Skip to content

Splunk Enterprise Security implementation #32

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 26 commits into
base: main
Choose a base branch
from
Open

Splunk Enterprise Security implementation #32

wants to merge 26 commits into from

Conversation

ax-hsmith
Copy link

What does this PR do?

New matcher: for Splunk Enterprise Security
Enhancement: Updated stratus-red-team to the latest version at this time (v2.23.2) and other related dependencies

Motivation

I got tired of the detection engineering loop of manually running tests, waiting for alerts to appear (or not appear) and subsequently closing those alerts. This tool is perfect for that and thus I wanted to make it work with Splunk Enterprise Security

Checklist

  • Unit tests
  • Documentation

Disclaimer:
I'm familiar with Golang as a programming language but this will be one of the first real Golang projects that I've contributed to. If I implemented something in a strange way, it's probably because I don't know any better. I'm very much open to feedback/criticism.

ax-hsmith added 26 commits April 2, 2025 16:24
@ax-hsmith
add the new splunk matcher
381a031
@ax-hsmith
add required splunkNotableEvent property and checkInterval to threate…
134e43c 
…st schema
@ax-hsmith
add CheckInterval to Scenario struct and builder
2fb00eb
@ax-hsmith
set default check interval in Scenario builder and update logging for…
053f1a5 
… assertion requeue
@ax-hsmith
add support for Splunk notable event matcher and implement check inte…
00962c5 
…rval parsing
@ax-hsmith
update parser.go with new schema changes
c37eb6d
@ax-hsmith
use scenario-specific CheckInterval in runner configuration if available
8694c20
@ax-hsmith
remove todo and change comment around job completion sleep
3c6e050
@ax-hsmith
introduce closeBody function to make my IDE happy re: unhandled errors
07fd1ba
@ax-hsmith
add debug statement to print final splunk search query
2f85aee
@ax-hsmith
remove commented code
b396d55
@ax-hsmith
Expect 2xx responses, 300s are no good either
5f467b0
@ax-hsmith
add createRequest function documentation for clarity
76f8659
@ax-hsmith
handle non-2xx response status in search results retrieval
55c7049
@ax-hsmith
add more docs
0a67721
@ax-hsmith
change log level from debug to info for assertion requeueing
0cf598c
@ax-hsmith
remove commented code
c44281f
@ax-hsmith
add autogenerated mock for SplunkAPI
7ad2ef7
@ax-hsmith
rename executionID to detonationUuid
18526e8
@ax-hsmith
rename executionID to detonationUuid and add startTime fallback in pe…
282de4a 
…rformActionOnMatchingNotables
@ax-hsmith
add tests and utility functions for Splunk notable events handling
f41d733
@ax-hsmith
add Splunk Enterprise Security notable events to supported alert matc…
b41ada9 
…hers
@ax-hsmith
add schema for Splunk notable events matcher
d9988d4
@ax-hsmith
refactor notable events generation to use custom type for improved re…
de7f350 
…adability
@ax-hsmith
add README for Splunk Enterprise Security notable event matcher confi…
886f2dd 
…guration
@ax-hsmith
updated go version to 1.23.0 and stratus-red-team to v2.23.2 along wi…
30e62da 
…th other related deps
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ax-hsmith