Reintroduce earliest_occurrence_time_fieldname and latest_occurrence_…

[pmunaretto]

…time_fieldname parameters in SplunkPy integration

Contributing to Cortex XSOAR Content

Make sure to register your contribution by filling the contribution registration form

The Pull Request will be reviewed only after the contribution registration form is filled.

Status

• In Progress
• Ready
• In Hold - (Reason for hold)

Related Issues

fixes: n/a

Description

In version 2.1.10 of the SplunkPy integration, the ability to customize the earliest_fetch_time_fieldname and latest_fetch_time_fieldname parameters in the oneshot fetch search was removed (#14365). These parameters are essential for dispatching the fetch search based on index_earliest and index_latest time filters, rather than the default earliest_time and latest_time.

Although the code for these parameters was reintroduced in version 2.3.0 (#16576), the corresponding parameters in the configuration file were not, making it impossible to set these values. The new parameter names are earliest_occurrence_time_fieldname and latest_occurrence_time_fieldname.

This pull request aims to reintroduce the earliest_occurrence_time_fieldname and latest_occurrence_time_fieldname parameters in the SplunkPy integration's configuration file (SplunkPy.yml) and ensure they are properly utilized in the code (SplunkPy.py).

By reintroducing these parameters, users can customize the oneshot fetch search based on specific time filters, enhancing the flexibility and usability of the SplunkPy integration.

Must have

• Tests
• Documentation

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[content-bot]

Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @mmhw will know the proposed changes are ready to be reviewed.
For your convenience, here is a link to the contributions SLAs document.

[content-bot]

Unfortunately, your PR review will be slightly delayed because of an Israeli holiday in the upcoming week (the 12th of April - the 19th of April). Thank you in advance for your patience and understanding.

[content-bot]

Hi @pmunaretto, thanks for contributing to the XSOAR marketplace. To receive credit for your generous contribution please follow this link.

[mmhw]

Hi @pmunaretto,
Thank you for your contribution!
Good work :)

I would appreciate it if you could explain exactly what use case you need this functionality for, this is just about Fetch.

Please feel free to reach out to me with any questions - I'm available here or on slack :)
Thanks again

[pmunaretto]

Hi @mmhw,

Thank you for your kind words and feedback!

Our use case involves writing security incidents in Splunk that sometimes have a _time field set in the past, as we use the _time field to represent the first activity related to the incident. We definitely don't want to miss these incidents in our XSOAR incident ingestion. To ensure the completeness of the incidents, we want to include all newly indexed events from our incidents index in XSOAR, regardless of what the _time field is. Specifically, this means index_earliest=-15m and index_latest=now. This was possible until version 2.1.10, but not anymore.

Please feel free to reach out to me if you have any further questions.

[mmhw]

Hi @pmunaretto,

Hi, I sent you an email.

Thanks!