Splunk SOAR

Phantom MISP - searching by info/name

dewu94
Explorer

I am trying to search for MISP events by their name, which is present in the 'info' field. For this purpose I'm using 'other' and putting in the following JSON: {"info":"text to search for"}.

Query does not give any error, but results are not really related to the text I specified. I'm just receiving first 10 events present in the MISP, even if I specify whole title in the query, not only the keyword. Am I doing something wrong? I've also tried approach with using format block and double braces, as mentioned here: Solved: Phantom MISP "Run Query" action - Splunk Community but no difference.

Is there any way to search for events by keywords in the 'info' field?


carl72086
Explorer

Hey,

Looks like the "info field" is incorrect...

Could you try using any of the 2 from the MISP API doco:


  • eventinfo: Filter on the event's info field.
  • searchall: Search for a full or a substring (delimited by % for substrings) in the event info, event tags, attribute tags, attribute values or attribute comment fields.

{{"eventinfo":"search info here"}}

{{"searchall":"search keyword here"}} 


if it fails, not sure if you need to include the return format:

{{ "returnFormat": "json", "eventinfo": "test event name here" }}

source: https://www.circl.lu/doc/misp/automation/#search

dewu94
Explorer

Hi Carl,

I've seen this document and already checked 'eventinfo' and 'quickfilter' variants - no luck. Also, adding "returnFormat": "json" does not make any difference.

BUT, I've missed the 'searchall' option before and it works perfectly for my test use case 🙂 It properly gives me the event I'm looking for (anyone facing the same issue - please remember the "%" wildcards if searching by keyword, not by full name).

However, I am a little bit worried that I cannot limit my search to event names only, so I may get some issues in the future, especially when searching by a keyword - as 'searchall' is looking also into tags, attributes, etc. So I would really love to get this 'eventinfo' option to work.

But still, you've helped me a lot Carl and I will probably use 'searchall' as a workaround for searching events by their names.

carl72086
Explorer

Hey,

Unfortunately I don't have a MISP setup so I can't actually give it a try.

But reading the documentation, it says that the controller is a required field which is for "attributes" / "events". The info field appears to be under the "Event".

Can you try testing the below?

Create a format block for this:  (and use it as an input to the "other" field of the MISP query)

Test 1

{{"info":"search keyword here"}}

Test 2

{{"Event":{"info":"search keyword here"}}

Try doing an exact search first of the info name (e.g. "Test of the day (2016-03-16) - botnet 120"), if that works, try doing a search using a portion of the name (e.g. "Test / botnet") and see if that works too.


Cheers,

Carl

dewu94
Explorer

Hi Carl,

I've also tried the case you mentioned as Test 1 - results are the same. It seems that it does not matter what I put in the 'other' field (as long as the Python syntax is ok), as it gives me all events in the response, like the filter was not even applied.

Test 2 is not working, as controller is a separate field to set; it's not a part of the JSON-type 'other' field. And it is properly set to 'events' in my case.

In app run details view I can see that following parameters were passed - and they look quite ok, so I don't know why it's not working:

controller = events

other = {"info":"full name of the event"}

max_results = 10


*edit*

Test 2 actually does not throw an error (it did, because I was missing one closing brace), but the results are exactly the same - it gives all events, like no filter was in place. Even when I put {"blabla":"blabla"} the query works and gives all events. For an unknown reason it does not even check this parameter, or ignores it until it's properly given, but I don't know then what the proper way to pass this param is.


baya151
Explorer

Hi dewu94,

Have you managed to get it working?

I experience the same issue and whatever I put in the other field, I always get all events or all attributes. I have checked MISP audit logs and no parameter is specified in the request to pass to the rest API. I don't understand how others use it as I couldn't find a proper documentation.

Best regards,

Yanko


dewu94
Explorer

Yeah, I suggest using pymisp library in custom functions or just performing actions related to MISP via requests with HTTP app. MISP app is just not working properly.
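The workaround the thread converges on (call the MISP REST search directly instead of the SOAR app's 'other' field) looks like this in Python. This is an added example, not code from any poster or from the Splunk SOAR MISP app; it assumes the `/events/restSearch` endpoint and `searchall` parameter from the MISP automation documentation linked above, the `MISP_URL` and `MISP_KEY` values are placeholders, and the sample response is constructed. It also addresses dewu94's caveat that `searchall` matches tags and attributes too: results are post-filtered on the `info` field so only events whose name actually contains the keyword are kept.

```python
"""Search MISP events by their 'info' (name) field over the REST API.

Added example, not code from the thread or the Splunk SOAR MISP app. It assumes
the POST /events/restSearch endpoint and the 'searchall' parameter documented at
https://www.circl.lu/doc/misp/automation/#search; MISP_URL and MISP_KEY are
placeholders, and SAMPLE_RESPONSE is constructed to mirror MISP's response shape.
"""
import json
import urllib.request

MISP_URL = "https://misp.example.invalid"  # placeholder, not a real instance
MISP_KEY = "REPLACE_WITH_API_KEY"           # placeholder


def build_search_body(keyword: str, substring: bool = True) -> dict:
    """Build the JSON body for POST /events/restSearch.

    'searchall' matches event info, event tags, attribute tags, attribute values
    and comments. A substring search needs '%' wildcards around the keyword (the
    detail the thread stresses); an exact search passes the full title as-is.
    """
    term = f"%{keyword}%" if substring else keyword
    return {"returnFormat": "json", "searchall": term}


def filter_by_info(events: list, keyword: str, exact: bool = False) -> list:
    """Keep only events whose 'info' field contains (or equals) the keyword.

    Because 'searchall' also hits tags and attribute values, a keyword search can
    return events whose name is unrelated to the term. This client-side check
    narrows the result set to the event name, which is what the thread wanted
    from the non-working 'eventinfo' parameter.
    """
    needle = keyword.casefold()
    kept = []
    for wrapper in events:
        info = wrapper.get("Event", {}).get("info", "")
        matched = info.casefold() == needle if exact else needle in info.casefold()
        if matched:
            kept.append(wrapper)
    return kept


def search_events(keyword: str, substring: bool = True, timeout: int = 30) -> list:
    """POST the search to MISP and return the info-filtered 'response' list.

    Needs network access and a real MISP URL/key, so it is not exercised offline.
    """
    body = json.dumps(build_search_body(keyword, substring)).encode()
    req = urllib.request.Request(
        f"{MISP_URL}/events/restSearch",
        data=body,
        method="POST",
        headers={
            "Authorization": MISP_KEY,
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        payload = json.load(resp)
    return filter_by_info(payload.get("response", []), keyword, exact=not substring)


# Constructed sample in the shape MISP returns for /events/restSearch. Event 3
# would be returned by searchall for "botnet" only because of its tag, not its name.
SAMPLE_RESPONSE = {
    "response": [
        {"Event": {"id": "1", "info": "Test of the day (2016-03-16) - botnet 120",
                   "Tag": [{"name": "type:OSINT"}]}},
        {"Event": {"id": "2", "info": "Phishing campaign targeting finance",
                   "Tag": [{"name": "tlp:amber"}]}},
        {"Event": {"id": "3", "info": "Weekly IOC dump",
                   "Tag": [{"name": "malware:botnet"}]}},
    ]
}


if __name__ == "__main__":
    print(json.dumps(build_search_body("botnet")))
    for ev in filter_by_info(SAMPLE_RESPONSE["response"], "botnet"):
        print(ev["Event"]["id"], ev["Event"]["info"])
```

Run stand-alone, the script prints the request body with the `%` wildcards and then only event 1, since event 3 matches "botnet" through a tag rather than its name. Inside SOAR the same two helpers fit a custom function, with the HTTP app or `search_events` doing the actual call.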
