
feat(app/addon): Add Cortex XDR incident support to App and Add-on in…
…cluding new XDR Incidents dashboard

PR: #166

BREAKING CHANGE: Replaces Adversary Scoreboard and Incident Feed dashboards with new XDR Incidents dashboard
paulmnguyen authored and btorresgil committed May 8, 2021
1 parent f61a60c commit 3150694
Showing 19 changed files with 1,200 additions and 231 deletions.
6 changes: 6 additions & 0 deletions Splunk_TA_paloalto/README/inputs.conf.spec
Expand Up @@ -17,6 +17,12 @@ access_key_id =
secret_access_key =
python.version = python3

[cortex_xdr://<name>]
xdr_tenant = Value can be found in Cortex XDR URL: https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com/
xdr_region = Value can be found in Cortex XDR URL: https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com/
xdr_key_id = API key should have "Advanced" security level with a role of "Viewer"
xdr_key = API key should have "Advanced" security level with a role of "Viewer"

# [threatlist://<name>]
# description =
# interval =
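Review bot: The new `[cortex_xdr://<name>]` stanza documents `xdr_key_id` and `xdr_key` with the same UI help sentence and says nothing about how those values are stored, while the add-on's UI definition in this commit marks both fields as encrypted. Someone editing inputs.conf by hand therefore gets no hint that writing the key in clear text here differs from entering it through the add-on UI. A short spec comment, such as `# xdr_key_id and xdr_key are stored encrypted when entered through the add-on UI; avoid placing them in clear text in inputs.conf`, would make that explicit; how the UI persists them is inferred from the `encrypted` flags rather than from this file.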
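--- a/Splunk_TA_paloalto/appserver/static/js/build/globalConfig.json
+++ b/Splunk_TA_paloalto/appserver/static/js/build/globalConfig.json
@@ -337,6 +337,22 @@
 {
 "field": "secret_access_key",
 "label": "Secret Access Key"
+},
+{
+"field": "xdr_tenant",
+"label": "Tenant Name"
+},
+{
+"field": "xdr_region",
+"label": "Tenant Region"
+},
+{
+"field": "xdr_key_id",
+"label": "API Key ID"
+},
+{
+"field": "xdr_key",
+"label": "API Key"
 }
 ],
 "actions": [
@@ -723,6 +739,129 @@
 ]
 }
 ]
+},
+{
+"name": "cortex_xdr",
+"title": "Cortex XDR",
+"entity": [
+{
+"field": "name",
+"label": "Name",
+"type": "text",
+"help": "Enter a unique name for the data input",
+"required": true,
+"validators": [
+{
+"type": "regex",
+"pattern": "^[a-zA-Z]\\w*$",
+"errorMsg": "Input Name must start with a letter and followed by alphabetic letters, digits or underscores."
+},
+{
+"type": "string",
+"minLength": 1,
+"maxLength": 100,
+"errorMsg": "Length of input name should be between 1 and 100"
+}
+]
+},
+{
+"field": "interval",
+"label": "Interval",
+"type": "text",
+"required": true,
+"help": "Time interval of input in seconds.",
+"validators": [
+{
+"type": "regex",
+"pattern": "^\\-[1-9]\\d*$|^\\d*$",
+"errorMsg": "Interval must be an integer."
+}
+]
+},
+{
+"field": "index",
+"label": "Index",
+"type": "singleSelect",
+"defaultValue": "default",
+"options": {
+"endpointUrl": "data/indexes",
+"blackList": "^_.*$",
+"createSearchChoice": true
+},
+"required": true,
+"validators": [
+{
+"type": "string",
+"minLength": 1,
+"maxLength": 80,
+"errorMsg": "Length of index name should be between 1 and 80."
+}
+]
+},
+{
+"field": "xdr_tenant",
+"label": "Tenant Name",
+"help": "Value can be found in Cortex XDR URL: https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com/",
+"required": true,
+"type": "text",
+"validators": [
+{
+"type": "string",
+"minLength": 0,
+"maxLength": 8192,
+"errorMsg": "Max length of text input is 8192"
+}
+]
+},
+{
+"field": "xdr_region",
+"label": "Tenant Region",
+"help": "Value can be found in Cortex XDR URL: https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com/",
+"required": true,
+"type": "text",
+"defaultValue": "us",
+"validators": [
+{
+"type": "string",
+"minLength": 0,
+"maxLength": 8192,
+"errorMsg": "Max length of text input is 8192"
+}
+]
+},
+{
+"field": "xdr_key_id",
+"label": "API Key ID",
+"help": "API key should have \"Advanced\" security level with a role of \"Viewer\"",
+"required": true,
+"type": "text",
+"encrypted": true,
+"validators": [
+{
+"type": "string",
+"minLength": 0,
+"maxLength": 8192,
+"errorMsg": "Max length of password is 8192"
+}
+]
+},
+{
+"field": "xdr_key",
+"label": "API Key",
+"help": "API key should have \"Advanced\" security level with a role of \"Viewer\"",
+"required": true,
+"type": "text",
+"encrypted": true,
+"validators": [
+{
+"type": "string",
+"minLength": 0,
+"maxLength": 8192,
+"errorMsg": "Max length of password is 8192"
+}
+]
+}
+]
+}
 ]
 }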
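Review bot: In the second hunk the `xdr_tenant` and `xdr_region` entities of the new `cortex_xdr` input carry only a `string` validator with `minLength` 0 and `maxLength` 8192, although both are `required` and their help text describes them as pieces of the tenant hostname `https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com/`. A `minLength` of 0 lets a required field be saved empty, and the wide bound admits characters that cannot occur in a hostname label, so a mistyped value (presumably used later to build the API URL; the collector code is not in this section) is rejected only when the first request fails rather than at configuration time. A hostname-label pattern alongside the existing validator would catch this in the UI: `{ "type": "regex", "pattern": "^[A-Za-z0-9-]+$", "errorMsg": "Tenant name may contain only letters, digits and hyphens." }`, with the same pattern for `xdr_region`. The REST handler `Splunk_TA_paloalto/bin/Splunk_TA_paloalto_rh_cortex_xdr.py` in this commit declares the same `validator.String(min_len=0, max_len=8192)` for both fields and should get the matching `validator.Pattern` so the UI and the endpoint agree.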
98 changes: 98 additions & 0 deletions Splunk_TA_paloalto/bin/Splunk_TA_paloalto_rh_cortex_xdr.py
@@ -0,0 +1,98 @@

import splunk_ta_paloalto_declare

from splunktaucclib.rest_handler.endpoint import (
field,
validator,
RestModel,
DataInputModel,
)
from splunktaucclib.rest_handler import admin_external, util
from splunk_aoblib.rest_migration import ConfigMigrationHandler

util.remove_http_proxy_env_vars()


fields = [
field.RestField(
'interval',
required=True,
encrypted=False,
default=None,
validator=validator.Pattern(
regex=r"""^\-[1-9]\d*$|^\d*$""",
)
),
field.RestField(
'index',
required=True,
encrypted=False,
default='default',
validator=validator.String(
min_len=1,
max_len=80,
)
),
field.RestField(
'xdr_tenant',
required=True,
encrypted=False,
default=None,
validator=validator.String(
min_len=0,
max_len=8192,
)
),
field.RestField(
'xdr_region',
required=True,
encrypted=False,
default='us',
validator=validator.String(
min_len=0,
max_len=8192,
)
),
field.RestField(
'xdr_key_id',
required=True,
encrypted=True,
default=None,
validator=validator.String(
min_len=0,
max_len=8192,
)
),
field.RestField(
'xdr_key',
required=True,
encrypted=True,
default=None,
validator=validator.String(
min_len=0,
max_len=8192,
)
),

field.RestField(
'disabled',
required=False,
validator=None
)

]
model = RestModel(fields, name=None)



endpoint = DataInputModel(
'cortex_xdr',
model,
)


if __name__ == '__main__':
admin_external.handle(
endpoint,
handler=ConfigMigrationHandler,
)
102 changes: 102 additions & 0 deletions Splunk_TA_paloalto/bin/cortex_xdr.py
@@ -0,0 +1,102 @@
import splunk_ta_paloalto_declare

import os
import sys
import time
import datetime
import json

import modinput_wrapper.base_modinput
from solnlib.packages.splunklib import modularinput as smi



import input_module_cortex_xdr as input_module

bin_dir = os.path.basename(__file__)

'''
Do not edit this file!!!
This file is generated by Add-on builder automatically.
Add your modular input logic to file input_module_cortex_xdr.py
'''
class ModInputcortex_xdr(modinput_wrapper.base_modinput.BaseModInput):

def __init__(self):
if 'use_single_instance_mode' in dir(input_module):
use_single_instance = input_module.use_single_instance_mode()
else:
use_single_instance = False
super(ModInputcortex_xdr, self).__init__("splunk_ta_paloalto", "cortex_xdr", use_single_instance)
self.global_checkbox_fields = None

def get_scheme(self):
"""overloaded splunklib modularinput method"""
scheme = super(ModInputcortex_xdr, self).get_scheme()
scheme.title = ("Cortex XDR")
scheme.description = ("Go to the add-on\'s configuration UI and configure modular inputs under the Inputs menu.")
scheme.use_external_validation = True
scheme.streaming_mode_xml = True

scheme.add_argument(smi.Argument("name", title="Name",
description="",
required_on_create=True))

"""
For customized inputs, hard code the arguments here to hide argument detail from users.
For other input types, arguments should be get from input_module. Defining new input types could be easier.
"""
scheme.add_argument(smi.Argument("xdr_tenant", title="Tenant Name",
description="Value can be found in Cortex XDR URL: https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com/",
required_on_create=True,
required_on_edit=False))
scheme.add_argument(smi.Argument("xdr_region", title="Tenant Region",
description="Value can be found in Cortex XDR URL: https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com/",
required_on_create=True,
required_on_edit=False))
scheme.add_argument(smi.Argument("xdr_key_id", title="API Key ID",
description="API key should have \"Advanced\" security level with a role of \"Viewer\"",
required_on_create=True,
required_on_edit=False))
scheme.add_argument(smi.Argument("xdr_key", title="API Key",
description="API key should have \"Advanced\" security level with a role of \"Viewer\"",
required_on_create=True,
required_on_edit=False))
return scheme

def get_app_name(self):
return "Splunk_TA_paloalto"

def validate_input(self, definition):
"""validate the input stanza"""
input_module.validate_input(self, definition)

def collect_events(self, ew):
"""write out the events"""
input_module.collect_events(self, ew)

def get_account_fields(self):
account_fields = []
return account_fields

def get_checkbox_fields(self):
checkbox_fields = []
return checkbox_fields

def get_global_checkbox_fields(self):
if self.global_checkbox_fields is None:
checkbox_name_file = os.path.join(bin_dir, 'global_checkbox_param.json')
try:
if os.path.isfile(checkbox_name_file):
with open(checkbox_name_file, 'r') as fp:
self.global_checkbox_fields = json.load(fp)
else:
self.global_checkbox_fields = []
except Exception as e:
self.log_error('Get exception when loading global checkbox parameter names. ' + str(e))
self.global_checkbox_fields = []
return self.global_checkbox_fields

if __name__ == "__main__":
exitcode = ModInputcortex_xdr().run(sys.argv)
sys.exit(exitcode)
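Review bot: `bin_dir = os.path.basename(__file__)` binds the file name (`cortex_xdr.py`), not its directory, so `get_global_checkbox_fields` joins it into the relative path `cortex_xdr.py/global_checkbox_param.json`, which `os.path.isfile` can never satisfy; the method therefore always ends up with `[]` and any global checkbox parameters are silently dropped. The intended line is `bin_dir = os.path.dirname(os.path.abspath(__file__))`. The header comment says the file is generated by Add-on Builder, so the correction may belong in the generator output rather than a hand edit, and any other generated modular inputs in this add-on are likely to carry the same line. The `except Exception` fallback in that method logs and defaults instead of failing, which is why the wrong path does not surface as an error.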

