remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Sending _time timestamp to MISP attribute of existing event #218

Open hkelley opened 1 year ago

hkelley commented 1 year ago

Should the misp_time field be working for both attributes (on existing events) and new events?

Background: we receive Splunk logs as typosquatting domains are discovered. We then push these to MISP (as attributes of one big event we use to hold these domains). I'd like to record the date the domain was registered (which is sometimes a day or two before we log it).

I'm setting up the misp_domain and misp_time fields:

| eval misp_domain=SquatDomain
| eval misp_time=round(_time,0) 
| eval SquatDomain=replace(SquatDomain,"\.","[.]")

| sendalert misp_alert_create_event param.misp_instance=XXXXX param.eventid="14122" param.title=SquatDomain param.description=description param.distribution=0 param.analysis=0 param.tlp="TLP_AMBER" param.pap="PAP_AMBER" param.publish_on_creation="0"

The domain comes through but I don't see the time specified in the MISP log or the resulting attribute.

add | Attribute (804537) from Event (14122): Network activity/domain xxx.website | to_ids () => (1), distribution () => (5), deleted () => (0), disable_correlation () => (0), type () => (domain), event_id () => (14122), category () => (Network activity), uuid () => (7353fd77-3368-4c7a-9e6a-5f8e6b702706), value1 () => (xxx.website)
remg427 commented 1 year ago

Hi, thanks for using MISP42. In the current implementation, misp_time allows setting the event date from the result set. If it is not present, the date is set to the day of creation.

misp_time is used to set first_seen of all attributes on the same row. I should address your need, but it may have side effects. I would rather use misp_first_seen and misp_last_seen to give you better control over what you would like to use.

hkelley commented 6 months ago

Yes, this would be helpful, particularly the update to misp_last_seen.

We often see the same indicator over many different days. I would like to be able to update the misp_last_seen property on an existing attribute each time we call misp_alert_create_event. Otherwise, we don't have a good reference property for attribute aging.

Am I correct that the current version only sets times on attribute creation, not on subsequent occurrences?

| eval misp_ip_src=src_ip
| eval misp_time=round(_time,0)
| eval misp_last_seen=round(latest,0)

| sendalert misp_alert_create_event param.misp_instance=feed_MISP_Feed param.eventid="9999" param.title=misp_domain param.description=description param.distribution=0 param.analysis=0 param.tlp="TLP_AMBER" param.pap="PAP_AMBER" param.publish_on_creation=0
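The two points raised in this thread (misp_time driving the event date and the attributes' first_seen, and misp_last_seen needing to advance each time the same indicator is seen again) can be shown with a small standalone script. The following is an added example, not code from misp42splunk: it takes constructed Splunk result rows carrying the misp_* fields named above, collapses repeated sightings of one indicator so that first_seen keeps the earliest and last_seen the latest timestamp, and builds an event payload. The field-to-type map, the ISO 8601 formatting of first_seen/last_seen and the YYYY-MM-DD event date are assumptions about what MISP's REST API accepts, not something the thread confirms.

```python
"""Added example (not misp42splunk's own code): map Splunk rows with
misp_time / misp_first_seen / misp_last_seen epoch fields to MISP attribute
dicts, merging repeated sightings so an indicator ages correctly."""
from datetime import datetime, timezone

# Constructed sample rows standing in for what `sendalert` would receive.
# Epoch values are made up; the same domain is seen on two different days.
SAMPLE_ROWS = [
    {"misp_domain": "xxx.website", "misp_time": 1700000000, "misp_last_seen": 1700003600},
    {"misp_domain": "xxx.website", "misp_time": 1700086400, "misp_last_seen": 1700090000},
    {"misp_ip_src": "192.0.2.10", "misp_time": 1700050000},
]

# Assumption: misp42 maps many more misp_* prefixes; the two used in the
# thread are enough for this example.
TYPE_FOR_FIELD = {"misp_domain": "domain", "misp_ip_src": "ip-src"}


def to_iso(epoch):
    """Render an epoch as ISO 8601 UTC (assumed format for first_seen/last_seen)."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()


def event_date(epoch):
    """Event date as YYYY-MM-DD, derived from the earliest sighting."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%d")


def row_to_attribute(row):
    """Build one attribute dict (epoch ints) from a row, or None if no indicator field."""
    for field, attr_type in TYPE_FOR_FIELD.items():
        if field in row:
            # misp_first_seen wins when present; otherwise fall back to misp_time.
            first = int(row.get("misp_first_seen", row.get("misp_time")))
            # misp_last_seen wins when present; otherwise the row is a single sighting.
            last = int(row.get("misp_last_seen", first))
            return {"type": attr_type, "value": row[field],
                    "first_seen": first, "last_seen": max(first, last)}
    return None


def merge_sightings(rows, existing=None):
    """Collapse rows by (type, value): earliest first_seen, latest last_seen.

    `existing` may hold attributes already pushed on a previous alert run, so a
    repeated indicator extends last_seen instead of being treated as new.
    """
    merged = {k: dict(v) for k, v in (existing or {}).items()}
    for row in rows:
        attr = row_to_attribute(row)
        if attr is None:
            continue
        key = (attr["type"], attr["value"])
        if key not in merged:
            merged[key] = attr
            continue
        cur = merged[key]
        cur["first_seen"] = min(cur["first_seen"], attr["first_seen"])
        cur["last_seen"] = max(cur["last_seen"], attr["last_seen"])
    return merged


def build_event_payload(rows, existing=None):
    """Assemble an event-shaped payload with ISO timestamps on each attribute."""
    merged = merge_sightings(rows, existing)
    attributes = [
        {"type": a["type"], "value": a["value"],
         "first_seen": to_iso(a["first_seen"]), "last_seen": to_iso(a["last_seen"])}
        for a in merged.values()
    ]
    earliest = min(a["first_seen"] for a in merged.values())
    return {"Event": {"date": event_date(earliest), "Attribute": attributes}}


if __name__ == "__main__":
    import json
    print(json.dumps(build_event_payload(SAMPLE_ROWS), indent=2))
```

Running the script prints one event with two attributes; the domain seen on both days carries the first day's first_seen and the second day's last_seen, which is the aging reference the second comment asks for. Passing the previous run's attributes as `existing` keeps last_seen moving forward across repeated alert invocations.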