Closed farmsec closed 3 years ago
Hi
We're trying to create an event based on a Splunk query. The alert was created on MISP, but the attribute was created as ip-dst and I need it as ip-src. Could you help me?
########Query#########

```spl
index=cdn
| dedup clientIP
| rename clientIP AS no_ip
| eval misp_time=round(_time,0)
| eval misp_info="Daily Malicious IP Requests"
| eval misp_tag="Daily Malicious IP Requests"
| table eventkey misp_time misp_info misp_tag to_ids mispcategory misp_* fo_* eo_* no_*
| sendalert misp_alert_create_event param.title="Daily Malicious IP Requests" param.misp_instance="Mymisp" param.distribution="2" param.threatlevel="2" param.analysis="1" param.tlp="TLP_AMBER"
```
Hi, thank you for using misp42. I cannot reproduce your env with the SPL above, but could you try having the field misp_ip_src contain the values you want to see as ip-src?
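The search from the first post with the suggestion above applied, as an added example (this is not code from the original posts or from misp42splunk). The only change is that the client IP is placed in a field named misp_ip_src instead of no_ip; everything else is kept from the original search, and it is assumed that misp_alert_create_event turns a misp_ip_src field into an ip-src attribute, as the reply states:

```spl
index=cdn
| dedup clientIP
| eval misp_ip_src=clientIP
| eval misp_time=round(_time,0)
| eval misp_info="Daily Malicious IP Requests"
| eval misp_tag="Daily Malicious IP Requests"
| table eventkey misp_time misp_info misp_tag to_ids mispcategory misp_* fo_* eo_* no_*
| sendalert misp_alert_create_event param.title="Daily Malicious IP Requests" param.misp_instance="Mymisp" param.distribution="2" param.threatlevel="2" param.analysis="1" param.tlp="TLP_AMBER"
```

Before wiring this into a scheduled alert, run the search once in Splunk and check that the misp_ip_src column is populated and that no other misp_ip_* field (for example a misp_ip_dst left over from an earlier version of the search) is still in the result set, since every misp_-prefixed field in the table reaches the alert action.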
Hi.
Thank you so much! It worked now!