We currently have a PowerShell script that queries one of our EDR solutions and returns all data for the specified host.
Essentially format is like a powershell.exe script.ps1 -Host HostA
I was hoping it might be possible to incorporate this script into Splunk so we can do this from within Splunk unlike at the moment where we always have PowerShell window open.
Is what I want, possible? I have come across a number of articles for PowerShell/Splunk but they all seem to be set as 'data inputs' ( run the same script every few hours ) whereas my use case is slightly different.
If its possible do you have any links or can you point me in the right direction?
so you don't think its possible to run the powershell command directly ? ( rather than having to 'wrap' it in python?)
Maybe, but I hate to say "it works" given that I haven't tried it myself. Based on our documentation here, you should be able to invoke anything with an extension of .bat, .cmd, .py, .js or .exe natively.
The same link also states that if the "[...] executable file has no extension, or the file extension is not recognized"... "The Splunk software attempts to run the executable directly, without an interpreter."
So you could try to configure powershell.exe as your executable, and your specific ps file as a command argument (command.arg.1).
Alternatively, try to configure your ps file name directly and see if the OS does the right thing.
Re-reading your question, I am wondering if this is what you really want. Maybe you can clarify exactly what you would like to do with the data that the script pulls? Do you want each event in your initial result set to be enriched with all the fields that your script returns for a host? If so, that's probably more suited for an automatic external lookup and you are back to a (simple) Python wrapper for your powershell script.
If you just want to pull the information on request by a user, you can consider a workflow action, where a user clicks on a specific event and the workflow actions obtains the data from another system. For that to work, you would have to have an HTTP service available to query.
In any case, it depends on your use case. Apologies if I initially misunderstood.
Essentially i am building an inhouse splunk app for a few bits and pieces ( partially to help users and partially for me to learn more about splunk ) .
Anyway currently i have created a 'page' inside the app with just a textbox and submit button where the users enter an IP address , then the search goes through a csv and returns host details.
Essentially i wanted to replicate that but for the EDR solution , so basic 'page' with a textbox and submit button where users can enter a hostname and when they click the submit button our powershell script ( with some modification im assuming ) goes fetches the results and just displays them .
PS forgot to note that each page obviously has a event/stats panel to show results.
Is Powershell the only way you can interact with your EDR solution? No HTTP/REST? No RDBMS query?
It's possibly to use HTTP/REST but i have decided to try and go down the 'wrapper' route with python, thanks so much for your help.