Closed helloworldnono closed 2 years ago
Hi. This is achievable. If you have the latest version of MISP42 you can use the dashboard to build the alert. With your example you just need to add another field, `| eval unique=misp_info`, and in sendalert use `param.unique=unique`.
So rows with the same misp_info will be in the same event. Let me know if it works. -- Sent with K-9 Mail.
I am trying to create multiple events but am only able to create a single event in MISP with an object & attribute. It looks like I am missing something. Here is the sample command I have created:
```spl
| makeresults count=3
| streamstats count
| eval malware_family = case(count=1 OR count=3, "virlock", count=2 OR count=4, "makop")
| strcat allrequired=f "My-Daily " malware_family " Activity Report " _time title
| eval misp_info = title
| eval tag_1 = "tlp:amber"
| eval tag_3 = "confidence:high"
| eval tag_4 = "attack-pattern:malspam"
| eval tag_2 = "my-Collection"
| eval misp_tag_known = tag_1 + "," + tag_2 + "," + tag_3 + "," + tag_4
| eval tag_5 = "confidence:low"
| eval misp_tag_unknown = tag_1 + "," + tag_2 + "," + tag_5 + "," + tag_4
| eval misp_tag = if(malware_family=="no_match_found" OR malware_family=="unknown", misp_tag_unknown, misp_tag_known)
| eval eo_from = "sender@sender.com"
| eval eo_to = "recipient@recipient.com"
| eval eo_attachment = "file_name"
| eval eo_subject = "subject"
| fields - malware_family misp_tag_known misp_tag_unknown tag_1 tag_2 tag_3 tag_4 tag_5 count title
| sendalert misp_alert_create_event param.misp_instance=MISP param.title="not_sure" param.description="my_first_test" param.distribution=1 param.threatlevel=3 param.analysis=0 param.tlp=TLP_AMBER param.pap=PAP_AMBER param.publish_on_creation=0
```
When I run this command, a single MISP event gets generated along with the attribute and object. I want to create two events based on the MISP info, with the respective attributes and objects written into each event.
Not sure whether that's achievable or not.
Thanks in advance