Closed gurjie closed 2 years ago
Hello. Yes, you need to configure at least one instance and then use it with parameter misp_instance=. And the API port is the same as the GUI.
-- Sent with K-9 Mail.
Hi, thanks. That makes sense, I was able to set the misp_instance parameter for any searches to my configured MISP instance, and successfully made REST API calls to MISP from Splunk searches.
However, the dashboard is still not populated with any data as shown in the first image above. Any "MISP Custom commands" will also not allow me to select a misp instance, shown in the following capture:
I understand that the following search is used to retrieve a list of possible MISP instances for the above:
```
| rest /services/configs/conf-misp42splunk_instances
| rename eai:acl.app as app, title as misp_instance
| fields misp_instance
```
No results are pulled back, which would explain why the option to select an instance is greyed out.
My misp42splunk_instances.conf looks like the following:
```
[personal_instance]
misp_instance = personal_instance
client_use_cert = 0
misp_key = ********
misp_url = https://misp.intra.personal.com:8443
misp_use_proxy = 0
misp_verifycert = 1
```
Any further help on this would be greatly appreciated.
Many thanks
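As an added example (not misp42splunk's own code, and not from the issue author), here is how the lookup the custom commands perform can be reproduced outside Splunk: parse a misp42splunk_instances.conf-style file, resolve a stanza by the name passed as misp_instance=, fail clearly when the name (such as the default_misp mentioned later in this thread) is not present, and sanity-check the settings of the stanza that is found. The sample configuration is constructed from the stanza shown above with a placeholder key; the function and error-class names are this example's own, not the app's.

```python
"""Parse and validate misp42splunk_instances.conf-style stanzas (added example)."""
import configparser
from urllib.parse import urlsplit

# Constructed sample, modelled on the stanza shown in the thread; the key is a placeholder.
SAMPLE_CONF = """\
[personal_instance]
misp_instance = personal_instance
client_use_cert = 0
misp_key = REDACTED_API_KEY_PLACEHOLDER
misp_url = https://misp.intra.personal.com:8443
misp_use_proxy = 0
misp_verifycert = 1
"""


class MispInstanceNotFound(LookupError):
    """Raised when no stanza matches the requested misp_instance name."""


def load_instances(conf_text):
    """Return {stanza_name: {key: value}} for every stanza in the conf text."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in keys/URLs must stay literal
    cp.read_string(conf_text)
    return {name: dict(cp[name]) for name in cp.sections()}


def get_instance(instances, name):
    """Resolve the stanza selected by misp_instance=<name>, listing what exists on failure."""
    if name not in instances:
        available = ", ".join(sorted(instances)) or "none"
        raise MispInstanceNotFound(
            "no misp_instance with specified name found: %s (available: %s)" % (name, available)
        )
    return instances[name]


def check_instance(inst):
    """Return a list of human-readable findings about weak or incomplete settings."""
    findings = []
    url = urlsplit(inst.get("misp_url", ""))
    if url.scheme != "https":
        findings.append("misp_url is not https; the API key would be sent in clear text")
    if not url.netloc:
        findings.append("misp_url has no host")
    if inst.get("misp_verifycert", "1") != "1":
        findings.append("misp_verifycert=0 disables TLS certificate validation")
    if not inst.get("misp_key"):
        findings.append("misp_key is empty")
    return findings


def api_request_target(inst, endpoint="/servers/getVersion"):
    """Build (url, headers) for a MISP REST call: same host:port as the GUI, key in Authorization."""
    base = inst["misp_url"].rstrip("/")
    headers = {
        "Authorization": inst["misp_key"],
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    return base + endpoint, headers


if __name__ == "__main__":
    instances = load_instances(SAMPLE_CONF)
    inst = get_instance(instances, "personal_instance")
    print("findings:", check_instance(inst) or "none")
    print("would call:", api_request_target(inst)[0])
    try:
        get_instance(instances, "default_misp")
    except MispInstanceNotFound as exc:
        print("lookup failed as expected:", exc)
```

Running it against a copy of the real file (with the real key) shows immediately whether the stanza name Splunk will look for actually exists, and whether the stanza disables certificate checks.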
Weird. Just try `| mispgetioc misp_instance=personal_instance last=100d`
Sent with K-9 Mail.
Hi, just to note that I have every other part of the app working now. The above works fine.
Hi, thanks for the useful project. I've got an issue with initially setting up the app, installed on a search head. No MISP instance is detected, not sure if this is a duplicate of another issue, or if I'm missing something obvious in the config.
The following error is generated when viewing any report, and executing any misp related query baked into the app:
External search command 'mispgetioc' returned error code 1. Script output = "error_message=Exception at "/opt/splunk/etc/apps/misp42splunk/bin/misp_common.py", line 79 : ('[MC-PC-E03] no misp_instance with specified name found: %s ', 'default_misp') ".
NB: `default_misp` is not the misp instance name which I provided. Hostname definitely set in misp42splunk_instances.conf. I'm unsure as to which port to use for the misp instance. It's definitely reachable via curl on the search head over 8443. 8443 is the port which the web interface uses, not sure if API calls are made to another port specifically.
Thanks in advance, sorry if there's an obvious answer.
(running misp42splunk 4.0.2, MISP v2.4.148)