Integrate Cortex XDR incidents #166

merged 12 commits into from
May 8, 2021
6 changes: 6 additions & 0 deletions Splunk_TA_paloalto/README/inputs.conf.spec
Expand Up @@ -17,6 +17,12 @@ access_key_id =
secret_access_key =
python.version = python3

[cortex_xdr://<name>]
xdr_tenant = Value can be found in Cortex XDR URL: https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com/
xdr_region = Value can be found in Cortex XDR URL: https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com/
xdr_key_id = API key should have "Advanced" security level with a role of "Viewer"
xdr_key = API key should have "Advanced" security level with a role of "Viewer"

# [threatlist://<name>]
# description =
# interval =
139 changes: 139 additions & 0 deletions Splunk_TA_paloalto/appserver/static/js/build/globalConfig.json
Expand Up @@ -337,6 +337,22 @@
{
"field": "secret_access_key",
"label": "Secret Access Key"
},
{
"field": "xdr_tenant",
"label": "Tenant Name"
},
{
"field": "xdr_region",
"label": "Tenant Region"
},
{
"field": "xdr_key_id",
"label": "API Key ID"
},
{
"field": "xdr_key",
"label": "API Key"
}
],
"actions": [
Expand Down Expand Up @@ -723,6 +739,129 @@
]
}
]
},
{
"name": "cortex_xdr",
"title": "Cortex XDR",
"entity": [
{
"field": "name",
"label": "Name",
"type": "text",
"help": "Enter a unique name for the data input",
"required": true,
"validators": [
{
"type": "regex",
"pattern": "^[a-zA-Z]\\w*$",
"errorMsg": "Input Name must start with a letter and followed by alphabetic letters, digits or underscores."
},
{
"type": "string",
"minLength": 1,
"maxLength": 100,
"errorMsg": "Length of input name should be between 1 and 100"
}
]
},
{
"field": "interval",
"label": "Interval",
"type": "text",
"required": true,
"help": "Time interval of input in seconds.",
"validators": [
{
"type": "regex",
"pattern": "^\\-[1-9]\\d*$|^\\d*$",
"errorMsg": "Interval must be an integer."
}
]
},
{
"field": "index",
"label": "Index",
"type": "singleSelect",
"defaultValue": "default",
"options": {
"endpointUrl": "data/indexes",
"blackList": "^_.*$",
"createSearchChoice": true
},
"required": true,
"validators": [
{
"type": "string",
"minLength": 1,
"maxLength": 80,
"errorMsg": "Length of index name should be between 1 and 80."
}
]
},
{
"field": "xdr_tenant",
"label": "Tenant Name",
"help": "Value can be found in Cortex XDR URL: https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com/",
"required": true,
"type": "text",
"validators": [
{
"type": "string",
"minLength": 0,
"maxLength": 8192,
"errorMsg": "Max length of text input is 8192"
}
]
},
{
"field": "xdr_region",
"label": "Tenant Region",
"help": "Value can be found in Cortex XDR URL: https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com/",
"required": true,
"type": "text",
"defaultValue": "us",
"validators": [
{
"type": "string",
"minLength": 0,
"maxLength": 8192,
"errorMsg": "Max length of text input is 8192"
}
]
},
{
"field": "xdr_key_id",
"label": "API Key ID",
"help": "API key should have \"Advanced\" security level with a role of \"Viewer\"",
"required": true,
"type": "text",
"encrypted": true,
"validators": [
{
"type": "string",
"minLength": 0,
"maxLength": 8192,
"errorMsg": "Max length of password is 8192"
}
]
},
{
"field": "xdr_key",
"label": "API Key",
"help": "API key should have \"Advanced\" security level with a role of \"Viewer\"",
"required": true,
"type": "text",
"encrypted": true,
"validators": [
{
"type": "string",
"minLength": 0,
"maxLength": 8192,
"errorMsg": "Max length of password is 8192"
}
]
}
]
}
]
}
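Review bot: `xdr_tenant` and `xdr_region` in the `cortex_xdr` input entity accept any string of up to 8192 characters (the two `"type": "string"` validators with `"minLength": 0`), yet the help text on the same fields says they are spliced into `https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com/`. If the collector really builds its request URL from these values as that text suggests (the input module is not part of this diff), a tenant such as `evil.example.net/#` or a region containing `@` or `?` could point the poller, and the API key it presents, at a host other than Palo Alto's, so the UI should accept only a single DNS label. Replace the `string` validator on both fields with a `regex` one as below; this is browser-side validation only, so the REST handler needs the same pattern. The `interval` pattern `^\\-[1-9]\\d*$|^\\d*$` also matches the empty string and `0`, which the error text "Interval must be an integer" does not suggest is intended.
```json
"field": "xdr_tenant",
"validators": [
  {
    "type": "regex",
    "pattern": "^[A-Za-z0-9-]{1,63}$",
    "errorMsg": "Must be a single DNS label: letters, digits and hyphens only."
  }
]
```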
98 changes: 98 additions & 0 deletions Splunk_TA_paloalto/bin/Splunk_TA_paloalto_rh_cortex_xdr.py
@@ -0,0 +1,98 @@

import splunk_ta_paloalto_declare

from splunktaucclib.rest_handler.endpoint import (
field,
validator,
RestModel,
DataInputModel,
)
from splunktaucclib.rest_handler import admin_external, util
from splunk_aoblib.rest_migration import ConfigMigrationHandler

util.remove_http_proxy_env_vars()


fields = [
field.RestField(
'interval',
required=True,
encrypted=False,
default=None,
validator=validator.Pattern(
regex=r"""^\-[1-9]\d*$|^\d*$""",
)
),
field.RestField(
'index',
required=True,
encrypted=False,
default='default',
validator=validator.String(
min_len=1,
max_len=80,
)
),
field.RestField(
'xdr_tenant',
required=True,
encrypted=False,
default=None,
validator=validator.String(
min_len=0,
max_len=8192,
)
),
field.RestField(
'xdr_region',
required=True,
encrypted=False,
default='us',
validator=validator.String(
min_len=0,
max_len=8192,
)
),
field.RestField(
'xdr_key_id',
required=True,
encrypted=True,
default=None,
validator=validator.String(
min_len=0,
max_len=8192,
)
),
field.RestField(
'xdr_key',
required=True,
encrypted=True,
default=None,
validator=validator.String(
min_len=0,
max_len=8192,
)
),

field.RestField(
'disabled',
required=False,
validator=None
)

]
model = RestModel(fields, name=None)



endpoint = DataInputModel(
'cortex_xdr',
model,
)


if __name__ == '__main__':
admin_external.handle(
endpoint,
handler=ConfigMigrationHandler,
)
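Review bot: The `validator.String(min_len=0, max_len=8192)` on `xdr_tenant` and `xdr_region` is the server-side check for two values that, per the spec text in this PR, form the Cortex XDR hostname, and it is the check that matters because the validators in globalConfig.json run only in the browser and are skipped by anyone who writes to the `cortex_xdr` REST endpoint directly. If the input module builds the URL from these fields (it is not in this diff), a tenant of `evil.example.net/#` would redirect the poll, API key included, to a host of the caller's choosing. Restrict both fields to a DNS label: `validator=validator.Pattern(regex=r"^[A-Za-z0-9-]{1,63}$")`. `min_len=0` alongside `required=True` on the four `xdr_*` fields also lets an empty string through the length check; `min_len=1` (or the pattern above) closes that.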
102 changes: 102 additions & 0 deletions Splunk_TA_paloalto/bin/cortex_xdr.py
@@ -0,0 +1,102 @@
import splunk_ta_paloalto_declare

import os
import sys
import time
import datetime
import json

import modinput_wrapper.base_modinput
from solnlib.packages.splunklib import modularinput as smi



import input_module_cortex_xdr as input_module

bin_dir = os.path.basename(__file__)

'''
Do not edit this file!!!
This file is generated by Add-on builder automatically.
Add your modular input logic to file input_module_cortex_xdr.py
'''
class ModInputcortex_xdr(modinput_wrapper.base_modinput.BaseModInput):

def __init__(self):
if 'use_single_instance_mode' in dir(input_module):
use_single_instance = input_module.use_single_instance_mode()
else:
use_single_instance = False
super(ModInputcortex_xdr, self).__init__("splunk_ta_paloalto", "cortex_xdr", use_single_instance)
self.global_checkbox_fields = None

def get_scheme(self):
"""overloaded splunklib modularinput method"""
scheme = super(ModInputcortex_xdr, self).get_scheme()
scheme.title = ("Cortex XDR")
scheme.description = ("Go to the add-on\'s configuration UI and configure modular inputs under the Inputs menu.")
scheme.use_external_validation = True
scheme.streaming_mode_xml = True

scheme.add_argument(smi.Argument("name", title="Name",
description="",
required_on_create=True))

"""
For customized inputs, hard code the arguments here to hide argument detail from users.
For other input types, arguments should be get from input_module. Defining new input types could be easier.
"""
scheme.add_argument(smi.Argument("xdr_tenant", title="Tenant Name",
description="Value can be found in Cortex XDR URL: https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com/",
required_on_create=True,
required_on_edit=False))
scheme.add_argument(smi.Argument("xdr_region", title="Tenant Region",
description="Value can be found in Cortex XDR URL: https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com/",
required_on_create=True,
required_on_edit=False))
scheme.add_argument(smi.Argument("xdr_key_id", title="API Key ID",
description="API key should have \"Advanced\" security level with a role of \"Viewer\"",
required_on_create=True,
required_on_edit=False))
scheme.add_argument(smi.Argument("xdr_key", title="API Key",
description="API key should have \"Advanced\" security level with a role of \"Viewer\"",
required_on_create=True,
required_on_edit=False))
return scheme

def get_app_name(self):
return "Splunk_TA_paloalto"

def validate_input(self, definition):
"""validate the input stanza"""
input_module.validate_input(self, definition)

def collect_events(self, ew):
"""write out the events"""
input_module.collect_events(self, ew)

def get_account_fields(self):
account_fields = []
return account_fields

def get_checkbox_fields(self):
checkbox_fields = []
return checkbox_fields

def get_global_checkbox_fields(self):
if self.global_checkbox_fields is None:
checkbox_name_file = os.path.join(bin_dir, 'global_checkbox_param.json')
try:
if os.path.isfile(checkbox_name_file):
with open(checkbox_name_file, 'r') as fp:
self.global_checkbox_fields = json.load(fp)
else:
self.global_checkbox_fields = []
except Exception as e:
self.log_error('Get exception when loading global checkbox parameter names. ' + str(e))
self.global_checkbox_fields = []
return self.global_checkbox_fields

if __name__ == "__main__":
exitcode = ModInputcortex_xdr().run(sys.argv)
sys.exit(exitcode)
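Review bot: `bin_dir = os.path.basename(__file__)` yields the file name (`cortex_xdr.py`), not its directory, so `get_global_checkbox_fields` looks for `cortex_xdr.py/global_checkbox_param.json`, a path that can never exist, and the method returns `[]` on every run without ever logging a problem. The fix is `bin_dir = os.path.dirname(os.path.abspath(__file__))`; since the banner says the file is generated by Add-on Builder, the template should be corrected as well or the next regeneration will reintroduce it. `validate_input` and `collect_events` delegate entirely to `input_module_cortex_xdr`, which is not in this diff, so how `xdr_key` is actually sent and whether `validate_input` tests the credentials cannot be reviewed here.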