Closed burakatabay closed 2 years ago
Hi, thank you for using misp42. In param, simply mention which field contains the unique value: param.unique=myuniquefield
The script will process it to create 2 events.
When using Splunk token notation $result.id$, Splunk handles the replacement before calling the script, with the value of id in the first row, so the script receives a static value and therefore creates a single event.
Cheers, Rémi
On 23 February 2022 14:14:13 GMT+01:00, burakatabay @.***> wrote:
Hi, I want to create a new MISP event from Splunk, but I am not able to generate different MISP events within a single search. I tried this search:

```
| makeresults
| eval misp_ip-src = random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255,
       misp_ip-dst = random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255 . "," . random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255 . "," . random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255,
       source = "adenemee" . random()%255 . random()%255
| eval id = random()%255 . random()%255
| makemv delim="," misp_ip-dst
| mvexpand misp_ip-dst
| append [
    | makeresults
    | eval misp_ip-src = random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255,
           misp_ip-dst = random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255 . "," . random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255 . "," . random() % 255 . "." . random() % 255 . "." . random() % 255 . "." . random() % 255,
           source = "bdenemee" . random()%255 . random()%255
    | makemv delim="," misp_ip-dst
    | eval id = random()%255 . random()%255
    | mvexpand misp_ip-dst
  ]
| sendalert misp_alert_create_event param.misp_instance=misp param.title="title" param.description="description" param.distribution=0 param.threatlevel=1 param.analysis=0 param.tlp=TLP_AMBER param.pap=PAP_AMBER param.publish_on_creation=0 param.info=$result.source$ param.unique=$result.id$
```

Although there are two different unique ids here, 2 different events do not occur. Can anyone support me?
-- View it on GitHub: https://github.com/remg427/misp42splunk/issues/212
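To make the difference Rémi describes concrete, here is an added illustration (not misp42splunk's own code, and the event/attribute shape is a hypothetical simplification): Splunk substitutes a `$result.id$` token once, from the first row, before the alert script starts, whereas a bare field name is looked up by the script per row. The two sample rows are constructed.

```python
# Added illustration, not misp42splunk's own code: why param.unique=$result.id$
# yields one MISP event while param.unique=id yields one event per distinct id.
from collections import OrderedDict

# Constructed sample: two Splunk result rows, as an alert-action script would
# read them from results.csv.gz. Field names mirror the search in the issue.
RESULT_ROWS = [
    {"id": "17142", "source": "adenemee17142", "misp_ip-src": "10.1.2.3", "misp_ip-dst": "10.9.8.7"},
    {"id": "20355", "source": "bdenemee20355", "misp_ip-src": "10.4.5.6", "misp_ip-dst": "10.6.5.4"},
]

def expand_tokens(params, first_row):
    """Mimic Splunk's token substitution: $result.<field>$ is replaced ONCE,
    with the value taken from the first result row, before the script runs."""
    out = {}
    for key, value in params.items():
        if value.startswith("$result.") and value.endswith("$"):
            field = value[len("$result."):-1]
            value = first_row.get(field, "")
        out[key] = value
    return out

def group_into_events(rows, params):
    """Mimic the script's row loop (hypothetical shape): rows sharing the same
    unique key become one event; misp_<type> fields become its attributes."""
    unique = params["unique"]
    events = OrderedDict()
    for row in rows:
        # A field name is looked up per row; any other string is a static key.
        key = row.get(unique, unique)
        event = events.setdefault(
            key, {"info": row.get(params["info"], params["info"]), "attributes": []})
        for field, value in row.items():
            if field.startswith("misp_"):
                event["attributes"].append((field[len("misp_"):], value))
    return events

def run_alert(rows, raw_params):
    """Splunk-side token expansion, then the script-side grouping."""
    params = expand_tokens(raw_params, rows[0])
    return group_into_events(rows, params)

# Token form: $result.id$ is resolved to "17142" before the script starts, so
# both rows share one key and a single event (with four attributes) results.
EVENTS_TOKEN = run_alert(RESULT_ROWS, {"unique": "$result.id$", "info": "$result.source$"})
# Field-name form (the fix above): id is read from each row, giving two events.
EVENTS_FIELD = run_alert(RESULT_ROWS, {"unique": "id", "info": "source"})
```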
Thank you so much for helping :) that's true.