Inputs.conf is not created in MISP #195
Comments
Hello Remi
The problem that I have is that I don't have any events from MISP in Splunk,
Below is the search syntax that we are using
| mispgetioc misp_instance=default_misp pipesplit=true add_description=true category="External analysis,Financial fraud,Internal reference,Network activity,Other,Payload delivery,Payload installation,Payload type,Persistence mechanism,Person,Social network,Support Tool,Targeting data" last=90d to_ids=true geteventtag=true warning_list=true not_tags="osint:source-type=\"block-or-filter-list\"" | eval ip=coalesce(misp_ip_dst, misp_ip_src, misp_ip) | eval domain=misp_domain | eval src_user=coalesce(misp_email_src, misp_email_src_display_name) | eval subject=misp_email_subject | eval file_name=misp_filename | eval file_hash=coalesce(misp_sha1, misp_sha256, misp_sha512, misp_md5, misp_ssdeep) | eval url=coalesce(misp_url,misp_hostname) | eval http_user_agent=misp_user_agent | eval registry_value_name=misp_regkey | eval registry_value_text=if(isnotnull(misp_regkey),misp_value,null) | eval description = misp_description | table domain,description,file_hash,file_name,http_user_agent,ip,registry_value_name,registry_value_text,src_user,subject,url,weight
Thank you and Best Regards,
Aldo Arreola
“Think like a proton and stay positive”
|
Hi
Have you defined instance default_misp?
If you use another custom command like mispcollect have you any result?
Could you test with a specific event ID to validate connection?
I like your signature😃
--
Sent with K-9 Mail.
|
Hello Remi,
We are stuck on the connection between MISP and Splunk; I feel that there is an issue in this connectivity. I'm not using another custom command to get more results.
Do you think it would be possible to have a remote session so I can show you my configuration and you can help with this issue?
Thank you and Best Regards,
Aldo Arreola
“Think like a proton and stay positive”
|
Hello Remi
We did additional tests by running different commands and this is the result:
Command:
| mispgetevent misp_instance=MISP json_request=json eventid=1795 last=120d published=true
Error Messages:
Error 1:
External search command 'mispgetevent' returned error code 1. Script output = "error_message=Exception at "/opt/splunk/etc/apps/misp42splunk/bin/mispgetevent.py", line 426 : Missing "json_request", "eventid", "last" or "date" argument ".
Error 2:
External search command 'mispgetevent' returned error code 1. Script output = "error_message=Exception at "/opt/splunk/etc/apps/misp42splunk/bin/mispgetevent.py", line 431 : Options "json_request", "eventid", "last" and "date" are mutually exclusive ".
Any help here?
Thank you and Best Regards,
Aldo Arreola
“Think like a proton and stay positive”
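The two errors quoted above come from the selector check in mispgetevent: exactly one of json_request, eventid, last or date must be supplied, and the command in the post passes three of them at once. The validator below is an added illustration, not misp42splunk's own code; it parses the key=value options of such a search line and reports the same two conditions, run against the command from the post and a corrected form that selects by event id only.

```python
import shlex
from typing import Optional

# The four selector options that mispgetevent treats as mutually exclusive
# (names taken from the error messages quoted in the thread).
SELECTORS = ("json_request", "eventid", "last", "date")


def parse_options(search: str) -> dict:
    """Parse the key=value options of a '| mispgetevent ...' search line.

    The leading pipe and the command name are skipped; shlex keeps quoted
    values intact. Assumption: option keys never contain '='.
    """
    tokens = shlex.split(search.lstrip("| ").strip())
    opts = {}
    for tok in tokens[1:]:  # tokens[0] is the command name
        if "=" not in tok:
            continue
        key, value = tok.split("=", 1)
        opts[key] = value
    return opts


def check_selectors(opts: dict) -> Optional[str]:
    """Return a message mirroring the two quoted exceptions, or None if OK."""
    given = [k for k in SELECTORS if k in opts]
    if not given:
        return 'Missing "json_request", "eventid", "last" or "date" argument'
    if len(given) > 1:
        return ('Options "json_request", "eventid", "last" and "date" are '
                'mutually exclusive (got: %s)' % ", ".join(given))
    return None


def validate(search: str) -> Optional[str]:
    return check_selectors(parse_options(search))


# The exact command from the post (three selectors at once) and a corrected
# form that selects by event id only.
BROKEN = ('| mispgetevent misp_instance=MISP json_request=json eventid=1795 '
          'last=120d published=true')
FIXED = '| mispgetevent misp_instance=MISP eventid=1795'

if __name__ == "__main__":
    print(validate(BROKEN))  # reports the mutually exclusive options
    print(validate(FIXED))   # None
```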
|
Hi
Simply connect to your MISP server, the one you have configured with instance name MISP
Pick one event id and run one of the following commands
| mispgetioc misp_instance=MISP eventid=<your event id>
This should return all attributes in the event
Let me know how it works
--
Sent with K-9 Mail.
|
Hello Remy
I was able to connect to MISP and see the events in MISP
But I can't see any event created on MISP, even if I create them manually and publish them.
Thank you and Best Regards,
Aldo Arreola
“Think like a proton and stay positive”
|
Hello Remy,
Trusting you are ok, wondering if you could help us validate why we can't see published events from MISP in Splunk.
Thank you and Best Regards,
Aldo Arreola
“Think like a proton and stay positive”
|
hello sorry for late reply
do you still face issues?
|
Now is solved Remy
Thank you so much!
Thank you and Best Regards,
Aldo Arreola
“Think like a proton and stay positive”
|
Once I execute a search for MISP, I receive the below error:
External search command 'mispgetioc' returned error code 1. Script output = "error_message=HTTPError at "/opt/splunk/etc/apps/misp42splunk/lib/splunklib/binding.py"
Inputs.conf is not created automatically; what should I include in this inputs.conf?