@deekayen
Last active March 3, 2020 18:20
Jenkins/EL7 version of the Prisma Alerts to Splunk bridge bash script.
#!/bin/bash
# For EL7:
# yum install curl jq
# Abort on the first failed command, unset variable or failed pipeline stage.
set -euo pipefail
######################
# SET VALUES FOR THESE
# Prisma Cloud config
API="api2.prismacloud.io"
# update the api key in the JWT call
# Splunk config
HEC="http://splunk.example.com:8088/services/collector"
TOKEN="ce40f9de-asdf-asdf-asdf-d80ce1add1ef"
# Note this is in millisecond format with three extra digits of microtime.
START=$(date -d '2 weeks ago Sunday 00:00:00' +%s000)
END=$(date -d '1 week ago Saturday 23:59:59' +%s999)
# END EDITABLE VARIABLES
########################
OUT="prisma_alerts_${START}_${END}.json"
echo "Logging in..."
JWT="$(curl -s --request POST \
  --url "https://${API}/login" \
  --header 'accept: application/json; charset=UTF-8' \
  --header 'content-type: application/json; charset=UTF-8' \
  --data '{"username":"76a0d9c6-asdf-asdf-asdf-6a928a492a93","password":"v1gST9ktNbgDiDfrlsJilIXvFxg="}' \
  | jq -r '.token')"
# Stop here if the login failed instead of querying the API with an empty token.
if [ -z "${JWT}" ] || [ "${JWT}" = "null" ]; then
  echo "Login failed: no token returned" >&2
  exit 1
fi
echo "GETing alerts for UNIX millisecond epoch ${START} to ${END}..."
curl -s --request GET \
  --url "https://${API}/alert?detailed=true&timeType=absolute&startTime=${START}&endTime=${END}" \
  --header 'accept: */*' \
  --header "x-redlock-auth: ${JWT}" \
  > "${OUT}"
LINES=$(jq -r '.[] | @base64' "${OUT}" | wc -l | xargs)
echo "Found ${LINES} alerts..."
# Filesize
du -sh "${OUT}"
# Decode the current base64-encoded row back into its JSON object.
_decode() {
  echo "${row}" | base64 --decode
}
# jq outputs prettified JSON over multiple lines.
# Doing a base64 encode brings it back to a single line string
# so that we can treat split elements the same as loop rows.
for row in $(jq -r '.[] | @base64' "${OUT}"); do
  printf "\nPOSTing %s to Splunk HTTP Event Collector..." "$(_decode | jq '.id')"
  # Prisma reports alertTime in epoch milliseconds, but the HEC "time" field
  # is epoch seconds, so divide by 1000 before sending.
  curl -s -k "${HEC}" \
    -H "Authorization: Splunk ${TOKEN}" \
    -d "{\"time\": $(_decode | jq '.alertTime / 1000'), \"sourcetype\": \"_json\", \"event\": $(_decode)}"
done
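As an added example (not the gist's own code), the two steps the loop above performs, broken out into testable shell functions: building the HEC payload with the millisecond-to-second timestamp conversion, and iterating over alerts using jq's compact output with a while/read loop instead of the base64 round trip. The function names `hec_payload` and `payloads_for` and the alert array in `SAMPLE_ALERTS` are constructed for this example.

```shell
#!/bin/bash
# Build the Splunk HEC payload for one Prisma Cloud alert.
# Prisma's alertTime is epoch milliseconds; HEC's "time" field is epoch
# seconds with an optional fractional part, so split ms into sec.msec.
# Usage: hec_payload <alertTime_ms> <event_json>
hec_payload() {
  ms="$1"
  event="$2"
  # Refuse anything that is not a plain integer before doing arithmetic on it.
  case "$ms" in
    ''|*[!0-9]*) echo "hec_payload: alertTime must be integer milliseconds" >&2; return 1 ;;
  esac
  printf '{"time": %d.%03d, "sourcetype": "_json", "event": %s}' \
    $((ms / 1000)) $((ms % 1000)) "$event"
}

# Constructed sample of what GET /alert returns (two alerts, trimmed fields).
SAMPLE_ALERTS='[{"id":"P-1","alertTime":1583000000123,"status":"open"},
{"id":"P-2","alertTime":1583000400000,"status":"resolved"}]'

# Emit one HEC payload per line. jq -c prints each array element as a single
# line, so while/read iterates safely even when the JSON contains spaces,
# which a for loop over $(...) output would split on.
payloads_for() {
  printf '%s' "$1" | jq -c '.[]' | while IFS= read -r alert; do
    ms=$(printf '%s' "$alert" | jq -r '.alertTime')
    hec_payload "$ms" "$alert"
    printf '\n'
  done
}

# Demo run, skipped where jq is not installed.
if command -v jq >/dev/null 2>&1; then
  payloads_for "$SAMPLE_ALERTS"
fi
```

Each emitted line is exactly what the gist's `curl -d` sends to the collector, so it can be piped to `curl` with `--data-binary @-` or inspected before anything leaves the host.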