copyright (c) 2016-2024 Splunk Inc."
 [comment]: # ""
 [comment]: # "Licensed under the Apache License, Version 2.0 (the 'License');"
 [comment]: # "you may not use this file except in compliance with the License."
@@ -27,7 +27,7 @@
 ## Splunk-SDK
 
 This app uses the Splunk-SDK module, which is licensed under the Apache Software License, Copyright
-(c) 2011-2019 Splunk, Inc.
+(c) 2011-2024 Splunk, Inc.
 
 ## State File Permissions
 
@@ -42,9 +42,21 @@ Please check the permissions for the state file as mentioned below.
 
 #### State File Permissions
 
--   File Rights: rw-rw-r-- (664) (The phantom user should have read and write access for the state
+-   File Rights: rw-rw-r-- (664) (The Splunk SOAR user should have read and write access for the state
     file)
--   File Owner: appropriate phantom user
+-   File Owner: appropriate Splunk SOAR user
+
+## Required Permissions for Post Data Action
+The endpoint used by the post data action is not supported on Splunk Cloud Platform. Hence, the following steps are not applicable for Splunk Cloud Platform.
+
+For sending events to Splunk Platform, the User configured in the asset would require **edit_tcp** capability. Follow the below steps to configure
+
+-   Login to the Splunk Platform
+-   Go to **Setting > Roles**
+-   Click on role of the user configured in the asset(example: user) and go to **Capabilities**
+-   Search for '**edit_tcp**' in the capabilities enable it for the particular role
+-   To check if the capability is given to your user, go to **Settings > Users** and in the **Edit dropdown** and select **View Capabilities**
+-   Search for '**edit_tcp**' and if a tick besides it appears then the permission has been enabled for the user
 
 ## Asset Configuration Parameters
 

diff --git a/release_notes/unreleased.md b/release_notes/unreleased.md
@@ -1 +1,4 @@
 **Unreleased**
+* Documentation update for steps to allow edit_tcp capability for a user [PAPP-31540]
+* Bug fix for 'on poll' cef field names [PAPP-30430]
+* Bug fix for accessing vault temp directory path [PAPP-32416]