publish_on_creation is not working as expected #181
Hi,
Thanks for using misp42
My tests were ok.
Do you have any constraints set on MISP for publishing events? Mandatory tags, etc. Does the user have the right to publish?
I will double check on my side
Remi
On 5 December 2020 00:19:33 GMT+01:00, Michael <notifications@github.com> wrote:
…when using sendalert, setting misp_publish_on_creation is expected to
create a published event, but this is not happening.
Test search:
```
| makeresults
| eval no_url="http://test.com"
| eval misp_url = no_url
| eval misp_domain = no_domain
| eval misp_sha256 = fo_sha256
| eval misp_from = eo_from
| eval misp_info="Test info 4"
| eval tags=misp_tag
| eval misp_attribute_tag="test"
| eval misp_publish_on_creation="True"
| eval publish_on_creation=misp_publish_on_creation
| table misp_* no_url no_domain fo_sha256 eo_from
| sendalert misp_alert_create_event param.misp_instance="testinstance"
param.distribution=3 param.threatlevel=3 param.analysis=2
param.tlp="TLP_RED" param.pap="TLP_RED" param.title="Test4"
param.publish_on_creation="True" param.misp_publish_on_creation="True"
```
According to the code [here](https://github.com/remg427/misp42splunk/blob/5d57d2204025bd3cdbcaadc94deccf5d8fb1d862/misp42splunk/bin/modalert_misp_alert_create_event_helper.py#L260),
setting misp_publish_on_creation to the string "True" should set the
event["published"] param to boolean True, which all makes sense. I have
no idea why it isn't being published.
Thanks in advance for your help and for maintaining this project.
@remg427 The user is an admin with publish rights; no restrictions on publishing are set. The audit logs show this:
I'm wondering if a separate call to publish() is needed.
@remg427 Have you been able to reproduce the problem?
Hello, I couldn't work on it yet; it is planned for this week.
Hello, I tested from the dashboard of 4.0.0 and it works: the event is published at creation.
On 13 December 2020 00:21:09 GMT+01:00, Michael <notifications@github.com> wrote:
…
@remg427 Have you been able to reproduce the problem?
You should set logging to debug so you will see the exact payload in the logs, and then you can use the MISP REST API client to test directly on MISP.
@remg427 I've moved on from this by writing a scheduled script that auto-publishes everything; I had issues with this: MISP/MISP#6748. I don't know if it is a MISP version issue, but one of the problems I ran into is how 'published' worked with 0/1 but not with True/False.
Hi,
Could you set the log level to debug and check what is passed to MISP and what return you get from MISP?
Then, using the MISP REST client with the very same payload, check if events are created.
I will double check the accepted strings for True.
@remg427 I will try to get this, but the problem I have is that I'm not the Splunk admin. Due to holidays I'm not able to get someone with access to the debug log in Splunk to assist me unless it is urgent.
Are you allowed to configure this app?
If yes, then setting the log level to DEBUG allows you to see logs in the internal index. This should be displayed on the dashboard where you can test the alert action.
These are almost default settings, and you might have access to them with the power role.
@remg427, the app is set to debug. I ran the example search I used to create this issue, and below is the debug output for the Splunk process that ran:
I don't see much that would be useful here, but let me know. It isn't showing the JSON request to MISP (I looked at the processes' logs as well). I am on MISP42 3.1.12; I am unable to upgrade to 4.x due to Python incompatibility with my Splunk version.
Hello, MISP42 works on my side with Splunk 7.2.10.1 if you don't check the certificate (the requests library on the server misses one library, and the lib shipped with misp42splunk under aob_py2 is not taken into account). This will be fixed in the forthcoming 4.0.1.
@remg427, when the upgrade to 4.0.0 was tested on Splunk 7.3.0, the configuration page did not load. Additionally, the app is not "Splunk AppInspect Passed" for 7.3.* or any 7.* (https://splunkbase.splunk.com/app/4335/), which prevents us from implementing it in production. If 4.0.1 can address these concerns, I think that would solve this and many other roadblocks.
4.0.1 published: values set to 0 for No and 1 for Yes to avoid case issues.
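As an added example (not the misp42splunk project's own code), this is how the publish flag could be normalised and verified along the lines discussed in this thread: both the "True"/"False" strings a 3.x search passes and the 0/1 values introduced in 4.0.1 become a real JSON boolean, the exact payload is logged at DEBUG so it can be replayed with a REST client, and if MISP returns the event unpublished the separate publish() call Michael asked about is made. The `post` helper and the `fake_misp` stand-in are hypothetical: the stand-in is constructed to mimic the behaviour reported above (0/1 honoured, True/False not), and the REST paths assumed are MISP's /events/add and /events/publish/<id>.

```python
import logging
log = logging.getLogger("misp_alert_create_event")

# 4.0.1 moved the app to 0/1, but searches written for 3.x still pass
# "True"/"False"; both forms are normalised (case-insensitively) to a bool.
_TRUE = {"1", "true", "yes"}
_FALSE = {"0", "false", "no", ""}

def parse_publish_flag(value):
    """Map the publish_on_creation parameter to a bool; anything else is a config error."""
    text = str(value).strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    raise ValueError("unrecognised publish_on_creation value: %r" % (value,))

def build_event(info, params):
    """Build the Event body for POST /events/add with a boolean 'published'."""
    event = {
        "info": info,
        "distribution": int(params.get("distribution", 0)),
        "threat_level_id": int(params.get("threatlevel", 4)),
        "analysis": int(params.get("analysis", 0)),
        "published": parse_publish_flag(params.get("publish_on_creation", "0")),
    }
    log.debug("MISP payload: %r", event)  # replayable by hand from a REST client
    return event

def create_event(info, params, post):
    """Create the event, check MISP really set 'published', else publish explicitly.
    post(path, body) is a hypothetical HTTP helper returning the parsed JSON reply."""
    event = build_event(info, params)
    created = post("/events/add", {"Event": event})["Event"]
    published = str(created.get("published")).lower() in _TRUE
    fell_back = False
    if event["published"] and not published:
        log.warning("event %s created unpublished; publishing explicitly", created["id"])
        post("/events/publish/%s" % created["id"], {})
        published = fell_back = True
    return {"id": created["id"], "published": published, "fallback_used": fell_back}

def fake_misp(path, body):
    """Constructed MISP stand-in: 'published' is honoured only for the integers 0/1."""
    if path == "/events/add":
        flag = body["Event"].get("published")
        pub = type(flag) is int and flag == 1
        return {"Event": {"id": "7", "published": pub}}
    return {"message": "Event published."}
```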
Thank you @remg427, greatly appreciate your work on this. Please give me a week or so to test this and I'll close out the issue.
@remg427 Unfortunately, upgrading from 3.x to 4.0.1 results in the configuration page looping: Are you able to duplicate this, and do you recommend anything to resolve it? EDIT: Installing it from scratch does the same thing.