Python library and command line tool hunting in ACE ecosystems.
Project description
ace-hunter
ace-hunter
is primarily a command line tool for performing hunt validation in ACE environments. It's derived directly from the ACE Hunting System and can serve has a drop in replacement with some small changes to the ACE Hunting System.
Splunk hunts are the only hunts currently supported.
Install
pip install ace_hunter
You could also git clone this repo and python3 setup.py install
inside whatever python environment you wish. NOTE: I've only tested this in python3.9 but it should work for python>=3.7.
CLI Tool
A tool called hunt
is made available on the command line after install. For legacy reasons the tool can also be found under ace-hunt
.
$ hunt -h
usage: hunt [-h] [-d] {list-types,lt,list,l,verify,v,execute,e,config-query,cq,configure,c} ...
A hunting tool for ACE ecosystems.
positional arguments:
{list-types,lt,list,l,verify,v,execute,e,config-query,cq,configure,c}
list-types (lt) List the types of Hunts configured.
list (l) List the available hunts. The format of the output is E|D type:name - description E: enabled D: disabled
verify (v) Verifies that all configured hunts are able to load.
execute (e) Execute a hunt with the given parameters.
config-query (cq) Query the Hunter configuration.
configure (c) Configure Hunter requirements.
optional arguments:
-h, --help show this help message and exit
-d, --debug Turn on debug logging.
Configure
You will need to configure ace-hunter to work with your Splunk environment, your splunk hunt rules, and optionally your ACE environment.
Configuration items can be overridden on a system and user level. Config items take the following precedence, where items found later override earlier ones:
- Built in defaults.
- ACE settings at
/opt/ace/etc/saq.hunting.ini
. - System level settings at
/etc/ace/hunting.ini
. - User level settings at
~/.config/ace/hunting.ini
. - Special Environment Variables
Most of the ace-hunter
configuration flexibility is so it may be dropped directly into ACE or for later convenience as much lighter ace-hunting docker container.
Basic CLI Hunting Configuration
Below is an example of the minimum requirements for Splunk hunting with ace-hunter
.
[splunk]
; ex. uri = https://your.splunk.address
uri =
; timezone of your splunk server. ex: US/Eastern
timezone =
username =
password =
; Can supply path to CA cert, yes for using system certs, no to turn off.
ssl_verification =
[SSL]
; SSL section is for submitting results to ACE.
; The ca_chain_path will be attempted if supplied.
; Next, systems certs used unless verify_ssl set to False.
verify_ssl =
ca_chain_path =
[hunt_type_splunk]
; Optionally specify the base location all rule directories
; will be relative to.
; Example showing that current user references will be expanded:
;detection_dir = ~/detections
; This is for convenience. SAQ_HOME or other settings can also be used.
detection_dir =
; Comma sep list pointing to your different splunk rule dirs.
rule_dirs = hunts/splunk/hippo,hunts/splunk/cat
Easy User Level Configuration
You can easily override whatever config settings you need with the hunt configure
API.
Ex: save your rules directories:
➜ hunt configure hunt_type_splunk.rule_dirs -v 'hunts/splunk/hippo,hunts/splunk/cat'
2022-02-04 14:49:23 MacBook-Pro ace_hunter.config[1141] INFO saving passed value to hunt_type_splunk.rule_dirs to /Users/sean/.config/ace/hunting.ini
2022-02-04 14:49:23 MacBook-Pro ace_hunter.config[1141] INFO saved configuration to: /Users/sean/.config/ace/hunting.ini
Ex: save your password:
➜ hunt configure splunk.password
Enter value for splunk.password:
2022-02-04 14:50:56 MacBook-Pro ace_hunter.config[1565] INFO saving passed value to splunk.password to /Users/sean/.config/ace/hunting.ini
2022-02-04 14:50:56 MacBook-Pro ace_hunter.config[1565] INFO saved configuration to: /Users/sean/.config/ace/hunting.ini
If the hunt
tool creates or edits the user level config at ~/.config/ace/hunting.ini
the file will be made RW for the current user only.
TODO
- Allow proxy settings to be configurable for flexibility. Use use environment variables as needed for now.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file ace-hunter-1.0.2.tar.gz
.
File metadata
- Download URL: ace-hunter-1.0.2.tar.gz
- Upload date:
- Size: 32.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.7.1 importlib_metadata/4.10.0 pkginfo/1.8.2 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.55.1 CPython/3.9.5
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 1e9afe59e8a8cab6f2b183c5a676bd457dd05753c28115aedefa0a02832bc754 |
|
MD5 | bdf3b133a333eb3702f5f072d35d83cd |
|
BLAKE2b-256 | 4642e0eae55ead5d8139c45725e08e768aa2f05ee37895065593cb0174bcf336 |
File details
Details for the file ace_hunter-1.0.2-py3-none-any.whl
.
File metadata
- Download URL: ace_hunter-1.0.2-py3-none-any.whl
- Upload date:
- Size: 35.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.7.1 importlib_metadata/4.10.0 pkginfo/1.8.2 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.55.1 CPython/3.9.5
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 544de4fef734abf05e08656af755f0781162dc633e6a461def612778a706b5cc |
|
MD5 | 353e0e6c2b283142db1f22b37ac51eeb |
|
BLAKE2b-256 | 91152bc96ef070966c932bf5519153f5ca568c1e24df376760291e8736128340 |