remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Data received from Misp42 #197

Closed korsasub closed 1 year ago

korsasub commented 3 years ago

Hi,

We have installed MISP on our Splunk instance and we have connected with MISP. We need to get the last hour's events and attributes created on MISP. However, the plugin retrieves all the events and attributes stored in MISP since the beginning of its usage (we would need just the data from the last hour).

We do the following search:

| mispgetioc misp_instance=default last=1h | convert ctime(misp_timestamp) as date

Misp version: 2.4.128 Misp42 Splunk version: 4.0.2 Splunk version: 8.1

Thank you for your support.

remg427 commented 3 years ago

Hello, thank you for using misp42. last= takes only events published in the last period (alias of published_timestamp). To verify the search you may use the MISP REST client (GUI) to search for attributes using last=1h: endpoint /attributes/restSearch, HTTP body { "returnFormat": "json", "last": "1h" }

This is what mispgetioc does in the backend. Let me know if you observe different behaviour.

anierudh commented 3 years ago

Hi, we have installed MISP and connected it with Splunk. We need to get the last 12 hours of events and attributes created on MISP. However, the plugin retrieves all the events and attributes stored in MISP since the beginning of its usage (we would need just the data from the last 12 hours). We are able to see the latest ones when we set the limit to 100000 and sort on the _time field. The SPL query is | mispgetioc misp_instance=default last=12h limit=100000. After seeing the latest events, if we try to put that date in the query we are not getting the results.

Splunk version 7.1.3, misp splunk version 3.4 (not sure of the version)

remg427 commented 3 years ago

Hi, could you check the version of misp42? It should be 4.0.2. last=12h is equivalent to publish_timestamp, so I don't understand why you get all events. limit=0 is unlimited. You could use date=2021-07-20 to get attributes of events with event timestamps older than that date.

Another way to proceed is to use the MISP REST client GUI, build the request you want and use the same JSON body with the param json_request.

Once you retrieve events you need to save them into an index with collect, running eval _time=misp_timestamp before it.

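As an added illustration of the last= semantics remg427 describes above (this is not code from misp42splunk or from this thread), the following Python builds the /attributes/restSearch body that mispgetioc sends and emulates the server-side publish_timestamp filter on constructed sample attributes; the sample data, the helper names and the row shape used for collect are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from a real MISP instance). "timestamp" is the
# attribute's own modification time; "publish_timestamp" is when the parent
# event was last published, which is what MISP applies last= against.
NOW = datetime(2021, 7, 21, 12, 0, tzinfo=timezone.utc)


def _ago(**kw):
    return int((NOW - timedelta(**kw)).timestamp())


SAMPLE_ATTRIBUTES = [
    # old attribute, but its event was (re)published 20 minutes ago -> in last=1h
    {"event_id": "1", "value": "198.51.100.7", "timestamp": _ago(days=30), "publish_timestamp": _ago(minutes=20)},
    # event published 5 days ago -> in last=7d only
    {"event_id": "2", "value": "example.invalid", "timestamp": _ago(days=5), "publish_timestamp": _ago(days=5)},
    # attribute edited 3 hours ago, but event 2 was not republished -> still not in last=1h
    {"event_id": "2", "value": "203.0.113.9", "timestamp": _ago(hours=3), "publish_timestamp": _ago(days=5)},
]

_UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}


def last_to_seconds(last):
    """Parse a MISP-style relative period such as '1h', '12h' or '2d'."""
    m = re.fullmatch(r"(\d+)([mhd])", last)
    if not m:
        raise ValueError(f"unsupported period: {last!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def restsearch_body(last=None, date=None, limit=0):
    """Body for POST /attributes/restSearch as in the thread; limit=0 means unlimited."""
    extra = {"last": last, "date": date, "limit": limit or None}
    return {"returnFormat": "json", **{k: v for k, v in extra.items() if v}}


def filter_by_last(attributes, last, now=NOW):
    """Emulate the server-side last= filter: keep attributes whose parent event
    was published within the period (publish_timestamp, not attribute timestamp)."""
    cutoff = int(now.timestamp()) - last_to_seconds(last)
    return [a for a in attributes if a["publish_timestamp"] >= cutoff]


def to_splunk_rows(attributes):
    """Rows shaped for `| eval _time=misp_timestamp | collect index=...` (assumed field names)."""
    return [{"_time": a["timestamp"], "misp_timestamp": a["timestamp"],
             "misp_event_id": a["event_id"], "misp_value": a["value"]} for a in attributes]
```

The third sample attribute shows the point of the thread: an attribute edited recently is still excluded by last=1h until its event is republished, so a query that appears to return "everything" or "nothing" usually reflects publish times, not creation times.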