Skip to content

korteke/splunk

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
app_getmispioc
app_getmispioc
 
 
scripts
scripts
 
 
README.md
README.md
 
 

Repository files navigation

getiocmisp

getiocmisp is a Splunk custom search command that helps to extract IOCs from a MISP instance.

alt text

getiocmisp relies on PyMISP. PyMISP requires Python 3 but only Python 2.7 is available in the Splunk environment. The script getiocmips.py is a wrapper and calls get-ioc-misp.py. This is best to keep your Splunk instance clean.

Prerequisites

  1. Install Python 3 on the Splunk server
  2. Install Splunk-SDK for Python (see http://dev.splunk.com/view/python-sdk/SP-CAAAEDG)
  3. Install PyMISP (see https://github.com/CIRCL/PyMISP). Install it from Github

Installation

  1. Copy app_getmispioc to $SPLUNK_HOME/etc/apps/

  2. Copy scripts/* to /usr/local/bin/

  3. Verify permissions. Files owned by splunk -user and .py files are executable

  4. Edit /usr/local/bin/mispconfig.py and specify your MISP URL and authorization key

  5. Restart Splunk

Usage

See https://blog.rootshell.be/2017/10/31/splunk-custom-search-command-searching-misp-iocs/

About

No description or website provided.

Topics

ioc splunk misp threatintelligence

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%