<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Can't configure MISP feeds on splunk enterprise in All Apps and Add-ons</title>
    <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-cant-I-configure-MISP-feeds-on-splunk-enterprise/m-p/484441#M59596</link>
    <description>&lt;PRE&gt;&lt;CODE&gt;| makeresults 
| eval _raw="{\"Event\": {\"info\": \"OSINT - Saudi Arabia's 'Game of Thobes'\", \"Tag\": [{\"colour\": \"#004646\", \"exportable\": true, \"name\": \"type:OSINT\"}, {\"colour\": \"#ffffff\", \"exportable\": true, \"name\": \"tlp:white\"}], \"publish_timestamp\": \"0\", \"timestamp\": \"1510922476\", \"Object\": [{\"comment\": \"\", \"template_uuid\": \"8ec8c911-ddbe-4f5b-895b-fbff70c42a60\", \"uuid\": \"5a09ab2f-39b8-490c-84fb-4daf950d210f\", \"sharing_group_id\": \"0\", \"timestamp\": \"1510583087\", \"description\": \"Microblog post like a Twitter tweet or a post on a Facebook wall.\", \"template_version\": \"3\", \"Attribute\": [{\"comment\": \"\", \"category\": \"Other\", \"uuid\": \"5a09ab2f-fb18-4691-ad33-4c74950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": false, \"value\": \"\\\"Saudi Arabia's 'Game of Thobes'.doc\\u05f3\\\" submitted from TR, CVE-2017-11826, \\r\\nC2: 45.76.106[.]149 , 45.76.36[.]243 , saudiedi.toh[.]info\\r\\n\\r\\nMore details in Raw Threat Intelligence:\\r\\n\\r\\n(link: &lt;A href="https://docs.google.com/document/d/1_nEWAmec3bKBddv30UPXJMiN-F0Ojuhfsmvk6KpFq0Q/edit#heading=h.iixpbs2pcjjp)" target="test_blank"&gt;https://docs.google.com/document/d/1_nEWAmec3bKBddv30UPXJMiN-F0Ojuhfsmvk6KpFq0Q/edit#heading=h.iixpbs2pcjjp)&lt;/A&gt; docs.google.com/document/d/1_n\\u2026\", \"disable_correlation\": false, \"object_relation\": \"post\", \"type\": \"text\"}, {\"comment\": \"\", \"category\": \"Other\", \"uuid\": \"5a09ab2f-e0cc-4dbb-a6f9-47e2950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": false, \"value\": \"Twitter\", \"disable_correlation\": true, \"object_relation\": \"type\", \"type\": \"text\"}, {\"comment\": \"\", \"category\": \"External analysis\", \"uuid\": \"5a09ab2f-db38-4066-9878-4865950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": true, \"value\": \"https://mobile.twitter.com/ClearskySec/status/929998314002673666\", \"disable_correlation\": false, \"object_relation\": \"link\", \"type\": \"url\"}, 
{\"comment\": \"\", \"category\": \"Other\", \"uuid\": \"5a09ab2f-13c0-4417-9869-42c4950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": false, \"value\": \"2017/11/13\", \"disable_correlation\": false, \"object_relation\": \"creation-date\", \"type\": \"datetime\"}, {\"comment\": \"\", \"category\": \"Other\", \"uuid\": \"5a09ab2f-9960-4d5f-a028-4b36950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": false, \"value\": \"@ClearskySec\", \"disable_correlation\": false, \"object_relation\": \"username\", \"type\": \"text\"}], \"distribution\": \"5\", \"meta-category\": \"misc\", \"name\": \"microblog\"}, {\"comment\": \"\", \"template_uuid\": \"688c46fb-5edb-40a3-8273-1af7923e2215\", \"uuid\": \"5a09abf7-7304-4831-b206-46b8950d210f\", \"sharing_group_id\": \"0\", \"timestamp\": \"1510583287\", \"description\": \"File object describing a file with meta-information\", \"template_version\": \"4\", \"Attribute\": [{\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09abf7-76f0-4ca2-aa9c-4db4950d210f\", \"timestamp\": \"1510583287\", \"to_ids\": true, \"value\": \"aede654e77e92dbd77ca512e19f495b8\", \"disable_correlation\": false, \"object_relation\": \"md5\", \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09abf7-952c-4203-934c-423d950d210f\", \"timestamp\": \"1510583287\", \"to_ids\": true, \"value\": \"2017-11-13 \\u201cSaudi Arabia's 'Game of Thobes'.doc\", \"disable_correlation\": false, \"object_relation\": \"filename\", \"type\": \"filename\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09abf7-970c-4251-b73f-42d6950d210f\", \"timestamp\": \"1510583287\", \"to_ids\": true, \"value\": \"aed93c002574f25dabd1859f080203a2c8f332e92c80db9aa983316695d938d3\", \"disable_correlation\": false, \"object_relation\": \"sha256\", \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09abf7-cfc0-499a-8a40-4f86950d210f\", \"timestamp\": \"1510583287\", 
\"to_ids\": true, \"value\": \"d9fac68b6c49c485675d9141f375799d10572999\", \"disable_correlation\": false, \"object_relation\": \"sha1\", \"type\": \"sha1\"}], \"distribution\": \"5\", \"meta-category\": \"file\", \"name\": \"file\"}, {\"comment\": \"\", \"template_uuid\": \"688c46fb-5edb-40a3-8273-1af7923e2215\", \"uuid\": \"5a09ad27-2430-434c-ad1b-47ea950d210f\", \"sharing_group_id\": \"0\", \"timestamp\": \"1510583591\", \"description\": \"File object describing a file with meta-information\", \"template_version\": \"4\", \"Attribute\": [{\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09ad28-2694-4e83-a1a5-498e950d210f\", \"timestamp\": \"1510583592\", \"to_ids\": true, \"value\": \"b76f4c8c22b84600ac3cff64dadfaf8b\", \"disable_correlation\": false, \"object_relation\": \"md5\", \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09ad28-47e8-4ede-a675-40ef950d210f\", \"timestamp\": \"1510583592\", \"to_ids\": true, \"value\": \"%TEMP%\\\\vcpkgs.exe\", \"disable_correlation\": false, \"object_relation\": \"filename\", \"type\": \"filename\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09ad28-1a0c-4042-a259-4aa1950d210f\", \"timestamp\": \"1510583592\", \"to_ids\": true, \"value\": \"5ae0a582ed5d60324d6d1397be3deb0c704a1d77c9ef3d5f486455f99da32e7f\", \"disable_correlation\": false, \"object_relation\": \"sha256\", \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09ad28-fadc-440f-8140-40fc950d210f\", \"timestamp\": \"1510583592\", \"to_ids\": true, \"value\": \"78c0266456e33abed00895cb05d0f9fe09b83da3\", \"disable_correlation\": false, \"object_relation\": \"sha1\", \"type\": \"sha1\"}], \"distribution\": \"5\", \"meta-category\": \"file\", \"name\": \"file\"}, {\"comment\": \"\", \"template_uuid\": \"688c46fb-5edb-40a3-8273-1af7923e2215\", \"uuid\": \"5a09b25e-24f0-4913-8df2-4a94950d210f\", \"sharing_group_id\": \"0\", \"timestamp\": 
\"1510584926\", \"description\": \"File object describing a file with meta-information\", \"template_version\": \"4\", \"Attribute\": [{\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b25e-3828-4faa-a73a-4e89950d210f\", \"timestamp\": \"1510584926\", \"to_ids\": true, \"value\": \"fea6546e3299a31a58a3aa2a6b7060c9\", \"disable_correlation\": false, \"object_relation\": \"md5\", \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b25f-0a8c-4cc8-ba65-4a98950d210f\", \"timestamp\": \"1510584927\", \"to_ids\": true, \"value\": \"26c672b2537f8a89f2d59674f00bcfe9825796ca9b1ec51c96e5675dd586b87b\", \"disable_correlation\": false, \"object_relation\": \"sha256\", \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b25f-7798-4c48-8baf-4d76950d210f\", \"timestamp\": \"1510584927\", \"to_ids\": true, \"value\": \"eddf2ca780b4396c0bf5ea3f13d22275fb6822fc\", \"disable_correlation\": false, \"object_relation\": \"sha1\", \"type\": \"sha1\"}], \"distribution\": \"5\", \"meta-category\": \"file\", \"name\": \"file\"}], \"analysis\": \"2\", \"Attribute\": [{\"comment\": \"\", \"category\": \"External analysis\", \"uuid\": \"5a09ab4a-49f4-4c13-9da2-458b950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": false, \"value\": \"https://docs.google.com/document/d/1_nEWAmec3bKBddv30UPXJMiN-F0Ojuhfsmvk6KpFq0Q/edit#heading=h.iixpbs2pcjjp\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"link\"}, {\"comment\": \"C2\", \"category\": \"Network activity\", \"uuid\": \"5a09ab6e-33f0-4d46-b1e4-42e7950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"45.76.106.149\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"ip-dst\"}, {\"comment\": \"C2\", \"category\": \"Network activity\", \"uuid\": \"5a09ab6e-2168-4156-b837-4462950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"45.76.36.243\", 
\"disable_correlation\": false, \"object_relation\": null, \"type\": \"ip-dst\"}, {\"comment\": \"C2\", \"category\": \"Network activity\", \"uuid\": \"5a09ab6e-88f4-40d1-94bd-44ba950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"saudiedi.toh.info\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"hostname\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09af92-143c-4539-b34a-4939950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"a1047665ed9d665f5cf066e4a9902d809e7325cf\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha1\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09af92-4234-4cfc-8aa2-4154950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"ade199b16607fd29c8e7288fb750ca2b\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09af92-f3d4-4794-9bfd-48a2950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"d5b22843aabbbc20af253d579fd1f098138be85e2cff4677f7886e8d31ff00cb\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09af92-b3a8-4ad7-a250-4fc7950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"saudiedi.toh.info/search?q=%E7%DF%5D%10&amp;amp;cvid=714105926300154928\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-f700-41f7-9d84-43ab950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"articles/937933.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-7710-49d4-9626-460c950d210f\", \"timestamp\": \"1510922447\", 
\"to_ids\": true, \"value\": \"articles/937934.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-5d74-4020-bd70-44fe950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"articles/937935.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-3ec4-4e61-a267-455f950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"articles/937936.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-d328-4cd7-8d4b-46ad950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"articles/937937.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-9e98-4bc5-abc1-4f62950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"articles/937938.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b133-be00-49f3-8ee8-48c6950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"00007AA8[.]ex_\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"filename\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b133-653c-413d-9682-4ac3950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"Saudi Arabia's 'Game of Thobes'[.]doc\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"filename\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b326-833c-48ce-8397-4034950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"8598313222c41280eb42863eda8a9490\", 
\"disable_correlation\": false, \"object_relation\": null, \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b326-4660-4c3b-92ba-4a33950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"256c631372692a1a907b04d27a735eb0905a003e\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha1\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b326-bd9c-4a2e-9950-4ff8950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"50eedaf3150253cc2298446615421f4caa0482cb93658dc095855c38d425e3fb\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b326-1c58-4d04-afb8-46ab950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"8c81eb0fb49c40a1fa5474f45ff638961330ff73198dc7d537667455e5273bb8\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha256\"}, {\"comment\": \"- Xchecked via VT: 8c81eb0fb49c40a1fa5474f45ff638961330ff73198dc7d537667455e5273bb8\", \"category\": \"External analysis\", \"uuid\": \"5a0ed8d0-a348-4851-8def-40e502de0b81\", \"timestamp\": \"1510922448\", \"to_ids\": false, \"value\": \"https://www.virustotal.com/file/8c81eb0fb49c40a1fa5474f45ff638961330ff73198dc7d537667455e5273bb8/analysis/1509021029/\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"link\"}, {\"comment\": \"- Xchecked via VT: d5b22843aabbbc20af253d579fd1f098138be85e2cff4677f7886e8d31ff00cb\", \"category\": \"External analysis\", \"uuid\": \"5a0ed8d0-2e64-4b0e-b0c7-420e02de0b81\", \"timestamp\": \"1510922448\", \"to_ids\": false, \"value\": \"https://www.virustotal.com/file/d5b22843aabbbc20af253d579fd1f098138be85e2cff4677f7886e8d31ff00cb/analysis/1510308447/\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"link\"}], \"extends_uuid\": \"\", \"published\": false, \"date\": \"2017-11-13\", 
\"Orgc\": {\"uuid\": \"55f6ea5e-2c60-40e5-964f-47a8950d210f\", \"name\": \"CIRCL\"}, \"threat_level_id\": \"3\", \"uuid\": \"5a09aaa3-e7fc-4e3c-acda-cb8d950d210f\"}}"
| spath
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Posted as an answer because it was too long.&lt;/P&gt;

&lt;P&gt;If you can capture the logs in a different way, you can extract fields normally.&lt;/P&gt;

&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/UsetheHTTPEventCollector"&gt;Set up and use HTTP Event Collector in Splunk Web&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;I think it's better to ask a separate question about this.&lt;BR /&gt;
Sorry, I do not know.&lt;/P&gt;</description>
    <pubDate>Sun, 19 Jan 2020 00:30:45 GMT</pubDate>
    <dc:creator>to4kawa</dc:creator>
    <dc:date>2020-01-19T00:30:45Z</dc:date>
    <item>
      <title>Why cant I configure MISP feeds on splunk enterprise?</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-cant-I-configure-MISP-feeds-on-splunk-enterprise/m-p/484440#M59595</link>
      <description>&lt;P&gt;Hello, I'm trying to configure this app: &lt;A href="https://splunkbase.splunk.com/app/4335/#/details" target="_blank"&gt;https://splunkbase.splunk.com/app/4335/#/details&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;but I'm getting this error (&lt;STRONG&gt;Invalid URL; it must start with https and do not add ending /&lt;/STRONG&gt;) with the URL of a public feed:&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alt text"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/8219i763872299AED35C4/image-size/large?v=v2&amp;amp;px=999" role="button" title="alt text" alt="alt text" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;I tried these too and got the same error: &lt;BR /&gt;&lt;A href="https://www.circl.lu/doc/misp/feed-osint" target="_blank"&gt;https://www.circl.lu/doc/misp/feed-osint&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://www.circl.lu/doc/misp/feed-osint/5a09aaa3-e7fc-4e3c-acda-cb8d950d210f.json" target="_blank"&gt;https://www.circl.lu/doc/misp/feed-osint/5a09aaa3-e7fc-4e3c-acda-cb8d950d210f.json&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Am I doing something wrong, or am I missing something in the URL?&lt;/P&gt;
&lt;P&gt;Thanks in advance!&lt;/P&gt;</description>
      <pubDate>Tue, 01 Aug 2023 18:25:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-cant-I-configure-MISP-feeds-on-splunk-enterprise/m-p/484440#M59595</guid>
      <dc:creator>3DGjos</dc:creator>
      <dc:date>2023-08-01T18:25:39Z</dc:date>
    </item>
    <item>
      <title>Re: Can't configure MISP feeds on splunk enterprise</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-cant-I-configure-MISP-feeds-on-splunk-enterprise/m-p/484441#M59596</link>
      <description>&lt;PRE&gt;&lt;CODE&gt;| makeresults 
| eval _raw="{\"Event\": {\"info\": \"OSINT - Saudi Arabia's 'Game of Thobes'\", \"Tag\": [{\"colour\": \"#004646\", \"exportable\": true, \"name\": \"type:OSINT\"}, {\"colour\": \"#ffffff\", \"exportable\": true, \"name\": \"tlp:white\"}], \"publish_timestamp\": \"0\", \"timestamp\": \"1510922476\", \"Object\": [{\"comment\": \"\", \"template_uuid\": \"8ec8c911-ddbe-4f5b-895b-fbff70c42a60\", \"uuid\": \"5a09ab2f-39b8-490c-84fb-4daf950d210f\", \"sharing_group_id\": \"0\", \"timestamp\": \"1510583087\", \"description\": \"Microblog post like a Twitter tweet or a post on a Facebook wall.\", \"template_version\": \"3\", \"Attribute\": [{\"comment\": \"\", \"category\": \"Other\", \"uuid\": \"5a09ab2f-fb18-4691-ad33-4c74950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": false, \"value\": \"\\\"Saudi Arabia's 'Game of Thobes'.doc\\u05f3\\\" submitted from TR, CVE-2017-11826, \\r\\nC2: 45.76.106[.]149 , 45.76.36[.]243 , saudiedi.toh[.]info\\r\\n\\r\\nMore details in Raw Threat Intelligence:\\r\\n\\r\\n(link: &lt;A href="https://docs.google.com/document/d/1_nEWAmec3bKBddv30UPXJMiN-F0Ojuhfsmvk6KpFq0Q/edit#heading=h.iixpbs2pcjjp)" target="test_blank"&gt;https://docs.google.com/document/d/1_nEWAmec3bKBddv30UPXJMiN-F0Ojuhfsmvk6KpFq0Q/edit#heading=h.iixpbs2pcjjp)&lt;/A&gt; docs.google.com/document/d/1_n\\u2026\", \"disable_correlation\": false, \"object_relation\": \"post\", \"type\": \"text\"}, {\"comment\": \"\", \"category\": \"Other\", \"uuid\": \"5a09ab2f-e0cc-4dbb-a6f9-47e2950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": false, \"value\": \"Twitter\", \"disable_correlation\": true, \"object_relation\": \"type\", \"type\": \"text\"}, {\"comment\": \"\", \"category\": \"External analysis\", \"uuid\": \"5a09ab2f-db38-4066-9878-4865950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": true, \"value\": \"https://mobile.twitter.com/ClearskySec/status/929998314002673666\", \"disable_correlation\": false, \"object_relation\": \"link\", \"type\": \"url\"}, 
{\"comment\": \"\", \"category\": \"Other\", \"uuid\": \"5a09ab2f-13c0-4417-9869-42c4950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": false, \"value\": \"2017/11/13\", \"disable_correlation\": false, \"object_relation\": \"creation-date\", \"type\": \"datetime\"}, {\"comment\": \"\", \"category\": \"Other\", \"uuid\": \"5a09ab2f-9960-4d5f-a028-4b36950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": false, \"value\": \"@ClearskySec\", \"disable_correlation\": false, \"object_relation\": \"username\", \"type\": \"text\"}], \"distribution\": \"5\", \"meta-category\": \"misc\", \"name\": \"microblog\"}, {\"comment\": \"\", \"template_uuid\": \"688c46fb-5edb-40a3-8273-1af7923e2215\", \"uuid\": \"5a09abf7-7304-4831-b206-46b8950d210f\", \"sharing_group_id\": \"0\", \"timestamp\": \"1510583287\", \"description\": \"File object describing a file with meta-information\", \"template_version\": \"4\", \"Attribute\": [{\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09abf7-76f0-4ca2-aa9c-4db4950d210f\", \"timestamp\": \"1510583287\", \"to_ids\": true, \"value\": \"aede654e77e92dbd77ca512e19f495b8\", \"disable_correlation\": false, \"object_relation\": \"md5\", \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09abf7-952c-4203-934c-423d950d210f\", \"timestamp\": \"1510583287\", \"to_ids\": true, \"value\": \"2017-11-13 \\u201cSaudi Arabia's 'Game of Thobes'.doc\", \"disable_correlation\": false, \"object_relation\": \"filename\", \"type\": \"filename\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09abf7-970c-4251-b73f-42d6950d210f\", \"timestamp\": \"1510583287\", \"to_ids\": true, \"value\": \"aed93c002574f25dabd1859f080203a2c8f332e92c80db9aa983316695d938d3\", \"disable_correlation\": false, \"object_relation\": \"sha256\", \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09abf7-cfc0-499a-8a40-4f86950d210f\", \"timestamp\": \"1510583287\", 
\"to_ids\": true, \"value\": \"d9fac68b6c49c485675d9141f375799d10572999\", \"disable_correlation\": false, \"object_relation\": \"sha1\", \"type\": \"sha1\"}], \"distribution\": \"5\", \"meta-category\": \"file\", \"name\": \"file\"}, {\"comment\": \"\", \"template_uuid\": \"688c46fb-5edb-40a3-8273-1af7923e2215\", \"uuid\": \"5a09ad27-2430-434c-ad1b-47ea950d210f\", \"sharing_group_id\": \"0\", \"timestamp\": \"1510583591\", \"description\": \"File object describing a file with meta-information\", \"template_version\": \"4\", \"Attribute\": [{\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09ad28-2694-4e83-a1a5-498e950d210f\", \"timestamp\": \"1510583592\", \"to_ids\": true, \"value\": \"b76f4c8c22b84600ac3cff64dadfaf8b\", \"disable_correlation\": false, \"object_relation\": \"md5\", \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09ad28-47e8-4ede-a675-40ef950d210f\", \"timestamp\": \"1510583592\", \"to_ids\": true, \"value\": \"%TEMP%\\\\vcpkgs.exe\", \"disable_correlation\": false, \"object_relation\": \"filename\", \"type\": \"filename\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09ad28-1a0c-4042-a259-4aa1950d210f\", \"timestamp\": \"1510583592\", \"to_ids\": true, \"value\": \"5ae0a582ed5d60324d6d1397be3deb0c704a1d77c9ef3d5f486455f99da32e7f\", \"disable_correlation\": false, \"object_relation\": \"sha256\", \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09ad28-fadc-440f-8140-40fc950d210f\", \"timestamp\": \"1510583592\", \"to_ids\": true, \"value\": \"78c0266456e33abed00895cb05d0f9fe09b83da3\", \"disable_correlation\": false, \"object_relation\": \"sha1\", \"type\": \"sha1\"}], \"distribution\": \"5\", \"meta-category\": \"file\", \"name\": \"file\"}, {\"comment\": \"\", \"template_uuid\": \"688c46fb-5edb-40a3-8273-1af7923e2215\", \"uuid\": \"5a09b25e-24f0-4913-8df2-4a94950d210f\", \"sharing_group_id\": \"0\", \"timestamp\": 
\"1510584926\", \"description\": \"File object describing a file with meta-information\", \"template_version\": \"4\", \"Attribute\": [{\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b25e-3828-4faa-a73a-4e89950d210f\", \"timestamp\": \"1510584926\", \"to_ids\": true, \"value\": \"fea6546e3299a31a58a3aa2a6b7060c9\", \"disable_correlation\": false, \"object_relation\": \"md5\", \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b25f-0a8c-4cc8-ba65-4a98950d210f\", \"timestamp\": \"1510584927\", \"to_ids\": true, \"value\": \"26c672b2537f8a89f2d59674f00bcfe9825796ca9b1ec51c96e5675dd586b87b\", \"disable_correlation\": false, \"object_relation\": \"sha256\", \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b25f-7798-4c48-8baf-4d76950d210f\", \"timestamp\": \"1510584927\", \"to_ids\": true, \"value\": \"eddf2ca780b4396c0bf5ea3f13d22275fb6822fc\", \"disable_correlation\": false, \"object_relation\": \"sha1\", \"type\": \"sha1\"}], \"distribution\": \"5\", \"meta-category\": \"file\", \"name\": \"file\"}], \"analysis\": \"2\", \"Attribute\": [{\"comment\": \"\", \"category\": \"External analysis\", \"uuid\": \"5a09ab4a-49f4-4c13-9da2-458b950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": false, \"value\": \"https://docs.google.com/document/d/1_nEWAmec3bKBddv30UPXJMiN-F0Ojuhfsmvk6KpFq0Q/edit#heading=h.iixpbs2pcjjp\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"link\"}, {\"comment\": \"C2\", \"category\": \"Network activity\", \"uuid\": \"5a09ab6e-33f0-4d46-b1e4-42e7950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"45.76.106.149\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"ip-dst\"}, {\"comment\": \"C2\", \"category\": \"Network activity\", \"uuid\": \"5a09ab6e-2168-4156-b837-4462950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"45.76.36.243\", 
\"disable_correlation\": false, \"object_relation\": null, \"type\": \"ip-dst\"}, {\"comment\": \"C2\", \"category\": \"Network activity\", \"uuid\": \"5a09ab6e-88f4-40d1-94bd-44ba950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"saudiedi.toh.info\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"hostname\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09af92-143c-4539-b34a-4939950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"a1047665ed9d665f5cf066e4a9902d809e7325cf\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha1\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09af92-4234-4cfc-8aa2-4154950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"ade199b16607fd29c8e7288fb750ca2b\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09af92-f3d4-4794-9bfd-48a2950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"d5b22843aabbbc20af253d579fd1f098138be85e2cff4677f7886e8d31ff00cb\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09af92-b3a8-4ad7-a250-4fc7950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"saudiedi.toh.info/search?q=%E7%DF%5D%10&amp;amp;cvid=714105926300154928\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-f700-41f7-9d84-43ab950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"articles/937933.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-7710-49d4-9626-460c950d210f\", \"timestamp\": \"1510922447\", 
\"to_ids\": true, \"value\": \"articles/937934.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-5d74-4020-bd70-44fe950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"articles/937935.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-3ec4-4e61-a267-455f950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"articles/937936.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-d328-4cd7-8d4b-46ad950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"articles/937937.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-9e98-4bc5-abc1-4f62950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"articles/937938.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b133-be00-49f3-8ee8-48c6950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"00007AA8[.]ex_\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"filename\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b133-653c-413d-9682-4ac3950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"Saudi Arabia's 'Game of Thobes'[.]doc\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"filename\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b326-833c-48ce-8397-4034950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"8598313222c41280eb42863eda8a9490\", 
\"disable_correlation\": false, \"object_relation\": null, \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b326-4660-4c3b-92ba-4a33950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"256c631372692a1a907b04d27a735eb0905a003e\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha1\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b326-bd9c-4a2e-9950-4ff8950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"50eedaf3150253cc2298446615421f4caa0482cb93658dc095855c38d425e3fb\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b326-1c58-4d04-afb8-46ab950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"8c81eb0fb49c40a1fa5474f45ff638961330ff73198dc7d537667455e5273bb8\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha256\"}, {\"comment\": \"- Xchecked via VT: 8c81eb0fb49c40a1fa5474f45ff638961330ff73198dc7d537667455e5273bb8\", \"category\": \"External analysis\", \"uuid\": \"5a0ed8d0-a348-4851-8def-40e502de0b81\", \"timestamp\": \"1510922448\", \"to_ids\": false, \"value\": \"https://www.virustotal.com/file/8c81eb0fb49c40a1fa5474f45ff638961330ff73198dc7d537667455e5273bb8/analysis/1509021029/\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"link\"}, {\"comment\": \"- Xchecked via VT: d5b22843aabbbc20af253d579fd1f098138be85e2cff4677f7886e8d31ff00cb\", \"category\": \"External analysis\", \"uuid\": \"5a0ed8d0-2e64-4b0e-b0c7-420e02de0b81\", \"timestamp\": \"1510922448\", \"to_ids\": false, \"value\": \"https://www.virustotal.com/file/d5b22843aabbbc20af253d579fd1f098138be85e2cff4677f7886e8d31ff00cb/analysis/1510308447/\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"link\"}], \"extends_uuid\": \"\", \"published\": false, \"date\": \"2017-11-13\", 
\"Orgc\": {\"uuid\": \"55f6ea5e-2c60-40e5-964f-47a8950d210f\", \"name\": \"CIRCL\"}, \"threat_level_id\": \"3\", \"uuid\": \"5a09aaa3-e7fc-4e3c-acda-cb8d950d210f\"}}"
| spath
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Posted as an answer because it was too long.&lt;/P&gt;

&lt;P&gt;If you can capture the logs in a different way, you can extract fields normally.&lt;/P&gt;

&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/UsetheHTTPEventCollector"&gt;Set up and use HTTP Event Collector in Splunk Web&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;I think it's better to ask a separate question about this.&lt;BR /&gt;
Sorry, I do not know.&lt;/P&gt;</description>
      <pubDate>Sun, 19 Jan 2020 00:30:45 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-cant-I-configure-MISP-feeds-on-splunk-enterprise/m-p/484441#M59596</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-01-19T00:30:45Z</dc:date>
    </item>
    <item>
      <title>Re: Can't configure MISP feeds on splunk enterprise</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-cant-I-configure-MISP-feeds-on-splunk-enterprise/m-p/484442#M59597</link>
      <description>&lt;PRE&gt;&lt;CODE&gt;.... 
| spath path=Event.Object{} output=Event_Object
| spath path=Event.Tag{} output=Event_Tag
| spath path=Event.publish_timestamp output=publish_timestamp
| spath path=Event.timestamp output=timestamp
| eval _time=strftime(timestamp,"%F %T") 
| fields - _raw 
| stats values(_time) as _time list(*) as * by Event_Object 
| spath input=Event_Object 
| streamstats count as session 
| eval counter=mvrange(0,mvcount('Attribute{}.category')) 
| stats values(_time) as _time list(*) as * by session counter 
| eventstats values(counter) as sub_counter by session 
| rename Attribute{}.* as Attribute_* 
| foreach A* 
    [ eval &amp;lt;&amp;lt;FIELD&amp;gt;&amp;gt;=if(mvcount(&amp;lt;&amp;lt;FIELD&amp;gt;&amp;gt;)=mvcount(sub_counter),mvindex(&amp;lt;&amp;lt;FIELD&amp;gt;&amp;gt;,counter),&amp;lt;&amp;lt;FIELD&amp;gt;&amp;gt;)] 
| fields - Event_Object *counter
| streamstats count as counter
| stats values(_time) as _time list(*) as * by session counter Event_Tag
| spath input=Event_Tag path=name output=tag_name
| spath input=Event_Tag path=colour
| spath input=Event_Tag path=exportable
| fields - Event_Tag
| streamstats count as counter
| stats values(_time) as _time list(*) as * by session counter timestamp
| fields - session counter
| table _time *
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The answer above uses only &lt;CODE&gt;spath&lt;/CODE&gt;.&lt;BR /&gt;
This query produces a detailed table.&lt;/P&gt;</description>
      <pubDate>Sun, 19 Jan 2020 13:18:28 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-cant-I-configure-MISP-feeds-on-splunk-enterprise/m-p/484442#M59597</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-01-19T13:18:28Z</dc:date>
    </item>
    <item>
      <title>Re: Can't configure MISP feeds on splunk enterprise</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-cant-I-configure-MISP-feeds-on-splunk-enterprise/m-p/652710#M79540</link>
      <description>&lt;P&gt;I think you should configure the URL of a MISP instance, not the URL of a public feed.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Aug 2023 13:31:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-cant-I-configure-MISP-feeds-on-splunk-enterprise/m-p/652710#M79540</guid>
      <dc:creator>riccardo_spl</dc:creator>
      <dc:date>2023-08-01T13:31:39Z</dc:date>
    </item>
  </channel>
</rss>

