remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

MISP Warning Lists are ignored (Version 3.1.5) #147

Closed Daniel-CS-Team closed 4 years ago

Daniel-CS-Team commented 4 years ago

We use mispgetioc to pull MISP events and then do retrohunts in our Splunk. This week, we had the issue that one of the IOCs was the domain 1drv.ms (link shortener for Microsoft OneDrive). In MISP, this is clearly marked by two warning lists. But when importing to Splunk, this IOC is imported, whether I use warning_list=true or false or omit it completely. I also use to_ids=true, and I saw in your code that this sets warning_list to true anyway. But this does not have any effect. Even in the results, there is no field for the warning list.

Expected behavior: if warning_list=true, all IOCs on a warning list are filtered out and not imported.

Actual behavior: the flag warning_list has no effect at all.

remg427 commented 4 years ago

Hi, if you set the logging level to DEBUG you will find in the logs (var/log/splunk/misp42.log) the exact request body. You can copy it and use it directly in the MISP REST client to confirm whether the issue is in mispgetioc or not.

remg427 commented 4 years ago

Hello, I acknowledged the issue and this is fixed in the latest release. The wrong key was used in the JSON request. Best
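The two replies above describe a check (copy the request body mispgetioc logs at DEBUG level and replay it against the MISP REST client) and the root cause (the wrong key in the JSON request). The following is an added example, not code from misp42splunk or from anyone in this thread, that makes both concrete outside Splunk: it builds a restSearch body using `enforceWarninglist`, the parameter name MISP's restSearch documents for this purpose, and post-filters a MISP-style response against warning lists locally so that a query which still returns warning-listed values can be detected. The sample attributes and warning lists are constructed for illustration and are not a real server reply or real MISP lists; the body builder is a minimal stand-in and does not reproduce mispgetioc's own request construction.

```python
"""Added example: reproduce the warning_list question outside Splunk.

Builds the restSearch body a warning-list-aware query should send and
post-filters a (constructed) MISP response against (constructed) warning
lists, so you can confirm whether the server honoured the flag."""
import ipaddress
import json
import re

# Constructed sample in the shape of a MISP /attributes/restSearch reply,
# trimmed to the fields used here. Not a real server response.
SAMPLE_ATTRIBUTES = [
    {"id": "1", "type": "domain", "value": "1drv.ms", "to_ids": True},
    {"id": "2", "type": "domain", "value": "evil.example", "to_ids": True},
    {"id": "3", "type": "ip-dst", "value": "8.8.8.8", "to_ids": True},
]

# Constructed warning lists shaped like MISP warninglist JSON (a "type" and a
# "list" of entries). Real lists are far longer; these are illustrative only.
SAMPLE_WARNINGLISTS = [
    {"name": "URL shorteners (sample)", "type": "hostname", "list": ["1drv.ms", "bit.ly"]},
    {"name": "Public DNS resolvers (sample)", "type": "cidr", "list": ["8.8.8.0/24"]},
]


def build_restsearch_body(to_ids=True, enforce_warninglist=True, last="30d"):
    """Body for POST /attributes/restSearch (minimal stand-in, not mispgetioc's).

    'enforceWarninglist' is the parameter MISP's restSearch documents for
    dropping attributes that hit a warning list. A body that spells the key
    differently produces no error, just unfiltered results, which is the
    symptom reported in this issue. Paste the printed body into the MISP
    REST client to check the server side independently of mispgetioc."""
    body = {"returnFormat": "json", "last": last, "to_ids": to_ids}
    if enforce_warninglist:
        body["enforceWarninglist"] = True
    return body


def matches_entry(value, wl_type, entry):
    """Match one attribute value against one warning-list entry by list type."""
    if wl_type == "string":
        return value == entry
    if wl_type == "substring":
        return entry in value
    if wl_type == "regex":
        return re.search(entry, value) is not None
    if wl_type == "hostname":
        # A hostname entry covers the host itself and any subdomain of it.
        return value == entry or value.endswith("." + entry)
    if wl_type == "cidr":
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    return False


def warninglist_hits(attributes, warninglists):
    """Return (value, warning-list name) for every attribute on a warning list.

    Run this over what a query with enforceWarninglist=true returned: any hit
    means the server did not apply the filter (wrong key, or lists disabled)."""
    hits = []
    for attr in attributes:
        for wl in warninglists:
            if any(matches_entry(attr["value"], wl["type"], e) for e in wl["list"]):
                hits.append((attr["value"], wl["name"]))
    return hits


def drop_warninglisted(attributes, warninglists):
    """Client-side safety net: keep only attributes that hit no warning list."""
    flagged = {value for value, _ in warninglist_hits(attributes, warninglists)}
    return [a for a in attributes if a["value"] not in flagged]


if __name__ == "__main__":
    print(json.dumps(build_restsearch_body(), indent=2))
    print("hits:", warninglist_hits(SAMPLE_ATTRIBUTES, SAMPLE_WARNINGLISTS))
    print("kept:", [a["value"] for a in drop_warninglisted(SAMPLE_ATTRIBUTES, SAMPLE_WARNINGLISTS)])
```

On the constructed input, 1drv.ms and 8.8.8.8 are reported as hits and only evil.example survives; against a live MISP, an empty hit list after a query sent with `enforceWarninglist` is the confirmation that the server, not the Splunk side, is doing the filtering.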

Daniel-CS-Team commented 4 years ago

Hi,

thank you very much. We will install the update ASAP.

Warm regards