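    def _splunk_update_notable_function(self, event, *args, **kwargs):
        """Function: Update notable events according to the status of the corresponding incident.

        Inputs:
            event_id:               the notable event id in the splunk_notable_event_id field
            comment:                add a note to the notable event
            notable_event_status:   Notable event status. Integer: 2=active, 5= closed

        Yields StatusMessage progress updates, then either a FunctionResult
        wrapping the 'content' of the Splunk reply or a FunctionError carrying
        the exception text. TLS verification of the Splunk server is governed
        only by the app.config option ``verify_cert`` (the literal string
        "false" disables it); no function input can weaken it.
        """
        # Bound outside the try so the except handler can always log, even when
        # the failure happens before the body's first statement (e.g. a missing
        # self.options entry); inside the try it could be unbound there.
        log = logging.getLogger(__name__)
        try:
            # Get the function parameters:
            event_id = kwargs.get("event_id")  # text
            comment = kwargs.get("comment")  # text
            notable_event_status = kwargs.get("notable_event_status")  # number

            # Default is to verify the Splunk certificate; only the exact string
            # "false" in app.config turns it off (any other value fails secure).
            splunk_verify_cert = True
            if "verify_cert" in self.options and self.options[
                    "verify_cert"] == "false":
                splunk_verify_cert = False
                # Make a deliberately weakened TLS posture visible in the logs.
                log.warning("verify_cert is false: the Splunk server "
                            "certificate will NOT be verified")

            log.info("event_id: %s", event_id)
            log.info("comment: %s", comment)
            log.info("notable_event_status: %s", notable_event_status)
            log.info("splunk_verify_cert: %s", splunk_verify_cert)

            # Password is intentionally never logged.
            log.info("Splunk host: %s, port: %s, username: %s",
                     self.options["host"], self.options["port"],
                     self.options["username"])

            yield StatusMessage("starting...")

            result_payload = ResultPayload(SECTION_HDR, **kwargs)

            splnk_utils = splunk_utils.SplunkUtils(
                host=self.options["host"],
                port=self.options["port"],
                username=self.options["username"],
                password=self.options["splunkpassword"],
                verify=splunk_verify_cert)

            # NOTE(review): cafile receives the boolean verify flag rather than a
            # CA bundle path -- confirm SplunkUtils.update_notable expects that.
            splunk_result = splnk_utils.update_notable(
                event_id=event_id,
                comment=comment,
                status=notable_event_status,
                cafile=splunk_verify_cert)

            yield StatusMessage("done...")

            # Produce a FunctionResult with the return value
            yield FunctionResult(
                result_payload.done(True, splunk_result.get('content', {})))
        except Exception as e:
            # log.exception keeps the traceback; the message text is unchanged.
            log.exception("Function execution throws exception: %s", e)
            # Pass the message on so the workflow shows why the call failed
            # (same as the delete-threat-intel function).
            yield FunctionError(str(e))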
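    def _splunk_delete_threat_intel_item_function(self, event, *args,
                                                  **kwargs):
        """Function: Delete a threat intel item:
        splunk_threat_intel_type: ip_intel, email_intel....., registry_intel
        splunk_threat_intel_key: _key returned from Splunk ES for this item

        A ``splunk_verify_cert`` function input, if present, is ignored: TLS
        verification is decided solely by the app.config ``verify_cert``
        option (the literal string "false" disables it), so a workflow input
        cannot switch certificate checking off.

        Yields StatusMessage progress updates, then a FunctionResult with the
        helper's return value, or a FunctionError carrying the exception text.
        """
        # Bound outside the try so the except handler can always log, even if
        # the failure happens before the body's first statement.
        log = logging.getLogger(__name__)
        try:
            # Get the function parameters:
            splunk_threat_intel_type = kwargs.get(
                "splunk_threat_intel_type")  # text
            splunk_threat_intel_key = kwargs.get(
                "splunk_threat_intel_key")  # text

            # Default is to verify the Splunk certificate; only the exact string
            # "false" in app.config turns it off (any other value fails secure).
            splunk_verify_cert = True
            if "verify_cert" in self.options and self.options[
                    "verify_cert"] == "false":
                splunk_verify_cert = False
                # Make a deliberately weakened TLS posture visible in the logs.
                log.warning("verify_cert is false: the Splunk server "
                            "certificate will NOT be verified")

            # Log all the info
            log.info("splunk_threat_intel_type: %s", splunk_threat_intel_type)
            log.info("splunk_threat_intel_key: %s", splunk_threat_intel_key)
            log.info("splunk_verify_cert: %s", splunk_verify_cert)

            # Log the splunk server we are using (password intentionally omitted)
            log.info("Splunk host: %s, port: %s, username: %s",
                     self.options["host"], self.options["port"],
                     self.options["username"])

            yield StatusMessage("starting...")

            splnk_utils = splunk_utils.SplunkUtils(
                host=self.options["host"],
                port=self.options["port"],
                username=self.options["username"],
                password=self.options["splunkpassword"],
                verify=splunk_verify_cert)

            # NOTE(review): cafile receives the boolean verify flag rather than a
            # CA bundle path -- confirm SplunkUtils.delete_threat_intel_item
            # expects that.
            result = splnk_utils.delete_threat_intel_item(
                threat_type=splunk_threat_intel_type,
                item_key=splunk_threat_intel_key,
                cafile=splunk_verify_cert)

            yield StatusMessage("done...")
            yield FunctionResult(result)
        except Exception as e:
            # log.exception keeps the traceback; the message text is unchanged.
            log.exception("Function execution throws exception %s", e)
            yield FunctionError(str(e))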
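    def _splunk_add_intel_item_function(self, event, *args, **kwargs):
        """Function: Add a new splunk es threat intelligence item to the collections
        splunk_threat_intel_type: ip_intel, user_intel,...., or registry_intel
        splunk_query_param1: field1 name of the dict used to create the item;
        splunk_query_param2: field1 value;
        splunk_query_param3: field2 name;
        splunk_query_param4: field2 value;
        ..... up to splunk_query_param10

        The ten splunk_query_paramN inputs are passed, in order, as one list to
        function_utils.make_item_dict; absent inputs are passed as None.

        Yields StatusMessage progress updates, then either a FunctionResult
        wrapping the 'content' of the Splunk reply or a FunctionError carrying
        the exception text. TLS verification of the Splunk server is governed
        only by the app.config option ``verify_cert`` (the literal string
        "false" disables it).
        """
        # Bound outside the try so the except handler can always log, even if
        # the failure happens before the body's first statement.
        log = logging.getLogger(__name__)
        try:
            # Get the function parameters:
            splunk_threat_intel_type = kwargs.get(
                "splunk_threat_intel_type")  # text
            # splunk_query_param1 .. splunk_query_param10, in order (text)
            query_params = [
                kwargs.get("splunk_query_param%d" % i) for i in range(1, 11)
            ]

            # Default is to verify the Splunk certificate; only the exact string
            # "false" in app.config turns it off (any other value fails secure).
            splunk_verify_cert = True
            if "verify_cert" in self.options and self.options[
                    "verify_cert"] == "false":
                splunk_verify_cert = False
                # Make a deliberately weakened TLS posture visible in the logs.
                log.warning("verify_cert is false: the Splunk server "
                            "certificate will NOT be verified")

            log.info("splunk_threat_intel_type: %s", splunk_threat_intel_type)
            for index, param in enumerate(query_params, start=1):
                log.info("splunk_query_param%d: %s", index, param)
            log.info("splunk_verify_cert: %s", splunk_verify_cert)

            yield StatusMessage("starting...")

            result_payload = ResultPayload(SECTION_HDR, **kwargs)

            # build the dict used to add threat intel item
            item_dict = function_utils.make_item_dict(query_params)
            # log it for debug
            log.debug("item dict: %s", item_dict)

            splnk_utils = splunk_utils.SplunkUtils(
                host=self.options["host"],
                port=self.options["port"],
                username=self.options["username"],
                password=self.options["splunkpassword"],
                verify=splunk_verify_cert)

            # NOTE(review): cafile receives the boolean verify flag rather than a
            # CA bundle path -- confirm SplunkUtils.add_threat_intel_item
            # expects that.
            splunk_result = splnk_utils.add_threat_intel_item(
                threat_type=splunk_threat_intel_type,
                threat_dict=item_dict,
                cafile=splunk_verify_cert)

            yield StatusMessage("done...")

            # Produce a FunctionResult with the results
            yield FunctionResult(
                result_payload.done(True, splunk_result.get('content', {})))
        except Exception as e:
            # log.exception keeps the traceback; the message text is unchanged.
            log.exception("Function execution throws exception %s", e)
            # Pass the message on so the workflow shows why the call failed
            # (same as the delete-threat-intel function).
            yield FunctionError(str(e))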