Closed Nicolas-Pellletier closed 1 year ago
Hello,
Some teams automatically index into Splunk the output of sandboxing solutions (open source or commercial), getting new attributes from detonating samples. With the alert action, those attributes can be pushed to a MISP event.
If investigation / scanner reports are indexed, then it is possible to do the same. Different scenarios, and actually whenever potential attributes are available in Splunk they can be pushed to a MISP event. Regards
On 30 March 2023 10:43:55 GMT+02:00, Nicolas @.***> wrote:
Hello,
I'm sorry to bother you with this, but I have some trouble understanding this part of the doc:
I've tried to search on the internet for what "automated sandboxing" is (linked to Splunk or in general), but nothing relevant comes up... What is "sandboxing output"/"automated sandboxing"?
And when you talk about "if you have output of analysis pushed to splunk", do you mean by this the SOC analyst investigation report made for an incident, is that it?
I hope you could help me with that, thank you in advance.
-- Reply to this email directly or view it on GitHub: https://github.com/remg427/misp42splunk/issues/229
Thanks a lot for this information, it's much clearer!
I apologize for my late response; I missed your reply and thought until today that the support request had gone unanswered.
Hello,
I'm sorry to bother you with this, but I have some trouble understanding this part of the doc:
I've tried to search on the internet for what "automated sandboxing" is (linked to Splunk or in general), but nothing relevant comes up... What is "sandboxing output"/"automated sandboxing"?
And when you talk about "if you have output of analysis pushed to splunk", do you mean by this the SOC analyst investigation report made for an incident, is that it?
I hope you could help me with that, thank you in advance.
By the way, this sample in the doc redirects to a 404 error.