New version of the Splunk analyzer for Cortex #534
Conversation
|
Documentation is done and a PR is waiting. Here some screenshots of the result : Thank you |
- Update TheHive template with long saved searches names and error in case of parsing results
3c7
added
scope:analyzer
|
Hi, |
|
What needs to happen to merge this PR? It would be very helpful. |
|
Hi, |
|
Thank you. |
|
Thank you. Yes we might indeed need some help. We used to use CortexDocs for documentation. In the meantime, we migrated our documentation to https://thehive-project.github.io/Cortex-Analyzers. Do you think it is possible to update this analyzer to contain all interesting info for the documentation ? All instructions there: https://thehive-project.github.io/Cortex-Analyzers/analyzers_definition/ |
|
@jeromeleonard , |
|
Everything is automatically generated based on JSON content and README.md file. An example can be found for The Domaintools_Iris analyzer. |
|
Hi @jeromeleonard, |
|
thank you very much. merged. |
Hello everyone,
This is a new analyzer for Cortex which is able to search data into Splunk.
This version is different (even if inspired) from this PR : #142
For those who known how Splunk work, I though that this PR was not a good version of how a Splunk analyzer must be. In this new version, we are using savedsearches. No request is hardcoded in the JSON files. Moreover, templates are now available for TheHive.
Please, let me know if I have to change something but this analyzer seems to be a must have for me.
I will update the CortexDocs soon to have all the details about this analyzer of course.
Thank you