Setting up MISP as a threat information source for Splunk Enterprise 4 Mar 2019
By Nicholas Soysa, AusCERT
1. Get a license or free trial account.
- If you’re an existing Splunk customer, then you should already have the credentials to access Splunk.
- If you’re keen on trying it out first, you can obtain a limited free trial account at https://www.splunk.com/en_us/download.html.
2. Install and run Splunk Enterprise.
- Download the appropriate installer for your platform (32- or 64-bit) and follow the installation steps.
- Launch the Splunk Enterprise search head.
- Log into your Splunk Administrator account.
3. Install and set up MISP42Splunk 2.2.0
- MISP42Splunk 2.2.0 is not currently in the master branch. NOTE: Once the update’s been merged to the master branch, you will be able to update using the “Upgrade App” (existing app) or “Install” option (fresh installs), as usual.
- Until then, download the file from the github repo at: https://github.com/remg427/misp42splunk/tree/2.2.0
- Extract the ZIP archive.
- Convert the folder “misp42splunk” to TAR.GZ format using a utility like 7-zip or the command line.
- Return to the Splunk app and navigate to “Apps”
- Select the “Install App from file” option
- Select the archive misp42splunk.tar.gz which you created and click Upload
- Restart Splunk when prompted
4. Set up MISP42Splunk.
- Enter the relevant values
- MISP URL = Base URL of the MISP instance (e.g. https://misp-c.auscert.org.au OR https://misp.auscert.org.au)
- For the “Set the MISP auth key” field, enter a valid API key for a MISP user which has “authkey access” privileges. This is typically any user with “User” up to “Org admin” roles.
- Untick the “Check SSL certificate of MISP server” box
- Tick “Use a client certificate to authenticate on default instance”
- Enter the full path for the .PEM format client certificate file (e.g. C:\User\John\certs\johncert.pem)
- Press “Save”. Once the save is completed, you will be returned to the Apps page. You’ll see the version has been updated to 2.2.0.
5. Check it works
- Navigate to the MISP42 app (Apps dropdown -> MISP42)
- In the MISP42 app page, select Reports
- Then select, for example, MISP_file_intel_last1d
- If the app works, then you should see attributes from MISP events returned in the report
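To make the settings from step 4 and the report from step 5 concrete, here is an added Python example that is not part of misp42splunk or of this post. It builds (without sending) the MISP `attributes/restSearch` call that a report such as MISP_file_intel_last1d relies on, shows what the “Check SSL certificate” and client-certificate options mean at the TLS layer, and flattens a reply into rows like the ones the report displays. The base URL https://misp.example.org, the placeholder authkey, the sample reply, and the attribute types listed in FILE_INTEL_TYPES are all assumptions made for the example.

```python
"""Added example (not misp42splunk's own code): what the MISP42Splunk
connection settings map to on the wire, and how a restSearch reply is
turned into the attribute rows a *_last1d report shows.

Everything below is constructed: the URL, the authkey, the sample reply.
"""
import json
import ssl
import urllib.request
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed attribute types for a "file intel" report (hashes and filenames).
FILE_INTEL_TYPES = ("md5", "sha1", "sha256", "filename")


@dataclass
class MispSettings:
    """The values entered on the MISP42Splunk configuration page."""
    misp_url: str                       # "MISP URL": base URL of the MISP instance
    auth_key: str                       # "Set the MISP auth key": the user's API key
    client_cert: Optional[str] = None   # path to the PEM client certificate, if used
    check_ssl: bool = True              # "Check SSL certificate of MISP server"


def build_restsearch_request(settings: MispSettings, last: str = "1d",
                             types=FILE_INTEL_TYPES) -> urllib.request.Request:
    """Build (without sending) the attributes/restSearch POST behind a *_last1d report.

    MISP authenticates REST calls with the raw authkey in the Authorization
    header, which is why the app needs a key from a role allowed to use one.
    """
    body = {
        "returnFormat": "json",
        "last": last,            # attributes from events published in the last 1d
        "type": list(types),
        "to_ids": True,          # only attributes flagged for detection use
    }
    return urllib.request.Request(
        settings.misp_url.rstrip("/") + "/attributes/restSearch",
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": settings.auth_key,
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )


def build_ssl_context(settings: MispSettings) -> ssl.SSLContext:
    """TLS behaviour equivalent to the checkbox and client-cert options."""
    ctx = ssl.create_default_context()
    if not settings.check_ssl:
        # Unticked "Check SSL certificate": the server certificate is not
        # validated, so the authkey goes to whichever host answers at the URL.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if settings.client_cert:
        # "Use a client certificate": present the PEM file in the handshake.
        ctx.load_cert_chain(settings.client_cert)
    return ctx


def extract_file_intel(reply: dict) -> List[Tuple[str, str, str]]:
    """Flatten a restSearch JSON reply into (type, value, event_id) rows,
    keeping only file-related types marked to_ids."""
    rows = []
    for attr in reply.get("response", {}).get("Attribute", []):
        if attr.get("type") in FILE_INTEL_TYPES and attr.get("to_ids"):
            rows.append((attr["type"], attr["value"], str(attr["event_id"])))
    return rows


# Constructed sample reply shaped like MISP's restSearch output (not real data).
SAMPLE_REPLY = {
    "response": {
        "Attribute": [
            {"id": "1", "event_id": "42", "type": "sha256", "to_ids": True,
             "value": "0" * 64},
            {"id": "2", "event_id": "42", "type": "ip-dst", "to_ids": True,
             "value": "192.0.2.10"},
            {"id": "3", "event_id": "43", "type": "md5", "to_ids": False,
             "value": "d41d8cd98f00b204e9800998ecf8427e"},
            {"id": "4", "event_id": "43", "type": "filename", "to_ids": True,
             "value": "invoice.doc.exe"},
        ]
    }
}


if __name__ == "__main__":
    cfg = MispSettings("https://misp.example.org", "PLACEHOLDER-AUTHKEY",
                       client_cert=None, check_ssl=False)
    req = build_restsearch_request(cfg)
    print(req.get_method(), req.full_url, json.loads(req.data))
    for row in extract_file_intel(SAMPLE_REPLY):
        print(row)
```

The ip-dst attribute and the md5 with to_ids false are dropped, which matches what a file-intel report is expected to show: only detection-ready file indicators. Swapping the `last` argument or the type list is how the other MISP42 reports differ from this one.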
CAUDIT-ISAC users can access the PDF version at: https://www.auscert.org.au/publications/2019-03-04-misp-integration (Member portal login required)
AusCERT general users can access the document at: https://www.auscert.org.au/publications/2019-03-04-misp-integration (Member portal login required)
Thanks to Remi Seguy (author of misp42splunk) for promptly implementing this feature request.