remg427
commented
1 year ago Hi Nicolas Thank you for using MISP42 It is correct to use mispgetioc or mispgetevent to pull data from MISP into splunk. Then you can write to a lookup or an index like you have done. For index you need to check it exists or you create it.
For parameter date, it is important to work with recent versions of MISP because API changed field date into from And version 4.2.1+ of MISP42 because I have kept parameter date= and assign any valid value to key 'from' (to keep compatibility)
When you pass an array you need to escape double quote [\"2023-01-01\", \"2023-03-26\"] as parameters need to be numeric or a string. Let me know if it works
Also keep in mind date= is an alias if from and refer to the date set if MISP events
last= is an alias of published timestamp Cheers Remi
Le 26 mars 2023 12:23:28 GMT+02:00, Nicolas @.***> a écrit :
Hello,
Thanks a lot for this tools, it's seems really great,
On the Misp42 app page related to
mispgetioc(http://misp-url/en-US/app/misp42splunk/mispgetioc), it's possible to customize our MISP API request with specific fields.It says that the
date fieldcan have the following syntax:date: a simple date %Y-%m%d or a list ["date_from","date_to"]Or when i put only a date like that "2023-01-01", i get an array as value for date field in the body of MISP request (
body={'date': ['2023-01-01'], 'returnFormat': 'json', ...}.And when i put the following command
| mispgetioc misp_instance=MISP_test date=["2023-01-01", "2023-03-26"]it return the following error:Error in 'SearchParser': Missing a search command before '"'. Error at position '46' of search query '| mispgetioc misp_instance=MISP_test date=["202'.When i put the following: '7d', '14d' it give me the following as value in Misp request body:
body={'date': ["'7d'"], ...-- Reply to this email directly or view it on GitHub: https://github.com/remg427/misp42splunk/issues/226 You are receiving this because you are subscribed to this thread.
Message ID: @.***> -- Sent with K-9 Mail.
Nicolas-Pellletier
Hello,
Thanks a lot for this tools, it's seems really great,
On the Misp42 app page related to
mispgetioc(http://misp-url/en-US/app/misp42splunk/mispgetioc), it's possible to customize our MISP API request with specific fields.It says that the
date fieldcan have the following syntax:Or when i put only a date like that "2023-01-01", i get an array as value for date field in the body of MISP request (
body={'date': ['2023-01-01'], 'returnFormat': 'json', ...}.And when i put the following command
| mispgetioc misp_instance=MISP_test date=["2023-01-01", "2023-03-26"]it return the following error:When i put the following: '7d', '14d' it give me the following as value in Misp request body:
body={'date': ["'7d'"], ...