Add support for detecting errors in saved searches

LaZyDK · Aug 10, 2020 · 15f7a95 · 15f7a95
1 parent 9834904
commit 15f7a95
Show file tree

Hide file tree

Showing 12 changed files with 371 additions and 305 deletions.
diff --git a/analyzers/Splunk/splunk.py b/analyzers/Splunk/splunk.py
@@ -5,6 +5,7 @@
 from time import sleep
 from cortexutils.analyzer import Analyzer
 import splunklib.results as results
+import splunklib
 import urllib
 import re
 from datetime import datetime
@@ -70,14 +71,23 @@ def SplunkSearch(self, **kwargs_savedsearch):
             for saved_search in jobs:
                 job = jobs[saved_search]["job"]
                 if job.is_done():
-                   jobs[saved_search]["results"] = results.ResultsReader(job.results(count=self.MAX_COUNT))
-                   jobs[saved_search]["link"] = "http://"+self.HOST+":"+self.PORT_GUI+"/fr-FR/app/"+self.APP+"/search?sid="+job["sid"]
-                   jobs[saved_search]["eventCount"] = int(job["eventCount"])
-                   jobs[saved_search]["resultCount"] = int(job["resultCount"])
-                   jobs[saved_search]["searchEarliestTime"] = datetime.utcfromtimestamp(round(float(job["searchEarliestTime"]))).strftime("%c")
-                   jobs[saved_search]["searchLatestTime"] = datetime.utcfromtimestamp(round(float(job["searchLatestTime"]))).strftime("%c")
-                   jobs[saved_search]["search"] = job["search"]
-                   jobs_running -= 1 
+                   try:
+                       jobs[saved_search]["results"] = results.ResultsReader(job.results(count=self.MAX_COUNT))
+                       jobs[saved_search]["is_failed"] = False
+
+                   except splunklib.binding.HTTPError as e:
+                       jobs[saved_search]["results"] = [str(e)]
+                       jobs[saved_search]["is_failed"] = True
+
+
+                   finally:
+                       jobs[saved_search]["link"] = "http://"+self.HOST+":"+self.PORT_GUI+"/fr-FR/app/"+self.APP+"/search?sid="+job["sid"]
+                       jobs[saved_search]["eventCount"] = int(job["eventCount"])
+                       jobs[saved_search]["resultCount"] = int(job["resultCount"])
+                       jobs[saved_search]["searchEarliestTime"] = datetime.utcfromtimestamp(round(float(job["searchEarliestTime"]))).strftime("%c")
+                       jobs[saved_search]["searchLatestTime"] = datetime.utcfromtimestamp(round(float(job["searchLatestTime"]))).strftime("%c")
+                       jobs[saved_search]["search"] = job["search"]
+                       jobs_running -= 1 
 
         # Get the results and display them
         savedSearchResults = []
@@ -119,6 +129,7 @@ def SplunkSearch(self, **kwargs_savedsearch):
 
             finally:
               jobResult["length"] = index
+              jobResult["failed"] = job_infos["is_failed"]
               jobResult["link"] = job_infos["link"]
               jobResult["eventCount"] = job_infos["eventCount"]
               jobResult["resultCount"] = job_infos["resultCount"]

diff --git a/thehive-templates/Splunk_Search_Domain_FQDN_3_0/long.html b/thehive-templates/Splunk_Search_Domain_FQDN_3_0/long.html
@@ -23,33 +23,38 @@
     	    Results for "{{res.savedsearch}}"
     	</div>
     	<div class="panel-body" ng-if="res.length != 0">
-    	    <dl class="dl-horizontal">
-                <dt>Results: </dt>
-                <dd><div ng-class="{'text-warning': res.length<res.resultCount, 'text-success': res.length==res.resultCount}"><strong>{{res.length}}/{{res.resultCount}}</strong></div><div ng-if="res.note">Note: {{res.note}}</div></dd>
-                <dd><div class="text-danger" ng-if="res.error"><strong>Error: {{res.error}}</strong</div></dd>
-                <dt>Events: </dt>
-                <dd>{{res.eventCount}}</dd>
-                <dt>Job: </dt>
-                <dd><a href={{res.link}} target="_blank">Go to Splunk</a></dd>
-                <dt>Earliest time:</dt>
-                <dd>{{res.searchEarliestTime}} UTC</dd>
-                <dt>Latest time:</dt>
-                <dd>{{res.searchLatestTime}} UTC</dd>
-                <dt ng-if="res.levels">Levels :</dt>
-                <dd ng-if="res.levels.info>0" class='text-info'><div class='fa fa-question-circle wrap'> Info: {{res.levels.info}}</div></dd>
-                <dd ng-if="res.levels.safe>0" class='text-success'><div class='fa fa-check-circle wrap'> Safe: {{res.levels.safe}}</div></dd>
-                <dd ng-if="res.levels.suspicious>0" class='text-warning'><div class='fa fa-exclamation-triangle wrap'> Suspicious: {{res.levels.suspicious}}</div></dd>
-                <dd ng-if="res.levels.malicious>0" class='text-danger'><div class='fa fa-bug wrap'> Malicious: {{res.levels.malicious}}</div></dd>
-            </dl>
-    	    <table class="table table-hover" >
-    	        <tr>
-    	            <td ng-repeat="(field,value) in res.results[0]"><strong>{{field}}</strong></td>
-    	        </tr>
-    	        <tr ng-repeat="line in res.results">
-    	            <td ng-repeat="(field,value) in line" class="wrap"><div ng-if="field != 'level'">{{value}}</div><div ng-if="field == 'level'" ng-class="{'text-info fa fa-question-circle': value=='info', 'text-success fa fa-check-circle': value=='safe', 'text-warning fa fa-exclamation-triangle': value=='suspicious', 'text-danger fa fa-bug': value=='malicious'}"> {{value}}</div></td>
-    	        </tr>
-    	    </table>
-    	</div>
+    	    <div ng-if="!res.failed">
+        	    <dl class="dl-horizontal">
+                    <dt>Results : </dt>
+                    <dd><div ng-class="{'text-warning': res.length<res.resultCount, 'text-success': res.length==res.resultCount}"><strong>{{res.length}}/{{res.resultCount}}</strong></div><div ng-if="res.note">Note: {{res.note}}</div></dd>
+                    <dd><div class="text-danger" ng-if="res.error"><strong>Error: {{res.error}}</strong</div></dd>
+                    <dt>Events : </dt>
+                    <dd>{{res.eventCount}}</dd>
+                    <dt>Job: </dt>
+                    <dd><a href={{res.link}} target="_blank">Go to Splunk</a></dd>
+                    <dt>Earliest time:</dt>
+                    <dd>{{res.searchEarliestTime}} UTC</dd>
+                    <dt>Latest time:</dt>
+                    <dd>{{res.searchLatestTime}} UTC</dd>
+                    <dt ng-if="res.levels">Levels :</dt>
+                    <dd ng-if="res.levels.info>0" class='text-info'><div class='fa fa-question-circle wrap'> Info: {{res.levels.info}}</div></dd>
+                    <dd ng-if="res.levels.safe>0" class='text-success'><div class='fa fa-check-circle wrap'> Safe: {{res.levels.safe}}</div></dd>
+                    <dd ng-if="res.levels.suspicious>0" class='text-warning'><div class='fa fa-exclamation-triangle wrap'> Suspicious: {{res.levels.suspicious}}</div></dd>
+                    <dd ng-if="res.levels.malicious>0" class='text-danger'><div class='fa fa-bug wrap'> Malicious: {{res.levels.malicious}}</div></dd>
+                </dl>
+        	    <table class="table table-hover" >
+        	        <tr>
+        	            <td ng-repeat="(field,value) in res.results[0]"><strong>{{field}}</strong></td>
+        	        </tr>
+        	        <tr ng-repeat="line in res.results">
+        	            <td ng-repeat="(field,value) in line" class="wrap"><div ng-if="field != 'level'">{{value}}</div><div ng-if="field == 'level'" ng-class="{'text-info fa fa-question-circle': value=='info', 'text-success fa fa-check-circle': value=='safe', 'text-warning fa fa-exclamation-triangle': value=='suspicious', 'text-danger fa fa-bug': value=='malicious'}"> {{value}}</div></td>
+        	        </tr>
+        	    </table>
+        	</div>
+        	<div ng-if="res.failed">
+                <dd><div class="text-danger"><strong>Error: {{res.results[0]}}</strong</div></dd>
+            </div>
+        </div>
     	<div class="panel-body" ng-if="res.length == 0">
     			<dl class="dl-horizontal">
     				<dd>No result for this search</dd>

diff --git a/thehive-templates/Splunk_Search_File_Filename_3_0/long.html b/thehive-templates/Splunk_Search_File_Filename_3_0/long.html
@@ -23,33 +23,38 @@
     	    Results for "{{res.savedsearch}}"
     	</div>
     	<div class="panel-body" ng-if="res.length != 0">
-    	    <dl class="dl-horizontal">
-                <dt>Results: </dt>
-                <dd><div ng-class="{'text-warning': res.length<res.resultCount, 'text-success': res.length==res.resultCount}"><strong>{{res.length}}/{{res.resultCount}}</strong></div><div ng-if="res.note">Note: {{res.note}}</div></dd>
-                <dd><div class="text-danger" ng-if="res.error"><strong>Error: {{res.error}}</strong</div></dd>
-                <dt>Events: </dt>
-                <dd>{{res.eventCount}}</dd>
-                <dt>Job: </dt>
-                <dd><a href={{res.link}} target="_blank">Go to Splunk</a></dd>
-                <dt>Earliest time:</dt>
-                <dd>{{res.searchEarliestTime}} UTC</dd>
-                <dt>Latest time:</dt>
-                <dd>{{res.searchLatestTime}} UTC</dd>
-                <dt ng-if="res.levels">Levels :</dt>
-                <dd ng-if="res.levels.info>0" class='text-info'><div class='fa fa-question-circle wrap'> Info: {{res.levels.info}}</div></dd>
-                <dd ng-if="res.levels.safe>0" class='text-success'><div class='fa fa-check-circle wrap'> Safe: {{res.levels.safe}}</div></dd>
-                <dd ng-if="res.levels.suspicious>0" class='text-warning'><div class='fa fa-exclamation-triangle wrap'> Suspicious: {{res.levels.suspicious}}</div></dd>
-                <dd ng-if="res.levels.malicious>0" class='text-danger'><div class='fa fa-bug wrap'> Malicious: {{res.levels.malicious}}</div></dd>
-            </dl>
-    	    <table class="table table-hover" >
-    	        <tr>
-    	            <td ng-repeat="(field,value) in res.results[0]"><strong>{{field}}</strong></td>
-    	        </tr>
-    	        <tr ng-repeat="line in res.results">
-    	            <td ng-repeat="(field,value) in line" class="wrap"><div ng-if="field != 'level'">{{value}}</div><div ng-if="field == 'level'" ng-class="{'text-info fa fa-question-circle': value=='info', 'text-success fa fa-check-circle': value=='safe', 'text-warning fa fa-exclamation-triangle': value=='suspicious', 'text-danger fa fa-bug': value=='malicious'}"> {{value}}</div></td>
-    	        </tr>
-    	    </table>
-    	</div>
+    	    <div ng-if="!res.failed">
+        	    <dl class="dl-horizontal">
+                    <dt>Results : </dt>
+                    <dd><div ng-class="{'text-warning': res.length<res.resultCount, 'text-success': res.length==res.resultCount}"><strong>{{res.length}}/{{res.resultCount}}</strong></div><div ng-if="res.note">Note: {{res.note}}</div></dd>
+                    <dd><div class="text-danger" ng-if="res.error"><strong>Error: {{res.error}}</strong</div></dd>
+                    <dt>Events : </dt>
+                    <dd>{{res.eventCount}}</dd>
+                    <dt>Job: </dt>
+                    <dd><a href={{res.link}} target="_blank">Go to Splunk</a></dd>
+                    <dt>Earliest time:</dt>
+                    <dd>{{res.searchEarliestTime}} UTC</dd>
+                    <dt>Latest time:</dt>
+                    <dd>{{res.searchLatestTime}} UTC</dd>
+                    <dt ng-if="res.levels">Levels :</dt>
+                    <dd ng-if="res.levels.info>0" class='text-info'><div class='fa fa-question-circle wrap'> Info: {{res.levels.info}}</div></dd>
+                    <dd ng-if="res.levels.safe>0" class='text-success'><div class='fa fa-check-circle wrap'> Safe: {{res.levels.safe}}</div></dd>
+                    <dd ng-if="res.levels.suspicious>0" class='text-warning'><div class='fa fa-exclamation-triangle wrap'> Suspicious: {{res.levels.suspicious}}</div></dd>
+                    <dd ng-if="res.levels.malicious>0" class='text-danger'><div class='fa fa-bug wrap'> Malicious: {{res.levels.malicious}}</div></dd>
+                </dl>
+        	    <table class="table table-hover" >
+        	        <tr>
+        	            <td ng-repeat="(field,value) in res.results[0]"><strong>{{field}}</strong></td>
+        	        </tr>
+        	        <tr ng-repeat="line in res.results">
+        	            <td ng-repeat="(field,value) in line" class="wrap"><div ng-if="field != 'level'">{{value}}</div><div ng-if="field == 'level'" ng-class="{'text-info fa fa-question-circle': value=='info', 'text-success fa fa-check-circle': value=='safe', 'text-warning fa fa-exclamation-triangle': value=='suspicious', 'text-danger fa fa-bug': value=='malicious'}"> {{value}}</div></td>
+        	        </tr>
+        	    </table>
+        	</div>
+        	<div ng-if="res.failed">
+                <dd><div class="text-danger"><strong>Error: {{res.results[0]}}</strong</div></dd>
+            </div>
+        </div>
     	<div class="panel-body" ng-if="res.length == 0">
     			<dl class="dl-horizontal">
     				<dd>No result for this search</dd>

diff --git a/thehive-templates/Splunk_Search_Hash_3_0/long.html b/thehive-templates/Splunk_Search_Hash_3_0/long.html
@@ -23,33 +23,38 @@
     	    Results for "{{res.savedsearch}}"
     	</div>
     	<div class="panel-body" ng-if="res.length != 0">
-    	    <dl class="dl-horizontal">
-                <dt>Results: </dt>
-                <dd><div ng-class="{'text-warning': res.length<res.resultCount, 'text-success': res.length==res.resultCount}"><strong>{{res.length}}/{{res.resultCount}}</strong></div><div ng-if="res.note">Note: {{res.note}}</div></dd>
-                <dd><div class="text-danger" ng-if="res.error"><strong>Error: {{res.error}}</strong</div></dd>
-                <dt>Events: </dt>
-                <dd>{{res.eventCount}}</dd>
-                <dt>Job: </dt>
-                <dd><a href={{res.link}} target="_blank">Go to Splunk</a></dd>
-                <dt>Earliest time:</dt>
-                <dd>{{res.searchEarliestTime}} UTC</dd>
-                <dt>Latest time:</dt>
-                <dd>{{res.searchLatestTime}} UTC</dd>
-                <dt ng-if="res.levels">Levels :</dt>
-                <dd ng-if="res.levels.info>0" class='text-info'><div class='fa fa-question-circle wrap'> Info: {{res.levels.info}}</div></dd>
-                <dd ng-if="res.levels.safe>0" class='text-success'><div class='fa fa-check-circle wrap'> Safe: {{res.levels.safe}}</div></dd>
-                <dd ng-if="res.levels.suspicious>0" class='text-warning'><div class='fa fa-exclamation-triangle wrap'> Suspicious: {{res.levels.suspicious}}</div></dd>
-                <dd ng-if="res.levels.malicious>0" class='text-danger'><div class='fa fa-bug wrap'> Malicious: {{res.levels.malicious}}</div></dd>
-            </dl>
-    	    <table class="table table-hover" >
-    	        <tr>
-    	            <td ng-repeat="(field,value) in res.results[0]"><strong>{{field}}</strong></td>
-    	        </tr>
-    	        <tr ng-repeat="line in res.results">
-    	            <td ng-repeat="(field,value) in line" class="wrap"><div ng-if="field != 'level'">{{value}}</div><div ng-if="field == 'level'" ng-class="{'text-info fa fa-question-circle': value=='info', 'text-success fa fa-check-circle': value=='safe', 'text-warning fa fa-exclamation-triangle': value=='suspicious', 'text-danger fa fa-bug': value=='malicious'}"> {{value}}</div></td>
-    	        </tr>
-    	    </table>
-    	</div>
+    	    <div ng-if="!res.failed">
+        	    <dl class="dl-horizontal">
+                    <dt>Results : </dt>
+                    <dd><div ng-class="{'text-warning': res.length<res.resultCount, 'text-success': res.length==res.resultCount}"><strong>{{res.length}}/{{res.resultCount}}</strong></div><div ng-if="res.note">Note: {{res.note}}</div></dd>
+                    <dd><div class="text-danger" ng-if="res.error"><strong>Error: {{res.error}}</strong</div></dd>
+                    <dt>Events : </dt>
+                    <dd>{{res.eventCount}}</dd>
+                    <dt>Job: </dt>
+                    <dd><a href={{res.link}} target="_blank">Go to Splunk</a></dd>
+                    <dt>Earliest time:</dt>
+                    <dd>{{res.searchEarliestTime}} UTC</dd>
+                    <dt>Latest time:</dt>
+                    <dd>{{res.searchLatestTime}} UTC</dd>
+                    <dt ng-if="res.levels">Levels :</dt>
+                    <dd ng-if="res.levels.info>0" class='text-info'><div class='fa fa-question-circle wrap'> Info: {{res.levels.info}}</div></dd>
+                    <dd ng-if="res.levels.safe>0" class='text-success'><div class='fa fa-check-circle wrap'> Safe: {{res.levels.safe}}</div></dd>
+                    <dd ng-if="res.levels.suspicious>0" class='text-warning'><div class='fa fa-exclamation-triangle wrap'> Suspicious: {{res.levels.suspicious}}</div></dd>
+                    <dd ng-if="res.levels.malicious>0" class='text-danger'><div class='fa fa-bug wrap'> Malicious: {{res.levels.malicious}}</div></dd>
+                </dl>
+        	    <table class="table table-hover" >
+        	        <tr>
+        	            <td ng-repeat="(field,value) in res.results[0]"><strong>{{field}}</strong></td>
+        	        </tr>
+        	        <tr ng-repeat="line in res.results">
+        	            <td ng-repeat="(field,value) in line" class="wrap"><div ng-if="field != 'level'">{{value}}</div><div ng-if="field == 'level'" ng-class="{'text-info fa fa-question-circle': value=='info', 'text-success fa fa-check-circle': value=='safe', 'text-warning fa fa-exclamation-triangle': value=='suspicious', 'text-danger fa fa-bug': value=='malicious'}"> {{value}}</div></td>
+        	        </tr>
+        	    </table>
+        	</div>
+        	<div ng-if="res.failed">
+                <dd><div class="text-danger"><strong>Error: {{res.results[0]}}</strong</div></dd>
+            </div>
+        </div>
     	<div class="panel-body" ng-if="res.length == 0">
     			<dl class="dl-horizontal">
     				<dd>No result for this search</dd>