The misp42splunk app connects MISP and Splunk. The app is designed to be easy to install, set up and maintain through the Splunk GUI, without editing files directly. You can use as many MISP instances as you like; one of them is defined at setup time as the default instance.
The main use cases are:
- MISP to SPLUNK: get MISP event attributes into the Splunk search pipeline: | mispgetioc params | .... see
- MISP for SPLUNK: 2 Splunk alert actions are available to directly create events or increment attribute sighting in a MISP instance.
BONUS: You can also create a Splunk alert action to create TheHive alerts.
- Install Python 3 on the Splunk Search Head.
- Install PyMISP (see https://github.com/MISP/PyMISP).
- Check that your Splunk SH can connect to the MISP instance.
- In the App setup screen, you can adapt the paths to the python3 binary and the temp folder.
This app is designed to run on Splunk Search Head(s) on Linux platforms.
- Download this file, which is the Splunk app (it is an archive containing the sub-directory misp42splunk)
- Install the app on your Splunk Search Head(s): "Manage Apps" -> "Install app from file"
- A custom endpoint has been defined so you need to restart Splunk (for later updates, you may skip this step)
- At next logon, you should be invited to configure the app (if not go to Manage Apps > App-MISP42 > Set up)
- For MISP
  - provide the URL of your MISP instance;
  - provide the authkey;
  - check (or not) the certificate of the MISP server.
- For TheHive
  - provide the URL of the API of your instance;
  - provide the authkey.
- Paths to the python3 binary and temp folder
- For MISP
Here are some activities you may carry out more easily with this app.
Hunting in Splunk logs
Fresh IOC from MISP > saved searches in Splunk > on match create an alert on TheHive or (later) any SIR platform of your choice.
Creating events based on automated sandboxing
If you have the output of sandbox analysis pushed to Splunk, you may automate the creation of MISP events: log sandboxing output > saved search to qualify, sanitize (dedup, remove top Alexa domains, etc.) and prepare the table (misp_*, fo_*, eo_* fields, etc.) > set a Splunk alert to create event(s) in MISP.
- Only fields prefixed with misp_ (or fo_ for file objects, eo_ for email objects) are imported
- if you use MISP objects, please upgrade PyMISP and MISP accordingly
- Advice: for objects, verify the names of the fields to be created; for example see the Email Object definition
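The "qualify, sanitize and prepare the table" step of that pipeline, as an added Python example that is not part of misp42splunk: it drops popular benign domains, normalises and deduplicates values, and then mirrors the import rule by keeping only misp_/fo_/eo_ prefixed columns. The sample rows and the top-domain lookup are constructed, and the column names misp_domain, misp_md5 and misp_ip_dst are assumptions, not the app's documented field names.

```python
from typing import Dict, Iterable, List

# Constructed sample rows: one indicator per row, as a saved search over
# sandbox output might return them before shaping for the alert action.
SANDBOX_ROWS = [
    {"report": "r1", "type": "domain", "value": "update.example-bad.test"},
    {"report": "r1", "type": "domain", "value": "google.com"},
    {"report": "r2", "type": "domain", "value": "update.example-bad.test "},
    {"report": "r2", "type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"report": "r3", "type": "md5", "value": "D41D8CD98F00B204E9800998ECF8427E"},
    {"report": "r3", "type": "ip-dst", "value": "198.51.100.7"},
    {"report": "r3", "type": "mutex", "value": "Global\\sbx"},
]

# Constructed stand-in for a "top Alexa" style lookup of popular benign domains.
TOP_DOMAINS = {"google.com", "microsoft.com", "cloudflare.com"}

# Assumed mapping from sandbox indicator type to a misp_-prefixed column name;
# the real column names depend on the MISP attribute types you want to create.
TYPE_TO_FIELD = {"domain": "misp_domain", "md5": "misp_md5", "ip-dst": "misp_ip_dst"}


def prepare_misp_table(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Qualify, sanitize and dedup sandbox rows into one record per IOC."""
    seen = set()
    table = []
    for row in rows:
        field = TYPE_TO_FIELD.get(row["type"])
        if field is None:
            continue  # type with no misp_ column: the alert action would ignore it
        value = row["value"].strip()
        if row["type"] == "md5":
            value = value.lower()  # hashes differing only in case are the same IOC
        if row["type"] == "domain" and value.lower() in TOP_DOMAINS:
            continue  # popular benign domain: would only add noise to MISP
        if (field, value) in seen:
            continue  # same IOC seen in several reports: one attribute is enough
        seen.add((field, value))
        # 'report' is kept for analysts but is not a misp_ column (see below)
        table.append({field: value, "report": row["report"]})
    return table


def importable_fields(record: Dict[str, str]) -> Dict[str, str]:
    """Mirror the import rule: only misp_, fo_ and eo_ prefixed columns are used."""
    return {k: v for k, v in record.items() if k.startswith(("misp_", "fo_", "eo_"))}
```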
Sighting in MISP based on Splunk alerts
Search for attribute values/uuids in Splunk > alert to increment sighting counters (standard, false positive, expiration) in MISP for those values/uuids
- Alert to create MISP event(s)
- Alert for attribute sighting in MISP
- implement event tagging in misp_alert_create_event
- store some saved searches and lookups as examples
The creation of this app started from work done by https://github.com/xme/splunk/tree/master/getmispioc and the associated blog https://blog.rootshell.be/2017/10/31/splunk-custom-search-command-searching-misp-iocs/ for MISP interactions.
The alert action for TheHive is inspired by this Splunk app
This app misp42splunk is licensed under the GNU Lesser General Public License v3.0.