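Finding MISP attribute matches within Firewall/Proxy logs MISP - syslog correlation | dbxquery query="SELECT attributes.event_id, attributes.category, attributes.value1 AS attribute, attributes.value2 AS md5, events.id, events.date, events.info FROM misp.attributes INNER JOIN misp.events ON attributes.event_id = events.id WHERE attributes.category = 'Network activity'" connection="MISP-Vmware" wrap=t ``` Pull every MISP attribute in category 'Network activity' together with its parent event (value1 is the indicator value; value2 is MISP's second value column, aliased md5 here). wrap=t names the result columns "(NNN) table.column.TYPE", so the rename commands below depend on the SELECT column order. Consider adding AND attributes.to_ids = 1 to the WHERE clause so that only indicators flagged for IDS use are correlated. ``` | rename "(001) attributes.event_id.INT" AS event_id | rename "(002) attributes.category.VARCHAR" AS event_category | rename "(003) attributes.attribute.VARCHAR" AS dstip | rename "(004) attributes.md5.VARCHAR" AS event_md5 | rename "(006) events.date.DATE" AS event_date | rename "(007) events.info.VARCHAR" AS event_info ``` Keep only indicators that appear as a destination in the last 72h of syslog. The subsearch must emit the field under the outer field name (dstip, not destip) and the filter must run before stats, while dstip is still a row-level field; otherwise nothing matches. Default subsearch result limits apply: if syslog holds more distinct destinations than the limit, the list is truncated and matches are silently dropped. ``` | search [search index=syslog earliest=-72h | dedup destip | table destip | rename destip AS dstip] | stats count values(event_date) AS event_date values(event_category) AS event_category values(event_info) AS event_info values(dstip) AS dstip values(event_md5) AS event_md5 by event_id ``` sort 0 lifts the default 10000-row cap of sort ``` | sort 0 - event_date -30d@d now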
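Available data in my MISP | dbxquery query="SELECT attributes.event_id, attributes.category, attributes.value1 AS attribute, attributes.value2 AS md5, events.id, events.date, events.info FROM misp.attributes INNER JOIN misp.events ON attributes.event_id = events.id WHERE attributes.category = 'Network activity'" connection="MISP-Vmware" wrap=t ``` Inventory of MISP attributes in category 'Network activity', one row per MISP event with the attribute values, md5 values, date and info collapsed into multivalue fields. wrap=t names the result columns "(NNN) table.column.TYPE", so the rename commands below depend on the SELECT column order; "(005) events.id.INT" is intentionally left unrenamed. ``` | rename "(001) attributes.event_id.INT" AS event_id | rename "(002) attributes.category.VARCHAR" AS event_category | rename "(003) attributes.attribute.VARCHAR" AS event_attribute | rename "(004) attributes.md5.VARCHAR" AS event_md5 | rename "(006) events.date.DATE" AS event_date | rename "(007) events.info.VARCHAR" AS event_info | stats count values(event_date) AS event_date values(event_category) AS event_category values(event_info) AS event_info values(event_attribute) AS event_attribute values(event_md5) AS event_md5 by event_id ``` sort 0 lifts the default 10000-row cap of sort ``` | sort 0 - event_date -24h@h now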