Merge pull request #13 from crowdsecurity/local-dump-function

Add support of local CTI download

Author: AlteredCoder

.github/workflows/release.yml

@@ -106,6 +106,19 @@ jobs:
               exit 1
           fi
 
+          # Check in bin/crowdsec_constants.py
+          # Example: VERSION = "1.2.3"
+          PY_VERSION=$(sed -n 's/^VERSION[[:space:]]*=[[:space:]]*"\(.*\)"/\1/p' bin/crowdsec_constants.py | tr -d '\r')
+          if [[ "$PY_VERSION" == "${{ env.VERSION_NUMBER }}" ]]
+          then
+              echo "bin/crowdsec_constants.py VERSION OK"
+          else
+              echo "bin/crowdsec_constants.py VERSION KO"
+              echo "Found:    $PY_VERSION"
+              echo "Expected: ${{ env.VERSION_NUMBER }}"
+              exit 1
+          fi
+
       - name: Set up Python
         uses: actions/setup-python@v5
         with:

CHANGELOG.md

@@ -12,9 +12,9 @@ Splunk app: i.e., all files and folders except ones that are ignored by the `.sl
 
 ---
 
-## [1.2.3](https://github.com/crowdsecurity/crowdsec-splunk-app/releases/tag/v1.2.3) - 2025-11-25
+## [1.2.4](https://github.com/crowdsecurity/crowdsec-splunk-app/releases/tag/v1.2.4) - 2025-11-25
 
-[_Compare with previous release_](https://github.com/crowdsecurity/crowdsec-splunk-app/compare/v1.2.2...v1.2.3)
+[_Compare with previous release_](https://github.com/crowdsecurity/crowdsec-splunk-app/compare/v1.2.2...v1.2.4)
 
 ### Changed
 

README.md

@@ -5,6 +5,20 @@
 ## Overview
 The CrowdSec Splunk app leverages the CrowdSec's CTI API's smoke endpoint which enables users to query an IP and receive enrichment
 
+
+## Table of Contents
+- [Overview](#overview)
+- [Example Usage](#example-usage)
+- [Results](#results)
+- [Profiles](#profiles)
+- [Local Dump](#local-dump)
+- [Configuration file](#configuration-file)
+  - [`api_key`](#api_key)
+  - [`batching`](#batching)
+  - [`batch_size`](#batch_size)
+  - [`local_dump`](#local_dump)
+
+
 ## Example Usage
 
 The following command is used to run an IP check through the CrowdSec's CTI API's smoke endpoint. On the Homepage of Splunk Web Interface, select `Search & Reporting` and use the following command.
@@ -19,7 +33,77 @@ The following command is used to run an IP check through the CrowdSec's CTI API'
 - `ipfield`: 
     - It denotes the field name where the IP address is stored in the index.
 
+- `profile`:
+    Optional preset that selects a predefined set of CrowdSec output fields (it is possible to specify mutliple profiles).
+
 ## Results
 On the event of clicking the `Search` button, users will be able to view a brief overview of various fields associated with the input IP address. 
 
 This includes but not limited to location, behaviors, classifications, attack details – name, label, description, references followed by scores, threats, etc.
+
+## Profiles
+
+Profiles are optional presets that automatically select a predefined set of CrowdSec output fields, so results stay consistent and you don’t have to manually maintain long `ipfield=` lists.
+
+- `base`: returns `ip`, `reputation`, `confidence`, `as_num`, `as_name`, `location`, `classifications`.
+
+- `anonymous`: (aliases: `vpn` `proxy`): returns `ip`, `reputation`, `proxy_or_vpn`, `classifications`.
+
+- `iprange`: returns `ip`, `ip_range`, `ip_range_24`, `ip_range_24_score`.
+
+You can provide multiple profile in the same command:
+
+```
+| cssmoke ipfield="ip" profile="anonymous,iprange"
+```
+
+The output will contains the columns for the `anonymous` and the `iprange` profiles.
+
+## Local Dump
+
+The first time you setup the local dump feature, you need to download manually the CrowdSec lookup databases (they will be updated every 24h automatically after that):
+
+```
+| cssmokedownload
+```
+
+After that, you can look up IPs using the local databases.
+
+**Note:** Check the `query_time` and `query_mode` fields in the results to confirm whether lookups are done via `local_dump` or the live API.
+
+## Configuration file
+
+You can configure the CrowdSec app by uploading a JSON configuration file:
+
+```
+{
+    "api_key": "YOUR_API_KEY_HERE",
+    "batching": true|false,
+    "batch_size": 20,
+    "local_dump": true|false
+}
+```
+
+### `api_key`
+
+CrowdSec CTI API key.
+
+**Warning:** Local dump and live CTI API lookups are mutually exclusive (enable only one mode).
+
+### `batching`
+
+Enable batching for live CTI API lookups.
+
+### `batch_size`
+
+Batch size used when `batching` is enabled.
+
+### `local_dump`
+
+Enable local dump mode (use the downloaded lookup databases).
+
+Lookup databases are download automatically every 24h.
+
+**Warning:** Local dump requires a CTI API key that has access to the dump endpoint.
+
+

app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "crowdsec-splunk-app",
-      "version": "1.2.3"
+      "version": "1.2.4"
     },
     "author": [
       {

appserver/static/data/config_example.json

@@ -0,0 +1,6 @@
+{
+    "api_key": "YOUR_CROWDSEC_CTI_KEY",
+    "batching": false,
+    "batch_size": 10,
+    "local_dump": false
+}

appserver/static/img/crowdsec_logo.png

@@ -10,7 +10,7 @@ require.config({
       "../app/" + app_name + "/javascript/vendor/react-dom.production.min",
   },
   scriptType: "module",
-  urlArgs: "v=v1.2.3",
+  urlArgs: "v=v1.2.4",
 });
 
 require(["react", "ReactDOM", "myApp"], function (react, ReactDOM, myApp) {