remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0
109 stars 30 forks

3rd party feeds not being pulled when running mispgetioc #153

Closed dmolina213 closed 4 years ago

dmolina213 commented 4 years ago

When I am running this search from Splunk, I am unable to pull events that are generated from a 3rd party custom feed. The feed is pulled by running a python3 script and not via the GUI on MISP. Do you have any ideas why this is not working? I am not sure if I got the options correctly selected in the SPL query below.

| mispgetioc misp_instance=default_misp pipesplit=true add_description=true category="External analysis,Financial fraud,Internal reference,Network activity,Other,Payload delivery,Payload installation,Payload type,Persistence mechanism,Person,Social network,Support Tool,Targeting data" last=90d to_ids=true geteventtag=true warning_list=true not_tags="osint:source-type=\"block-or-filter-list\"" | eval ip=coalesce(misp_ip_dst, misp_ip_src,misp_ip) | eval domain=misp_domain | eval src_user=coalesce(misp_email_src, misp_email_src_display_name) | eval subject=misp_email_subject | eval file_name=misp_filename | eval file_hash=coalesce(misp_sha1, misp_sha256, misp_sha512, misp_md5, misp_ssdeep) | eval url=coalesce(misp_url,misp_hostname) | eval http_user_agent=misp_user_agent | eval registry_value_name=misp_regkey | eval registry_value_text=if(isnotnull(misp_regkey),misp_value,null) | eval description = misp_description | table _time, _raw, description | sort _time desc

remg427 commented 4 years ago

Hi, could you try to pull events generated by this feed using the MISP REST client via the GUI? When it works, take the JSON payload and use it with the param json_request. When it works, please paste it here so I can find the faulty params. Thanks

dmolina213 commented 4 years ago

How do I do that? I don’t get your instructions.


dmolina213 commented 4 years ago

The feed is not available on the GUI. Can only be pulled down using a script.


dmolina213 commented 4 years ago

I have been using this script, PySight.py, to pull down our FireEye feeds: https://github.com/jaegeral/PySight2MISP

These are my debug logs; not sure if this would help:

2020-06-05 02:31:38,317 - PySight_settings - DEBUG - FireEye iSight request URL: https://api.isightpartners.com/view/indicators?since=1591237898
2020-06-05 02:31:38,317 - PySight_settings - DEBUG - FireEye iSight request header: {'X-Auth': '' ', 'X-Auth-Hash': '', 'Accept': 'application/json', 'Accept-Version': '2.5', 'Date': 'Fri, 05 Jun 2020 02:31:38 +0000'}

from run.log

result {'success': True, 'message': [{'reportId': '20-00007720', 'title': 'Indicator Report: ATMOS Activity Report (Apr 29, 2020)', 'ThreatScape': 'Cyber Crime', 'audience': 'Operational', 'intelligenceType': 'malware', 'publishDate': 1588212420, 'reportLink': 'https://api.isightpartners.com/report/20-00007720', 'webLink': 'https://intelligence.fireeye.com/reports/20-00007720', 'emailIdentifier': None, 'senderAddress': None, 'senderName': None, 'sourceDomain': None, 'sourceIp': None, 'subject': None, 'recipient': None, 'emailLanguage': None, 'fileName': None, 'fileSize': None, 'fuzzyHash': None, 'fileIdentifier': None, 'md5': None, 'sha1': None, 'sha256': None, 'description': None, 'fileType': None, 'packer': None, 'userAgent': None, 'registry': None, 'fileCompilationDateTime': None, 'filePath': None, 'asn': None, 'cidr': None, 'domain': None, 'domainTimeOfLookup': None, 'networkIdentifier': 'Related', 'ip': '185.70.187.188', 'port': None, 'protocol': None, 'registrantEmail': None, 'registrantName': None, 'networkType': 'network', 'url': None, 'malwareFamily': 'atmos', 'malwareFamilyId': '702e2481-5904-49b5-843e-a7baa38736a7', 'actor': None, 'actorId': None, 'observationTime': 1588212420}, {'reportId': '20-00007720', 'title': 'Indicator Report: ATMOS Activity Report (Apr 29, 2020)', 'ThreatScape': 'Cyber Crime', 'audience': 'Operational', 'intelligenceType': 'malware', 'publishDate': 1588212420, 'reportLink': 'https://api.isightpartners.com/report/20-00007720', 'webLink': 'https://intelligence.fireeye.com/reports/20-00007720', 'emailIdentifier': None, 'senderAddress': None, 'senderName': None, 'sourceDomain': None, 'sourceIp': None, 'subject': None, 'recipient': None, 'emailLanguage': None, 'fileName': None, 'fileSize': None, 'fuzzyHash': None, 'fileIdentifier': None, 'md5': None, 'sha1': None, 'sha256': None

dmolina213 commented 4 years ago

Here is what I got from my REST client:

{"response": {"Attribute": [{"id":"1","event_id":"1","object_id":"0","object_relation":null,"category":"External analysis","type":"text","to_ids":false,"uuid":"5ecf1d26-bb78-4891-9b9b-5308ac1f1e65","timestamp":"1590631718","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"20-00009438","Event":{"org_id":"1","distribution":"1","id":"1","info":"iSIGHT: Indicator Report: ZeusVM Activity Report (May 26, 2020)","orgc_id":"1","uuid":"23099146-5ef7-4296-afc4-b6175e4d25fe"}},{"id":"2","event_id":"1","object_id":"0","object_relation":null,"category":"External analysis","type":"link","to_ids":false,"uuid":"5ecf1d26-a6b0-43ef-b4c3-04a8ac1f1e65","timestamp":"1590631718","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/intelligence.fireeye.com\/reports\/20-00009438","Event":{"org_id":"1","distribution":"1","id":"1","info":"iSIGHT: Indicator Report: ZeusVM Activity Report (May 26, 2020)","orgc_id":"1","uuid":"23099146-5ef7-4296-afc4-b6175e4d25fe"}},{"id":"3","event_id":"1","object_id":"0","object_relation":null,"category":"Attribution","type":"text","to_ids":false,"uuid":"5ecf1d26-2adc-4a14-9db6-04a4ac1f1e65","timestamp":"1590631718","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":true,"first_seen":null,"last_seen":null,"value":"Cyber Crime","Event":{"org_id":"1","distribution":"1","id":"1","info":"iSIGHT: Indicator Report: ZeusVM Activity Report (May 26, 2020)","orgc_id":"1","uuid":"23099146-5ef7-4296-afc4-b6175e4d25fe"}},{"id":"4","event_id":"1","object_id":"0","object_relation":null,"category":"Network 
activity","type":"url","to_ids":true,"uuid":"a9fd2240-50cb-4193-a953-f9d467a11a62","timestamp":"1590631719","distribution":"5","sharing_group_id":"0","comment":"zeusvm","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http:\/\/ucecelra.com\/playoff\/panel\/config.jpg","Event":{"org_id":"1","distribution":"1","id":"1","info":"iSIGHT: Indicator Report: ZeusVM Activity Report (May 26, 2020)","orgc_id":"1","uuid":"23099146-5ef7-4296-afc4-b6175e4d25fe"}},{"id":"5","event_id":"1","object_id":"0","object_relation":null,"category":"Antivirus detection","type":"text","to_ids":false,"uuid":"b39d3ee9-c49a-4ce0-804f-5cd22610f9b5","timestamp":"1590631719","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"zeusvm","Event":{"org_id":"1","distribution":"1","id":"1","info":"iSIGHT: Indicator Report: ZeusVM Activity Report (May 26, 2020)","orgc_id":"1","uuid":"23099146-5ef7-4296-afc4-b6175e4d25fe"}},{"id":"6","event_id":"2","object_id":"0","object_relation":null,"category":"External analysis","type":"text","to_ids":false,"uuid":"5ecf1d27-eeb4-417f-a238-52edac1f1e65","timestamp":"1590631719","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"20-00009437","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"7","event_id":"2","object_id":"0","object_relation":null,"category":"External 
analysis","type":"link","to_ids":false,"uuid":"5ecf1d27-df98-4b19-81c1-52f6ac1f1e65","timestamp":"1590631719","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/intelligence.fireeye.com\/reports\/20-00009437","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"8","event_id":"2","object_id":"0","object_relation":null,"category":"Attribution","type":"text","to_ids":false,"uuid":"5ecf1d27-afb4-4910-922b-52f5ac1f1e65","timestamp":"1590631719","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":true,"first_seen":null,"last_seen":null,"value":"Cyber Crime","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"9","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"1b7d1d89-d48a-452c-b9ff-3d6bcfe7e054","timestamp":"1590631719","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"encorebodyart.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"10","event_id":"2","object_id":"0","object_relation":null,"category":"Antivirus detection","type":"text","to_ids":false,"uuid":"99d12642-7b3f-48b0-9ebe-274f8cbd07fb","timestamp":"1590631719","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"ursnif","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator 
Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"11","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"4652058a-19a4-43c8-80a6-4d432dcf72ef","timestamp":"1590631720","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"mezendracr.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"12","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"1cd983a7-3e44-464e-89ee-0973eb415e91","timestamp":"1590631720","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http:\/\/ybk6uxiwnxe3pud3.onion","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"13","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"a0bcd6f0-aac2-4530-aef6-4a5ea74f6a56","timestamp":"1590631720","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/encorebodyart.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"14","event_id":"2","object_id":"0","object_relation":null,"category":"Network 
activity","type":"hostname","to_ids":true,"uuid":"51238bc1-aaf3-4a93-8e18-110dba4a0233","timestamp":"1590631721","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"bulbsener.agency","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"15","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"2a86f977-f78a-41ac-b0aa-69ec2f0a34a4","timestamp":"1590631721","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"consulttrus.org","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"16","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"cde890c5-bb75-460d-b1f0-157bb4574a22","timestamp":"1590631721","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"groundgirl.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"17","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"b7dc10a2-d9e5-4e42-9a34-86d7d38d35ba","timestamp":"1590631722","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"moskotskylops.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: 
Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"18","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"15aff243-9e80-4f31-9d56-77fd757ac5fa","timestamp":"1590631722","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"objecopoly.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"19","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"8bcfc162-7880-4e1d-bb34-dc3e9cf5c308","timestamp":"1590631723","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http:\/\/eastiggeno.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"20","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"779828db-429f-44af-8716-ca82ec591f58","timestamp":"1590631723","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/rushruflr.abkhazia.su","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"21","event_id":"2","object_id":"1","object_relation":"md5","category":"Payload 
delivery","type":"md5","to_ids":true,"uuid":"4e50995b-eb5d-4e8d-b30e-c6b857357431","timestamp":"1590631723","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"40e709abb9f9fd7e50391afe1c84fbfc","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"},"Object":{"id":"1","distribution":"5","sharing_group_id":"0"}},{"id":"22","event_id":"2","object_id":"1","object_relation":"sha1","category":"Payload delivery","type":"sha1","to_ids":true,"uuid":"59034cdc-6d57-4b8a-8759-289bc8138248","timestamp":"1590631723","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"2d1a7f18bf287d716f6e8f3d17a1e1989c86d3be","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"},"Object":{"id":"1","distribution":"5","sharing_group_id":"0"}},{"id":"23","event_id":"2","object_id":"1","object_relation":"sha256","category":"Payload delivery","type":"sha256","to_ids":true,"uuid":"bb640786-0cb2-42f4-889f-0846bdc94836","timestamp":"1590631723","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"6977bb1bfd5744790bb84bdee1c5f420aad8de2d29064b1b41d7a36fa23b99cf","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 
2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"},"Object":{"id":"1","distribution":"5","sharing_group_id":"0"}},{"id":"24","event_id":"2","object_id":"1","object_relation":"size-in-bytes","category":"Other","type":"size-in-bytes","to_ids":false,"uuid":"1e885c90-81a7-4bb2-a9b4-c87975c43f08","timestamp":"1590631723","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":true,"first_seen":null,"last_seen":null,"value":"720896","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"},"Object":{"id":"1","distribution":"5","sharing_group_id":"0"}},{"id":"25","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"f947b985-ad26-4a41-afd6-a80d3099bc80","timestamp":"1590631724","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http:\/\/mezendracr.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"26","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"875feaf2-fb3d-4815-b915-c1975f555443","timestamp":"1590631724","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http:\/\/objecopoly.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"27","event_id":"2","object_id":"0","object_relation":null,"category":"Network 
activity","type":"url","to_ids":true,"uuid":"a70eaa83-6c85-44c6-bb32-6e398283e82c","timestamp":"1590631725","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/bulbsener.agency","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"28","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"6e14b859-ac78-4e59-b705-631995d428cd","timestamp":"1590631725","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"eastiggeno.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"29","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"e2f15502-958b-455d-8431-c1e77c84b4a2","timestamp":"1590631725","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/107gam.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"30","event_id":"2","object_id":"0","object_relation":null,"category":"Network 
activity","type":"url","to_ids":true,"uuid":"866f7da1-ac22-4aa9-a8cb-414c3c7a996f","timestamp":"1590631726","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/accordages.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"31","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"9baf29e5-d4e1-4938-88b6-ea05f4d060cd","timestamp":"1590631726","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/gstat.premiumkashmirisaffron.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"32","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"db1ca0a6-0c4c-47af-826c-8a955783f983","timestamp":"1590631727","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/rshushurar.abkhazia.su","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"33","event_id":"2","object_id":"0","object_relation":null,"category":"Network 
activity","type":"url","to_ids":true,"uuid":"f21a43fe-9314-4cd8-a7d7-51c27728c4b4","timestamp":"1590631727","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/sumrachnorber.agency","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"34","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"9d0adccc-4d9f-433c-9f31-056f884ebc9c","timestamp":"1590631727","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"107gam.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"35","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"3286f48d-da76-442b-af1e-3fce267ed531","timestamp":"1590631728","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"accordages.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"36","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"eb5b6539-673c-4c09-ba87-72bde42f5a79","timestamp":"1590631728","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http:\/\/consulttrus.org","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: 
Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"37","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"a549fead-cea7-4f09-927d-72a0620012c9","timestamp":"1590631728","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/moskotskylops.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"38","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"36b3d4a8-c2cb-403c-ad5d-9083dfd9a338","timestamp":"1590631729","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"sumrachnorber.agency","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"39","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"0b7c6b91-40d7-4595-af0e-736d33174c47","timestamp":"1590631729","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/groundgirl.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"40","event_id":"2","object_id":"2","object_relation":"md5","category":"Payload 

remg427 commented 4 years ago

Hi, what JSON request do you use to get this response? If you use the same JSON request with mispgetioc, what do you get? Normally the same JSON request passed to the MISP API should return the same response.
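To follow the diagnostic step suggested above (send the same JSON request to the MISP API and through mispgetioc, then compare), here is an added Python example that is not code from misp42splunk or from either participant: it builds an `/attributes/restSearch` body from the options in the SPL search and reports which attributes of one response are missing from another. The mapping of mispgetioc options onto restSearch keys is an assumption, and all sample attributes are constructed placeholders.

```python
"""Added example: compare MISP restSearch output between two requests.

Assumption: the mispgetioc options (category, last, to_ids, warning_list,
geteventtag, not_tags) map onto the restSearch keys used below. Verify
against the app's own documentation before relying on it.
"""
import json
from collections import Counter, defaultdict

# Option values copied from the SPL search in this thread.
CATEGORIES = [
    "External analysis", "Financial fraud", "Internal reference",
    "Network activity", "Other", "Payload delivery", "Payload installation",
    "Payload type", "Persistence mechanism", "Person", "Social network",
    "Support Tool", "Targeting data",
]
NOT_TAGS = ['osint:source-type="block-or-filter-list"']


def build_restsearch_body(categories=CATEGORIES, last="90d", to_ids=True,
                          not_tags=NOT_TAGS, warning_list=True,
                          event_tags=True):
    """Build the JSON body for POST /attributes/restSearch.

    A tag prefixed with "!" is excluded by MISP, which is how the
    not_tags option is expressed here (assumed mapping).
    """
    body = {
        "returnFormat": "json",
        "category": list(categories),
        "last": last,
        "to_ids": 1 if to_ids else 0,
        "enforceWarninglist": bool(warning_list),
        "includeEventTags": bool(event_tags),
    }
    if not_tags:
        body["tags"] = ["!" + tag for tag in not_tags]
    return body


def summarize_by_event(response):
    """Count attributes per event in an /attributes/restSearch response."""
    summary = defaultdict(lambda: {"info": "", "total": 0, "to_ids": 0,
                                   "types": Counter()})
    for attr in response.get("response", {}).get("Attribute", []):
        event = attr.get("Event", {})
        row = summary[event.get("id", attr.get("event_id"))]
        row["info"] = event.get("info", "")
        row["total"] += 1
        row["to_ids"] += 1 if attr.get("to_ids") else 0
        row["types"][attr["type"]] += 1
    return dict(summary)


def attribute_keys(response):
    """Reduce a response to a set of (event_id, type, value) tuples."""
    return {(a["event_id"], a["type"], a["value"])
            for a in response.get("response", {}).get("Attribute", [])}


def missing_from(reference, candidate):
    """Attributes in the reference response that the candidate lacks."""
    return sorted(attribute_keys(reference) - attribute_keys(candidate))


def _attr(aid, event_id, info, atype, value, to_ids=True,
          category="Network activity"):
    # Constructed attribute in the shape restSearch returns (placeholders).
    return {"id": aid, "event_id": event_id, "category": category,
            "type": atype, "to_ids": to_ids, "value": value,
            "Event": {"id": event_id, "info": info, "org_id": "1"}}


# Constructed sample: the REST client returns a feed event (id 3) that the
# second request does not.
SAMPLE_REST_CLIENT = {"response": {"Attribute": [
    _attr("44", "3", "Feed report A (constructed)", "text", "REPORT-0001",
          to_ids=False, category="External analysis"),
    _attr("47", "3", "Feed report A (constructed)", "ip-dst", "192.0.2.10"),
    _attr("60", "3", "Feed report A (constructed)", "url",
          "https://192.0.2.10:449/"),
    _attr("40", "2", "Feed report B (constructed)", "md5", "0" * 32,
          category="Payload delivery"),
]}}
SAMPLE_SECOND_REQUEST = {"response": {"Attribute": [
    _attr("40", "2", "Feed report B (constructed)", "md5", "0" * 32,
          category="Payload delivery"),
]}}

if __name__ == "__main__":
    print(json.dumps(build_restsearch_body(), indent=2))
    for event_id, row in summarize_by_event(SAMPLE_REST_CLIENT).items():
        print(event_id, row["info"], row["total"], dict(row["types"]))
    for key in missing_from(SAMPLE_REST_CLIENT, SAMPLE_SECOND_REQUEST):
        print("missing:", key)
```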

dmolina213 commented 4 years ago

Looks like it is working now. I didn't do anything but noticed I was getting FireEye feeds. I did notice there was an upgrade to the app recently. Not sure if it was fixed there.
