remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Support request: Why does the saved search query differ depending on the lookup table type (KvStore/CSV)? #231

Open Nicolas-Pellletier opened 1 year ago

Nicolas-Pellletier commented 1 year ago

Hello,

First of all, many thanks for this tool. It has really helped me to make the interconnection between MISP and Splunk.

I was wondering if there is any reason why you changed the savedsearch query when dealing with different lookup tables (KvStore Lookup and CSV Lookup)?

Is there any performance issue that you want to address here? (CSV lookup vs. KvStore lookup)

For example, in savedsearch.conf the email-related saved search that feeds the KvStore lookup is:

search = | mispgetioc misp_instance=default_misp last=1d getuuid=t getorg=t geteventtag=t type="email-attachment,email-src,email-src-display-name,email-subject" limit=0\
| where isnotnull(misp_email_attachment) or isnotnull(misp_email_src) or isnotnull(misp_email_src_display_name) or isnotnull(misp_email_subject) | fields - _time, _raw, host \
| outputlookup MISP_email append=true

But the email-related saved search that feeds the CSV lookup is not the same:

search = | mispgetioc misp_instance=default_misp last=1d to_ids=t geteventtag=t type="email-src,email-subject" limit=0\
| where isnotnull(misp_email_src) or isnotnull(misp_email_subject)\
| eval weight=case(match(misp_tag,"tlp:white"),20,match(misp_tag,"tlp:green"),40,match(misp_tag,"tlp:amber"),80,match(misp_tag,"tlp:red"),100,true(),50)\
| eval description = "MISP e" + misp_event_id | rename misp_email_src AS src_user misp_email_subject AS subject \
| where isnotnull(src_user) or isnotnull(subject) | fields description,src_user,subject,weight \
| outputlookup misp_email_intel.csv

Is it made on purpose? Or is it just to show another way to get some email_lookup (to avoid repeating something that already exists)?
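As an added illustration (not code from misp42splunk or from the issue author), the Python below reproduces what the CSV-feeding saved search quoted above does to each record: the isnotnull filter, the TLP-tag weighting with first-match case() semantics, and the rename to src_user/subject. Field names come from that saved search; the sample records are constructed.

```python
import re

# Weight per TLP tag, in the same clause order as the saved search's
# eval weight=case(...): the first matching clause wins, 50 when none matches.
TLP_WEIGHTS = [("tlp:white", 20), ("tlp:green", 40), ("tlp:amber", 80), ("tlp:red", 100)]
DEFAULT_WEIGHT = 50


def tlp_weight(tags):
    """Mirror the SPL case()/match() chain over a (possibly multivalue) misp_tag."""
    joined = " ".join(tags or [])  # any one of the tag values matching counts
    for pattern, weight in TLP_WEIGHTS:
        if re.search(pattern, joined):  # match() is a regex search, not equality
            return weight
    return DEFAULT_WEIGHT


def to_email_intel_rows(attributes):
    """Shape mispgetioc-style records like rows of misp_email_intel.csv."""
    rows = []
    for attr in attributes:
        src_user = attr.get("misp_email_src")
        subject = attr.get("misp_email_subject")
        if src_user is None and subject is None:  # where isnotnull(..) or isnotnull(..)
            continue
        rows.append({
            "description": "MISP e" + str(attr["misp_event_id"]),
            "src_user": src_user,
            "subject": subject,
            "weight": tlp_weight(attr.get("misp_tag")),
        })
    return rows


# Constructed sample records, not real MISP data.
SAMPLE = [
    {"misp_event_id": 101, "misp_email_src": "a@example.invalid", "misp_tag": ["tlp:amber", "other:tag"]},
    {"misp_event_id": 102, "misp_email_subject": "Invoice", "misp_tag": ["tlp:white", "tlp:red"]},  # first clause wins -> 20
    {"misp_event_id": 103, "misp_email_subject": "Reset", "misp_tag": []},  # no TLP tag -> 50
    {"misp_event_id": 104, "misp_domain": "x.invalid"},  # no email field -> dropped
]

if __name__ == "__main__":
    for row in to_email_intel_rows(SAMPLE):
        print(row)
```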