A Splunk® add-on providing a custom search command, haveibeenpwned, to query Troy Hunt's haveibeenpwned API (https://haveibeenpwned.com/api/v3/) for known breaches of your (company's) domains or of the mail addresses of your friends/family/enemies/hardly distantly related someones/employees/colleagues.
Please respect people's privacy and adhere to the service's acceptable use (https://haveibeenpwned.com/API/v3#AcceptableUse). I tried to respect the limits placed on the API's use in the command's source code.
I was unsatisfied with the publicly available Splunk add-ons already providing this functionality, as they either didn't allow control over what is queried for and how, or didn't format the output to my wishes. So I came up with my own Splunk add-on implementing these missing features.
Cross-compatible with Python 2 and 3. Tested on Splunk Enterprise 7.3.5 and 184.108.40.206.
Licensed under http://www.apache.org/licenses/LICENSE-2.0.
Feel free to submit issues via https://github.com/hRun/SA-haveibeenpwned/issues.
Just unpack the add-on into $SPLUNK_HOME/etc/apps on your Splunk search head and restart the instance. In a distributed environment, push it to the search head cluster via the deployer.
Set python.version=python2 or python.version=python3 in commands.conf if you would like to explicitly specify the Python version to use. Otherwise it is determined by your instance's global settings.
Your Splunk search head requires access to the internet (directly or via a proxy) to query https://haveibeenpwned.com/api/v3/*.
Unfortunately, parts of the HIBP API now require an API key, which you can obtain here: https://haveibeenpwned.com/API/Key. Specify your API key via the app's setup screen to be able to use mode=mail. mode=domain works without an API key.
Use as a search command like so:
search index=example | table email | haveibeenpwned [mode=<mail|domain>] [threshold=<days>] <field-list>
mode: Control whether to query for breaches regarding one or multiple domains or specific mail addresses. Default: mail.
threshold: Set how many days to look back for breaches. Default: 7 days.
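To make the usage above concrete, here is an added example (my own code, not the add-on's implementation) of the lookup core such a command needs: building the v3 request for mode=mail (breachedaccount, which requires the hibp-api-key header and a User-Agent) or mode=domain (breaches?domain=, no key needed), filtering the returned breaches by their AddedDate against the threshold, and backing off on HTTP 429 using the Retry-After header, which the to-do list below still flags. The fetch, now and sleep parameters, the make_fake_fetch helper and the SAMPLE_* constants are assumptions introduced so the logic can run offline against a constructed response; http_fetch is the real transport.

```python
# Added example, not the add-on's own code: the lookup core of a HIBP v3 search.
import json
import time
from datetime import datetime, timedelta

try:  # Python 3
    from urllib.parse import quote
    from urllib.request import Request, urlopen
    from urllib.error import HTTPError
except ImportError:  # Python 2
    from urllib import quote
    from urllib2 import Request, urlopen, HTTPError

HIBP_API = "https://haveibeenpwned.com/api/v3/"
USER_AGENT = "SA-haveibeenpwned-example"  # HIBP rejects requests without a User-Agent


def build_request(mode, value, api_key=None):
    """URL and headers for one lookup. mode=mail needs the hibp-api-key header."""
    headers = {"User-Agent": USER_AGENT}
    if mode == "domain":
        url = HIBP_API + "breaches?domain=" + quote(value, safe="")
    elif mode == "mail":
        if not api_key:
            raise ValueError("mode=mail requires an API key")
        headers["hibp-api-key"] = api_key
        # truncateResponse=false returns full breach objects instead of names only
        url = HIBP_API + "breachedaccount/" + quote(value, safe="") + "?truncateResponse=false"
    else:
        raise ValueError("mode must be mail or domain")
    return url, headers


def http_fetch(url, headers):
    """Real transport: returns (status, headers, body). HIBP answers 404 for 'not breached'."""
    try:
        resp = urlopen(Request(url, headers=headers))
        return resp.getcode(), dict(resp.info()), resp.read().decode("utf-8")
    except HTTPError as err:
        return err.code, dict(err.info()), ""


def retry_after_seconds(headers, default=2):
    """Back-off for a 429: honour Retry-After when present, else a fixed default."""
    for name, value in headers.items():
        if name.lower() == "retry-after":
            try:
                return max(int(value), 1)
            except ValueError:
                break
    return default


def recent_breaches(body, threshold_days, now):
    """Keep breaches HIBP added within the last threshold_days (AddedDate is UTC)."""
    cutoff = now - timedelta(days=threshold_days)
    out = []
    for breach in (json.loads(body) if body else []):
        added = datetime.strptime(breach["AddedDate"][:19], "%Y-%m-%dT%H:%M:%S")
        if added >= cutoff:
            out.append({"Name": breach["Name"], "Domain": breach.get("Domain", ""),
                        "BreachDate": breach.get("BreachDate", ""),
                        "AddedDate": breach["AddedDate"],
                        "PwnCount": breach.get("PwnCount", 0),
                        "DataClasses": ",".join(breach.get("DataClasses", []))})
    return out


def lookup(mode, value, api_key=None, threshold_days=7, fetch=http_fetch,
           now=None, sleep=time.sleep, max_retries=3):
    """Query HIBP, retry a bounded number of times on 429, filter by threshold."""
    url, headers = build_request(mode, value, api_key)
    now = now or datetime.utcnow()
    for attempt in range(max_retries + 1):
        status, resp_headers, body = fetch(url, headers)
        if status == 200:
            return recent_breaches(body, threshold_days, now)
        if status == 404:  # the account/domain appears in no known breach
            return []
        if status == 429 and attempt < max_retries:
            sleep(retry_after_seconds(resp_headers))
            continue
        raise RuntimeError("HIBP returned HTTP %d for %s" % (status, url))


# Constructed sample (not real HIBP data) so the example runs offline.
SAMPLE_NOW = datetime(2020, 1, 12)
SAMPLE_BODY = json.dumps([
    {"Name": "ExampleBreachA", "Domain": "example.com", "BreachDate": "2020-01-01",
     "AddedDate": "2020-01-10T08:50:12Z", "PwnCount": 1000,
     "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "ExampleBreachB", "Domain": "example.org", "BreachDate": "2019-01-01",
     "AddedDate": "2019-01-05T00:00:00Z", "PwnCount": 50,
     "DataClasses": ["Email addresses"]},
])


def make_fake_fetch(body, rate_limit_once=True):
    """Offline transport: answers 429 with Retry-After once, then 200 with body."""
    state = {"calls": 0}

    def fetch(url, headers):
        state["calls"] += 1
        if rate_limit_once and state["calls"] == 1:
            return 429, {"Retry-After": "3"}, ""
        return 200, {}, body
    fetch.state = state
    return fetch


if __name__ == "__main__":
    hits = lookup("mail", "someone@example.com", api_key="dummy", threshold_days=7,
                  fetch=make_fake_fetch(SAMPLE_BODY), now=SAMPLE_NOW, sleep=lambda s: None)
    print(json.dumps(hits, indent=2))
```

Two design points worth keeping in a real command: the retry budget is bounded, so a search cannot hang forever behind a rate limit, and the threshold is applied to AddedDate rather than BreachDate, because a years-old breach that HIBP only loaded last week is exactly what a weekly look-back should surface.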
Add some more error handling.
Add better handling of HTTP response code 429.
Potentially add a mode to query the passwords API. As password hashes should not be stored in Splunk, this should not be a valid use case.