
[Splunk ES] Create a collector to retrieve alert from a Splunk ES #173


Status: Open. Wants to merge 2 commits into base: main

Conversation

Kakudou (Member) commented Jun 30, 2025

Proposed changes

Create the first iteration for the Splunk ES collector.
This one can't be used in Production because:

  • It still uses the OBAS/PyOBAS stub for expectations and not the real one
  • Since I use the stub, I've mocked alerts from Splunk ES, but can't test the real use case
  • detection_helper.match_alert_elements returns False because I don't see all the source IPs in the alert, but in reality I only need one src/tgt couple to map; I will mostly never see all interfaces/hostnames in the event src.

Related issues

#15

Checklist

  • I consider the submitted work as finished
  • I tested the code for its functionality using different use cases
  • I added/updated the relevant documentation (either on GitHub or on Notion)

Further comments

This first iteration can be reviewed with the current knowledge of its state and limitations; it should not be merged into master for now.
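A constructed illustration of the matching problem in the third bullet above (added example, not code from the collector or from pyobas; the functions, hosts and addresses are invented): a strict all-elements match fails on a notable event that carries only one interface, while a one-pair match attributes it correctly and still rejects an unrelated event.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    """Everything the platform knows about the simulated source and target
    assets (all interface IPs and hostnames), as handed to the collector."""
    source_ids: frozenset
    target_ids: frozenset


@dataclass(frozen=True)
class NotableEvent:
    """What a Splunk ES notable event actually carries: typically one src and
    one dest value, not every interface of the hosts involved."""
    src: frozenset
    dest: frozenset


def match_all_elements(event: NotableEvent, exp: Expectation) -> bool:
    """Strict rule: every known source and target identifier must be present.
    A single-interface event can never satisfy it, hence the spurious False."""
    return exp.source_ids <= event.src and exp.target_ids <= event.dest


def match_any_pair(event: NotableEvent, exp: Expectation) -> bool:
    """Relaxed rule: one source identifier and one target identifier seen in
    the event is enough to attribute it to the expectation."""
    return bool(event.src & exp.source_ids) and bool(event.dest & exp.target_ids)


# Constructed sample data (hypothetical hosts and addresses).
EXPECTATION = Expectation(
    source_ids=frozenset({"attacker-vm", "10.0.0.5", "192.168.56.10"}),
    target_ids=frozenset({"victim-host", "10.0.0.20"}),
)
SINGLE_INTERFACE_EVENT = NotableEvent(src=frozenset({"10.0.0.5"}),
                                      dest=frozenset({"victim-host"}))
UNRELATED_EVENT = NotableEvent(src=frozenset({"10.0.0.99"}),
                               dest=frozenset({"victim-host"}))


def compare(event: NotableEvent, exp: Expectation = EXPECTATION) -> tuple:
    """Return (strict_result, any_pair_result) for one event."""
    return match_all_elements(event, exp), match_any_pair(event, exp)


if __name__ == "__main__":
    print("single-interface event:", compare(SINGLE_INTERFACE_EVENT))  # (False, True)
    print("unrelated event:", compare(UNRELATED_EVENT))  # (False, False)
```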

Kakudou added 2 commits June 18, 2025 17:35
…rom splunk, and error with detection_helper.match_alert_elements being too binary True/False
@Kakudou Kakudou requested a review from antoinemzs June 30, 2025 10:19
@Kakudou Kakudou self-assigned this Jun 30, 2025
@Kakudou Kakudou added labels Jun 30, 2025: filigran team (use to identify PR from the Filigran team), do not merge (Do not merge this PR until this tag will be removed), feature (use for describing a new feature to develop)
@Kakudou Kakudou linked an issue Jun 30, 2025 that may be closed by this pull request
@guillaumejparis guillaumejparis force-pushed the main branch 21 times, most recently from 3febe4b to ebf751b Compare July 15, 2025 14:18
Development: successfully merging this pull request may close the issue "Collector for Splunk Enterprise Security".