https://github.com/crowdsecurity/crowdsec-splunk-app
https://github.com/crowdsecurity/crowdsec-splunk-app
Last synced: 2 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/crowdsecurity/crowdsec-splunk-app
- Owner: crowdsecurity
- License: mit
- Created: 2023-03-17T11:59:48.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2023-04-03T08:40:38.000Z (almost 3 years ago)
- Last Synced: 2025-03-01T16:39:16.980Z (about 1 year ago)
- Language: Python
- Size: 282 KB
- Stars: 0
- Watchers: 11
- Forks: 2
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
[](https://github.com/crowdsecurity/crowdsec-splunk-app/actions/workflows/appinspect.yml)
## Overview
The CrowdSec Splunk app leverages the CrowdSec's CTI API's smoke endpoint which enables users to query an IP and receive enrichment
## Table of Contents
- [Overview](#overview)
- [Example Usage](#example-usage)
- [Results](#results)
- [Profiles](#profiles)
- [Local Dump](#local-dump)
- [Configuration file](#configuration-file)
- [`api_key`](#api_key)
- [`batching`](#batching)
- [`batch_size`](#batch_size)
- [`local_dump`](#local_dump)
## Example Usage
The following command is used to run an IP check through the CrowdSec's CTI API's smoke endpoint. On the Homepage of Splunk Web Interface, select `Search & Reporting` and use the following command.
```
| makeresults | eval ip="" | cssmoke ipfield="ip"
```
- `cssmoke`:
- Custom command driving the core functionality of the application.
- `ipfield`:
- It denotes the field name where the IP address is stored in the index.
- `profile`:
Optional preset that selects a predefined set of CrowdSec output fields (it is possible to specify mutliple profiles).
## Results
On the event of clicking the `Search` button, users will be able to view a brief overview of various fields associated with the input IP address.
This includes but not limited to location, behaviors, classifications, attack details – name, label, description, references followed by scores, threats, etc.
## Profiles
Profiles are optional presets that automatically select a predefined set of CrowdSec output fields, so results stay consistent and you don’t have to manually maintain long `ipfield=` lists.
- `base`: returns `ip`, `reputation`, `confidence`, `as_num`, `as_name`, `location`, `classifications`.
- `anonymous`: (aliases: `vpn` `proxy`): returns `ip`, `reputation`, `proxy_or_vpn`, `classifications`.
- `iprange`: returns `ip`, `ip_range`, `ip_range_24`, `ip_range_24_score`.
You can provide multiple profile in the same command:
```
| cssmoke ipfield="ip" profile="anonymous,iprange"
```
The output will contains the columns for the `anonymous` and the `iprange` profiles.
## Local Dump
The first time you setup the local dump feature, you need to download manually the CrowdSec lookup databases (they will be updated every 24h automatically after that):
```
| cssmokedownload
```
After that, you can look up IPs using the local databases.
**Note:** Check the `query_time` and `query_mode` fields in the results to confirm whether lookups are done via `local_dump` or the live API.
## Configuration file
You can configure the CrowdSec app by uploading a JSON configuration file:
```
{
"api_key": "YOUR_API_KEY_HERE",
"batching": true|false,
"batch_size": 20,
"local_dump": true|false
}
```
### `api_key`
CrowdSec CTI API key.
**Warning:** Local dump and live CTI API lookups are mutually exclusive (enable only one mode).
### `batching`
Enable batching for live CTI API lookups.
### `batch_size`
Batch size used when `batching` is enabled.
### `local_dump`
Enable local dump mode (use the downloaded lookup databases).
Lookup databases are download automatically every 24h.
**Warning:** Local dump requires a CTI API key that has access to the dump endpoint.