Dev 1.1.0 (#14)

* update to version 1.0.2

* update to version 1.0.2

* #9

* update permissions

* #4

* #10

* various update

* #12

Author: romain-filigran

README.md

@@ -18,10 +18,10 @@ The app is installed
 
 ### Installing from file
 
-1. Download latest version of the Splunk App: [TA-opencti-add-on-1.0.1.spl](https://github.com/OpenCTI-Platform/splunk-add-on/releases/download/1.0.1/TA-opencti-add-on-1.0.1.spl)
+1. Download latest version of the Splunk App: [TA-opencti-add-on-1.1.0.spl](https://github.com/OpenCTI-Platform/splunk-add-on/releases/download/1.1.0/TA-opencti-add-on-1.1.0.spl)
 2. Log in to the Splunk Web UI and navigate to "Apps" and click on "Manage Apps"
 3. Click "Install app from file"
-4. Choose file and select the "TA-opencti-add-on-1.0.1.spl" file
+4. Choose file and select the "TA-opencti-add-on-1.1.0.spl" file
 5. Click on Upload
 The app is installed
 
@@ -68,7 +68,7 @@ If a proxy configuration is required to connect to OpenCTI platform, you can con
 ## OpenCTI Indicators Inputs Configuration
 
 The “OpenCTI Add-On for Splunk” enables Splunk to be feed with indicators exposed through a live stream. To do this, the add-on implements and manages Splunk modular inputs. 
-Indicators are stored in a dedicated kvstore named “opencti_iocs”. 
+Indicators are stored in a dedicated kvstore named “opencti_indicators”. 
 A default lookup definition named "opencti_lookup" is also implemented to facilitate indicator management.
 
 Proceed as follows to enable the ingestion of indicators:

TA-opencti-add-on/app.manifest

@@ -1,21 +1,21 @@
 {
   "schemaVersion": "2.0.0",
   "info": {
-    "title": "OpenCTI Add-on",
+    "title": "OpenCTI Add-on for Splunk",
     "id": {
       "group": null,
       "name": "TA-opencti-add-on",
-      "version": "1.0.1"
+      "version": "1.1.0"
     },
     "author": [
       {
         "name": "Filigran",
-        "email": null,
-        "company": null
+        "email": "contact@filigran.io",
+        "company": "Filigran"
       }
     ],
     "releaseDate": null,
-    "description": "",
+    "description": "Add-on for OpenCTI",
     "classification": {
       "intendedAudience": null,
       "categories": [],
@@ -34,26 +34,18 @@
     },
     "releaseNotes": {
       "name": null,
-      "text": null,
+      "text": "./README.txt",
       "uri": null
     }
   },
-  "dependencies": {
-  },
-  "tasks": [],
-  "inputGroups": {
-  },
-  "incompatibleApps": {
-  },
-  "platformRequirements": {
-    "splunk": {
-      "Enterprise": "*"
-    }
-  },
+  "dependencies": null,
+  "tasks": null,
+  "inputGroups": null,
+  "incompatibleApps": null,
+  "platformRequirements": null,
   "supportedDeployments": [
-    "*"
+    "_standalone",
+    "_distributed"
   ],
-  "targetWorkloads": [
-    "*"
-  ]
+  "targetWorkloads": null
 }

TA-opencti-add-on/appserver/static/js/build/globalConfig.json

@@ -2,7 +2,7 @@
     "meta": {
         "name": "TA-opencti-add-on",
         "displayName": "OpenCTI Add-on",
-        "version": "1.0.1",
+        "version": "1.1.0",
         "restRoot": "TA_opencti_add_on",
         "_uccVersion": "5.39.0",
         "schemaVersion": "0.0.3"

TA-opencti-add-on/appserver/static/openapi.json

@@ -2,7 +2,7 @@
     "openapi": "3.0.0",
     "info": {
         "title": "TA-opencti-add-on",
-        "version": "1.0.1",
+        "version": "1.1.0",
         "description": "OpenCTI Add-on",
         "contact": {
             "name": "Filigran"

TA-opencti-add-on/bin/input_module_opencti_indicators.py

@@ -1,12 +1,15 @@
 # encoding = utf-8
-from datetime import datetime, timezone, timedelta
 import json
+import sys
+from datetime import datetime, timezone, timedelta
+
+import six
 import splunklib.client as client
 from filigran_sseclient import SSEClient
 from stix2patterns.v21.pattern import Pattern
-import six
+
+from ta_opencti_add_on.constants import VERIFY_SSL, INDICATORS_KVSTORE_NAME
 from ta_opencti_add_on.utils import get_proxy_config
-import sys
 
 '''
     IMPORTANT
@@ -36,6 +39,7 @@ def use_single_instance_mode():
 
 IDENTITY_DEFs = {}
 
+
 def date_now_z():
     """get the current date (UTC)
     :return: current datetime for utc
@@ -48,6 +52,7 @@ def date_now_z():
         .replace("+00:00", "Z")
     )
 
+
 def validate_input(helper, definition):
     """Implement your own validation logic to validate the input stanza configurations"""
     # This example accesses the modular input variable
@@ -56,13 +61,19 @@ def validate_input(helper, definition):
 
 
 def exist_in_kvstore(kv_store, key_id):
+    """
+    :param kv_store:
+    :param key_id:
+    :return:
+    """
     try:
         kv_store.query_by_id(key_id)
         exist = True
     except:
         exist = False
     return exist
 
+
 def sanitize_key(key):
     """Sanitize key name for Splunk usage
 
@@ -78,7 +89,12 @@ def sanitize_key(key):
     """
     return key.replace(".", ":").replace("'", "")
 
+
 def parse_stix_pattern(stix_pattern):
+    """
+    :param stix_pattern:
+    :return:
+    """
     parsed_pattern = Pattern(stix_pattern)
     for observable_type, comparisons in six.iteritems(
             parsed_pattern.inspect().comparisons
@@ -93,9 +109,14 @@ def parse_stix_pattern(stix_pattern):
                             "value": obj_value.strip("'")
                         }
 
-def enrich_payload(splunk_helper, payload):
 
-    # add stream id and input name #TODO: check if it's usefull
+def enrich_payload(splunk_helper, payload):
+    """
+    :param splunk_helper:
+    :param payload:
+    :return:
+    """
+    # add stream id and input name #TODO: check if it's useful
     payload["stream_id"] = splunk_helper.get_arg('stream_id')
     payload["input_name"] = splunk_helper.get_input_stanza_names()
 
@@ -244,12 +265,14 @@ def collect_events(helper, ew):
         raise Exception("Unable to initialize connection with Splunk, Splunk client is None")
 
     # manage kvstore
+    """
     indicators_kvstore = "opencti_indicators"
     try:
         # Create KV Store if it doesn't exist
         splunk.kvstore.create(indicators_kvstore)
     except Exception as ex:
         helper.log_info(f"An exception occurred while creating kv_store, {ex}")
+    """
 
     # get proxy setting configuration
     proxies = get_proxy_config(helper)
@@ -263,15 +286,15 @@ def collect_events(helper, ew):
     helper.log_info(f"going to fetch data of OpenCTI stream.id: {stream_id}")
 
     # load kvstore
-    kv_store = splunk.kvstore[indicators_kvstore].data
+    kv_store = splunk.kvstore[INDICATORS_KVSTORE_NAME].data
 
     # get stream state
     state = helper.get_check_point(input_name)
     helper.log_info(f"checkpoint State: {state}")
     if state is None:
         helper.log_info("No state, going to initialize it")
         import_from = helper.get_arg('import_from')
-        recover_until =  datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ")
+        recover_until = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ")
         start_date = datetime.utcnow() - timedelta(days=int(import_from))
         start_date_timestamp = int(datetime.timestamp(start_date)) * 1000
         state = {"start_from": str(start_date_timestamp)+"-0", "recover_until": recover_until}
@@ -281,7 +304,7 @@ def collect_events(helper, ew):
         helper.log_info(f"State: {state}")
 
     if "recover_until" in state:
-        live_stream_url = opencti_url+"/stream/"+stream_id+ "?recover=" + state.get("recover_until")
+        live_stream_url = opencti_url+"/stream/"+stream_id + "?recover=" + state.get("recover_until")
     else:
         live_stream_url = opencti_url+"/stream/"+stream_id
 
@@ -296,7 +319,7 @@ def collect_events(helper, ew):
                 "no-dependencies": "true",
                 "with-inferences": "true",
             },
-            verify=True,
+            verify=VERIFY_SSL,
             proxies=proxies
         )
 
@@ -308,7 +331,8 @@ def collect_events(helper, ew):
                     if parsed_stix is None:
                         helper.log_error(f"Unable to process indicator: {data['name']} - {data['pattern']}")
                         continue
-                    helper.log_info("processing msg: "+ msg.event +" - "+ msg.id +" - "+parsed_stix['name']+" - "+parsed_stix['pattern'])
+                    helper.log_info("processing msg: " + msg.event + " - " + msg.id + " - " + parsed_stix['name']
+                                    + " - " + parsed_stix['pattern'])
                     if msg.event == "create" or msg.event == "update":
                         exist = exist_in_kvstore(kv_store, parsed_stix["_key"])
                         if exist:
@@ -322,13 +346,15 @@ def collect_events(helper, ew):
                             kv_store.delete_by_id(parsed_stix["_key"])
 
                 if data['type'] == "marking-definition":
-                    helper.log_info("processing msg: "+ msg.event +" - "+ msg.id +" - "+data['name']+" - "+data['id'])
+                    helper.log_info("processing msg: " + msg.event + " - " + msg.id +" - "
+                                    + data['name'] + " - " + data['id'])
                     if msg.event == "create" or msg.event == "update":
                         if data['id'] not in MARKING_DEFs:
                             MARKING_DEFs[data['id']] = data['name']
 
                 if data['type'] == "identity":
-                    helper.log_info("processing msg: "+ msg.event +" - "+ msg.id +" - "+data['name']+" - "+data['id'])
+                    helper.log_info("processing msg: " + msg.event + " - " + msg.id + " - "
+                                    + data['name'] + " - " + data['id'])
                     if msg.event == "create" or msg.event == "update":
                         if data['id'] not in IDENTITY_DEFs:
                             IDENTITY_DEFs[data['id']] = data['name']