remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Dashboard Example Data #133

Closed idev closed 4 years ago

idev commented 4 years ago

Hello,

so I am able to connect to my MISP, but I am struggling to utilize the Demo Dashboard. I understand the Index and Interval provided in the configuration are currently not used.

But it would be helpful to show the search which is needed to fill the index (with the required fields). Is it possible to add the search, for example, to the readme.md of the Dashboard Example?

Kind regards!

idev commented 4 years ago

Something like:

| mispgetioc misp_instance=default_misp pipesplit=true add_description=true category="External analysis,Financial fraud,Internal reference,Network activity,Other,Payload delivery,Payload installation,Payload type,Persistence mechanism,Person,Social network,Support Tool,Targeting data" last=1h to_ids=true geteventtag=true warning_list=true not_tags="osint:source-type=\"block-or-filter-list\"" | collect index=misp

idev commented 4 years ago

I also don't know how to use limit / page if your MISP holds events with huge attribute lists. For performance considerations there should be some kind of limit / pagination usage?!

remg427 commented 4 years ago

Hi,

Limit is set to 1000 by default. You can change that with limit=XXX; if you set it to 0 then there is no limit.

If you set limit=1000 and you get 1000 results, then there are more and you can relaunch the search with limit=1000 and page=2. If you again have 1000 results, then you launch with page=3, and so on.

This is not optimal, that's why I have a nightly scheduled search that appends the last day's attributes to several lookups, and I use those lookups in dashboards. Or you save to an index and then reuse from the index.
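The paging rule described above (a full page of `limit` results means there may be more, so ask for the next `page`; `limit=0` means no limit) as a small loop. This is an added example, not code from misp42splunk: the page fetcher is a constructed in-memory stand-in for the `mispgetioc` query, the attribute data is made up, and the UUID-based merge at the end is one way to keep a nightly "append" from duplicating attributes already saved.

```python
"""Page through a large attribute search the way the maintainer describes.

Added example with a constructed fake MISP query; it does not call MISP or
Splunk. Contract of the fake fetcher, copied from the comment above:
  limit=0          -> everything in one response
  limit=N, page=P  -> results (P-1)*N .. P*N-1 (page numbering starts at 1)
"""
from typing import Callable, Dict, Iterator, List, Tuple

Attribute = Dict[str, str]
Fetcher = Callable[[int, int], List[Attribute]]

# Constructed sample data: 2,500 fake attributes standing in for one event
# with a very large attribute list (the ">30.000" case in the thread).
SAMPLE_ATTRIBUTES: List[Attribute] = [
    {
        "uuid": f"00000000-0000-4000-8000-{i:012d}",
        "type": "ip-dst",
        "value": f"10.0.{i // 256}.{i % 256}",
    }
    for i in range(2500)
]


def fake_misp_search(attributes: List[Attribute]) -> Fetcher:
    """Build a page fetcher over an in-memory list (stand-in for mispgetioc)."""

    def fetch(limit: int, page: int) -> List[Attribute]:
        if limit == 0:
            return list(attributes)
        start = (page - 1) * limit
        return attributes[start:start + limit]

    return fetch


def paginate(fetch: Fetcher, limit: int = 1000) -> Iterator[List[Attribute]]:
    """Yield pages until one comes back short.

    A full page only tells you "there may be more", so a result count that is
    an exact multiple of `limit` costs one extra, empty request. That is the
    price of not knowing the total up front.
    """
    if limit < 0:
        raise ValueError("limit must be 0 (no limit) or a positive integer")
    if limit == 0:
        yield fetch(0, 1)
        return
    page = 1
    while True:
        batch = fetch(limit, page)
        if batch:
            yield batch
        if len(batch) < limit:
            return
        page += 1


def collect_all(fetch: Fetcher, limit: int = 1000) -> Tuple[List[Attribute], int]:
    """Drain every page; return (all attributes, number of requests made)."""
    requests = 0

    def counted(lim: int, page: int) -> List[Attribute]:
        nonlocal requests
        requests += 1
        return fetch(lim, page)

    out: List[Attribute] = []
    for batch in paginate(counted, limit):
        out.extend(batch)
    return out, requests


def merge_by_uuid(existing: List[Attribute], fresh: List[Attribute]) -> List[Attribute]:
    """Append only attributes whose uuid is not already stored.

    A nightly "append last day's attributes" job overlaps with the previous
    run whenever the time window is wider than the schedule interval; keying
    on the MISP attribute uuid keeps the lookup or index free of duplicates.
    """
    seen = {a["uuid"] for a in existing}
    merged = list(existing)
    for attr in fresh:
        if attr["uuid"] not in seen:
            seen.add(attr["uuid"])
            merged.append(attr)
    return merged


if __name__ == "__main__":
    fetch = fake_misp_search(SAMPLE_ATTRIBUTES)
    attrs, n = collect_all(fetch, limit=1000)
    print(f"{len(attrs)} attributes in {n} requests")  # 2500 attributes in 3 requests
    stored = merge_by_uuid([], attrs[:1500])
    stored = merge_by_uuid(stored, attrs[1000:])  # overlapping window
    print(f"{len(stored)} stored after overlapping merge")  # 2500 stored after overlapping merge
```

The same loop maps onto the manual procedure in the comment: each iteration is one `mispgetioc ... limit=1000 page=N` run, and the loop stops after the first run that returns fewer than `limit` rows.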

idev commented 4 years ago

Thank you for your feedback.

My question is how to properly fill an index with a scheduled search and the knowledge to handle events with attributes > 30.000.

Maybe this "index saving" has to be done by a Python or scripted input script. Perhaps the project "The-Hive" can be some inspiration; there is also a script filling up their own database with the MISP events: https://github.com/TheHive-Project/TheHive/tree/master/thehive-misp/app/connectors/misp (I suspect it is the MispExport.scala)

Kind regards

PS: great work - I love the project!

ykorkmaz commented 4 years ago

Hi all,

Just a quick question. Is there a specific reason not to include the "Antivirus detection" and "Artifacts dropped" attribute categories to the search query?

Best regards

remg427 commented 4 years ago

Hi,

No specific reasons, you can add and adapt as you like.