Splunk
README
This analyzer allows you to execute a list of searches in Splunk by passing the element you are looking for as a parameter
This analyzer comes in 10 flavors:
Splunk_Search_Domain_FQDN : Dispatch a list of saved searches on a given domain/fqdn
Splunk_Search_File_Filename : Dispatch a list of saved searches on a given file/filename
Splunk_Search_Hash : Dispatch a list of saved searches on a given hash
Splunk_Search_IP : Dispatch a list of saved searches on a given IP (IPv4 only)
Splunk_Search_Mail_Email : Dispatch a list of saved searches on a given mail/email
Splunk_Search_Mail_Subject : Dispatch a list of saved searches on a given mail_subject
Splunk_Search_Other : Dispatch a list of saved searches on a given data (any type)
Splunk_Search_Registry : Dispatch a list of saved searches on a given registry
Splunk_Search_URL_URI_Path : Dispatch a list of saved searches on a given url/uri_path
Splunk_Search_User_Agent : Dispatch a list of saved searches on a given user_agent
Splunk_Search_User : Dispatch a list of saved searches on a given user id (variable name is 'other'
Requirements
You need to have access to a Splunk instance with a dedicated account. For any saved search you want to use, you have to group them in the same Application and with the same owner.
When you configure an analyzer, it will ask you these information:
host : This is the domain name or the IP of your Splunk instance.
port : This is the port to reach to access Splunk (API) (Splunk default to 8089).
port_gui : This is the port to reach to access Splunk (HTTP) (Splunk default to 8000).
username (optional): If your Splunk instance has authentication, you need an account to access to it (and to the indexes you want to search). Please avoid to use admin.
password (optional): If your Splunk instance has authentication, this is the password of the previous account. Please avoid to use admin and respect password complexity. No token access is supported.
application : This is the application in which all the saved searches are stored on your Splunk instance.
owner : This is the owner of all the saved searches, it must be the same for all of them. This can be different from the username mentionned above but you will need shared rights.
savedsearches : A list of all saved searches you want to execute. You just have to put the name of the saved searches here. Each saved search will be executed/dispatch in parallel (and so they will become jobs) but the Cortex job will finish once all Splunk jobs are done .
earliest_time : If not empty, this parameter will specify the earliest time to use for all searches. If empty, the earliest time set in the saved search will be used by Splunk
latest_time : If not empty, this parameter will specify the latest time to use for all searches. If empty, the latest time set in the saved search will be used by Splunk
max_count : This parameter is set to 1,000 by default. It's the number of results to recover from the job. A limit is set to avoid any trouble in TheHive/Cortex on the GUI. If value is set to 0, then all available results are returned.
How to recover arguments in Splunk ?
All arguments can be retrieve using "$args.DATATYPE$". As an example is better than a long speech, here it is:
Imagine that you have a search with this query:
index=myindex_internet sourcetype=mysourcetype url=$args.url$*
| stats count by user, url, src_ip
This query will recover the data using $args.url$.
So, you can recover your data using :
$args.type$: This parameter indicates the type of data (if you need so)
$args.domain$: This parameter contains the data for an analysis over a domain
$args.fqdn$: This parameter contains the data for an analysis over a fqdn
$args.file$: This parameter contains the data for an analysis over a file
$args.filename$: This parameter contains the data for an analysis over a filename
$args.hash$: This parameter contains the data for an analysis over a hash
$args.ip$: This parameter contains the data for an analysis over a ip
$args.mail$: This parameter contains the data for an analysis over a mail
$args.email$: This parameter contains the data for an analysis over a email
$args.mail_subject$: This parameter contains the data for an analysis over a email_subject
$args.other$: This parameter contains the data for an analysis over a other
$args.registry$: This parameter contains the data for an analysis over a registry
$args.url$: This parameter contains the data for an analysis over a url
$args.uri_path$: This parameter contains the data for an analysis over a uri_path
$args.user-agent$: This parameter contains the data for an analysis over a user-agent
Taxonomies
They are 5 taxonomies available on this analyzer:
Splunk:Results : Indicates the total number of results found by all the saved searches
Splunk:Info (optional): Indicates the total number of results which have a field "level" set to "info"
Splunk:Safe (optional): Indicates the total number of results which have a field "level" set to "safe"
Splunk:Suspicious (optional): Indicates the total number of results which have a field "level" set to "suspicious"
Splunk:Malicious (optional): Indicates the total number of results which have a field "level" set to "malicious"
As mentionned above, your saved searches can return a field named "level" which will be interpreted by Cortex/TheHive as a taxonomy and will create reports accordingly to the value (info,safe,suspicious or malicious)
Splunk_Search_IP
Author : Unit777, LetMeR00t
License : AGPL-V3
Version : 3.0
Supported observables types :
- ip
Registration required : False
Subscription required : False
Free subscription : True
Third party service : N/A
Description
Execute a savedsearch on a Splunk instance with an IP as argument
Configuration
host
Splunk API host or IP
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port
Splunk API port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port_gui
Splunk GUI port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
username
User account used for searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
password
User password of the previous mentionned account
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
application
Spunk application in which the saved searches are stored
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
owner
Username that corresponds to the owner of the saved searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
saved_searches
Name of the saved searches to use
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
True
Is required
True
earliest_time
If not empty, this will set the earliest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
latest_time
If not empty, this will set the latest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
max_count
Maximum number of results to return for a search
Default value if not configured
1000
Type of the configuration item
number
The configuration item can contain multiple values
False
Is required
False
Templates samples for TheHive
Splunk_Search_Mail_Subject
Author : Unit777, LetMeR00t
License : AGPL-V3
Version : 3.0
Supported observables types :
- mail_subject
- mail-subject
Registration required : False
Subscription required : False
Free subscription : True
Third party service : N/A
Description
Execute a savedsearch on a Splunk instance with a mail subject as argument
Configuration
host
Splunk API host or IP
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port
Splunk API port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port_gui
Splunk GUI port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
username
User account used for searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
password
User password of the previous mentionned account
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
application
Spunk application in which the saved searches are stored
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
owner
Username that corresponds to the owner of the saved searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
saved_searches
Name of the saved searches to use
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
True
Is required
True
earliest_time
If not empty, this will set the earliest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
latest_time
If not empty, this will set the latest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
max_count
Maximum number of results to return for a search
Default value if not configured
1000
Type of the configuration item
number
The configuration item can contain multiple values
False
Is required
False
Templates samples for TheHive
Splunk_Search_Domain_FQDN
Author : Unit777, LetMeR00t
License : AGPL-V3
Version : 3.0
Supported observables types :
- domain
- fqdn
Registration required : False
Subscription required : False
Free subscription : True
Third party service : N/A
Description
Execute a savedsearch on a Splunk instance with a domain or a FQDN as argument
Configuration
host
Splunk API host or IP
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port
Splunk API port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port_gui
Splunk GUI port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
username
User account used for searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
password
User password of the previous mentionned account
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
application
Spunk application in which the saved searches are stored
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
owner
Username that corresponds to the owner of the saved searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
saved_searches
Name of the saved searches to use
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
True
Is required
True
earliest_time
If not empty, this will set the earliest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
latest_time
If not empty, this will set the latest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
max_count
Maximum number of results to return for a search
Default value if not configured
1000
Type of the configuration item
number
The configuration item can contain multiple values
False
Is required
False
Templates samples for TheHive
Splunk_Search_Hash
Author : Unit777, LetMeR00t
License : AGPL-V3
Version : 3.0
Supported observables types :
- hash
Registration required : False
Subscription required : False
Free subscription : True
Third party service : N/A
Description
Execute a savedsearch on a Splunk instance with a hash as argument
Configuration
host
Splunk API host or IP
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port
Splunk API port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port_gui
Splunk GUI port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
username
User account used for searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
password
User password of the previous mentionned account
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
application
Spunk application in which the saved searches are stored
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
owner
Username that corresponds to the owner of the saved searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
saved_searches
Name of the saved searches to use
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
True
Is required
True
earliest_time
If not empty, this will set the earliest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
latest_time
If not empty, this will set the latest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
max_count
Maximum number of results to return for a search
Default value if not configured
1000
Type of the configuration item
number
The configuration item can contain multiple values
False
Is required
False
Templates samples for TheHive
Splunk_Search_Mail_Email
Author : Unit777, LetMeR00t
License : AGPL-V3
Version : 3.0
Supported observables types :
- mail
- email
Registration required : False
Subscription required : False
Free subscription : True
Third party service : N/A
Description
Execute a savedsearch on a Splunk instance with a mail/email as argument
Configuration
host
Splunk API host or IP
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port
Splunk API port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port_gui
Splunk GUI port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
username
User account used for searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
password
User password of the previous mentionned account
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
application
Spunk application in which the saved searches are stored
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
owner
Username that corresponds to the owner of the saved searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
saved_searches
Name of the saved searches to use
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
True
Is required
True
earliest_time
If not empty, this will set the earliest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
latest_time
If not empty, this will set the latest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
max_count
Maximum number of results to return for a search
Default value if not configured
1000
Type of the configuration item
number
The configuration item can contain multiple values
False
Is required
False
Templates samples for TheHive
Splunk_Search_Registry
Author : Unit777, LetMeR00t
License : AGPL-V3
Version : 3.0
Supported observables types :
- registry
Registration required : False
Subscription required : False
Free subscription : True
Third party service : N/A
Description
Execute a savedsearch on a Splunk instance with a registry data as argument
Configuration
host
Splunk API host or IP
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port
Splunk API port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port_gui
Splunk GUI port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
username
User account used for searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
password
User password of the previous mentionned account
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
application
Spunk application in which the saved searches are stored
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
owner
Username that corresponds to the owner of the saved searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
saved_searches
Name of the saved searches to use
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
True
Is required
True
earliest_time
If not empty, this will set the earliest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
latest_time
If not empty, this will set the latest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
max_count
Maximum number of results to return for a search
Default value if not configured
1000
Type of the configuration item
number
The configuration item can contain multiple values
False
Is required
False
Templates samples for TheHive
Splunk_Search_Other
Author : Unit777, LetMeR00t
License : AGPL-V3
Version : 3.0
Supported observables types :
- other
Registration required : False
Subscription required : False
Free subscription : True
Third party service : N/A
Description
Execute a savedsearch on a Splunk instance with an unidentified data as argument
Configuration
host
Splunk API host or IP
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port
Splunk API port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port_gui
Splunk GUI port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
username
User account used for searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
password
User password of the previous mentionned account
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
application
Spunk application in which the saved searches are stored
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
owner
Username that corresponds to the owner of the saved searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
saved_searches
Name of the saved searches to use
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
True
Is required
True
earliest_time
If not empty, this will set the earliest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
latest_time
If not empty, this will set the latest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
max_count
Maximum number of results to return for a search
Default value if not configured
1000
Type of the configuration item
number
The configuration item can contain multiple values
False
Is required
False
Templates samples for TheHive
Splunk_Search_URL_URI_Path
Author : Unit777, LetMeR00t
License : AGPL-V3
Version : 3.0
Supported observables types :
- url
- uri_path
Registration required : False
Subscription required : False
Free subscription : True
Third party service : N/A
Description
Execute a savedsearch on a Splunk instance with an URL or a URI path as argument
Configuration
host
Splunk API host or IP
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port
Splunk API port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port_gui
Splunk GUI port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
username
User account used for searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
password
User password of the previous mentionned account
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
application
Spunk application in which the saved searches are stored
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
owner
Username that corresponds to the owner of the saved searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
saved_searches
Name of the saved searches to use
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
True
Is required
True
earliest_time
If not empty, this will set the earliest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
latest_time
If not empty, this will set the latest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
max_count
Maximum number of results to return for a search
Default value if not configured
1000
Type of the configuration item
number
The configuration item can contain multiple values
False
Is required
False
Templates samples for TheHive
Splunk_Search_File_Filename
Author : Unit777, LetMeR00t
License : AGPL-V3
Version : 3.0
Supported observables types :
- file
- filename
Registration required : False
Subscription required : False
Free subscription : True
Third party service : N/A
Description
Execute a savedsearch on a Splunk instance with a file/filename as argument
Configuration
host
Splunk API host or IP
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port
Splunk API port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port_gui
Splunk GUI port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
username
User account used for searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
password
User password of the previous mentionned account
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
application
Spunk application in which the saved searches are stored
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
owner
Username that corresponds to the owner of the saved searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
saved_searches
Name of the saved searches to use
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
True
Is required
True
earliest_time
If not empty, this will set the earliest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
latest_time
If not empty, this will set the latest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
max_count
Maximum number of results to return for a search
Default value if not configured
1000
Type of the configuration item
number
The configuration item can contain multiple values
False
Is required
False
Templates samples for TheHive
Splunk_Search_User_Agent
Author : Unit777, LetMeR00t
License : AGPL-V3
Version : 3.0
Supported observables types :
- user-agent
Registration required : False
Subscription required : False
Free subscription : True
Third party service : N/A
Description
Execute a savedsearch on a Splunk instance with a user agent as argument
Configuration
host
Splunk API host or IP
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port
Splunk API port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port_gui
Splunk GUI port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
username
User account used for searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
password
User password of the previous mentionned account
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
application
Spunk application in which the saved searches are stored
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
owner
Username that corresponds to the owner of the saved searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
saved_searches
Name of the saved searches to use
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
True
Is required
True
earliest_time
If not empty, this will set the earliest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
latest_time
If not empty, this will set the latest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
max_count
Maximum number of results to return for a search
Default value if not configured
1000
Type of the configuration item
number
The configuration item can contain multiple values
False
Is required
False
Templates samples for TheHive
Splunk_Search_User
Author : LetMeR00t
License : AGPL-V3
Version : 3.0
Supported observables types :
- other
Registration required : False
Subscription required : False
Free subscription : True
Third party service : N/A
Description
Execute a savedsearch on a Splunk instance with a user ID as argument
Configuration
host
Splunk API host or IP
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port
Splunk API port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
port_gui
Splunk GUI port
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
username
User account used for searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
password
User password of the previous mentionned account
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
application
Spunk application in which the saved searches are stored
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
owner
Username that corresponds to the owner of the saved searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
True
saved_searches
Name of the saved searches to use
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
True
Is required
True
earliest_time
If not empty, this will set the earliest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
latest_time
If not empty, this will set the latest time of the searches
Default value if not configured
N/A
Type of the configuration item
string
The configuration item can contain multiple values
False
Is required
False
max_count
Maximum number of results to return for a search
Default value if not configured
1000
Type of the configuration item
number
The configuration item can contain multiple values
False
Is required
False
Templates samples for TheHive
December 17, 2024 17:53:43