Add the possibility to search for a user
1 parent
b08d6fc
commit b6e44f5
Showing
3 changed files
with
159 additions
and
0 deletions.
@@ -0,0 +1,96 @@ | ||
{ | ||
"name": "Splunk_Search_User", | ||
"version": "3.0", | ||
"url": "", | ||
"author": "LetMeR00t", | ||
"license": "AGPL-V3", | ||
"dataTypeList": ["other"], | ||
"description": "Execute a savedsearch on a Splunk instance with a user ID as argument", | ||
"baseConfig": "Splunk", | ||
"config": { | ||
"check_tlp": false, | ||
"max_tlp": 4, | ||
"service": "Search_User" | ||
}, | ||
"configurationItems": [ | ||
{ | ||
"name": "host", | ||
"description": "Splunk API host or IP", | ||
"type": "string", | ||
"multi": false, | ||
"required": true | ||
}, | ||
{ | ||
"name": "port", | ||
"description": "Splunk API port", | ||
"type": "string", | ||
"multi": false, | ||
"required": true | ||
}, | ||
{ | ||
"name": "port_gui", | ||
"description": "Splunk GUI port", | ||
"type": "string", | ||
"multi": false, | ||
"required": true | ||
}, | ||
{ | ||
"name": "username", | ||
"description": "User account used for searches", | ||
"type": "string", | ||
"multi": false, | ||
"required": false | ||
}, | ||
{ | ||
"name": "password", | ||
"description": "User password of the previous mentionned account", | ||
"type": "string", | ||
"multi": false, | ||
"required": false | ||
}, | ||
{ | ||
"name": "application", | ||
"description": "Spunk application in which the saved searches are stored", | ||
"type": "string", | ||
"multi": false, | ||
"required": true | ||
}, | ||
{ | ||
"name": "owner", | ||
"description": "Username that corresponds to the owner of the saved searches", | ||
"type": "string", | ||
"multi": false, | ||
"required": true | ||
}, | ||
{ | ||
"name": "saved_searches", | ||
"description": "Name of the saved searches to use", | ||
"type": "string", | ||
"multi": true, | ||
"required": true | ||
}, | ||
{ | ||
"name": "earliest_time", | ||
"description": "If not empty, this will set the earliest time of the searches", | ||
"type": "string", | ||
"multi": false, | ||
"required": false | ||
}, | ||
{ | ||
"name": "latest_time", | ||
"description": "If not empty, this will set the latest time of the searches", | ||
"type": "string", | ||
"multi": false, | ||
"required": false | ||
}, | ||
{ | ||
"name": "max_count", | ||
"description": "Maximum number of results to return for a search", | ||
"type": "number", | ||
"multi": false, | ||
"required": false, | ||
"defaultValue": 1000 | ||
} | ||
], | ||
"command": "Splunk/splunk.py" | ||
} |
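Review bot: Nothing in this definition says how the `other`-typed observable (L30) reaches the saved searches listed in `saved_searches` (L89) once `Splunk/splunk.py` (L118) dispatches them; if that script interpolates the user ID into the SPL string instead of passing it as a dispatch argument, an attacker-controlled observable becomes a search-injection vector, so this should be confirmed in splunk.py, which is outside this commit. `check_tlp` is `false` with `max_tlp` 4 (L34-L35), so the observable is forwarded to Splunk whatever its TLP; that is defensible for an on-prem instance but deserves a sentence in `description`. The `password` item (L68-L72) is a plain string whose description does not flag it as a secret and has a typo; `"description": "Password of the account above; treat as a secret in the Cortex configuration"` fixes both. `url` (L27) is empty and could point at the analyzer's README.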
@@ -0,0 +1,59 @@ | ||
<div class="panel panel-danger" ng-if="!success"> | ||
<div class="panel-heading"> | ||
<strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong> | ||
</div> | ||
<div class="panel-body"> | ||
{{content.errorMessage}} | ||
</div> | ||
</div> | ||
|
||
<div ng-if="success"> | ||
<div class="panel panel-info"> | ||
<div class="panel-heading"> | ||
Summary | ||
</div> | ||
<div class="panel-body"> | ||
<dl class="dl-horizontal" ng-repeat="res in content.savedsearches"> | ||
<strong>{{res.savedsearch}}</strong>: {{res.length}} results recovered out of a total of {{res.resultCount}} results over {{res.eventCount}} events | ||
</dl> | ||
</div> | ||
</div> | ||
<div class="panel panel-info" ng-repeat="res in content.savedsearches"> | ||
<div class="panel-heading"> | ||
Results for "{{res.savedsearch}}" | ||
</div> | ||
<div class="panel-body" ng-if="res.length != 0"> | ||
<dl class="dl-horizontal"> | ||
<dt>Results: </dt> | ||
<dd><div ng-class="{'text-warning': res.length<res.resultCount, 'text-success': res.length==res.resultCount}"><strong>{{res.length}}/{{res.resultCount}}</strong></div><div ng-if="res.note">Note: {{res.note}}</div></dd> | ||
<dd><div class="text-danger" ng-if="res.error"><strong>Error: {{res.error}}</strong</div></dd> | ||
<dt>Events: </dt> | ||
<dd>{{res.eventCount}}</dd> | ||
<dt>Job: </dt> | ||
<dd><a href={{res.link}} target="_blank">Go to Splunk</a></dd> | ||
<dt>Earliest time:</dt> | ||
<dd>{{res.searchEarliestTime}} UTC</dd> | ||
<dt>Latest time:</dt> | ||
<dd>{{res.searchLatestTime}} UTC</dd> | ||
<dt ng-if="res.levels">Levels :</dt> | ||
<dd ng-if="res.levels.info>0" class='text-info'><div class='fa fa-question-circle wrap'> Info: {{res.levels.info}}</div></dd> | ||
<dd ng-if="res.levels.safe>0" class='text-success'><div class='fa fa-check-circle wrap'> Safe: {{res.levels.safe}}</div></dd> | ||
<dd ng-if="res.levels.suspicious>0" class='text-warning'><div class='fa fa-exclamation-triangle wrap'> Suspicious: {{res.levels.suspicious}}</div></dd> | ||
<dd ng-if="res.levels.malicious>0" class='text-danger'><div class='fa fa-bug wrap'> Malicious: {{res.levels.malicious}}</div></dd> | ||
</dl> | ||
<table class="table table-hover" > | ||
<tr> | ||
<td ng-repeat="(field,value) in res.results[0]"><strong>{{field}}</strong></td> | ||
</tr> | ||
<tr ng-repeat="line in res.results"> | ||
<td ng-repeat="(field,value) in line" class="wrap"><div ng-if="field != 'level'">{{value}}</div><div ng-if="field == 'level'" ng-class="{'text-info fa fa-question-circle': value=='info', 'text-success fa fa-check-circle': value=='safe', 'text-warning fa fa-exclamation-triangle': value=='suspicious', 'text-danger fa fa-bug': value=='malicious'}"> {{value}}</div></td> | ||
</tr> | ||
</table> | ||
</div> | ||
<div class="panel-body" ng-if="res.length == 0"> | ||
<dl class="dl-horizontal"> | ||
<dd>No result for this search</dd> | ||
</dl> | ||
</div> | ||
</div> | ||
</div> |
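Review bot: The error row on L154 closes its `<strong>` with `</strong` (no `>`), so the browser folds the following `</div>` into the malformed tag and the panel structure breaks whenever `res.error` is set; it should read `<dd><div class="text-danger" ng-if="res.error"><strong>Error: {{res.error}}</strong></div></dd>`. On L158 the `href` value is unquoted and the link opens a new tab without opener isolation; since `res.link` is analyzer output, write it as `<dd><a href="{{res.link}}" target="_blank" rel="noopener noreferrer">Go to Splunk</a></dd>` (AngularJS href sanitization still applies, but quoting and `rel="noopener"` cost nothing). The results table takes its header from the keys of `res.results[0]` (L171) while each row iterates its own keys (L174), so rows with a different field set or order would land under the wrong headers; presumably the saved searches return a fixed schema, but that is worth confirming or driving both rows from one precomputed key list.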
@@ -0,0 +1,4 @@ | ||
<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]"> | ||
{{t.namespace}}:{{t.predicate}}="{{t.value}}" | ||
</span> | ||
|