Splunk
README
This analyzer allows you to execute a list of searches in Splunk by passing the element you are looking for as a parameter.
This analyzer comes in 10 flavors:
- Splunk_Search_Domain_FQDN: Dispatch a list of saved searches on a given domain/fqdn
- Splunk_Search_File_Filename: Dispatch a list of saved searches on a given file/filename
- Splunk_Search_Hash: Dispatch a list of saved searches on a given hash
- Splunk_Search_IP: Dispatch a list of saved searches on a given IP (IPv4 only)
- Splunk_Search_Mail_Email: Dispatch a list of saved searches on a given mail/email
- Splunk_Search_Mail_Subject: Dispatch a list of saved searches on a given mail_subject
- Splunk_Search_Other: Dispatch a list of saved searches on a given data (any type)
- Splunk_Search_Registry: Dispatch a list of saved searches on a given registry
- Splunk_Search_URL_URI_Path: Dispatch a list of saved searches on a given url/uri_path
- Splunk_Search_User_Agent: Dispatch a list of saved searches on a given user_agent
- Splunk_Search_User: Dispatch a list of saved searches on a given user id (the variable name is 'other')
Requirements
You need access to a Splunk instance with a dedicated account. All the saved searches you want to use must be grouped in the same application and have the same owner.
When you configure an analyzer, it will ask you for this information:
- host: This is the domain name or the IP of your Splunk instance.
- port: This is the port used to reach the Splunk API (Splunk default is 8089).
- port_gui: This is the port used to reach the Splunk web interface (HTTP) (Splunk default is 8000).
- username (optional): If your Splunk instance has authentication, you need an account to access it (and the indexes you want to search). Please avoid using admin.
- password (optional): If your Splunk instance has authentication, this is the password of the previous account. Please avoid using admin and respect password complexity. Token access is not supported.
- application: This is the application in which all the saved searches are stored on your Splunk instance.
- owner: This is the owner of all the saved searches; it must be the same for all of them. This can be different from the username mentioned above, but you will then need shared rights.
- savedsearches: A list of all the saved searches you want to execute. Just put the names of the saved searches here. Each saved search is dispatched in parallel (so each becomes a Splunk job), and the Cortex job finishes once all Splunk jobs are done.
- earliest_time: If not empty, this parameter specifies the earliest time to use for all searches. If empty, the earliest time set in the saved search is used by Splunk.
- latest_time: If not empty, this parameter specifies the latest time to use for all searches. If empty, the latest time set in the saved search is used by Splunk.
- max_count: This parameter is set to 1,000 by default. It is the number of results to recover from the job. A limit is set to avoid any trouble in the TheHive/Cortex GUI. If the value is set to 0, all available results are returned.
How to retrieve arguments in Splunk?
All arguments can be retrieved using "$args.DATATYPE$". As an example is better than a long speech, here it is:
Imagine that you have a search with this query:
index=myindex_internet sourcetype=mysourcetype url=$args.url$*
| stats count by user, url, src_ip
This query will retrieve the data using $args.url$.
So you can retrieve your data using:
- $args.type$: This parameter indicates the type of data (if you need it)
- $args.domain$: This parameter contains the data for an analysis over a domain
- $args.fqdn$: This parameter contains the data for an analysis over an FQDN
- $args.file$: This parameter contains the data for an analysis over a file
- $args.filename$: This parameter contains the data for an analysis over a filename
- $args.hash$: This parameter contains the data for an analysis over a hash
- $args.ip$: This parameter contains the data for an analysis over an IP
- $args.mail$: This parameter contains the data for an analysis over a mail
- $args.email$: This parameter contains the data for an analysis over an email
- $args.mail_subject$: This parameter contains the data for an analysis over a mail subject
- $args.other$: This parameter contains the data for an analysis over "other" data
- $args.registry$: This parameter contains the data for an analysis over a registry
- $args.url$: This parameter contains the data for an analysis over a URL
- $args.uri_path$: This parameter contains the data for an analysis over a URI path
- $args.user-agent$: This parameter contains the data for an analysis over a user-agent
Taxonomies
There are 5 taxonomies available on this analyzer:
- Splunk:Results: Indicates the total number of results found by all the saved searches
- Splunk:Info (optional): Indicates the total number of results which have a field "level" set to "info"
- Splunk:Safe (optional): Indicates the total number of results which have a field "level" set to "safe"
- Splunk:Suspicious (optional): Indicates the total number of results which have a field "level" set to "suspicious"
- Splunk:Malicious (optional): Indicates the total number of results which have a field "level" set to "malicious"
As mentioned above, your saved searches can return a field named "level", which will be interpreted by Cortex/TheHive as a taxonomy and will create reports according to its value (info, safe, suspicious or malicious).
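A complete saved-search definition that puts the two mechanisms above together, as an added example (not a file from the analyzer's repository): the search reads the observable through $args.ip$ and derives the "level" field that the taxonomies count. The stanza name, the index and sourcetype, the field names (src_ip, dest_ip, action, dest_category) and the classification rules are assumptions for the illustration; adapt them to your own data model.

```ini
# savedsearches.conf, stored in the Splunk application configured as
# "application" and owned by the user configured as "owner".
# Example only: the stanza name, index, sourcetype and field names below
# are assumptions, not part of the analyzer.
[Cortex - IP investigation]
# $args.ip$ is replaced by the observable value when the analyzer dispatches the search.
search = index=proxy sourcetype=web:proxy (src_ip=$args.ip$ OR dest_ip=$args.ip$) \
    | stats count min(_time) AS first_seen max(_time) AS last_seen BY src_ip dest_ip action dest_category \
    | eval level=case(match(dest_category, "(?i)malware|c2"), "malicious", \
                      action="blocked", "suspicious", \
                      true(), "info") \
    | convert ctime(first_seen) ctime(last_seen) \
    | table level count first_seen last_seen src_ip dest_ip action dest_category
# Default time range of the saved search; the analyzer's earliest_time and
# latest_time parameters override these when they are set.
dispatch.earliest_time = -7d
dispatch.latest_time = now
```

Put the stanza name ("Cortex - IP investigation" here) in the analyzer's list of saved searches. The "level" values must be spelled exactly info, safe, suspicious or malicious in lowercase to be counted by the Splunk:Info, Splunk:Safe, Splunk:Suspicious and Splunk:Malicious taxonomies; rows without a level field still count towards Splunk:Results. Keep the per-row output small, since max_count bounds how many rows are returned to Cortex.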
Splunk_Search_Hash
Author: Unit777, LetMeR00t
License: AGPL-V3
Version: 3.0
Supported observables types:
- hash
Registration required: False
Subscription required: False
Free subscription: True
Third party service: N/A
Description
Execute a savedsearch on a Splunk instance with a hash as argument
Configuration
| Name | Description | Default value if not configured | Type of the configuration item | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| host | Splunk API host or IP | N/A | string | False | True |
| port | Splunk API port | N/A | string | False | True |
| port_gui | Splunk GUI port | N/A | string | False | True |
| username | User account used for searches | N/A | string | False | False |
| password | User password of the previously mentioned account | N/A | string | False | False |
| application | Splunk application in which the saved searches are stored | N/A | string | False | True |
| owner | Username that corresponds to the owner of the saved searches | N/A | string | False | True |
| saved_searches | Name of the saved searches to use | N/A | string | True | True |
| earliest_time | If not empty, this will set the earliest time of the searches | N/A | string | False | False |
| latest_time | If not empty, this will set the latest time of the searches | N/A | string | False | False |
| max_count | Maximum number of results to return for a search | 1000 | number | False | False |
Templates samples for TheHive


Splunk_Search_Mail_Subject
Author: Unit777, LetMeR00t
License: AGPL-V3
Version: 3.0
Supported observables types:
- mail_subject
- mail-subject
Registration required: False
Subscription required: False
Free subscription: True
Third party service: N/A
Description
Execute a savedsearch on a Splunk instance with a mail subject as argument
Configuration
| Name | Description | Default value if not configured | Type of the configuration item | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| host | Splunk API host or IP | N/A | string | False | True |
| port | Splunk API port | N/A | string | False | True |
| port_gui | Splunk GUI port | N/A | string | False | True |
| username | User account used for searches | N/A | string | False | False |
| password | User password of the previously mentioned account | N/A | string | False | False |
| application | Splunk application in which the saved searches are stored | N/A | string | False | True |
| owner | Username that corresponds to the owner of the saved searches | N/A | string | False | True |
| saved_searches | Name of the saved searches to use | N/A | string | True | True |
| earliest_time | If not empty, this will set the earliest time of the searches | N/A | string | False | False |
| latest_time | If not empty, this will set the latest time of the searches | N/A | string | False | False |
| max_count | Maximum number of results to return for a search | 1000 | number | False | False |
Templates samples for TheHive


Splunk_Search_Mail_Email
Author: Unit777, LetMeR00t
License: AGPL-V3
Version: 3.0
Supported observables types:
- mail
- email
Registration required: False
Subscription required: False
Free subscription: True
Third party service: N/A
Description
Execute a savedsearch on a Splunk instance with a mail/email as argument
Configuration
| Name | Description | Default value if not configured | Type of the configuration item | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| host | Splunk API host or IP | N/A | string | False | True |
| port | Splunk API port | N/A | string | False | True |
| port_gui | Splunk GUI port | N/A | string | False | True |
| username | User account used for searches | N/A | string | False | False |
| password | User password of the previously mentioned account | N/A | string | False | False |
| application | Splunk application in which the saved searches are stored | N/A | string | False | True |
| owner | Username that corresponds to the owner of the saved searches | N/A | string | False | True |
| saved_searches | Name of the saved searches to use | N/A | string | True | True |
| earliest_time | If not empty, this will set the earliest time of the searches | N/A | string | False | False |
| latest_time | If not empty, this will set the latest time of the searches | N/A | string | False | False |
| max_count | Maximum number of results to return for a search | 1000 | number | False | False |
Templates samples for TheHive


Splunk_Search_File_Filename
Author: Unit777, LetMeR00t
License: AGPL-V3
Version: 3.0
Supported observables types:
- file
- filename
Registration required: False
Subscription required: False
Free subscription: True
Third party service: N/A
Description
Execute a savedsearch on a Splunk instance with a file/filename as argument
Configuration
| Name | Description | Default value if not configured | Type of the configuration item | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| host | Splunk API host or IP | N/A | string | False | True |
| port | Splunk API port | N/A | string | False | True |
| port_gui | Splunk GUI port | N/A | string | False | True |
| username | User account used for searches | N/A | string | False | False |
| password | User password of the previously mentioned account | N/A | string | False | False |
| application | Splunk application in which the saved searches are stored | N/A | string | False | True |
| owner | Username that corresponds to the owner of the saved searches | N/A | string | False | True |
| saved_searches | Name of the saved searches to use | N/A | string | True | True |
| earliest_time | If not empty, this will set the earliest time of the searches | N/A | string | False | False |
| latest_time | If not empty, this will set the latest time of the searches | N/A | string | False | False |
| max_count | Maximum number of results to return for a search | 1000 | number | False | False |
Templates samples for TheHive


Splunk_Search_User
Author: LetMeR00t
License: AGPL-V3
Version: 3.0
Supported observables types:
- other
Registration required: False
Subscription required: False
Free subscription: True
Third party service: N/A
Description
Execute a savedsearch on a Splunk instance with a user ID as argument
Configuration
| Name | Description | Default value if not configured | Type of the configuration item | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| host | Splunk API host or IP | N/A | string | False | True |
| port | Splunk API port | N/A | string | False | True |
| port_gui | Splunk GUI port | N/A | string | False | True |
| username | User account used for searches | N/A | string | False | False |
| password | User password of the previously mentioned account | N/A | string | False | False |
| application | Splunk application in which the saved searches are stored | N/A | string | False | True |
| owner | Username that corresponds to the owner of the saved searches | N/A | string | False | True |
| saved_searches | Name of the saved searches to use | N/A | string | True | True |
| earliest_time | If not empty, this will set the earliest time of the searches | N/A | string | False | False |
| latest_time | If not empty, this will set the latest time of the searches | N/A | string | False | False |
| max_count | Maximum number of results to return for a search | 1000 | number | False | False |
Templates samples for TheHive


Splunk_Search_Domain_FQDN
Author: Unit777, LetMeR00t
License: AGPL-V3
Version: 3.0
Supported observables types:
- domain
- fqdn
Registration required: False
Subscription required: False
Free subscription: True
Third party service: N/A
Description
Execute a savedsearch on a Splunk instance with a domain or a FQDN as argument
Configuration
| Name | Description | Default value if not configured | Type of the configuration item | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| host | Splunk API host or IP | N/A | string | False | True |
| port | Splunk API port | N/A | string | False | True |
| port_gui | Splunk GUI port | N/A | string | False | True |
| username | User account used for searches | N/A | string | False | False |
| password | User password of the previously mentioned account | N/A | string | False | False |
| application | Splunk application in which the saved searches are stored | N/A | string | False | True |
| owner | Username that corresponds to the owner of the saved searches | N/A | string | False | True |
| saved_searches | Name of the saved searches to use | N/A | string | True | True |
| earliest_time | If not empty, this will set the earliest time of the searches | N/A | string | False | False |
| latest_time | If not empty, this will set the latest time of the searches | N/A | string | False | False |
| max_count | Maximum number of results to return for a search | 1000 | number | False | False |
Templates samples for TheHive


Splunk_Search_User_Agent
Author: Unit777, LetMeR00t
License: AGPL-V3
Version: 3.0
Supported observables types:
- user-agent
Registration required: False
Subscription required: False
Free subscription: True
Third party service: N/A
Description
Execute a savedsearch on a Splunk instance with a user agent as argument
Configuration
| Name | Description | Default value if not configured | Type of the configuration item | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| host | Splunk API host or IP | N/A | string | False | True |
| port | Splunk API port | N/A | string | False | True |
| port_gui | Splunk GUI port | N/A | string | False | True |
| username | User account used for searches | N/A | string | False | False |
| password | User password of the previously mentioned account | N/A | string | False | False |
| application | Splunk application in which the saved searches are stored | N/A | string | False | True |
| owner | Username that corresponds to the owner of the saved searches | N/A | string | False | True |
| saved_searches | Name of the saved searches to use | N/A | string | True | True |
| earliest_time | If not empty, this will set the earliest time of the searches | N/A | string | False | False |
| latest_time | If not empty, this will set the latest time of the searches | N/A | string | False | False |
| max_count | Maximum number of results to return for a search | 1000 | number | False | False |
Templates samples for TheHive


Splunk_Search_IP
Author: Unit777, LetMeR00t
License: AGPL-V3
Version: 3.0
Supported observables types:
- ip
Registration required: False
Subscription required: False
Free subscription: True
Third party service: N/A
Description
Execute a savedsearch on a Splunk instance with an IP as argument
Configuration
| Name | Description | Default value if not configured | Type of the configuration item | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| host | Splunk API host or IP | N/A | string | False | True |
| port | Splunk API port | N/A | string | False | True |
| port_gui | Splunk GUI port | N/A | string | False | True |
| username | User account used for searches | N/A | string | False | False |
| password | User password of the previously mentioned account | N/A | string | False | False |
| application | Splunk application in which the saved searches are stored | N/A | string | False | True |
| owner | Username that corresponds to the owner of the saved searches | N/A | string | False | True |
| saved_searches | Name of the saved searches to use | N/A | string | True | True |
| earliest_time | If not empty, this will set the earliest time of the searches | N/A | string | False | False |
| latest_time | If not empty, this will set the latest time of the searches | N/A | string | False | False |
| max_count | Maximum number of results to return for a search | 1000 | number | False | False |
Templates samples for TheHive


Splunk_Search_Other
Author: Unit777, LetMeR00t
License: AGPL-V3
Version: 3.0
Supported observables types:
- other
Registration required: False
Subscription required: False
Free subscription: True
Third party service: N/A
Description
Execute a savedsearch on a Splunk instance with unidentified data as argument
Configuration
| Name | Description | Default value if not configured | Type of the configuration item | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| host | Splunk API host or IP | N/A | string | False | True |
| port | Splunk API port | N/A | string | False | True |
| port_gui | Splunk GUI port | N/A | string | False | True |
| username | User account used for searches | N/A | string | False | False |
| password | User password of the previously mentioned account | N/A | string | False | False |
| application | Splunk application in which the saved searches are stored | N/A | string | False | True |
| owner | Username that corresponds to the owner of the saved searches | N/A | string | False | True |
| saved_searches | Name of the saved searches to use | N/A | string | True | True |
| earliest_time | If not empty, this will set the earliest time of the searches | N/A | string | False | False |
| latest_time | If not empty, this will set the latest time of the searches | N/A | string | False | False |
| max_count | Maximum number of results to return for a search | 1000 | number | False | False |
Templates samples for TheHive


Splunk_Search_URL_URI_Path
Author: Unit777, LetMeR00t
License: AGPL-V3
Version: 3.0
Supported observables types:
- url
- uri_path
Registration required: False
Subscription required: False
Free subscription: True
Third party service: N/A
Description
Execute a savedsearch on a Splunk instance with a URL or a URI path as argument
Configuration
| Name | Description | Default value if not configured | Type of the configuration item | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| host | Splunk API host or IP | N/A | string | False | True |
| port | Splunk API port | N/A | string | False | True |
| port_gui | Splunk GUI port | N/A | string | False | True |
| username | User account used for searches | N/A | string | False | False |
| password | User password of the previously mentioned account | N/A | string | False | False |
| application | Splunk application in which the saved searches are stored | N/A | string | False | True |
| owner | Username that corresponds to the owner of the saved searches | N/A | string | False | True |
| saved_searches | Name of the saved searches to use | N/A | string | True | True |
| earliest_time | If not empty, this will set the earliest time of the searches | N/A | string | False | False |
| latest_time | If not empty, this will set the latest time of the searches | N/A | string | False | False |
| max_count | Maximum number of results to return for a search | 1000 | number | False | False |
Template samples for TheHive


Splunk_Search_Registry
Author: Unit777, LetMeR00t
License: AGPL-V3
Version: 3.0
Supported observable types:
- registry
Registration required: False
Subscription required: False
Free subscription: True
Third party service: N/A
Description
Execute a savedsearch on a Splunk instance with registry data as argument
Configuration
| Item | Description | Default value if not configured | Type of the configuration item | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| host | Splunk API host or IP | N/A | string | False | True |
| port | Splunk API port | N/A | string | False | True |
| port_gui | Splunk GUI port | N/A | string | False | True |
| username | User account used for searches | N/A | string | False | False |
| password | User password of the previously mentioned account | N/A | string | False | False |
| application | Splunk application in which the saved searches are stored | N/A | string | False | True |
| owner | Username that corresponds to the owner of the saved searches | N/A | string | False | True |
| saved_searches | Name of the saved searches to use | N/A | string | True | True |
| earliest_time | If not empty, this will set the earliest time of the searches | N/A | string | False | False |
| latest_time | If not empty, this will set the latest time of the searches | N/A | string | False | False |
| max_count | Maximum number of results to return for a search | 1000 | number | False | False |
Template samples for TheHive

