
Initial delivery of Flare Splunk Integration app. feature : add UI tabs, config options & dynamic links#109

Open: ankushy-metron wants to merge 8 commits into main from ankush-metronlabs/flare-integration

Conversation

@ankushy-metron (Collaborator) commented May 28, 2026

Flare for Splunk Enterprise App PR

App name: Flare (flare)
Version: 1.3.4 (see splunk-integration/packages/flare/src/main/resources/splunk/default/app.conf)
Splunk compatibility: Splunk Enterprise 9.3 / 9.4, Python 3.9
License: Apache 2.0

What this app does

The Flare Splunk app pulls threat-intelligence events from the Flare platform (api.flare.io) into Splunk so analysts can search, alert, and dashboard on them like any other Splunk data source. Events land in a dedicated flare index with sourcetype = flare_json.

Repository layout (monorepo - Yarn workspaces + Lerna)

splunk-integration/
├── Makefile                       # build / package / validate / publish to Splunkbase
├── requirements.txt               # Python deps vendored into the app (flareio, splunk-sdk, requests…)
├── compose.yml                    # local Splunk in Docker for dev
├── README.md / RELEASE_NOTES.md
└── packages/
    ├── flare/                     # The actual Splunk app (Python + JSX entry pages)
    │   ├── bin/                   # Python backend
    │   │   ├── cron_job_ingest_events.py   # Scheduled input fetches & prints events to stdout
    │   │   ├── flare.py                    # FlareAPI client wrapper around flareio SDK
    │   │   ├── flare_external_requests.py  # Custom REST handlers used by the UI
    │   │   ├── data_store.py               # Persistent state via local conf file
    │   │   ├── constants.py / logger.py
    │   └── src/main/resources/splunk/      # app.conf, inputs.conf, restmap.conf,
    │                                       # savedsearches.conf, nav, views, templates
    └── react-components/          # Shared React UI (TS) for the Configuration & Status screens

How it works end-to-end

  1. Setup UI (ConfigurationScreen.tsx): Admin enters Flare API key → picks tenants, index, severities, source-type filters, "full event data" toggle, and backfill days.
  2. UI → backend via custom REST endpoints declared in restmap.conf (/fetch_api_key_validation, /fetch_user_tenants, /fetch_severity_filters, /fetch_source_type_filters, /fetch_ingestion_status) — handlers in flare_external_requests.py.
  3. Secrets are stored in Splunk storage/passwords under realm flare_integration_realm (API key, tenant IDs, filters, etc.). No KV store dependency.
  4. Ingestion: inputs.conf registers cron_job_ingest_events.py as a scripted input (default schedule * * * * * once configured). For each tenant it:
    • reads cursor (next token) + earliest-ingested timestamp from data_store.conf,
    • pages through /firework/v4/events/tenant/_search (and optionally fetches full event via /firework/v2/activities/{uid}),
    • prints each event as JSON to stdout → Splunk ingests as sourcetype=flare_json.
  5. Status screen + saved searches (Flare Search, Severity) and nav links are pre-wired in default.xml / savedsearches.conf.

Key things for the reviewer to focus on

  • packages/flare/bin/cron_job_ingest_events.py — main ingestion loop, concurrency guard (CRON_JOB_THRESHOLD_SINCE_LAST_FETCH = 10 min), multi-tenant pagination, error handling.
  • packages/flare/bin/flare.py — Flare API client, retry on full-event fetch, rate-limit sleeps, User-Agent tagging (flare-splunk).
  • packages/flare/bin/data_store.py — uses a local .conf file (not KV store) for cursor / last-fetch state. Confirm file paths under $SPLUNK_HOME/etc/apps/flare/local/.
  • packages/flare/src/main/resources/splunk/default/app.conf (version 1.3.4, build 11), inputs.conf, restmap.conf, savedsearches.conf, nav + views.
  • packages/react-components/src/utils/setupConfiguration.ts — orchestrates first-time setup: creates flare index, saves passwords, sets passAuth to current user, flips cron interval, reloads the app.
  • Makefile: build, package (produces output/flare.tar.gz), validate (Splunk AppInspect), publish (Splunkbase app id 7602), test, lint, mypy, format.
  • Tests: Python unit tests in packages/flare/tests/bin/ (pytest), React tests in packages/react-components/src/tests/ (jest).

How to test locally

cd splunk-integration
make build          # vendors python deps + builds JS bundles
make splunk-local   # spins up Splunk in Docker (compose.yml) + frontend watcher
make test           # pytest + yarn test:ci
make validate       # runs Splunk AppInspect against the packaged app

Then open Splunk → Apps → Flare → run through the Configuration screen with a Flare API key.

Risk / blast radius

  • Scoped to a single Splunk app (flare); no global conf changes.
  • Writes only to: flare_integration_realm passwords, local data_store.conf, the chosen index, and 2 saved searches.
  • KV store is not required (disabled in splunk/default.yml).
  • Outbound network: only api.flare.io.

Release notes entry

1.3.4
-----
* Update the minimum version of the Flare SDK.
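The per-tenant loop the description outlines (last-fetch guard, cursor checkpoint in a local .conf file, JSON emitted per event), as an added example that is not the app's own code and does not use the flareio SDK. It assumes the guard means "skip while a run that started inside the 10-minute window is still in progress"; fetch_page, the tenant name and the cursor tokens are constructed stand-ins.

```python
import configparser
import json
import tempfile
THRESHOLD_SINCE_LAST_FETCH = 10 * 60  # seconds; assumed to mirror the PR's 10-minute guard

def load_state(path, tenant):
    cp = configparser.ConfigParser()
    cp.read(path)  # a missing file is treated as empty state
    sec = f"tenant_{tenant}"
    return {"next": cp.get(sec, "next", fallback=""),
            "last_fetch": cp.getfloat(sec, "last_fetch", fallback=0.0),
            "in_progress": cp.getboolean(sec, "in_progress", fallback=False)}

def save_state(path, tenant, state):
    cp = configparser.ConfigParser()
    cp.read(path)
    cp[f"tenant_{tenant}"] = {k: str(v) for k, v in state.items()}  # other tenants' sections kept
    with open(path, "w") as fh:
        cp.write(fh)

def should_run(state, now, threshold=THRESHOLD_SINCE_LAST_FETCH):
    """Skip while a run started < threshold ago is still flagged; an older flag is stale."""
    return not (state["in_progress"] and now - state["last_fetch"] < threshold)

def ingest_tenant(path, tenant, fetch_page, now, out):
    """Page through one tenant, checkpointing the cursor after each page. fetch_page(tenant,
    cursor) -> (events, next_cursor) is a hypothetical stand-in; `out` stands in for stdout."""
    state = load_state(path, tenant)
    if not should_run(state, now):
        return 0
    cursor, start = state["next"], len(out)
    save_state(path, tenant, {"next": cursor, "last_fetch": now, "in_progress": True})
    while True:
        events, next_cursor = fetch_page(tenant, cursor)
        out.extend(json.dumps(ev) for ev in events)  # one JSON line per event
        cursor = cursor if next_cursor is None else next_cursor  # end of stream keeps last cursor
        save_state(path, tenant, {"next": cursor, "last_fetch": now, "in_progress": next_cursor is not None})
        if next_cursor is None:
            return len(out) - start

def run_demo():
    pages = {"": ([{"uid": "e1"}, {"uid": "e2"}], "tok2"), "tok2": ([{"uid": "e3"}], None)}
    fetch = lambda tenant, cursor: pages[cursor]  # constructed stand-in for the tenant _search call
    path = f"{tempfile.mkdtemp()}/data_store.conf"
    first = ingest_tenant(path, "acme", fetch, 1000.0, [])
    state = load_state(path, "acme")
    save_state(path, "acme", {**state, "last_fetch": 2000.0, "in_progress": True})  # unfinished run
    skipped = ingest_tenant(path, "acme", fetch, 2300.0, [])  # inside the window: skipped
    resumed = ingest_tenant(path, "acme", fetch, 2601.0, [])  # stale flag: taken over, resumes at tok2
    return first, state["next"], skipped, resumed  # (3, "tok2", 0, 1)
```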

ankushy-metron changed the title from "feat: add UI tabs, config options & dynamic links" to "Initial delivery of Flare Splunk Integration app feat: add UI tabs, config options & dynamic links" on May 28, 2026
ankushy-metron changed the title to "Initial delivery of Flare Splunk Integration app. feature : add UI tabs, config options & dynamic links" on May 28, 2026
Comment thread packages/flare/src/main/resources/splunk/bin/checkpoint_manager.py Dismissed
Comment thread packages/flare/src/main/resources/splunk/bin/cron_job_ingest_events.py Dismissed
Comment thread packages/flare/src/main/resources/splunk/bin/lib/requests/auth.py Fixed
Comment thread .gitignore Outdated
# Environment variables
.env
.env.local
packages/flare/src/main/resources/splunk/bin/test_ingest.py
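Review bot: the last entry, `packages/flare/src/main/resources/splunk/bin/test_ingest.py`, ignores a single test script inside the app's bin/ directory, so anything committed under that name is silently dropped from version control and never reaches the packaged app's tests; since the PR keeps its Python tests under packages/flare/tests/bin/, either move the script there or drop the entry, and if it is a personal scratch file, exclude it via .git/info/exclude instead of the shared .gitignore. The `.env` / `.env.local` entries are worth keeping so a Flare API key pasted into a local env file is never committed.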

Collaborator:

Why are we ignoring the test files?

Collaborator:

Incorrect file path; we have the test files in a separate directory, so we'll remove the entry.

Comment thread CHANGELOG.md
Comment thread CHANGELOG.md Outdated
Comment thread package.json Outdated
Comment thread README.md Outdated
Comment thread ta_version.txt

Collaborator:

What does this do?

Collaborator:

ta_version.txt holds the Splunk app release version (e.g. 1.0.0) used when we run the build that generates the tgz file.

Comment thread packages/flare/.gitignore
Comment thread packages/configuration/bin/build.js
@alakeshk-metron alakeshk-metron requested a review from xvaier June 8, 2026 11:42

4 participants