{"id":19149531,"url":"https://github.com/alphasoc/splunk-alert-reader","last_synced_at":"2026-02-17T08:04:10.323Z","repository":{"id":85395365,"uuid":"131025499","full_name":"alphasoc/splunk-alert-reader","owner":"alphasoc","description":"A utility to escalate AlphaSOC alerts from Splunk to other platforms","archived":false,"fork":false,"pushed_at":"2018-06-07T11:48:50.000Z","size":134,"stargazers_count":1,"open_issues_count":0,"forks_count":3,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-23T09:49:47.120Z","etag":null,"topics":["intrusion-detection","monitoring","security"],"latest_commit_sha":null,"homepage":"https://alphasoc.com","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alphasoc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-04-25T15:17:21.000Z","updated_at":"2023-07-25T04:15:57.000Z","dependencies_parsed_at":"2023-03-04T05:00:24.833Z","dependency_job_id":null,"html_url":"https://github.com/alphasoc/splunk-alert-reader","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/alphasoc/splunk-alert-reader","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alphasoc%2Fsplunk-alert-reader","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alphasoc%2Fsplunk-alert-reader/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alphasoc%2Fsplunk-alert-reader/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alph
asoc%2Fsplunk-alert-reader/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alphasoc","download_url":"https://codeload.github.com/alphasoc/splunk-alert-reader/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alphasoc%2Fsplunk-alert-reader/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264923637,"owners_count":23683780,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["intrusion-detection","monitoring","security"],"created_at":"2024-11-09T08:08:34.702Z","updated_at":"2025-10-14T22:08:43.152Z","avatar_url":"https://github.com/alphasoc.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Splunk Alert Reader\n\n\u003e Output AlphaSOC alerts indexed in Splunk to stdout\n\nSplunk Alert Reader retrieves alerts generated by [AlphaSOC applications for Splunk](https://splunkbase.splunk.com/apps/#/search/alphasoc/) and outputs them to `stdout` in a JSON format that can be ingested easily by SIEM products (e.g. IBM QRadar, AlienVault USM), SOAR platforms (e.g. Demisto), and custom scripts that users may create to work with and escalate AlphaSOC alerts.\n\nAt the first run, the tool retrieves alerts which are at most 60 minutes old from Splunk (this can be modified in the config file). The subsequent runs return new alerts only. This behavior makes it easy to schedule it with cron at any interval. 
The emitted alerts may then be processed further and escalated.\n\n## Requirements\n\nThe tool requires Python \u003e=2.7 or \u003e=3.1. No 3rd party Python libraries are required. The [Splunk SDK for Python](http://dev.splunk.com/python) is included in the repository. It doesn't have to be run from the Search Head, as it connects to the Splunk service port over the network.\n\n## Installation and usage example\n\n```sh\ngit clone https://github.com/alphasoc/splunk-alert-reader.git\ncd splunk-alert-reader\ncp example.ini config.ini\n```\n\nAfter completing the steps above, update `config.ini` with your Splunk credentials and adjust other configuration options as needed. Ensure that the tool can connect to the Splunk service port (default 8089). After doing that, you may run the script:\n\n```sh\npython main.py --config config.ini\n```\n\n## Alert format\n\nThe tool returns AlphaSOC alerts in a JSON format, one alert per line. Alerts can be received from two apps: DNS Analytics for Splunk and Network Behavior Analytics for Splunk. There are significant differences between the output returned by these apps, so alerts can't be fetched from both applications in a single run. You can choose the application in the configuration file by setting the `format_version` option. \n\n### DNS Analytics alert\n\nIf you'd like to receive alerts from DNS Analytics, please set `format_version=1`. By default, DNS Analytics alerts may consist of more than one corresponding raw DNS event and/or assigned threat. You can change this behavior by adjusting the `unfold` config option. 
When changed to 1, the tool will emit one entry per network event and threat.\n\n```json\n{\n  \"threats\": [\n    {\n      \"policy\": true,\n      \"desc\": \"Multiple requests for DGA domains indicating infection\",\n      \"id\": \"dga_volume\",\n      \"severity\": 4\n    },\n    {\n      \"policy\": true,\n      \"desc\": \"Multiple requests to unreachable domains\",\n      \"id\": \"unreachable_domain_volume\",\n      \"severity\": 2\n    }\n  ],\n  \"risk\": 4,\n  \"ip\": \"10.14.1.39\",\n  \"fqdn\": \"rproahjondxj.net\",\n  \"ts\": [\"2018-04-26T12:40:41+00:00\", \"2018-04-26T12:39:21+00:00\"],\n  \"record_type\": \"A\",\n  \"flags\": [\"perplexing_domain\", \"unreachable_domain\"],\n  \"groups\": [\n    {\n      \"desc\": \"Zurich\"\n    }\n  ],\n  \"type\": \"alert\"\n}\n```\n\nNote: the above would be unfolded to 4 separate alerts (as it contains two raw DNS event timestamps, and two assigned threats)\n\n### Network Behavior Analytics alert\n\nTo receive alerts from Network Behavior Analytics, please set `format_version=2` in the configuration file. Currently Network Behavior Analytics can render alerts with two types of corresponding events: `dns` or `ip`. 
If you'd like to emit one entry per threat, please change the `unfold` option to 1.\n\n```json\n{\n  \"threats\": {\n    \"conn_unusual_port_volume\": {\n      \"policy\": false,\n      \"severity\": 3,\n      \"desc\": \"Multiple outbound connections to an unusual server port\"\n    },\n    \"c2_communication\": {\n      \"policy\": false,\n      \"severity\": 5,\n      \"desc\": \"C2 communication attempt indicating infection\"\n    }\n  },\n  \"risk\": 5,\n  \"eventType\": \"ip\",\n  \"wisdom\": {\n    \"c2Proto\": \"DarkComet\",\n    \"flags\": [\"c2\"]\n  },\n  \"groups\": {\n    \"london\": {\n      \"desc\": \"London\"\n    }\n  },\n  \"event\": {\n    \"proto\": \"tcp\",\n    \"bytesOut\": 9866,\n    \"srcPort\": 64329,\n    \"ts\": \"2018-06-06T07:33:04+00:00\",\n    \"destIP\": \"94.188.103.122\",\n    \"srcIP\": \"10.100.91.3\",\n    \"destPort\": 1604,\n    \"bytesIn\": 21357\n  }\n}\n```\n\nIn the above format, the `event` object contains a raw DNS or IP event, depending on the `eventType` value. \n\n#### DNS event\n\n```json\n{\n  \"event\": {\n    \"srcIP\": \"10.14.1.43\",\n    \"query\": \"rproahjondxj.net\",\n    \"qtype\": \"A\",\n    \"ts\": \"2018-06-06T09:17:00+00:00\"\n  }\n}\n```\n\n#### IP event\n\n```json\n{\n  \"event\": {\n    \"proto\": \"tcp\",\n    \"bytesOut\": 9866,\n    \"srcPort\": 64329,\n    \"ts\": \"2018-06-06T07:33:04+00:00\",\n    \"destIP\": \"94.188.103.122\",\n    \"srcIP\": \"10.100.91.3\",\n    \"destPort\": 1604,\n    \"bytesIn\": 21357\n  }\n}\n```\n\n## Release History\n\n* 0.0.1\n  * Initial release\n* 0.0.2\n  * Network Behavior Analytics compatibility\n\n## License\n\nDistributed under the MIT license. 
See `LICENSE` for more information.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falphasoc%2Fsplunk-alert-reader","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falphasoc%2Fsplunk-alert-reader","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falphasoc%2Fsplunk-alert-reader/lists"}