I have created an alert with user name password fields such that the alert in savedsearches.conf has
action.creds_transfer.param.password = test
where creds_transfer is an alert action
I need to read all searches with this action and encrypt the password since it is in clear text.
How can i do that?
Using the rot13-encoding is reversible especially since you are doing it via rex so anyone that can see what the search is will know what is replaced by what and decode it. I advise you to have a look at :
Using hash functions such as :
... | eval n=md5(field)
.. | eval n=sha512(field)
Is safer and not reversible.
This uses rot13-encoding to obscure:
|rest /servicesNS/-/-/saved/searches | where action.creds_transfer.param.username = "aaa" | rex mode=sed field=action.creds_transfer.param.password "y/anbocpdqerfsgthuivjwkxlymz/naobpcqdresftguhviwjxkylzm/ y/NAOBPCQDRESFTGUHVIWJXKYLZM/ANBOCPDQERFSGTHUIVJWKXLYMZ/" | where action.creds_transfer.param.password = "grfg"
Thanks for your response.
couple of questions
Does saved/searches command also read searches from local/savedsearches.conf?
Where do i add this command? How can i call this from a python script?.
Can i run it using curl?
This is how my alert looks in local/savedsearches.conf. I dont want the password here to be cleartext.
action.creds_transfer = 1
action.creds_transfer.param.password = coolio
action.creds_transfer.param.username = test
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = 0 1 * * *
description = test Alert
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = equal to
run_on_startup = 1
search = *
ok. i tried with
|rest /servicesNS/-/-/saved/searches | where action.creds_transfer.param.username = "aaa"
and it didnt give error but also i did not get any results.
When i do |rest /servicesNS/-/-/saved/searches , I see the results and the value for action.creds_transfer.param.username.
but when i put where clause i do not see any results.
I also tried with other values instead of username and for those too i did not get any results.
is the syntax correct?
i ran this on splunk search
|rest /servicesNS/admin/infoblox/saved/searches action.creds_transfer.param.username = "test" | rex mode=sed field=action.creds_transfer.param.password "y/anbocpdqerfsgthuivjwkxlymz/naobpcqdresftguhviwjxkylzm/ y/NAOBPCQDRESFTGUHVIWJXKYLZM/ANBOCPDQERFSGTHUIVJWKXLYMZ/" | where action.creds_transfer.param.password = "coolio"
it gives me this error:
Error in 'rest' command: Invalid argument: 'action.creds_transfer.param.username'