
How to pull MISP data on Splunk

Remi edited this page Oct 21, 2024 · 2 revisions

With MISP42 you can very easily collect MISP events or attributes on Splunk by following these 2 steps.

Step 1: pull MISP data

You can select the custom command that fits your need:

  • mispgetevent to use MISP API endpoint /events/restSearch (use getioc=true to also collect attributes of events)
  • mispgetioc to use MISP API endpoint /attributes/restSearch
  • mispfetch if you need to build a complete JSON request in field misp_http_body (all keys documented on MISP API can be used)
  • misprest as a versatile MISP API wrapper (all operations as on MISP REST client)

Step 2: write the data to Splunk

  • outputlookup to write the data to a CSV or KV store lookup when the MISP data are used for a specific, time-bound action such as IoC retrosearches
  • collect when you want to write and keep the data on Splunk

Please note that the resulting lookups can easily be reused in other SPL searches.
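The two steps above chained together, as an added example (not taken from this wiki or from the MISP42 project). It assumes a MISP42 instance configuration named default_misp, the mispgetioc parameters misp_instance, last, to_ids and type, the output field names misp_value, misp_type, misp_category, misp_event_id and misp_timestamp, and a firewall index whose events carry a dest_ip field; the lookup file name misp_ioc_ipdst.csv and the index misp_summary are constructed for the example.

```spl
| mispgetioc misp_instance=default_misp last=7d to_ids=true type="ip-dst"
| table misp_value misp_type misp_category misp_event_id misp_timestamp
| outputlookup misp_ioc_ipdst.csv

| mispgetevent misp_instance=default_misp last=7d getioc=true
| collect index=misp_summary sourcetype=misp:event

index=firewall action=allowed
| lookup misp_ioc_ipdst.csv misp_value AS dest_ip OUTPUT misp_event_id misp_category
| where isnotnull(misp_event_id)
```

The first search is the outputlookup path: it pulls only attributes flagged to_ids of type ip-dst from the last 7 days and writes them to a CSV lookup, which is enough for a retrosearch. The second search is the collect path: it pulls whole events (with their attributes, via getioc=true) and indexes them so they are kept on Splunk with their own timestamps. The third search shows the lookup being reused in ordinary SPL: every allowed connection whose destination matches a MISP attribute comes back enriched with the MISP event id and category, so an empty misp_event_id simply means no match rather than an error.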
