An example of how to update notable events (comment, status, urgency, owner) through the `notable_update` REST endpoint of the Splunk Enterprise Security app. #splunk
import json

import splunk
import splunk.rest
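def updateNotableEvents(sessionKey, comment, status=None, urgency=None, owner=None, eventIDs=None, searchID=None):
    """
    Update one or more Enterprise Security notable events via the
    ``/services/notable_update`` REST endpoint.

    Arguments:
    sessionKey -- The Splunk session key used to authenticate the request
    comment -- A description of the change or some information about the
               notable events (always sent)
    status -- A status ID (only required if you are changing the status of the
              event). Status IDs are defined by the ES review statuses of the
              target instance, so confirm what a given number maps to there.
    urgency -- An urgency (only required if you are changing the urgency of the event)
    owner -- The new owner (only required if reassigning the event); sent to the
             endpoint as ``newOwner``
    eventIDs -- A list of notable event IDs (sent as ``ruleUIDs``). Must be
                provided if a search ID is not provided.
    searchID -- The SID of a search. All of the events associated with this
                search are modified unless a list of eventIDs is also provided,
                which limits the scope to that sub-set of the results.

    Returns the decoded JSON body of the server's response (a dict; callers
    typically inspect ``success``, ``failure_count`` and ``message``).

    Raises ValueError (a subclass of Exception, as before) when the session
    key is missing or neither eventIDs nor searchID is given, and RuntimeError
    when the server answers with anything other than HTTP 200.
    """
    # Refuse to send an unauthenticated request; the server would only return
    # an opaque authentication error.
    if sessionKey is None:
        raise ValueError("A session key was not provided")

    # Without at least one of these the endpoint has no events to act on.
    if eventIDs is None and searchID is None:
        raise ValueError("Either eventIDs or a searchID must be provided (or both)")

    # Build the POST arguments for the REST handler. Optional attributes are
    # only included when set, so anything not mentioned is left untouched
    # on the notable events.
    args = {'comment': comment}

    if status is not None:
        args['status'] = status

    if urgency is not None:
        args['urgency'] = urgency

    if owner is not None:
        args['newOwner'] = owner

    # Restrict the update to these specific events
    if eventIDs is not None:
        args['ruleUIDs'] = eventIDs

    # Apply the update to the notable events returned by a search
    if searchID is not None:
        args['searchID'] = searchID

    # Perform the request
    serverResponse, serverContent = splunk.rest.simpleRequest('/services/notable_update', sessionKey=sessionKey, postargs=args)

    # Fail loudly and include what the server said, so a bad status ID, an
    # unknown owner or a permissions problem can actually be diagnosed. The
    # body is truncated so a large error page does not flood the log.
    if serverResponse['status'] != '200':
        raise RuntimeError("Server response indicates that the request failed (HTTP %s): %s"
                           % (serverResponse['status'], str(serverContent)[:500]))

    # Return the information about the request
    return json.loads(serverContent)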
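if __name__ == "__main__":
    #
    # Get a session key and define a helper for printing the results of the examples below
    #
    import os
    import time

    from splunk import auth

    # Do not hard-code credentials in a script that gets shared or checked in.
    # The environment variables take precedence; the fallbacks are Splunk's
    # well-known out-of-the-box account and are only acceptable against a
    # throwaway development instance.
    sessionKey = auth.getSessionKey(username=os.environ.get('SPLUNK_USERNAME', 'admin'),
                                    password=os.environ.get('SPLUNK_PASSWORD', 'changeme'))

    def printResultMessage(response_info):
        """
        Print a human-readable summary of a notable_update response.

        response_info -- the dict returned by updateNotableEvents; the keys
                         ``success``, ``failure_count`` and ``message`` are
                         all treated as optional
        """
        if not response_info.get('success'):
            print("The operation was not successful")

        # Report partial failures even when the overall call is reported as
        # successful, so that silently skipped events do not go unnoticed.
        failure_count = response_info.get('failure_count', 0)
        if failure_count > 0:
            print("Some failures were noted: " + str(failure_count))

        # 'message' is not guaranteed to be present; a missing key must not
        # turn a readable result into a KeyError.
        message = response_info.get('message')
        if message is not None:
            print(message)

    #
    # Example 1: using known eventIDs
    #
    # The event IDs below are placeholders from the author's instance; replace
    # them with the event_id values of notable events on your own system.
    example_event_ids = [
        'F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@1363d37ec74a79d00e22af26bfe0718b',
        'F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@846cb0c474332b07f2cf5a18bdd12009',
    ]

    # Update some events: reassign them and change the status and urgency.
    # Status 5 is a numeric review-status ID; confirm what it maps to on your
    # ES instance before running this against real events.
    print("Updating some notable events...")
    printResultMessage(updateNotableEvents(sessionKey=sessionKey,
                                           comment='This is a test of the REST endpoint',
                                           status=5,
                                           urgency='high',
                                           owner='admin',
                                           eventIDs=example_event_ids))

    # Update some events by just adding a comment (leaves the assignee, urgency and status alone)
    print("Updating some notable events but this time just leaving some comments...")
    printResultMessage(updateNotableEvents(sessionKey=sessionKey,
                                           comment='Just adding a comment',
                                           eventIDs=example_event_ids))

    #
    # Example 2: updating all notables that match a search
    #
    import splunk.search

    print("Updating some notable events by processing the results from a search...")

    # Kick off a search. The `notable` macro comes with Enterprise Security, so
    # this must run against an instance that has ES installed.
    job = splunk.search.dispatch("search `notable` | head 2", sessionKey=sessionKey, earliest='-7d')

    # Wait until the search is done. The previous loop only exited once the job
    # was done AND had results, so a search that legitimately matched nothing
    # spun forever; it also polled without any delay. Sleep between checks
    # instead of hammering the server.
    while not job.isDone:
        time.sleep(0.5)

    print("Search is done, result count is " + str(job.resultCount))

    # Process the search results, but only if there is something to update
    if job.resultCount > 0 or job.eventCount > 0:
        print("Updating the notable events in the completed search")
        printResultMessage(updateNotableEvents(sessionKey=sessionKey,
                                               comment='Just adding a comment via a search',
                                               searchID=job.sid))
    else:
        print("The search returned no notable events; nothing to update")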