remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Inputs.conf is not created in MISP #195

Closed aldoarreolaAZ closed 2 years ago

aldoarreolaAZ commented 3 years ago

Once I execute a search for MISP, I received the below error:

External search command 'mispgetioc' returned error code 1. Script output = "error_message=HTTPError at "/opt/splunk/etc/apps/misp42splunk/lib/splunklib/binding.py"

Inputs.conf is not created automatically; what should I include in this inputs.conf?

aldoarreolaAZ commented 3 years ago

Hello Remi

The problem that I have is that I don't have any events from MISP in Splunk.


Below is the search syntax that we are using:

| mispgetioc misp_instance=default_misp pipesplit=true add_description=true category="External analysis,Financial fraud,Internal reference,Network activity,Other,Payload delivery,Payload installation,Payload type,Persistence mechanism,Person,Social network,Support Tool,Targeting data" last=90d to_ids=true geteventtag=true warning_list=true not_tags="osint:source-type=\"block-or-filter-list\"" | eval ip=coalesce(misp_ip_dst, misp_ip_src, misp_ip) | eval domain=misp_domain | eval src_user=coalesce(misp_email_src, misp_email_src_display_name) | eval subject=misp_email_subject | eval file_name=misp_filename | eval file_hash=coalesce(misp_sha1, misp_sha256, misp_sha512, misp_md5, misp_ssdeep) | eval url=coalesce(misp_url,misp_hostname) | eval http_user_agent=misp_user_agent | eval registry_value_name=misp_regkey | eval registry_value_text=if(isnotnull(misp_regkey),misp_value,null) | eval description = misp_description | table domain,description,file_hash,file_name,http_user_agent,ip,registry_value_name,registry_value_text,src_user,subject,url,weight

Thank you and Best Regards, Aldo Arreola “Think like a proton and stay positive”

remg427 commented 3 years ago

Hi. Have you defined the instance default_misp? If you use another custom command like mispcollect, do you get any result? Could you test with a specific event ID to validate the connection? I like your signature 😃 -- Sent with K-9 Mail.

aldoarreolaAZ commented 3 years ago

Hello Remi,

We are stuck on the connection between MISP and Splunk. I feel that there is an issue in this connectivity; I'm not using another custom command to get more results.

Do you think it is possible to have a remote session so I can show you my configuration and you can help with this issue?

Thank you and Best Regards, Aldo Arreola “Think like a proton and stay positive”

aldoarreolaAZ commented 3 years ago

Hello Remi

We did additional tests by running different commands and this is the result

Command:

| mispgetevent misp_instance=MISP json_request=json eventid=1795 last=120d published=true

Error Messages:

Error 1: External search command 'mispgetevent' returned error code 1. Script output = "error_message=Exception at "/opt/splunk/etc/apps/misp42splunk/bin/mispgetevent.py", line 426 : Missing "json_request", "eventid", "last" or "date" argument ".

Error 2: External search command 'mispgetevent' returned error code 1. Script output = "error_message=Exception at "/opt/splunk/etc/apps/misp42splunk/bin/mispgetevent.py", line 431 : Options "json_request", "eventid", "last" and "date" are mutually exclusive ".

Any help here?

Thank you and Best Regards, Aldo Arreola “Think like a proton and stay positive”

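The two errors quoted above come from one argument check: mispgetevent expects exactly one event selector, and the command shown passes three (json_request, eventid and last). The block below is an added example, not misp42splunk's own code (the real check lives in bin/mispgetevent.py and is not reproduced here); it rebuilds that "exactly one selector" rule in plain Python so a search can be validated before it is handed to Splunk. The parser, the function names and the sample command lines are assumptions.

```python
"""Added example (not misp42splunk's code): validate the event selector
options of a mispgetevent-style command line before running it."""
from typing import Dict, Optional

# The four options that select which event(s) to fetch; the error messages
# quoted in the thread say exactly one of them must be present.
SELECTOR_OPTIONS = ("json_request", "eventid", "last", "date")

MISSING_MSG = 'Missing "json_request", "eventid", "last" or "date" argument'
EXCLUSIVE_MSG = ('Options "json_request", "eventid", "last" and "date" '
                 'are mutually exclusive')


def parse_spl_args(command_line: str) -> Dict[str, str]:
    """Parse the key=value tokens of a simple SPL custom-command invocation.

    Assumes values contain no whitespace, which holds for every command
    shown in this thread. The leading pipe and the command name are skipped.
    """
    tokens = command_line.strip().lstrip("|").split()
    if not tokens:
        raise ValueError("empty command line")
    args: Dict[str, str] = {}
    for tok in tokens[1:]:  # tokens[0] is the command name
        if "=" not in tok:
            raise ValueError(f"unexpected token (expected key=value): {tok}")
        key, value = tok.split("=", 1)
        args[key] = value
    return args


def check_event_selector(args: Dict[str, str]) -> str:
    """Return the single selector option present, or raise ValueError with
    the same wording the thread quotes."""
    present = [opt for opt in SELECTOR_OPTIONS if opt in args]
    if not present:
        raise ValueError(MISSING_MSG)
    if len(present) > 1:
        raise ValueError(EXCLUSIVE_MSG)
    return present[0]


def selector_error(command_line: str) -> Optional[str]:
    """Convenience wrapper: None when the command is well formed, otherwise
    the error message a user would see."""
    try:
        check_event_selector(parse_spl_args(command_line))
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample lines: the failing one from the thread and a
    # corrected one that keeps only eventid.
    for line in (
        "| mispgetevent misp_instance=MISP json_request=json eventid=1795 "
        "last=120d published=true",
        "| mispgetevent misp_instance=MISP eventid=1795 published=true",
        "| mispgetevent misp_instance=MISP published=true",
    ):
        print(f"{line!r}: {selector_error(line) or 'OK'}")
```

Running the block prints the mutually-exclusive message for the first line, OK for the second (eventid only) and the missing-argument message for the third, which is the quickest way to see why a command fails before touching the Splunk side.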

remg427 commented 3 years ago

Hi. Simply connect to your MISP server, the one you have configured with the instance name MISP. Pick one event id and run one of the following commands:

| mispgetioc misp_instance=MISP eventid=

This should return all attributes in the event. Let me know how it works. -- Sent with K-9 Mail.

aldoarreolaAZ commented 3 years ago

Hello Remy

I was able to connect to MISP and see the events in MISP.


But I can't see any event created on MISP, even if I create them manually and publish them.


Thank you and Best Regards, Aldo Arreola “Think like a proton and stay positive”


aldoarreolaAZ commented 3 years ago

Hello Remy,

Trusting you are OK; wondering if you could help us validate why we can't validate published events from MISP to Splunk.

Thank you and Best Regards, Aldo Arreola “Think like a proton and stay positive”


remg427 commented 3 years ago

Hello, sorry for the late reply. Do you still face issues?

aldoarreolaAZ commented 3 years ago

Now it is solved, Remy.

Thank you so much!

Thank you and Best Regards, Aldo Arreola “Think like a proton and stay positive”
