From fbd4a7eb5afd0a001dfad14c32ec129945fefdff Mon Sep 17 00:00:00 2001 From: athreyam Date: Wed, 26 Nov 2025 11:12:18 +0530 Subject: [PATCH 1/2] refactor: remove unused configuration parameters and methods --- .pylintrc | 2 + NOTICE | 2 +- README.md | 1 - release_notes/unreleased.md | 1 + splunk.json | 36 +++++++---------- splunk_connector.py | 79 +------------------------------------ splunk_consts.py | 8 ---- 7 files changed, 20 insertions(+), 109 deletions(-) create mode 100644 .pylintrc diff --git a/.pylintrc b/.pylintrc new file mode 100644 index 0000000..fcbba09 --- /dev/null +++ b/.pylintrc @@ -0,0 +1,2 @@ +[MASTER] +ignore=.venv diff --git a/NOTICE b/NOTICE index 6409847..90f3e45 100644 --- a/NOTICE +++ b/NOTICE @@ -4,7 +4,7 @@ Third Party Software Attributions: @@@@============================================================================ -Library: splunk-sdk - 2.1.0 +Library: splunk-sdk - 2.1.1 Homepage: http://github.com/splunk/splunk-sdk-python License: Apache Software License License Text: diff --git a/README.md b/README.md index 252a587..84e534e 100644 --- a/README.md +++ b/README.md @@ -311,7 +311,6 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION **api_token** | optional | password | API token | **splunk_owner** | optional | string | The owner context of the namespace | **splunk_app** | optional | string | The app context of the namespace | -**timezone** | required | timezone | Splunk Server Timezone | **verify_server_cert** | optional | boolean | Verify Server Certificate | **on_poll_command** | optional | string | Command for query to use with On Poll | **on_poll_query** | optional | string | Query to use with On Poll | diff --git a/release_notes/unreleased.md b/release_notes/unreleased.md index fbcb2fd..a1aa37c 100644 --- a/release_notes/unreleased.md +++ b/release_notes/unreleased.md @@ -1 +1,2 @@ **Unreleased** +* remove unused methods and config parameters \ No newline at end of file diff --git a/splunk.json b/splunk.json index b022cdc..aaca62e 100644 --- a/splunk.json +++ b/splunk.json @@ -94,21 +94,15 @@ "order": 6, "data_type": "string" }, - "timezone": { - "data_type": "timezone", - "order": 7, - "description": "Splunk Server Timezone", - "required": true - }, "verify_server_cert": { "data_type": "boolean", - "order": 8, + "order": 7, "description": "Verify Server Certificate", "default": false }, "on_poll_command": { "data_type": "string", - "order": 9, + "order": 8, "description": "Command for query to use with On Poll", "value_list": [ "", @@ -122,78 +116,78 @@ }, "on_poll_query": { "data_type": "string", - "order": 10, + "order": 9, "description": "Query to use with On Poll" }, "on_poll_display": { "data_type": "string", - "order": 11, + "order": 10, "description": "Fields to save with On Poll" }, "on_poll_parse_only": { "data_type": "boolean", - "order": 12, + "order": 11, "description": "Parse Only", "default": true }, "max_container": { "data_type": "numeric", - "order": 13, + "order": 12, "description": "Max events to ingest for Scheduled Polling (Default: 100)", "default": 100 }, "container_update_state": { "data_type": "numeric", - "order": 14, + "order": 13, "description": "Container count to update the state file", "default": 100 }, "container_name_prefix": { "data_type": "string", - "order": 15, + "order": 14, "description": "Name to give containers created via ingestion" }, "container_name_values": { "data_type": "string", - "order": 16, + "order": 15, "description": "Values to append to container name" }, "retry_count": { "description": "Number of retries", "data_type": "numeric", - "order": 17, + "order": 16, "default": 3 }, "remove_empty_cef": { "description": "Remove CEF fields having empty values from the artifact", "data_type": "boolean", - "order": 18, + "order": 17, "default": false }, "sleeptime_in_requests": { "description": "The time to wait for next REST call (max 120 seconds)", "data_type": "numeric", - "order": 19, + "order": 18, "default": 1 }, "include_cim_fields": { "description": "Option to keep original Splunk CIM together with SOAR CEF fields", "data_type": "boolean", - "order": 20, + "order": 19, "default": false, "name": "include_cim_fields" }, "splunk_job_timeout": { "description": "The duration in seconds to wait before a scheduled Splunk job times out", "data_type": "numeric", - "order": 21, + "order": 20, "default": 1200, "name": "splunk_job_timeout" }, "use_event_id_sdi": { "description": "Option to use the event_id field value as the source data identifier instead of the full event hash", "data_type": "boolean", - "order": 22, + "order": 21, "default": "False", "name": "use_event_id_sdi", "id": 22 diff --git a/splunk_connector.py b/splunk_connector.py index 47dab3c..294b233 100644 --- a/splunk_connector.py +++ b/splunk_connector.py @@ -23,12 +23,11 @@ import tempfile import time import traceback -from datetime import datetime, timezone +from datetime import timezone from io import BytesIO from typing import Optional from urllib.error import HTTPError as UrllibHTTPError, URLError from urllib.request import ProxyHandler, Request, build_opener, install_opener, urlopen -from zoneinfo import ZoneInfo import phantom.app as phantom import phantom.rules as soar_vault @@ -1167,82 +1166,6 @@ def _handle_run_query(self, param): search_query, action_result, attach_result=attach_result, kwargs_create=kwargs, parse_only=po, add_raw_field=add_raw ) - def _get_tz_str_from_epoch(self, time_format_str, epoch_milli): - # Need to convert from UTC to the device's timezone, get the device's tz from config - config = self.get_config() - device_tz_sting = config[consts.SPLUNK_JSON_TIMEZONE] - - to_tz = ZoneInfo(device_tz_sting) - - utc_dt = datetime.fromtimestamp(epoch_milli // 1000, tz=timezone.utc) - to_dt = utc_dt.astimezone(to_tz) - - # return utc_dt.strftime('%Y-%m-%d %H:%M:%S') - return to_dt.strftime(time_format_str) - - def _list_alerts(self, param, action_result=None): - if not action_result: - # Create a action result to represent this action - action_result = self.add_action_result(phantom.ActionResult(dict(param))) - - # If end_time is not given, then end_time is 'now' - # If start_time is not given, then start_time is SPLUNK_NUMBER_OF_DAYS_BEFORE_ENDTIME - # days behind end_time - curr_epoch_msecs = int(time.time()) * 1000 - start_time_msecs = 0 - end_time_msecs = int(phantom.get_value(param, consts.SPLUNK_JSON_END_TIME, curr_epoch_msecs)) - start_time_msecs = int( - phantom.get_value( - param, - consts.SPLUNK_JSON_START_TIME, - end_time_msecs - (consts.SPLUNK_MILLISECONDS_IN_A_DAY * consts.SPLUNK_NUMBER_OF_DAYS_BEFORE_ENDTIME), - ) - ) - - if end_time_msecs < start_time_msecs: - return action_result.set_status(phantom.APP_ERROR, consts.SPLUNK_ERR_INVALID_TIME_RANGE) - - # From splunk documentation - # To search with an exact date as boundary, such as from November 5 at 8 PM to November 12 at 8 PM, - # use the timeformat: %m/%d/%Y:%H:%M:%S - # TODO, We need not convert the epoch to formatted and then pass the format string also to splunk - # We should be able to work off of just epoch, however not too sure what the input epoch UTC format - # is to splunk and the doc is not that clear. - time_format_str = "%m/%d/%Y:%H:%M:%S" - earliest_time = f"{self._get_tz_str_from_epoch(time_format_str, start_time_msecs)}" - latest_time = f"{self._get_tz_str_from_epoch(time_format_str, end_time_msecs)}" - - kwargs_create = {"earliest_time": earliest_time, "latest_time": latest_time, "time_format": time_format_str} - # kwargs_create = {"time_format": "%m/%d/%Y:%H:%M:%S", - # "latest_time": "03/21/2015:14:29:25", - # "earliest_time": "03/21/2015:14:24:25"} - - self.save_progress(consts.SPLUNK_PROG_TIME_RANGE, range=json.dumps(kwargs_create)) - - count = int(phantom.get_value(param, phantom.APP_JSON_CONTAINER_COUNT, consts.SPLUNK_DEFAULT_ALERT_COUNT)) - - # Work of the saved search name, if given - ss_name = phantom.get_value(self.get_config(), consts.SPLUNK_JSON_ALERT_NAME, None) - - # default to blank - ss_query = "" - - if ss_name: - # create a list of query's is easier then just replacing the ',' with 'OR ss_name= - # that way we can work on each one of them seperately, like strip them or add quotes - # if not present etc. - ss_names = ['"{}"'.format(x.strip(' "')) for x in ss_name.split(",") if len(x.strip()) > 0] - self.debug_print("ss_names", ss_names) - ss_query = "ss_name = {}".format(" OR ss_name = ".join(ss_names)) - - query = consts.SPLUNK_SEARCH_AUDIT_INDEX_QUERY.format(ss_query, count) - - self.debug_print("query", query) - - self._run_query(query, action_result, kwargs_create=kwargs_create) - - return action_result.get_status() - def _test_asset_connectivity(self, param): action_result = self.add_action_result(phantom.ActionResult(dict(param))) diff --git a/splunk_consts.py b/splunk_consts.py index 9e2e1c3..b05f39a 100644 --- a/splunk_consts.py +++ b/splunk_consts.py @@ -49,7 +49,6 @@ # Progress messages SPLUNK_PROG_GOT_JOB_ID = "Got job id '{job_id}'" -SPLUNK_PROG_TIME_RANGE = "Using range '{range}'" SPLUNK_PROG_CREATED_QUERY = "Created query '{query}'" SPLUNK_PROG_CREATING_SEARCH_JOB = "Creating search job" SPLUNK_PROG_WAITING_ON_JOB_ID = "Waiting for job (id:{job_id}) to finish" @@ -70,9 +69,7 @@ SPLUNK_JSON_STATUS = "status" SPLUNK_JSON_URGENCY = "urgency" SPLUNK_JSON_COMMENT = "comment" -SPLUNK_JSON_ALERT_NAME = "alert" SPLUNK_JSON_END_TIME = "end_time" -SPLUNK_JSON_TIMEZONE = "timezone" SPLUNK_JSON_EVENT_IDS = "event_ids" SPLUNK_JSON_START_TIME = "start_time" SPLUNK_JSON_SOURCE_TYPE = "source_type" @@ -86,13 +83,10 @@ # Default values SPLUNK_DEFAULT_EVENT_COUNT = 10 -SPLUNK_DEFAULT_ALERT_COUNT = 100 SPLUNK_DEFAULT_SOURCE = "Phantom" SPLUNK_DEFAULT_SOURCE_TYPE = "Automation/Orchestration Platform" # Numeric constants -SPLUNK_MILLISECONDS_IN_A_DAY = 86400000 -SPLUNK_NUMBER_OF_DAYS_BEFORE_ENDTIME = 10 # Dictionaries SPLUNK_SEVERITY_MAP = {"informational": "low", "low": "low", "medium": "medium", "high": "high", "critical": "high"} @@ -163,8 +157,6 @@ SPLUNK_RID_SID_NOTABLE_QUERY += r' | eval search = "( (sid::" . sid . " OR orig_sid::" . sid . ")' SPLUNK_RID_SID_NOTABLE_QUERY += r' (rid::" . rid . " OR orig_rid::" . rid . ") )"' SPLUNK_RID_SID_NOTABLE_QUERY += r" | table search] `notable` | table event_id" -SPLUNK_SEARCH_AUDIT_INDEX_QUERY = "search index=_audit action=alert_fired {0} | head {1} | \ - fields ss_name sid trigger_time severity" SPLUNK_DEFAULT_REQUEST_TIMEOUT = 60 # in seconds From 913fd964090141a07782de569eccce41aaf9a757 Mon Sep 17 00:00:00 2001 From: athreyam Date: Wed, 26 Nov 2025 11:14:08 +0530 Subject: [PATCH 2/2] refactor: remove unused configuration parameters and methods --- .pylintrc | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 .pylintrc diff --git a/.pylintrc b/.pylintrc deleted file mode 100644 index fcbba09..0000000 --- a/.pylintrc +++ /dev/null @@ -1,2 +0,0 @@ -[MASTER] -ignore=.venv