Splunk SOAR

Phantom MISP - adding attributes with comment

dewu94
Explorer

I'm trying to add attributes via the Phantom MISP app. Adding attributes itself works fine for me when I'm just using predefined fields for specific values like 'email-dst', but I also need to include 'comment' for the attributes I'm adding. So I decided to use the 'json' field of the GUI configuration, which should allow me to pass custom-built attributes. And here the first issues appeared.

The app documentation does not give an example of how the mentioned json string should look when adding custom attributes. Initially I based it on Automation and MISP API · User guide of MISP Malware Information Sharing Platform, a Threat Sharing ..., where the json string was like this:

{"event_id":"3542","value":"1.2.3.4","category":"Network activity","type":"ip-dst"}

But unfortunately this one was not working - no attribute was added. Via trial and error I was able to discover that I can add attributes of a defined type with the following json, which is extremely different from the one mentioned in the MISP API documentation: {"email-dst":"test@email.com,"}. And please note that the comma at the end is not a typo - without it, no attribute is added. I have no idea why it's working this way, but it allows me to add an attribute to an event.

However, this is where I got stuck. I have no idea how to include the comment field for such an attribute. I've tried several combinations containing {"comment":"abc"}, but then I receive 3 attributes of 'comment' type with the values 'a', 'b', 'c'.

Does someone maybe know how to add attributes with a comment using the Phantom MISP app?
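For reference, the attribute shape the MISP REST API itself accepts (the user-guide form quoted above, plus the `comment` field) is shown below in an added example. This is not code from the post or from the Phantom MISP app; it talks to MISP directly over `POST /attributes/add/{event_id}` and assumes a reachable MISP instance and automation key, both given here as placeholders. It also guards against the failure mode described in the post: a bare string value is always kept as one attribute and is never iterated character by character, and `comment` is passed through verbatim.

```python
"""Build and submit MISP attributes, including a free-text comment.

Added example, not the Phantom / Splunk SOAR MISP app's own code.
Assumed: MISP REST API reachable at MISP_URL with automation key MISP_KEY
(both constructed placeholders).
"""
import json
import urllib.request
from typing import Dict, List, Union

MISP_URL = "https://misp.example.invalid"  # placeholder, not a real instance
MISP_KEY = "REPLACE_WITH_AUTOMATION_KEY"   # placeholder

REQUIRED = ("type", "value")
OPTIONAL = ("category", "comment", "to_ids", "distribution")


def build_attributes(event_id: Union[int, str], specs: List[Dict]) -> List[Dict]:
    """Expand attribute specs into payloads for POST /attributes/add/{event_id}.

    Each spec needs 'type' and 'value'. 'value' may be one string (kept as a
    single attribute) or a list of strings (one attribute per entry); empty
    entries are dropped. Optional fields are copied only when present, so MISP
    applies its own default category for the type when none is given.
    """
    payloads = []
    for spec in specs:
        missing = [k for k in REQUIRED if k not in spec]
        if missing:
            raise ValueError(f"attribute spec missing {missing}: {spec!r}")
        raw = spec["value"]
        # A str is iterable, so guard explicitly: never split "abc" into a/b/c.
        values = [raw] if isinstance(raw, str) else list(raw)
        for value in values:
            value = value.strip()
            if not value:
                continue
            payload = {"event_id": str(event_id), "type": spec["type"], "value": value}
            for key in OPTIONAL:
                if key in spec:
                    payload[key] = spec[key]
            payloads.append(payload)
    return payloads


def post_json(url: str, key: str, payload: Dict, timeout: int = 30) -> Dict:
    """POST a JSON body with the headers MISP's REST API expects."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": key,
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def add_attributes(event_id, specs, base_url=MISP_URL, key=MISP_KEY) -> List[Dict]:
    """Submit every built payload to MISP and return the parsed responses."""
    url = f"{base_url.rstrip('/')}/attributes/add/{event_id}"
    return [post_json(url, key, p) for p in build_attributes(event_id, specs)]


if __name__ == "__main__":
    # Only print the payloads; no network call is made against the placeholder URL.
    sample = [
        {"type": "ip-dst", "value": "1.2.3.4", "category": "Network activity",
         "comment": "from the user-guide example"},
        {"type": "email-dst", "value": "test@email.com", "comment": "abc"},
    ]
    for p in build_attributes(3542, sample):
        print(json.dumps(p))
```

To actually submit, call `add_attributes(3542, sample, base_url=..., key=...)` with a real instance; each response is the MISP JSON for the created attribute, so a missing `Attribute` key or an `errors` entry in it is the thing to check before treating the add as successful.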
