通过自定义SPL命令关联微步情报数据,效果如下:

 

 

1、安装splunk-sdk

cd /data/splunk/etc/apps/search/bin
pip3 install -t . splunk-sdk

2、自定义脚本开发

[root@SIEM-P-VC-A001 bin]# more threatquery.py 
#!/usr/bin/python
# -*- coding: utf-8 -*-
import os
import sys

import requests
import urllib3
from splunklib import six
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators
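# Silences urllib3's InsecureRequestWarning, which would otherwise be emitted on
# every request because get_ip_info() calls requests with verify=False. It hides
# the symptom, not the problem; see the SECURITY note in get_ip_info().
urllib3.disable_warnings()

# Outbound proxy for the ThreatBook API (placeholders - fill in "http://host:port").
proxies = {
    "http": "xxxx:808",
    "https": "xxxxx:808",
}

url = "https://api.threatbook.cn/v3/scene/ip_reputation"
# NOTE(review): the key used to be a bare literal in this file, which sits in the
# app's bin directory and is usually readable by anyone with shell access to the
# search head. Read it from the THREATBOOK_APIKEY environment variable instead
# (or, better, Splunk's credential store); the literal remains only as a fallback
# so existing deployments keep working.
apikey = os.environ.get("THREATBOOK_APIKEY", "xxxxxxxxx")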

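def get_ip_info(ip, timeout=10):
    """Query the ThreatBook scene/ip_reputation API for *ip*.

    Args:
        ip: the IP address to look up (the value of the record field named by
            the command's ``ip=`` option).
        timeout: seconds to wait for connect/read. Without one a stalled proxy
            or API would hang the whole Splunk search indefinitely.

    Returns:
        A dict with keys severity, judgments, tags_classes, country, province,
        city, scene, confidence_level, is_malicious and update_time, or ``None``
        when the response carries no ``data`` entry for *ip*. judgments and
        tags_classes are stringified as in the original implementation; any
        sub-field missing from the entry comes back as ``None`` instead of
        raising KeyError and aborting the search.

    Raises:
        requests.RequestException on transport/proxy errors and ValueError when
        the body is not JSON (e.g. a proxy or captive-portal error page).
    """
    query = {
        "apikey": apikey,
        "resource": ip,
    }
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0'}
    # SECURITY: verify=False turns off TLS certificate validation, so anything
    # on the path (including the proxy itself) can read the API key - which is
    # sent in the query string and therefore also lands in proxy/access logs -
    # and feed back forged reputation data that is then written into events.
    # Point ``verify`` at the proxy/CA bundle as soon as the deployment allows
    # it instead of disabling it.
    response = requests.post(url, headers=headers, params=query, verify=False,
                             proxies=proxies, timeout=timeout)
    get_result = response.json()
    # Look the entry up structurally. The previous str(json).count("data") test
    # also matched the word "data" inside an error message and then raised
    # KeyError on the missing key, killing the search.
    data = get_result.get("data") if isinstance(get_result, dict) else None
    entry = data.get(ip) if isinstance(data, dict) else None
    if entry is None:
        # NOTE(review): if the API reports errors via a status field in the same
        # body (quota exhausted, bad key), surface that instead of silently
        # returning None - confirm the error format against the vendor docs.
        return None

    basic = entry.get('basic') or {}
    location = basic.get('location') or {}
    judgments = entry.get('judgments')
    tags_classes = entry.get('tags_classes')
    return {
        'severity': entry.get('severity'),
        'judgments': str(judgments) if judgments is not None else None,
        'tags_classes': str(tags_classes) if tags_classes is not None else None,
        'country': location.get('country'),
        'province': location.get('province'),
        'city': location.get('city'),
        'scene': entry.get('scene'),
        'confidence_level': entry.get('confidence_level'),
        'is_malicious': entry.get('is_malicious'),
        'update_time': entry.get('update_time'),
    }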

 
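@Configuration()
class TestCMD(StreamingCommand):
    """``| threatquery ip=<field>`` - enrich each event with ThreatBook IP reputation.

    For every record the value of the field named by ``ip`` is passed to
    get_ip_info(); when the API returns an entry it is stored in the record
    under ``result``. Records whose field is missing or empty are passed
    through unchanged - the previous ``record[self.ip]`` raised KeyError on a
    missing field (aborting the whole search) and sent "" to the API on an
    empty one.
    """
    ip = Option(require=True, validate=validators.Fieldname())

    def stream(self, records):
        # One API call per distinct IP within this search: repeated source
        # addresses are the norm in event data and every lookup costs quota
        # and round-trip latency. The cache lives only for this invocation.
        seen = {}
        for record in records:
            value = record.get(self.ip)
            if value:
                if value not in seen:
                    seen[value] = get_ip_info(value)
                lookup = seen[value]
                if lookup is not None:
                    # Copy so that records never share one mutable dict.
                    record["result"] = dict(lookup)
            yield record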
# Hand control to the SDK: it parses argv (the ip=<field> option), reads records
# from stdin using the chunked protocol enabled in commands.conf, and writes the
# enriched records to stdout.
dispatch(TestCMD, sys.argv, sys.stdin, sys.stdout, __name__)

3、自定义脚本配置

在/data/splunk/etc/apps/search/local 中,新建commands.conf

[root@test]# vi commands.conf 
[threatquery] 
filename = threatquery.py 
python.version = python3
chunked = true

注意:修改完成之后,在浏览器中访问https://splunk服务器地址/debug/refresh,能看到一个Refresh按钮,点击之后平台配置会重新载入,自定义命令就能使用了。不需要执行重启操作。

 

 

参考链接:https://blog.csdn.net/MrRight17/article/details/113686345