Deploy Resilient/resilient-community-apps to github.ibm.com/Resilient…

…/resilient-community-apps.git:gh-pages
ibmresilient · Apr 4, 2024 · 96d96fb · 96d96fb
1 parent 82ba749
commit 96d96fb
Show file tree

Hide file tree

Showing 6 changed files with 70 additions and 10 deletions.
diff --git a/.doctrees/environment.pickle b/.doctrees/environment.pickle
diff --git a/.doctrees/rc_data_feed_plugin_splunkfeed/README.doctree b/.doctrees/rc_data_feed_plugin_splunkfeed/README.doctree
diff --git a/_downloads/81bfbcae20a442ef630dcd7fdd1b62ee/LICENSE b/_downloads/81bfbcae20a442ef630dcd7fdd1b62ee/LICENSE
@@ -1,4 +1,4 @@
-Copyright © IBM Corporation 2010, 2019
+Copyright © IBM Corporation 2010, 2024
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

diff --git a/_sources/rc_data_feed_plugin_splunkfeed/README.md.txt b/_sources/rc_data_feed_plugin_splunkfeed/README.md.txt
@@ -16,6 +16,7 @@ Unless otherwise specified, contents of this repository are published under the
 
 | Version | Date | Notes |
 | ------- | ---- | ----- |
+| 1.2.0   | 04/2024 | Updated base rc_data_feed to 3.1.0. Added parallel execution. Added ability to exclude selective incident fields. |
 | 1.1.2   | 01/2024 | Updated base rc_data_feed to 3.0.0 |
 | 1.1.1   | 10/2022 | Fix to handle rare corrupt event.message |
 | 1.1.0   | 5/2022 | Replaced base component, adding attachment content, workspace separation, more control over auto data reload. |
@@ -32,11 +33,14 @@ This release modified the base portion of the Data Feeder which is controlled by
 | include_attachment_data | true/false | set to true if attachment data should be part of the sent payload. When 'true', the attachment's byte data is saved in base64 format. |
 
 ### 1.2.0 Changes
-This release modified the base portion of the Data Feeder which is controlled by the `[feed]` section within the app.config file. New parameters have been added which you need to manually add if upgrading from a previous version:
+This release modified the base portion of the Data Feeder which is controlled by the `[feed]` section within the app.config file. New parameters have been added which you need to manually add if upgrading from a previous version.
+Version 1.2.0 also introduces the ability to exclude incident fields from the created `incident` database table.  Wildcards can be used to remove fields following a pattern. Ex. gdpr*.
+To use this capability, add the following app.config setting, exclude_incident_fields_file, to the particular database configuration section. 
 
 | Parameter | Value(s) | Capability |
 | --------- | -------- | ---------- |
 | parallel_execution | True, False | parallel execution for faster ingestion to Splunk |
+| exclude_incident_fields_file | /path/to/exclusion_file.txt | Specify incident fields, one per line, to exclude from the incident data sent to Splunk. Use wildcards such as '*' (multiple characters) or '?' (single character) to exclude patterns of fields. Ex. gdpr_*, custom_field_int |
 
 ## Compatibility
 SOAR: 45.0 or higher
@@ -105,8 +109,28 @@ include_attachment_data=false
 # if necessary, specify the supported workspace (by label, case sensitive) and the list of feeds associated with it
 # ex: 'Default Workspace': ['sqlserver_feed'], 'workspace A': ['kafka_feed', 'resilient_feed']
 workspaces=
-# parallel execution disabled for splunkfeed
+# parallel execution disabled for splunkfeed.
 parallel_execution = False
+
+[splunk_hec_feed]
+class=SplunkHECFeed
+token=<token>
+host=<host>
+port=8088
+index=data_feeder
+# only use event_source_type if using one type. otherwise, the resilient object type (incident, note, artifact, etc.) is used
+#event_source_type=txt
+event_host=<resilient host>
+event_source=resilient
+use_ssl=true
+# Optional settings for accessing Splunk via a proxy.
+#http_proxy=http://proxy:8088
+#https_proxy=http://proxy:8088
+# these settings are only needed for the unit tests
+#user=
+#password=
+# new in v1.2.0 exclude incident fields. Specify fields to exclude one per line. Wildcards such as * and ? may be used. 
+exclude_incident_fields_file = /path/to/exclusion_file.txt
 ```
 
 ## SplunkHECFeed Class
@@ -123,6 +147,8 @@ port | Ex. 8088 | The default is 8088 |
 | event_source | Ex. resilient | Optional source name of the events. Specifying a value improves searching
 | event_source_type |  | Optional source_type if one value is used for all events. If unspecified, each object type (incident, task, note, etc.) is used as the source_type
 | use_ssl | True | False | Indicate if connections to the HEC uses encryption (https) |
+| exclude_incident_fields_file | /path/to/exclusion_file.txt | Specify incident fields, one per line, to exclude from the incident send to Splunk. Use wildcards such as '*' (multiple characters) or '?' (single character) to exclude patterns of incident fields. |
+
 
 ### Considerations
 * Enable the HTTP Event Collector within Splunk ES before using this data feed.

diff --git a/rc_data_feed_plugin_splunkfeed/README.html b/rc_data_feed_plugin_splunkfeed/README.html
@@ -373,19 +373,23 @@ <h2>Release Notes<a class="headerlink" href="#release-notes" title="Link to this
 </tr>
 </thead>
 <tbody>
-<tr class="row-even"><td><p>1.1.2</p></td>
+<tr class="row-even"><td><p>1.2.0</p></td>
+<td><p>04/2024</p></td>
+<td><p>Updated base rc_data_feed to 3.1.0. Added parallel execution. Added ability to exclude selective incident fields.</p></td>
+</tr>
+<tr class="row-odd"><td><p>1.1.2</p></td>
 <td><p>01/2024</p></td>
 <td><p>Updated base rc_data_feed to 3.0.0</p></td>
 </tr>
-<tr class="row-odd"><td><p>1.1.1</p></td>
+<tr class="row-even"><td><p>1.1.1</p></td>
 <td><p>10/2022</p></td>
 <td><p>Fix to handle rare corrupt event.message</p></td>
 </tr>
-<tr class="row-even"><td><p>1.1.0</p></td>
+<tr class="row-odd"><td><p>1.1.0</p></td>
 <td><p>5/2022</p></td>
 <td><p>Replaced base component, adding attachment content, workspace separation, more control over auto data reload.</p></td>
 </tr>
-<tr class="row-odd"><td><p>1.0.3</p></td>
+<tr class="row-even"><td><p>1.0.3</p></td>
 <td><p>9/2020</p></td>
 <td><p>App Host and Proxy Support</p></td>
 </tr>
@@ -422,7 +426,9 @@ <h3>1.1.0 Changes<a class="headerlink" href="#changes" title="Link to this headi
 </section>
 <section id="id1">
 <h3>1.2.0 Changes<a class="headerlink" href="#id1" title="Link to this heading">#</a></h3>
-<p>This release modified the base portion of the Data Feeder which is controlled by the <code class="docutils literal notranslate"><span class="pre">[feed]</span></code> section within the app.config file. New parameters have been added which you need to manually add if upgrading from a previous version:</p>
+<p>This release modified the base portion of the Data Feeder which is controlled by the <code class="docutils literal notranslate"><span class="pre">[feed]</span></code> section within the app.config file. New parameters have been added which you need to manually add if upgrading from a previous version.
+Version 1.2.0 also introduces the ability to exclude incident fields from the created <code class="docutils literal notranslate"><span class="pre">incident</span></code> database table.  Wildcards can be used to remove fields following a pattern. Ex. gdpr*.
+To use this capability, add the following app.config setting, exclude_incident_fields_file, to the particular database configuration section.</p>
 <div class="table-wrapper colwidths-auto docutils container">
 <table class="docutils align-default">
 <thead>
@@ -436,6 +442,10 @@ <h3>1.2.0 Changes<a class="headerlink" href="#id1" title="Link to this heading">
 <td><p>True, False</p></td>
 <td><p>parallel execution for faster ingestion to Splunk</p></td>
 </tr>
+<tr class="row-odd"><td><p>exclude_incident_fields_file</p></td>
+<td><p>/path/to/exclusion_file.txt</p></td>
+<td><p>Specify incident fields, one per line, to exclude from the incident data sent to Splunk. Use wildcards such as ‘<em>’ (multiple characters) or ‘?’ (single character) to exclude patterns of fields. Ex. gdpr_</em>, custom_field_int</p></td>
+</tr>
 </tbody>
 </table>
 </div>
@@ -525,8 +535,28 @@ <h3>app.config file<a class="headerlink" href="#app-config-file" title="Link to
 <span class="c1"># if necessary, specify the supported workspace (by label, case sensitive) and the list of feeds associated with it</span>
 <span class="c1"># ex: &#39;Default Workspace&#39;: [&#39;sqlserver_feed&#39;], &#39;workspace A&#39;: [&#39;kafka_feed&#39;, &#39;resilient_feed&#39;]</span>
 <span class="n">workspaces</span><span class="o">=</span>
-<span class="c1"># parallel execution disabled for splunkfeed</span>
+<span class="c1"># parallel execution disabled for splunkfeed.</span>
 <span class="n">parallel_execution</span> <span class="o">=</span> <span class="kc">False</span>
+
+<span class="p">[</span><span class="n">splunk_hec_feed</span><span class="p">]</span>
+<span class="n">class</span><span class="o">=</span><span class="n">SplunkHECFeed</span>
+<span class="n">token</span><span class="o">=&lt;</span><span class="n">token</span><span class="o">&gt;</span>
+<span class="n">host</span><span class="o">=&lt;</span><span class="n">host</span><span class="o">&gt;</span>
+<span class="n">port</span><span class="o">=</span><span class="mi">8088</span>
+<span class="n">index</span><span class="o">=</span><span class="n">data_feeder</span>
+<span class="c1"># only use event_source_type if using one type. otherwise, the resilient object type (incident, note, artifact, etc.) is used</span>
+<span class="c1">#event_source_type=txt</span>
+<span class="n">event_host</span><span class="o">=&lt;</span><span class="n">resilient</span> <span class="n">host</span><span class="o">&gt;</span>
+<span class="n">event_source</span><span class="o">=</span><span class="n">resilient</span>
+<span class="n">use_ssl</span><span class="o">=</span><span class="n">true</span>
+<span class="c1"># Optional settings for accessing Splunk via a proxy.</span>
+<span class="c1">#http_proxy=http://proxy:8088</span>
+<span class="c1">#https_proxy=http://proxy:8088</span>
+<span class="c1"># these settings are only needed for the unit tests</span>
+<span class="c1">#user=</span>
+<span class="c1">#password=</span>
+<span class="c1"># new in v1.2.0 exclude incident fields. Specify fields to exclude one per line. Wildcards such as * and ? may be used. </span>
+<span class="n">exclude_incident_fields_file</span> <span class="o">=</span> <span class="o">/</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">exclusion_file</span><span class="o">.</span><span class="n">txt</span>
 </pre></div>
 </div>
 </section>
@@ -579,6 +609,10 @@ <h2>SplunkHECFeed Class<a class="headerlink" href="#splunkhecfeed-class" title="
 <td class="text-left"><p>True</p></td>
 <td class="text-left"><p>False</p></td>
 </tr>
+<tr class="row-odd"><td class="text-left"><p>exclude_incident_fields_file</p></td>
+<td class="text-left"><p>/path/to/exclusion_file.txt</p></td>
+<td class="text-left"><p>Specify incident fields, one per line, to exclude from the incident send to Splunk. Use wildcards such as ‘*’ (multiple characters) or ‘?’ (single character) to exclude patterns of incident fields.</p></td>
+</tr>
 </tbody>
 </table>
 </div>

diff --git a/searchindex.js b/searchindex.js