feat: scheduled update lookups

2023-02-19 07:07:13 +00:00 · 2023-02-19 07:07:13 +00:00 · 7d615cb50f
parent 5a18483c6f
commit 7d615cb50f
2 changed files with 72 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -16,7 +16,9 @@

 Provide custom search commands to update [malware-filter](https://gitlab.com/malware-filter) lookups. Each command downloads from a source CSV and emit rows as events which can then be piped to a lookup file or used as a subsearch. Each command is exported globally and can be used in any app. This add-on currently does not have any UI.

-Source CSV will be downloaded via a proxy if configured in "$SPLUNK_HOME/etc/system/local/[server.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf#Splunkd_http_proxy_configuration)".
+Source CSVs will be downloaded via a proxy if configured in "$SPLUNK_HOME/etc/system/local/[server.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf#Splunkd_http_proxy_configuration)".
+
+By default, [lookup files](./lookups/) will be updated using scheduled reports every 12 hours from 00:00 of your configured time zone on Splunk. Modify the relevant saved searches to add [optional arguments](#usage).

 Tested on Splunk 9.x.

--- a/default/savedsearches.conf
+++ b/default/savedsearches.conf
@ -0,0 +1,69 @@
+[malware-filter Update botnet_ip.csv]
+action.lookup = 1
+action.lookup.filename = botnet_ip.csv
+cron_schedule = 0 */12 * * *
+description = Update lookup every 12 hours from 00:00
+dispatch.earliest_time = -12h
+enableSched = 1
+schedule_window = 60
+search = | getbotnetip
+
+[malware-filter Update botnet-filter-splunk.csv]
+action.lookup = 1
+action.lookup.filename = botnet-filter-splunk.csv
+cron_schedule = 0 */12 * * *
+description = Update lookup every 12 hours from 00:00
+dispatch.earliest_time = -12h
+enableSched = 1
+schedule_window = 60
+search = | getbotnetfilter
+
+[malware-filter Update opendbl_ip.csv]
+action.lookup = 1
+action.lookup.filename = opendbl_ip.csv
+cron_schedule = 0 */12 * * *
+description = Update lookup every 12 hours from 00:00
+dispatch.earliest_time = -12h
+enableSched = 1
+schedule_window = 60
+search = | getopendbl
+
+[malware-filter Update phishing-filter-splunk.csv]
+action.lookup = 1
+action.lookup.filename = phishing-filter-splunk.csv
+cron_schedule = 0 */12 * * *
+description = Update lookup every 12 hours from 00:00
+dispatch.earliest_time = -12h
+enableSched = 1
+schedule_window = 60
+search = | getphishingfilter
+
+[malware-filter Update pup-filter-splunk.csv]
+action.lookup = 1
+action.lookup.filename = pup-filter-splunk.csv
+cron_schedule = 0 */12 * * *
+description = Update lookup every 12 hours from 00:00
+dispatch.earliest_time = -12h
+enableSched = 1
+schedule_window = 60
+search = | getpupfilter
+
+[malware-filter Update urlhaus-filter-splunk-online.csv]
+action.lookup = 1
+action.lookup.filename = urlhaus-filter-splunk-online.csv
+cron_schedule = 0 */12 * * *
+description = Update lookup every 12 hours from 00:00
+dispatch.earliest_time = -12h
+enableSched = 1
+schedule_window = 60
+search = | geturlhausfilter
+
+[malware-filter Update vn-badsite-filter-splunk.csv]
+action.lookup = 1
+action.lookup.filename = vn-badsite-filter-splunk.csv
+cron_schedule = 0 */12 * * *
+description = Update lookup every 12 hours from 00:00
+dispatch.earliest_time = -12h
+enableSched = 1
+schedule_window = 60
+search = | getvnbadsitefilter