From 206b431c0ea12c44f7fc0cee60b82ca37a302842 Mon Sep 17 00:00:00 2001
From: zamastyle
Date: Thu, 3 Oct 2024 09:39:40 -0500
Subject: [PATCH 1/8] Update splunk.json

Updated version, added contributer entry, added boolean config for event_id SDI
---
 splunk.json | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/splunk.json b/splunk.json
index e255ed4..0408034 100644
--- a/splunk.json
+++ b/splunk.json
@@ -30,12 +30,15 @@
 },
 {
 "name": "Tony Cihak"
+ },
+ {
+ "name": "Mhike"
 }
 ],
 "type": "siem",
 "main_module": "splunk_connector.py",
- "app_version": "2.17.0",
- "utctime_updated": "2022-09-08T08:47:45.000000Z",
+ "app_version": "2.17.1",
+ "utctime_updated": "2024-10-03T00:00:00.000000Z",
 "package_name": "phantom_splunk",
 "product_name": "Splunk Enterprise",
 "product_vendor": "Splunk Inc.",
@@ -183,6 +186,14 @@
 "order": 21,
 "default": 1200,
 "name": "splunk_job_timeout"
+ },
+ "use_event_id_sdi": {
+ "description": "Option to use the event_id field value as the source data identifier instead of the full event hash",
+ "data_type": "boolean",
+ "order": 21,
+ "default": "False",
+ "name": "use_event_id_sdi",
+ "id": 21
 }
 },
 "actions": [

From 9788e6dda6b476c71cfbe0b5ff42475bc5fd6798 Mon Sep 17 00:00:00 2001
From: zamastyle
Date: Thu, 3 Oct 2024 09:52:29 -0500
Subject: [PATCH 2/8] Update splunk_connector.py

Added handling for using event_id as source data identifier when available if the asset boolean is checked
---
 splunk_connector.py | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/splunk_connector.py b/splunk_connector.py
index 6d95880..970ffae 100644
--- a/splunk_connector.py
+++ b/splunk_connector.py
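Review bot: The new `use_event_id_sdi` entry declares `"data_type": "boolean"` but its default is the JSON string `"False"`, while the neighbouring `splunk_job_timeout` entry uses a typed default (`1200`). If the platform hands that default through unchanged, the connector's `config.get("use_event_id_sdi", False)` truthiness test added later in this series would see a non-empty string and treat the opt-in feature as enabled by default, silently switching every existing asset from hash-based to event_id-based dedup. Change the line to `"default": false` so the asset field carries a real boolean.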
@@ -894,6 +894,7 @@ def _on_poll(self, param): # noqa: C901
 search_string = config.get("on_poll_query")
 po = config.get("on_poll_parse_only", False)
 include_cim_fields = config.get("include_cim_fields", False)
+ use_event_id_sdi = config.get('use_event_id_sdi', False)
 
 if not search_string:
 self.save_progress("Need to specify Query String to use polling")
@@ -979,16 +980,22 @@ def _on_poll(self, param): # noqa: C901
 # Add original CIM fields if option is checked
 cef.update({k: v} if include_cim_fields else {})
 
- input_str = json.dumps(item)
- input_str = UnicodeDammit(input_str).unicode_markup.encode("utf-8")
-
- fips_enabled = self._get_fips_enabled()
- # if fips is not enabled, we should continue with our existing md5 usage for generating SDIs
- # to not impact existing customers
- if not fips_enabled:
- sdi = hashlib.md5(input_str).hexdigest() # nosemgrep
+ # If the boolean in the asset is checked, attempt to use event_id as the source data identifier
+ # If event_id is missing from event, print warning and use hash SDI
+ if use_event_id_sdi and 'event_id' in item:
+ sdi = item['event_id']
 else:
+ if use_event_id_sdi and 'event_id' not in item:
+ self.save_progress('Use event_id as SLI is activated in the asset but event_id is missing from this event. Defaulting to event hash')
+ input_str = json.dumps(item)
+ input_str = UnicodeDammit(input_str).unicode_markup.encode("utf-8")
+ fips_enabled = self._get_fips_enabled()
+ # if fips is not enabled, we should continue with our existing md5 usage for generating SDIs
+ # to not impact existing customers
+ if not fips_enabled:
+ sdi = hashlib.md5(input_str).hexdigest() # nosemgrep
+ else:
+ sdi = hashlib.sha256(input_str).hexdigest()
 
 severity = self._get_splunk_severity(item)
 spl_event_start = self._get_event_start(item.get("_time"))

From bd167e5ec8f07ed9c8bd4f3a7dc59f711b8d59ca Mon Sep 17 00:00:00 2001
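Review bot: `sdi = item['event_id']` forwards a value taken from the Splunk search result straight into the container's source data identifier with no validation, whereas the hash branch it bypasses always produced a fixed-format hex digest. The field comes from external event data, so an empty or non-string value (a multivalue field, for instance) or an `event_id` shared by unrelated events would merge distinct events into one container or fail the ingest, and since the SDI is the dedup key, a forged `event_id` in ingested log content could presumably steer an event into an existing container. Guard it with `event_id = item.get('event_id') if use_event_id_sdi else None` and `if isinstance(event_id, (str, int)) and str(event_id): sdi = str(event_id)`, falling through to the hash path otherwise. The inner `if use_event_id_sdi and 'event_id' not in item:` inside the `else` can be just `if use_event_id_sdi:`, because the `else` already implies the key is absent when the option is on, and the `save_progress` warning there fires once per polled event, which will flood the progress log on large polls. `_on_poll` begins and ends outside this hunk.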
From: zamastyle
Date: Thu, 3 Oct 2024 10:05:53 -0500
Subject: [PATCH 3/8] Update README.md

Added notes on new asset config value
---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index d7334ff..532275d 100644
--- a/README.md
+++ b/README.md
@@ -159,6 +159,10 @@ For sending events to Splunk Platform, the User configured in the asset would re
 - If the on_poll_display parameter is not provided, then all the fields that are extracted from the events will be ingested in the respective artifacts
 - Users can provide comma-separated field names. Example: field1, field2, field3
+- use_event_id_sdi:
+ - Use the event_id as the source data identifier instead of the full event hash
+ - If checked, the event_id as SDI will cause updated versions of the event to be ingested into the original container instead of a new one
+ - If checked but event_id is missing, the event hash will be used as a default
 - If the on_poll_query(query to use with On Poll) parameter is not provided, then an error message will be returned
 - If the on_poll_command(command for the query to use with On Poll) parameter is not provided and
@@ -601,4 +605,4 @@ action_result.data | string | |
 action_result.summary | string | |
 action_result.message | string | | Successfully posted the data
 summary.total_objects | numeric | | 1
-summary.total_objects_successful | numeric | | 1
\ No newline at end of file
+summary.total_objects_successful | numeric | | 1

From 033459dd605bc546ebf58e333c44013cddd232b2 Mon Sep 17 00:00:00 2001
From: zamastyle
Date: Thu, 3 Oct 2024 10:08:19 -0500
Subject: [PATCH 4/8] Create 2.17.1.md

Added change notes
---
 release_notes/2.17.1.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 release_notes/2.17.1.md

diff --git a/release_notes/2.17.1.md b/release_notes/2.17.1.md
new file mode 100644
index 0000000..0aa4890
--- /dev/null
+++ b/release_notes/2.17.1.md
@@ -0,0 +1 @@
+* Added 'use_event_id_sdi' parameter to asset config to allow updated event ingestion into the original container

From 616a0558158f408289cccb6e7b812712d35d6778 Mon Sep 17 00:00:00 2001
From: zamastyle
Date: Thu, 3 Oct 2024 10:18:28 -0500
Subject: [PATCH 5/8] Update splunk_connector.py

split comment line
---
 splunk_connector.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/splunk_connector.py b/splunk_connector.py
index 970ffae..af73403 100644
--- a/splunk_connector.py
+++ b/splunk_connector.py
@@ -986,7 +986,8 @@ def _on_poll(self, param): # noqa: C901
 sdi = item['event_id']
 else:
 if use_event_id_sdi and 'event_id' not in item:
- self.save_progress('Use event_id as SLI is activated in the asset but event_id is missing from this event. Defaulting to event hash')
+ self.save_progress('Use event_id as SLI is activated in the asset but event_id is missing from this event.')
+ self.save_progress('Defaulting to event hash')
 input_str = json.dumps(item)
 input_str = UnicodeDammit(input_str).unicode_markup.encode("utf-8")
 fips_enabled = self._get_fips_enabled()

From bd93a011178de80f088919813e144cbb5adab53a Mon Sep 17 00:00:00 2001
From: zamastyle
Date: Thu, 3 Oct 2024 10:22:24 -0500
Subject: [PATCH 6/8] Update splunk_connector.py

Swapped single quotes for double quotes for ... reasons?
---
 splunk_connector.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/splunk_connector.py b/splunk_connector.py
index af73403..b3bcb84 100644
--- a/splunk_connector.py
+++ b/splunk_connector.py
@@ -894,7 +894,7 @@ def _on_poll(self, param): # noqa: C901
 search_string = config.get("on_poll_query")
 po = config.get("on_poll_parse_only", False)
 include_cim_fields = config.get("include_cim_fields", False)
- use_event_id_sdi = config.get('use_event_id_sdi', False)
+ use_event_id_sdi = config.get("use_event_id_sdi", False)
 
 if not search_string:
 self.save_progress("Need to specify Query String to use polling")
@@ -982,12 +982,12 @@ def _on_poll(self, param): # noqa: C901
 
 # If the boolean in the asset is checked, attempt to use event_id as the source data identifier
 # If event_id is missing from event, print warning and use hash SDI
- if use_event_id_sdi and 'event_id' in item:
- sdi = item['event_id']
+ if use_event_id_sdi and "event_id" in item:
+ sdi = item["event_id"]
 else:
- if use_event_id_sdi and 'event_id' not in item:
- self.save_progress('Use event_id as SLI is activated in the asset but event_id is missing from this event.')
- self.save_progress('Defaulting to event hash')
+ if use_event_id_sdi and "event_id" not in item:
+ self.save_progress("Use event_id as SLI is activated in the asset but event_id is missing from this event.")
+ self.save_progress("Defaulting to event hash")
 input_str = json.dumps(item)
 input_str = UnicodeDammit(input_str).unicode_markup.encode("utf-8")
 fips_enabled = self._get_fips_enabled()

From d87ab8e8c3bef5de96b4a89d6451fed7a2bfad2e Mon Sep 17 00:00:00 2001
From: zamastyle
Date: Thu, 3 Oct 2024 10:24:29 -0500
Subject: [PATCH 7/8] Update splunk.json

fixed param index int
---
 splunk.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/splunk.json b/splunk.json
index 0408034..2db7722 100644
--- a/splunk.json
+++ b/splunk.json
@@ -190,10 +190,10 @@
 "use_event_id_sdi": {
 "description": "Option to use the event_id field value as the source data identifier instead of the full event hash",
 "data_type": "boolean",
- "order": 21,
+ "order": 22,
 "default": "False",
 "name": "use_event_id_sdi",
- "id": 21
+ "id": 22
 }
 },
 "actions": [

From 789a29c0353d510f244ea2543cfe54c004ffb917 Mon Sep 17 00:00:00 2001
From: phantom-jacob <43217172+phantom-jacob@users.noreply.github.com>
Date: Wed, 15 Jan 2025 15:32:36 -0800
Subject: [PATCH 8/8] Update splunk_connector.py

---
 splunk_connector.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/splunk_connector.py b/splunk_connector.py
index b3bcb84..4d85818 100644
--- a/splunk_connector.py
+++ b/splunk_connector.py
@@ -986,7 +986,7 @@ def _on_poll(self, param): # noqa: C901
 sdi = item["event_id"]
 else:
 if use_event_id_sdi and "event_id" not in item:
- self.save_progress("Use event_id as SLI is activated in the asset but event_id is missing from this event.")
+ self.save_progress("Use event_id as SDI is activated in the asset but event_id is missing from this event.")
 self.save_progress("Defaulting to event hash")
 input_str = json.dumps(item)
 input_str = UnicodeDammit(input_str).unicode_markup.encode("utf-8")