remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

sendalert creates lots of empty domain-ip objects #175

Closed ag-michael closed 3 years ago

ag-michael commented 3 years ago

Hi,

As the title says, for some reason, along with the actual indicators, lots of empty domain-ip objects are created; the table output contains no such objects. I'm using the alert action function in Splunk.

remg427 commented 3 years ago

Hi, could you provide an example of the SPL? What version of Splunk and misp42splunk do you use?

ag-michael commented 3 years ago

@remg427

Here is a sample SPL you can replicate, just change the misp_instance:

| makeresults 
| eval no_url="http://test.com"
| eval misp_url = no_url
| eval misp_domain = no_domain
| eval misp_sha256 = fo_sha256
| eval misp_from = eo_from
| eval misp_info="Test info"
| eval tags=misp_tag
| eval misp_attribute_tag="test"
| table  misp_* no_url no_domain fo_sha256 eo_from
|  sendalert misp_alert_create_event param.misp_instance=misp_instance  param.distribution=3 param.threatlevel=3 param.analysis=2 param.tlp="TLP_RED" param.pap="TLP_RED" param.title="Test"

Screenshot of what it creates in MISP: https://i.imgur.com/8aqoEL6.png MISP version string v2.4.129 (4f8140cd335ae78501e24fb39e21eb18fa3af318)

remg427 commented 3 years ago

Hello, in your search you use no_domain without values and there is no field no_ip; therefore the script is creating object domain-ip, as field no_domain is found in the result row but there is no value to set. I will improve the script not to create empty objects. Point taken. That object has no attribute url (https://www.misp-project.org/objects.html#_domain_ip). Could you check your SPL to ensure that the values you want to push to MISP are assigned to misp_, or no_, or fo_ for https://www.misp-project.org/objects.html#_file, or eo_ for https://www.misp-project.org/objects.html#_email? You can also use other field names provided you have created and filled in the lookup lookups/misp_datatypes.csv. Thank you again for using misp42 and let me know in case you need further help or improvements.

ag-michael commented 3 years ago

@remg427 I'll test and let you know if that fixes the issue, but most of my use cases don't have a fixed type of indicator: sometimes no_domain will have a value, sometimes no_url/misp_url will have a value. Thank you for the support!

remg427 commented 3 years ago

Hi, afaik there is no URL in the domain-ip object, so no_url won't be pushed. Empty attributes are not a problem per se, but you should test if you have values for no_domain and no_ip; otherwise, if you have only one value out of the 2, it is better to rename it as misp_domain or misp_ip_dst. My 2 cents.

-- Sent with K-9 Mail.
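To make the behaviour discussed in the two replies above concrete, here is an added Python example (written for this thread, not misp42splunk's own code) that splits one Splunk result row into MISP attributes and objects by field prefix. It reproduces the reported bug (a field like no_domain present but empty still yields a domain-ip object) behind a `create_empty_objects` flag, applies the fix remg427 describes (skip objects with no non-empty value), rejects relations the template does not define (no_url on domain-ip), and implements the follow-up advice of renaming a lone no_domain or no_ip to misp_domain or misp_ip_dst. The prefix table and the per-object relation sets are hypothetical reduced subsets; the real app reads them from its lookup lookups/misp_datatypes.csv and the MISP object templates, and the sample row is constructed to mirror the SPL posted above.

```python
# Added example for this thread; not code from the misp42splunk project.

# Prefix -> MISP object name (hypothetical reduced mapping; the app's real
# mapping comes from lookups/misp_datatypes.csv). misp_* fields are standalone
# attributes, except the event-level settings listed in EVENT_FIELDS.
OBJECT_PREFIXES = {
    "no_": "domain-ip",  # https://www.misp-project.org/objects.html#_domain_ip
    "fo_": "file",       # https://www.misp-project.org/objects.html#_file
    "eo_": "email",      # https://www.misp-project.org/objects.html#_email
}

# Relations each template accepts (hypothetical reduced subset). The domain-ip
# template has no "url" relation, which is why no_url is never pushed.
ALLOWED_RELATIONS = {
    "domain-ip": {"domain", "ip", "hostname", "port", "first-seen", "last-seen"},
    "file": {"filename", "md5", "sha1", "sha256", "size-in-bytes"},
    "email": {"from", "to", "subject", "reply-to", "message-id"},
}

# Fields that configure the event rather than becoming attributes.
EVENT_FIELDS = {"misp_info", "misp_attribute_tag", "tags"}


def _has_value(value):
    """Splunk passes absent fields as empty strings; treat those as no value."""
    return value is not None and str(value).strip() != ""


def row_to_misp(row, create_empty_objects=False):
    """Split one result row into (attributes, objects, dropped).

    attributes: list of (type, value) built from misp_* fields
    objects:    dict object_name -> {relation: value}
    dropped:    list of (field, reason) for fields that were not pushed
    create_empty_objects=True reproduces the old behaviour from this issue.
    """
    attributes, objects, dropped = [], {}, []
    for field, value in row.items():
        if field in EVENT_FIELDS:
            continue  # event-level settings, handled elsewhere
        if field.startswith("misp_"):
            if _has_value(value):
                attributes.append((field[len("misp_"):], value))
            else:
                dropped.append((field, "empty value"))
            continue
        for prefix, obj_name in OBJECT_PREFIXES.items():
            if not field.startswith(prefix):
                continue
            relation = field[len(prefix):]
            if relation not in ALLOWED_RELATIONS[obj_name]:
                dropped.append((field, f"{obj_name} template has no '{relation}' relation"))
            elif _has_value(value):
                objects.setdefault(obj_name, {})[relation] = value
            elif create_empty_objects:
                objects.setdefault(obj_name, {})  # bug: object with no attributes
            else:
                dropped.append((field, "empty value"))  # fix: nothing to set
            break
    return attributes, objects, dropped


def normalize_domain_ip(row):
    """Follow-up advice: only keep no_domain/no_ip as an object when both are
    filled; if exactly one is present, rename it to a plain misp_ attribute."""
    row = dict(row)
    domain, ip = row.get("no_domain"), row.get("no_ip")
    if _has_value(domain) != _has_value(ip):  # exactly one of the two present
        row.pop("no_domain", None)
        row.pop("no_ip", None)
        if _has_value(domain):
            row["misp_domain"] = domain
        else:
            row["misp_ip_dst"] = ip
    return row


# Constructed row mirroring the SPL in this issue: only no_url/misp_url are set,
# the other tabled fields exist but are empty.
SAMPLE_ROW = {
    "misp_url": "http://test.com", "misp_domain": "", "misp_sha256": "",
    "misp_from": "", "misp_info": "Test info", "tags": "",
    "misp_attribute_tag": "test", "no_url": "http://test.com",
    "no_domain": "", "fo_sha256": "", "eo_from": "",
}

if __name__ == "__main__":
    print("fixed:", row_to_misp(SAMPLE_ROW))
    print("old  :", row_to_misp(SAMPLE_ROW, create_empty_objects=True))
    print(normalize_domain_ip({"no_domain": "test.com", "no_ip": ""}))
```

With the fix, the sample row yields a single url attribute and no objects; with the old behaviour it yields three empty objects per row, which over many rows is exactly the pile of empty domain-ip objects reported.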