Add all UCC framework files

Author: mcgrail-s1

README.md

@@ -0,0 +1,121 @@
+#  TA-dataset
+The DataSet Add-on for Splunk provides integration with [DataSet](https://www.dataset.com) by [SentinelOne](https://sentinelone.com). The key functions allow two-way integration:
+- SPL custom command to query DataSet directly from the Splunk UI without having to reindex data to Splunk.
+- Inputs to index alerts as CIM-compliant, or user-defined query results, from DataSet to Splunk.
+- Alert action to send events from Splunk to DataSet.
+
+## Installation
+Reference Splunk documentation for [installing add-ons](https://docs.splunk.com/Documentation/AddOns/released/Overview/Installingadd-ons).
+### Splunk Enterprise
+| Splunk component | Required | Comments |
+| ------ | ------ | ------ |
+| Search heads | Yes | Required to use the custom search command. |
+| Indexers | No | Parsing is performed during data collection. | 
+| Forwarders | Yes | For distributed deployments, this add-on requires heavy forwarders for modular inputs. |
+
+### Splunk Cloud
+| Splunk component | Required | Comments |
+| ------ | ------ | ------ |
+| Search heads | Yes | Required to use the custom search command. Splunk Cloud Victoria Experience also handles modular inputs on the search heads. |
+| Indexers | No | Parsing is performed during data collection. | 
+| Inputs Data Manager | Yes | For Splunk Cloud Classic Experience, this add-on requires an IDM for modular inputs. |
+
+## Configuration
+### Dataset
+1. Navigate to https://app.scalyr.com/keys
+
+![Creating DataSet API keys](README_images/dataset_key.png)
+
+2. Click Add Key > Add Read Key (required for inputs and search command).
+3. Click Add Key > Add Write Key (required for alert action).
+4. Optionally, click the pencil icon to rename the keys.
+
+### Splunk
+1. In Splunk, open the Add-on
+
+![Configuring DataSet Account](README_images/setup_account.png)
+
+2. In configuration on DataSet Account tab:
+- Select the environment.
+- Enter the DataSet read key.
+- Enter the DataSet write key.
+
+3. Optionally, configure logging level and proxy information on the associated tabs.
+4. Click Save.
+
+![Setup new input](README_images/setup_new_input.png)
+
+5. On the inputs page, click Create New Input and select the desired input
+
+![Setup alerts indexing](README_images/setup_alerts.png)
+
+6. For DataSet alerts, enter:
+- A name for the input.
+- Interval, in seconds. A good starting point is `300` seconds to collect every five mintues.
+- Splunk index name
+- Start time, in relative shorthand form, e.g.: `24h` for 24 hours before input execution time.
+7. Click Save.
+
+![Setup query indexing](README_images/setup_query.png)
+
+7. For DataSet queries, enter:
+- A name for the input.
+- Interval, in seconds. A good starting point is `300` seconds to collect every five mintues.
+- Splunk index name
+- Start time, in relative shorthand form, e.g.: `24h` for 24 hours before input execution time.
+- *(optional)* End time, in relative shorthand form, e.g.: `5m` for 5 minutes before input execution time.
+- *(optional)* Query string used to return matching events.
+- *(optional)* Maximum number of events to return.
+
+## Using
+
+### Inputs
+The DataSet Add-on for Splunk collects the following inputs utilizing time-based checkpointing to prevent reindexing the same data:
+
+| Source Type | Description | CIM Data Model |
+| ------ | ------ | ------ |
+| dataset:alerts | Predefined Power Query API call to index [alert state change records](https://app.scalyr.com/help/alerts#logging)  | [Alerts](https://docs.splunk.com/Documentation/CIM/latest/User/Alerts) |
+| dataset:query | User-defined standard [query](https://app.scalyr.com/help/api#query) API call to index events | - |
+
+## SPL Command
+The `| dataset` command allows queries against the DataSet API directly from Splunk's search bar. Five optional parameters are supported:
+
+- **method** - Define `query` or `powerQuery` to call the appropriate REST endpoint. Default is query.
+- **query** - The DataSet [query](https://app.scalyr.com/help/query-language) or Power Query []()  used to filter events. Default is no filter (return all events limited by maxCount).
+- **maxCount** - Number of events to return from DataSet. Default is 100.
+- **startTime** - The Splunk time picker can be used (not "All Time"), or startTime is an alternative to define the [start time](https://app.scalyr.com/help/time-reference) for DataSet events to return. Use epoch time or relative shorthand in the form of a number followed by d, h, m or s (for days, hours, minutes or seconds), e.g.: `24h`. Default is 24h. Note the
+- **endTime** - The Splunk time picker can be used (not "All Time"), or endTime is an alternative to define the [end time](https://app.scalyr.com/help/time-reference) for DataSet events to return. Use epoch time or relative shorthand in the form of a number followed by d, h, m or s (for days, hours, minutes or seconds), e.g.: `5m`. Default is search time.
+
+For all queries, be sure to `"`wrap the entire query in double quotes`"`, and inside use `'`single quotes`'` or double quotes `\"`escaped with a backslash`\"`, as shown in the following examples.
+
+Query Example:
+`| dataset method=query search="serverHost = * AND Action = 'allow'" maxCount=50 startTime=10m endTime=1m`
+
+Power Query Example 1: `| dataset method=powerquery search="dataset = \"accesslog\"
+| group requests = count(), errors = count(status == 404) by uriPath
+| let rate = errors / requests
+| filter rate > 0.01
+| sort -rate"`
+
+![SPL Power Query example](README_images/spl_powerquery.png)
+
+Power Query Example 2: `| dataset method=powerQuery search="$serverHost == 'cloudWatchLogs' 
+| parse 'RequestId: $RID$ Duration: $DUR$ ms Billed Duration: $BDUR$ ms Memory Size: $MEM$ MB Max Memory Used: $UMEM$ MB' 
+| let deltaDUR= BDUR - DUR, deltaMEM = MEM - UMEM 
+| sort -DUR 
+| columns 'Request ID' = RID, 'Duration(ms)' = DUR, 'Charged delta (ms)' = deltaDUR, 'Used Memory (MB)' = UMEM, 'Charged delta Memory (MB)' = deltaMEM" startTime=5m`
+
+Since events are returned in JSON format, the Splunk [spath command](https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Spath) is useful. Additionally, the Splunk [collect command](https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/collect) can be used to add the events to a summary index:
+
+```
+| dataset query="serverHost = * AND Action = 'allow'" maxCount=50 startTime=10m endTime=1m
+| spath
+| collect index=dataset
+```
+
+## Alert Action
+An alert action allows sending an event to the DataSet [addEvents API](https://app.scalyr.com/help/api#addEvents). 
+
+##### Note
+This add-on was built with the [Splunk Add-on UCC framework](https://splunk.github.io/addonfactory-ucc-generator/).
+Splunk is a trademark or registered trademark of Splunk Inc. in the United States and other countries.

globalConfig.json

@@ -0,0 +1,5 @@
+[dataset_event]
+python.version = python3
+param.dataset_serverhost = <string> ServerHost. It's a required parameter. It's default value is splunk.
+param.dataset_message = <string> DataSet Message Body. It's a required parameter. It's default value is $name$.
+param.dataset_severity = <string> Severity. It's a required parameter. It's default value is 3

output/TA-dataset-1.0.0.tar.gz

@@ -0,0 +1,2 @@
+[dataset]
+python.version = {default|python|python2|python3}

package/.DS_Store

@@ -0,0 +1,12 @@
+[dataset_query://<name>]
+start_time = Start time for the DataSet query to use. Use shortform (e.g.: 1m, 24h, 3d).
+end_time = If left blank, present time at query execution is used.
+dataset_query_string = If left blank, all records (limited by max count) are retrieved.
+max_count = Specifies the maximum number of records to return, from 1 to 5000. If left blank, the default is 100.
+python.version = {default|python|python2|python3}
+start_by_shell = {true|false}
+
+[dataset_alerts://<name>]
+start_time = Relative time to query back. Use short form relative time, e.g.: 24h or 30d. Reference https://app.scalyr.com/help/time-reference
+python.version = {default|python|python2|python3}
+start_by_shell = {true|false}

LICENSE renamed to package/LICENSE

@@ -0,0 +1,2 @@
+[admin_external:<uniqueName>]
+python.version = {default|python|python2|python3}