Setting up MISP as a threat information source for Splunk Enterprise

Setting up MISP as a threat information source for Splunk Enterprise

By Nicholas Soysa, AusCERT

Disclaimer: The following information is only relevant to AusCERT members who are formally part of the CAUDIT-ISAC or AusCERT-ISAC. For more info on this optional add-on service, please refer to the following page

1. Get a license or free trial account.

If you’re an existing Splunk customer, then you should already have the credentials to access Splunk.

If you’re keen on trying out first, you can obtain a limited free trial account at https://www.splunk.com/en_us/download.html.

2. Install and run Splunk Enterprise.

• Download the appropriate installer for your platform (32- or 64-bit)  and follow the installation steps.
• Launch the Splunk Enterprise search head
• Log into your Splunk Administrator account

IMPORTANT: MISP42Splunk 4.3.0 has been merged to the master branch. The information in section 3 is no longer relevant. You can now update misp42splunk using the “Upgrade App” (exisitng app) or “Install” option (fresh installs), as usual.

3. Install and setup MISP42Splunk

• MISP42Splunk 2.2.0 is not currently in the master branch. NOTE: Once the update’s been merged to the master branch,
• Until then, download the file from the github repo at: https://github.com/remg427/misp42splunk/tree/2.2.0

• Extract the ZIP archive.
• Convert the folder “misp42splunk” to TAR.GZ format using a utility like 7-zip or the command line.
• Return to the Splunk app and navigate to “Apps”

• Select the “Install App from file” option

• Select the archive misp42splunk.tar.gz which you created and click Upload

• Restart Splunk when prompted

4. Add MISP instance

• Create a MISP instance name. For example: “AUSCERTMISP”
• MISP URL = Base URL of the MISP instance (e.g. https://misp-c.auscert.org.au OR https://misp.auscert.org.au)
• For the “Set the MISP auth key” enter a valid API key for a MISP user which has “authkey access privileges. This is typically any user with “User” up to “Org admin” roles.
• Untick the “Check SSL certificate of MISP server” box.
• We no longer require client certificate to authenticate. Untick the “Use a client certificate” if ticked.
• Press “Save”. Once the save is completed, you will be returned to the Apps page.

5. Check it works

• Navigate to the MISP42 apps (Apps dropdown -> MISP42)

• In the MISP42 app page, select Reports

• Then select, for example, mispgetioc misp_instance=AUSCERTMISP last=1d

• If the app works, then you should see Attributes from MISP event returned in the report
• It is suggested to store the feeds in an index which can be then queried in future if needed.

6. Resources

       CAUDIT-ISAC users can access the PDF version at: https://www.auscert.org.au/publications/2018-08-22-misp-integration (Member portal login required)

AusCERT-ISAC users can access the document at: https://www.auscert.org.au/publications/2019-03-04-misp-integration (Member portal login required)

7. Credits

      Thanks to Remi Seguy (author of misp24splunk) for promptly implementing this feature request.