Re: MISP42Splunk accessing remote MISP instance wi...

nick25 · ‎02-28-2019

I'm trying to access a MISP instance from the MISP42Splunk App. I've configured the correct API key and MISP Base URL. I do not however, see an option to specify a client certificate to be presented to the MISP server and i think that breaks the integration. Do you know if there is an option to specify a client cert in MISP42Splunk or some other means?

Thanks.

remiseguy · ‎03-01-2019

Hi,
This is not available yet. Could you open an issue on github to get it implemented

remiseguy · ‎03-02-2019

Please check version 2.2.0 on github as I don’t have a lab set up yet to test it

nick25 · ‎03-03-2019

Thanks a million Remi. MISP42Splunk 2.2.0 works on Windows 10.

Manually deleted the MISP42splunk folder in the Splunk /etc folder . Reinstalled MISP42Splunk using "install App from file" option. Restarted Splunk.

Specified the Client certificate as .PEM file, the same format as usually presented via the MISP API.

Ran reports on the dashboard and saw event data being successfully captured from the MISP instance.

Thanks for the prompt action.

MISP42Splunk accessing remote MISP instance with a client certificate

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases