
prisma-cloud-compute-splunk's Introduction

Prisma Cloud Compute Splunk App


IMPORTANT: Please see SUPPORT.md for the official support policy for the contents of this repository.


The Prisma Cloud Compute Splunk App allows high priority security incidents from Prisma Cloud Compute to be polled by Splunk on a user-defined interval, and provides in-depth forensic data for incident analysis and response. The app adds two main components to your Splunk deployment: scripted data inputs that use your Prisma Cloud Compute API to pull incidents and forensics, and a sample Splunk dashboard that presents that data.

Note: For bringing in data besides incidents and forensics, please use syslog or webhooks.

Important news

Getting the app

GitHub

Download the latest app tarball (pcc-splunk-app-*.tar.gz) from its release page.

Splunkbase

Download the latest app tarball from Splunkbase.

Splunk Apps Browser

In the Splunk UI, click on the Apps dropdown, click "Find More Apps", then search for "Prisma Cloud Compute".

Installation and setup

  1. Install the app by either uploading the tarball or following the Splunkbase prompts.
  2. Navigate to the setup page if you aren't guided there.
  3. Fill out the setup form and click "Complete setup." Field descriptions are on the setup page.
  4. If on Windows, update $SPLUNK_HOME\etc\twistlock\default\inputs.conf according to the instructions at the top of the file.
  5. Enable poll_incidents.py and poll_forensics.py at Settings > Data inputs > Scripts in Splunk.
  6. (Optional) Adjust the schedule as needed. By default, the poll_forensics.py script runs 2 minutes after poll_incidents.py and both scripts will run every 5 minutes.

FAQs

What user role is required?

Any user role that is able to view incidents and forensic data. This is a user with at least the DevSecOps role (self-hosted Compute) or Account Group Read Only role (SaaS Compute).

What is my SaaS Compute Console address?

You can find it at Compute > Manage > System > Utilities under the Path to Console heading.

Where is the configuration stored?

Whenever you complete the setup, local/twistlock.conf and local/passwords.conf are created. The passwords are stored and accessed using Splunk's encrypted password storage APIs.

Troubleshooting

General

If incidents and/or forensics are not being ingested into Splunk, please verify the following:

  • You have at least one incident at Monitor > Runtime > Incident Explorer under the "Active" tab.
  • You are able to see the incident's forensic data by clicking on the "Forensic snapshot" button.
  • The values in local/twistlock.conf and local/passwords.conf are correct. If any are not correct, use the setup page with the same Console configuration name to update them.
  • The app's scripts are enabled in Splunk (#4 in instructions), and have been run at least once (#5 in instructions).

If data is still not being ingested, check $SPLUNK_HOME/var/log/splunk/splunkd.log for messages related to poll_incidents.py and poll_forensics.py:

  index="_internal" source="/opt/splunk/var/log/splunk/splunkd.log" ("poll_incidents.py" OR "poll_forensics.py")
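The same triage that search performs, done offline over splunkd.log text, as an added example that is not part of the app: it keeps only ExecProcessor "message from" lines for the two poll scripts and reports the ERROR lines per script. The sample log lines are constructed in the ExecProcessor format shown in the issues below, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample lines in splunkd.log's ExecProcessor format (not a real capture).
SAMPLE_LOG = """\
01-14-2022 08:25:00.003 -0500 INFO ExecProcessor - setting reschedule_ms=299997, for command=/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py
01-14-2022 08:25:00.180 -0500 INFO ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" Prisma Cloud Compute poll_incidents script started.
01-14-2022 08:25:00.306 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" Failed getting configuration from Splunk: ResourceNotFound('https://127.0.0.1:8089/servicesNS/nobody/twistlock/configs/conf-twistlock/None')
01-14-2022 08:27:00.101 -0500 INFO ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_forensics.py" Prisma Cloud Compute poll_forensics script started.
01-14-2022 08:30:00.002 -0500 WARN ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" No new incidents since last checkpoint.
"""

# Timestamp, level, the quoted command Splunk ran, and whatever the script wrote.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'(?P<level>[A-Z]+)\s+ExecProcessor - message from "(?P<cmd>[^"]*)" (?P<msg>.*)$'
)
SCRIPTS = ("poll_incidents.py", "poll_forensics.py")

def parse_script_messages(log_text):
    """Messages the app's two scripts wrote, keyed by script name as (ts, level, msg).
    Lines from other commands and scheduler lines without 'message from' are skipped."""
    by_script = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        script = next((s for s in SCRIPTS if m.group("cmd").endswith(s)), None)
        if script is not None:
            by_script[script].append((m.group("ts"), m.group("level"), m.group("msg")))
    return dict(by_script)

def summarize(log_text):
    """Per script: message count, ERROR count and the first ERROR text, if any."""
    out = {}
    for script, entries in parse_script_messages(log_text).items():
        errors = [msg for _, lvl, msg in entries if lvl == "ERROR"]
        out[script] = {"messages": len(entries), "errors": len(errors),
                       "first_error": errors[0] if errors else None}
    return out

if __name__ == "__main__":
    for script, facts in summarize(SAMPLE_LOG).items():
        print(script, facts)
```

Feed it the text of $SPLUNK_HOME/var/log/splunk/splunkd.log and the first ERROR per script is usually the root cause; the traceback lines that follow it in the log are separate messages and land after it in the list.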

Updating To Latest Version

If new features or bug fixes are not appearing in your environment after updating the app in place, completely delete the Prisma Cloud Compute application out of Splunk before reinstalling the app.

Some users will also have to force-clear their browser's cache in order to see changes to the App Setup Page in Splunk.

Screenshots

[Screenshot: the incident explorer]

[Screenshot: the dashboard]

[Screenshot: a search]

Support

Please read SUPPORT.md for details on how to get support for this project.


prisma-cloud-compute-splunk's Issues

Cannot Complete App Setup

Describe the bug

After filling out the setup page, the "Complete Setup" button does nothing

Expected behavior

Inputs are created with the given settings

Current behavior

After filling out the setup page, the "Complete Setup" button does nothing. I have also not seen any logs being created (of any log level) after clicking "complete setup".

Possible solution

The setup requires assets from "unpkg.com". That might be the issue, but I don't know.

Steps to reproduce

  1. Install Splunk version 8.2.1
  2. Install app version 4.1.1
  3. open addon
  4. go to setup page
  5. try to enter any info that matches the supported format
  6. click the "complete setup" button

Context

Trying to set up inputs and it doesn't work.

Your Environment

Splunk version 8.2.1
App version 4.1.1
Chrome version 96.0.4664.55 (normal and incognito)
MacOS

entity.getEntities only returns 1st 30 passwords in get_credentials

Describe the bug

By default, splunk.entity.getEntities only returns the first 30 entries it finds. We have twistlock installed on a heavy forwarder with 38 other passwords (one TA stores previous passwords to prevent re-use). The twistlock TA doesn't find our password in the first 30 and it bombs out

Expected behavior

It should look at all passwords to find the one it needs

Current behavior

splunk.entity.getEntities gets the first 30 by default

Possible solution

Add "count=0" to the getEntities call in get_credentials:

  entities = entity.getEntities(
      ["storage", "passwords"], namespace="twistlock", count=0,
      owner="nobody", sessionKey=session_key)

This is a one-line fix to #9

I am not fluent in GitHub and I'm not sure how to submit a PR to a PR, so I'm just listing this here in case someone else wants to fix this.

Steps to reproduce

If you add 31 passwords to other TAs on the Splunk server that houses twistlock, you will not be able to see the 31st.

Screenshots

none

Context

Trying to get twistlock TA running on a heavy forwarder with many other TAs.

Your Environment

Using Splunk 8.2.2

The "poll_incidents.py" in PR #10 fails if there is no checkpoint file (last_datestring_indexed isn't set, but is used later)

Describe the bug

"last_datestring_indexed" is not defined in #10 if there is no checkpoint file (i.e. on a first run). Just add

  last_datestring_indexed=""

after line 69

Expected behavior

Expect code to work if there is no checkpoint file

Current behavior

The "else" condition when there is no checkpoint file does not set "last_datestring_indexed", so we get an error when it is accessed a few lines later

Possible solution

Just add

  last_datestring_indexed=""

after line 69

Steps to reproduce

Screenshots

Context

Your Environment

  • Version used:
  • Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3):
  • Operating System and version (desktop or mobile):
  • Link to your project:
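The first-run edge case from this issue, as an added example that is not the app's own code: a checkpoint loader that returns "" when the file does not exist, so last_datestring_indexed is always bound, together with the select-and-advance logic around it. Assumed: the checkpoint is a plain-text file holding the RFC 3339 time of the newest indexed incident, incidents are dicts with a "time" key, and the sample incidents and demo file name are constructed.

```python
import os
from datetime import datetime

# Assumed layout (not the app's own code): the checkpoint is a text file holding the
# RFC 3339 "time" of the newest incident indexed so far; incidents are dicts with "time".
SAMPLE_INCIDENTS = [  # constructed, not real Console output
    {"_id": "a", "time": "2022-01-14T13:20:00.000Z"},
    {"_id": "b", "time": "2022-01-14T13:25:00.000Z"},
    {"_id": "c", "time": "2022-01-14T13:22:00.000Z"},
]

def parse_ts(datestring):
    # fromisoformat does not accept a trailing Z, so map it to an explicit offset.
    return datetime.fromisoformat(datestring.replace("Z", "+00:00"))

def load_checkpoint(path):
    """Stored datestring, or "" on a first run with no file, so the name is always bound."""
    try:
        with open(path, encoding="utf-8") as f:
            return f.read().strip()
    except FileNotFoundError:
        return ""

def select_new_incidents(incidents, last_datestring_indexed):
    """Incidents strictly newer than the checkpoint, oldest first; "" means take all."""
    if last_datestring_indexed:
        cutoff = parse_ts(last_datestring_indexed)
        incidents = [i for i in incidents if parse_ts(i["time"]) > cutoff]
    return sorted(incidents, key=lambda i: parse_ts(i["time"]))

def save_checkpoint(path, indexed):
    """Advance the checkpoint atomically (temp file + rename) so an interrupted write
    can never leave a truncated datestring for the next run to choke on."""
    if indexed:
        tmp = path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as f:
            f.write(indexed[-1]["time"])  # list is sorted, so the last one is newest
        os.replace(tmp, path)

def run_once(path, incidents):
    """One poll cycle: read checkpoint, pick new incidents, advance checkpoint."""
    fresh = select_new_incidents(incidents, load_checkpoint(path))
    save_checkpoint(path, fresh)
    return [i["_id"] for i in fresh]

def demo(path="pcc_checkpoint_demo.txt"):
    """First run with no checkpoint file, then an immediate second run."""
    if os.path.exists(path):
        os.remove(path)
    return run_once(path, SAMPLE_INCIDENTS), run_once(path, SAMPLE_INCIDENTS), load_checkpoint(path)

if __name__ == "__main__":
    print(demo())
```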

Support Compute versions >= 21.08

In 21.08, the JWT no longer has project information, so the lines below will fail.

  if jwt_payload["permissions"][0]["project"] == "Central Console":

  params = {"project": jwt_payload["permissions"][0]["project"]}

The JWT was used to collect the list of projects available to the user. The data may still be there, but it's no longer obvious.
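A defensive reading of the two lines above, as an added example that is not the app's code: the payload is decoded and permissions[0].project is looked up with .get(), so a token without project information yields no project parameter instead of a KeyError. Assumed: a token naming "Central Console", or carrying no project at all, means no project parameter is sent; the HS256 test key and both tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_payload(token, hs256_key=None):
    """Claims of a JWT as a dict. The HS256 signature is checked only when a key is
    given; the poll scripts just read claims from a token the Console issued to them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    if hs256_key is not None:
        mac = hmac.new(hs256_key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, _b64url_decode(parts[2])):
            raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))

def project_from_payload(payload):
    """permissions[0].project, or None when the claim is missing, empty or has no
    "project" key (the token shape the issue reports for Compute >= 21.08)."""
    permissions = payload.get("permissions")
    if not isinstance(permissions, list) or not permissions:
        return None
    first = permissions[0]
    return first.get("project") if isinstance(first, dict) else None

def project_params(token):
    """Query parameters for project-scoped calls. Assumed: "Central Console" or no
    project at all means no project parameter (the direct indexing raised KeyError)."""
    project = project_from_payload(jwt_payload(token))
    return {} if project in (None, "Central Console") else {"project": project}

TEST_KEY = b"constructed-test-key"  # only for the constructed tokens below
def make_test_token(payload, key=TEST_KEY):
    # Constructed HS256 token so the example runs offline; not a real Console token.
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = _b64url_encode(hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest())
    return f"{head}.{body}.{sig}"

PRE_2108_TOKEN = make_test_token({"user": "svc", "permissions": [{"project": "tenant-a"}]})
POST_2108_TOKEN = make_test_token({"user": "svc", "permissions": [{"actions": ["read"]}]})
```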

[Community Health Assessment] Changes needed

Health Check | Score | More Info
Contains a meaningful README.md file | 20 / 20 | More info
SUPPORT.md file exists | 20 / 20 | More info
Repo has a description | 15 / 15 | More info
Has a recognized open source license | 15 / 15 | More info
Has a descriptive repo name | 15 / 15 | More info
Required topics attached to repo | 15 / 15 | More info
CONTRIBUTING.md file with contribution guidelines | 0 / 5 | More info
Has custom issue and pull request templates | 0 / 5 | More info

Current score: 100
Target threshold: 100
Total possible: 110

[Community Health Assessment] Changes needed

This issue was opened by a bot called Community Health (PANW) because this repo has failed too many community health checks.

Repo maintainers: Please take the time to fix the issues in the table to reach the target score. These improvements will help others find your work and contribute to it. This issue will update as your score improves until it hits the target score.

Click More info for instructions to fix each item.

Health Check | Score | More Info
Contains a meaningful README.md file | 20 / 20 | More info
SUPPORT.md file exists | 0 / 20 | More info
Repo has a description | 0 / 15 | More info
Has a recognized open source license | 15 / 15 | More info
Has a descriptive repo name | 15 / 15 | More info
Required topics attached to repo | 0 / 15 | More info
CONTRIBUTING.md file with contribution guidelines | 0 / 5 | More info
Has custom issue and pull request templates | 0 / 5 | More info

Current score: 50
Target threshold: 100
Total possible: 110

We are getting error (UnboundLocalError: local variable 'conf_values' referenced before assignment) pulling the data from twistlock

Describe the bug

We are getting an error (UnboundLocalError: local variable 'conf_values' referenced before assignment) pulling the data from twistlock.

We received both pcc:incidents and pcc:forensics for some time and it stopped after a few days.

ERROR ExecProcessor - message from"/usr/splunk/bin/phthon3.7 /usr/splunk/etc/apps/twistlock/bin/poll_incidents.py" UnboundlocalError: local variable 'conf_values' refenced before assignment.

Expected behavior

Current behavior

Here are the error messages that we get from Splunk:
1/14/22 8:25:00.307 AM | 01-14-2022 08:25:00.307 -0500 ERROR ExecProcessor - message from "/usr/splunk/bin/python3.7 /usr/splunk/etc/apps/twistlock/bin/poll_incidents.py" UnboundLocalError: local variable 'conf_values' referenced before assignment
1/14/22 8:25:00.307 AM | 01-14-2022 08:25:00.307 -0500 ERROR ExecProcessor - message from "/usr/splunk/bin/python3.7 /usr/splunk/etc/apps/twistlock/bin/poll_incidents.py" "console_addr": conf_values["console_addr"],
1/14/22 8:25:00.307 AM | 01-14-2022 08:25:00.307 -0500 ERROR ExecProcessor - message from "/usr/splunk/bin/python3.7 /usr/splunk/etc/apps/twistlock/bin/poll_incidents.py" File "/usr/splunk/etc/apps/twistlock/bin/utils/splunk_sdk.py", line 44, in get_config_stanza
1/14/22 8:25:00.307 AM | 01-14-2022 08:25:00.307 -0500 ERROR ExecProcessor - message from "/usr/splunk/bin/python3.7 /usr/splunk/etc/apps/twistlock/bin/poll_incidents.py" stanza = get_config_stanza(credential["realm"], session_key)
1/14/22 8:25:00.307 AM | 01-14-2022 08:25:00.307 -0500 ERROR ExecProcessor - message from "/usr/splunk/bin/python3.7 /usr/splunk/etc/apps/twistlock/bin/poll_incidents.py" File "/usr/splunk/etc/apps/twistlock/bin/utils/splunk_sdk.py", line 60, in generate_configs
1/14/22 8:25:00.307 AM | 01-14-2022 08:25:00.307 -0500 ERROR ExecProcessor - message from "/usr/splunk/bin/python3.7 /usr/splunk/etc/apps/twistlock/bin/poll_incidents.py" configs = generate_configs(session_key)
1/14/22 8:25:00.307 AM | 01-14-2022 08:25:00.307 -0500 ERROR ExecProcessor - message from "/usr/splunk/bin/python3.7 /usr/splunk/etc/apps/twistlock/bin/poll_incidents.py" File "/usr/splunk/etc/apps/twistlock/bin/poll_incidents.py", line 198, in main
1/14/22 8:25:00.307 AM | 01-14-2022 08:25:00.307 -0500 ERROR ExecProcessor - message from "/usr/splunk/bin/python3.7 /usr/splunk/etc/apps/twistlock/bin/poll_incidents.py" main()
1/14/22 8:25:00.307 AM | 01-14-2022 08:25:00.307 -0500 ERROR ExecProcessor - message from "/usr/splunk/bin/python3.7 /usr/splunk/etc/apps/twistlock/bin/poll_incidents.py" File "/usr/splunk/etc/apps/twistlock/bin/poll_incidents.py", line 233, in
1/14/22 8:25:00.307 AM | 01-14-2022 08:25:00.307 -0500 ERROR ExecProcessor - message from "/usr/splunk/bin/python3.7 /usr/splunk/etc/apps/twistlock/bin/poll_incidents.py" Traceback (most recent call last):
1/14/22 8:25:00.306 AM | 01-14-2022 08:25:00.306 -0500 ERROR ExecProcessor - message from "/usr/splunk/bin/python3.7 /usr/splunk/etc/apps/twistlock/bin/poll_incidents.py" Failed getting configuration from Splunk: ResourceNotFound('https://127.0.0.1:8089/servicesNS/nobody/twistlock/configs/conf-twistlock/None')
1/14/22 8:25:00.180 AM | 01-14-2022 08:25:00.180 -0500 INFO ExecProcessor - message from "/usr/splunk/bin/python3.7 /usr/splunk/etc/apps/twistlock/bin/poll_incidents.py" Prisma Cloud Compute poll_incidents script started.
1/14/22 8:25:00.003 AM | 01-14-2022 08:25:00.003 -0500 INFO ExecProcessor - setting reschedule_ms=299997, for command=/usr/splunk/bin/python3.7 /usr/splunk/etc/apps/twistlock/bin/poll_incidents.py

Possible solution

Steps to reproduce

Tried upgrading and reinstalling the app but no luck

Screenshots

Context

Trying to pull the twistlock incidents from the Console (hosted on-prem) into Splunk but getting an error message.

Your Environment

Splunk 8.1.3
Prisma Cloud Compute (Twistlock) App for Splunk - 4.1.1

$ cat inputs.conf
[script://./bin/poll_incidents.py]
disabled = 0
sourcetype = pcc:incident
interval = 00-59/5 * * * *
start_by_shell = 0
passAuth = splunk-system-user
index = twistlock

[script://./bin/poll_forensics.py]
disabled = 0
sourcetype = pcc:forensicdata
interval = 02-59/5 * * * *
start_by_shell = 0
passAuth = splunk-system-user
index = twistlock

$ cat passwords.conf
[credential:twsitlock_splunk:twistlock_splunk:]
password = xxxxxxxxxxxxxx

$ cat twistlock.conf
[twsitlock_splunk]
console_addr = https://xxxxxxxxxxxxxxx/
username = twistlock_splunk

