Hi everyone,
I'm currently working on integrating Kaspersky CyberTrace with Splunk and have encountered a couple of issues I need help with:
Converting Indicators Lookup Dashboard:
Data Not Displaying in Dashboards:
Any guidance or solutions to these problems would be greatly appreciated.
Thanks in advance for your help!
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<title>Indicators lookup</title>
<link rel="shortcut icon" href="/en-US/static/@4EAB67D171EF0F268537B07472A600B957BA5791405CEF63525C4E27D3E44D74/img/favicon.ico" />
<link rel="stylesheet" type="text/css" href="{{SPLUNKWEB_URL_PREFIX}}/static/build/css/bootstrap-enterprise.css" />
<link rel="stylesheet" type="text/css" href="{{SPLUNKWEB_URL_PREFIX}}/static/build/css/splunkjs-dashboard.css" />
<meta name="referrer" content="never" />
<meta name="referrer" content="no-referrer" />
<script>
(function () {
window._splunk_metrics_events = [];
window._splunk_metrics_events.active = true;
function onLoadSwa() {
new SWA({"deploymentID": "38255b58-9e6d-5dfa-8d85-b49d0a12bf26", "userID": "88dc5753653ca0684944db586ae6839c9919d788bf6408b4cca2a8e79949adac", "version": "4", "instanceGUID": "2255A6A4-6BBF-4F0C-8DE8-ABF5E956C44B", "visibility": "anonymous,support", "url": "https://e1345286.api.splkmobile.com/1.0/e1345286"});
};
document.addEventListener("DOMContentLoaded", function(event) {
var s = document.createElement('script');
s.type = 'text/javascript';
s.async = true;
s.src='/en-US/static/app/splunk_instrumentation/build/pages/swa.js';
s.addEventListener('load', onLoadSwa);
var x = document.getElementsByTagName('script')[0];
x.parentNode.insertBefore(s, x);
});
}());
</script>
</head>
<body class="simplexml preload locale-en" data-splunk-version="8.0.2.1" data-splunk-product="enterprise">
<!--
BEGIN LAYOUT
This section contains the layout for the dashboard. Splunk uses proprietary
styles in <div> tags, similar to Bootstrap's grid system.
-->
<header>
<a aria-label="Screen reader users, click here to skip the navigation bar" class="navSkip" href="#navSkip" tabIndex="1">Skip Navigation ></a>
<div class="header splunk-header">
<div id="placeholder-splunk-bar">
<a href="{{SPLUNKWEB_URL_PREFIX}}/app/launcher/home" class="brand" title="splunk > listen to your data">splunk<strong>></strong></a>
</div>
<div id="placeholder-app-bar"></div>
</div>
<a id="navSkip"></a>
</header>
<div class="dashboard-body container-fluid main-section-body" data-role="main">
<div class="dashboard-header clearfix">
<h2>Indicators lookup</h2>
</div>
<div class="fieldset">
<div>
<legend><b>Kaspersky CyberTrace connection settings</b></legend>
<div class="kl-panel-body">
<div class="input input-text" id="settings-ct-host">
<label>Kaspersky CyberTrace address</label>
</div>
<div class="input input-text" id="settings-ct-port">
<label>Kaspersky CyberTrace port</label>
</div>
</div>
</div>
<div></div>
<div id="input1" class="html">
<div class="fieldset">
<legend><b>Kaspersky CyberTrace lookup indicator</b></legend>
<div class="panel-body html">
<p>Enter indicator, that you want to lookup in the Kaspersky CyberTrace</p>
</div> </div>
<div class="input input-text" id="input2">
<label>Indicator</label>
</div>
<div class="form-submit" id="search_btn">
<button class="btn btn-primary submit">Lookup</button>
</div>
</div>
</div>
<div id="row1" class="dashboard-row dashboard-row1">
<div id="panel1" class="dashboard-cell" style="width: 100%;">
<div class="dashboard-panel clearfix">
<div class="panel-element-row">
<div id="element1" class="dashboard-element table" style="width: 100%">
<div class="panel-head">
<h3>Matching events</h3>
</div>
<div class="panel-body"></div>
</div>
</div>
</div>
</div>
</div>
</div>
<!--
END LAYOUT
-->
<script src="{{SPLUNKWEB_URL_PREFIX}}/config?autoload=1" crossorigin="use-credentials"></script>
<script src="{{SPLUNKWEB_URL_PREFIX}}/static/js/i18n.js"></script>
<script src="{{SPLUNKWEB_URL_PREFIX}}/i18ncatalog?autoload=1"></script>
<script src="{{SPLUNKWEB_URL_PREFIX}}/static/build/simplexml/index.js"></script>
<script type="text/javascript">
// <![CDATA[
// <![CDATA[
//
// LIBRARY REQUIREMENTS
//
// In the require function, we include the necessary libraries and modules for
// the HTML dashboard. Then, we pass variable names for these libraries and
// modules as function parameters, in order.
//
// When you add libraries or modules, remember to retain this mapping order
// between the library or module and its function parameter. You can do this by
// adding to the end of these lists, as shown in the commented examples below.
require([
"splunkjs/mvc",
"splunkjs/mvc/utils",
"splunkjs/mvc/tokenutils",
"underscore",
"jquery",
"splunkjs/mvc/simplexml",
"splunkjs/mvc/layoutview",
"splunkjs/mvc/simplexml/dashboardview",
"splunkjs/mvc/simplexml/dashboard/panelref",
"splunkjs/mvc/simplexml/element/chart",
"splunkjs/mvc/simplexml/element/event",
"splunkjs/mvc/simplexml/element/html",
"splunkjs/mvc/simplexml/element/list",
"splunkjs/mvc/simplexml/element/map",
"splunkjs/mvc/simplexml/element/single",
"splunkjs/mvc/simplexml/element/table",
"splunkjs/mvc/simplexml/element/visualization",
"splunkjs/mvc/simpleform/formutils",
"splunkjs/mvc/simplexml/eventhandler",
"splunkjs/mvc/simplexml/searcheventhandler",
"splunkjs/mvc/simpleform/input/dropdown",
"splunkjs/mvc/simpleform/input/radiogroup",
"splunkjs/mvc/simpleform/input/linklist",
"splunkjs/mvc/simpleform/input/multiselect",
"splunkjs/mvc/simpleform/input/checkboxgroup",
"splunkjs/mvc/simpleform/input/text",
"splunkjs/mvc/simpleform/input/timerange",
"splunkjs/mvc/simpleform/input/submit",
"splunkjs/mvc/searchmanager",
"splunkjs/mvc/savedsearchmanager",
"splunkjs/mvc/postprocessmanager",
"splunkjs/mvc/simplexml/urltokenmodel"
// Add comma-separated libraries and modules manually here, for example:
// ..."splunkjs/mvc/simplexml/urltokenmodel",
// "splunkjs/mvc/tokenforwarder"
],
function(
mvc,
utils,
TokenUtils,
_,
$,
DashboardController,
LayoutView,
Dashboard,
PanelRef,
ChartElement,
EventElement,
HtmlElement,
ListElement,
MapElement,
SingleElement,
TableElement,
VisualizationElement,
FormUtils,
EventHandler,
SearchEventHandler,
DropdownInput,
RadioGroupInput,
LinkListInput,
MultiSelectInput,
CheckboxGroupInput,
TextInput,
TimeRangeInput,
SubmitButton,
SearchManager,
SavedSearchManager,
PostProcessManager,
UrlTokenModel
// Add comma-separated parameter names here, for example:
// ...UrlTokenModel,
// TokenForwarder
) {
var pageLoading = true;
//
// TOKENS
//
// Create token namespaces
var urlTokenModel = new UrlTokenModel();
mvc.Components.registerInstance('url', urlTokenModel);
var defaultTokenModel = mvc.Components.getInstance('default', {create: true});
var submittedTokenModel = mvc.Components.getInstance('submitted', {create: true});
urlTokenModel.on('url:navigate', function() {
defaultTokenModel.set(urlTokenModel.toJSON());
if (!_.isEmpty(urlTokenModel.toJSON()) && !_.all(urlTokenModel.toJSON(), _.isUndefined)) {
submitTokens();
} else {
submittedTokenModel.clear();
}
});
// Initialize tokens
defaultTokenModel.set(urlTokenModel.toJSON());
function submitTokens() {
// Copy the contents of the defaultTokenModel to the submittedTokenModel and urlTokenModel
FormUtils.submitForm({ replaceState: pageLoading });
}
function setToken(name, value) {
defaultTokenModel.set(name, value);
submittedTokenModel.set(name, value);
}
function unsetToken(name) {
defaultTokenModel.unset(name);
submittedTokenModel.unset(name);
}
setToken("run",false);
//
// SEARCH MANAGERS
//
var search1 = new SearchManager({
"id": "search1",
"earliest_time": "-30d@d",
"latest_time": "now",
"autostart": false,
"sample_ratio": null,
"search": "| klsearch $indicator$ | rename _raw as DetectedEvent | table LookupIndicator, DetectedEvent",
"status_buckets": 0,
"cancelOnUnload": true,
"app": utils.getCurrentApp(),
"auto_cancel": 90,
"preview": true,
"tokenDependencies": {
},
"runWhenTimeIsUndefined": false
}, {tokens: true, tokenNamespace: "submitted"});
//
// SERVICE OBJECT
//
// Create a service object REST request using the Splunk SDK for JavaScript
var service = mvc.createService({
owner: 'nobody'
});
setToken('update', false);
service.get(
'storage/collections/data/kl_cybertrace_settings/', null,
function(err, result) {
if (err) {
console.error(err);
}
else {
if (result.data.length > 0) {
setToken('update', true);
setToken('_key', result.data[0]._key);
setToken('KTCHost', result.data[0].KTCHost || '127.0.0.1');
setToken('KTCPort', result.data[0].KTCPort || 9999);
}
}
});
//
// SPLUNK LAYOUT
//
$('header').remove();
new LayoutView({"hideChrome": false, "hideSplunkBar": false, "hideAppBar": false})
.render()
.getContainerElement()
.appendChild($('.dashboard-body')[0]);
//
// DASHBOARD EDITOR
//
new Dashboard({
id: 'dashboard',
el: $('.dashboard-body'),
showTitle: true,
editable: true
}, {tokens: true}).render();
//
// VIEWS: VISUALIZATION ELEMENTS
//
var element1 = new TableElement({
"id": "element1",
"count": 50,
"managerid": "search1",
"el": $('#element1')
}, {tokens: true, tokenNamespace: "submitted"}).render();
element1.on("click", function(e) {
if (e.field !== undefined) {
e.preventDefault();
var url = TokenUtils.replaceTokenNames("http://tip.kaspersky.com/search?searchString=$click.value$", _.extend(submittedTokenModel.toJSON(), e.data), TokenUtils.getEscaper('url'), TokenUtils.getFilters(mvc.Components));
utils.redirect(url, false, "_blank");
}
});
//
// VIEWS: FORM INPUTS
//
var settingsktcaddr = new TextInput({
"id": "settings-ct-host",
"searchWhenChanged": false,
"default": "127.0.0.1",
"value": "$KTCHost$",
"el": $('#settings-ct-host')
}, {tokens: true}).render();
var settingsktcport = new TextInput({
"id": "settings-ct-port",
"searchWhenChanged": false,
"default": "9999",
"value": "$KTCPort$",
"el": $('#settings-ct-port')
}, {tokens: true}).render();
var input1 = new HtmlElement({
"id": "input1",
"useTokens": true,
"el": $('#input1')
}, {tokens: true, tokenNamespace: "submitted"}).render();
DashboardController.addReadyDep(input1.contentLoaded());
input1.on("change", function(newValue) {
FormUtils.handleValueChange(input1);
});
var input2 = new TextInput({
"id": "input2",
"searchWhenChanged": true,
"default": "",
"value": "$indicator$",
"el": $('#input2')
}, {tokens: true}).render();
input2.on("change", function(newValue) {
FormUtils.handleValueChange(input2);
});
//
// SUBMIT FORM DATA
//
var submit = new SubmitButton({
id: 'submit',
el: $('#search_btn'),
text: 'Lookup'
}, {tokens: true}).render();
submit.on("submit", function() {
var collectionEndpoint, headers, method, record, tokens;
tokens = mvc.Components.getInstance('default');
if (tokens.get('KTCHost') === "" ){
alert ("Incorrect value for Kaspersky CyberTrace address");
return;
}
if (tokens.get('KTCPort') === "" ){
alert ("Incorrect value for Kaspersky CyberTrace port");
return;
}
record = {
KTCHost: tokens.get('KTCHost'),
KTCPort: tokens.get('KTCPort')
};
/* add/update record */
headers = {
'Content-Type': 'application/json'
};
if (tokens.get('update')) {
collectionEndpoint = 'storage/collections/data/kl_cybertrace_settings/' + tokens.get('_key');
}
else {
collectionEndpoint = 'storage/collections/data/kl_cybertrace_settings';
}
method = 'POST';
service.request(collectionEndpoint, method, null, null, JSON.stringify(record), headers, null)
.done(function(data) {
data = JSON.parse(data);
if (data._key) {
submitTokens();
search1.startSearch();
}
else {
console.error('no key returned in data', data._key);
}
})
.fail(function(data) {
console.error(data.statusText);
statusMessage('error', data.statusText);
});
});
// Initialize time tokens to default
if (!defaultTokenModel.has('earliest') && !defaultTokenModel.has('latest')) {
defaultTokenModel.set({ earliest: '0', latest: '' });
}
if (!_.isEmpty(urlTokenModel.toJSON())){
submitTokens();
}
//
// DASHBOARD READY
//
DashboardController.ready();
pageLoading = false;
}
);
// ]]>
</script>
</body>
</html>