Splunk: Feature Add - Boolean to use event_id as SDI

README.md

@@ -159,6 +159,10 @@ For sending events to Splunk Platform, the User configured in the asset would re
     -   If the on_poll_display parameter is not provided, then all the fields that are extracted
         from the events will be ingested in the respective artifacts
     -   Users can provide comma-separated field names. Example: field1, field2, field3
+-   use_event_id_sdi:
+    -   Use the event_id as the source data identifier instead of the full event hash
+    -   If checked, the event_id as SDI will cause updated versions of the event to be ingested into the original container instead of a new one
+    -   If checked but event_id is missing, the event hash will be used as a default
 -   If the on_poll_query(query to use with On Poll) parameter is not provided, then an error message
     will be returned  
 -   If the on_poll_command(command for the query to use with On Poll) parameter is not provided and
@@ -601,4 +605,4 @@ action_result.data | string |  |
 action_result.summary | string |  |  
 action_result.message | string |  |   Successfully posted the data 
 summary.total_objects | numeric |  |   1 
-summary.total_objects_successful | numeric |  |   1 
+summary.total_objects_successful | numeric |  |   1 

release_notes/2.17.1.md

@@ -0,0 +1 @@
+* Added 'use_event_id_sdi' parameter to asset config to allow updated event ingestion into the original container

splunk.json

@@ -30,12 +30,15 @@
         },
         {
             "name": "Tony Cihak"
+        },
+        {
+            "name": "Mhike"
         }
     ],
     "type": "siem",
     "main_module": "splunk_connector.py",
-    "app_version": "2.17.0",
-    "utctime_updated": "2022-09-08T08:47:45.000000Z",
+    "app_version": "2.17.1",
+    "utctime_updated": "2024-10-03T00:00:00.000000Z",
     "package_name": "phantom_splunk",
     "product_name": "Splunk Enterprise",
     "product_vendor": "Splunk Inc.",
@@ -183,6 +186,14 @@
             "order": 21,
             "default": 1200,
             "name": "splunk_job_timeout"
+        },
+        "use_event_id_sdi": {
+            "description": "Option to use the event_id field value as the source data identifier instead of the full event hash",
+            "data_type": "boolean",
+            "order": 22,
+            "default": "False",
+            "name": "use_event_id_sdi",
+            "id": 22
         }
     },
     "actions": [

splunk_connector.py

@@ -894,6 +894,7 @@ def _on_poll(self, param):  # noqa: C901
         search_string = config.get("on_poll_query")
         po = config.get("on_poll_parse_only", False)
         include_cim_fields = config.get("include_cim_fields", False)
+        use_event_id_sdi = config.get("use_event_id_sdi", False)
 
         if not search_string:
             self.save_progress("Need to specify Query String to use polling")
@@ -979,16 +980,23 @@ def _on_poll(self, param):  # noqa: C901
                     # Add original CIM fields if option is checked
                     cef.update({k: v} if include_cim_fields else {})
 
-            input_str = json.dumps(item)
-            input_str = UnicodeDammit(input_str).unicode_markup.encode("utf-8")
-
-            fips_enabled = self._get_fips_enabled()
-            # if fips is not enabled, we should continue with our existing md5 usage for generating SDIs
-            # to not impact existing customers
-            if not fips_enabled:
-                sdi = hashlib.md5(input_str).hexdigest()  # nosemgrep
+            # If the boolean in the asset is checked, attempt to use event_id as the source data identifier
+            # If event_id is missing from event, print warning and use hash SDI
+            if use_event_id_sdi and "event_id" in item:
+                sdi = item["event_id"]
             else:
-                sdi = hashlib.sha256(input_str).hexdigest()
+                if use_event_id_sdi and "event_id" not in item:
+                    self.save_progress("Use event_id as SLI is activated in the asset but event_id is missing from this event.")
+                    self.save_progress("Defaulting to event hash")
+                input_str = json.dumps(item)
+                input_str = UnicodeDammit(input_str).unicode_markup.encode("utf-8")
+                fips_enabled = self._get_fips_enabled()
+                # if fips is not enabled, we should continue with our existing md5 usage for generating SDIs
+                # to not impact existing customers
+                if not fips_enabled:
+                    sdi = hashlib.md5(input_str).hexdigest()  # nosemgrep
+                else:
+                    sdi = hashlib.sha256(input_str).hexdigest()
 
             severity = self._get_splunk_severity(item)
             spl_event_start = self._get_event_start(item.get("_time"))