remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0
109 stars 30 forks

Last should use "timestamp" and not "published_timestamp" #262

Closed romainw closed 3 months ago

romainw commented 5 months ago

Thanks a lot for this great Splunk app.

For all practical purposes, it seems "last" should be matching the event's "timestamp" and not "published_timestamp".

For example, currently, if I set up a new MISP instance with events pulled from a remote instance from the last year, and set "last=1d", all the events from the last year will be returned, regardless of their actual timestamps. This is because having a new MISP instance means all these old events will be republished "today". Using "timestamp" should allow the correct date to be used for filtering out older events.

Thanks, Romain.

remg427 commented 5 months ago

Hi Romain, thank you for using misp42 and for the kind words.

Yes, last is equivalent to published_timestamp on MISP API endpoints.

I didn't know about this issue for newly installed MISP instances. You may use the parameter date=, which works on the date declared for the MISP event. Or select the timestamp keys supported by the restSearch endpoints and build a custom JSON body. In that case mispfetch might be easier, using tojson to prepare it.

Thanks Remi
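The three filters discussed in this thread (last, timestamp and date) behave differently on a freshly populated MISP instance. The block below is an added example written for this page, not code from misp42splunk or from MISP: it reproduces the three filters over a constructed set of event records and builds the custom restSearch JSON body the maintainer suggests. The field names "timestamp", "publish_timestamp" and "date" mirror MISP's event JSON as the example's author understands it, and the assumption that restSearch's "timestamp" key accepts the same relative spec as "last" (for example "1d") is exactly that, an assumption; check it against your MISP version before relying on it.

```python
"""last vs timestamp vs date filtering of MISP events (added example, not project code)."""
import json

DAY = 86400
# Fixed "now" so the example is deterministic and runs offline.
NOW = 1_700_000_000

# Constructed sample events, not real MISP data. They model the situation from
# the issue: a fresh instance that pulled year-old events and published them all
# an hour ago, so every publish_timestamp is recent while only one event was
# actually modified recently. Field names are assumed to match MISP's event JSON.
SAMPLE_EVENTS = [
    {"id": "1", "info": "year-old event, republished on fresh instance",
     "date": "2022-11-20", "timestamp": str(NOW - 300 * DAY),
     "publish_timestamp": str(NOW - 3600)},
    {"id": "2", "info": "four-month-old event, republished on fresh instance",
     "date": "2023-07-12", "timestamp": str(NOW - 120 * DAY),
     "publish_timestamp": str(NOW - 3600)},
    {"id": "3", "info": "genuinely recent event",
     "date": "2023-11-14", "timestamp": str(NOW - 2 * 3600),
     "publish_timestamp": str(NOW - 3600)},
    {"id": "4", "info": "event modified two days ago",
     "date": "2023-11-12", "timestamp": str(NOW - 2 * DAY),
     "publish_timestamp": str(NOW - 3600)},
]


def parse_relative(spec, now=NOW):
    """Turn a MISP-style relative spec ('30m', '12h', '1d') into an epoch lower bound."""
    units = {"m": 60, "h": 3600, "d": DAY}
    if len(spec) < 2 or spec[-1] not in units or not spec[:-1].isdigit():
        raise ValueError(f"unsupported time spec: {spec!r}")
    return now - int(spec[:-1]) * units[spec[-1]]


def filter_by_last(events, last, now=NOW):
    """What last=<spec> does: keep events whose publish time is after the cutoff."""
    cutoff = parse_relative(last, now)
    return [e for e in events if int(e["publish_timestamp"]) >= cutoff]


def filter_by_timestamp(events, spec, now=NOW):
    """What timestamp=<spec> does: keep events modified after the cutoff."""
    cutoff = parse_relative(spec, now)
    return [e for e in events if int(e["timestamp"]) >= cutoff]


def filter_by_date(events, start_date):
    """What date=<YYYY-MM-DD> does: keep events whose declared date is on or after it.
    ISO dates compare correctly as strings, so no parsing is needed."""
    return [e for e in events if e["date"] >= start_date]


def ids(events):
    """Convenience: the ids of a filtered result, in order."""
    return [e["id"] for e in events]


def build_restsearch_body(spec, published=True, extra=None):
    """Build the JSON body for POST /events/restSearch that filters on the event's
    own modification time instead of last. Assumes restSearch accepts the
    relative spec under the 'timestamp' key; 'returnFormat' and 'published'
    are passed through unchanged."""
    body = {"returnFormat": "json", "timestamp": spec, "published": published}
    if extra:
        body.update(extra)
    return json.dumps(body)


if __name__ == "__main__":
    print("last=1d      ->", ids(filter_by_last(SAMPLE_EVENTS, "1d")))
    print("timestamp=1d ->", ids(filter_by_timestamp(SAMPLE_EVENTS, "1d")))
    print("date>=2023-11-01 ->", ids(filter_by_date(SAMPLE_EVENTS, "2023-11-01")))
    print(build_restsearch_body("1d"))
```

Run as written, the last=1d filter returns all four events because every one was republished an hour ago, while timestamp=1d returns only event 3; that is the discrepancy the issue describes. The JSON string produced by build_restsearch_body is what you would hand to mispfetch as a custom body, as the maintainer suggests.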