Bug: low speed when using the misp42 Splunk app's mispsearch command.
Actual behavior
Hello. The truth is, I intend to extract all the domains from the Splunk logs and search for them in MISP as domains using the mispsearch command of the Splunk app, which is itself a Python program. But the speed of retrieving the information is really low. I don't know whether the problem is in the Splunk app (the Python program) itself or in MISP. Can you help me? Also, the system's RAM and CPU usage do not reach 50%.
Expected behavior
Well, I expect a higher speed for the search.
Steps to reproduce
The mispsearch Python file: Untitled.txt
Version
2.4.151
Operating System
ubuntu
Operating System version
20.04
PHP version
7.4
Browser
No response
Browser version
No response
Relevant log output
No response
Extra attachments
No response
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
I would recommend doing it the other way around: import all required IOCs from MISP into Splunk, either into a lookup table or into an index, and create a lookup table from it. Importing into an index is better when you have a huge number of IOCs. Then you can match the IOCs using lookup, or, if you are using Enterprise Security, you can use Splunk's Threat Intelligence Framework. When you review the reports included in the MISP42 app, you will find some reports for creating lookup tables.
FYI: I will release an additional Splunk app for MISP that is able to import IOCs into an index with high performance.
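The approach recommended above, pulling IOCs out of MISP into a Splunk lookup and matching log domains against it, as an added example that is not code from the misp42 app, the Splunk-App-for-MISP, or MISP itself. It assumes the JSON shape returned by MISP's `POST /attributes/restSearch` with `returnFormat=json` (a `response.Attribute[]` list whose entries carry `type`, `value`, `to_ids`, `event_id` and `category`); the MISP response and the log lines below are constructed, not fetched from a live instance, and the lookup name `misp_domains` in the comments is hypothetical.

```python
"""Turn MISP attributes into a Splunk CSV lookup and match log domains against it.

Added example, not code from the misp42 app or the Splunk-App-for-MISP.
It assumes the JSON shape returned by MISP's POST /attributes/restSearch
with returnFormat=json (response.Attribute[] objects carrying type, value,
to_ids, event_id, category); the sample below is constructed, not fetched.
"""
import csv
import io
import json
import re

# Constructed sample of a restSearch response (not real MISP data).
SAMPLE_RESTSEARCH = json.dumps({"response": {"Attribute": [
    {"type": "domain", "value": "Evil.example.com", "to_ids": True,
     "event_id": "42", "category": "Network activity"},
    {"type": "hostname", "value": "c2.example.net", "to_ids": True,
     "event_id": "42", "category": "Network activity"},
    {"type": "domain", "value": "legit.example.org", "to_ids": False,
     "event_id": "43", "category": "Network activity"},
    {"type": "domain|ip", "value": "bad.example.co|203.0.113.5", "to_ids": True,
     "event_id": "44", "category": "Network activity"},
    {"type": "ip-dst", "value": "203.0.113.9", "to_ids": True,
     "event_id": "44", "category": "Network activity"},
    {"type": "domain", "value": "evil.example.com", "to_ids": True,
     "event_id": "45", "category": "Network activity"},
]}})

# Constructed log lines standing in for Splunk events.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z dns query=www.evil.example.com client=10.0.0.5",
    "2024-05-01T10:00:02Z dns query=legit.example.org client=10.0.0.6",
    "2024-05-01T10:00:03Z http host=c2.example.net uri=/beacon client=10.0.0.7",
    "2024-05-01T10:00:04Z http host=updates.example.com uri=/ client=10.0.0.8",
    "2024-05-01T10:00:05Z dns query=BAD.example.co client=10.0.0.9",
]

DOMAIN_TYPES = {"domain", "hostname", "domain|ip"}
LOOKUP_FIELDS = ["misp_domain", "misp_event_id", "misp_type", "misp_category"]
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def normalise_domain(value):
    """Lowercase and strip a trailing dot so lookup keys compare consistently."""
    return value.strip().lower().rstrip(".")


def misp_attributes_to_lookup_rows(restsearch_json, only_to_ids=True):
    """Select domain-like attributes and flatten them into lookup rows.

    Only attributes flagged to_ids (meant for detection) are kept by default;
    composite domain|ip values are split so the key is the domain. The first
    occurrence of a domain wins, so the CSV has exactly one row per key.
    """
    rows, seen = [], set()
    for attr in json.loads(restsearch_json)["response"]["Attribute"]:
        if attr["type"] not in DOMAIN_TYPES:
            continue
        if only_to_ids and not attr.get("to_ids"):
            continue
        value = attr["value"].split("|", 1)[0] if attr["type"] == "domain|ip" else attr["value"]
        domain = normalise_domain(value)
        if domain in seen:
            continue
        seen.add(domain)
        rows.append({"misp_domain": domain, "misp_event_id": str(attr["event_id"]),
                     "misp_type": attr["type"], "misp_category": attr.get("category", "")})
    return rows


def write_lookup_csv(rows):
    """Render the rows as the CSV a Splunk lookup file expects (header row = field names)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LOOKUP_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def extract_domains(line):
    """Pull domain-looking tokens out of one log line (bare IPs do not match: no alphabetic TLD)."""
    return [normalise_domain(m) for m in DOMAIN_RE.findall(line)]


def match_logs(lines, rows):
    """Match extracted domains against the lookup, walking up parent labels.

    www.evil.example.com therefore hits an indicator for evil.example.com.
    In Splunk the exact-key form is `| lookup misp_domains misp_domain AS query`
    (hypothetical lookup name); the parent-label walk corresponds to a
    WILDCARD match_type on the lookup in transforms.conf.
    """
    index = {r["misp_domain"]: r for r in rows}
    hits = []
    for n, line in enumerate(lines):
        for domain in extract_domains(line):
            labels = domain.split(".")
            for i in range(len(labels) - 1):  # stop before the bare TLD
                candidate = ".".join(labels[i:])
                if candidate in index:
                    hits.append({"line": n, "observed": domain, "indicator": candidate,
                                 "event_id": index[candidate]["misp_event_id"]})
                    break
    return hits


if __name__ == "__main__":
    lookup_rows = misp_attributes_to_lookup_rows(SAMPLE_RESTSEARCH)
    print(write_lookup_csv(lookup_rows))
    for hit in match_logs(SAMPLE_LOGS, lookup_rows):
        print(hit)
```

The point of the design is that the MISP round trip happens once, when the CSV is built (in production on a schedule, with a `timestamp` or `publish_timestamp` filter in the restSearch body so only new attributes are fetched), and the per-event work is a local hash lookup rather than one REST query per domain, which is what makes the mispsearch-per-result pattern slow even when CPU and RAM sit idle. Filtering on `to_ids` keeps attributes MISP marks as not suitable for detection out of the lookup.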
> I will release an additional Splunk app for MISP that is able to import IOCs into an index with high performance.
Not to hijack this thread @Benni0, but I'm interested in this and hope to hear more at some point!
@Benni0 Looks very interesting, don't hesitate to contribute a blog post on misp-project.org when you release it!
@mdavis332 @adulau You can find my app here: Splunk-App-for-MISP, and also on Splunkbase. Feedback is welcome!