remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

MISP events / IOCs not coming into Splunk #198

Closed redbiker-svg closed 2 years ago

redbiker-svg commented 3 years ago

Hi,

I've installed the App in my Splunk and configured an instance in the MISP App; however, I'm not seeing any events coming into Splunk from my MISP instance.

I created a new event to test, but no success. Nor are any of my existing events syncing into Splunk logs.

Can you please advise if there's a way to check connectivity and / or other troubleshooting options?

redbiker-svg commented 3 years ago

Hi @remg427

Great work on creating this app!! Life saver

Figured out it's working when I use mispgetioc / mispgetevent....

But the dashboard MISP Overview doesn't update with any details - am I missing any further config?

Additionally, using the mispgetevent command for the last 14d (for example) doesn't bring back all the events I'd see in the MISP GUI. Why?

How can I get events that had new attributes added on them in the last X days?

Finally, sorry, too many questions, but what exactly are "mispgetioc" and "mispgetevent"? I want to add logs from my MISP instance in an index but I'm not sure if that is possible if we have to use these custom commands every time.

Edit (added after initial comment) - I cannot see any events manually created that are also set to Distribution= Organisation (MISP gui). I can however see all other events where Distribution = All

remg427 commented 3 years ago

Hello, misp42 no longer comes with defined inputs as it is mainly installed on a search head (cluster). So to get MISP events into Splunk, the most common way is to use mispgetioc (using the MISP API endpoint /attributes/restSearch), which gets attributes; then you can use them in a search, store them in a lookup table or KV store (| outputlookup), or even index them with | collect. So it is a question of scheduling a search using | mispgetioc with your parameters.

mispgetevent simply uses the endpoint /events/restSearch and returns results from the MISP event point of view (mispgetioc from the attribute point of view).

Both commands have the same limit, set by default to 1000 (as mentioned in the documentation). If you want to get all results you may either set limit=0 (unlimited) or launch several searches (using | union or | append) with limit=XXXX and page=1, page=2, page=3, etc.

For the last question, could you confirm that the user associated with the API key can see events with Distribution=Organisation? A quick test is to use your API key from Splunk.

redbiker-svg commented 3 years ago

Hello.

Thanks for the response. I'll try the lookup & collect method for indexing.

Does your response mean the MISP42Splunk "Overview Dashboard" cannot work until I index the data? It's a great view to see and confirm MISP data coming in.

I've checked the associated user is set to "Admin" that can view / manage Organisation events

redbiker-svg commented 3 years ago

@remg427 any chance you could take a look at my comment and help further?

remg427 commented 3 years ago

Hello, sorry for the late reply, quite busy at my day job. I really need to make better documentation as I am confusing too many people on that point. So misp42splunk has no inputs designed in the app. It means that the only way to get MISP events is to use | mispgetioc
(or | mispgetevent getioc=t <= but I don't use that way, only in specific cases).

So you create a scheduled search starting with

| mispgetioc misp_instance=yourmisp last=1d limit=0   (if you want to collect events published in the last day)
| your event processing here
| outputlookup <a lookup> (or one of the predefined collections in misp42)

or

| collect ...

To test | mispgetioc, go to the dedicated dashboard to see all the parameters you can use and visualise the results in a dashboard panel.

let me know if I can help further

limit is by default 1000, so better to increase it; depending on your MISP server you might need to keep it unlimited, but then you can make several calls.
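The collection approach remg427 describes in the two replies above (mispgetioc calling /attributes/restSearch, default limit 1000, and either limit=0 or page=1, page=2, page=3 to get everything), written out as an added Python example. This is not code from misp42splunk or from anyone in the thread; it only reuses the real MISP request parameters (returnFormat, last, limit, page) and the real response envelope. The HTTP layer is a callable so the demo runs offline against a constructed fake; build_requests_post() is the adapter for a real instance and assumes a base URL and API key you supply (it needs the requests package):

```python
"""Added example, not misp42splunk code: page through POST /attributes/restSearch
either with limit=0 (one unlimited call) or limit=N, page=1,2,3,... until a page
comes back short. Sample data below is constructed, not real IOCs."""
from typing import Callable, Iterator, List

Post = Callable[[str, dict], dict]   # (path, json_body) -> parsed JSON response


def build_body(last: str, limit: int, page: int) -> dict:
    """Body for /attributes/restSearch; last/limit/page are real MISP parameters."""
    return {"returnFormat": "json", "last": last, "limit": limit, "page": page}


def iter_attributes(post: Post, last: str = "1d", limit: int = 1000) -> Iterator[dict]:
    """Yield every attribute matching `last`. limit=0 asks MISP for everything in
    one response; otherwise page until a page holds fewer than `limit` rows."""
    if limit == 0:
        yield from post("/attributes/restSearch", build_body(last, 0, 1))["response"]["Attribute"]
        return
    page = 1
    while True:
        batch = post("/attributes/restSearch", build_body(last, limit, page))["response"]["Attribute"]
        yield from batch
        if len(batch) < limit:      # short page: nothing left to fetch
            return
        page += 1


def collect_all(post: Post, last: str = "1d", limit: int = 1000) -> List[dict]:
    """De-duplicate by attribute uuid (an attribute edited between two page
    fetches can shift pages and show up twice) and return the full list."""
    seen, rows = set(), []
    for attr in iter_attributes(post, last, limit):
        if attr["uuid"] not in seen:
            seen.add(attr["uuid"])
            rows.append(attr)
    return rows


def build_requests_post(base_url: str, api_key: str, verify=True) -> Post:
    """Adapter for a real instance (assumed URL/key); headers are MISP's API headers."""
    import requests  # imported lazily so the offline demo does not need it

    def post(path: str, body: dict) -> dict:
        r = requests.post(base_url.rstrip("/") + path, json=body, timeout=60, verify=verify,
                          headers={"Authorization": api_key, "Accept": "application/json",
                                   "Content-Type": "application/json"})
        r.raise_for_status()
        return r.json()
    return post


# --- constructed sample: 7 attributes across 3 events, no real data -----------
SAMPLE = [{"uuid": f"00000000-0000-4000-8000-{i:012d}", "type": "ip-dst",
           "value": f"203.0.113.{i}", "event_id": str(100 + i // 3)} for i in range(7)]


class FakeMisp:
    """Answers /attributes/restSearch from SAMPLE, honouring limit/page like MISP."""
    def __init__(self, data: List[dict]):
        self.data, self.calls = data, []

    def post(self, path: str, body: dict) -> dict:
        assert path == "/attributes/restSearch"
        self.calls.append(body)
        limit, page = body["limit"], body["page"]
        rows = self.data if limit == 0 else self.data[(page - 1) * limit: page * limit]
        return {"response": {"Attribute": rows}}


if __name__ == "__main__":
    fake = FakeMisp(SAMPLE)
    single = fake.post("/attributes/restSearch", build_body("14d", 3, 1))["response"]["Attribute"]
    print("one call with limit=3 (what a too-small limit silently does):", len(single), "of", len(SAMPLE))
    fake = FakeMisp(SAMPLE)
    print("paged, limit=3:", len(collect_all(fake.post, "14d", limit=3)), "rows in", len(fake.calls), "calls")
    print("unlimited:", len(collect_all(FakeMisp(SAMPLE).post, "14d", limit=0)), "rows")
```

The loop stops on the first short page, so when the total is an exact multiple of the limit it costs one extra empty request; that is cheaper than the alternative of trusting the first page, which is exactly how a default limit of 1000 produces the "not all events come back" symptom described in the thread.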

redbiker-svg commented 3 years ago

Hi @remg427

Thanks for the response. Tried your method and it has worked. Amazing!

But I still do not see my events or IOCs from manually created events. Tried creating a fixed event for all IOCs from one feed to update into. This doesn't work as well.

Why is the app only fetching events shared / categorised as "all communities"? Any way to fix this?

I could help you with documenting all these if you like?

redbiker-svg commented 3 years ago

Would any of the config files in /bin need changing to get events & IOCs from all orgs @remg427?

I checked those but I'm not sure if messing with them would be a good choice.

remg427 commented 3 years ago

Hi, you get the events that are visible to the user configured for the API.

To check if something is not working / to validate, you can use the MISP REST client in the GUI and then mispgetioc with the same settings. Results should match.

redbiker-svg commented 3 years ago

Hi, tried this in the REST client and the results don't match. Is there any other permission issue or something else causing it?

remg427 commented 3 years ago

Hello, if you test using the same account in the MISP REST client and mispgetioc you must have the same results. Set the log level to debug for misp42; in the log file you will have the exact JSON request to replay with the MISP REST client. Hope you will find where the issue is.
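The comparison remg427 recommends in the last two replies (replay the debug-logged JSON request in the MISP REST client, then compare with what mispgetioc delivered), as an added Python example that is not code from misp42splunk or from the thread. It diffs the two result sets by attribute uuid and groups the gap by effective distribution, so it is immediately visible whether every missing attribute sits in a "Your organisation only" event, which is what the thread suspects. The JSON shape assumed is MISP's /attributes/restSearch envelope (a nested "Event" carrying "distribution" and "orgc_id", and attribute distribution 5 meaning "inherit from event"); the list of uuids from the Splunk side is constructed here, and which field mispgetioc emits the uuid in is left to the reader to export:

```python
"""Added example, not misp42splunk code: diff REST-client output against what
mispgetioc returned for the same request, grouped by effective distribution.
Both inputs below are constructed; uuids are placeholders, not real attributes."""
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# MISP distribution levels as shown in the GUI; 5 on an attribute means "inherit event".
DISTRIBUTION = {0: "Your organisation only", 1: "This community only",
                2: "Connected communities", 3: "All communities", 4: "Sharing group"}
INHERIT_EVENT = 5


def rest_attributes(raw: str) -> List[dict]:
    """Accept the /attributes/restSearch envelope or a bare list pasted from the REST client."""
    doc = json.loads(raw)
    return doc["response"]["Attribute"] if isinstance(doc, dict) else doc


def effective_distribution(attr: dict) -> int:
    """An attribute's own distribution wins unless it is 5 (inherit from the event)."""
    own = int(attr.get("distribution", INHERIT_EVENT))
    return int(attr["Event"]["distribution"]) if own == INHERIT_EVENT else own


def missing_by_distribution(rest_rows: Iterable[dict], splunk_uuids: Iterable[str]) -> Dict[str, List[dict]]:
    """Attributes the REST client returned but Splunk never saw, keyed by distribution label,
    with event id and creator org so the pattern (same org? same event?) is visible."""
    seen = set(splunk_uuids)
    gaps = defaultdict(list)
    for a in rest_rows:
        if a["uuid"] not in seen:
            label = DISTRIBUTION.get(effective_distribution(a), "unknown")
            gaps[label].append({"uuid": a["uuid"], "event_id": a["event_id"],
                                "orgc_id": a["Event"]["orgc_id"]})
    return dict(gaps)


def only_org_only_missing(gaps: Dict[str, List[dict]]) -> bool:
    """True when the whole gap is org-only data, which is consistent with the API key's
    user belonging to a different org than the events' creator org. Anything else in the
    gap (community/all-communities attributes) needs another explanation, e.g. paging."""
    return bool(gaps) and set(gaps) == {DISTRIBUTION[0]}


# --- constructed sample: what the REST client returned for the replayed request -------
REST_JSON = json.dumps({"response": {"Attribute": [
    {"uuid": "a1", "event_id": "10", "distribution": "5", "Event": {"distribution": "3", "orgc_id": "1"}},
    {"uuid": "a2", "event_id": "11", "distribution": "5", "Event": {"distribution": "0", "orgc_id": "2"}},
    {"uuid": "a3", "event_id": "12", "distribution": "0", "Event": {"distribution": "1", "orgc_id": "2"}},
    {"uuid": "a4", "event_id": "13", "distribution": "5", "Event": {"distribution": "1", "orgc_id": "1"}},
    {"uuid": "a5", "event_id": "11", "distribution": "5", "Event": {"distribution": "0", "orgc_id": "2"}},
]}})
# constructed: the uuids | mispgetioc delivered with the same last/limit/page settings
SPLUNK_UUIDS = ["a1", "a4"]


if __name__ == "__main__":
    gaps = missing_by_distribution(rest_attributes(REST_JSON), SPLUNK_UUIDS)
    for label, rows in gaps.items():
        print(label, "->", [(r["uuid"], r["event_id"], r["orgc_id"]) for r in rows])
    print("gap fully explained by org-only visibility:", only_org_only_missing(gaps))
```

Note that a3 is missing even though its event is shared with the community: the attribute's own distribution is 0, so it inherits nothing and is just as org-bound as a2 and a5. Comparing on the Event object alone would misclassify it, which is why the effective level is computed per attribute.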