Recently, I installed MISP42Splunk in my environment in order to integrate MISP with Splunk. Below is the workflow on how I tried to do this.
1. Pull IOC from MISP and outputlookup to a csv.
2. Use SPL to format the CSV
3. outputlookup to xxx_intel like ip_intel, email_intel.
But seems like the "threat - gen" search didn't use the updated IOC. May I know if I am doing anything wrong? and how to do it correctly. Thanks.
Is that mean if I can search that IOC on Threat Artifacts no matter the threat_group and threat_category is undefined or not, the rules is fine?
Wanted to check if you validated same inES APP >> Security Intelligence >> Threat Artifactsor try this search
| inputlookup append=T service_intel where *
| eval file_name=mvappend(service_file_name,service_dll_file_name), file_path=mvappend(service_file_path, service_dll_file_path), file_hash=mvappend(service_file_hash, service_dll_file_hash)
| inputlookup append=T process_intel where *
| eval ip=mvappend(src, dest), domain=mvappend(src, dest)
| inputlookup append=T file_intel where *
| inputlookup append=T certificate_intel where *
| mvexpand certificate_serial
| eventstats values(certificate_serial) as certificate_serial,values(certificate_serial_clean) as certificate_serial_clean,values(certificate_serial_dec) as certificate_serial_dec by _key
| dedup _key,threat_collection
| inputlookup append=T email_intel where *
| inputlookup append=T http_intel where *
| inputlookup append=T ip_intel where *
| inputlookup append=T registry_intel where *
| inputlookup append=T user_intel where *
| fillnull value=0 updated,disabled
| eval file_hash=coalesce(certificate_file_hash,file_hash), src_user=coalesce(certificate_issuer_email,src_user), actual_src_user=coalesce(certificate_subject_email,actual_src_user), ip=coalesce(embedded_ip,ip), domain=coalesce(embedded_domain,domain), file_name=coalesce(process_file_name,file_name), file_path=coalesce(process_file_path,file_path)
| stats dc(file_hash) as file_hash_count, dc(file_name) as file_name_count, dc(certificate_serial) as certificate_serial_count, dc(certificate_issuer_common_name) as certificate_issuer_common_name_count, dc(src_user) as src_user_count, dc(certificate_issuer_organization) as certificate_issuer_organization_count, dc(certificate_issuer_unit) as certificate_issuer_unit_count, dc(certificate_subject_common_name) as certificate_subject_common_name_count, dc(actual_src_user) as actual_src_user_count, dc(certificate_subject_organization) as certificate_subject_organization_count, dc(certificate_subject_unit) as certificate_subject_unit_count, dc(ip) as ip_count, dc(domain) as domain_count, dc(subject) as subject_count, dc(http_user_agent) as http_user_agent_count, dc(http_referrer) as http_referrer_count, dc(url) as url_count, dc(header) as header_count, dc(process) as process_count, dc(process_handle_name) as process_handle_name_count, dc(registry_path) as registry_path_count, dc(registry_value_name) as registry_value_name_count, dc(registry_value_text) as registry_value_text_count, dc(service) as service_count, dc(user) as user_count by threat_key
| addtotals fieldname=count *_count
| fields source_id, source_path, source_type, threat_group, threat_category, malware_alias, count
| sort + threat_group, threat_category, - count
Thanks for your response. I picked 1 of the IOC in the list and tried to search on Threat Artifacts which can be found. But both threat_group and threat_category is undefined. May I know if it will cause any problem?