remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0
109 stars 30 forks

Creating ip-src, ip-dst, and other attribute types beyond file, email, and domain-ip #249

Closed hkelley closed 10 months ago

hkelley commented 10 months ago

Skimming the code here:

https://github.com/remg427/misp42splunk/blob/f9a405aa2f4d6fc11d7821f5b5849188cfe46989/package/bin/misp42splunk/modalert_misp_alert_create_event_helper.py#L277C16-L277C16

we only seem to be able to create these three types of attributes:

```python
# Only three MISP object templates are initialised here: file, email and domain-ip.
fo_template = init_object_template(helper, 'file')
fo_attribute = []
eo_template = init_object_template(helper, 'email')
eo_attribute = []
no_template = init_object_template(helper, 'domain-ip')
no_attribute = []
```

Generic IPs can be handled by domain-ip but it would be more useful if we could also target ip-src and ip-dst, which are (at least in my experience) more commonly used in threat feeds.

remg427 commented 10 months ago

Hi, you can add any MISP attribute type: simply make the field names misp_ip_src, misp_ip_dst, etc. Even combined attribute types are supported.

Simply add the prefix misp_ to the attribute type and replace any `-` by `_` in Splunk field names, as `-` is not well supported in field names, as you know.

When it comes to objects only those 3 are indeed supported.

Documentation is maybe short, but I have made a dashboard for each command and alert action to clarify.

Cheers Remi

On 31 October 2023 14:23:10 GMT+00:00, hkelley @.***> wrote:


hkelley commented 10 months ago

Terrific, that works.

```spl
| eval misp_time=round(earliest,0)
| eval misp_to_ids="True"
| strcat ISP " ASN: " ASN " " src_ip attribute misp_comment
| rename src_ip as misp_ip_src
| sendalert misp_alert_create_event param.misp_instance=MISP_Feed param.eventid="9999"
```
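Added example, not misp42splunk's own code: a Python sketch of the field-naming convention Remi describes (a Splunk field `misp_<type>`, with `-` written as `_`, becomes a MISP attribute of `<type>`), applied to a row shaped like the search above and with a plausibility check on each value before it would be sent to MISP. `KNOWN_TYPES`, `META_FIELDS` and the sample row are assumptions made for the illustration.

```python
import ipaddress
import re

# Illustrative re-implementation of the naming rule from the thread; the real
# alert action in misp42splunk is not reproduced here.
PREFIX = "misp_"
# Fields that carry event/attribute settings rather than an indicator type
# (misp_time, misp_to_ids and misp_comment appear in the SPL above). Assumption.
META_FIELDS = {"time", "to_ids", "comment"}
# Constructed subset of MISP attribute types accepted by this sketch.
KNOWN_TYPES = {"ip-src", "ip-dst", "domain", "hostname", "md5", "sha256", "url", "email-src"}


def field_to_type(field):
    """Map a Splunk field name such as misp_ip_src to the MISP type ip-src, or None."""
    if not field.startswith(PREFIX):
        return None
    name = field[len(PREFIX):]
    if name in META_FIELDS:
        return None
    candidate = name.replace("_", "-")
    return candidate if candidate in KNOWN_TYPES else None


def value_is_plausible(attr_type, value):
    """Reject values that cannot be a valid indicator of the given type."""
    if attr_type in ("ip-src", "ip-dst"):
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if attr_type == "md5":
        return re.fullmatch(r"[0-9a-fA-F]{32}", value) is not None
    if attr_type == "sha256":
        return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None
    return bool(value.strip())


def row_to_attributes(row):
    """Turn one Splunk result row into MISP attribute dicts, skipping bad values."""
    to_ids = str(row.get("misp_to_ids", "False")).lower() == "true"
    comment = row.get("misp_comment", "")
    attributes = []
    for field, value in row.items():
        attr_type = field_to_type(field)
        if attr_type is None or not value_is_plausible(attr_type, str(value)):
            continue
        attributes.append({"type": attr_type, "value": str(value),
                           "to_ids": to_ids, "comment": comment})
    return attributes
```

The plausibility check matters because the alert action pushes whatever the search produces; a malformed `src_ip` would otherwise land in the shared MISP instance as a detection-worthy attribute.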