Work in progress.
Disclaimer: The reversing of the product could be recognized as a breach of a license agreement and you should always consult with the vendor before decompiling binary files back into source code. Under no circumstances will I be held responsible or liable in any way for any claims, damages, losses, expenses, costs or liabilities whatsoever (including, without limitation, any direct or indirect damages for loss of profits, business interruption or loss of information) resulting or arising directly or indirectly from your use of or inability to use materials provided in this repository. You are responsible for your own actions.
HTTP Cats is a Splunk SOAR (Phantom) application meant for demo integration purposes. The application currently covers the following topics:
- Downloading binary files;
- Placing files into Vault;
- Using custom widget to represent data;
- Showing file from Vault within the application's widget;
The application itself translates an HTTP response code into a visual representation using cat pictures from https://http.cat.
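The core of the app, as an added example that is not code from the HTTP Cats app or the SOAR SDK: map a status code to its https://http.cat picture and download the binary with the checks an action should perform before handing bytes to the Vault (valid status code, upstream answered 200, body is an image, size cap). The function names, the 5 MiB cap and the injectable `fetch` parameter are this example's own assumptions; the default fetcher uses `urllib` and a constructed fake fetcher is used so the script runs offline.

```python
"""Added example (not code from the HTTP Cats app): map an HTTP status code to its
https://http.cat image and fetch the image bytes with basic safety limits.
Function and parameter names here are this example's own assumptions."""
from typing import Callable, Tuple
import urllib.request

HTTP_CAT_BASE = "https://http.cat"      # source of the cat pictures (from the README)
MAX_IMAGE_BYTES = 5 * 1024 * 1024       # assumed cap; refuse to buffer anything larger

FetchFn = Callable[[str], Tuple[int, str, bytes]]


def is_valid_status_code(status_code) -> bool:
    """True for a plain integer in the HTTP status range 100..599."""
    if not isinstance(status_code, int) or isinstance(status_code, bool):
        return False
    return 100 <= status_code <= 599


def http_cat_url(status_code: int) -> str:
    """Build the http.cat URL for a status code.

    The code is untrusted action input, so reject anything that is not a
    three-digit HTTP status before it is interpolated into a URL.
    """
    if not is_valid_status_code(status_code):
        raise ValueError(f"{status_code!r} is not a valid HTTP status code")
    return f"{HTTP_CAT_BASE}/{status_code}"


def _default_fetch(url: str) -> Tuple[int, str, bytes]:
    """Real network fetcher: returns (status, content-type, body).

    Reads at most one byte past the cap so the caller can detect oversize bodies
    without buffering an unbounded response.
    """
    with urllib.request.urlopen(url, timeout=10) as resp:
        content_type = resp.headers.get("Content-Type", "")
        return resp.status, content_type, resp.read(MAX_IMAGE_BYTES + 1)


def download_cat_image(status_code: int, fetch: FetchFn = _default_fetch) -> bytes:
    """Download the cat picture for status_code and return the raw bytes.

    `fetch` is injectable so the logic can be exercised offline. The checks are
    what a SOAR action should do before placing the file into the Vault.
    """
    url = http_cat_url(status_code)
    upstream_status, content_type, body = fetch(url)
    if upstream_status != 200:
        raise RuntimeError(f"{url} answered {upstream_status}")
    if not content_type.lower().startswith("image/"):
        raise RuntimeError(f"unexpected content type {content_type!r} from {url}")
    if len(body) > MAX_IMAGE_BYTES:
        raise RuntimeError(f"{url} exceeds {MAX_IMAGE_BYTES} bytes")
    return body


def fake_fetch(url: str) -> Tuple[int, str, bytes]:
    """Constructed stand-in for the network: a tiny JPEG-like body for any URL."""
    return 200, "image/jpeg", b"\xff\xd8\xff" + b"cat"


if __name__ == "__main__":
    data = download_cat_image(404, fetch=fake_fetch)
    print(f"{len(data)} bytes for {http_cat_url(404)}")
```

In the real action the returned bytes would be written to a temporary file and added to the Vault; the size and content-type checks are what keep a misbehaving upstream from filling the SOAR instance's disk or storing an HTML error page as an "image".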
All Python code within a Splunk Phantom instance is compiled to binary `.pyc` files. Therefore, an IDE cannot provide code completion and proper syntax highlighting. However, the following steps can be used to prepare the code for the IDE:
```shell
pip install uncompyle6
decompiled_packages=~/.phantom-packages
mkdir -p "$decompiled_packages"
libs=( /opt/phantom/lib3/ /opt/phantom/pycommon3/ )
for lib_path in "${libs[@]}"; do
  cd "$lib_path" || continue
  # ${file::-1} drops the trailing "c" of ".pyc", so each module is written
  # as a ".py" file under the same relative path in $decompiled_packages
  for file in $(find . -name "*.pyc"); do
    uncompyle6 -o "$decompiled_packages/${file::-1}" "$file"
  done
done
# or
make prepare
```
Splunk Phantom (SOAR) application development can be done using a community SOAR image. Visual Studio Code is able to use a remote server for development, and such a setup supports most of the extensions, such as Pylance. This makes it possible to shorten the testing cycles and improve the developer's morale. Because of that, most of the settings are tuned to be used within the SOAR instance under the user `phantom`.
The `Makefile` contains some useful commands to automate development tasks:
```shell
# prepare local environment
make prepare
# install application in Splunk SOAR
make install
# access application execution failure logs
make logs
```
The following `/etc/ssh/sshd_config` settings are used on the SOAR instance for the remote development connection (disabling GSSAPI and reverse DNS lookups is what keeps the SSH login fast; see the slow SSH logins guide in the references):

```
# /etc/ssh/sshd_config
# RSAAuthentication is a legacy protocol 1 option and is ignored by current
# OpenSSH releases; PubkeyAuthentication covers key-based logins
RSAAuthentication yes
PubkeyAuthentication yes
GSSAPIAuthentication no
ClientAliveInterval 0
ClientAliveCountMax 3
UseDNS no
# Banner /etc/issue.net
```
- Install Splunk Phantom as a virtual machine image
- Tutorial: Use the app wizard to develop an app framework
- Tutorial: Use the Splunk SOAR (Cloud) app wizard to develop an app framework
- A comprehensive guide to fixing slow SSH logins
- VSCode Python settings reference
- SOAR Connector module development
- Vault usage example - splunk-soar-connectors/endace