remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0
109 stars 30 forks

Procedure to remove IoC received via misp42splunk #243

Closed riccardosl closed 1 week ago

riccardosl commented 1 year ago

Hello, I would like to ask a question, however I'm not sure if it is more related to Splunk or the misp42 app. We successfully connected MISP > misp42splunk application > Splunk, and we received indicators in the lists. However it is not clear, in case we want to manually remove some old indicators that generate false positives, in which file, inputlookup or app list we should delete these indicators. For example Splunk has some lists called misp_es_domain_intel, misp_es_ip_intel and there are several other components called "CS4 outputlookup for MISP intel feed". Do you have experience with this? Is there any documentation to understand which lists to modify? If there is some help we can also write an article about it, which might be helpful also for others. Thank you. R

remg427 commented 1 year ago

Hello, thank you for using MISP42. Actually the app custom commands are designed to pull IoC of your choice into Splunk using the few collections prepared in MISP42 or any other Splunk objects or indices.

Removal is then more a Splunk activity. What I have done is to search in MISP for the IoC I would like to remove and then search for them in the lookups in order to delete them from the lookup.

If you make a doc on that I will add it to the repo. Thanks, Remi

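The procedure Remi describes (find the indicator in MISP, then find and delete the matching rows in the Splunk lookup) can be done from the search bar with `| inputlookup misp_es_ip_intel | search NOT ip IN ("198.51.100.7") | outputlookup misp_es_ip_intel`. The script below is an added example, not code from the misp42splunk project or from either participant: it performs the same filtering on a CSV lookup file outside Splunk and reports which rows were dropped, so the removal can be reviewed before the file is swapped in. The lookup content, the `ip` column name and the file layout are constructed assumptions; the real column names on a given instance should be checked with `| inputlookup <name>` first.

```python
"""
Added example (not part of misp42splunk): remove known false-positive
indicators from a Splunk CSV lookup such as misp_es_ip_intel.

Assumptions (constructed for this example):
  - the lookup is a plain CSV file with a header row, as Splunk keeps
    CSV lookups under <app>/lookups/;
  - the indicator value lives in one column (here "ip");
  - the file and column names on your instance may differ.
"""
import csv
import io
import os
from typing import Dict, Iterable, List, Tuple

# Constructed sample lookup content using documentation IP ranges; not real threat intel.
SAMPLE_LOOKUP = """ip,description,misp_event_id,misp_timestamp
203.0.113.10,C2 beacon,1001,1690000000
198.51.100.7,scanner,1002,1690000100
203.0.113.55,phishing host,1003,1690000200
"""


def remove_iocs(lookup_csv: str, field: str, iocs: Iterable[str]) -> Tuple[str, List[Dict[str, str]]]:
    """Return (filtered CSV text, rows removed).

    Matching is exact after trimming whitespace and lower-casing, so an
    indicator pasted with stray spaces or a different case still matches,
    while a substring (e.g. 203.0.113.1 vs 203.0.113.10) does not.
    """
    targets = {v.strip().lower() for v in iocs}
    reader = csv.DictReader(io.StringIO(lookup_csv))
    if reader.fieldnames is None or field not in reader.fieldnames:
        raise ValueError(f"lookup has no column named {field!r}")
    kept, removed = [], []
    for row in reader:
        if row[field].strip().lower() in targets:
            removed.append(row)
        else:
            kept.append(row)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(kept)
    return out.getvalue(), removed


def remove_iocs_from_file(path: str, field: str, iocs: Iterable[str]) -> List[Dict[str, str]]:
    """Apply remove_iocs to a lookup file on disk and return the removed rows.

    The new content is written to a temp file and atomically renamed over
    the original, so a concurrent Splunk read never sees a half-written lookup.
    Nothing is written when no row matched.
    """
    with open(path, newline="") as f:
        text = f.read()
    new_text, removed = remove_iocs(text, field, iocs)
    if removed:
        tmp = path + ".tmp"
        with open(tmp, "w", newline="") as f:
            f.write(new_text)
        os.replace(tmp, path)
    return removed


if __name__ == "__main__":
    new_csv, dropped = remove_iocs(SAMPLE_LOOKUP, "ip", ["198.51.100.7"])
    print(f"removed {len(dropped)} row(s): {[r['ip'] for r in dropped]}")
    print(new_csv)
```

Two caveats a practitioner should keep in mind: if the intel lists on a given instance are KV store collections rather than CSV files, the row has to be deleted through the KV store (or with the `inputlookup`/`outputlookup` search above) instead of by editing a file; and a row deleted only on the Splunk side will come back on the next scheduled pull unless the indicator is also dealt with in MISP, which is why Remi starts from the MISP search.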

riccardosl commented 1 year ago

Hello Remi, is there a way to contact you directly and clarify some questions about the app, via email maybe? Thank you

remg427 commented 1 year ago

Yes sure, the email is in the Python script.
