j91321
commented
3 years ago Hello,
this should be possible you need to modify fetch_data() in misp.py so the request made to MISP API returns the results you want.
MISP has a builti-n tool where you can test the API calls, lot of examples can be found in MISP documentation
Then you need to modify the load functions to actually store this in MISP, but some characters may break the parsing of multiple events.
Currently the values are stored as comma separated values in this format:
event_id1#event_type1,event_id2#event_type2e.g.
1352#ip-dst,246#ip-srcSo if your text description fetched from MISP contains for example # or , it'll break the parsing. I guess you could store the whole JSON instead of my made-up CSV format, but I'm afraid that parsing whole JSON could lead to logstash filter being too slow in bigger environments. That's the main reason why I decided to store only MISP Event IDs.
I'll consider maybe adding it as an option to choose between the "CSV event id only" option and JSON option, since it's a valid request, but it'll take some time.
Hi !
Would it be possible to get the event info for example Feodo IP Blocklist feed in the memcache tag isntead of teh event_id. I tried changing the code of misp.py but disn't find a way. I am new to misp and their data structure. So would be great if you can help me.
Thanks