remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Cannot edit/add IOCs to an existing event #211

Closed schimpy closed 1 year ago

schimpy commented 2 years ago

Hello folks.

I am facing an issue while adding IOCs to an existing event. I am using the "sendalert" command with "param.eventid" set from previous results and I receive the following error: Error in 'sendalert' command: Alert script returned error code 5.

Details:

SPL (abbreviated):

| mispgetevent misp_instance=misp_default
    [| makeresults 
    | eval time=strftime(relative_time(now(),"@w1"),"%Y-%m-%d") 
    | return date=time ] 
| search misp_orgc_name="Org XY" AND misp_tag="*key:value*" 
| fields misp_event_uuid 
| appendpipe 
    [ stats count 
    | where count=0 ] 
| eval event_uuid=if(isnull(misp_event_uuid),0,misp_event_uuid) 
| fields event_uuid 
| append 
    [ ... SPL logic here ... ]
| eventstats first(event_uuid) as event_uuid 
| where isnotnull(id) 
| fields event_uuid value type 

.... some field normalization ...

| table misp_time misp_info misp_sg_id event_uuid misp_ip_src misp_hostname misp_url misp_md5
| sendalert misp_alert_create_event 
   param.eventid="$result.event_uuid$"
   param.title="TITLE" 
   param.tags="key:pair"
   param.tlp="TLP_GREEN" 
   param.info="$result.misp_info$" 
   param.misp_instance=misp_default
   param.distribution=4 
   param.threatlevel=1 
   param.analysis=2

How the SPL should behave:

How the SPL behaves now:

I suspect param.eventid is not working properly. I also tried pasting in both the event ID and the event UUID directly (not using $result.event_uuid$), and that is not working either. I also tried the dashboard to test this; it fails with the same error code as well.

Has anyone encountered such an issue? What is the best way to update an existing event?
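For readers trying to work out what the alert action has to do with `param.eventid`, here is the same update written out in plain Python. This is an added example, not code from misp42splunk or from anyone in this thread. It assumes the Splunk field names from the SPL above (`event_uuid`, `misp_ip_src`, `misp_hostname`, `misp_url`, `misp_md5`), a field-to-attribute-type mapping chosen here, and MISP's standard REST call `POST /attributes/add/{eventId}` with an `Authorization: <api key>` header; that MISP accepts an event UUID as well as a numeric id in that path is treated as an assumption. The HTTP transport is injected so the whole thing runs offline against a constructed row.

```python
"""Add IOCs from a Splunk result row to an existing MISP event.

Added example (not misp42splunk code). Assumptions: field names from the
SPL in the issue, the FIELD_TO_MISP_TYPE mapping below, the MISP endpoint
POST /attributes/add/{eventId}, and that the path accepts an id or a UUID.
"""
import json
import re
import urllib.request
import uuid

# Splunk field -> MISP attribute type (mapping assumed for illustration)
FIELD_TO_MISP_TYPE = {
    "misp_ip_src": "ip-src",
    "misp_hostname": "hostname",
    "misp_url": "url",
    "misp_md5": "md5",
}
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def resolve_event_ref(raw):
    """Classify a param.eventid value.

    Returns ("uuid", canonical_uuid) or ("id", int) for a usable reference,
    or None when there is no existing event. The SPL in the issue
    substitutes 0 when no event matched, so "0", "" and None mean "no event".
    """
    if raw is None:
        return None
    text = str(raw).strip()
    if text in ("", "0"):
        return None
    try:
        return ("uuid", str(uuid.UUID(text)))
    except ValueError:
        pass
    if text.isdigit():
        return ("id", int(text))
    return None


def row_to_attributes(row, tags=()):
    """Turn one Splunk result row into MISP attribute payloads.

    Empty fields are skipped; a malformed md5 is rejected instead of being
    pushed into the event unchecked.
    """
    attrs = []
    for field, misp_type in FIELD_TO_MISP_TYPE.items():
        value = (row.get(field) or "").strip()
        if not value:
            continue
        if misp_type == "md5" and not MD5_RE.match(value):
            raise ValueError(f"{field}: not an md5 hash: {value!r}")
        attrs.append({
            "type": misp_type,
            "value": value,
            "to_ids": True,  # export to IDS; tune per attribute type if needed
            "Tag": [{"name": t} for t in tags],
        })
    return attrs


def add_to_event(row, event_ref, post, tags=()):
    """POST each attribute from `row` to /attributes/add/{event}.

    `post(path, payload) -> (status, body)` is injected so a fake can be used
    offline. Returns [(attribute_type, status), ...].
    """
    ref = resolve_event_ref(event_ref)
    if ref is None:
        raise ValueError(f"no existing event to update (eventid={event_ref!r})")
    _, ident = ref
    path = f"/attributes/add/{ident}"
    return [(a["type"], post(path, a)[0]) for a in row_to_attributes(row, tags)]


def make_http_post(base_url, api_key):
    """Real transport for add_to_event against a MISP instance (not run offline)."""
    def post(path, payload):
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            data=json.dumps(payload).encode(),
            headers={"Authorization": api_key, "Accept": "application/json",
                     "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    return post


if __name__ == "__main__":
    # Constructed sample row shaped like the `table` output in the SPL above;
    # the UUID is a placeholder, not a real event.
    sample_row = {
        "event_uuid": "6d7c9e7a-1111-4222-8333-444455556666",
        "misp_ip_src": "198.51.100.7", "misp_hostname": "",
        "misp_url": "http://example.invalid/payload",
        "misp_md5": "d41d8cd98f00b204e9800998ecf8427e",
    }
    sent = []

    def fake_post(path, payload):
        sent.append((path, payload))
        return 200, {"Attribute": payload}

    print(add_to_event(sample_row, sample_row["event_uuid"], fake_post, tags=("key:pair",)))
```

The useful part for this issue is `resolve_event_ref`: the SPL feeds `0` into `param.eventid` when no event matched, and anything that treats that literally as an event id will fail before any attribute is sent, so separating "no event" from "event id" from "event UUID" up front is the check to make before blaming the transport.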

remg427 commented 2 years ago

Hello, thank you for using MISP42. I will try to reproduce the error on my side. Which version do you use? Also, could you check the error messages in SPLUNK_HOME/var/log/splunk/misp_alert_create_event_modalert.log?

hkelley commented 1 year ago

I have been testing the update of an existing event using the basic /app/misp42splunk/misp_alert_create_event dashboard. It works for me.

remg427 commented 1 year ago

Hi, thank you for this feedback and for using misp42. I have just pushed a new 4.2.0. If you have time to double-check that you have no issue with it, thanks in advance.