All Apps and Add-ons

Why cant I configure MISP feeds on splunk enterprise?

3DGjos
Communicator

Hello, i'm trying to configure this app: https://splunkbase.splunk.com/app/4335/#/details

but i'm getting this error (Invalid URL; it must start with https and do not add ending /)with the URL of a public feed:

alt text

tried with this too, same error:
https://www.circl.lu/doc/misp/feed-osint
https://www.circl.lu/doc/misp/feed-osint/5a09aaa3-e7fc-4e3c-acda-cb8d950d210f.json

am I doing something wrong? or im missing something in the url?

Thanks in advance!

Labels (2)
0 Karma

riccardo_spl
Explorer

I think you should configure a MISP instance URL, not a public feed URL

0 Karma

to4kawa
Ultra Champion
.... 
| spath path=Event.Object{} output=Event_Object
| spath path=Event.Tag{} output=Event_Tag
| spath path=Event.publish_timestamp output=publish_timestamp
| spath path=Event.timestamp output=timestamp
| eval _time=strftime(timestamp,"%F %T") 
| fields - _raw 
| stats values(_time) as _time list(*) as * by Event_Object 
| spath input=Event_Object 
| streamstats count as session 
| eval counter=mvrange(0,mvcount('Attribute{}.category')) 
| stats values(_time) as _time list(*) as * by session counter 
| eventstats values(counter) as sub_counter by session 
| rename Attribute{}.* as Attribute_* 
| foreach A* 
    [ eval <<FIELD>>=if(mvcount(<<FIELD>>)=mvcount(sub_counter),mvindex(<<FIELD>>,counter),<<FIELD>>)] 
| fields - Event_Object *counter
| streamstats count as counter
| stats values(_time) as _time list(*) as * by session counter Event_Tag
| spath input=Event_Tag path=name output=tag_name
| spath input=Event_Tag path=colour
| spath input=Event_Tag path=exportable
| fields - Event_Tag
| streamstats count as counter
| stats values(_time) as _time list(*) as * by session counter timestamp
| fields - session counter
| table _time *

Above answer, only spath.
this query is a detail table.

0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval _raw="{\"Event\": {\"info\": \"OSINT - Saudi Arabia's 'Game of Thobes'\", \"Tag\": [{\"colour\": \"#004646\", \"exportable\": true, \"name\": \"type:OSINT\"}, {\"colour\": \"#ffffff\", \"exportable\": true, \"name\": \"tlp:white\"}], \"publish_timestamp\": \"0\", \"timestamp\": \"1510922476\", \"Object\": [{\"comment\": \"\", \"template_uuid\": \"8ec8c911-ddbe-4f5b-895b-fbff70c42a60\", \"uuid\": \"5a09ab2f-39b8-490c-84fb-4daf950d210f\", \"sharing_group_id\": \"0\", \"timestamp\": \"1510583087\", \"description\": \"Microblog post like a Twitter tweet or a post on a Facebook wall.\", \"template_version\": \"3\", \"Attribute\": [{\"comment\": \"\", \"category\": \"Other\", \"uuid\": \"5a09ab2f-fb18-4691-ad33-4c74950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": false, \"value\": \"\\\"Saudi Arabia's 'Game of Thobes'.doc\\u05f3\\\" submitted from TR, CVE-2017-11826, \\r\\nC2: 45.76.106[.]149 , 45.76.36[.]243 , saudiedi.toh[.]info\\r\\n\\r\\nMore details in Raw Threat Intelligence:\\r\\n\\r\\n(link: https://docs.google.com/document/d/1_nEWAmec3bKBddv30UPXJMiN-F0Ojuhfsmvk6KpFq0Q/edit#heading=h.iixpb... docs.google.com/document/d/1_n\\u2026\", \"disable_correlation\": false, \"object_relation\": \"post\", \"type\": \"text\"}, {\"comment\": \"\", \"category\": \"Other\", \"uuid\": \"5a09ab2f-e0cc-4dbb-a6f9-47e2950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": false, \"value\": \"Twitter\", \"disable_correlation\": true, \"object_relation\": \"type\", \"type\": \"text\"}, {\"comment\": \"\", \"category\": \"External analysis\", \"uuid\": \"5a09ab2f-db38-4066-9878-4865950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": true, \"value\": \"https://mobile.twitter.com/ClearskySec/status/929998314002673666\", \"disable_correlation\": false, \"object_relation\": \"link\", \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Other\", \"uuid\": \"5a09ab2f-13c0-4417-9869-42c4950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": false, \"value\": \"2017/11/13\", \"disable_correlation\": false, \"object_relation\": \"creation-date\", \"type\": \"datetime\"}, {\"comment\": \"\", \"category\": \"Other\", \"uuid\": \"5a09ab2f-9960-4d5f-a028-4b36950d210f\", \"timestamp\": \"1510583087\", \"to_ids\": false, \"value\": \"@ClearskySec\", \"disable_correlation\": false, \"object_relation\": \"username\", \"type\": \"text\"}], \"distribution\": \"5\", \"meta-category\": \"misc\", \"name\": \"microblog\"}, {\"comment\": \"\", \"template_uuid\": \"688c46fb-5edb-40a3-8273-1af7923e2215\", \"uuid\": \"5a09abf7-7304-4831-b206-46b8950d210f\", \"sharing_group_id\": \"0\", \"timestamp\": \"1510583287\", \"description\": \"File object describing a file with meta-information\", \"template_version\": \"4\", \"Attribute\": [{\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09abf7-76f0-4ca2-aa9c-4db4950d210f\", \"timestamp\": \"1510583287\", \"to_ids\": true, \"value\": \"aede654e77e92dbd77ca512e19f495b8\", \"disable_correlation\": false, \"object_relation\": \"md5\", \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09abf7-952c-4203-934c-423d950d210f\", \"timestamp\": \"1510583287\", \"to_ids\": true, \"value\": \"2017-11-13 \\u201cSaudi Arabia's 'Game of Thobes'.doc\", \"disable_correlation\": false, \"object_relation\": \"filename\", \"type\": \"filename\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09abf7-970c-4251-b73f-42d6950d210f\", \"timestamp\": \"1510583287\", \"to_ids\": true, \"value\": \"aed93c002574f25dabd1859f080203a2c8f332e92c80db9aa983316695d938d3\", \"disable_correlation\": false, \"object_relation\": \"sha256\", \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09abf7-cfc0-499a-8a40-4f86950d210f\", \"timestamp\": \"1510583287\", \"to_ids\": true, \"value\": \"d9fac68b6c49c485675d9141f375799d10572999\", \"disable_correlation\": false, \"object_relation\": \"sha1\", \"type\": \"sha1\"}], \"distribution\": \"5\", \"meta-category\": \"file\", \"name\": \"file\"}, {\"comment\": \"\", \"template_uuid\": \"688c46fb-5edb-40a3-8273-1af7923e2215\", \"uuid\": \"5a09ad27-2430-434c-ad1b-47ea950d210f\", \"sharing_group_id\": \"0\", \"timestamp\": \"1510583591\", \"description\": \"File object describing a file with meta-information\", \"template_version\": \"4\", \"Attribute\": [{\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09ad28-2694-4e83-a1a5-498e950d210f\", \"timestamp\": \"1510583592\", \"to_ids\": true, \"value\": \"b76f4c8c22b84600ac3cff64dadfaf8b\", \"disable_correlation\": false, \"object_relation\": \"md5\", \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09ad28-47e8-4ede-a675-40ef950d210f\", \"timestamp\": \"1510583592\", \"to_ids\": true, \"value\": \"%TEMP%\\\\vcpkgs.exe\", \"disable_correlation\": false, \"object_relation\": \"filename\", \"type\": \"filename\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09ad28-1a0c-4042-a259-4aa1950d210f\", \"timestamp\": \"1510583592\", \"to_ids\": true, \"value\": \"5ae0a582ed5d60324d6d1397be3deb0c704a1d77c9ef3d5f486455f99da32e7f\", \"disable_correlation\": false, \"object_relation\": \"sha256\", \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09ad28-fadc-440f-8140-40fc950d210f\", \"timestamp\": \"1510583592\", \"to_ids\": true, \"value\": \"78c0266456e33abed00895cb05d0f9fe09b83da3\", \"disable_correlation\": false, \"object_relation\": \"sha1\", \"type\": \"sha1\"}], \"distribution\": \"5\", \"meta-category\": \"file\", \"name\": \"file\"}, {\"comment\": \"\", \"template_uuid\": \"688c46fb-5edb-40a3-8273-1af7923e2215\", \"uuid\": \"5a09b25e-24f0-4913-8df2-4a94950d210f\", \"sharing_group_id\": \"0\", \"timestamp\": \"1510584926\", \"description\": \"File object describing a file with meta-information\", \"template_version\": \"4\", \"Attribute\": [{\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b25e-3828-4faa-a73a-4e89950d210f\", \"timestamp\": \"1510584926\", \"to_ids\": true, \"value\": \"fea6546e3299a31a58a3aa2a6b7060c9\", \"disable_correlation\": false, \"object_relation\": \"md5\", \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b25f-0a8c-4cc8-ba65-4a98950d210f\", \"timestamp\": \"1510584927\", \"to_ids\": true, \"value\": \"26c672b2537f8a89f2d59674f00bcfe9825796ca9b1ec51c96e5675dd586b87b\", \"disable_correlation\": false, \"object_relation\": \"sha256\", \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b25f-7798-4c48-8baf-4d76950d210f\", \"timestamp\": \"1510584927\", \"to_ids\": true, \"value\": \"eddf2ca780b4396c0bf5ea3f13d22275fb6822fc\", \"disable_correlation\": false, \"object_relation\": \"sha1\", \"type\": \"sha1\"}], \"distribution\": \"5\", \"meta-category\": \"file\", \"name\": \"file\"}], \"analysis\": \"2\", \"Attribute\": [{\"comment\": \"\", \"category\": \"External analysis\", \"uuid\": \"5a09ab4a-49f4-4c13-9da2-458b950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": false, \"value\": \"https://docs.google.com/document/d/1_nEWAmec3bKBddv30UPXJMiN-F0Ojuhfsmvk6KpFq0Q/edit#heading=h.iixpbs2pcjjp\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"link\"}, {\"comment\": \"C2\", \"category\": \"Network activity\", \"uuid\": \"5a09ab6e-33f0-4d46-b1e4-42e7950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"45.76.106.149\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"ip-dst\"}, {\"comment\": \"C2\", \"category\": \"Network activity\", \"uuid\": \"5a09ab6e-2168-4156-b837-4462950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"45.76.36.243\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"ip-dst\"}, {\"comment\": \"C2\", \"category\": \"Network activity\", \"uuid\": \"5a09ab6e-88f4-40d1-94bd-44ba950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"saudiedi.toh.info\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"hostname\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09af92-143c-4539-b34a-4939950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"a1047665ed9d665f5cf066e4a9902d809e7325cf\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha1\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09af92-4234-4cfc-8aa2-4154950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"ade199b16607fd29c8e7288fb750ca2b\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09af92-f3d4-4794-9bfd-48a2950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"d5b22843aabbbc20af253d579fd1f098138be85e2cff4677f7886e8d31ff00cb\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09af92-b3a8-4ad7-a250-4fc7950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"saudiedi.toh.info/search?q=%E7%DF%5D%10&cvid=714105926300154928\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-f700-41f7-9d84-43ab950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"articles/937933.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-7710-49d4-9626-460c950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"articles/937934.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-5d74-4020-bd70-44fe950d210f\", \"timestamp\": \"1510922447\", \"to_ids\": true, \"value\": \"articles/937935.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-3ec4-4e61-a267-455f950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"articles/937936.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-d328-4cd7-8d4b-46ad950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"articles/937937.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Network activity\", \"uuid\": \"5a09afd3-9e98-4bc5-abc1-4f62950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"articles/937938.html\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"url\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b133-be00-49f3-8ee8-48c6950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"00007AA8[.]ex_\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"filename\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b133-653c-413d-9682-4ac3950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"Saudi Arabia's 'Game of Thobes'[.]doc\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"filename\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b326-833c-48ce-8397-4034950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"8598313222c41280eb42863eda8a9490\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"md5\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b326-4660-4c3b-92ba-4a33950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"256c631372692a1a907b04d27a735eb0905a003e\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha1\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b326-bd9c-4a2e-9950-4ff8950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"50eedaf3150253cc2298446615421f4caa0482cb93658dc095855c38d425e3fb\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha256\"}, {\"comment\": \"\", \"category\": \"Payload delivery\", \"uuid\": \"5a09b326-1c58-4d04-afb8-46ab950d210f\", \"timestamp\": \"1510922448\", \"to_ids\": true, \"value\": \"8c81eb0fb49c40a1fa5474f45ff638961330ff73198dc7d537667455e5273bb8\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"sha256\"}, {\"comment\": \"- Xchecked via VT: 8c81eb0fb49c40a1fa5474f45ff638961330ff73198dc7d537667455e5273bb8\", \"category\": \"External analysis\", \"uuid\": \"5a0ed8d0-a348-4851-8def-40e502de0b81\", \"timestamp\": \"1510922448\", \"to_ids\": false, \"value\": \"https://www.virustotal.com/file/8c81eb0fb49c40a1fa5474f45ff638961330ff73198dc7d537667455e5273bb8/analysis/1509021029/\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"link\"}, {\"comment\": \"- Xchecked via VT: d5b22843aabbbc20af253d579fd1f098138be85e2cff4677f7886e8d31ff00cb\", \"category\": \"External analysis\", \"uuid\": \"5a0ed8d0-2e64-4b0e-b0c7-420e02de0b81\", \"timestamp\": \"1510922448\", \"to_ids\": false, \"value\": \"https://www.virustotal.com/file/d5b22843aabbbc20af253d579fd1f098138be85e2cff4677f7886e8d31ff00cb/analysis/1510308447/\", \"disable_correlation\": false, \"object_relation\": null, \"type\": \"link\"}], \"extends_uuid\": \"\", \"published\": false, \"date\": \"2017-11-13\", \"Orgc\": {\"uuid\": \"55f6ea5e-2c60-40e5-964f-47a8950d210f\", \"name\": \"CIRCL\"}, \"threat_level_id\": \"3\", \"uuid\": \"5a09aaa3-e7fc-4e3c-acda-cb8d950d210f\"}}"
| spath

Submitted to answer because it was too long.

If you can capture the logs in a different way, you can extract fields normally.

Set up and use HTTP Event Collector in Splunk Web

I think it's better to ask a separate question about this.
Sorry, I do not know.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...