Add the possibility to search for a user
LetMeR00t authored and jeromeleonard committed Aug 10, 2020
1 parent b08d6fc commit b6e44f5
Showing 3 changed files with 159 additions and 0 deletions.
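--- a/analyzers/Splunk/Splunk_Search_user.json
+++ b/analyzers/Splunk/Splunk_Search_user.json
@@ -0,0 +1,96 @@
+{
+"name": "Splunk_Search_User",
+"version": "3.0",
+"url": "",
+"author": "LetMeR00t",
+"license": "AGPL-V3",
+"dataTypeList": ["other"],
+"description": "Execute a savedsearch on a Splunk instance with a user ID as argument",
+"baseConfig": "Splunk",
+"config": {
+"check_tlp": false,
+"max_tlp": 4,
+"service": "Search_User"
+},
+"configurationItems": [
+{
+"name": "host",
+"description": "Splunk API host or IP",
+"type": "string",
+"multi": false,
+"required": true
+},
+{
+"name": "port",
+"description": "Splunk API port",
+"type": "string",
+"multi": false,
+"required": true
+},
+{
+"name": "port_gui",
+"description": "Splunk GUI port",
+"type": "string",
+"multi": false,
+"required": true
+},
+{
+"name": "username",
+"description": "User account used for searches",
+"type": "string",
+"multi": false,
+"required": false
+},
+{
+"name": "password",
+"description": "User password of the previous mentionned account",
+"type": "string",
+"multi": false,
+"required": false
+},
+{
+"name": "application",
+"description": "Spunk application in which the saved searches are stored",
+"type": "string",
+"multi": false,
+"required": true
+},
+{
+"name": "owner",
+"description": "Username that corresponds to the owner of the saved searches",
+"type": "string",
+"multi": false,
+"required": true
+},
+{
+"name": "saved_searches",
+"description": "Name of the saved searches to use",
+"type": "string",
+"multi": true,
+"required": true
+},
+{
+"name": "earliest_time",
+"description": "If not empty, this will set the earliest time of the searches",
+"type": "string",
+"multi": false,
+"required": false
+},
+{
+"name": "latest_time",
+"description": "If not empty, this will set the latest time of the searches",
+"type": "string",
+"multi": false,
+"required": false
+},
+{
+"name": "max_count",
+"description": "Maximum number of results to return for a search",
+"type": "number",
+"multi": false,
+"required": false,
+"defaultValue": 1000
+}
+],
+"command": "Splunk/splunk.py"
+}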
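Review bot: Two user-facing descriptions in the new configurationItems carry typos that every Cortex admin will see in the configuration form: `"description": "User password of the previous mentionned account"` should read `mentioned`, and `"description": "Spunk application in which the saved searches are stored"` should read `Splunk`. The `port` and `port_gui` items are declared `"type": "string"` while `max_count` is `"type": "number"`; if the configuration schema accepts `number` for these, declaring them so would reject a non-numeric port when the analyzer is configured rather than when `splunk.py` connects. `username` and `password` are both `"required": false` — the descriptions should say what the analyzer does when they are omitted (whether it attempts an unauthenticated session or fails), since `splunk.py` is not part of this commit and the behaviour cannot be read from here. The file is named `Splunk_Search_user.json` while the analyzer `name` and the template directory use `Splunk_Search_User`; harmless if Cortex resolves templates by `name` and `version`, but worth aligning to avoid case-sensitive filesystem surprises.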
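--- a/thehive-templates/Splunk_Search_User_3_0/long.html
+++ b/thehive-templates/Splunk_Search_User_3_0/long.html
@@ -0,0 +1,59 @@
+<div class="panel panel-danger" ng-if="!success">
+<div class="panel-heading">
+<strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+</div>
+<div class="panel-body">
+{{content.errorMessage}}
+</div>
+</div>
+
+<div ng-if="success">
+<div class="panel panel-info">
+<div class="panel-heading">
+Summary
+</div>
+<div class="panel-body">
+<dl class="dl-horizontal" ng-repeat="res in content.savedsearches">
+<strong>{{res.savedsearch}}</strong>: {{res.length}} results recovered out of a total of {{res.resultCount}} results over {{res.eventCount}} events
+</dl>
+</div>
+</div>
+<div class="panel panel-info" ng-repeat="res in content.savedsearches">
+<div class="panel-heading">
+Results for "{{res.savedsearch}}"
+</div>
+<div class="panel-body" ng-if="res.length != 0">
+<dl class="dl-horizontal">
+<dt>Results: </dt>
+<dd><div ng-class="{'text-warning': res.length<res.resultCount, 'text-success': res.length==res.resultCount}"><strong>{{res.length}}/{{res.resultCount}}</strong></div><div ng-if="res.note">Note: {{res.note}}</div></dd>
+<dd><div class="text-danger" ng-if="res.error"><strong>Error: {{res.error}}</strong</div></dd>
+<dt>Events: </dt>
+<dd>{{res.eventCount}}</dd>
+<dt>Job: </dt>
+<dd><a href={{res.link}} target="_blank">Go to Splunk</a></dd>
+<dt>Earliest time:</dt>
+<dd>{{res.searchEarliestTime}} UTC</dd>
+<dt>Latest time:</dt>
+<dd>{{res.searchLatestTime}} UTC</dd>
+<dt ng-if="res.levels">Levels :</dt>
+<dd ng-if="res.levels.info>0" class='text-info'><div class='fa fa-question-circle wrap'> Info: {{res.levels.info}}</div></dd>
+<dd ng-if="res.levels.safe>0" class='text-success'><div class='fa fa-check-circle wrap'> Safe: {{res.levels.safe}}</div></dd>
+<dd ng-if="res.levels.suspicious>0" class='text-warning'><div class='fa fa-exclamation-triangle wrap'> Suspicious: {{res.levels.suspicious}}</div></dd>
+<dd ng-if="res.levels.malicious>0" class='text-danger'><div class='fa fa-bug wrap'> Malicious: {{res.levels.malicious}}</div></dd>
+</dl>
+<table class="table table-hover" >
+<tr>
+<td ng-repeat="(field,value) in res.results[0]"><strong>{{field}}</strong></td>
+</tr>
+<tr ng-repeat="line in res.results">
+<td ng-repeat="(field,value) in line" class="wrap"><div ng-if="field != 'level'">{{value}}</div><div ng-if="field == 'level'" ng-class="{'text-info fa fa-question-circle': value=='info', 'text-success fa fa-check-circle': value=='safe', 'text-warning fa fa-exclamation-triangle': value=='suspicious', 'text-danger fa fa-bug': value=='malicious'}"> {{value}}</div></td>
+</tr>
+</table>
+</div>
+<div class="panel-body" ng-if="res.length == 0">
+<dl class="dl-horizontal">
+<dd>No result for this search</dd>
+</dl>
+</div>
+</div>
+</div>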
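Review bot: The error row has a malformed closing tag: `<dd><div class="text-danger" ng-if="res.error"><strong>Error: {{res.error}}</strong</div></dd>` lacks the `>` after `</strong`, so how the `<strong>` and the enclosing `<div>` get closed is left to the browser's error recovery and the text-danger styling may leak into the following `<dt>`. The job link uses an unquoted attribute and opens a new tab without an opener guard: `<a href={{res.link}} target="_blank">` should become `<a ng-href="{{res.link}}" target="_blank" rel="noopener noreferrer">Go to Splunk</a>`, so a `res.link` containing whitespace cannot split the attribute, the anchor is not rendered with a literal `{{res.link}}` before interpolation, and the Splunk page opened from the report gets no `window.opener` handle back to the TheHive tab. `res.link` presumably comes from the Splunk job response relayed by the analyzer; the template should not assume it is always a well-formed absolute URL.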
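--- a/thehive-templates/Splunk_Search_User_3_0/short.html
+++ b/thehive-templates/Splunk_Search_User_3_0/short.html
@@ -0,0 +1,4 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+{{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>
+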