Closed dmolina213 closed 4 years ago
Hi, could you try to pull events generated by this feed using the MISP REST client via the GUI? When it works, take the JSON payload and use it with param json_request. When it works, please paste it here so I can find faulty params. Thanks
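As an added example (not code from misp42splunk, PySight2MISP or anyone in this thread), the script below does two things the maintainer's request implies: it builds the JSON body you would hand to the json_request parameter for MISP's /attributes/restSearch, and it flattens a response of the shape pasted later in the thread into records a Splunk lookup could ingest, keeping only attributes flagged to_ids and skipping soft-deleted ones. The sample response is constructed from values in the thread's own paste; the string-valued "to_ids": "1" and the "deleted": true entry are constructed variations to exercise those edge cases, and the filter keys used (returnFormat, to_ids, last, published, type) are standard MISP restSearch parameters.

```python
"""Added example for issue #153 (not code from misp42splunk, PySight2MISP or the
posters): build a json_request body for MISP /attributes/restSearch and flatten
the response into IoC records suitable for a SIEM lookup."""
import json
from typing import Any, Dict, List, Optional

# Constructed sample: the shape of the restSearch output pasted in the thread,
# trimmed to five attributes. Values come from the thread's paste, except that
# the string "to_ids": "1" and the "deleted": true entry are constructed
# variations added here to exercise the edge cases below.
SAMPLE_RESPONSE_JSON = r'''{"response": {"Attribute": [
 {"id": "1", "event_id": "1", "object_id": "0", "category": "External analysis",
  "type": "text", "to_ids": false, "timestamp": "1590631718", "deleted": false,
  "value": "20-00009438",
  "Event": {"id": "1", "uuid": "23099146-5ef7-4296-afc4-b6175e4d25fe",
            "info": "iSIGHT: Indicator Report: ZeusVM Activity Report (May 26, 2020)"}},
 {"id": "3", "event_id": "1", "object_id": "0", "category": "Attribution",
  "type": "text", "to_ids": false, "timestamp": "1590631718", "deleted": false,
  "value": "Cyber Crime",
  "Event": {"id": "1", "uuid": "23099146-5ef7-4296-afc4-b6175e4d25fe",
            "info": "iSIGHT: Indicator Report: ZeusVM Activity Report (May 26, 2020)"}},
 {"id": "9", "event_id": "2", "object_id": "0", "category": "Network activity",
  "type": "hostname", "to_ids": true, "timestamp": "1590631719", "deleted": false,
  "value": "encorebodyart.xyz",
  "Event": {"id": "2", "uuid": "3a82bed3-a7dc-436e-bd9f-fc86af909491",
            "info": "iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)"}},
 {"id": "21", "event_id": "2", "object_id": "1", "object_relation": "md5",
  "category": "Payload delivery", "type": "md5", "to_ids": "1",
  "timestamp": "1590631723", "deleted": false,
  "value": "40e709abb9f9fd7e50391afe1c84fbfc",
  "Event": {"id": "2", "uuid": "3a82bed3-a7dc-436e-bd9f-fc86af909491",
            "info": "iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)"},
  "Object": {"id": "1"}},
 {"id": "47", "event_id": "3", "object_id": "0", "category": "Network activity",
  "type": "ip-dst", "to_ids": true, "timestamp": "1590631730", "deleted": true,
  "value": "103.207.169.78",
  "Event": {"id": "3", "uuid": "9b471501-d119-448d-8e66-ee69505f26db",
            "info": "iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)"}}
]}}'''
SAMPLE_RESPONSE = json.loads(SAMPLE_RESPONSE_JSON)


def build_json_request(last: str = "7d", to_ids: bool = True,
                       types: Optional[List[str]] = None) -> Dict[str, Any]:
    """Body for POST /attributes/restSearch, i.e. what goes into json_request.
    Only standard MISP filters are used: returnFormat, to_ids, last, published, type."""
    body: Dict[str, Any] = {"returnFormat": "json", "to_ids": to_ids,
                            "last": last, "published": True}
    if types:
        body["type"] = types  # MISP accepts a single string or a list of types
    return body


def _as_bool(value: Any) -> bool:
    """MISP serialises flags as JSON booleans, but "0"/"1" strings also occur."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true")


def flatten_attributes(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Turn response.Attribute[] into flat records, dropping soft-deleted ones."""
    records = []
    for attr in response.get("response", {}).get("Attribute", []):
        if _as_bool(attr.get("deleted", False)):
            continue  # a deleted attribute must never reach a blocklist
        event = attr.get("Event", {})
        records.append({
            "event_id": str(attr.get("event_id", event.get("id", ""))),
            "event_uuid": event.get("uuid", ""),
            "event_info": event.get("info", ""),
            "category": attr.get("category", ""),
            "type": attr.get("type", ""),
            "value": attr.get("value", ""),
            "to_ids": _as_bool(attr.get("to_ids", False)),
            "object_id": str(attr.get("object_id", "0")),
            "timestamp": int(attr.get("timestamp", 0)),
        })
    return records


def detection_ready(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep only attributes the producer flagged for IDS/SIEM use."""
    return [r for r in records if r["to_ids"]]


def count_by_event(records: List[Dict[str, Any]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in records:
        counts[r["event_id"]] = counts.get(r["event_id"], 0) + 1
    return counts


if __name__ == "__main__":
    print(json.dumps(build_json_request(types=["hostname", "ip-dst", "md5"]), indent=2))
    for rec in detection_ready(flatten_attributes(SAMPLE_RESPONSE)):
        print(rec["event_id"], rec["type"], rec["value"])
```

Run against the sample, the report-ID and "Cyber Crime" text attributes (to_ids false) and the deleted ip-dst are dropped, leaving the hostname and the md5, which is the subset you actually want a Splunk lookup to match on.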
How do I do that? I don't get your instructions. Sent from my iPhone. V/R, Help Me, Help You. Douglas P Molina, MBA, CISSP, C|EH, CySA+, CCSK, GCTI. U.S. Department of Veterans Affairs, Office of Information Security (OIS), Cyber Threat Intelligence (CTI). Work Phone: 708-938-2720. Mobile Phone: 202 779 2034. UNCLASS: douglas.molina@va.gov
From: Rémi Séguy notifications@github.com Sent: Monday, June 8, 2020 12:07:39 AM To: remg427/misp42splunk misp42splunk@noreply.github.com Cc: Molina, Douglas Douglas.Molina@va.gov; Author author@noreply.github.com Subject: [EXTERNAL] Re: [remg427/misp42splunk] 3rd party feeds not being pulled when running mispgetioc (#153)
The feed is not available on the GUI. It can only be pulled down using a script.
I have been using this script, PySight.py, to pull down our FireEye feeds: https://github.com/jaegeral/PySight2MISP
These are my debug logs; not sure if this would help.
2020-06-05 02:31:38,317 - PySight_settings - DEBUG - FireEye iSight request URL: https://api.isightpartners.com/view/indicators?since=1591237898
2020-06-05 02:31:38,317 - PySight_settings - DEBUG - FireEye iSight request header: {'X-Auth': '
From run.log:
result {'success': True, 'message': [{'reportId': '20-00007720', 'title': 'Indicator Report: ATMOS Activity Report (Apr 29, 2020)', 'ThreatScape': 'Cyber Crime', 'audience': 'Operational', 'intelligenceType': 'malware', 'publishDate': 1588212420, 'reportLink': 'https://api.isightpartners.com/report/20-00007720', 'webLink': 'https://intelligence.fireeye.com/reports/20-00007720', 'emailIdentifier': None, 'senderAddress': None, 'senderName': None, 'sourceDomain': None, 'sourceIp': None, 'subject': None, 'recipient': None, 'emailLanguage': None, 'fileName': None, 'fileSize': None, 'fuzzyHash': None, 'fileIdentifier': None, 'md5': None, 'sha1': None, 'sha256': None, 'description': None, 'fileType': None, 'packer': None, 'userAgent': None, 'registry': None, 'fileCompilationDateTime': None, 'filePath': None, 'asn': None, 'cidr': None, 'domain': None, 'domainTimeOfLookup': None, 'networkIdentifier': 'Related', 'ip': '185.70.187.188', 'port': None, 'protocol': None, 'registrantEmail': None, 'registrantName': None, 'networkType': 'network', 'url': None, 'malwareFamily': 'atmos', 'malwareFamilyId': '702e2481-5904-49b5-843e-a7baa38736a7', 'actor': None, 'actorId': None, 'observationTime': 1588212420}, {'reportId': '20-00007720', 'title': 'Indicator Report: ATMOS Activity Report (Apr 29, 2020)', 'ThreatScape': 'Cyber Crime', 'audience': 'Operational', 'intelligenceType': 'malware', 'publishDate': 1588212420, 'reportLink': 'https://api.isightpartners.com/report/20-00007720', 'webLink': 'https://intelligence.fireeye.com/reports/20-00007720', 'emailIdentifier': None, 'senderAddress': None, 'senderName': None, 'sourceDomain': None, 'sourceIp': None, 'subject': None, 'recipient': None, 'emailLanguage': None, 'fileName': None, 'fileSize': None, 'fuzzyHash': None, 'fileIdentifier': None, 'md5': None, 'sha1': None, 'sha256': None
Here is what I got from my REST client:
{"response": {"Attribute": [{"id":"1","event_id":"1","object_id":"0","object_relation":null,"category":"External analysis","type":"text","to_ids":false,"uuid":"5ecf1d26-bb78-4891-9b9b-5308ac1f1e65","timestamp":"1590631718","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"20-00009438","Event":{"org_id":"1","distribution":"1","id":"1","info":"iSIGHT: Indicator Report: ZeusVM Activity Report (May 26, 2020)","orgc_id":"1","uuid":"23099146-5ef7-4296-afc4-b6175e4d25fe"}},{"id":"2","event_id":"1","object_id":"0","object_relation":null,"category":"External analysis","type":"link","to_ids":false,"uuid":"5ecf1d26-a6b0-43ef-b4c3-04a8ac1f1e65","timestamp":"1590631718","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/intelligence.fireeye.com\/reports\/20-00009438","Event":{"org_id":"1","distribution":"1","id":"1","info":"iSIGHT: Indicator Report: ZeusVM Activity Report (May 26, 2020)","orgc_id":"1","uuid":"23099146-5ef7-4296-afc4-b6175e4d25fe"}},{"id":"3","event_id":"1","object_id":"0","object_relation":null,"category":"Attribution","type":"text","to_ids":false,"uuid":"5ecf1d26-2adc-4a14-9db6-04a4ac1f1e65","timestamp":"1590631718","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":true,"first_seen":null,"last_seen":null,"value":"Cyber Crime","Event":{"org_id":"1","distribution":"1","id":"1","info":"iSIGHT: Indicator Report: ZeusVM Activity Report (May 26, 2020)","orgc_id":"1","uuid":"23099146-5ef7-4296-afc4-b6175e4d25fe"}},{"id":"4","event_id":"1","object_id":"0","object_relation":null,"category":"Network 
activity","type":"url","to_ids":true,"uuid":"a9fd2240-50cb-4193-a953-f9d467a11a62","timestamp":"1590631719","distribution":"5","sharing_group_id":"0","comment":"zeusvm","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http:\/\/ucecelra.com\/playoff\/panel\/config.jpg","Event":{"org_id":"1","distribution":"1","id":"1","info":"iSIGHT: Indicator Report: ZeusVM Activity Report (May 26, 2020)","orgc_id":"1","uuid":"23099146-5ef7-4296-afc4-b6175e4d25fe"}},{"id":"5","event_id":"1","object_id":"0","object_relation":null,"category":"Antivirus detection","type":"text","to_ids":false,"uuid":"b39d3ee9-c49a-4ce0-804f-5cd22610f9b5","timestamp":"1590631719","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"zeusvm","Event":{"org_id":"1","distribution":"1","id":"1","info":"iSIGHT: Indicator Report: ZeusVM Activity Report (May 26, 2020)","orgc_id":"1","uuid":"23099146-5ef7-4296-afc4-b6175e4d25fe"}},{"id":"6","event_id":"2","object_id":"0","object_relation":null,"category":"External analysis","type":"text","to_ids":false,"uuid":"5ecf1d27-eeb4-417f-a238-52edac1f1e65","timestamp":"1590631719","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"20-00009437","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"7","event_id":"2","object_id":"0","object_relation":null,"category":"External 
analysis","type":"link","to_ids":false,"uuid":"5ecf1d27-df98-4b19-81c1-52f6ac1f1e65","timestamp":"1590631719","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/intelligence.fireeye.com\/reports\/20-00009437","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"8","event_id":"2","object_id":"0","object_relation":null,"category":"Attribution","type":"text","to_ids":false,"uuid":"5ecf1d27-afb4-4910-922b-52f5ac1f1e65","timestamp":"1590631719","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":true,"first_seen":null,"last_seen":null,"value":"Cyber Crime","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"9","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"1b7d1d89-d48a-452c-b9ff-3d6bcfe7e054","timestamp":"1590631719","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"encorebodyart.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"10","event_id":"2","object_id":"0","object_relation":null,"category":"Antivirus detection","type":"text","to_ids":false,"uuid":"99d12642-7b3f-48b0-9ebe-274f8cbd07fb","timestamp":"1590631719","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"ursnif","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator 
Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"11","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"4652058a-19a4-43c8-80a6-4d432dcf72ef","timestamp":"1590631720","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"mezendracr.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"12","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"1cd983a7-3e44-464e-89ee-0973eb415e91","timestamp":"1590631720","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http:\/\/ybk6uxiwnxe3pud3.onion","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"13","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"a0bcd6f0-aac2-4530-aef6-4a5ea74f6a56","timestamp":"1590631720","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/encorebodyart.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"14","event_id":"2","object_id":"0","object_relation":null,"category":"Network 
activity","type":"hostname","to_ids":true,"uuid":"51238bc1-aaf3-4a93-8e18-110dba4a0233","timestamp":"1590631721","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"bulbsener.agency","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"15","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"2a86f977-f78a-41ac-b0aa-69ec2f0a34a4","timestamp":"1590631721","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"consulttrus.org","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"16","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"cde890c5-bb75-460d-b1f0-157bb4574a22","timestamp":"1590631721","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"groundgirl.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"17","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"b7dc10a2-d9e5-4e42-9a34-86d7d38d35ba","timestamp":"1590631722","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"moskotskylops.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: 
Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"18","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"15aff243-9e80-4f31-9d56-77fd757ac5fa","timestamp":"1590631722","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"objecopoly.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"19","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"8bcfc162-7880-4e1d-bb34-dc3e9cf5c308","timestamp":"1590631723","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http:\/\/eastiggeno.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"20","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"779828db-429f-44af-8716-ca82ec591f58","timestamp":"1590631723","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/rushruflr.abkhazia.su","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"21","event_id":"2","object_id":"1","object_relation":"md5","category":"Payload 
delivery","type":"md5","to_ids":true,"uuid":"4e50995b-eb5d-4e8d-b30e-c6b857357431","timestamp":"1590631723","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"40e709abb9f9fd7e50391afe1c84fbfc","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"},"Object":{"id":"1","distribution":"5","sharing_group_id":"0"}},{"id":"22","event_id":"2","object_id":"1","object_relation":"sha1","category":"Payload delivery","type":"sha1","to_ids":true,"uuid":"59034cdc-6d57-4b8a-8759-289bc8138248","timestamp":"1590631723","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"2d1a7f18bf287d716f6e8f3d17a1e1989c86d3be","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"},"Object":{"id":"1","distribution":"5","sharing_group_id":"0"}},{"id":"23","event_id":"2","object_id":"1","object_relation":"sha256","category":"Payload delivery","type":"sha256","to_ids":true,"uuid":"bb640786-0cb2-42f4-889f-0846bdc94836","timestamp":"1590631723","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"6977bb1bfd5744790bb84bdee1c5f420aad8de2d29064b1b41d7a36fa23b99cf","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 
2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"},"Object":{"id":"1","distribution":"5","sharing_group_id":"0"}},{"id":"24","event_id":"2","object_id":"1","object_relation":"size-in-bytes","category":"Other","type":"size-in-bytes","to_ids":false,"uuid":"1e885c90-81a7-4bb2-a9b4-c87975c43f08","timestamp":"1590631723","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":true,"first_seen":null,"last_seen":null,"value":"720896","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"},"Object":{"id":"1","distribution":"5","sharing_group_id":"0"}},{"id":"25","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"f947b985-ad26-4a41-afd6-a80d3099bc80","timestamp":"1590631724","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http:\/\/mezendracr.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"26","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"875feaf2-fb3d-4815-b915-c1975f555443","timestamp":"1590631724","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http:\/\/objecopoly.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"27","event_id":"2","object_id":"0","object_relation":null,"category":"Network 
activity","type":"url","to_ids":true,"uuid":"a70eaa83-6c85-44c6-bb32-6e398283e82c","timestamp":"1590631725","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/bulbsener.agency","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"28","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"6e14b859-ac78-4e59-b705-631995d428cd","timestamp":"1590631725","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"eastiggeno.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"29","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"e2f15502-958b-455d-8431-c1e77c84b4a2","timestamp":"1590631725","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/107gam.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"30","event_id":"2","object_id":"0","object_relation":null,"category":"Network 
activity","type":"url","to_ids":true,"uuid":"866f7da1-ac22-4aa9-a8cb-414c3c7a996f","timestamp":"1590631726","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/accordages.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"31","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"9baf29e5-d4e1-4938-88b6-ea05f4d060cd","timestamp":"1590631726","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/gstat.premiumkashmirisaffron.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"32","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"db1ca0a6-0c4c-47af-826c-8a955783f983","timestamp":"1590631727","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/rshushurar.abkhazia.su","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"33","event_id":"2","object_id":"0","object_relation":null,"category":"Network 
activity","type":"url","to_ids":true,"uuid":"f21a43fe-9314-4cd8-a7d7-51c27728c4b4","timestamp":"1590631727","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/sumrachnorber.agency","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"34","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"9d0adccc-4d9f-433c-9f31-056f884ebc9c","timestamp":"1590631727","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"107gam.com","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"35","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"3286f48d-da76-442b-af1e-3fce267ed531","timestamp":"1590631728","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"accordages.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"36","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"eb5b6539-673c-4c09-ba87-72bde42f5a79","timestamp":"1590631728","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"http:\/\/consulttrus.org","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: 
Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"37","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"a549fead-cea7-4f09-927d-72a0620012c9","timestamp":"1590631728","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/moskotskylops.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"38","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"hostname","to_ids":true,"uuid":"36b3d4a8-c2cb-403c-ad5d-9083dfd9a338","timestamp":"1590631729","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"sumrachnorber.agency","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"39","event_id":"2","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"0b7c6b91-40d7-4595-af0e-736d33174c47","timestamp":"1590631729","distribution":"5","sharing_group_id":"0","comment":"ursnif","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/groundgirl.xyz","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"}},{"id":"40","event_id":"2","object_id":"2","object_relation":"md5","category":"Payload 
delivery","type":"md5","to_ids":true,"uuid":"d3d59220-382a-4a91-89b7-f824185fa8f8","timestamp":"1590631730","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"3a7f332a1a7a22ba3f02e9f3609ac414","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"},"Object":{"id":"2","distribution":"5","sharing_group_id":"0"}},{"id":"41","event_id":"2","object_id":"2","object_relation":"sha1","category":"Payload delivery","type":"sha1","to_ids":true,"uuid":"4ef4a41a-c3a2-4e5e-9f4f-9bbf38ab1f2d","timestamp":"1590631730","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"ff4aec44d8343d6713d049f4952ccec946c4b20c","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"},"Object":{"id":"2","distribution":"5","sharing_group_id":"0"}},{"id":"42","event_id":"2","object_id":"2","object_relation":"sha256","category":"Payload delivery","type":"sha256","to_ids":true,"uuid":"6569bf95-8d33-4779-b619-ccea717d5447","timestamp":"1590631730","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"d413a8997b4bacf978d97635e109e29c7adf56f88ee7f4f57e0f3007e72ca620","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 
2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"},"Object":{"id":"2","distribution":"5","sharing_group_id":"0"}},{"id":"43","event_id":"2","object_id":"2","object_relation":"size-in-bytes","category":"Other","type":"size-in-bytes","to_ids":false,"uuid":"0e5d649e-93ec-4dea-9eea-76e0cf6412b8","timestamp":"1590631730","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":true,"first_seen":null,"last_seen":null,"value":"506880","Event":{"org_id":"1","distribution":"1","id":"2","info":"iSIGHT: Indicator Report: Ursnif Activity Report (May 26, 2020)","orgc_id":"1","uuid":"3a82bed3-a7dc-436e-bd9f-fc86af909491"},"Object":{"id":"2","distribution":"5","sharing_group_id":"0"}},{"id":"44","event_id":"3","object_id":"0","object_relation":null,"category":"External analysis","type":"text","to_ids":false,"uuid":"5ecf1d32-7208-4306-9080-52f6ac1f1e65","timestamp":"1590631730","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"20-00009435","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"45","event_id":"3","object_id":"0","object_relation":null,"category":"External analysis","type":"link","to_ids":false,"uuid":"5ecf1d32-bf7c-476e-9128-52f5ac1f1e65","timestamp":"1590631730","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/intelligence.fireeye.com\/reports\/20-00009435","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 
2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"46","event_id":"3","object_id":"0","object_relation":null,"category":"Attribution","type":"text","to_ids":false,"uuid":"5ecf1d32-98f0-46ec-ae66-04a7ac1f1e65","timestamp":"1590631730","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":true,"first_seen":null,"last_seen":null,"value":"Cyber Crime","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"47","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"1ad37db4-816e-4bfb-8b22-224df9853992","timestamp":"1590631730","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"103.207.169.78","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"48","event_id":"3","object_id":"0","object_relation":null,"category":"Antivirus detection","type":"text","to_ids":false,"uuid":"471b4d0e-fbbb-4aa7-a5fe-8cca9d72117e","timestamp":"1590631730","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"trickbot","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"49","event_id":"3","object_id":"0","object_relation":null,"category":"Network 
activity","type":"ip-dst","to_ids":true,"uuid":"21e025ff-19af-4324-9920-c90c49ec690b","timestamp":"1590631731","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"110.232.76.39","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"50","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"20905381-3779-4dbb-8a1a-f67eaca49298","timestamp":"1590631731","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"122.50.6.122","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"51","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"0124e1ad-5049-4e8f-8f42-1c0533678c00","timestamp":"1590631732","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"138.59.233.5","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"52","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"dd357d4f-c656-44b5-a377-cf978d9ba7cf","timestamp":"1590631732","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"181.196.61.110","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator 
Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"53","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"cc0e33b6-e3cd-4f97-bda7-d4547d4a84d3","timestamp":"1590631732","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"187.110.100.122","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"54","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"6c455486-c616-4032-824e-3a59a20d649d","timestamp":"1590631733","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"187.58.56.26","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"55","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"75431f63-a3e4-4031-829b-1a66fa77b3a5","timestamp":"1590631733","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"190.136.178.52","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"56","event_id":"3","object_id":"0","object_relation":null,"category":"Network 
activity","type":"ip-dst","to_ids":true,"uuid":"bf3da828-17f6-4f5e-b84a-b9fbd00cc984","timestamp":"1590631733","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"195.123.238.155","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"57","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"e2d5881c-57cc-4bd2-9dfd-1aa2c53ea559","timestamp":"1590631734","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"212.22.77.5","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"58","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"12251c0b-b606-45ec-bd5d-f117cf0a610a","timestamp":"1590631734","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"91.235.129.20","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"59","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"a077e0b3-7c75-47cc-9c8a-ffb6c29f281a","timestamp":"1590631735","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"93.95.97.209","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator 
Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"60","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"f60badb7-3ad6-4256-8bdc-f8abd11e1ac9","timestamp":"1590631735","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/103.117.232.198:449","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"61","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"a9840d50-1144-4021-b7a3-287967a9fb43","timestamp":"1590631735","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/107.175.72.141:443","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"62","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"533aa6b9-7ecf-434c-a598-08dd345dca5c","timestamp":"1590631736","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/110.232.76.39:449","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"63","event_id":"3","object_id":"0","object_relation":null,"category":"Network 
activity","type":"url","to_ids":true,"uuid":"d3a6c924-23fc-44a5-88a0-e089e8da3115","timestamp":"1590631736","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/110.50.84.5:449","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"64","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"2b6303f9-190d-45d0-beb5-1f437926284a","timestamp":"1590631736","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/134.119.191.21:443","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"65","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"aa773b52-dc09-47d0-95bc-6b225f86669a","timestamp":"1590631737","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/146.185.219.31:443","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"66","event_id":"3","object_id":"0","object_relation":null,"category":"Network 
activity","type":"url","to_ids":true,"uuid":"1320d0c9-2564-4208-9c56-2b81db65ecd9","timestamp":"1590631737","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/168.232.42.14:449","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"67","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"af68d47a-8f16-4132-ae74-aa95f0922d75","timestamp":"1590631738","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/177.12.82.27:449","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"68","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"a5173fe9-ba10-4624-91c9-e71835d6ca19","timestamp":"1590631738","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/185.90.61.9","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"69","event_id":"3","object_id":"0","object_relation":null,"category":"Network 
activity","type":"url","to_ids":true,"uuid":"3d93e808-a0e0-45bb-b46d-57201a14899c","timestamp":"1590631738","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/187.65.49.88:449","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"70","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"6cb2d286-dd98-4372-a105-111f2f84b80b","timestamp":"1590631739","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/200.35.56.81:449","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"71","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"b1c7fca8-4311-46ca-bb7a-b02940435482","timestamp":"1590631739","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/36.66.218.117:449","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"72","event_id":"3","object_id":"0","object_relation":null,"category":"Network 
activity","type":"url","to_ids":true,"uuid":"b6a3d27b-e666-4999-8682-232540e9f3e2","timestamp":"1590631740","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/36.89.85.103:449","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"73","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"2372a4d0-697b-4283-8e0a-6d6a051a95f1","timestamp":"1590631740","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/5.1.81.68:443","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"74","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"6a32bd3c-d49e-4622-a2b5-a7f0c5be9b01","timestamp":"1590631740","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/85.204.116.100:443","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"75","event_id":"3","object_id":"0","object_relation":null,"category":"Network 
activity","type":"url","to_ids":true,"uuid":"837c3ad4-5006-4edd-aed5-2bc144cb5b39","timestamp":"1590631741","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/85.204.116.216:443","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"76","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"238cd2dd-2a01-42e4-8e07-17f706a4b918","timestamp":"1590631741","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"https:\/\/93.95.97.209:443","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"77","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"e6f6e619-0a46-47b8-823d-91dbf68112c1","timestamp":"1590631742","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"110.50.84.5","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"78","event_id":"3","object_id":"0","object_relation":null,"category":"Network 
activity","type":"ip-dst","to_ids":true,"uuid":"85121a19-756a-4eab-96b0-7e9243ee3733","timestamp":"1590631742","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"131.161.253.190","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"79","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"6cd0090d-c9ea-4b2e-9fb0-7fb129a34805","timestamp":"1590631742","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"134.119.191.11","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"80","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"a34d73aa-2f31-4f94-b055-4c318a2034de","timestamp":"1590631743","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"146.196.122.152","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"81","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"5f8e6da9-1289-4f3e-9c5b-33a1589a5ca2","timestamp":"1590631743","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"168.232.42.14","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: 
Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"82","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"6ccc17b7-ec12-4d1c-b7c5-e183f2cf877b","timestamp":"1590631744","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"177.103.240.149","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"83","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"2d4f9c9a-713d-430f-b199-f106ee4c0114","timestamp":"1590631744","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"181.129.134.18","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"84","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"20c1eb2a-d108-4595-809c-55903d884dca","timestamp":"1590631744","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"185.90.61.9","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"85","event_id":"3","object_id":"0","object_relation":null,"category":"Network 
activity","type":"ip-dst","to_ids":true,"uuid":"014b6893-1c7f-4733-8dba-b6483c4170c0","timestamp":"1590631745","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"186.42.186.202","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"86","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"8ffae582-f91c-4869-a61b-eef9e4c55a08","timestamp":"1590631745","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"186.42.226.46","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"87","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"dbbc4bfe-b2c5-441a-8969-b29f6bf17d5c","timestamp":"1590631746","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"188.68.210.159","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"88","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"21a63af4-8776-4e83-b023-95a9cad68824","timestamp":"1590631746","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"200.35.56.81","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: 
Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"89","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"3aa96a3f-7126-481d-97ab-7a3c826254cf","timestamp":"1590631746","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"36.89.243.241","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"90","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"816133ae-aebd-4d36-88ae-3946c271cd41","timestamp":"1590631747","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"5.1.81.68","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"91","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":true,"uuid":"571b435a-2b39-4160-9e90-6695030b178e","timestamp":"1590631747","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"5.188.41.101","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"92","event_id":"3","object_id":"0","object_relation":null,"category":"Network 
activity","type":"ip-dst","to_ids":true,"uuid":"8f10d861-3ff4-4149-bf85-f14480c9a01d","timestamp":"1590631748","distribution":"5","sharing_group_id":"0","comment":"trickbot","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"85.204.116.216","Event":{"org_id":"1","distribution":"1","id":"3","info":"iSIGHT: Indicator Report: TrickBot Activity Report (May 26, 2020)","orgc_id":"1","uuid":"9b471501-d119-448d-8e66-ee69505f26db"}},{"id":"93","event_id":"3","object_id":"0","object_relation":null,"category":"Network activity","type":"url","to_ids":true,"uuid":"
Hi, what JSON request do you use to get this response? If you use the same JSON request with mispgetioc, what do you get? Normally the same JSON request passed to the MISP API should return the same response.
Looks like it is working now. I didn't do anything but noticed I was getting FireEye feeds. I did notice there was an upgrade to the app recently. Not sure if it was fixed there.
From: Rémi Séguy notifications@github.com Sent: Tuesday, June 9, 2020 8:57 AM To: remg427/misp42splunk misp42splunk@noreply.github.com Cc: Molina, Douglas Douglas.Molina@va.gov; Author author@noreply.github.com Subject: [EXTERNAL] Re: [remg427/misp42splunk] 3rd party feeds not being pulled when running mispgetioc (#153)
When I am running this search from Splunk, I am unable to pull events that are generated from a 3rd party custom feed. The feed is pulled by running a python3 script and not via the GUI on MISP. Do you have any ideas why this is not working? I am not sure if I got the options correctly selected in the SPL query below.
```spl
| mispgetioc misp_instance=default_misp pipesplit=true add_description=true category="External analysis,Financial fraud,Internal reference,Network activity,Other,Payload delivery,Payload installation,Payload type,Persistence mechanism,Person,Social network,Support Tool,Targeting data" last=90d to_ids=true geteventtag=true warning_list=true not_tags="osint:source-type=\"block-or-filter-list\""
| eval ip=coalesce(misp_ip_dst, misp_ip_src, misp_ip)
| eval domain=misp_domain
| eval src_user=coalesce(misp_email_src, misp_email_src_display_name)
| eval subject=misp_email_subject
| eval file_name=misp_filename
| eval file_hash=coalesce(misp_sha1, misp_sha256, misp_sha512, misp_md5, misp_ssdeep)
| eval url=coalesce(misp_url, misp_hostname)
| eval http_user_agent=misp_user_agent
| eval registry_value_name=misp_regkey
| eval registry_value_text=if(isnotnull(misp_regkey), misp_value, null)
| eval description=misp_description
| table _time, _raw, description
| sort _time desc
```
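The maintainer's suggestion above is to compare what the MISP REST API returns for a given JSON request with what mispgetioc returns for the same request. The script below is an added example, not code from misp42splunk or from MISP: it builds a restSearch body from the arguments used in the SPL query and then classifies, offline, each attribute of a restSearch response as kept or dropped by the `to_ids`, `category` and `last` filters, so a feed's attributes that never show up in Splunk can be traced to the filter that excludes them. The mapping from SPL arguments to the MISP field names (`returnFormat`, `last`, `to_ids`, `category`, `enforceWarninglist`, `includeEventTags`, `tags` with `!` negation) is an assumption about the documented restSearch API, not the app's own implementation; `warning_list` and `not_tags` cannot be evaluated offline and are only carried into the request body. The sample payload is constructed, with the same field layout as the response pasted in this thread.

```python
"""Offline check of a MISP /attributes/restSearch response against the
filters used by the mispgetioc search in this issue.  Added example; not
code from misp42splunk or MISP."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Category list copied from the category="..." argument of the SPL query.
CATEGORIES = {
    "External analysis", "Financial fraud", "Internal reference",
    "Network activity", "Other", "Payload delivery", "Payload installation",
    "Payload type", "Persistence mechanism", "Person", "Social network",
    "Support Tool", "Targeting data",
}


def build_restsearch_body(categories, last="90d", to_ids=True, not_tags=()):
    """Body for POST /attributes/restSearch.  ASSUMPTION: this is how the SPL
    arguments map onto MISP's documented restSearch fields; it is not taken
    from misp42splunk's implementation."""
    body = {
        "returnFormat": "json",
        "last": last,                  # last=90d
        "to_ids": to_ids,              # to_ids=true
        "category": sorted(categories),
        "enforceWarninglist": True,    # warning_list=true
        "includeEventTags": True,      # geteventtag=true
    }
    if not_tags:
        body["tags"] = ["!" + t for t in not_tags]  # '!' negates a tag in MISP
    return body


def parse_last(last):
    """'90d', '12h', '30m' -> timedelta, the relative window MISP's 'last' takes."""
    units = {"d": "days", "h": "hours", "m": "minutes"}
    return timedelta(**{units[last[-1]]: int(last[:-1])})


def classify_attributes(payload, categories, last, now, to_ids=True):
    """Return {attribute id: 'kept' or the reason it would be filtered out}."""
    cutoff = now - parse_last(last)
    verdicts = {}
    for a in payload["response"]["Attribute"]:
        ts = datetime.fromtimestamp(int(a["timestamp"]), tz=timezone.utc)
        if to_ids and not a["to_ids"]:
            verdicts[a["id"]] = "dropped: to_ids is false"
        elif a["category"] not in categories:
            verdicts[a["id"]] = f"dropped: category {a['category']!r} not selected"
        elif ts < cutoff:
            verdicts[a["id"]] = f"dropped: timestamp {ts.date()} older than last={last}"
        else:
            verdicts[a["id"]] = "kept"
    return verdicts


def kept_by_type(payload, verdicts):
    """Count the kept attributes per MISP type, e.g. {'ip-dst': 1, 'url': 1}."""
    attrs = {a["id"]: a for a in payload["response"]["Attribute"]}
    return Counter(attrs[i]["type"] for i, v in verdicts.items() if v == "kept")


def _attr(aid, atype, value, ts, category="Network activity", to_ids=True):
    """Constructed attribute with the layout of the response in the thread."""
    return {"id": aid, "event_id": "3", "category": category, "type": atype,
            "to_ids": to_ids, "timestamp": str(ts), "value": value,
            "Event": {"id": "3", "info": "constructed feed event"}}


# Constructed sample response (RFC 5737 addresses, not real indicators).
SAMPLE = {"response": {"Attribute": [
    _attr("1", "ip-dst", "192.0.2.10", 1590631731),
    _attr("2", "url", "https://192.0.2.11:449", 1590631735),
    _attr("3", "ip-dst", "192.0.2.12", 1590631740, to_ids=False),
    _attr("4", "md5", "0" * 32, 1590631740, category="Antivirus detection"),
    _attr("5", "ip-dst", "192.0.2.13", 1577836800),  # 2020-01-01, outside 90d
]}}
NOW = datetime(2020, 6, 9, tzinfo=timezone.utc)  # date of the reply in the thread

if __name__ == "__main__":
    body = build_restsearch_body(
        CATEGORIES, not_tags=['osint:source-type="block-or-filter-list"'])
    print(json.dumps(body, indent=2))          # paste into json_request
    verdicts = classify_attributes(SAMPLE, CATEGORIES, "90d", NOW)
    for aid, reason in verdicts.items():
        print(aid, reason)
    print(kept_by_type(SAMPLE, verdicts))
```

Replace `SAMPLE` with the JSON returned by the REST client for the feed's event and `NOW` with the time of the search; any attribute reported as dropped will not appear in the mispgetioc output either, which narrows the problem to the feed's `to_ids` flags, categories or timestamps rather than to the app.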