<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Threat intelligence feeds update in Splunk Enterprise Security</title>
    <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/Threat-intelligence-feeds-update/m-p/535447#M9620</link>
    <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;Recently, I installed MISP42Splunk in my environment in order to integrate MISP with Splunk. Below is the workflow on how I tried to do this.&lt;/P&gt;&lt;P&gt;1. Pull IOCs from MISP and outputlookup to a CSV.&lt;/P&gt;&lt;P&gt;2. Use SPL to format the CSV.&lt;/P&gt;&lt;P&gt;3. outputlookup to xxx_intel like ip_intel, email_intel.&lt;/P&gt;&lt;P&gt;But it seems like the "threat - gen" search didn't use the updated IOCs. May I know if I am doing anything wrong, and how to do it correctly? Thanks.&lt;/P&gt;</description>
    <pubDate>Tue, 12 Jan 2021 08:34:16 GMT</pubDate>
    <dc:creator>new2spl_unk</dc:creator>
    <dc:date>2021-01-12T08:34:16Z</dc:date>
    <item>
      <title>Threat intelligence feeds update</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/Threat-intelligence-feeds-update/m-p/535447#M9620</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;Recently, I installed MISP42Splunk in my environment in order to integrate MISP with Splunk. Below is the workflow on how I tried to do this.&lt;/P&gt;&lt;P&gt;1. Pull IOCs from MISP and outputlookup to a CSV.&lt;/P&gt;&lt;P&gt;2. Use SPL to format the CSV.&lt;/P&gt;&lt;P&gt;3. outputlookup to xxx_intel like ip_intel, email_intel.&lt;/P&gt;&lt;P&gt;But it seems like the "threat - gen" search didn't use the updated IOCs. May I know if I am doing anything wrong, and how to do it correctly? Thanks.&lt;/P&gt;</description>
      <pubDate>Tue, 12 Jan 2021 08:34:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/Threat-intelligence-feeds-update/m-p/535447#M9620</guid>
      <dc:creator>new2spl_unk</dc:creator>
      <dc:date>2021-01-12T08:34:16Z</dc:date>
    </item>
    <item>
      <title>Re: Threat intelligence feeds update</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/Threat-intelligence-feeds-update/m-p/535453#M9621</link>
      <description>&lt;P&gt;Wanted to check if you validated same in&lt;BR /&gt;&lt;BR /&gt;ES APP &amp;gt;&amp;gt; Security Intelligence &amp;gt;&amp;gt; Threat Artifacts&lt;BR /&gt;&lt;BR /&gt;or try this search&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| inputlookup append=T service_intel where * 
| `set_threat_collection_name("service_intel")` 
| eval file_name=mvappend(service_file_name,service_dll_file_name), file_path=mvappend(service_file_path, service_dll_file_path), file_hash=mvappend(service_file_hash, service_dll_file_hash) 
| inputlookup append=T process_intel where * 
| `set_threat_collection_name("process_intel")` 
| eval ip=mvappend(src, dest), domain=mvappend(src, dest) 
| inputlookup append=T file_intel where * 
| `set_threat_collection_name("file_intel")` 
| inputlookup append=T certificate_intel where * 
| `set_threat_collection_name("certificate_intel")` 
| mvexpand certificate_serial 
| `get_certificate_serial` 
| eventstats values(certificate_serial) as certificate_serial,values(certificate_serial_clean) as certificate_serial_clean,values(certificate_serial_dec) as certificate_serial_dec by _key 
| dedup _key,threat_collection 
| inputlookup append=T email_intel where * 
| `set_threat_collection_name("email_intel")` 
| inputlookup append=T http_intel where * 
| `set_threat_collection_name("http_intel")` 
| inputlookup append=T ip_intel where * 
| `set_threat_collection_name("ip_intel")` 
| inputlookup append=T registry_intel where * 
| `set_threat_collection_name("registry_intel")` 
| inputlookup append=T user_intel where * 
| fillnull value=0 updated,disabled 
| `set_threat_collection_name("user_intel")` 
| eval file_hash=coalesce(certificate_file_hash,file_hash), src_user=coalesce(certificate_issuer_email,src_user), actual_src_user=coalesce(certificate_subject_email,actual_src_user), ip=coalesce(embedded_ip,ip), domain=coalesce(embedded_domain,domain), file_name=coalesce(process_file_name,file_name), file_path=coalesce(process_file_path,file_path) 
| stats dc(file_hash) as file_hash_count, dc(file_name) as file_name_count, dc(certificate_serial) as certificate_serial_count, dc(certificate_issuer_common_name) as certificate_issuer_common_name_count, dc(src_user) as src_user_count, dc(certificate_issuer_organization) as certificate_issuer_organization_count, dc(certificate_issuer_unit) as certificate_issuer_unit_count, dc(certificate_subject_common_name) as certificate_subject_common_name_count, dc(actual_src_user) as actual_src_user_count, dc(certificate_subject_organization) as certificate_subject_organization_count, dc(certificate_subject_unit) as certificate_subject_unit_count, dc(ip) as ip_count, dc(domain) as domain_count, dc(subject) as subject_count, dc(http_user_agent) as http_user_agent_count, dc(http_referrer) as http_referrer_count, dc(url) as url_count, dc(header) as header_count, dc(process) as process_count, dc(process_handle_name) as process_handle_name_count, dc(registry_path) as registry_path_count, dc(registry_value_name) as registry_value_name_count, dc(registry_value_text) as registry_value_text_count, dc(service) as service_count, dc(user) as user_count by threat_key 
| `get_threat_attribution(threat_key)` 
| search 
| addtotals fieldname=count *_count 
| fields source_id, source_path, source_type, threat_group, threat_category, malware_alias, count 
| sort + threat_group, threat_category, - count&lt;/LI-CODE&gt;</description>
      <pubDate>Tue, 12 Jan 2021 09:20:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/Threat-intelligence-feeds-update/m-p/535453#M9621</guid>
      <dc:creator>General_Talos</dc:creator>
      <dc:date>2021-01-12T09:20:51Z</dc:date>
    </item>
    <item>
      <title>Re: Threat intelligence feeds update</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/Threat-intelligence-feeds-update/m-p/535784#M9628</link>
      <description>&lt;P&gt;Does that mean that if I can find that IOC on &lt;SPAN&gt;Threat Artifacts, no matter whether threat_group and threat_category are undefined or not, the rules are fine?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 14 Jan 2021 08:48:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/Threat-intelligence-feeds-update/m-p/535784#M9628</guid>
      <dc:creator>new2spl_unk</dc:creator>
      <dc:date>2021-01-14T08:48:02Z</dc:date>
    </item>
    <item>
      <title>Re: Threat intelligence feeds update</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/Threat-intelligence-feeds-update/m-p/536451#M9647</link>
      <description>&lt;P&gt;Thanks for your response. I picked one of the IOCs in the list and searched for it on Threat Artifacts, where it can be found. But both threat_group and threat_category are undefined. May I know if this will cause any problem?&lt;/P&gt;</description>
      <pubDate>Wed, 20 Jan 2021 08:57:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/Threat-intelligence-feeds-update/m-p/536451#M9647</guid>
      <dc:creator>new2spl_unk</dc:creator>
      <dc:date>2021-01-20T08:57:58Z</dc:date>
    </item>
  </channel>
</rss>