microsoft / msticpy

Microsoft Threat Intelligence Security Tools

Add bearer token auth to splunk driver #708

Closed Tatsuya-hasegawa closed 9 months ago

Tatsuya-hasegawa commented 10 months ago

Hi

I have implemented splunkToken auth in the Splunk driver. Of course, I have completed the connection test to my Splunk instances.


Reference: What is Splunk Auth Token ?

https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/CreateAuthTokens

https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtoconnectpython/#Log-in-using-a-bearer-token

Token authentication is more secure than username & password authentication because of the RBAC and Expiring features. Thus I would like you to merge this auth function as soon as possible.

Thank you. Best regards,

Tatsuya-hasegawa commented 10 months ago

FYI: Technical appendix

The splunkToken option is not documented in the splunklib.client class used in the current splunk driver. https://docs.splunk.com/DocumentationStatic/PythonSDK/1.7.3/client.html

However, it is introduced in splunklib.binding class. https://docs.splunk.com/DocumentationStatic/PythonSDK/1.7.3/binding.html

The splunklib.client wraps a Pythonic layer around the wire-level binding of the splunklib.binding module. Thus, splunkToken can be used in splunklib.client too and I was able to implement it without writing a new method. :)
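An added example, not part of the thread or of the msticpy driver: one way to pass a bearer token through `splunklib.client.connect` via the `splunkToken` keyword described in the comment above, reading the secret from the environment and redacting it before logging. The helper names, the `SPLUNK_*` environment variable names and the sample host are assumptions made for illustration.

```python
import os

# Hypothetical helpers. Only splunklib.client.connect and the keywords
# host / port / username / password / splunkToken come from the Splunk SDK.
_SECRET_KEYS = ("password", "splunkToken")


def build_connect_args(host, port=8089, token=None, username=None, password=None):
    """Return kwargs for splunklib.client.connect, preferring a bearer token."""
    args = {"host": host, "port": int(port)}
    if token:
        # Refuse ambiguous input so a stale password is never sent with a token.
        if username or password:
            raise ValueError("supply either a token or username/password, not both")
        args["splunkToken"] = token
    elif username and password:
        args["username"] = username
        args["password"] = password
    else:
        raise ValueError("no credentials: set a token, or a username and password")
    return args


def redact(args):
    """Copy of args that is safe to log: secret values replaced by a marker."""
    return {k: ("****" if k in _SECRET_KEYS else v) for k, v in args.items()}


def connect_from_env(environ=os.environ):
    """Connect using SPLUNK_HOST / SPLUNK_TOKEN (constructed variable names)."""
    import splunklib.client as client  # lazy import; requires the splunk-sdk package

    args = build_connect_args(
        environ["SPLUNK_HOST"],
        port=environ.get("SPLUNK_PORT", 8089),
        token=environ.get("SPLUNK_TOKEN"),
        username=environ.get("SPLUNK_USER"),
        password=environ.get("SPLUNK_PASSWORD"),
    )
    print("connecting with", redact(args))  # the token never reaches the log
    return client.connect(**args)
```
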

Tatsuya-hasegawa commented 10 months ago

@ianhelle

Thanks for your approval. OMG, I have forgotten to add white spaces at two array points, thus black/flake8 caused the errors below.

https://github.com/microsoft/msticpy/actions/runs/6090840061/job/16526403910?pr=708

Would you slightly modify them ?

Unfortunately, I'm away from my dev PC and will be back in several days.

ianhelle commented 10 months ago

> Would you slightly modify them ?

I can fix this but haven't been able to find the time before leaving for vacation later today. I can easily do it when I get back but I imagine you'll have the chance before this.

Tatsuya-hasegawa commented 10 months ago

Ok, I was able to fix them.

> @ianhelle
>
> Thanks for your approval. OMG, I have forgotten to add white spaces at two array points, thus black/flake8 caused the errors below.
>
> https://github.com/microsoft/msticpy/actions/runs/6090840061/job/16526403910?pr=708
>
> Would you slightly modify them ?
>
> Unfortunately, I'm away from my dev PC and will be back in several days.

Tatsuya-hasegawa commented 9 months ago

Hi, @ianhelle

The CI test finally seemed to be approved. Could you merge this ?

Thanks in advance. :)