Skip to content

plup/sextant

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

102 Commits
samples
samples
 
 
src/sextant
src/sextant
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
pyproject.toml
pyproject.toml
 
 
uv.lock
uv.lock
 
 

Repository files navigation

Sextant

CLI tool for navigating security events across multiple endpoints (Splunk, TheHive).

Installation

Requires Python 3.10+.

pip install .

For Okta/WebAuthn authentication support:

pip install ".[auth]"

Configuration

Sextant reads its configuration from ~/.config/sextant/config.yaml. Each entry in endpoints registers a CLI subcommand.

endpoints:
  - name: splunk-prod
    client: splunk
    remote: https://splunk.example.com:8089
    credentials:
      provider: 1password
      vault: Security
      item: Splunk
      fields:
        secret: api-token

  - name: hive
    client: thehive
    remote: https://thehive.example.com:9000
    credentials:
      secret: <your-api-key>

Endpoints

Field Description
name Name used as the CLI subcommand
client Client module to use (splunk or thehive)
remote Base URL of the service
verify TLS verification (default: true). Set to false to skip, or a path to a CA bundle
credentials Authentication credentials (see below)

Credentials

Inline credentials -- provide fields directly:

credentials:
  secret: my-api-token

TheHive also supports basic auth:

credentials:
  username: analyst
  password: hunter2

1Password integration -- fields are resolved at runtime via the op CLI:

credentials:
  provider: 1password
  vault: Security
  item: Splunk
  fields:
    secret: api-token

Usage

sextant <endpoint> <resource> <action> [options]

Global commands

# Test authentication against all configured endpoints
sextant check

Splunk

# Run a search query (results stream as a live table in the terminal)
sextant splunk-prod query "search index=_internal | head 10 | fieldsummary"
sextant splunk-prod query --from 1h --to now "search index=main sourcetype=syslog"

# List and inspect saved searches
sextant splunk-prod search list
sextant splunk-prod search list --user admin --name "failed logins"
sextant splunk-prod search get "My Saved Search"

# Dispatch a saved search and optionally trigger its alert actions
sextant splunk-prod search run "My Saved Search"
sextant splunk-prod search run --trigger --from 2h --to 30m "My Saved Search"

# Manage search jobs
sextant splunk-prod job list
sextant splunk-prod job list --user admin
sextant splunk-prod job get <sid>
sextant splunk-prod job get <sid> --wait 30 --fields _time,host,source

# List accessible indexes
sextant splunk-prod indexes

TheHive

# List recent alerts and cases (default: last 10 minutes)
sextant hive alert list
sextant hive alert list --from 1h
sextant hive case list --from 7d

# Get a specific alert
sextant hive alert get <alert-id>

# Create an alert from a JSON file
sextant hive alert new alert.json

Piping

When stdout is not a terminal, all commands output JSON for piping:

# Pipe job results between commands
sextant splunk-prod search run "My Search" | sextant splunk-prod job get - --wait 60

# Feed into jq
sextant hive alert list --from 1d | jq '.[].title'

Time formats

Time options (--from, --to) accept:

Format Example Description
Relative 30s, 10m, 2h, 7d, 1y Duration ago from now
ISO 8601 2025-01-15T08:00:00 Absolute timestamp

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages