def do_generate(self, api_key, logger):
query = self.query
count = self.count
if query == '':
logger.error("Parameter query should not be empty.")
self.write_error("Parameter query should not be empty.")
exit(1)
# Strip the spaces from the parameter value if given
if count:
count = count.strip()
# Validating the given parameters
try:
count = validator.Integer(option_name='count',
minimum=1).validate(count)
except ValueError as e:
# Validator will throw ValueError with error message when the parameters are not proper
logger.error(str(e))
self.write_error(str(e))
exit(1)
logger.info(
"Fetching aggregate statistics for query: {}, count: {}".format(
str(query), count))
# Opting timout 120 seconds for the requests
api_client = GreyNoise(api_key=api_key,
timeout=240,
integration_name="Splunk")
# If count is not passed explicitely to the command by the user, then it will have the value None
stats_data = api_client.stats(query, count)
logger.info(
"Successfully retrieved response for the aggregate statistics for query: {}, count: {}"
.format(str(query), count))
if int(stats_data.get('count', -1)) >= 0:
results = {}
results['source'] = 'greynoise'
results['sourcetype'] = 'greynoise'
results['_time'] = time.time()
results['_raw'] = {'results': stats_data}
yield results
else:
response = stats_data.get('message', None) or stats_data.get(
'error', None)
if 'bad count' in response or 'bad query' in response:
logger.error(
"Invalid response retrieved from the GreyNoise API for query: {}, response: {}"
.format(str(query), str(response)))
if 'message' in response:
event = {'message': response}
else:
event = {'error': response}
yield event_generator.make_invalid_event('stats', event, True)
def generate(self):
"""Method that yields records to the Splunk processing pipeline."""
logger = utility.setup_logger(
session_key=self._metadata.searchinfo.session_key,
log_context=self._metadata.searchinfo.command)
# Enter the mechanism only when the Search is complete and all the events are available
if self.search_results_info and not self.metadata.preview:
try:
api_key = utility.get_api_key(
self._metadata.searchinfo.session_key, logger=logger)
# Completing the search if the API key is not available.
if not api_key:
logger.error(
"API key not found. Please configure the GreyNoise App for Splunk."
)
exit(1)
# Opting timout 120 seconds for the requests
api_client = GreyNoise(api_key=api_key,
timeout=240,
integration_name=INTEGRATION_NAME)
queries = {
"malicious": "classification:malicious last_seen:today",
"benign": "classification:benign last_seen:today",
"unknown": "classification:unknown last_seen:today"
}
for key, value in queries.items():
logger.debug(
"Fetching records for classification: {}".format(key))
stats_data = api_client.stats(value, None)
if stats_data.get("stats"):
self.handle_stats(stats_data.get("stats"), key)
else:
logger.error(
"Returning no results because of unexpected response in one of the query."
)
exit(1)
for result in self.RESULTS:
yield result
logger.info("Events returned successfully to Splunk.")
except Exception:
logger.error("Exception: {} ".format(
str(traceback.format_exc())))
exit(1)
