def do_generate(self, api_key, logger): query = self.query count = self.count if query == '': logger.error("Parameter query should not be empty.") self.write_error("Parameter query should not be empty.") exit(1) # Strip the spaces from the parameter value if given if count: count = count.strip() # Validating the given parameters try: count = validator.Integer(option_name='count', minimum=1).validate(count) except ValueError as e: # Validator will throw ValueError with error message when the parameters are not proper logger.error(str(e)) self.write_error(str(e)) exit(1) logger.info( "Fetching aggregate statistics for query: {}, count: {}".format( str(query), count)) # Opting timout 120 seconds for the requests api_client = GreyNoise(api_key=api_key, timeout=240, integration_name="Splunk") # If count is not passed explicitely to the command by the user, then it will have the value None stats_data = api_client.stats(query, count) logger.info( "Successfully retrieved response for the aggregate statistics for query: {}, count: {}" .format(str(query), count)) if int(stats_data.get('count', -1)) >= 0: results = {} results['source'] = 'greynoise' results['sourcetype'] = 'greynoise' results['_time'] = time.time() results['_raw'] = {'results': stats_data} yield results else: response = stats_data.get('message', None) or stats_data.get( 'error', None) if 'bad count' in response or 'bad query' in response: logger.error( "Invalid response retrieved from the GreyNoise API for query: {}, response: {}" .format(str(query), str(response))) if 'message' in response: event = {'message': response} else: event = {'error': response} yield event_generator.make_invalid_event('stats', event, True)
def generate(self): """Method that yields records to the Splunk processing pipeline.""" logger = utility.setup_logger( session_key=self._metadata.searchinfo.session_key, log_context=self._metadata.searchinfo.command) # Enter the mechanism only when the Search is complete and all the events are available if self.search_results_info and not self.metadata.preview: try: api_key = utility.get_api_key( self._metadata.searchinfo.session_key, logger=logger) # Completing the search if the API key is not available. if not api_key: logger.error( "API key not found. Please configure the GreyNoise App for Splunk." ) exit(1) # Opting timout 120 seconds for the requests api_client = GreyNoise(api_key=api_key, timeout=240, integration_name=INTEGRATION_NAME) queries = { "malicious": "classification:malicious last_seen:today", "benign": "classification:benign last_seen:today", "unknown": "classification:unknown last_seen:today" } for key, value in queries.items(): logger.debug( "Fetching records for classification: {}".format(key)) stats_data = api_client.stats(value, None) if stats_data.get("stats"): self.handle_stats(stats_data.get("stats"), key) else: logger.error( "Returning no results because of unexpected response in one of the query." ) exit(1) for result in self.RESULTS: yield result logger.info("Events returned successfully to Splunk.") except Exception: logger.error("Exception: {} ".format( str(traceback.format_exc()))) exit(1)