Hi All,
I am having issues with MISP rules in SecOps. We have integrated via the documentation here using a Webhook: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/misp
The parser itself, whilst it does extract some fields, is still raw and doesn't correlate timeframes. We aren't interested in the time the IoC was ingested from MISP but rather the time it was published from the third party threat provider, in a field known as
extracted.fields["Event.date"]
strings.concat($g.extracted.fields["Event.date"], " 00:00:00")
The issue is that it is supposed to look for all fields of this value within the past 6 months and then correlate these to new events of other log sources with field 'IP'. The date of ingestion for MISP events really isn't important here. You can see the code snippet for this below:
rule misp_ioc_ip_correlation {   // placeholder rule name; the pasted snippet omitted the rule header

  meta:
    description = "Correlate events carrying an IP with MISP IOCs published in the last 180 days"

  events:
    $ip = $e.principal.ip
    $userid = $e.target.user.userid

    // MISP IOC data (joined via IP)
    $e.principal.ip = $g.extracted.fields["Event._AttributeFlattened[0].value"]
    $g.metadata.log_type = "MISP_IOC"
    $g.extracted.fields["Event.Attribute[0].category"] = "Network activity"
    $ioc_event_date = $g.extracted.fields["Event.date"]
    // Event.date is day-granular, so midnight is appended to make it parseable as a timestamp
    $ioc_event_timestamp = strings.concat($g.extracted.fields["Event.date"], " 00:00:00")

  match:
    $userid over 1m

  outcome:
    // Parse timestamp
    $event_time = max($e.metadata.event_timestamp.seconds)
    // Parse MISP date
    $misp_time = max(timestamp.as_unix_seconds($ioc_event_timestamp, "GMT"))
    // Calculate delta in days
    $ioc_delta = ($event_time - $misp_time) / 86400
    // Risk scoring: base 35, plus an age bonus that decays with IOC age
    $risk_score = max(35)
      + if($ioc_delta <= 1, 45, 0)
      + if($ioc_delta <= 7 and $ioc_delta > 1, 30, 0)
      + if($ioc_delta <= 30.44 and $ioc_delta > 7, 10, 0)
      + if($ioc_delta <= 60 and $ioc_delta > 30.44, 0, 0)
      - if($ioc_delta > 60, 10, 0)

  condition:
    $e and $g and $ioc_delta < 180
}
If someone has had any experience with authoring rules from webhook methodology that could help resolve this issue that would be greatly appreciated. I am not interested in importing CSVs as this is a very static approach and we want to keep things as automated as possible.
Thank you in advance.
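As an added example (not code from the original post), here is the rule's join, IOC-age and risk-scoring logic reimplemented in plain Python over constructed MISP events and constructed network events, so the bucket boundaries and the 180-day cutoff can be checked offline before the YARA-L version is tuned. It goes slightly beyond the rule: the raw MISP log later in this thread carries Event.publish_timestamp as an epoch value, which is the publication time the post asks for, so the example uses it when it is non-zero and only falls back to Event.date at 00:00:00 UTC (the strings.concat approach) for unpublished events; it also skips attributes flagged deleted and those without to_ids. The IP addresses, user IDs and timestamps are all made up.

```python
"""Added example, not code from the original post: the YARA-L rule's IOC-age
correlation and risk scoring, in plain Python over constructed data."""
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400
IP_ATTRIBUTE_TYPES = {"ip-src", "ip-dst"}  # MISP attribute types whose value is a bare IP


def _is_true(value):
    """MISP booleans are JSON true/false in the raw log but "true"/"false" after extraction."""
    return str(value).lower() == "true"


def ioc_published_at(event):
    """Epoch seconds the IOC was published: publish_timestamp if set, else Event.date at 00:00 UTC."""
    published = int(event.get("publish_timestamp") or 0)
    if published > 0:
        return published
    day = datetime.strptime(event["date"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(day.timestamp())


def iocs_by_ip(misp_events):
    """Index detection-worthy IP attributes by value; accepts {"Event": {...}} or bare events."""
    index = {}
    for item in misp_events:
        event = item.get("Event", item)
        published_at = ioc_published_at(event)
        for attr in event.get("Attribute", []):
            if attr.get("category") != "Network activity":
                continue
            if attr.get("type") not in IP_ATTRIBUTE_TYPES:
                continue
            if not _is_true(attr.get("to_ids")) or _is_true(attr.get("deleted")):
                continue
            index.setdefault(attr["value"], []).append(
                {"event_id": event["id"], "published_at": published_at})
    return index


def risk_score(delta_days):
    """Same buckets as the rule's outcome section: base 35, then an age bonus or penalty."""
    score = 35
    if delta_days <= 1:
        score += 45
    elif delta_days <= 7:
        score += 30
    elif delta_days <= 30.44:
        score += 10
    elif delta_days > 60:
        score -= 10  # 30.44 < delta <= 60 adds nothing
    return score


def correlate(network_events, misp_events, max_age_days=180):
    """Join network events to IOCs on IP and keep those younger than max_age_days."""
    index = iocs_by_ip(misp_events)
    matches = []
    for ev in network_events:
        for ioc in index.get(ev["principal_ip"], []):
            delta_days = (ev["event_ts"] - ioc["published_at"]) / SECONDS_PER_DAY
            if delta_days >= max_age_days:
                continue
            matches.append({"userid": ev["userid"], "ip": ev["principal_ip"],
                            "misp_event_id": ioc["event_id"],
                            "ioc_age_days": round(delta_days, 2),
                            "risk_score": risk_score(delta_days)})
    return matches


# Constructed MISP events in the {"Event": {...}} shape the webhook sends (values made up).
MISP_EVENTS = [
    {"Event": {"id": "58409", "date": "2025-06-09", "publish_timestamp": "1749513622",
               "Attribute": [
                   {"category": "Network activity", "type": "ip-dst", "to_ids": True,
                    "deleted": False, "value": "203.0.113.10"},
                   {"category": "Network activity", "type": "url", "to_ids": True,
                    "deleted": False, "value": "https://rkojg.cn/hcybvm"}]}},
    # Unpublished event: MISP reports publish_timestamp "0", so only Event.date is usable.
    {"Event": {"id": "58500", "date": "2025-01-15", "publish_timestamp": "0",
               "Attribute": [
                   {"category": "Network activity", "type": "ip-src", "to_ids": True,
                    "deleted": False, "value": "198.51.100.7"}]}},
]

# Constructed events from another log source, reduced to the UDM fields the rule joins on.
NETWORK_EVENTS = [
    {"userid": "alice", "principal_ip": "203.0.113.10", "event_ts": 1749513622 + 12 * 3600},
    {"userid": "bob", "principal_ip": "203.0.113.10", "event_ts": 1749513622 + 5 * SECONDS_PER_DAY},
    {"userid": "carol", "principal_ip": "198.51.100.7", "event_ts": 1736899200 + 20 * SECONDS_PER_DAY},
    {"userid": "dave", "principal_ip": "198.51.100.7", "event_ts": 1736899200 + 200 * SECONDS_PER_DAY},
    {"userid": "erin", "principal_ip": "192.0.2.55", "event_ts": 1749513622},
]

if __name__ == "__main__":
    for match in correlate(NETWORK_EVENTS, MISP_EVENTS):
        print(match)
```

Event.date is day-granular, so an IOC age computed from it is uncertain by up to a day, and an event that predates the IOC's publication gets a negative delta, which the bucket logic (as in the rule) scores as fresh; filter those out if that is not the intent.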
Surely someone has had a similar issue?
There's a great blog post that walks through the process of writing rules like this, but it does assume you've already successfully ingested the MISP IOCs. This should be some help once you get going: https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Building-Rules-with-Your...
But before you can use that, we need to ensure the MISP data is being ingested into the Entity Graph (instead of the Event data model) to allow proper matching and handling of the IOC validity period. The MISP parser should do this by default, but either you have the wrong fields in your rule or there might be an issue where the parser isn't expecting the format in which your data is being sent.
Thankfully we've recently enabled a new function that will allow you to search the entity graph from the search box, which will make this easier to investigate. Take a quick search for graph.metadata.vendor_name = "MISP" and see if you have any entity results. I don't have any MISP IOCs in my lab, but I have some from GCTI and your results should be similar. Note the "Graph" in the UDM path, and the results window says "Entities" instead of events.
As long as you are creating entities you should be good to follow John's blog post and adapt it to your needs.
If you don't see the entities on that search, but do see your MISP data if you do a search on the event model for 'metadata.log_type = "MISP_IOC"' that would indicate the parser is failing to properly extract the data and is instead relying on automatic field extraction (which writes events instead of entities). In that case you'll need to investigate why your MISP data isn't being parsed properly.
Hi @JeremyLand, thanks for your response. It is in the Event Data Model, from following the webhook instructions here. How would I be able to switch over to the Entity Graph while still using this webhook? We have already created a custom parser for IOC types such as sha256 and IP address, although entity values are sadly not showing.
Thank you!
Could you share a log sample and the custom parser used?
The entity values will require entity data model not the event data model so this could be the reason.
Snippet of UDM data from an example:
metadata:(6)
base_labels:(2)
event_timestamp:"2025-06-10T00:01:00.125877Z"
event_type:"GENERIC_EVENT"
id:b"AAAAAKG1mRITOREotGSXNYahKhkAAAAAFAAAABAAAAA="
ingested_timestamp:"2025-06-10T00:01:00.125877Z"
log_type:"MISP_IOC"
extracted:(221)
fields["Event._AttributeFlattened[0]._allTags[0].colour"]:"#33FF00"
fields["Event._AttributeFlattened[0]._allTags[0].exportable"]:"true"
fields["Event._AttributeFlattened[0]._allTags[0].hide_tag"]:"false"
fields["Event._AttributeFlattened[0]._allTags[0].id"]:"10"
fields["Event._AttributeFlattened[0]._allTags[0].inherited"]:"true"
fields["Event._AttributeFlattened[0]._allTags[0].is_custom_galaxy"]:"false"
fields["Event._AttributeFlattened[0]._allTags[0].is_galaxy"]:"false"
fields["Event._AttributeFlattened[0]._allTags[0].local_only"]:"false"
fields["Event._AttributeFlattened[0]._allTags[0].name"]:"tlp:green"
fields["Event._AttributeFlattened[0]._allTags[0].user_id"]:"0"
fields["Event._AttributeFlattened[0]._allTags[1].colour"]:"#185dda"
fields["Event._AttributeFlattened[0]._allTags[1].exportable"]:"true"
fields["Event._AttributeFlattened[0]._allTags[1].hide_tag"]:"false"
fields["Event._AttributeFlattened[0]._allTags[1].id"]:"2082"
fields["Event._AttributeFlattened[0]._allTags[1].inherited"]:"true"
fields["Event._AttributeFlattened[0]._allTags[1].is_custom_galaxy"]:"false"
fields["Event._AttributeFlattened[0]._allTags[1].is_galaxy"]:"false"
fields["Event._AttributeFlattened[0]._allTags[1].local_only"]:"false"
fields["Event._AttributeFlattened[0]._allTags[1].name"]:"audience-industry:Retail Banking"
fields["Event._AttributeFlattened[0]._allTags[1].user_id"]:"0"
fields["Event._AttributeFlattened[0]._allTags[2].colour"]:"#8d99c8"
fields["Event._AttributeFlattened[0]._allTags[2].exportable"]:"true"
fields["Event._AttributeFlattened[0]._allTags[2].hide_tag"]:"false"
fields["Event._AttributeFlattened[0]._allTags[2].id"]:"2088"
fields["Event._AttributeFlattened[0]._allTags[2].inherited"]:"true"
fields["Event._AttributeFlattened[0]._allTags[2].is_custom_galaxy"]:"false"
fields["Event._AttributeFlattened[0]._allTags[2].is_galaxy"]:"false"
fields["Event._AttributeFlattened[0]._allTags[2].local_only"]:"false"
fields["Event._AttributeFlattened[0]._allTags[2].name"]:"attack-pattern:malspam"
fields["Event._AttributeFlattened[0]._allTags[2].user_id"]:"0"
fields["Event._AttributeFlattened[0]._allTags[3].colour"]:"#94db0f"
fields["Event._AttributeFlattened[0]._allTags[3].exportable"]:"true"
fields["Event._AttributeFlattened[0]._allTags[3].hide_tag"]:"false"
fields["Event._AttributeFlattened[0]._allTags[3].id"]:"2142"
fields["Event._AttributeFlattened[0]._allTags[3].inherited"]:"true"
fields["Event._AttributeFlattened[0]._allTags[3].is_custom_galaxy"]:"false"
fields["Event._AttributeFlattened[0]._allTags[3].is_galaxy"]:"false"
fields["Event._AttributeFlattened[0]._allTags[3].local_only"]:"false"
fields["Event._AttributeFlattened[0]._allTags[3].name"]:"malware:SocGholish"
fields["Event._AttributeFlattened[0]._allTags[3].user_id"]:"0"
fields["Event._AttributeFlattened[0]._allTags[4].colour"]:"#d0832e"
fields["Event._AttributeFlattened[0]._allTags[4].exportable"]:"true"
fields["Event._AttributeFlattened[0]._allTags[4].hide_tag"]:"false"
fields["Event._AttributeFlattened[0]._allTags[4].id"]:"2083"
fields["Event._AttributeFlattened[0]._allTags[4].inherited"]:"true"
fields["Event._AttributeFlattened[0]._allTags[4].is_custom_galaxy"]:"false"
fields["Event._AttributeFlattened[0]._allTags[4].is_galaxy"]:"false"
fields["Event._AttributeFlattened[0]._allTags[4].local_only"]:"false"
fields["Event._AttributeFlattened[0]._allTags[4].name"]:"audience-region:Americas"
fields["Event._AttributeFlattened[0]._allTags[4].user_id"]:"0"
fields["Event._AttributeFlattened[0]._allTags[5].colour"]:"#5d7d17"
fields["Event._AttributeFlattened[0]._allTags[5].exportable"]:"true"
fields["Event._AttributeFlattened[0]._allTags[5].hide_tag"]:"false"
fields["Event._AttributeFlattened[0]._allTags[5].id"]:"2179"
fields["Event._AttributeFlattened[0]._allTags[5].inherited"]:"true"
fields["Event._AttributeFlattened[0]._allTags[5].is_custom_galaxy"]:"false"
fields["Event._AttributeFlattened[0]._allTags[5].is_galaxy"]:"false"
fields["Event._AttributeFlattened[0]._allTags[5].local_only"]:"false"
fields["Event._AttributeFlattened[0]._allTags[5].name"]:"attack-pattern:Ransomware"
fields["Event._AttributeFlattened[0]._allTags[5].user_id"]:"0"
fields["Event._AttributeFlattened[0].category"]:"Network activity"
fields["Event._AttributeFlattened[0].comment"]:""
fields["Event._AttributeFlattened[0].deleted"]:"false"
fields["Event._AttributeFlattened[0].disable_correlation"]:"false"
fields["Event._AttributeFlattened[0].distribution"]:"5"
fields["Event._AttributeFlattened[0].event_id"]:"58409"
fields["Event._AttributeFlattened[0].id"]:"1326451"
fields["Event._AttributeFlattened[0].object_id"]:"0"
fields["Event._AttributeFlattened[0].sharing_group_id"]:"0"
fields["Event._AttributeFlattened[0].timestamp"]:"1749497478"
fields["Event._AttributeFlattened[0].to_ids"]:"true"
fields["Event._AttributeFlattened[0].type"]:"url"
fields["Event._AttributeFlattened[0].uuid"]:"ced2b6f1-d240-43d9-990f-08700d740860"
fields["Event._AttributeFlattened[0].value"]:"https://rkojg.cn/hcybvm"
fields["Event.analysis"]:"0"
fields["Event.attribute_count"]:"32"
fields["Event.Attribute[0]._allTags[0].colour"]:"#33FF00"
fields["Event.Attribute[0]._allTags[0].exportable"]:"true"
fields["Event.Attribute[0]._allTags[0].hide_tag"]:"false"
fields["Event.Attribute[0]._allTags[0].id"]:"10"
fields["Event.Attribute[0]._allTags[0].inherited"]:"true"
fields["Event.Attribute[0]._allTags[0].is_custom_galaxy"]:"false"
fields["Event.Attribute[0]._allTags[0].is_galaxy"]:"false"
fields["Event.Attribute[0]._allTags[0].local_only"]:"false"
fields["Event.Attribute[0]._allTags[0].name"]:"tlp:green"
fields["Event.Attribute[0]._allTags[0].user_id"]:"0"
fields["Event.Attribute[0]._allTags[1].colour"]:"#185dda"
fields["Event.Attribute[0]._allTags[1].exportable"]:"true"
fields["Event.Attribute[0]._allTags[1].hide_tag"]:"false"
fields["Event.Attribute[0]._allTags[1].id"]:"2082"
fields["Event.Attribute[0]._allTags[1].inherited"]:"true"
fields["Event.Attribute[0]._allTags[1].is_custom_galaxy"]:"false"
fields["Event.Attribute[0]._allTags[1].is_galaxy"]:"false"
fields["Event.Attribute[0]._allTags[1].local_only"]:"false"
fields["Event.Attribute[0]._allTags[1].name"]:"audience-industry:Retail Banking"
fields["Event.Attribute[0]._allTags[1].user_id"]:"0"
fields["Event.Attribute[0]._allTags[2].colour"]:"#8d99c8"
fields["Event.Attribute[0]._allTags[2].exportable"]:"true"
fields["Event.Attribute[0]._allTags[2].hide_tag"]:"false"
fields["Event.Attribute[0]._allTags[2].id"]:"2088"
fields["Event.Attribute[0]._allTags[2].inherited"]:"true"
fields["Event.Attribute[0]._allTags[2].is_custom_galaxy"]:"false"
fields["Event.Attribute[0]._allTags[2].is_galaxy"]:"false"
fields["Event.Attribute[0]._allTags[2].local_only"]:"false"
fields["Event.Attribute[0]._allTags[2].name"]:"attack-pattern:malspam"
fields["Event.Attribute[0]._allTags[2].user_id"]:"0"
fields["Event.Attribute[0]._allTags[3].colour"]:"#94db0f"
fields["Event.Attribute[0]._allTags[3].exportable"]:"true"
fields["Event.Attribute[0]._allTags[3].hide_tag"]:"false"
fields["Event.Attribute[0]._allTags[3].id"]:"2142"
fields["Event.Attribute[0]._allTags[3].inherited"]:"true"
fields["Event.Attribute[0]._allTags[3].is_custom_galaxy"]:"false"
fields["Event.Attribute[0]._allTags[3].is_galaxy"]:"false"
fields["Event.Attribute[0]._allTags[3].local_only"]:"false"
fields["Event.Attribute[0]._allTags[3].name"]:"malware:SocGholish"
fields["Event.Attribute[0]._allTags[3].user_id"]:"0"
fields["Event.Attribute[0]._allTags[4].colour"]:"#d0832e"
fields["Event.Attribute[0]._allTags[4].exportable"]:"true"
fields["Event.Attribute[0]._allTags[4].hide_tag"]:"false"
fields["Event.Attribute[0]._allTags[4].id"]:"2083"
fields["Event.Attribute[0]._allTags[4].inherited"]:"true"
fields["Event.Attribute[0]._allTags[4].is_custom_galaxy"]:"false"
fields["Event.Attribute[0]._allTags[4].is_galaxy"]:"false"
fields["Event.Attribute[0]._allTags[4].local_only"]:"false"
fields["Event.Attribute[0]._allTags[4].name"]:"audience-region:Americas"
fields["Event.Attribute[0]._allTags[4].user_id"]:"0"
fields["Event.Attribute[0]._allTags[5].colour"]:"#5d7d17"
fields["Event.Attribute[0]._allTags[5].exportable"]:"true"
fields["Event.Attribute[0]._allTags[5].hide_tag"]:"false"
fields["Event.Attribute[0]._allTags[5].id"]:"2179"
fields["Event.Attribute[0]._allTags[5].inherited"]:"true"
fields["Event.Attribute[0]._allTags[5].is_custom_galaxy"]:"false"
fields["Event.Attribute[0]._allTags[5].is_galaxy"]:"false"
fields["Event.Attribute[0]._allTags[5].local_only"]:"false"
fields["Event.Attribute[0]._allTags[5].name"]:"attack-pattern:Ransomware"
fields["Event.Attribute[0]._allTags[5].user_id"]:"0"
fields["Event.Attribute[0].category"]:"Network activity"
fields["Event.Attribute[0].comment"]:""
fields["Event.Attribute[0].deleted"]:"false"
fields["Event.Attribute[0].disable_correlation"]:"false"
fields["Event.Attribute[0].distribution"]:"5"
fields["Event.Attribute[0].event_id"]:"58409"
fields["Event.Attribute[0].id"]:"1326451"
fields["Event.Attribute[0].object_id"]:"0"
fields["Event.Attribute[0].sharing_group_id"]:"0"
fields["Event.Attribute[0].timestamp"]:"1749497478"
fields["Event.Attribute[0].to_ids"]:"true"
fields["Event.Attribute[0].type"]:"url"
fields["Event.Attribute[0].uuid"]:"ced2b6f1-d240-43d9-990f-08700d740860"
fields["Event.Attribute[0].value"]:"https://rkojg.cn/hcybvm"
fields["Event.date"]:"2025-06-09"
fields["Event.disable_correlation"]:"false"
fields["Event.distribution"]:"0"
fields["Event.extends_uuid"]:""
fields["Event.id"]:"58409"
fields["Event.info"]:"Member Submission: Ransomware, malspam activity potentially associated with SocGholish (Alert ID: ed9f6629)"
fields["Event.locked"]:"true"
fields["Event.org_id"]:"1"
fields["Event.orgc_id"]:"31"
fields["Event.proposal_email_lock"]:"false"
fields["Event.publish_timestamp"]:"1749513622"
fields["Event.published"]:"true"
fields["Event.sharing_group_id"]:"0"
fields["Event.sighting_timestamp"]:"0"
fields["Event.Tag[0].colour"]:"#33FF00"
fields["Event.Tag[0].exportable"]:"true"
fields["Event.Tag[0].hide_tag"]:"false"
fields["Event.Tag[0].id"]:"10"
fields["Event.Tag[0].is_custom_galaxy"]:"false"
fields["Event.Tag[0].is_galaxy"]:"false"
fields["Event.Tag[0].local_only"]:"false"
fields["Event.Tag[0].name"]:"tlp:green"
fields["Event.Tag[0].user_id"]:"0"
fields["Event.Tag[1].colour"]:"#185dda"
fields["Event.Tag[1].exportable"]:"true"
fields["Event.Tag[1].hide_tag"]:"false"
fields["Event.Tag[1].id"]:"2082"
fields["Event.Tag[1].is_custom_galaxy"]:"false"
fields["Event.Tag[1].is_galaxy"]:"false"
fields["Event.Tag[1].local_only"]:"false"
fields["Event.Tag[1].name"]:"audience-industry:Retail Banking"
fields["Event.Tag[1].user_id"]:"0"
fields["Event.Tag[2].colour"]:"#8d99c8"
fields["Event.Tag[2].exportable"]:"true"
fields["Event.Tag[2].hide_tag"]:"false"
fields["Event.Tag[2].id"]:"2088"
fields["Event.Tag[2].is_custom_galaxy"]:"false"
fields["Event.Tag[2].is_galaxy"]:"false"
fields["Event.Tag[2].local_only"]:"false"
fields["Event.Tag[2].name"]:"attack-pattern:malspam"
fields["Event.Tag[2].user_id"]:"0"
fields["Event.Tag[3].colour"]:"#94db0f"
fields["Event.Tag[3].exportable"]:"true"
fields["Event.Tag[3].hide_tag"]:"false"
fields["Event.Tag[3].id"]:"2142"
fields["Event.Tag[3].is_custom_galaxy"]:"false"
fields["Event.Tag[3].is_galaxy"]:"false"
fields["Event.Tag[3].local_only"]:"false"
fields["Event.Tag[3].name"]:"malware:SocGholish"
fields["Event.Tag[3].user_id"]:"0"
fields["Event.Tag[4].colour"]:"#d0832e"
fields["Event.Tag[4].exportable"]:"true"
fields["Event.Tag[4].hide_tag"]:"false"
fields["Event.Tag[4].id"]:"2083"
fields["Event.Tag[4].is_custom_galaxy"]:"false"
fields["Event.Tag[4].is_galaxy"]:"false"
fields["Event.Tag[4].local_only"]:"false"
fields["Event.Tag[4].name"]:"audience-region:Americas"
fields["Event.Tag[4].user_id"]:"0"
fields["Event.Tag[5].colour"]:"#5d7d17"
fields["Event.Tag[5].exportable"]:"true"
fields["Event.Tag[5].hide_tag"]:"false"
fields["Event.Tag[5].id"]:"2179"
fields["Event.Tag[5].is_custom_galaxy"]:"false"
fields["Event.Tag[5].is_galaxy"]:"false"
fields["Event.Tag[5].local_only"]:"false"
fields["Event.Tag[5].name"]:"attack-pattern:Ransomware"
fields["Event.Tag[5].user_id"]:"0"
fields["Event.threat_level_id"]:"4"
fields["Event.timestamp"]:"1749497477"
fields["Event.uuid"]:"2ac6da95-8758-48ab-9db5-7544f59ffcd1"
Snippet of raw log:
{
"Event": {
"id": "58409",
"org_id": "1",
"date": "2025-06-09",
"info": "Member Submission: Ransomware, malspam activity potentially associated with SocGholish (Alert ID: ed9f6629)",
"uuid": "2ac6da95-8758-48ab-9db5-7544f59ffcd1",
"published": true,
"analysis": "0",
"attribute_count": "32",
"orgc_id": "31",
"timestamp": "1749497477",
"distribution": "0",
"sharing_group_id": "0",
"proposal_email_lock": false,
"locked": true,
"threat_level_id": "4",
"publish_timestamp": "1749513622",
"sighting_timestamp": "0",
"disable_correlation": false,
"extends_uuid": "",
"protected": null,
"Attribute": [
{
"id": "1326451",
"event_id": "58409",
"object_id": "0",
"object_relation": null,
"category": "Network activity",
"type": "url",
"to_ids": true,
"uuid": "ced2b6f1-d240-43d9-990f-08700d740860",
"timestamp": "1749497478",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": null,
"last_seen": null,
"value": "https://rkojg.cn/hcybvm",
"Sighting": [],
"_allTags": [
{
"id": "10",
"name": "tlp:green",
"colour": "#33FF00",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2082",
"name": "audience-industry:Retail Banking",
"colour": "#185dda",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2088",
"name": "attack-pattern:malspam",
"colour": "#8d99c8",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2142",
"name": "malware:SocGholish",
"colour": "#94db0f",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2083",
"name": "audience-region:Americas",
"colour": "#d0832e",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2179",
"name": "attack-pattern:Ransomware",
"colour": "#5d7d17",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
}
]
}
],
"Tag": [
{
"id": "10",
"name": "tlp:green",
"colour": "#33FF00",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false
},
{
"id": "2082",
"name": "audience-industry:Retail Banking",
"colour": "#185dda",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false
},
{
"id": "2088",
"name": "attack-pattern:malspam",
"colour": "#8d99c8",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false
},
{
"id": "2142",
"name": "malware:SocGholish",
"colour": "#94db0f",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false
},
{
"id": "2083",
"name": "audience-region:Americas",
"colour": "#d0832e",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false
},
{
"id": "2179",
"name": "attack-pattern:Ransomware",
"colour": "#5d7d17",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false
}
],
"_AttributeFlattened": [
{
"id": "1326451",
"event_id": "58409",
"object_id": "0",
"object_relation": null,
"category": "Network activity",
"type": "url",
"to_ids": true,
"uuid": "ced2b6f1-d240-43d9-990f-08700d740860",
"timestamp": "1749497478",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": null,
"last_seen": null,
"value": "https://rkojg.cn/hcybvm",
"Sighting": [],
"_allTags": [
{
"id": "10",
"name": "tlp:green",
"colour": "#33FF00",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2082",
"name": "audience-industry:Retail Banking",
"colour": "#185dda",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2088",
"name": "attack-pattern:malspam",
"colour": "#8d99c8",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2142",
"name": "malware:SocGholish",
"colour": "#94db0f",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2083",
"name": "audience-region:Americas",
"colour": "#d0832e",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2179",
"name": "attack-pattern:Ransomware",
"colour": "#5d7d17",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
}
]
}
]
}
}
Looks like your webhook is sending an additional outer "Event" layer in the JSON that the parser isn't expecting. I don't have a test MISP instance handy to check on, but double-check the trigger event's output to see if you can get it to send just the contents of Event without sending the entire object, or add a processing step that can strip {"Event": from the beginning and } from the end of your body.
If your MISP setup doesn't allow you to make those changes, you can either use the custom parser option to modify the MISP_IOC parser to handle the format of your JSON, or submit a support case for the parser dev team to add handling for that additional Event layer. If you submit a support case, be sure to include sample logs and a description of the desired behavior (a link to this thread would be helpful).
Example of a MISP_IOC JSON structure that does parse correctly:
{
"id": "58409",
"org_id": "1",
"date": "2025-06-09",
"info": "Member Submission: Ransomware, malspam activity potentially associated with SocGholish (Alert ID: ed9f6629)",
"uuid": "2ac6da95-8758-48ab-9db5-7544f59ffcd1",
"published": true,
"analysis": "0",
"attribute_count": "32",
"orgc_id": "31",
"timestamp": "1749497477",
"distribution": "0",
"sharing_group_id": "0",
"proposal_email_lock": false,
"locked": true,
"threat_level_id": "4",
"publish_timestamp": "1749513622",
"sighting_timestamp": "0",
"disable_correlation": false,
"extends_uuid": "",
"protected": null,
"Attribute": [
{
"id": "1326451",
"event_id": "58409",
"object_id": "0",
"object_relation": null,
"category": "Network activity",
"type": "url",
"to_ids": true,
"uuid": "ced2b6f1-d240-43d9-990f-08700d740860",
"timestamp": "1749497478",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": null,
"last_seen": null,
"value": "https://rkojg.cn/hcybvm",
"Sighting": [],
"_allTags": [
{
"id": "10",
"name": "tlp:green",
"colour": "#33FF00",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2082",
"name": "audience-industry:Retail Banking",
"colour": "#185dda",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2088",
"name": "attack-pattern:malspam",
"colour": "#8d99c8",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2142",
"name": "malware:SocGholish",
"colour": "#94db0f",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2083",
"name": "audience-region:Americas",
"colour": "#d0832e",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2179",
"name": "attack-pattern:Ransomware",
"colour": "#5d7d17",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
}
]
}
],
"Tag": [
{
"id": "10",
"name": "tlp:green",
"colour": "#33FF00",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false
},
{
"id": "2082",
"name": "audience-industry:Retail Banking",
"colour": "#185dda",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false
},
{
"id": "2088",
"name": "attack-pattern:malspam",
"colour": "#8d99c8",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false
},
{
"id": "2142",
"name": "malware:SocGholish",
"colour": "#94db0f",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false
},
{
"id": "2083",
"name": "audience-region:Americas",
"colour": "#d0832e",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false
},
{
"id": "2179",
"name": "attack-pattern:Ransomware",
"colour": "#5d7d17",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false
}
],
"_AttributeFlattened": [
{
"id": "1326451",
"event_id": "58409",
"object_id": "0",
"object_relation": null,
"category": "Network activity",
"type": "url",
"to_ids": true,
"uuid": "ced2b6f1-d240-43d9-990f-08700d740860",
"timestamp": "1749497478",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": null,
"last_seen": null,
"value": "https://rkojg.cn/hcybvm",
"Sighting": [],
"_allTags": [
{
"id": "10",
"name": "tlp:green",
"colour": "#33FF00",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2082",
"name": "audience-industry:Retail Banking",
"colour": "#185dda",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2088",
"name": "attack-pattern:malspam",
"colour": "#8d99c8",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2142",
"name": "malware:SocGholish",
"colour": "#94db0f",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2083",
"name": "audience-region:Americas",
"colour": "#d0832e",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
},
{
"id": "2179",
"name": "attack-pattern:Ransomware",
"colour": "#5d7d17",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"inherited": true
}
]
}
]
}
This will produce the following UDM output, which is written to the entity data model and will allow for proper IOC matching:
metadata.product_entity_id: "ced2b6f1-d240-43d9-990f-08700d740860"
metadata.collected_timestamp: "2025-06-16T17:18:00Z"
metadata.entity_type: "URL"
metadata.description: "Member Submission: Ransomware, malspam activity potentially associated with SocGholish (Alert ID: ed9f6629)"
metadata.interval.start_time: "1970-01-01T00:00:01Z"
metadata.interval.end_time: "9999-12-31T23:59:59Z"
metadata.threat[0].category_details[0]: "Network activity"
metadata.threat[0].detection_fields[0].key: "Attribute id"
metadata.threat[0].detection_fields[0].value: "1326451"
metadata.threat[0].detection_fields[1].key: "Attribute event_id"
metadata.threat[0].detection_fields[1].value: "58409"
metadata.threat[0].detection_fields[2].key: "Attribute to_ids"
metadata.threat[0].detection_fields[2].value: "true"
metadata.threat[0].detection_fields[3].key: "Attribute timestamp"
metadata.threat[0].detection_fields[3].value: "1749497478"
metadata.threat[0].detection_fields[4].key: "Attribute comment"
metadata.threat[0].detection_fields[5].key: "Attribute deleted"
metadata.threat[0].detection_fields[5].value: "false"
metadata.threat[0].detection_fields[6].key: "published"
metadata.threat[0].detection_fields[6].value: "true"
metadata.threat[0].detection_fields[7].key: "tag colour"
metadata.threat[0].detection_fields[7].value: "#33FF00"
metadata.threat[0].detection_fields[8].key: "tag exportable"
metadata.threat[0].detection_fields[8].value: "true"
metadata.threat[0].detection_fields[9].key: "tag hide_tag"
metadata.threat[0].detection_fields[9].value: "false"
metadata.threat[0].detection_fields[10].key: "tag id"
metadata.threat[0].detection_fields[10].value: "10"
metadata.threat[0].detection_fields[11].key: "tag is_custom_galaxy"
metadata.threat[0].detection_fields[11].value: "false"
metadata.threat[0].detection_fields[12].key: "tag is_galaxy"
metadata.threat[0].detection_fields[12].value: "false"
metadata.threat[0].detection_fields[13].key: "tag local_only"
metadata.threat[0].detection_fields[13].value: "false"
metadata.threat[0].detection_fields[14].key: "tag name"
metadata.threat[0].detection_fields[14].value: "tlp:green"
metadata.threat[0].detection_fields[15].key: "tag user_id"
metadata.threat[0].detection_fields[15].value: "0"
metadata.threat[0].detection_fields[16].key: "tag colour"
metadata.threat[0].detection_fields[16].value: "#185dda"
metadata.threat[0].detection_fields[17].key: "tag exportable"
metadata.threat[0].detection_fields[17].value: "true"
metadata.threat[0].detection_fields[18].key: "tag hide_tag"
metadata.threat[0].detection_fields[18].value: "false"
metadata.threat[0].detection_fields[19].key: "tag id"
metadata.threat[0].detection_fields[19].value: "2082"
metadata.threat[0].detection_fields[20].key: "tag is_custom_galaxy"
metadata.threat[0].detection_fields[20].value: "false"
metadata.threat[0].detection_fields[21].key: "tag is_galaxy"
metadata.threat[0].detection_fields[21].value: "false"
metadata.threat[0].detection_fields[22].key: "tag local_only"
metadata.threat[0].detection_fields[22].value: "false"
metadata.threat[0].detection_fields[23].key: "tag name"
metadata.threat[0].detection_fields[23].value: "audience-industry:Retail Banking"
metadata.threat[0].detection_fields[24].key: "tag user_id"
metadata.threat[0].detection_fields[24].value: "0"
metadata.threat[0].detection_fields[25].key: "tag colour"
metadata.threat[0].detection_fields[25].value: "#8d99c8"
metadata.threat[0].detection_fields[26].key: "tag exportable"
metadata.threat[0].detection_fields[26].value: "true"
metadata.threat[0].detection_fields[27].key: "tag hide_tag"
metadata.threat[0].detection_fields[27].value: "false"
metadata.threat[0].detection_fields[28].key: "tag id"
metadata.threat[0].detection_fields[28].value: "2088"
metadata.threat[0].detection_fields[29].key: "tag is_custom_galaxy"
metadata.threat[0].detection_fields[29].value: "false"
metadata.threat[0].detection_fields[30].key: "tag is_galaxy"
metadata.threat[0].detection_fields[30].value: "false"
metadata.threat[0].detection_fields[31].key: "tag local_only"
metadata.threat[0].detection_fields[31].value: "false"
metadata.threat[0].detection_fields[32].key: "tag name"
metadata.threat[0].detection_fields[32].value: "attack-pattern:malspam"
metadata.threat[0].detection_fields[33].key: "tag user_id"
metadata.threat[0].detection_fields[33].value: "0"
metadata.threat[0].detection_fields[34].key: "tag colour"
metadata.threat[0].detection_fields[34].value: "#94db0f"
metadata.threat[0].detection_fields[35].key: "tag exportable"
metadata.threat[0].detection_fields[35].value: "true"
metadata.threat[0].detection_fields[36].key: "tag hide_tag"
metadata.threat[0].detection_fields[36].value: "false"
metadata.threat[0].detection_fields[37].key: "tag id"
metadata.threat[0].detection_fields[37].value: "2142"
metadata.threat[0].detection_fields[38].key: "tag is_custom_galaxy"
metadata.threat[0].detection_fields[38].value: "false"
metadata.threat[0].detection_fields[39].key: "tag is_galaxy"
metadata.threat[0].detection_fields[39].value"false"
metadata.threat[0].detection_fields[40].key"tag local_only"
metadata.threat[0].detection_fields[40].value"false"
metadata.threat[0].detection_fields[41].key"tag name"
metadata.threat[0].detection_fields[41].value"malware:SocGholish"
metadata.threat[0].detection_fields[42].key"tag user_id"
metadata.threat[0].detection_fields[42].value"0"
metadata.threat[0].detection_fields[43].key"tag colour"
metadata.threat[0].detection_fields[43].value"#d0832e"
metadata.threat[0].detection_fields[44].key"tag exportable"
metadata.threat[0].detection_fields[44].value"true"
metadata.threat[0].detection_fields[45].key"tag hide_tag"
metadata.threat[0].detection_fields[45].value"false"
metadata.threat[0].detection_fields[46].key"tag id"
metadata.threat[0].detection_fields[46].value"2083"
metadata.threat[0].detection_fields[47].key"tag is_custom_galaxy"
metadata.threat[0].detection_fields[47].value"false"
metadata.threat[0].detection_fields[48].key"tag is_galaxy"
metadata.threat[0].detection_fields[48].value"false"
metadata.threat[0].detection_fields[49].key"tag local_only"
metadata.threat[0].detection_fields[49].value"false"
metadata.threat[0].detection_fields[50].key"tag name"
metadata.threat[0].detection_fields[50].value"audience-region:Americas"
metadata.threat[0].detection_fields[51].key"tag user_id"
metadata.threat[0].detection_fields[51].value"0"
metadata.threat[0].detection_fields[52].key"tag colour"
metadata.threat[0].detection_fields[52].value"#5d7d17"
metadata.threat[0].detection_fields[53].key"tag exportable"
metadata.threat[0].detection_fields[53].value"true"
metadata.threat[0].detection_fields[54].key"tag hide_tag"
metadata.threat[0].detection_fields[54].value"false"
metadata.threat[0].detection_fields[55].key"tag id"
metadata.threat[0].detection_fields[55].value"2179"
metadata.threat[0].detection_fields[56].key"tag is_custom_galaxy"
metadata.threat[0].detection_fields[56].value"false"
metadata.threat[0].detection_fields[57].key"tag is_galaxy"
metadata.threat[0].detection_fields[57].value"false"
metadata.threat[0].detection_fields[58].key"tag local_only"
metadata.threat[0].detection_fields[58].value"false"
metadata.threat[0].detection_fields[59].key"tag name"
metadata.threat[0].detection_fields[59].value"attack-pattern:Ransomware"
metadata.threat[0].detection_fields[60].key"tag user_id"
metadata.threat[0].detection_fields[60].value"0"
entity.url"https://rkojg.cn/hcybvm"
entity.labels[0].key"threat_level_id"
entity.labels[0].value"4"
I will add to @JeremyLand's suggestion:
You could add these two lines to the existing MISP parser (and maintain them in case of parser updates):
mutate { gsub => [ "message"," \"Event\": \\{\\n ",""]}
mutate { gsub => [ "message","\\n \\}\\n\\}","}"]}
as in:
This should give you the required mapping @JeremyLand mentioned, and should allow the entity creation.
Thanks,
Hafez
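The two gsub lines in the reply above remove the {"Event": {...}} envelope textually, so they depend on the payload being laid out with exactly the newline and single-space indentation the patterns name. The following is an added example written for this thread (not code from the reply, from Google's MISP parser or from MISP): a Python port of the two substitutions next to a parser-based unwrap, run on a constructed, trimmed event serialised once with json.dumps(indent=1), which is the layout the patterns match, and once compactly, where the substitutions leave the envelope in place. Field values are taken from one of the samples posted in this thread; everything else is an assumption for illustration.

```python
"""Unwrap the {"Event": {...}} envelope of a MISP event payload.

Added example for this thread, not code from Google's MISP parser or from
MISP. unwrap_with_gsub() is a literal port of the two mutate/gsub lines in
the reply above; unwrap_with_parser() does the same job structurally.
"""
import json
import re

# Constructed sample: a trimmed MISP event in the shape of the samples
# posted in this thread (only three Event fields kept).
EVENT = {"Event": {"id": "58557", "date": "2025-06-18", "published": True}}

# One-space-indented layout: the whitespace the gsub patterns expect.
PRETTY_PAYLOAD = json.dumps(EVENT, indent=1)
# Same event serialised compactly, as a sender is free to do.
COMPACT_PAYLOAD = json.dumps(EVENT)


def unwrap_with_gsub(message: str) -> str:
    """Port of the two gsub lines: drop ' "Event": {' + newline + space,
    then collapse newline + ' }' + newline + '}' into a single '}'.
    Both patterns match literal whitespace, so they only fire when the
    payload is laid out exactly that way."""
    message = re.sub(r' "Event": \{\n ', "", message)
    message = re.sub(r"\n \}\n\}", "}", message)
    return message


def unwrap_with_parser(message: str) -> dict:
    """Structural unwrap: parse, then drop the envelope when "Event" is the
    only top-level key. Whitespace-independent, and a no-op for a payload
    that already is a bare event."""
    doc = json.loads(message)
    if isinstance(doc, dict) and list(doc) == ["Event"]:
        return doc["Event"]
    return doc


def top_level_keys_after_gsub(message: str) -> list:
    """The top-level keys the parser would see after the gsub step."""
    return sorted(json.loads(unwrap_with_gsub(message)))


if __name__ == "__main__":
    print(top_level_keys_after_gsub(PRETTY_PAYLOAD))    # ['date', 'id', 'published']
    print(top_level_keys_after_gsub(COMPACT_PAYLOAD))   # ['Event']  (gsub did nothing)
    print(sorted(unwrap_with_parser(COMPACT_PAYLOAD)))  # ['date', 'id', 'published']
```

If the sender's formatting ever changes (a different indent, or compact JSON), the textual version silently stops unwrapping and the Event.* fields stop mapping, which is why it is worth checking the top-level keys of the stored raw log when entities do not appear.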
Thank you @AbdElHafez. I have tried this and entities are still not showing when running a search:
Custom Parser results:
Could you share a few more samples with different event types/categories?
Also, could you share more details on how the logs are being sent? Did you follow https://cloud.google.com/chronicle/docs/ingestion/default-parsers/misp#install_the_bindplane_agent_o... ?
Thanks,
Hafez
Hi @AbdElHafez, these are not the initial instructions you had on this page. Have you gotten rid of the webhook method because of this ticket? It should remain a valid method for ingesting MISP data, no?
Google caching even shows the webhook method before updates to the page were made:
I have followed the instructions that were on this web page before you updated them:
Go to SIEM Settings > Feeds.
Click Add new.
In the Feed name field, enter a name for the feed (for example, MISP Logs).
Select Webhook as the Source type.
Select MISP Threat Intelligence as the Log type.
Click Next.
Optional: Specify values for the following input parameters:
Split delimiter: the delimiter that is used to separate log lines, such as \n.
Asset namespace: the asset namespace.
Ingestion labels: the label applied to the events from this feed.
Click Next.
Review the feed configuration in the Finalize screen, and then click Submit.
Click Generate Secret Key to generate a secret key to authenticate this feed.
Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
Click Done.
Here's a couple more:
{ "Event": { "id": "58557", "org_id": "1", "date": "2025-06-18", "info": "Member Submission: Phishing, Credential pharming activity (Alert ID: 96584937)", "uuid": "65113e36-2c71-4043-b4ac-5b8fd6318a08", "published": true, "analysis": "0", "attribute_count": "3", "orgc_id": "31", "timestamp": "1750264239", "distribution": "0", "sharing_group_id": "0", "proposal_email_lock": false, "locked": true, "threat_level_id": "4", "publish_timestamp": "1750291245", "sighting_timestamp": "0", "disable_correlation": false, "extends_uuid": "", "protected": null, "Attribute": [ { "id": "1327878", "event_id": "58557", "object_id": "0", "object_relation": null, "category": "Network activity", "type": "ip-dst", "to_ids": false, "uuid": "85aaafef-5120-4380-83a5-c025aabc8817", "timestamp": "1750264235", "distribution": "5", "sharing_group_id": "0", "comment": "", "deleted": false, "disable_correlation": false, "first_seen": null, "last_seen": null, "value": "143.55.232.13", "Sighting": [], "_allTags": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2094", "name": "audience-industry:Securities & Investments", "colour": "#111cf7", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2077", "name": "attack-pattern:Phishing", "colour": "#2976dc", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2079", "name": "audience-region:Europe", "colour": "#6197ca", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2084", "name": "attack-pattern:Credential pharming", "colour": "#25961b", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true } ] } ], "Tag": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2094", "name": "audience-industry:Securities & Investments", "colour": "#111cf7", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2077", "name": "attack-pattern:Phishing", "colour": "#2976dc", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2079", "name": "audience-region:Europe", "colour": "#6197ca", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2084", "name": "attack-pattern:Credential pharming", "colour": "#25961b", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false } ], "_AttributeFlattened": [ { "id": "1327878", "event_id": "58557", "object_id": "0", "object_relation": null, "category": "Network activity", "type": "ip-dst", "to_ids": false, "uuid": "85aaafef-5120-4380-83a5-c025aabc8817", "timestamp": "1750264235", "distribution": "5", "sharing_group_id": "0", "comment": "", "deleted": false, "disable_correlation": false, "first_seen": null, "last_seen": null, "value": "143.55.232.13", "Sighting": [], "_allTags": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2094", "name": "audience-industry:Securities & Investments", "colour": "#111cf7", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2077", "name": "attack-pattern:Phishing", "colour": "#2976dc", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2079", "name": "audience-region:Europe", "colour": "#6197ca", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2084", "name": "attack-pattern:Credential pharming", "colour": "#25961b", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true } ] } ] } }
{ "Event": { "id": "58535", "org_id": "1", "date": "2025-06-17", "info": "Member Submission: Payroll Diversion activity (Alert ID: f7e893ae)", "uuid": "4b4cbfe8-3211-4d19-906f-a85153db70d5", "published": true, "analysis": "0", "attribute_count": "1", "orgc_id": "31", "timestamp": "1750183271", "distribution": "0", "sharing_group_id": "0", "proposal_email_lock": false, "locked": true, "threat_level_id": "4", "publish_timestamp": "1750204819", "sighting_timestamp": "0", "disable_correlation": false, "extends_uuid": "", "protected": null, "Attribute": [ { "id": "1327657", "event_id": "58535", "object_id": "0", "object_relation": null, "category": "Payload delivery", "type": "email-src", "to_ids": true, "uuid": "90e8ff00-f057-4c13-b7d2-a528e2bf96b4", "timestamp": "1750183272", "distribution": "5", "sharing_group_id": "0", "comment": "", "deleted": false, "disable_correlation": false, "first_seen": null, "last_seen": null, "value": "mystubresource@gmail.com", "Sighting": [], "_allTags": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2124", "name": "attack-pattern:Payroll Diversion", "colour": "#887eff", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2083", "name": "audience-region:Americas", "colour": "#d0832e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2097", "name": "audience-industry:Payments", "colour": "#3eb067", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true } ] } ], "Tag": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2124", "name": "attack-pattern:Payroll Diversion", "colour": "#887eff", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2083", "name": "audience-region:Americas", "colour": "#d0832e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2097", "name": "audience-industry:Payments", "colour": "#3eb067", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false } ], "_AttributeFlattened": [ { "id": "1327657", "event_id": "58535", "object_id": "0", "object_relation": null, "category": "Payload delivery", "type": "email-src", "to_ids": true, "uuid": "90e8ff00-f057-4c13-b7d2-a528e2bf96b4", "timestamp": "1750183272", "distribution": "5", "sharing_group_id": "0", "comment": "", "deleted": false, "disable_correlation": false, "first_seen": null, "last_seen": null, "value": "mystubresource@gmail.com", "Sighting": [], "_allTags": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2124", "name": "attack-pattern:Payroll Diversion", "colour": "#887eff", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2083", "name": "audience-region:Americas", "colour": "#d0832e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2097", "name": "audience-industry:Payments", "colour": "#3eb067", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true } ] } ] } }
{ "Event": { "id": "58243", "org_id": "1", "date": "2021-01-05", "info": "Partner Submission: Ransomware, malspam activity potentially associated with MUMMY SPIDER, Dridex, Emotet, TrickBot, Qakbot. Reported on 05 January 2021. (Alert ID: 4fe45ac9)", "uuid": "861e0297-893f-4c4b-83a8-c1c63216b071", "published": true, "analysis": "0", "attribute_count": "130", "orgc_id": "31", "timestamp": "1627412846", "distribution": "0", "sharing_group_id": "0", "proposal_email_lock": false, "locked": true, "threat_level_id": "4", "publish_timestamp": "1747893242", "sighting_timestamp": "0", "disable_correlation": false, "extends_uuid": "", "protected": null, "Attribute": [ { "id": "1323097", "event_id": "58243", "object_id": "0", "object_relation": null, "category": "Network activity", "type": "ip-dst", "to_ids": true, "uuid": "d1f93f40-460e-47dc-9fac-3c7431239274", "timestamp": "1627412847", "distribution": "5", "sharing_group_id": "0", "comment": "", "deleted": false, "disable_correlation": false, "first_seen": null, "last_seen": null, "value": "177.85.167.10", "Sighting": [], "_allTags": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "1574", "name": "malware:emotet", "colour": "#ad00ff", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2505", "name": "malware:Dridex", "colour": "#691672", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2088", "name": "attack-pattern:malspam", "colour": "#8d99c8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2268", "name": "malware:Qakbot", "colour": "#0d53a3", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2388", "name": "threat-actor:MUMMY SPIDER", "colour": "#1cb6e7", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2343", "name": "malware:TrickBot", "colour": "#96e38c", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2179", "name": "attack-pattern:Ransomware", "colour": "#5d7d17", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true } ] } ], "Tag": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "1574", "name": "malware:emotet", "colour": "#ad00ff", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2505", "name": "malware:Dridex", "colour": "#691672", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2088", "name": "attack-pattern:malspam", "colour": "#8d99c8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2268", "name": "malware:Qakbot", "colour": "#0d53a3", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2388", "name": "threat-actor:MUMMY SPIDER", "colour": "#1cb6e7", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2343", "name": "malware:TrickBot", "colour": "#96e38c", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2179", "name": "attack-pattern:Ransomware", "colour": "#5d7d17", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false } ], "_AttributeFlattened": [ { "id": "1323097", "event_id": "58243", "object_id": "0", "object_relation": null, "category": "Network activity", "type": "ip-dst", "to_ids": true, "uuid": "d1f93f40-460e-47dc-9fac-3c7431239274", "timestamp": "1627412847", "distribution": "5", "sharing_group_id": "0", "comment": "", "deleted": false, "disable_correlation": false, "first_seen": null, "last_seen": null, "value": "177.85.167.10", "Sighting": [], "_allTags": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "1574", "name": "malware:emotet", "colour": "#ad00ff", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2505", "name": "malware:Dridex", "colour": "#691672", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2088", "name": "attack-pattern:malspam", "colour": "#8d99c8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2268", "name": "malware:Qakbot", "colour": "#0d53a3", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2388", "name": "threat-actor:MUMMY SPIDER", "colour": "#1cb6e7", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2343", "name": "malware:TrickBot", "colour": "#96e38c", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2179", "name": "attack-pattern:Ransomware", "colour": "#5d7d17", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true } ] } ] } }
{ "Event": { "id": "58297", "org_id": "1", "date": "2025-05-28", "info": "Member Submission: Phishing, malspam, Credential pharming activity potentially associated with Astaroth, Remcos, Agent Tesla, Netsupport RAT, ZPHP (Alert ID: c9e9d8f9)", "uuid": "cdd13659-ab51-4b33-bd60-0dde0443f71f", "published": true, "analysis": "0", "attribute_count": "16", "orgc_id": "31", "timestamp": "1748464239", "distribution": "0", "sharing_group_id": "0", "proposal_email_lock": false, "locked": true, "threat_level_id": "4", "publish_timestamp": "1748476827", "sighting_timestamp": "0", "disable_correlation": false, "extends_uuid": "", "protected": null, "Attribute": [ { "id": "1324223", "event_id": "58297", "object_id": "0", "object_relation": null, "category": "Payload delivery", "type": "sha256", "to_ids": true, "uuid": "14e999a2-2622-427d-9698-a5120da6dc74", "timestamp": "1748464239", "distribution": "5", "sharing_group_id": "0", "comment": "", "deleted": false, "disable_correlation": false, "first_seen": null, "last_seen": null, "value": "3c54060447cd33a5aa4ce88e0dceec813b5c1917653c414aa101b7e4df321f28", "Sighting": [], "_allTags": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2128", "name": "tactic:Defense Evasion", "colour": "#518465", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2082", "name": "audience-industry:Retail Banking", "colour": "#185dda", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2088", "name": "attack-pattern:malspam", "colour": "#8d99c8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2163", "name": "malware:ZPHP", "colour": "#63867e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2077", "name": "attack-pattern:Phishing", "colour": "#2976dc", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2118", "name": "malware:Netsupport RAT", "colour": "#7b6da8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2089", "name": "malware:Astaroth", "colour": "#34101f", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2129", "name": "tactic:Credential Access", "colour": "#f2b63f", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2130", "name": "malware:Agent Tesla", "colour": "#dfc4e0", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2083", "name": "audience-region:Americas", "colour": "#d0832e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2132", "name": "tactic:Collection", "colour": "#b33ab0", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2140", "name": "malware:Remcos", "colour": "#9e7dc6", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2134", "name": "tactic:Discovery", "colour": "#c01e03", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2084", "name": "attack-pattern:Credential pharming", "colour": "#25961b", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true } ] } ], "Tag": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2128", "name": "tactic:Defense Evasion", "colour": "#518465", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2082", "name": "audience-industry:Retail Banking", "colour": "#185dda", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2088", "name": "attack-pattern:malspam", "colour": "#8d99c8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2163", "name": "malware:ZPHP", "colour": "#63867e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2077", "name": "attack-pattern:Phishing", "colour": "#2976dc", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2118", "name": "malware:Netsupport RAT", "colour": "#7b6da8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2089", "name": "malware:Astaroth", "colour": "#34101f", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2129", "name": "tactic:Credential Access", "colour": "#f2b63f", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2130", "name": "malware:Agent Tesla", "colour": "#dfc4e0", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2083", "name": "audience-region:Americas", "colour": "#d0832e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2132", "name": "tactic:Collection", "colour": "#b33ab0", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2140", "name": "malware:Remcos", "colour": "#9e7dc6", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2134", "name": "tactic:Discovery", "colour": "#c01e03", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2084", "name": "attack-pattern:Credential pharming", "colour": "#25961b", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false } ], "_AttributeFlattened": [ { "id": "1324223", "event_id": "58297", "object_id": "0", "object_relation": null, "category": "Payload delivery", "type": "sha256", "to_ids": true, "uuid": "14e999a2-2622-427d-9698-a5120da6dc74", "timestamp": "1748464239", "distribution": "5", "sharing_group_id": "0", "comment": "", "deleted": false, "disable_correlation": false, "first_seen": null, "last_seen": null, "value": "3c54060447cd33a5aa4ce88e0dceec813b5c1917653c414aa101b7e4df321f28", "Sighting": [], "_allTags": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2128", "name": "tactic:Defense Evasion", "colour": "#518465", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2082", "name": "audience-industry:Retail Banking", "colour": "#185dda", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2088", "name": "attack-pattern:malspam", "colour": "#8d99c8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2163", "name": "malware:ZPHP", "colour": "#63867e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2077", "name": "attack-pattern:Phishing", "colour": "#2976dc", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2118", "name": "malware:Netsupport RAT", "colour": "#7b6da8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2089", "name": "malware:Astaroth", "colour": "#34101f", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2129", "name": "tactic:Credential Access", "colour": "#f2b63f", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2130", "name": "malware:Agent Tesla", "colour": "#dfc4e0", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2083", "name": "audience-region:Americas", "colour": "#d0832e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2132", "name": "tactic:Collection", "colour": "#b33ab0", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2140", "name": "malware:Remcos", "colour": "#9e7dc6", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2134", "name": "tactic:Discovery", "colour": "#c01e03", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2084", "name": "attack-pattern:Credential pharming", "colour": "#25961b", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true } ] } ] } }
I do not have control over the documentation. I can only see it was updated yesterday.
We are using the webhook method and I have shared the logs; can you check what might be the issue, please?
Please try these 2 lines instead; I updated the regex to match the samples you shared:
mutate { gsub => [ "message"," \"Event\": \\{\\n ",""]}
mutate { gsub => [ "message","\\}\\n\\}\\n?","}"]}
as in:
- The problem is in the logs sent, not the parser or the webhook, as @JeremyLand mentioned. If there is a log template you are using in MISP for formatting the logs, please share it and we could take a look.
So, this is done the standard way via webhook after an attribute-after-save trigger, following the instructions you provided. Content type is application/json, HTTP request method is POST. No fields in the header/payload have been changed, as per the instructions you initially had.
Where in MISP can I find the templates you are referring to? We import from third-party providers and have not changed any of the default settings.
I think you could refer to this document https://www.misp-project.org/misp-training/3.3-misp-object-template.pdf
Did you try the modifications I sent earlier?
I would also suggest opening a ticket with support to check if they have one or if there is an alternative way of removing the parent field "Event" from the existing log template.
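An added example (mine, not code from the thread, MISP or the Chronicle parser) that contrasts the whitespace-sensitive gsub approach with a structural unwrap of the "Event" wrapper, on a constructed payload shaped like the ones posted in this thread. The two regexes are my reading of the gsub patterns above, and every id and value in the sample is made up.

```python
"""Normalise a MISP webhook payload before downstream parsing.

Added example, not code from the thread, MISP or the Chronicle parser.
Two approaches are compared on a constructed sample:
  1. whitespace-sensitive regex stripping of the "Event" wrapper
     (my reading of the two mutate/gsub patterns), and
  2. parsing the JSON and unwrapping/flattening it structurally.
"""
import json
import re
from datetime import datetime, timezone

# Python equivalents (as I read them) of the two gsub lines:
#   ' "Event": \{\n '  ->  ''        and        '\}\n\}\n?'  ->  '}'
STRIP_EVENT_OPEN = re.compile(r' "Event": \{\n ')
STRIP_EVENT_CLOSE = re.compile(r'\}\n\}\n?')

# Constructed sample with the same shape as the posted payloads
# (Event -> Attribute[] -> _allTags[]); ids and values are invented.
SAMPLE_EVENT = {
    "Event": {
        "id": "90001",
        "date": "2025-06-12",
        "info": "constructed sample event",
        "publish_timestamp": "1749772836",
        "Attribute": [
            {"id": "1", "category": "Network activity", "type": "url",
             "to_ids": True, "value": "https://example.invalid/path",
             "_allTags": [{"name": "tlp:green"},
                          {"name": "attack-pattern:Phishing"}]},
            {"id": "2", "category": "Payload delivery", "type": "sha256",
             "to_ids": True, "value": "0" * 64,
             "_allTags": [{"name": "tlp:green"}]},
            {"id": "3", "category": "Network activity", "type": "ip-dst",
             "to_ids": False, "value": "192.0.2.10", "_allTags": []},
        ],
    }
}
COMPACT = json.dumps(SAMPLE_EVENT)            # single-line layout
PRETTY = json.dumps(SAMPLE_EVENT, indent=1)   # newline-separated layout


def regex_unwrap(raw: str) -> bool:
    """Apply the two gsub-style substitutions and report whether the
    result is still valid JSON with the "Event" wrapper removed."""
    out = STRIP_EVENT_CLOSE.sub("}", STRIP_EVENT_OPEN.sub("", raw))
    try:
        obj = json.loads(out)
    except json.JSONDecodeError:
        return False
    return "Event" not in obj


def unwrap_event(raw: str) -> dict:
    """Parse the payload and drop the parent "Event" key, independent of
    whitespace or layout; payloads without the wrapper pass through."""
    obj = json.loads(raw)
    return obj.get("Event", obj)


def flatten_attributes(event: dict) -> list[dict]:
    """One record per attribute, carrying the event-level date so a rule
    can age the IoC by the provider's event date, not ingestion time."""
    records = []
    for attr in event.get("Attribute", []):
        records.append({
            "event_id": event.get("id"),
            "event_date": event.get("date"),
            "category": attr.get("category"),
            "type": attr.get("type"),
            "value": attr.get("value"),
            "to_ids": bool(attr.get("to_ids")),
            "tags": sorted(t["name"] for t in attr.get("_allTags", [])),
        })
    return records


def ioc_age_days(event_date: str, observed_epoch: int) -> float:
    """Days between Event.date (YYYY-MM-DD, taken as 00:00:00 UTC) and
    the epoch second at which a log event was observed."""
    published = datetime.strptime(event_date, "%Y-%m-%d")
    published = published.replace(tzinfo=timezone.utc)
    return (observed_epoch - int(published.timestamp())) / 86400


if __name__ == "__main__":
    print("regex on pretty JSON :", regex_unwrap(PRETTY))
    print("regex on compact JSON:", regex_unwrap(COMPACT))
    for rec in flatten_attributes(unwrap_event(COMPACT)):
        print(rec["type"], rec["value"], rec["event_date"], rec["tags"])
```

The regex route only works when the payload is laid out exactly as the pattern expects; parsing the JSON and unwrapping the key is layout-independent and also gives each attribute its event date for the age calculation.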
Hi @AbdElHafez thanks for your response. We did try your response above but have had no luck.
Thanks, we've taken some time to look within the various objects. We are ingesting all kinds of IOCs from our list, not just the ones in the screenshot, for future use, although for now we can limit it to:
There are over 359 default objects within MISP. I do not think this is what you are looking for here, but here is a snippet of two objects that should be relevant.
Domain-IP:
{
"attributes": {
"domain": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Domain name",
"misp-attribute": "domain",
"multiple": true,
"ui-priority": 1
},
"first-seen": {
"description": "First time the tuple has been seen",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
"hostname": {
"description": "Hostname related to the IP",
"misp-attribute": "hostname",
"ui-priority": 1
},
"ip": {
"categories": [
"Network activity",
"External analysis"
],
"description": "IP Address",
"misp-attribute": "ip-dst",
"multiple": true,
"ui-priority": 1
},
"last-seen": {
"description": "Last time the tuple has been seen",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
"port": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Associated TCP port with the domain",
"misp-attribute": "port",
"multiple": true,
"ui-priority": 1
},
"registration-date": {
"description": "Registration date of domain",
"disable_correlation": false,
"misp-attribute": "datetime",
"ui-priority": 0
},
"text": {
"description": "A description of the tuple",
"disable_correlation": true,
"misp-attribute": "text",
"recommended": false,
"ui-priority": 1
}
},
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"requiredOneOf": [
"ip",
"domain",
"hostname"
],
"uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"version": 11
}
URL:
{
"attributes": {
"credential": {
"description": "Credential (username, password)",
"misp-attribute": "text",
"ui-priority": 0
},
"dom-hash": {
"description": "Dom-hash of the URL",
"misp-attribute": "dom-hash",
"ui-priority": 0
},
"domain": {
"description": "Full domain",
"misp-attribute": "domain",
"ui-priority": 0
},
"domain_without_tld": {
"description": "Domain without Top-Level Domain",
"misp-attribute": "text",
"ui-priority": 0
},
"first-seen": {
"description": "First time this URL has been seen",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
"fragment": {
"description": "Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"host": {
"description": "Full hostname",
"misp-attribute": "hostname",
"ui-priority": 0
},
"ip": {
"description": "Better type when the host is an IP.",
"misp-attribute": "ip-dst",
"multiple": true,
"ui-priority": 0
},
"last-seen": {
"description": "Last time this URL has been seen",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
"port": {
"description": "Port number",
"disable_correlation": true,
"misp-attribute": "port",
"ui-priority": 0
},
"query_string": {
"description": "Query (after path, preceded by '?')",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"resource_path": {
"description": "Path (between hostname:port and query)",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"scheme": {
"description": "Scheme",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"http",
"https",
"ftp",
"gopher",
"sip"
],
"ui-priority": 0
},
"subdomain": {
"description": "Subdomain",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"text": {
"description": "Description of the URL ",
"misp-attribute": "text",
"ui-priority": 0
},
"tld": {
"description": "Top-Level Domain",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"url": {
"description": "Full URL",
"misp-attribute": "url",
"ui-priority": 1
}
},
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"requiredOneOf": [
"url",
"resource_path"
],
"uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"version": 10
}
Got it.
In that case I think a ticket is the best option.
Also, since even my last iteration failed, could you share some specific samples that failed the validation?
I initially thought you were ingesting only samples like the one you shared earlier, so I might need to add some more conditions to only do the replacement when the ingested IOC is related to phishing.
I'm ingesting IOCs from events in MISP where the events themselves are grouped under the same ID, although the types of IOCs are split up into singular events within SecOps. They all failed validation as the parameters dropped.
"audience-region:Americas", "colour": "#d0832e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2097", "name": "audience-industry:Payments", "colour": "#3eb067", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false } ], "_AttributeFlattened": [ { "id": "1326789", "event_id": "58436", "object_id": "0", "object_relation": null, "category": "Payload delivery", "type": "sha256", "to_ids": true, "uuid": "4db3818a-245a-4dad-bf87-a065591a203c", "timestamp": "1749657768", "distribution": "5", "sharing_group_id": "0", "comment": "", "deleted": false, "disable_correlation": false, "first_seen": null, "last_seen": null, "value": "267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3", "Sighting": [], "_allTags": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2083", "name": "audience-region:Americas", "colour": "#d0832e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2097", "name": "audience-industry:Payments", "colour": "#3eb067", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true } ] } ] } }
Ok, I modified the parser regex to match the new samples. Just FYI, you would need to be accurate in providing the end tail of the JSON logs, as a different spaces/newlines pattern can mess with the few lines I added. Again, the main fix will be to remove the "Event" level from the JSON objects.
# strip the opening '"Event": {' wrapper (including the newline and leading space that follow it)
mutate { gsub => [ "message"," \"Event\": \\{\\n ",""]}
# collapse the two closing braces at the end of the message into one
mutate { gsub => [ "message","\\n*\\s*\\}\\n*\\}\\s*\\n*$","}"]}
As in
For the other IOCs you shared (Domain-IP and URL), their JSON structure is entirely different; with or without my modifications the default parser won't capture them. If you cannot control or unify the formats, then you would need to pass 2 different streams or have a different parser written from scratch; both will require a case.
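To see what the two gsub substitutions above actually do, and why the reply warns that the whitespace at the tail of the JSON matters, here is an added Python illustration (not Chronicle parser code and not from the original post). It re-expresses the two patterns as Python regexes, runs them over a constructed MISP-style sample in two layouts, and contrasts that with a layout-independent unwrap that parses the JSON first; all sample values are placeholders.

```python
import json
import re

# Constructed sample in the pretty-printed layout the gsub lines were written for
# (placeholder values, not a real MISP event).
SAMPLE_PRETTY = (
    '{ "Event": {\n "id": "1", "date": "2025-06-11", '
    '"_AttributeFlattened": [ { "category": "Network activity", '
    '"value": "203.0.113.7" } ] }\n}'
)

# Same event, but compact (no newline after the "Event" key, no spaces before
# the closing braces), as a webhook sender might emit it.
SAMPLE_COMPACT = (
    '{"Event": {"id": "1", "date": "2025-06-11", '
    '"_AttributeFlattened": [{"category": "Network activity", '
    '"value": "203.0.113.7"}]}}'
)

# The two gsub patterns from the reply, with the Logstash-style double
# escaping (\\{ , \\n , \\s) reduced to plain regex syntax.
STRIP_HEAD = re.compile(r' "Event": \{\n ')
STRIP_TAIL = re.compile(r'\n*\s*\}\n*\}\s*\n*$')


def unwrap_with_regex(message: str) -> str:
    """Apply the two substitutions the same way the parser's gsub filters do."""
    message = STRIP_HEAD.sub('', message)
    return STRIP_TAIL.sub('}', message)


def regex_unwrap_parses(message: str) -> bool:
    """True if the regex-unwrapped text is still valid JSON, False otherwise.

    On the compact layout the head pattern never matches (no space/newline),
    while the tail pattern still removes a closing brace, leaving the braces
    unbalanced; that is the fragility the reply warns about.
    """
    try:
        json.loads(unwrap_with_regex(message))
        return True
    except json.JSONDecodeError:
        return False


def unwrap_by_parsing(message: str) -> dict:
    """Layout-independent alternative: parse first, then drop the wrapper key."""
    doc = json.loads(message)
    return doc.get("Event", doc)
```

If you can normalise the payload before it reaches the webhook, the parse-then-unwrap approach avoids depending on the exact whitespace of the sender.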
Unfortunately this has not solved it, and no entities are appearing when searching for this; this will likely mean we will need further assistance via a Google ticket. We haven't changed anything outside of MISP's default settings, so it's very surprising it hasn't been parsed by your default parser here.
Sorry, but is Entity Graph an Enterprise + only feature?