MISP42Splunk accessing remote MISP instance with a...

nick25 · ‎02-28-2019

I'm trying to access a MISP instance from the MISP42Splunk App. I've configured the correct API key and MISP Base URL. I do not however, see an option to specify a client certificate to be presented to the MISP server and i think that breaks the integration. Do you know if there is an option to specify a client cert in MISP42Splunk or some other means?

Thanks.

remiseguy · ‎03-01-2019

Hi,
This is not available yet. Could you open an issue on github to get it implemented

remiseguy · ‎03-02-2019

Please check version 2.2.0 on github as I don’t have a lab set up yet to test it

nick25 · ‎03-03-2019

Thanks a million Remi. MISP42Splunk 2.2.0 works on Windows 10.

Manually deleted the MISP42splunk folder in the Splunk /etc folder . Reinstalled MISP42Splunk using "install App from file" option. Restarted Splunk.

Specified the Client certificate as .PEM file, the same format as usually presented via the MISP API.

Ran reports on the dashboard and saw event data being successfully captured from the MISP instance.

Thanks for the prompt action.

MISP42Splunk accessing remote MISP instance with a client certificate

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation