Blogs - 16 September 2019

Setting up MISP as a threat information source for Splunk Enterprise


By Nicholas Soysa, AusCERT

Disclaimer: The following information is only relevant to AusCERT members who are formally part of the CAUDIT-ISAC or AusCERT-ISAC. For more info on this optional add-on service, please refer to the following page

  1. Get a license or free trial account.

     If you’re an existing Splunk customer, then you should already have the credentials to access Splunk.

     If you’re keen on trying it out first, you can obtain a limited free trial account at https://www.splunk.com/en_us/download.html.

  2. Install and run Splunk Enterprise.
  • Download the appropriate installer for your platform (32- or 64-bit) and follow the installation steps.
  • Launch the Splunk Enterprise search head.
  • Log into your Splunk administrator account.

     IMPORTANT: MISP42Splunk 2.2.0 has been merged to the master branch. The information in section 3 is no longer relevant. You can now update misp42splunk using the “Upgrade App” (existing app) or “Install” option (fresh installs), as usual.

  3. Install and set up MISP42Splunk 2.2.0

  • MISP42Splunk 2.2.0 is not currently in the master branch. NOTE: Once the update’s been merged to the master branch,
  • Extract the ZIP archive.
  • Convert the folder “misp42splunk” to TAR.GZ format using a utility like 7-Zip or the command line.
  • Return to the Splunk app and navigate to “Apps”.
  • Select the “Install App from file” option.
  • Select the archive misp42splunk.tar.gz which you created and click Upload.
  • Restart Splunk when prompted.

  4. Set up MISP42Splunk.

  • Enter the relevant values:

     1. MISP URL = base URL of the MISP instance (e.g. https://misp-c.auscert.org.au OR https://misp.auscert.org.au)
     2. For “Set the MISP auth key”, enter a valid API key for a MISP user which has “authkey” access privileges. This is typically any user with “User” up to “Org admin” roles.
     3. Untick the “Check SSL certificate of MISP server” box
     4. Tick “Use a client certificate to authenticate on default instance”
     5. Enter the full path for the .PEM format client certificate file (e.g. C:\User\John\certs\johncert.pem)

  • Press “Save”. Once the save is completed, you will be returned to the Apps page. You’ll see the version has been updated to 2.2.0.

  5. Check it works

  • Navigate to the MISP42 app (Apps dropdown -> MISP42)
  • In the MISP42 app page, select Reports
  • Then select, for example, MISP_file_intel_last1d
  • If the app works, you should see attributes from MISP events returned in the report
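As an added example, not part of the original post or of misp42splunk itself, the following Python 3 script (standard library only) exercises the same four settings the setup page in step 4 asks for, the MISP base URL, the auth key, the “Check SSL certificate” toggle and the client certificate PEM, against the MISP /attributes/restSearch endpoint, and flattens the returned attributes into the kind of fields the MISP_file_intel_last1d report in step 5 shows. The host name and sample response in it are constructed, and the misp_-prefixed field names are an assumption, not the app’s own.

```python
import json
import ssl
import urllib.request

def build_ssl_context(verify_server_cert, client_cert_pem=None):
    """Mirror the two TLS options on the misp42splunk setup page."""
    ctx = ssl.create_default_context()
    if not verify_server_cert:
        # Unticking "Check SSL certificate of MISP server" means exactly this:
        # the channel is still encrypted, but the MISP server is no longer authenticated.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if client_cert_pem:
        # PEM file holding the client certificate and its private key
        ctx.load_cert_chain(certfile=client_cert_pem)
    return ctx

def build_request(misp_url, authkey, last="1d", types=("md5", "sha1", "sha256", "filename")):
    """POST to /attributes/restSearch for file attributes published in the last period."""
    body = {"returnFormat": "json", "last": last, "type": list(types)}
    return urllib.request.Request(
        misp_url.rstrip("/") + "/attributes/restSearch",
        data=json.dumps(body).encode(),
        headers={"Authorization": authkey, "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST",
    )

def parse_attributes(payload):
    """Flatten a restSearch response into fields a Splunk event could carry (assumed names)."""
    return [{"misp_event_id": a["event_id"], "misp_type": a["type"],
             "misp_value": a["value"], "misp_to_ids": bool(a.get("to_ids", False))}
            for a in payload.get("response", {}).get("Attribute", [])]

def fetch_file_intel(misp_url, authkey, verify_server_cert=True, client_cert_pem=None, last="1d"):
    """End-to-end check using the same four settings the Splunk app asks for."""
    ctx = build_ssl_context(verify_server_cert, client_cert_pem)
    req = build_request(misp_url, authkey, last=last)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_attributes(json.load(resp))

# Constructed sample in the shape MISP returns; the values are not real indicators.
SAMPLE_RESPONSE = {"response": {"Attribute": [
    {"id": "1", "event_id": "42", "type": "sha256", "to_ids": True,
     "value": "00" * 32},
    {"id": "2", "event_id": "42", "type": "filename", "to_ids": False,
     "value": "sample.exe"},
]}}
```

Call fetch_file_intel() with the same values you entered in the app; an empty list with no exception means the URL, key and certificates work but nothing was published in the window.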

  6. Resources

  CAUDIT-ISAC users can access the PDF version at: https://www.auscert.org.au/publications/2019-03-04-misp-integration (Member portal login required)

  AusCERT general users can access the document at: https://www.auscert.org.au/publications/2019-03-04-misp-integration (Member portal login required)

  7. Credits

  Thanks to Remi Seguy (author of misp42splunk) for promptly implementing this feature request.