TheHive-Project · jeromeleonard · Aug 10, 2020 · Sep 19, 2019 · Sep 19, 2019 · Sep 19, 2019
diff --git a/analyzers/Splunk/Splunk_Search_domain_fqdn.json b/analyzers/Splunk/Splunk_Search_domain_fqdn.json
@@ -0,0 +1,96 @@
+{
+    "name": "Splunk_Search_Domain_FQDN",
+    "version": "3.0",
+    "url": "",
+    "author": "Unit777, LetMeR00t",
+    "license": "AGPL-V3",
+    "dataTypeList": ["domain","fqdn"],
+    "description": "Execute a savedsearch on a Splunk instance with a domain or a FQDN as argument",
+    "baseConfig": "Splunk",
+    "config": {
+        "check_tlp": false,
+        "max_tlp": 4,
+        "service": "Search_Domain_FQDN"
+    },
+  "configurationItems": [
+    {
+      "name": "host",
+      "description": "Splunk API host or IP",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "port",
+      "description": "Splunk API port",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "port_gui",
+      "description": "Splunk GUI port",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "username",
+      "description": "User account used for searches",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "password",
+      "description": "User password of the previous mentionned account",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "application",
+      "description": "Spunk application in which the saved searches are stored",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "owner",
+      "description": "Username that corresponds to the owner of the saved searches",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "saved_searches",
+      "description": "Name of the saved searches to use",
+      "type": "string",
+      "multi": true,
+      "required": true
+    },
+    {
+      "name": "earliest_time",
+      "description": "If not empty, this will set the earliest time of the searches",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "latest_time",
+      "description": "If not empty, this will set the latest time of the searches",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "max_count",
+      "description": "Maximum number of results to return for a search",
+      "type": "number",
+      "multi": false,
+      "required": false,
+      "defaultValue": 1000
+    }
+    ],
+    "command": "Splunk/splunk.py"
+} 
diff --git a/analyzers/Splunk/Splunk_Search_file_filename.json b/analyzers/Splunk/Splunk_Search_file_filename.json
@@ -0,0 +1,96 @@
+{
+    "name": "Splunk_Search_File_Filename",
+    "version": "3.0",
+    "url": "",
+    "author": "Unit777, LetMeR00t",
+    "license": "AGPL-V3",
+    "dataTypeList": ["file","filename"],
+    "description": "Execute a savedsearch on a Splunk instance with a file/filename as argument",
+    "baseConfig": "Splunk",
+    "config": {
+        "check_tlp": false,
+        "max_tlp": 4,
+        "service": "Search_File_Filename"
+    },
+  "configurationItems": [
+    {
+      "name": "host",
+      "description": "Splunk API host or IP",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "port",
+      "description": "Splunk API port",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "port_gui",
+      "description": "Splunk GUI port",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "username",
+      "description": "User account used for searches",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "password",
+      "description": "User password of the previous mentionned account",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "application",
+      "description": "Spunk application in which the saved searches are stored",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "owner",
+      "description": "Username that corresponds to the owner of the saved searches",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "saved_searches",
+      "description": "Name of the saved searches to use",
+      "type": "string",
+      "multi": true,
+      "required": true
+    },
+    {
+      "name": "earliest_time",
+      "description": "If not empty, this will set the earliest time of the searches",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "latest_time",
+      "description": "If not empty, this will set the latest time of the searches",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "max_count",
+      "description": "Maximum number of results to return for a search",
+      "type": "number",
+      "multi": false,
+      "required": false,
+      "defaultValue": 1000
+    }
+    ],
+    "command": "Splunk/splunk.py"
+} 
diff --git a/analyzers/Splunk/Splunk_Search_hash.json b/analyzers/Splunk/Splunk_Search_hash.json
@@ -0,0 +1,96 @@
+{
+    "name": "Splunk_Search_Hash",
+    "version": "3.0",
+    "url": "",
+    "author": "Unit777, LetMeR00t",
+    "license": "AGPL-V3",
+    "dataTypeList": ["hash"],
+    "description": "Execute a savedsearch on a Splunk instance with a hash as argument",
+    "baseConfig": "Splunk",
+    "config": {
+        "check_tlp": false,
+        "max_tlp": 4,
+        "service": "Search_Hash"
+    },
+  "configurationItems": [
+    {
+      "name": "host",
+      "description": "Splunk API host or IP",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "port",
+      "description": "Splunk API port",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "port_gui",
+      "description": "Splunk GUI port",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "username",
+      "description": "User account used for searches",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "password",
+      "description": "User password of the previous mentionned account",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "application",
+      "description": "Spunk application in which the saved searches are stored",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "owner",
+      "description": "Username that corresponds to the owner of the saved searches",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "saved_searches",
+      "description": "Name of the saved searches to use",
+      "type": "string",
+      "multi": true,
+      "required": true
+    },
+    {
+      "name": "earliest_time",
+      "description": "If not empty, this will set the earliest time of the searches",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "latest_time",
+      "description": "If not empty, this will set the latest time of the searches",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "max_count",
+      "description": "Maximum number of results to return for a search",
+      "type": "number",
+      "multi": false,
+      "required": false,
+      "defaultValue": 1000
+    }
+    ],
+    "command": "Splunk/splunk.py"
+} 
diff --git a/analyzers/Splunk/Splunk_Search_ip.json b/analyzers/Splunk/Splunk_Search_ip.json
@@ -0,0 +1,96 @@
+{
+    "name": "Splunk_Search_IP",
+    "version": "3.0",
+    "url": "",
+    "author": "Unit777, LetMeR00t",
+    "license": "AGPL-V3",
+    "dataTypeList": ["ip"],
+    "description": "Execute a savedsearch on a Splunk instance with an IP as argument",
+    "baseConfig": "Splunk",
+    "config": {
+        "check_tlp": false,
+        "max_tlp": 4,
+        "service": "Search_IP"
+    },
+  "configurationItems": [
+    {
+      "name": "host",
+      "description": "Splunk API host or IP",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "port",
+      "description": "Splunk API port",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "port_gui",
+      "description": "Splunk GUI port",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "username",
+      "description": "User account used for searches",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "password",
+      "description": "User password of the previous mentionned account",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "application",
+      "description": "Spunk application in which the saved searches are stored",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "owner",
+      "description": "Username that corresponds to the owner of the saved searches",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "saved_searches",
+      "description": "Name of the saved searches to use",
+      "type": "string",
+      "multi": true,
+      "required": true
+    },
+    {
+      "name": "earliest_time",
+      "description": "If not empty, this will set the earliest time of the searches",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "latest_time",
+      "description": "If not empty, this will set the latest time of the searches",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "max_count",
+      "description": "Maximum number of results to return for a search",
+      "type": "number",
+      "multi": false,
+      "required": false,
+      "defaultValue": 1000
+    }
+    ],
+    "command": "Splunk/splunk.py"
+}