remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

publish_on_creation is not working as expected #181

Closed ag-michael closed 2 years ago

ag-michael commented 3 years ago

When using sendalert, setting misp_publish_on_creation is expected to create a published event; this is not happening.

Test search:

| makeresults 
| eval no_url="http://test.com"
| eval misp_url = no_url
| eval misp_domain = no_domain
| eval misp_sha256 = fo_sha256
| eval misp_from = eo_from
| eval misp_info="Test info 4"
| eval tags=misp_tag
| eval misp_attribute_tag="test"
| eval misp_publish_on_creation="True"
| eval publish_on_creation=misp_publish_on_creation
| table  misp_* no_url no_domain fo_sha256 eo_from
|  sendalert misp_alert_create_event param.misp_instance="testinstance"  param.distribution=3 param.threatlevel=3 param.analysis=2 param.tlp="TLP_RED" param.pap="TLP_RED" param.title="Test4" param.publish_on_creation="True" param.misp_publish_on_creation="True"

According to the code here, setting misp_publish_on_creation to the string "True" should set the event["published"] param to boolean True, which all makes sense. I have no idea why it isn't being published.

Thanks in advance for your help and for maintaining this project.

remg427 commented 3 years ago

Hi, thanks for using misp42. My tests were OK. Have you any constraints set on MISP to publish events (mandatory tags, etc.)? Has the user the right to publish? I will double check on my side. Remi

On 5 December 2020 00:19:33 GMT+01:00, Michael notifications@github.com wrote (quoting the issue description above):

ag-michael commented 3 years ago

@remg427 The user is an admin with publish right, no restrictions on publishing are set. The audit logs show this:

attribute_count () => (0), distribution () => (3), proposal_email_lock () => (0), locked () => (0), publish_timestamp () => (0), sighting_timestamp () => (0), disable_correlation () => (0), analysis () => (2), info () => (Test info 4), threat_level_id () => (3), date () => (2020-12-04), user_id () => (1), org_id () => (1), orgc_id () => (1), uuid () => (<redacted uuid>) 

I'm wondering if a separate call to publish() is needed.
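As an added example (not part of this thread or of misp42splunk), a small parser for the audit-log change string quoted above, so the published state can be confirmed from the log alone rather than by eye. It assumes the `field (old) => (new)` layout shown in the quoted line; the sample string is constructed from that line, with the uuid left redacted. In the quoted data there is no `published` field and `publish_timestamp` is 0, which is exactly what an unpublished event looks like.

```python
import re
from typing import Dict, Tuple

# Constructed sample, modelled on the audit-log line quoted in the issue (uuid redacted there too).
SAMPLE_AUDIT_CHANGE = (
    "attribute_count () => (0), distribution () => (3), proposal_email_lock () => (0), "
    "locked () => (0), publish_timestamp () => (0), sighting_timestamp () => (0), "
    "disable_correlation () => (0), analysis () => (2), info () => (Test info 4), "
    "threat_level_id () => (3), date () => (2020-12-04), user_id () => (1), org_id () => (1), "
    "orgc_id () => (1), uuid () => (<redacted uuid>)"
)

# One "name (old) => (new)" pair, terminated by ", " or by the end of the string.
# Assumption of this example: values do not themselves contain ")" followed by ", ".
_FIELD_RE = re.compile(r"(\w+) \((.*?)\) => \((.*?)\)(?:, |$)")


def parse_audit_change(change: str) -> Dict[str, Tuple[str, str]]:
    """Turn the change string into {field_name: (old_value, new_value)}."""
    return {m.group(1): (m.group(2), m.group(3)) for m in _FIELD_RE.finditer(change)}


def event_published_in_change(change: str) -> bool:
    """True if the change record shows the event ending up published.

    An event creation that honoured publish_on_creation would carry published => (1)
    and/or a non-zero publish_timestamp; the quoted line has neither.
    """
    fields = parse_audit_change(change)
    published_new = fields.get("published", ("", "0"))[1]
    publish_ts_new = fields.get("publish_timestamp", ("", "0"))[1]
    return published_new == "1" or publish_ts_new not in ("", "0")


if __name__ == "__main__":
    parsed = parse_audit_change(SAMPLE_AUDIT_CHANGE)
    for name, (old, new) in parsed.items():
        print(f"{name}: {old!r} -> {new!r}")
    print("published:", event_published_in_change(SAMPLE_AUDIT_CHANGE))
```

Running it over the quoted line reports `published: False`, which matches the symptom in the issue and rules out a display problem in the MISP UI.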

ag-michael commented 3 years ago

@remg427 Have you been able to reproduce the problem?

remg427 commented 3 years ago

Hello, I couldn't work on it yet; it is planned for this week.

remg427 commented 3 years ago

Hello, I tested from the dashboard of 4.0.0 and it works: the event is published at creation.

On 13 December 2020 00:21:09 GMT+01:00, Michael notifications@github.com wrote (quoting the comment above):

remg427 commented 3 years ago

You should set logging to debug so you will see the exact payload in the logs, and then you can use the MISP REST API client to test directly on MISP.

ag-michael commented 3 years ago

@remg427 I've moved on from this by writing a scheduled script that auto-publishes everything; I had issues with this: https://github.com/MISP/MISP/issues/6748

I don't know if it is a MISP version issue, but one of the problems I ran into is how 'published' worked with 0/1 but not with True/False.

remg427 commented 3 years ago

Hi, could you set the log level to debug and check what is passed to MISP and what return you get from MISP? Then, using the MISP REST client with the very same payload, check if events are created.

I will double check the accepted strings for True.

ag-michael commented 3 years ago

@remg427 I will try to get this, but the problem I have is that I'm not the Splunk admin. Due to holidays I'm not able to get someone with access to the debug log in Splunk to assist me unless it is urgent.

remg427 commented 3 years ago

Are you allowed to configure this app? If yes, then setting the log level to DEBUG allows you to see logs in the internal index. This should be displayed on the dashboard where you can test the alert action. These are almost default settings and you might have access to it with the power role.

ag-michael commented 3 years ago

@remg427 ,

The app is set to debug. I ran the example search I used to create this issue, and below is the debug output for the Splunk process that ran:

2021-02-03 02:30:11,040 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="event created" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc" action_status="success"
2021-02-03 02:30:10,364 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="create body has been prepared for eventkey oneEvent" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc" action_status="success"
2021-02-03 02:30:10,363 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="Events dict is ready to use" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc" action_status="success"
2021-02-03 02:30:10,362 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="eventid is 0" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc" action_status="success"
2021-02-03 02:30:10,362 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="eventkey is oneEvent" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc" action_status="success"
2021-02-03 02:30:10,362 DEBUG pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="Reader is <csv.DictReader instance at 0x7ff48a599638>" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc"
2021-02-03 02:30:10,362 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="config dict is ready to use" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc" action_status="success"
2021-02-03 02:30:10,361 DEBUG pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="config_args['pap'] TLP:RED" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc"
2021-02-03 02:30:10,361 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="config_args['client_cert_full_path']         None" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc" action_status="success"
2021-02-03 02:30:10,361 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="config_args['misp_verifycert']         False" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc" action_status="success"
2021-02-03 02:30:10,361 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="config_args['misp_url']         https://misp.domain" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc" action_status="success"
2021-02-03 02:30:10,361 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="config_args['misp_url'] https://misp.domain" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc" action_status="success"
2021-02-03 02:30:10,360 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="misp_key found for instance                 misp_instance" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc" action_status="success"
2021-02-03 02:30:10,335 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="{"misp_key": "****", "disabled": "0", "misp_url": "https://misp.domain", "misp_use_proxy": "0", "client_use_cert": "0", "misp_verifycert": "0"}" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc" action_status="success"
2021-02-03 02:30:10,334 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="stanza_name=misp://misp_instance" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc" action_status="success"
2021-02-03 02:30:10,334 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="Alert action misp_alert_create_event started." action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc" action_status="success"
2021-02-03 02:30:00,299 INFO pid=34829 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="Invoking modular action" action_name="misp_alert_create_event" sid="sidnum.2487943" rid="0" app="app" user="user" action_mode="adhoc"

I don't see much that would be useful here, but let me know. It isn't showing the JSON request to MISP (I even looked at the processes' logs as well).

I am on MISP42 3.1.12; I am unable to upgrade to 4.x due to Python incompatibility with my Splunk version.

remg427 commented 3 years ago

Hello, MISP42 works on my side with Splunk 7.2.10.1 if you don't check the certificate (the requests library on the server misses one library and the lib shipped with misp42splunk under aob_py2 is not taken into account). This will be fixed in the forthcoming 4.0.1. If you can disable this check, it might be fine to check 4.0.0 for creating and publishing.

ag-michael commented 3 years ago

@remg427, when the upgrade to 4.0.0 was tested on Splunk 7.3.0, the configuration page did not load. Additionally, the app is not "Splunk AppInspect Passed" for 7.3 or any 7.x (https://splunkbase.splunk.com/app/4335/), which prevents us from implementing it in production.

If 4.0.1 can address these concerns I think that would solve this and many other roadblocks.

remg427 commented 3 years ago

4.0.1 published - values set to 0 for No and 1 for Yes to avoid case issues.
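The thread turns on how a Splunk alert param that arrives as a string ("True", "true", "1") is turned into the JSON boolean MISP expects for `published`, and 4.0.1 resolved it by standardising on 0/1. The block below is an added example (not misp42splunk's own code) contrasting a case-sensitive check with a tolerant one, building an event body in the shape of MISP's Event object, and keeping the network call separate so the payload can be inspected first, as suggested earlier in the thread. The accepted spellings, the `sendalert`-style param names, and the sample attribute are assumptions of this example; the endpoint is MISP's standard `POST /events/add`.

```python
import json
from typing import Any, Dict, List

# Accepted spellings are an assumption of this example; misp42splunk 4.0.1 sidestepped
# the question entirely by standardising on "1" (Yes) and "0" (No).
_TRUE_STRINGS = {"1", "true", "yes", "y", "on"}
_FALSE_STRINGS = {"0", "false", "no", "n", "off", ""}


def naive_flag(value: Any) -> bool:
    """Fragile check: only the exact string 'True' publishes; 'true', 'TRUE' and '1' do not."""
    return value == "True"


def parse_flag(value: Any) -> bool:
    """Case-insensitive, whitespace-tolerant string-to-bool conversion.

    Raises on anything unrecognised instead of silently treating it as False, so a typo
    in an alert param surfaces as an error rather than as an unpublished event.
    """
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in _TRUE_STRINGS:
        return True
    if text in _FALSE_STRINGS:
        return False
    raise ValueError(f"unrecognised boolean flag: {value!r}")


def build_event_payload(params: Dict[str, str], attributes: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Build the request body for event creation.

    Field names follow MISP's Event object (info, distribution, threat_level_id, analysis,
    published, Attribute). 'published' is emitted as a real JSON boolean, which is what
    the issue expected the string "True" to become.
    """
    return {
        "Event": {
            "info": params["title"],
            "distribution": int(params.get("distribution", 0)),
            "threat_level_id": int(params.get("threatlevel", 4)),
            "analysis": int(params.get("analysis", 0)),
            "published": parse_flag(params.get("publish_on_creation", "0")),
            "Attribute": attributes,
        }
    }


def serialize_payload(payload: Dict[str, Any]) -> str:
    """The exact bytes that would go on the wire; log this at debug level before sending."""
    return json.dumps(payload, sort_keys=True)


def post_event(misp_url: str, api_key: str, payload: Dict[str, Any], verify_cert: bool = True) -> Dict[str, Any]:
    """POST the payload to <misp_url>/events/add with MISP's Authorization header.

    Kept apart from payload construction so the body can be reviewed first. Needs the
    'requests' package; it is imported here so the rest of the example runs without it.
    """
    import requests

    response = requests.post(
        f"{misp_url.rstrip('/')}/events/add",
        headers={"Authorization": api_key, "Accept": "application/json", "Content-Type": "application/json"},
        json=payload,
        verify=verify_cert,
        timeout=30,
    )
    response.raise_for_status()
    return response.json()


# Constructed sample mirroring the test search in the issue: the sendalert params and one attribute.
SAMPLE_PARAMS = {"title": "Test4", "distribution": "3", "threatlevel": "3", "analysis": "2", "publish_on_creation": "True"}
SAMPLE_ATTRIBUTES = [{"type": "url", "value": "http://test.com", "Tag": [{"name": "test"}]}]

if __name__ == "__main__":
    body = build_event_payload(SAMPLE_PARAMS, SAMPLE_ATTRIBUTES)
    print(serialize_payload(body))
    for spelling in ("True", "true", "TRUE", "1", "yes"):
        print(f"{spelling!r}: naive={naive_flag(spelling)} robust={parse_flag(spelling)}")
```

Printing `serialize_payload(body)` before calling `post_event` gives the same payload the debug log is meant to show, so it can be replayed through the MISP REST client by hand, as recommended above, to separate a misp42splunk problem from a MISP-side one (publish permissions, mandatory tags).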

ag-michael commented 3 years ago

Thank you @remg427 , greatly appreciate your work on this. Please give me a week or so to test this and I'll close out the issue.

ag-michael commented 3 years ago

@remg427 Unfortunately upgrading from 3.x to 4.0.1 results in the configuration page looping:

[screenshot of the looping configuration page; not reproduced]

Are you able to duplicate this, and do you recommend anything to resolve this?

EDIT: Installing it from scratch does the same thing.

ag-michael commented 3 years ago

@remg427 I've opened https://github.com/remg427/misp42splunk/issues/192 to avoid cluttering this issue. Once that is resolved, I'm hoping this can be too (after testing).