I have created an alert with user name and password fields such that the alert in savedsearches.conf has
action.creds_transfer.param.username= aaa
action.creds_transfer.param.password = test
where creds_transfer is an alert action
I need to read all searches with this action and encrypt the password since it is in clear text.
How can I do that?
Thanks
Hello Gauri,
Using rot13 encoding is reversible, especially since you are doing it via rex, so anyone who can see what the search is will know what is replaced by what and decode it. I advise you to have a look at using hash functions such as:
... | eval n=md5(field)
or
... | eval n=sha512(field)
which is safer and not reversible.
Regards,
David
This uses rot13-encoding to obscure:
|rest /servicesNS/-/-/saved/searches | where action.creds_transfer.param.username = "aaa" | rex mode=sed field=action.creds_transfer.param.password "y/anbocpdqerfsgthuivjwkxlymz/naobpcqdresftguhviwjxkylzm/ y/NAOBPCQDRESFTGUHVIWJXKYLZM/ANBOCPDQERFSGTHUIVJWKXLYMZ/" | where action.creds_transfer.param.password = "grfg"
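The sed y/// swap above and the .conf stanza from the question, as an added Python example that is not from this thread or from Splunk: it parses a constructed local/savedsearches.conf, applies the same rot13 mapping, shows that applying it twice restores the cleartext (so it is obfuscation, not encryption), and contrasts it with the one-way sha512 digest David recommends. The stanza text and the helper names are assumptions for the example.

```python
import configparser
import hashlib

# Constructed sample of a local/savedsearches.conf stanza (not a real deployment).
SAVEDSEARCHES_CONF = """
[test-alert]
action.creds_transfer = 1
action.creds_transfer.param.password = coolio
action.creds_transfer.param.username = test
search = *
"""

# The two y/// alphabets from the rex sed command in the thread, as a translate table.
_ROT13 = str.maketrans(
    "anbocpdqerfsgthuivjwkxlymzANBOCPDQERFSGTHUIVJWKXLYMZ",
    "naobpcqdresftguhviwjxkylzmNAOBPCQDRESFTGUHVIWJXKYLZM",
)


def rot13(text: str) -> str:
    """Same letter swap the rex sed y/// performs; applying it twice restores the input."""
    return text.translate(_ROT13)


def load_creds_transfer_stanzas(conf_text: str) -> dict:
    """Return {stanza: {username, password}} for every stanza that enables creds_transfer."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written in the .conf
    parser.read_string(conf_text)
    found = {}
    for stanza in parser.sections():
        if parser.get(stanza, "action.creds_transfer", fallback="0") != "1":
            continue
        found[stanza] = {
            "username": parser.get(stanza, "action.creds_transfer.param.username", fallback=""),
            "password": parser.get(stanza, "action.creds_transfer.param.password", fallback=""),
        }
    return found


def sha512_hex(text: str) -> str:
    """One-way digest, the | eval n=sha512(field) equivalent; cannot be turned back into the password."""
    return hashlib.sha512(text.encode()).hexdigest()


if __name__ == "__main__":
    creds = load_creds_transfer_stanzas(SAVEDSEARCHES_CONF)
    pw = creds["test-alert"]["password"]
    obscured = rot13(pw)
    print(f"{pw} -> {obscured} -> {rot13(obscured)}")  # coolio -> pbbyvb -> coolio
    print("sha512:", sha512_hex(pw))
```

Note that a hashed value cannot be handed back to the alert action as a usable password, which is why hashing suits search results but not the stored credential itself.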
Thanks for your response.
A couple of questions:
Does the saved/searches command also read searches from local/savedsearches.conf?
Where do I add this command? How can I call this from a Python script?
Can I run it using curl?
This is how my alert looks in local/savedsearches.conf. I don't want the password here to be cleartext.
[test-alert]
action.creds_transfer = 1
action.creds_transfer.param.password = coolio
action.creds_transfer.param.username = test
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = 0 1 * * *
description = test Alert
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = equal to
run_on_startup = 1
search = *
It doesn't work that way.
OK. I tried with
|rest /servicesNS/-/-/saved/searches | where action.creds_transfer.param.username = "aaa"
and it didn't give an error, but I also did not get any results.
When I do |rest /servicesNS/-/-/saved/searches , I see the results and the value for action.creds_transfer.param.username.
But when I put the where clause in, I do not see any results.
I also tried with other values instead of username, and for those too I did not get any results.
Is the syntax correct?
Thanks
-Gauri
You have to rot13-encode coolio, so use pbbyvb:
I assumed the whole purpose was to obfuscate plain-text passwords in your search and search results, which this approach does.
I ran this in Splunk search:
|rest /servicesNS/admin/infoblox/saved/searches action.creds_transfer.param.username = "test" | rex mode=sed field=action.creds_transfer.param.password "y/anbocpdqerfsgthuivjwkxlymz/naobpcqdresftguhviwjxkylzm/ y/NAOBPCQDRESFTGUHVIWJXKYLZM/ANBOCPDQERFSGTHUIVJWKXLYMZ/" | where action.creds_transfer.param.password = "coolio"
It gives me this error:
Error in 'rest' command: Invalid argument: 'action.creds_transfer.param.username'
I had a mistake, please try again with updated answer text.