remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Issue with the timestamp #244

Closed Moorocks closed 11 months ago

Moorocks commented 11 months ago

Hi @remg427 ,

I have an issue with misp timestamps.

We integrated Splunk and MISP and all the events are coming in as expected. However, there is a problem with the timestamps.

Input: if I execute the command below:

| mispgetioc misp_instance=ssss_misp limit=0 last=2d

Output: I can see the events and their attributes. However, the attributes are older than 2 days.

I read your documentation and can see that the param 'last' refers to events published in 'x' days or hours. The threat feed I added is configured as a 'fixed event' with the delta merge flag enabled.

This param 'last' is looking for events that were published 2 days ago. I'd rather like to see the attributes that were published 2 days ago. Would this be possible with the Splunk app?

remg427 commented 11 months ago

Hi,

Indeed, your analysis is correct: last=2d returns all attributes of events published in the last 2 days, regardless of the attribute timestamp.

The _time is set to the attribute timestamp in the results, so you could further filter with | where _time > relative_time(now(), "-2d")

Or look at the REST API to see if there is a key related to the attribute timestamp; if yes, you could use json_request= instead of last=

Hope it helps, Remi


Moorocks commented 11 months ago

Hi @remg427, Appreciate your help.

I can see that the where condition within the Splunk query is working.

There is a parameter called 'attribute-timestamp' which gives the attributes only for that particular day, and the time has to be given in epoch format. This, again, is not flexible while building Splunk searches.

I just wanted to know if there is any alternative best practice to get attributes into Splunk which are not older than 'x' days?

remg427 commented 11 months ago

You could use a subsearch to make the JSON request

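The two suggestions in this thread (filter on _time after the fact, or build the JSON request yourself with an epoch timestamp computed from a relative window) can be illustrated with a small Python helper. This is an added example, not code from misp42splunk or from the commenters; it assumes that the MISP restSearch body accepts a "timestamp" key holding an epoch value for the attribute timestamp (check the REST documentation of your MISP version), and the exact quoting of the json_request= argument in mispgetioc is also an assumption. The sample attributes are constructed and only serve to show the difference between an event's publish time and the attributes' own timestamps.

```python
"""Added example (not part of misp42splunk).

Converts a Splunk-style relative window such as "-40d" into the epoch value a
MISP restSearch body needs, builds the mispgetioc search string, and filters
attribute records on their own timestamp instead of the event's publish time.
"""
import json
import re
import time

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def relative_to_epoch(window, now=None):
    """Turn "-2d", "-12h", "-40d" into epoch seconds (same idea as
    relative_time(now(), "-2d") in SPL). 'now' can be fixed for testing."""
    m = re.fullmatch(r"-(\d+)([smhd])", window)
    if not m:
        raise ValueError("unsupported relative window: %r" % window)
    base = time.time() if now is None else now
    return int(base - int(m.group(1)) * _UNITS[m.group(2)])


def build_restsearch_body(window, now=None, extra=None):
    """Body for a MISP restSearch call that filters on the *attribute* timestamp.
    The "timestamp" key is an assumption about the MISP REST API; "last" would
    filter on the event publish time instead, which is what the thread wants to avoid."""
    body = {"returnFormat": "json", "timestamp": relative_to_epoch(window, now)}
    if extra:
        body.update(extra)
    return body


def build_mispgetioc_search(instance, window, now=None):
    """Render the SPL line that passes the body via json_request= (assumed quoting:
    inner double quotes escaped with a backslash inside the quoted argument)."""
    body = json.dumps(build_restsearch_body(window, now), separators=(",", ":"))
    escaped = body.replace('"', '\\"')
    return '| mispgetioc misp_instance=%s limit=0 json_request="%s"' % (instance, escaped)


def attributes_newer_than(attributes, window, now=None):
    """Emulates '| where _time > relative_time(now(), window)' with _time being
    the attribute timestamp, as described in the thread."""
    cutoff = relative_to_epoch(window, now)
    return [a for a in attributes if int(a["timestamp"]) > cutoff]


# Constructed sample data: one fixed event published yesterday that carries
# attributes of very different ages (delta-merge style feed).
NOW = 1695168000  # 2023-09-20 00:00:00 UTC, fixed so the example is reproducible
SAMPLE_EVENT = {"id": "1", "publish_timestamp": str(NOW - 86400)}
SAMPLE_ATTRIBUTES = [
    {"event_id": "1", "type": "ip-dst", "value": "203.0.113.10", "timestamp": str(NOW - 3600)},
    {"event_id": "1", "type": "domain", "value": "example.test", "timestamp": str(NOW - 10 * 86400)},
    {"event_id": "1", "type": "sha256", "value": "0" * 64, "timestamp": str(NOW - 100 * 86400)},
]


if __name__ == "__main__":
    # last=2d would return all three attributes because the event was published
    # yesterday; filtering on the attribute timestamp keeps only the recent ones.
    print(build_mispgetioc_search("ssss_misp", "-40d", NOW))
    for w in ("-2d", "-40d"):
        kept = attributes_newer_than(SAMPLE_ATTRIBUTES, w, NOW)
        print(w, [a["value"] for a in kept])
```

The epoch value is recomputed on every run, so scheduling the search (or wrapping the body construction in a subsearch, as suggested above) keeps the window sliding without editing the search by hand.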

Moorocks commented 11 months ago

Thanks @remg427 ,

Will work on this and will get back to you. Cheers,