Last active
March 3, 2020 18:20
-
-
Save deekayen/6cb83b251d5d447de74479f623d17ed3 to your computer and use it in GitHub Desktop.
Jenkins/EL7 version of the Prisma Alerts to Splunk bridge bash script.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# For EL7: | |
# yum install curl jq | |
###################### | |
# SET VALUES FOR THESE | |
# Prisma Cloud config | |
API="api2.prismacloud.io" | |
# update the api key in the JWT call | |
# Splunk config | |
HEC="http://splunk.example.com:8088/services/collector" | |
TOKEN="ce40f9de-asdf-asdf-asdf-d80ce1add1ef" | |
# Note this is in millisecond format with three extra digits of microtime. | |
START=$(date -d '2 weeks ago Sunday 00:00:00' +%s000) | |
END=$(date -d '1 week ago Saturday 23:59:59' +%s999) | |
# END EDITABLE VARIABLES | |
######################## | |
echo "Logging in..." | |
JWT="$(curl -s --request POST \ | |
--url https://${API}/login \ | |
--header 'accept: application/json; charset=UTF-8' \ | |
--header 'content-type: application/json; charset=UTF-8' \ | |
--data '{"username":"76a0d9c6-asdf-asdf-asdf-6a928a492a93","password":"v1gST9ktNbgDiDfrlsJilIXvFxg="}' \ | |
| jq '.["token"]' \ | |
| tr -d '"')" | |
echo "GETing alerts for UNIX millisecond epoch ${START} to ${END}..." | |
curl -s --request GET \ | |
--url "https://${API}/alert?detailed=true&timeType=absolute&startTime=${START}&endTime=${END}" \ | |
--header 'accept: */*' \ | |
--header "x-redlock-auth: ${JWT}" \ | |
> "prisma_alerts_${START}_${END}.json" | |
LINES=$(cat "prisma_alerts_${START}_${END}.json" | jq -r '.[] | @base64' | wc -l | xargs) | |
echo "Found ${LINES} alerts..." | |
# Filesize | |
du -sh "prisma_alerts_${START}_${END}.json" | |
# jq outputs prettified JSON over multiple lines. | |
# Doing a base64 encode brings it back to a single line string | |
# so that we can treat split elements the same as loop rows. | |
for row in $(cat "prisma_alerts_${START}_${END}.json" | jq -r '.[] | @base64'); do | |
_decode() { | |
echo ${row} | base64 --decode | |
} | |
printf "\nPOSTing $(_decode | jq .'id') to Splunk HTTP Event Collector..." | |
curl -s -k "${HEC}" \ | |
-H "Authorization: Splunk ${TOKEN}" \ | |
-d "{\"time\": $(_decode | jq .'alertTime'), \"sourcetype\": \"_json\", \"event\": $(_decode)}" | |
done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment