Splunk Search

How can I make those authentication credentials editable through a graphical interface/dashboard in Splunk?

JerryLives
Engager

I have a Python script in an External Lookup app which makes REST GET calls to a third party endpoint which requires basic authentication (username/password).

How can I make those authentication credentials editable through a graphical interface/dashboard in Splunk?

This answer states that there is no way to pass authentication into External Lookup scripts: https://community.splunk.com/t5/Splunk-Search/Pros-and-Cons-External-lookup-script-vs-custom-search-...

I am aware of the possibility to create a setup page (https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/setuppage/) for my app so credentials can be written into a custom conf file in the "<app_name>/local" folder and then parsed by the Python script but the credentials would be readable due to being  written in plaintext. Is there a way to obfuscate the credentials but then easily use them through Python?

Labels (1)

sistemistiposta
Path Finder

Hello,

  I'm afraid, I have a similar problem. I developed an external lookup in Python which makes an API call using a password authentication.

When I submitted my app to Splunkbase, the result was:

 

 check_for_secret_disclosure

    Password is being stored in plain text. Client's secret must be stored in encrypted format. You can use this reference for manage secret storage
    https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/secretstorage/
    File: appserver/static/javascript/views/app.js Line: 95

 

There is no problem to write the password in passwords.conf. I followed the example in Weather App Example

The problem starts when I need to read the password from the Python external lookup script! Splunk general documentation suggests to use a client.connect

Client.connect need a Splunk user authentication, so another secret. I can find a method to read the secret as the splunklib.searchcommands allows.

I have Splunk Enterprise, so I could leave the API password clear, but I would like to use the secretstorage as suggested.

How can I fix this problem?

 

Thank you very much

Kind Regards

Marco

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...