remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Create event on MISP with multivalue attribute #251

Closed jacoporusso-css closed 9 months ago

jacoporusso-css commented 9 months ago

Hello, I'm trying to use sendalert misp_alert_create_event to create on MISP an event containing an attribute with multiple values (e.g. an email object with multiple attachments, as described in the object description). Starting from the following mock (simplified to be readable - the real data is more complex):

```spl
| makeresults
| eval att_name="a.exe,b.exe"
| makemv att_name delim=","
| eval misp_time=_time, eo_subject="subject", eo_from="address@example.com", eo_attachment=att_name
```

I tried the following methods but none seems to work:

Is there a supported way to do so?

Thanks

jacoporusso-css commented 9 months ago

Hi Remi, thanks for the insight. I just analyzed how multivalues are represented (each value is separated by a newline) and found a fix to handle them. Changing the for loop at line 283 in modalert_misp_alert_create_event_helper.py, it works as expected!

```python
    for key, value in list(row.items()):
        # A Splunk multivalue field arrives as a single string with the values
        # joined by "\n"; split it so every value becomes its own attribute.
        # A single-value field simply yields a one-element list.
        values = str(value).split("\n") if value is not None else []
        for single_value in values:
            if single_value == '':
                continue
            # Fresh copy per value: reusing one dict for all values of a key would
            # append the same object repeatedly and the last value would win.
            attribute_metadata = attribute_baseline.copy()
            helper.log_info("key: {}, single_value: {}".format(key, single_value))
            if key.startswith("misp_"):
                misp_key = str(key).replace('misp_', '').replace('_', '-')
                attribute_metadata['type'] = misp_key
                attribute_metadata['value'] = str(single_value)
                attributes.append(attribute_metadata)
            elif key.startswith("fo_"):
                fo_key = str(key).replace('fo_', '').replace('_', '-')
                object_attribute = store_object_attribute(
                    fo_template['attributes'], fo_key, str(single_value),
                    metadata=attribute_metadata)
                if object_attribute:
                    fo_attribute.append(object_attribute)
            elif key.startswith("eo_"):
                eo_key = str(key).replace('eo_', '').replace('_', '-')
                object_attribute = store_object_attribute(
                    eo_template['attributes'], eo_key, str(single_value),
                    metadata=attribute_metadata)
                if object_attribute:
                    eo_attribute.append(object_attribute)
            elif key.startswith("no_"):
                no_key = str(key).replace('no_', '').replace('_', '-')
                object_attribute = store_object_attribute(
                    no_template['attributes'], no_key, str(single_value),
                    metadata=attribute_metadata)
                if object_attribute:
                    no_attribute.append(object_attribute)
            elif key in data_type:
                misp_key = data_type[key]
                attribute_metadata['type'] = misp_key
                attribute_metadata['value'] = str(single_value)
                attributes.append(attribute_metadata)
```
remg427 commented 9 months ago

Thank you very much, I have implemented your fix in 4.3.1.
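The following is an added, stand-alone Python example (not code from misp42splunk or from the thread's participants) of the multivalue handling discussed above: a result row is taken as the alert action would read it from the results CSV, with multivalue fields joined by "\n", and each value is turned into its own MISP attribute or email-object attribute. The sample row, the `DATA_TYPE` mapping, the `EMAIL_TEMPLATE` relations and the `make_object_attribute` helper are this example's own constructed stand-ins, not the app's tables or functions. It also shows, via `reuse_metadata=True`, why the metadata dict must be copied once per value rather than once per key: reusing a single dict appends the same object repeatedly and the last value wins.

```python
import copy

# Constructed sample row, as a Splunk alert action sees it after reading the
# results CSV: multivalue fields are joined with "\n" (as observed in the thread).
SAMPLE_ROW = {
    "eo_subject": "subject",
    "eo_from": "address@example.com",
    "eo_attachment": "a.exe\nb.exe",              # multivalue: two attachments
    "misp_domain": "c2.example\nupdate.example",  # multivalue plain attribute
    "misp_comment": "",                           # empty field: must yield nothing
    "src_ip": "198.51.100.7",                     # unprefixed, mapped via DATA_TYPE
    "_time": "1700000000",                        # not an indicator, skipped
}

# Hypothetical mapping of unprefixed field names to MISP attribute types
# (stands in for the app's data_type table; not the project's own table).
DATA_TYPE = {"src_ip": "ip-src", "dest_ip": "ip-dst", "url": "url"}

# Minimal stand-in for the MISP "email" object template: the object relations
# this example accepts and the MISP attribute type each relation carries.
EMAIL_TEMPLATE = {
    "from": "email-src",
    "subject": "email-subject",
    "attachment": "attachment",
}


def split_multivalue(value):
    """Split a Splunk multivalue field string into its non-empty values.

    A missing field (None) yields []; a single-value field yields one item.
    """
    if value is None:
        return []
    return [v for v in str(value).split("\n") if v != ""]


def make_object_attribute(template, relation, value, metadata):
    """Build one object attribute, or return None if the relation is unknown.

    This is the example's own helper, not the app's store_object_attribute.
    """
    if relation not in template:
        return None
    attr = copy.deepcopy(metadata)
    attr.update({"object_relation": relation, "type": template[relation], "value": value})
    return attr


def build_attributes(row, baseline, reuse_metadata=False):
    """Turn one result row into (plain_attributes, email_object_attributes).

    reuse_metadata=True reproduces the aliasing pitfall: one metadata dict per
    key, shared by every value of that key, so every appended entry is the same
    object and the last value overwrites the earlier ones. The default copies
    the baseline once per value, which is what multivalue handling needs.
    """
    attributes, eo_attributes = [], []
    for key, value in row.items():
        shared = baseline.copy()
        for single_value in split_multivalue(value):
            meta = shared if reuse_metadata else baseline.copy()
            if key.startswith("misp_"):
                meta["type"] = key[len("misp_"):].replace("_", "-")
                meta["value"] = single_value
                attributes.append(meta)
            elif key.startswith("eo_"):
                relation = key[len("eo_"):].replace("_", "-")
                attr = make_object_attribute(EMAIL_TEMPLATE, relation, single_value, meta)
                if attr is not None:
                    eo_attributes.append(attr)
            elif key in DATA_TYPE:
                meta["type"] = DATA_TYPE[key]
                meta["value"] = single_value
                attributes.append(meta)
            # any other field (e.g. _time) is not an indicator and is skipped
    return attributes, eo_attributes


if __name__ == "__main__":
    baseline = {"to_ids": True, "category": "Payload delivery"}
    attrs, eo = build_attributes(SAMPLE_ROW, baseline)
    for a in attrs:
        print("attribute", a["type"], a["value"])
    for a in eo:
        print("email object", a["object_relation"], a["value"])
    bad, _ = build_attributes(SAMPLE_ROW, baseline, reuse_metadata=True)
    print("aliased values:", [a["value"] for a in bad])
```

Running it prints one attribute per value (two `domain` attributes, one `ip-src`, and an email object with one `from`, one `subject` and two `attachment` attributes), while the aliased variant shows both `domain` entries carrying the last value.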