Merge pull request #30 from splunk-soar-connectors/next

Merging next to main for release 2.13.0

.pre-commit-config.yaml

@@ -5,7 +5,7 @@ repos:
     -   id: org-hook
     -   id: package-app-dependencies
 -   repo: https://github.com/Yelp/detect-secrets
-    rev: v1.2.0
+    rev: v1.4.0
     hooks:
     -   id: detect-secrets
         args: ['--no-verify', '--exclude-files', '^splunk.json$']

README.md

@@ -2,11 +2,11 @@
 # Splunk
 
 Publisher: Splunk  
-Connector Version: 2\.12\.0  
+Connector Version: 2\.13\.0  
 Product Vendor: Splunk Inc\.  
 Product Name: Splunk Enterprise  
 Product Version Supported (regex): "\.\*"  
-Minimum Product Version: 5\.3\.0  
+Minimum Product Version: 5\.3\.5  
 
 This app integrates with Splunk to update data on the device, in addition to investigate and ingestion actions
 
@@ -319,6 +319,8 @@ ports used by Splunk SOAR.
 |         http         | tcp                | 80   |
 |         https        | tcp                | 443  |
 
+8089 is the default port used by Splunk Server.
+
 
 ### Configuration Variables
 The below configuration variables are required for this Connector to operate.  These variables are specified when configuring a Splunk Enterprise asset in SOAR.
@@ -455,6 +457,7 @@ action\_result\.parameter\.command | string |
 action\_result\.parameter\.display | string | 
 action\_result\.parameter\.end\_time | string | 
 action\_result\.parameter\.parse\_only | boolean | 
+action\_result\.parameter\.search\_mode | string | 
 action\_result\.parameter\.query | string |  `splunk query` 
 action\_result\.parameter\.start\_time | string | 
 action\_result\.data\.\*\.\_key | string | 

readme.html

@@ -345,5 +345,6 @@ <h2>Port Information</h2>
             </tr>
         </table>
     </p>
+    8089 is the default port used by Splunk Server.
   </body>
 </html>

release_notes/2.13.0.md

@@ -0,0 +1 @@
+* Fixed load balancer sticky sessions related cookie persistence bug [PAPP-27448, PAPP-26097]

requirements.txt

@@ -3,5 +3,5 @@ python-dateutil==2.8.1
 pytz==2021.1
 requests==2.25.0
 simplejson==3.17.2
-splunk-sdk==1.6.18
+splunk-sdk==1.7.2
 xmltodict==0.13.0

splunk.json

@@ -28,13 +28,13 @@
     ],
     "type": "siem",
     "main_module": "splunk_connector.py",
-    "app_version": "2.12.0",
+    "app_version": "2.13.0",
     "utctime_updated": "2022-09-08T08:47:45.000000Z",
     "package_name": "phantom_splunk",
     "product_name": "Splunk Enterprise",
     "product_vendor": "Splunk Inc.",
     "product_version_regex": ".*",
-    "min_phantom_version": "5.3.0",
+    "min_phantom_version": "5.3.5",
     "fips_compliant": true,
     "python_version": "3",
     "latest_tested_versions": [
@@ -52,7 +52,7 @@
             },
             {
                 "module": "certifi",
-                "input_file": "wheels/py3/certifi-2022.6.15-py3-none-any.whl"
+                "input_file": "wheels/py3/certifi-2022.9.24-py3-none-any.whl"
             },
             {
                 "module": "chardet",
@@ -561,6 +561,13 @@
                         false
                     ]
                 },
+                {
+                    "data_path": "action_result.parameter.search_mode",
+                    "data_type": "string",
+                    "example_values": [
+                        "smart"
+                    ]
+                },
                 {
                     "data_path": "action_result.parameter.query",
                     "data_type": "string",
@@ -1221,7 +1228,7 @@
             },
             {
                 "module": "certifi",
-                "input_file": "wheels/py3/certifi-2022.6.15-py3-none-any.whl"
+                "input_file": "wheels/py3/certifi-2022.9.24-py3-none-any.whl"
             },
             {
                 "module": "chardet",

splunk_connector.py

@@ -89,33 +89,33 @@ def _get_error_message_from_exception(self, e):
         :return: error message
         """
         error_code = None
-        error_msg = consts.SPLUNK_ERR_MSG_UNAVAILABLE
+        error_message = consts.SPLUNK_ERR_MESSAGE_UNAVAILABLE
 
         self.error_print("Traceback: {}".format(traceback.format_stack()))
         try:
             if hasattr(e, "args"):
                 if len(e.args) > 1:
                     error_code = e.args[0]
-                    error_msg = e.args[1]
+                    error_message = e.args[1]
                 elif len(e.args) == 1:
-                    error_msg = e.args[0]
+                    error_message = e.args[0]
             else:
-                error_msg = consts.SPLUNK_ERR_MSG_UNAVAILABLE
+                error_message = consts.SPLUNK_ERR_MESSAGE_UNAVAILABLE
 
-            if error_msg == consts.SPLUNK_ERR_MSG_UNAVAILABLE:
-                error_msg = str(e).strip().replace("'", '').replace("\"", '').replace("\n", '').replace("\r", '')
-                if len(error_msg) > 500:
-                    error_msg = '{} - truncated'.format(error_msg[:500])
-                error_msg = '{} ({})'.format(error_msg, sys.exc_info()[-1].tb_lineno)
+            if error_message == consts.SPLUNK_ERR_MESSAGE_UNAVAILABLE:
+                error_message = str(e).strip().replace("'", '').replace("\"", '').replace("\n", '').replace("\r", '')
+                if len(error_message) > 500:
+                    error_message = '{} - truncated'.format(error_message[:500])
+                error_message = '{} ({})'.format(error_message, sys.exc_info()[-1].tb_lineno)
         except Exception as e:
             self._dump_error_log(e, "Error occurred while fetching exception information")
 
             if not error_code:
-                error_msg = "Error Message: {}".format(error_msg)
+                error_message = "Error Message: {}".format(error_message)
             else:
-                error_msg = "Error Code: {}. Error Message: {}".format(error_code, error_msg)
+                error_message = "Error Code: {}. Error Message: {}".format(error_code, error_message)
 
-        return error_msg
+        return error_message
 
     def initialize(self):
 
@@ -240,7 +240,7 @@ def request(self, url, message, **kwargs):
         return {
             'status': response.code,
             'reason': response.msg,
-            'headers': dict(response.info()),
+            'headers': response.getheaders(),
             'body': BytesIO(response.read())
         }
 
@@ -308,7 +308,7 @@ def _connect(self, action_result):
                                                 "Error occurred while connecting to the Splunk server. Details: {}".format(error_text))
         except Exception as e:
             self._dump_error_log(e)
-            error_text = consts.SPLUNK_EXCEPTION_ERR_MESSAGE.format(msg=consts.SPLUNK_ERR_CONNECTION_FAILED,
+            error_text = consts.SPLUNK_EXCEPTION_ERR_MESSAGE.format(msg=consts.SPLUNK_ERR_CONNECTIVITY_FAILED,
                 error_text=self._get_error_message_from_exception(e))
             return action_result.set_status(phantom.APP_ERROR, error_text)
 
@@ -369,7 +369,7 @@ def _make_rest_call(self, action_result, endpoint, data, params=None, method=req
                     verify=config[phantom.APP_JSON_VERIFY],
                     timeout=consts.SPLUNK_DEFAULT_REQUEST_TIMEOUT)
         except Exception as e:
-            error_text = consts.SPLUNK_EXCEPTION_ERR_MESSAGE.format(msg=consts.SPLUNK_ERR_CONNECTION_FAILED,
+            error_text = consts.SPLUNK_EXCEPTION_ERR_MESSAGE.format(msg=consts.SPLUNK_ERR_CONNECTIVITY_FAILED,
                 error_text=self._get_error_message_from_exception(e))
             return action_result.set_status(phantom.APP_ERROR, error_text), None
 
@@ -481,8 +481,8 @@ def _process_html_response(self, response, action_result):
             split_lines = [x.strip() for x in split_lines if x.strip()]
             error_text = '\n'.join(split_lines)
         except Exception as e:
-            error_msg = self._get_error_message_from_exception(e)
-            error_text = consts.SPLUNK_ERR_UNABLE_TO_PARSE_HTML_RESPONSE.format(error=error_msg)
+            error_message = self._get_error_message_from_exception(e)
+            error_text = consts.SPLUNK_ERR_UNABLE_TO_PARSE_HTML_RESPONSE.format(error=error_message)
 
         if not error_text:
             error_text = "Empty response and no information received"
@@ -508,10 +508,10 @@ def _process_json_response(self, r, action_result):
         try:
             resp_json = r.json()
         except Exception as e:
-            error_msg = self._get_error_message_from_exception(e)
+            error_message = self._get_error_message_from_exception(e)
             return RetVal(
                 action_result.set_status(
-                    phantom.APP_ERROR, consts.SPLUNK_ERR_UNABLE_TO_PARSE_JSON_RESPONSE.format(error=error_msg)
+                    phantom.APP_ERROR, consts.SPLUNK_ERR_UNABLE_TO_PARSE_JSON_RESPONSE.format(error=error_message)
                 ), None
             )
 
@@ -604,7 +604,7 @@ def _return_first_row_from_query(self, search_query, action_result, kwargs_creat
                 return action_result.set_status(phantom.APP_ERROR, error_text, query=search_query)
             except Exception as e:
                 if attempt_count == RETRY_LIMIT - 1:
-                    error_text = consts.SPLUNK_EXCEPTION_ERR_MESSAGE.format(msg=consts.SPLUNK_ERR_CONNECTION_FAILED,
+                    error_text = consts.SPLUNK_EXCEPTION_ERR_MESSAGE.format(msg=consts.SPLUNK_ERR_CONNECTIVITY_FAILED,
                         error_text=self._get_error_message_from_exception(e))
                     return action_result.set_status(phantom.APP_ERROR, error_text)
 
@@ -641,7 +641,7 @@ def _return_first_row_from_query(self, search_query, action_result, kwargs_creat
                         break
                     except Exception as e:
                         if attempt_count == RETRY_LIMIT - 1:
-                            error_text = consts.SPLUNK_EXCEPTION_ERR_MESSAGE.format(msg=consts.SPLUNK_ERR_CONNECTION_FAILED,
+                            error_text = consts.SPLUNK_EXCEPTION_ERR_MESSAGE.format(msg=consts.SPLUNK_ERR_CONNECTIVITY_FAILED,
                                 error_text=self._get_error_message_from_exception(e))
                             return action_result.set_status(phantom.APP_ERROR, error_text)
 
@@ -969,7 +969,7 @@ def _on_poll(self, param):
             # if fips is not enabled, we should continue with our existing md5 usage for generating SDIs
             # to not impact existing customers
             if not fips_enabled:
-                sdi = hashlib.md5(input_str).hexdigest()
+                sdi = hashlib.md5(input_str).hexdigest()    # nosemgrep
             else:
                 sdi = hashlib.sha256(input_str).hexdigest()
 
@@ -1228,8 +1228,8 @@ def _test_asset_connectivity(self, param):
         self.save_progress("Detected Splunk {0}server version {1}".format("ES " if is_es else "", version))
 
         self.debug_print("connect passed")
-        self.save_progress(consts.SPLUNK_SUCC_CONNECTIVITY_TEST)
-        return action_result.set_status(phantom.APP_SUCCESS, consts.SPLUNK_SUCC_CONNECTIVITY_TEST)
+        self.save_progress(consts.SPLUNK_SUCCESS_CONNECTIVITY_TEST)
+        return action_result.set_status(phantom.APP_SUCCESS, consts.SPLUNK_SUCCESS_CONNECTIVITY_TEST)
 
     def _run_query(self, search_query, action_result, attach_result=False, kwargs_create=dict(), parse_only=True):
         """Function that executes the query on splunk"""
@@ -1256,7 +1256,7 @@ def _run_query(self, search_query, action_result, attach_result=False, kwargs_cr
                 if (phantom.is_fail(self._connect(action_result))):
                     return action_result.get_status()
                 if attempt_count == RETRY_LIMIT - 1:
-                    error_text = consts.SPLUNK_EXCEPTION_ERR_MESSAGE.format(msg=consts.SPLUNK_ERR_CONNECTION_FAILED,
+                    error_text = consts.SPLUNK_EXCEPTION_ERR_MESSAGE.format(msg=consts.SPLUNK_ERR_CONNECTIVITY_FAILED,
                         error_text=self._get_error_message_from_exception(e))
                     return action_result.set_status(phantom.APP_ERROR, error_text)
 
@@ -1294,7 +1294,7 @@ def _run_query(self, search_query, action_result, attach_result=False, kwargs_cr
                     break
                 except Exception as e:
                     if attempt_count == RETRY_LIMIT - 1:
-                        error_text = consts.SPLUNK_EXCEPTION_ERR_MESSAGE.format(msg=consts.SPLUNK_ERR_CONNECTION_FAILED,
+                        error_text = consts.SPLUNK_EXCEPTION_ERR_MESSAGE.format(msg=consts.SPLUNK_ERR_CONNECTIVITY_FAILED,
                             error_text=self._get_error_message_from_exception(e))
                         return action_result.set_status(phantom.APP_ERROR, error_text)
 
@@ -1362,8 +1362,8 @@ def add_json_result(self, action_result, data):
 
         except Exception as e:
             self._dump_error_log(e, "Error occurred while adding file to Vault.")
-            error_msg = self._get_error_message_from_exception(e)
-            msg = "Error occurred while adding file to Vault. Error Details: {}".format(error_msg)
+            error_message = self._get_error_message_from_exception(e)
+            msg = "Error occurred while adding file to Vault. Error Details: {}".format(error_message)
             self.debug_print(msg)
             return phantom.APP_ERROR
 

splunk_consts.py

@@ -16,24 +16,22 @@
 #
 # Success/Error status and messages
 SPLUNK_ERR_INVALID_QUERY = "Query invalid '{query}'"
-SPLUNK_SUCC_QUERY_EXECUTED = "Executed splunk query"
 SPLUNK_ERR_BAD_STATUS = "The supplied status is invalid"
 SPLUNK_ERR_CONNECTIVITY_TEST = "Connectivity test failed"
-SPLUNK_SUCC_CONNECTIVITY_TEST = "Connectivity test passed"
+SPLUNK_SUCCESS_CONNECTIVITY_TEST = "Connectivity test passed"
 SPLUNK_ERR_NOT_JSON = "Splunk server response was not JSON"
 SPLUNK_ERR_NOT_200 = "Splunk server returned error from API call"
-SPLUNK_ERR_CONNECTION_FAILED = "Failed to connect to splunk server"
+SPLUNK_ERR_CONNECTIVITY_FAILED = "Failed to connect to splunk server"
 SPLUNK_ERR_UNABLE_TO_CREATE_JOB = "Failed to get a job id from splunk server"
 SPLUNK_ERR_GET_EVENTS = "Error getting events for alert '{ss_name}' having sid '{sid}'"
 SPLUNK_ERR_NOT_ES = "This instance does not seem to be Splunk ES. This action cannot be run"
-SPLUNK_ERR_CONNECTION_NOT_PRE_ESTABLISHED = "Connection to splunk server not yet established"
 SPLUNK_ERR_INVALID_TIME_RANGE = "Invalid Time range specified, where the end time is less than start time"
 SPLUNK_ERR_NEED_PARAM = "One of comment, status, integer_status, urgency, or owner parameters needs to be supplied to run this \
     action"
 SPLUNK_ERR_INVALID_INTEGER = "Please provide a valid integer value in the {param} parameter"
 SPLUNK_ERR_NON_NEGATIVE_INTEGER = "Please provide a valid non-negative integer value in the {param} parameter"
 SPLUNK_ERR_INVALID_PARAM = "Please provide non-zero positive integer in {param}"
-SPLUNK_ERR_MSG_UNAVAILABLE = "Error message unavailable. Please check the asset configuration and|or action parameters."
+SPLUNK_ERR_MESSAGE_UNAVAILABLE = "Error message unavailable. Please check the asset configuration and|or action parameters."
 SPLUNK_EXCEPTION_ERR_MESSAGE = "{msg}. {error_text}"
 SPLUNK_JOB_FIELD_NOT_FOUND_MESSAGE = "{field} not found"
 SPLUNK_ERR_INVALID_SLEEP_TIME = "Please provide a value <= 120 seconds in the {param} parameter"