From 861ee7d247c78d9b2f16178e1adfaaa37a75a2ce Mon Sep 17 00:00:00 2001
From: Sean Whalen
Date: Tue, 25 Sep 2018 13:06:27 -0400
Subject: [PATCH] Update Splunk support
---
 README.rst | 2 +-
 docs/index.rst | 2 +-
 parsedmarc/cli.py | 7 +++++--
 parsedmarc/splunk.py | 38 ++++++++++++++++++++++++++++++++++----
 4 files changed, 41 insertions(+), 8 deletions(-)
diff --git a/README.rst b/README.rst
index b3db504..1910f7c 100644
--- a/README.rst
+++ b/README.rst
@@ -83,7 +83,7 @@ CLI help
 collector (HEC)
 --hec-index HEC_INDEX The index to use when sending events to the Splunk
- HTTP Events (Default: dmarc)
+ HTTP Events
 --save-aggregate Save aggregate reports to search indexes
 --save-forensic Save forensic reports to search indexes
 -O OUTGOING_HOST, --outgoing-host OUTGOING_HOST
diff --git a/docs/index.rst b/docs/index.rst
index 0b01ed0..7ce562c 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -90,7 +90,7 @@ CLI help
 collector (HEC)
 --hec-index HEC_INDEX The index to use when sending events to the Splunk
- HTTP Events (Default: dmarc)
+ HTTP Events
 --save-aggregate Save aggregate reports to search indexes
 --save-forensic Save forensic reports to search indexes
 -O OUTGOING_HOST, --outgoing-host OUTGOING_HOST
diff --git a/parsedmarc/cli.py b/parsedmarc/cli.py
index 3ac88ea..f754bec 100644
--- a/parsedmarc/cli.py
+++ b/parsedmarc/cli.py
@@ -101,8 +101,7 @@ def _main():
 "(HEC)")
 arg_parser.add_argument("--hec-index", help="The index to use when "
 "sending events to the "
- "Splunk HTTP Events "
- "(Default: dmarc)")
+ "Splunk HTTP Events")
 arg_parser.add_argument("--save-aggregate", action="store_true",
 default=False,
 help="Save aggregate reports to search indexes")
@@ -160,6 +159,10 @@ def _main():
 elastic.set_hosts(args.elasticsearch_host)
 elastic.create_indexes()
 if args.hec:
+ if args.hec_token is None or args.hec_index is None:
+ logger.error("HEC token and HEC index are required when "
+ "using HEC URL")
+ exit(1)
 hec_client = splunk.HECClient(args.hec, args.hec_token,
 index=args.hec_index)
 except ElasticsearchException as error:
diff --git a/parsedmarc/splunk.py b/parsedmarc/splunk.py
index 13ab216..e5ed768 100644
--- a/parsedmarc/splunk.py
+++ b/parsedmarc/splunk.py
@@ -17,7 +17,7 @@ class HECClient(object):
 # http://docs.splunk.com/Documentation/Splunk/latest/Data/AboutHEC
 # http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTinput#services.2Fcollector
- def __init__(self, url, access_token,index="dmarc",
+ def __init__(self, url, access_token, index,
 source="parsedmarc", verify=True):
 """
 Initializes the HECClient
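Review bot: The new guard ends with the builtin `exit(1)`, which is installed into builtins by the `site` module for interactive use and is not guaranteed to exist when the interpreter runs with `-S`; prefer `sys.exit(1)` (importing `sys` if cli.py does not already), or, since the earlier hunk shows `arg_parser` defined in this same `_main()`, `arg_parser.error("--hec-token and --hec-index are required when --hec is given")`, which prints usage and exits with status 2 in the usual argparse way. Either way, naming the actual flags in the message helps the user more than "HEC token and HEC index". The `is None` test also lets an explicit empty value through (`--hec-token ""`), which `if not args.hec_token or not args.hec_index:` would reject as well. `_main` continues outside the hunk.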
@@ -50,18 +50,48 @@ class HECClient(object):
 Saves aggregate DMARC reports to Splunk
 Args:
- aggregate_reports (list): A list of aggregate report dictionaries
+ aggregate_reports: A list of aggregate report dictionaries
 to save in Splunk
 """
 if type(aggregate_reports) == dict:
 aggregate_reports = [aggregate_reports]
+ data = self._common_data.copy()
 json_str = ""
 for report in aggregate_reports:
- data = self._common_data.copy()
+ for record in report["records"]:
+ new_report = dict()
+ for metadata in report["report_metadata"]:
+ new_report[metadata] = report["report_metadata"][metadata]
+ new_report["policy_published"] = report["policy_published"]
+ new_report["source_ip_address"] = record["source"][
+ "ip_address"]
+ new_report["source_country"] = record["source"]["country"]
+ new_report["source_reverse_dns"] = record["source"][
+ "reverse_dns"]
+ new_report["source_base_domain"] = record["source"][
+ "base_domain"]
+ new_report["message_count"] = record["count"]
+ new_report["disposition"] = record["policy_evaluated"][
+ "disposition"
+ ]
+ new_report["spf_aligned"] = record["alignment"]["spf"]
+ new_report["dkim_aligned"] = record["alignment"]["dkim"]
+ new_report["passed_dmarc"] = record["alignment"]["dmarc"]
+ new_report["header_from"] = record["identifiers"][
+ "header_from"]
+ new_report["envelope_from"] = record["identifiers"][
+ "envelope_from"]
+ if "dkim" in record["auth_results"]:
+ new_report["dkim_results"] = record["auth_results"][
+ "dkim"]
+ if "spf" in record["spf_results"]:
+ new_report["spf_results"] = record["auth_results"][
+ "spf"]
+
 data["sourcetype"] = "dmarc:aggregate"
- data["event"] = report.copy()
+ data["event"] = new_report.copy()
 json_str += "{0}\n".format(json.dumps(data))
 try:
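Review bot: The lines that emit an event in `save_aggregate_reports_to_splunk` — `data["sourcetype"] = "dmarc:aggregate"`, `data["event"] = new_report.copy()` and `json_str += "{0}\n".format(json.dumps(data))` — appear to stay at the level of the outer `for report` loop (`data["sourcetype"]` and `json_str +=` are unchanged context lines and the added `data["event"]` line sits between them), so after the new `for record` loop finishes only the `new_report` built for the last record of each report is serialized and every other record is silently dropped; indenting those three lines into the `for record` loop emits one event per record as the loop intends. The membership test `if "spf" in record["spf_results"]:` reads a key nothing else in the loop uses, while its body reads `record["auth_results"]["spf"]` and the dkim check two lines above tests `record["auth_results"]`, so this looks like a typo that would raise KeyError on every record and should read `if "spf" in record["auth_results"]:`. `new_report.copy()` is also unnecessary, since `json.dumps(data)` consumes it immediately and `new_report` is rebuilt on the next iteration. The method's body continues past the hunk (the `try:` that posts `json_str`).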