Splunk SOAR

Phantom MISP - searching by info/name

dewu94
Explorer

I am trying to search for MISP events by their name, which is present in the 'info' field. For this purpose I'm using 'other' and putting the following JSON in it: {"info":"text to search for"}.

The query does not give any error, but the results are not really related to the text I specified. I'm just receiving the first 10 events present in the MISP, even if I specify the whole title in the query, not only the keyword. Am I doing something wrong? I've also tried the approach with using a format block and double braces, as mentioned here: Solved: Phantom MISP "Run Query" action - Splunk Community, but no difference.

Is there any way to search for events by keywords in the 'info' field?


carl72086
Explorer

Hey,

Looks like the "info field" is incorrect...

Could you try using either of these two from the MISP API doco:

  • eventinfo: Filter on the event's info field.
  • searchall: Search for a full or a substring (delimited by % for substrings) in the event info, event tags, attribute tags, attribute values or attribute comment fields.

{{"eventinfo":"search info here"}}

{{"searchall":"search keyword here"}}

If it fails, not sure if you need to include the return format:

{{ "returnFormat": "json", "eventinfo": "test event name here" }}

source: https://www.circl.lu/doc/misp/automation/#search

dewu94
Explorer

Hi Carl,

I've seen this document and already checked the 'eventinfo' and 'quickfilter' variants - no luck. Also, adding "returnFormat": "json" does not make any difference.

BUT, I had missed the 'searchall' option before and it works perfectly for my test use case 🙂 It properly gives me the event I'm looking for (anyone facing the same issue - please remember about the "%" wildcards if searching by keyword, not by full name).

However, I am a little bit worried that I cannot limit my search to event names only, so I may get some issues in the future, especially when searching by a keyword - as 'searchall' also looks into tags, attributes, etc. So I would really love to get this 'eventinfo' option to work.

But still, you've helped me a lot Carl and I will probably use 'searchall' as a workaround for searching events by their names.

carl72086
Explorer

Hey,

Unfortunately I don't have a MISP setup, so I can't actually give it a try.

But reading the documentation, it says that the controller is a required field which is for "attributes" / "events". The info field appears to be under the "Event".

Can you try testing the below?

Create a format block for this (and use it as an input to the "other" field of the MISP query):

Test 1

{{"info":"search keyword here"}}

Test 2

{{"Event":{"info":"search keyword here"}}

Try doing an exact search first on the info name (e.g. "Test of the day (2016-03-16) - botnet 120"); if that works, try doing a search using a portion of the name (e.g. "Test / botnet") and see if that works too.

Cheers,

Carl

dewu94
Explorer

Hi Carl,

I've also tried the case you mentioned as Test 1 - the results are the same. It seems that it does not matter what I put in the 'other' field (as long as the Python syntax is ok), as it gives me all events in the response, like the filter was not even applied.

Test 2 is not working, as the controller is a separate field to set; it's not a part of the JSON-type 'other' field. And it is properly set to 'events' in my case.

In the app run details view I can see that the following parameters were passed - and they look quite ok, so I don't know why it's not working:

controller = events

other = {"info":"full name of the event"}

max_results = 10


*edit*

Test 2 actually does not throw an error (it did, because I was missing one closing brace), but the results are exactly the same - it gives all events, like no filter was in place. Even when I put {"blabla":"blabla"} the query works and gives all events. For an unknown reason it does not even check this parameter, or ignores it until it's properly given, but I don't know then what the proper way to pass this param is.

baya151
Explorer

Hi dewu94,

Have you managed to get it working?

I experience the same issue, and whatever I put in the other field, I always get all events or all attributes. I have checked the MISP audit logs and no parameter is specified in the request passed to the REST API. I don't understand how others use it, as I couldn't find proper documentation.

Best regards,

Yanko


dewu94
Explorer

Yeah, I suggest using the pymisp library in custom functions, or just performing MISP-related actions via requests with the HTTP app. The MISP app is just not working properly.

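An added example (not code from this thread or from the Phantom MISP app) of the workaround suggested in the last reply: calling MISP's REST search directly and checking on the client side that the 'info' filter was actually applied, so a silently ignored filter (every event coming back, as reported above) is caught instead of trusted. It assumes MISP's POST /events/restSearch endpoint with the API key in the Authorization header; the sample response is constructed.

```python
import json
import urllib.request

# Constructed sample of what MISP's /events/restSearch returns (trimmed);
# it is not a capture from any real MISP instance.
SAMPLE_RESPONSE = {
    "response": [
        {"Event": {"id": "1", "info": "Test of the day (2016-03-16) - botnet 120"}},
        {"Event": {"id": "2", "info": "Phishing campaign targeting finance"}},
        {"Event": {"id": "3", "info": "Botnet C2 sinkhole data"}},
    ]
}


def build_search_body(eventinfo=None, keyword=None, limit=10):
    """Build the JSON body for POST /events/restSearch.

    eventinfo: exact event name (the 'eventinfo' filter from the MISP API docs).
    keyword:   substring search via 'searchall'; MISP needs '%' wildcards.
    """
    body = {"returnFormat": "json", "limit": limit}
    if eventinfo:
        body["eventinfo"] = eventinfo
    if keyword:
        body["searchall"] = f"%{keyword}%"
    return body


def events_matching_info(response, keyword):
    """Client-side filter: keep only events whose 'info' contains keyword."""
    needle = keyword.lower()
    return [e["Event"] for e in response.get("response", [])
            if needle in e["Event"].get("info", "").lower()]


def filter_was_ignored(response, keyword):
    """True when the server returned events that do not match the keyword,
    i.e. the search filter was silently dropped (the symptom in this thread)."""
    events = response.get("response", [])
    return len(events) > len(events_matching_info(response, keyword))


def search_events(misp_url, api_key, body, timeout=30):
    """POST the search to a MISP instance (needs network; not run here)."""
    req = urllib.request.Request(
        f"{misp_url.rstrip('/')}/events/restSearch",
        data=json.dumps(body).encode(),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

Pair `search_events` with `filter_was_ignored` on the result: if it returns True, log the raw request and response rather than feeding the unfiltered event list into the playbook.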