remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Cannot upload MISP sighting #203

Closed schimpy closed 2 years ago

schimpy commented 2 years ago

Hello folks,

I am trying to set up an SPL that will upload a sighting of a certain attribute in an event.

I would like it to be in the form of a macro: update_sighting($misp_instance, $misp_event, $misp_attribute, $sighting_type)

So if I call something like | update_sighting(misp_default,"MISP event", domain.xyz, 1) I would like to add an FP sighting for domain.xyz in "MISP event".

So far I have fetched the attribute and parsed out the attribute UUID via regex:

| mispgetioc misp_instance=misp_dev geteventtag=t add_description=true [| makeresults | eval request="{\"value\": \""."ftp.physemance.com"."\", \"eventinfo\": \""."Member Submission: malspam activity potentially associated with Agent Tesla. Reported on 19 October 2021. (Alert ID: 493f18c2)"."\"}" | eval json_request=replace(request,"\"","\\\"") | return json_request] | rex field=misp_description "attribute\s(?<misp_attribute_uuid>[-a-z0-9]{36})\s"

but I am unable to execute it on the MISP side. Simply calling the command mentioned in the docs or found here is not working:

| makeresults | eval misp_domain="domain.xyz" | sendalert misp_alert_sighting param.misp_instance=idefualt_misp param.title="TEST" param.mode=byuuid param.type=1 param.unique=$misp_attribute_uuid$

Do I have the correct syntax? How should the makeresults SPL look, and what are the possible values for the eval command?

Thank you very much for your answer.

remg427 commented 2 years ago

Hi, thank you for using misp42.

If you use version 4.0.2, there is a dashboard that demos how to use sendalert for sightings.

| makeresults | eval misp_domain="domain.xyz" is just to have some data to process for sendalert, but you will replace it with your search on proxy logs, for example.

And then: | sendalert misp_alert_sighting param.misp_instance=lab param.title="test" param.mode="byvalue" param.type=0

If your SPL returns values, then mode is "byvalue".

If you want to do sightings by uuid, then in your SPL on your logs you can use | mispsearch. If there is a match between log values and a MISP attribute, you'll get misp_attribute_uuid(s); you have to rename it as uuid, and this will increment the sighting only for that attribute. Byuuid is useful if you want to increment only one attribute from one event and not all attributes matching the value (byvalue). Hope it clarifies.
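
As an added example (not from the maintainer's reply or the misp42splunk project), the "byuuid" flow described above, written out end to end for the proxy-log case the question and the reply both mention: the log search replaces the makeresults stub, mispsearch enriches each destination with the matching MISP attribute uuid(s), the uuid field is renamed as the reply requires, and sendalert records one sighting per matched attribute. The index name proxy, the sourcetype proxy_logs, the field dest_host and the alert title are assumptions for illustration; misp_dev, misp_alert_sighting, param.mode, param.type and the misp_attribute_uuid field are the names used on this page. param.type=0 is the plain sighting used in the reply above; the first post's false-positive case would pass param.type=1 instead.

```spl
index=proxy sourcetype=proxy_logs earliest=-24h
| stats count AS hits BY dest_host
| rename dest_host AS misp_domain
| mispsearch field=misp_domain misp_instance=misp_dev
| where isnotnull(misp_attribute_uuid)
| fields misp_domain hits misp_attribute_uuid
| rename misp_attribute_uuid AS uuid
| mvexpand uuid
| sendalert misp_alert_sighting param.misp_instance=misp_dev param.title="Proxy hits on MISP domains (last 24h)" param.mode="byuuid" param.type=0
```

Two points a practitioner would want to check before scheduling this: the where clause drops rows that mispsearch did not match, so sendalert never receives an empty uuid; and mvexpand splits a multi-valued uuid (the reply says "uuid(s)", which happens when the same value exists as an attribute in several events) into one row per attribute, so each sighting lands on exactly one attribute rather than on a concatenated value. Run the pipeline without the final sendalert first and inspect the uuid column, then add the sendalert line once the rows look right.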

schimpy commented 2 years ago

Could you please show me a sample SPL of how the sighting by a single uuid is incremented? I am still confused about how to do that.

When I try to update it "by value", the following search is generated by the dashboard:

| makeresults | eval misp_domain="simplybook.me"
| eval switch="True"
| where switch=="True"
| fields - switch
| sendalert misp_alert_sighting misp_alert_sighting param.misp_instance=misp_test param.title="TEST" param.mode=byvalue param.type=1 param.description="TEST"  

but unfortunately it runs with an error:

Error in 'sendalert' command: Alert script returned error code 5.

When running it "byuuid" as follows:

| makeresults 
| eval misp_domain="simplybook.me"
| mispsearch field=misp_domain misp_instance=misp_dev
| fields misp_attribute_uuid
| rename misp_attribute_uuid as uuid
| sendalert misp_alert_sighting misp_alert_sighting param.misp_instance=misp_test param.title="TEST" param.mode="byuuid" param.type=1

I am running into the same error.

Is there anything I am doing wrong?

Should the sendalert command have misp_alert_sighting twice?

What are the necessary fields that need to be passed to the sendalert command?

Thank you in advance.