Generic IPs can be handled by `domain-ip` but it would be more useful if we could also target `ip-src` and `ip-dst`, which are (at least in my experience) more commonly used in threat feeds.
Hi,
You can add any MISP attribute type: simply make the field names `misp_ip_src`, `misp_ip_dst`, etc.
Even combined attribute types are supported.
Simply add the prefix `misp_` to the attribute type and replace any `-` by `_` in the Splunk field names, as `-` is not well supported in field names, as you know.
When it comes to objects, only those 3 are indeed supported.
The documentation is maybe short, but I have made a dashboard for each command and alert action to clarify.
Cheers
Remi
On 31 October 2023 14:23:10 GMT+00:00, hkelley ***@***.***> wrote:
Skimming the code here:
https://github.com/remg427/misp42splunk/blob/f9a405aa2f4d6fc11d7821f5b5849188cfe46989/package/bin/misp42splunk/modalert_misp_alert_create_event_helper.py#L277C16-L277C16
we only seem to be able to create these three types of attributes:
```python
fo_template = init_object_template(helper, 'file')
fo_attribute = []
eo_template = init_object_template(helper, 'email')
eo_attribute = []
no_template = init_object_template(helper, 'domain-ip')
no_attribute = []
```
Generic IPs can be handled by `domain-ip` but it would be more useful if we could also target `ip-src` and `ip-dst`, which are (at least in my experience) more commonly used in threat feeds.
--
Reply to this email directly or view it on GitHub:
#249
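As an added illustration of the field-naming convention Remi describes (prefix `misp_`, `-` written as `_`), here is a small Python helper that maps Splunk result fields back to MISP attribute types and sanity-checks the values before they would be sent to MISP. This is example code written for this thread, not misp42splunk's own implementation (which lives in the linked helper); the `KNOWN_MISP_TYPES` subset, the validation rules and the sample row are assumptions constructed for the example, and composite (`|`) types are not handled here.

```python
"""Map Splunk fields named misp_<type> to MISP attributes and validate them.

Added example for the naming convention discussed in the thread; it is not
misp42splunk's own code. The type subset and checks below are assumptions.
"""
import ipaddress
import re

# Constructed subset of MISP attribute types, enough for the example; the
# authoritative list is MISP's own, not this set.
KNOWN_MISP_TYPES = {
    "ip-src", "ip-dst", "domain", "hostname", "url",
    "md5", "sha256", "email-src", "email-dst",
}

FIELD_PREFIX = "misp_"

# Hash types get a shape check so malformed values are not pushed into MISP.
HEX_SHAPES = {
    "md5": re.compile(r"^[0-9a-fA-F]{32}$"),
    "sha256": re.compile(r"^[0-9a-fA-F]{64}$"),
}


def field_to_misp_type(field):
    """Splunk field name -> MISP attribute type, or None if not a misp_ field.

    Applies the convention from the thread: strip the misp_ prefix and turn
    '_' back into '-' (MISP types such as ip-src are hyphenated, Splunk
    field names avoid the hyphen).
    """
    if not field.startswith(FIELD_PREFIX):
        return None
    return field[len(FIELD_PREFIX):].replace("_", "-")


def value_is_plausible(misp_type, value):
    """Cheap per-type sanity check on the attribute value."""
    if misp_type in ("ip-src", "ip-dst"):
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if misp_type in HEX_SHAPES:
        return bool(HEX_SHAPES[misp_type].match(value))
    return bool(value.strip())


def extract_attributes(row):
    """Turn one Splunk result row into MISP attribute dicts.

    Returns (attributes, rejected): attributes is a list of
    {"type": ..., "value": ...}; rejected is a list of (field, reason)
    pairs for misp_ fields that were skipped, so the alert can log them.
    """
    attributes, rejected = [], []
    for field, value in row.items():
        misp_type = field_to_misp_type(field)
        if misp_type is None:
            continue  # ordinary Splunk field, not destined for MISP
        if misp_type not in KNOWN_MISP_TYPES:
            rejected.append((field, "unknown MISP attribute type %s" % misp_type))
            continue
        value = (value or "").strip()
        if not value_is_plausible(misp_type, value):
            rejected.append((field, "implausible value for %s" % misp_type))
            continue
        attributes.append({"type": misp_type, "value": value})
    return attributes, rejected


# Constructed sample row, shaped like one Splunk search result.
SAMPLE_ROW = {
    "_time": "2023-10-31T14:23:10Z",
    "src_ip": "192.0.2.10",        # ordinary field, ignored
    "misp_ip_src": "192.0.2.10",
    "misp_ip_dst": "198.51.100.7",
    "misp_domain": "bad.example",
    "misp_md5": "not-a-hash",      # rejected: malformed hash
    "misp_not_a_type": "x",        # rejected: no such MISP type
    "misp_url": "",                # rejected: empty value
}

if __name__ == "__main__":
    attrs, rej = extract_attributes(SAMPLE_ROW)
    for attr in attrs:
        print("attribute", attr)
    for field, why in rej:
        print("skipped", field, "-", why)
```

The `rejected` list is the part worth keeping in an alert action: a field that silently maps to a type MISP does not know, or an IP field carrying a hostname, is easier to find if it is logged at creation time than after it has been rejected by the MISP API.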