Dashboards & Visualizations

Help Needed with Converting Kaspersky CyberTrace Indicators Lookup Dashboard

msyazdani
Loves-to-Learn

Hi everyone,

I'm currently working on integrating Kaspersky CyberTrace with Splunk and have encountered a couple of issues I need help with:

  1. Converting Indicators Lookup Dashboard:

    • I successfully converted the "Kaspersky CyberTrace Matches" and "Kaspersky CyberTrace Status" dashboards to Dashboard Studio.
    • However, the "Indicators Lookup" dashboard does not have an option for conversion and throws an error when I try to open it: "HTML Dashboards are no longer supported. You can recreate your HTML dashboard using Dashboard Studio."
    • The code for this dashboard is quite extensive. Does anyone have any suggestions or best practices on how to convert it to Dashboard Studio effectively?
  2. Data Not Displaying in Dashboards:

    • Even though data is being received from Kaspersky and stored in the Main index, the dashboards are not displaying any information.
    • Has anyone faced similar issues or could provide insight into what might be going wrong here?

Any guidance or solutions to these problems would be greatly appreciated.

Thanks in advance for your help!

Labels (2)
0 Karma

msyazdani
Loves-to-Learn

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<title>Indicators lookup</title>
<link rel="shortcut icon" href="/en-US/static/@4EAB67D171EF0F268537B07472A600B957BA5791405CEF63525C4E27D3E44D74/img/favicon.ico" />
<link rel="stylesheet" type="text/css" href="{{SPLUNKWEB_URL_PREFIX}}/static/build/css/bootstrap-enterprise.css" />
<link rel="stylesheet" type="text/css" href="{{SPLUNKWEB_URL_PREFIX}}/static/build/css/splunkjs-dashboard.css" />


<meta name="referrer" content="never" />
<meta name="referrer" content="no-referrer" />

<script>
(function () {
window._splunk_metrics_events = [];
window._splunk_metrics_events.active = true;

function onLoadSwa() {
new SWA({"deploymentID": "38255b58-9e6d-5dfa-8d85-b49d0a12bf26", "userID": "88dc5753653ca0684944db586ae6839c9919d788bf6408b4cca2a8e79949adac", "version": "4", "instanceGUID": "2255A6A4-6BBF-4F0C-8DE8-ABF5E956C44B", "visibility": "anonymous,support", "url": "https://e1345286.api.splkmobile.com/1.0/e1345286"});
};

document.addEventListener("DOMContentLoaded", function(event) {
var s = document.createElement('script');
s.type = 'text/javascript';
s.async = true;
s.src='/en-US/static/app/splunk_instrumentation/build/pages/swa.js';
s.addEventListener('load', onLoadSwa);
var x = document.getElementsByTagName('script')[0];
x.parentNode.insertBefore(s, x);
});
}());
</script>
</head>
<body class="simplexml preload locale-en" data-splunk-version="8.0.2.1" data-splunk-product="enterprise">
<!--
BEGIN LAYOUT
This section contains the layout for the dashboard. Splunk uses proprietary
styles in <div> tags, similar to Bootstrap's grid system.
-->
<header>
<a aria-label="Screen reader users, click here to skip the navigation bar" class="navSkip" href="#navSkip" tabIndex="1">Skip Navigation &gt;</a>
<div class="header splunk-header">
<div id="placeholder-splunk-bar">
<a href="{{SPLUNKWEB_URL_PREFIX}}/app/launcher/home" class="brand" title="splunk &gt; listen to your data">splunk<strong>&gt;</strong></a>
</div>
<div id="placeholder-app-bar"></div>
</div>
<a id="navSkip"></a>
</header>
<div class="dashboard-body container-fluid main-section-body" data-role="main">
<div class="dashboard-header clearfix">
<h2>Indicators lookup</h2>
</div>
<div class="fieldset">
<div>
<legend><b>Kaspersky CyberTrace connection settings</b></legend>
<div class="kl-panel-body">
<div class="input input-text" id="settings-ct-host">
<label>Kaspersky CyberTrace address</label>
</div>
<div class="input input-text" id="settings-ct-port">
<label>Kaspersky CyberTrace port</label>
</div>
</div>
</div>
<div></div>
<div id="input1" class="html">
<div class="fieldset">
<legend><b>Kaspersky CyberTrace lookup indicator</b></legend>
<div class="panel-body html">
<p>Enter indicator, that you want to lookup in the Kaspersky CyberTrace</p>
</div> </div>
<div class="input input-text" id="input2">
<label>Indicator</label>
</div>
<div class="form-submit" id="search_btn">
<button class="btn btn-primary submit">Lookup</button>
</div>
</div>
</div>

<div id="row1" class="dashboard-row dashboard-row1">
<div id="panel1" class="dashboard-cell" style="width: 100%;">
<div class="dashboard-panel clearfix">

<div class="panel-element-row">
<div id="element1" class="dashboard-element table" style="width: 100%">
<div class="panel-head">
<h3>Matching events</h3>
</div>
<div class="panel-body"></div>
</div>
</div>
</div>
</div>
</div>
</div>

<!--
END LAYOUT
-->

<script src="{{SPLUNKWEB_URL_PREFIX}}/config?autoload=1" crossorigin="use-credentials"></script>
<script src="{{SPLUNKWEB_URL_PREFIX}}/static/js/i18n.js"></script>
<script src="{{SPLUNKWEB_URL_PREFIX}}/i18ncatalog?autoload=1"></script>
<script src="{{SPLUNKWEB_URL_PREFIX}}/static/build/simplexml/index.js"></script>
<script type="text/javascript">
// <![CDATA[
// <![CDATA[
//
// LIBRARY REQUIREMENTS
//
// In the require function, we include the necessary libraries and modules for
// the HTML dashboard. Then, we pass variable names for these libraries and
// modules as function parameters, in order.
//
// When you add libraries or modules, remember to retain this mapping order
// between the library or module and its function parameter. You can do this by
// adding to the end of these lists, as shown in the commented examples below.

require([
"splunkjs/mvc",
"splunkjs/mvc/utils",
"splunkjs/mvc/tokenutils",
"underscore",
"jquery",
"splunkjs/mvc/simplexml",
"splunkjs/mvc/layoutview",
"splunkjs/mvc/simplexml/dashboardview",
"splunkjs/mvc/simplexml/dashboard/panelref",
"splunkjs/mvc/simplexml/element/chart",
"splunkjs/mvc/simplexml/element/event",
"splunkjs/mvc/simplexml/element/html",
"splunkjs/mvc/simplexml/element/list",
"splunkjs/mvc/simplexml/element/map",
"splunkjs/mvc/simplexml/element/single",
"splunkjs/mvc/simplexml/element/table",
"splunkjs/mvc/simplexml/element/visualization",
"splunkjs/mvc/simpleform/formutils",
"splunkjs/mvc/simplexml/eventhandler",
"splunkjs/mvc/simplexml/searcheventhandler",
"splunkjs/mvc/simpleform/input/dropdown",
"splunkjs/mvc/simpleform/input/radiogroup",
"splunkjs/mvc/simpleform/input/linklist",
"splunkjs/mvc/simpleform/input/multiselect",
"splunkjs/mvc/simpleform/input/checkboxgroup",
"splunkjs/mvc/simpleform/input/text",
"splunkjs/mvc/simpleform/input/timerange",
"splunkjs/mvc/simpleform/input/submit",
"splunkjs/mvc/searchmanager",
"splunkjs/mvc/savedsearchmanager",
"splunkjs/mvc/postprocessmanager",
"splunkjs/mvc/simplexml/urltokenmodel"
// Add comma-separated libraries and modules manually here, for example:
// ..."splunkjs/mvc/simplexml/urltokenmodel",
// "splunkjs/mvc/tokenforwarder"
],
function(
mvc,
utils,
TokenUtils,
_,
$,
DashboardController,
LayoutView,
Dashboard,
PanelRef,
ChartElement,
EventElement,
HtmlElement,
ListElement,
MapElement,
SingleElement,
TableElement,
VisualizationElement,
FormUtils,
EventHandler,
SearchEventHandler,
DropdownInput,
RadioGroupInput,
LinkListInput,
MultiSelectInput,
CheckboxGroupInput,
TextInput,
TimeRangeInput,
SubmitButton,
SearchManager,
SavedSearchManager,
PostProcessManager,
UrlTokenModel

// Add comma-separated parameter names here, for example:
// ...UrlTokenModel,
// TokenForwarder
) {

var pageLoading = true;


//
// TOKENS
//

// Create token namespaces
var urlTokenModel = new UrlTokenModel();
mvc.Components.registerInstance('url', urlTokenModel);
var defaultTokenModel = mvc.Components.getInstance('default', {create: true});
var submittedTokenModel = mvc.Components.getInstance('submitted', {create: true});

urlTokenModel.on('url:navigate', function() {
defaultTokenModel.set(urlTokenModel.toJSON());
if (!_.isEmpty(urlTokenModel.toJSON()) && !_.all(urlTokenModel.toJSON(), _.isUndefined)) {
submitTokens();
} else {
submittedTokenModel.clear();
}
});

// Initialize tokens
defaultTokenModel.set(urlTokenModel.toJSON());

function submitTokens() {
// Copy the contents of the defaultTokenModel to the submittedTokenModel and urlTokenModel
FormUtils.submitForm({ replaceState: pageLoading });
}

function setToken(name, value) {
defaultTokenModel.set(name, value);
submittedTokenModel.set(name, value);
}

function unsetToken(name) {
defaultTokenModel.unset(name);
submittedTokenModel.unset(name);
}

setToken("run",false);

//
// SEARCH MANAGERS
//


var search1 = new SearchManager({
"id": "search1",
"earliest_time": "-30d@d",
"latest_time": "now",
"autostart": false,
"sample_ratio": null,
"search": "| klsearch $indicator$ | rename _raw as DetectedEvent | table LookupIndicator, DetectedEvent",
"status_buckets": 0,
"cancelOnUnload": true,
"app": utils.getCurrentApp(),
"auto_cancel": 90,
"preview": true,
"tokenDependencies": {
},
"runWhenTimeIsUndefined": false
}, {tokens: true, tokenNamespace: "submitted"});

//
// SERVICE OBJECT
//
// Create a service object REST request using the Splunk SDK for JavaScript

var service = mvc.createService({
owner: 'nobody'
});

setToken('update', false);
service.get(
'storage/collections/data/kl_cybertrace_settings/', null,
function(err, result) {
if (err) {
console.error(err);
}
else {
if (result.data.length > 0) {
setToken('update', true);
setToken('_key', result.data[0]._key);

setToken('KTCHost', result.data[0].KTCHost || '127.0.0.1');
setToken('KTCPort', result.data[0].KTCPort || 9999);
}
}
});


//
// SPLUNK LAYOUT
//

$('header').remove();
new LayoutView({"hideChrome": false, "hideSplunkBar": false, "hideAppBar": false})
.render()
.getContainerElement()
.appendChild($('.dashboard-body')[0]);

//
// DASHBOARD EDITOR
//

new Dashboard({
id: 'dashboard',
el: $('.dashboard-body'),
showTitle: true,
editable: true
}, {tokens: true}).render();


//
// VIEWS: VISUALIZATION ELEMENTS
//

var element1 = new TableElement({
"id": "element1",
"count": 50,
"managerid": "search1",
"el": $('#element1')
}, {tokens: true, tokenNamespace: "submitted"}).render();

element1.on("click", function(e) {
if (e.field !== undefined) {
e.preventDefault();
var url = TokenUtils.replaceTokenNames("http://tip.kaspersky.com/search?searchString=$click.value$", _.extend(submittedTokenModel.toJSON(), e.data), TokenUtils.getEscaper('url'), TokenUtils.getFilters(mvc.Components));
utils.redirect(url, false, "_blank");
}
});


//
// VIEWS: FORM INPUTS
//

var settingsktcaddr = new TextInput({
"id": "settings-ct-host",
"searchWhenChanged": false,
"default": "127.0.0.1",
"value": "$KTCHost$",
"el": $('#settings-ct-host')
}, {tokens: true}).render();

var settingsktcport = new TextInput({
"id": "settings-ct-port",
"searchWhenChanged": false,
"default": "9999",
"value": "$KTCPort$",
"el": $('#settings-ct-port')
}, {tokens: true}).render();

var input1 = new HtmlElement({
"id": "input1",
"useTokens": true,
"el": $('#input1')
}, {tokens: true, tokenNamespace: "submitted"}).render();

DashboardController.addReadyDep(input1.contentLoaded());

input1.on("change", function(newValue) {
FormUtils.handleValueChange(input1);
});

var input2 = new TextInput({
"id": "input2",
"searchWhenChanged": true,
"default": "",
"value": "$indicator$",
"el": $('#input2')
}, {tokens: true}).render();

input2.on("change", function(newValue) {
FormUtils.handleValueChange(input2);
});

//
// SUBMIT FORM DATA
//

var submit = new SubmitButton({
id: 'submit',
el: $('#search_btn'),
text: 'Lookup'
}, {tokens: true}).render();

submit.on("submit", function() {
var collectionEndpoint, headers, method, record, tokens;
tokens = mvc.Components.getInstance('default');
if (tokens.get('KTCHost') === "" ){
alert ("Incorrect value for Kaspersky CyberTrace address");
return;
}
if (tokens.get('KTCPort') === "" ){
alert ("Incorrect value for Kaspersky CyberTrace port");
return;
}
record = {
KTCHost: tokens.get('KTCHost'),
KTCPort: tokens.get('KTCPort')
};

/* add/update record */
headers = {
'Content-Type': 'application/json'
};

if (tokens.get('update')) {
collectionEndpoint = 'storage/collections/data/kl_cybertrace_settings/' + tokens.get('_key');
}
else {
collectionEndpoint = 'storage/collections/data/kl_cybertrace_settings';
}

method = 'POST';
service.request(collectionEndpoint, method, null, null, JSON.stringify(record), headers, null)
.done(function(data) {
data = JSON.parse(data);
if (data._key) {
submitTokens();
search1.startSearch();
}
else {
console.error('no key returned in data', data._key);
}
})
.fail(function(data) {
console.error(data.statusText);
statusMessage('error', data.statusText);
});
});

// Initialize time tokens to default
if (!defaultTokenModel.has('earliest') && !defaultTokenModel.has('latest')) {
defaultTokenModel.set({ earliest: '0', latest: '' });
}

if (!_.isEmpty(urlTokenModel.toJSON())){
submitTokens();
}


//
// DASHBOARD READY
//

DashboardController.ready();
pageLoading = false;

}
);
// ]]>
</script>
</body>
</html>

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...