Merge pull request #3 from splunk-soar-connectors/next

Merging next to main for release 1.0.1

.github/workflows/linting.yml

@@ -1,7 +1,7 @@
 name: Linting
 on: [push, pull_request]
 jobs:
-  lint: 
+  lint:
     # Run per push for internal contributers. This isn't possible for forked pull requests,
     # so we'll need to run on PR events for external contributers.
     # String comparison below is case insensitive.

.pre-commit-config.yaml

@@ -1,11 +1,11 @@
 repos:
 -   repo: https://github.com/phantomcyber/dev-cicd-tools
-    rev: v1.13
+    rev: v1.26
     hooks:
     -   id: org-hook
     -   id: package-app-dependencies
 -   repo: https://github.com/Yelp/detect-secrets
-    rev: v1.2.0
+    rev: v1.5.0
     hooks:
     -   id: detect-secrets
         args: ['--no-verify']

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2025 Splunk Inc.
+   Copyright (c) SpecterOps, 2025
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -198,4 +198,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.

README.md

@@ -1,9 +1,187 @@
-# Splunk> Phantom
+# SpecterOps BloodHound
 
-Welcome to the open-source repository for Splunk> Phantom's specteropsbloodhound App.
+Publisher: SpecterOps \
+Connector Version: 1.0.1 \
+Product Vendor: SpecterOps \
+Product Name: Specterops Bloodhound \
+Minimum Product Version: 6.3.0
 
-Please have a look at our [Contributing Guide](https://github.com/Splunk-SOAR-Apps/.github/blob/main/.github/CONTRIBUTING.md) if you are interested in contributing, raising issues, or learning more about open-source Phantom apps.
+BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to identify quickly. Defenders can use BloodHound to identify and eliminate those same attack paths. The SOAR integration with SpecterOps BloodHound enables the defenders to see all the attack path findings from BloodHound as Splunk SOAR events. The actions provided with the app can be used to remediate and remove the attack paths
 
-## Legal and License
+## Overview
 
-This Phantom App is licensed under the Apache 2.0 license. Please see our [Contributing Guide](https://github.com/Splunk-SOAR-Apps/.github/blob/main/.github/CONTRIBUTING.md#legal-notice) for further details.
+BloodHound uses graph theory to reveal hidden and often unintended relationships within Active Directory or Azure environments. Attackers use BloodHound to identify complex attack paths quickly. Defenders leverage it to identify and eliminate these same attack paths.
+
+The SOAR integration with SpecterOps BloodHound enables defenders to see all attack path findings as Splunk SOAR events. Additionally, the app provides actions to remediate and remove these attack paths.
+
+## Supported Actions
+
+1. **Get Object ID**\
+   Fetch the object ID using the asset's name.
+
+1. **Test Connectivity**\
+   Validate the asset configuration and ensure connectivity using the supplied configuration.
+
+1. **On Poll**\
+   Pull details about Attack Path Findings.
+
+1. **Fetch Asset Information**\
+   Retrieve information related to an asset from the API.\
+   *Works in both Enterprise and Community Edition (CE).*
+
+1. **Does Path Exist**\
+   Fetch the path between two objects.\
+   *Works in both Enterprise and Community Edition (CE).*
+
+## Prerequisites
+
+1. **Access To BloodHound Enterprise Server**
+   You must have access to the BloodHound Enterprise server to generate Token Key and Token ID for authentication.
+
+### Configuration variables
+
+This table lists the configuration variables required to operate SpecterOps BloodHound. These variables are specified when configuring a Specterops Bloodhound asset in Splunk SOAR.
+
+VARIABLE | REQUIRED | TYPE | DESCRIPTION
+-------- | -------- | ---- | -----------
+**bloodhound_base_url** | required | string | BloodHound Enterprise Domain |
+**token_id** | required | password | Token ID |
+**token_key** | required | password | Token Key |
+
+### Supported Actions
+
+[test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration \
+[on poll](#action-on-poll) - Pull Attack Path Finding Details \
+[fetch asset information](#action-fetch-asset-information) - Pull information related to an asset from the API (works in Enterprise or CE) \
+[does path exist](#action-does-path-exist) - Pull a path between two objects (works in Enterprise or CE) \
+[get object id](#action-get-object-id) - Fetch object id from asset's name
+
+## action: 'test connectivity'
+
+Validate the asset configuration for connectivity using supplied configuration
+
+Type: **test** \
+Read only: **True**
+
+#### Action Parameters
+
+No parameters are required for this action
+
+#### Action Output
+
+No Output
+
+## action: 'on poll'
+
+Pull Attack Path Finding Details
+
+Type: **ingest** \
+Read only: **False**
+
+#### Action Parameters
+
+No parameters are required for this action
+
+#### Action Output
+
+No Output
+
+## action: 'fetch asset information'
+
+Pull information related to an asset from the API (works in Enterprise or CE)
+
+Type: **investigate** \
+Read only: **False**
+
+#### Action Parameters
+
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**object_id** | required | Object Id | string | |
+
+#### Action Output
+
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.data.\*.data.props.name | string | | |
+action_result.data.\*.data.props.domain | string | | |
+action_result.data.\*.data.props.objectid | string | | |
+action_result.data.\*.data.props.domainsid | string | | |
+action_result.data.\*.data.props.functionallevel | string | | |
+action_result.data.\*.data.props.distinguishedname | string | | |
+action_result.data.\*.data.props.isaclprotected | boolean | | |
+action_result.data.data.\*.props.system_tags | string | | |
+action_result.message | string | | |
+action_result.summary | string | | |
+summary.total_objects | numeric | | 1 |
+summary.total_objects_successful | numeric | | 1 |
+action_result.status | string | | success failed |
+
+## action: 'does path exist'
+
+Pull a path between two objects (works in Enterprise or CE)
+
+Type: **investigate** \
+Read only: **False**
+
+#### Action Parameters
+
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**start_node** | required | Start Node | string | |
+**end_node** | required | End Node | string | |
+
+#### Action Output
+
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.parameter.start_node | string | | |
+action_result.parameter.end_node | string | | |
+action_result.data.\*.response | string | | |
+action_result.message | string | | |
+action_result.summary | string | | |
+summary.total_objects | numeric | | 1 |
+summary.total_objects_successful | numeric | | 1 |
+action_result.status | string | | success failed |
+
+## action: 'get object id'
+
+Fetch object id from asset's name
+
+Type: **investigate** \
+Read only: **False**
+
+#### Action Parameters
+
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**name** | required | Name | string | |
+
+#### Action Output
+
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.parameter.name | string | | |
+action_result.data.\*.object_id | string | | |
+action_result.message | string | | |
+action_result.summary | string | | |
+summary.total_objects | numeric | | 1 |
+summary.total_objects_successful | numeric | | 1 |
+action_result.status | string | | success failed |
+
+______________________________________________________________________
+
+Auto-generated Splunk SOAR Connector documentation.
+
+Copyright 2025 Splunk Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and limitations under the License.

__init__.py

@@ -0,0 +1,13 @@
+# File: __init__.py
+
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under
+# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+# either express or implied. See the License for the specific language governing permissions
+# and limitations under the License.

manual_readme_content.md

@@ -0,0 +1,46 @@
+[comment]: # " File: README.md"
+[comment]: # "  Copyright (c) SpecterOps, 2025"
+[comment]: # ""
+[comment]: # "Licensed under the Apache License, Version 2.0 (the 'License');"
+[comment]: # "you may not use this file except in compliance with the License."
+[comment]: # "You may obtain a copy of the License at"
+[comment]: # ""
+[comment]: # "    http://www.apache.org/licenses/LICENSE-2.0"
+[comment]: # ""
+[comment]: # "Unless required by applicable law or agreed to in writing, software distributed under"
+[comment]: # "the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,"
+[comment]: # "either express or implied. See the License for the specific language governing permissions"
+[comment]: # "and limitations under the License."
+[comment]: # ""
+
+## Overview
+
+BloodHound uses graph theory to reveal hidden and often unintended relationships within Active Directory or Azure environments. Attackers use BloodHound to identify complex attack paths quickly. Defenders leverage it to identify and eliminate these same attack paths.
+
+The SOAR integration with SpecterOps BloodHound enables defenders to see all attack path findings as Splunk SOAR events. Additionally, the app provides actions to remediate and remove these attack paths.
+
+## Supported Actions
+
+1. **Get Object ID**  
+   Fetch the object ID using the asset's name.
+
+2. **Test Connectivity**  
+   Validate the asset configuration and ensure connectivity using the supplied configuration.
+
+3. **On Poll**  
+   Pull details about Attack Path Findings.
+
+4. **Fetch Asset Information**  
+   Retrieve information related to an asset from the API.  
+   *Works in both Enterprise and Community Edition (CE).*
+
+5. **Does Path Exist**  
+   Fetch the path between two objects.  
+   *Works in both Enterprise and Community Edition (CE).*
+
+## Prerequisites
+
+1. **Access To BloodHound Enterprise Server**
+    You must have access to the BloodHound Enterprise server to generate Token Key and Token ID for authentication.
+
+

pyproject.toml

@@ -0,0 +1,8 @@
+[tool.black]
+line-length = 145
+target-version = ['py39']
+verbose = true
+
+[tool.isort]
+line_length = 145
+profile = "black"

release_notes/1.0.1.md

@@ -0,0 +1 @@
+* Initial release