
Hi All,

I am having issues with MISP rules in SecOps. We have integrated via the documentation here using a Webhook: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/misp

The parser itself, whilst it does extract some fields, is still raw and doesn't correlate timeframes. We aren't interested in the time the IoC was ingested from MISP but rather the time it was published by the third party threat provider, in a field known as:

extracted.fields["Event.date"]

Using this field we can concatenate '00:00:00' to it to convert it into UTC:

strings.concat($g.extracted.fields["Event.date"], " 00:00:00")

The issue is that it is supposed to look for all fields of this value within the past 6 months and then correlate these to new events of other log sources with field 'IP'. The date of ingestion for MISP events really isn't important here. You can see the code snippet for this below:

// rule header assumed; the post omitted it and only the closing brace was included
rule misp_ioc_age_correlation {
  events:
    $ip = $e.principal.ip
    $userid = $e.target.user.userid

    // MISP IOC data (joined via IP)
    $e.principal.ip = $g.extracted.fields["Event._AttributeFlattened[0].value"]

    $g.metadata.log_type = "MISP_IOC"
    $g.extracted.fields["Event.Attribute[0].category"] = "Network activity"
    $ioc_event_date = ($g.extracted.fields["Event.date"])
    $ioc_event_timestamp = strings.concat($g.extracted.fields["Event.date"], " 00:00:00")
  match:
    $userid over 1m

  outcome:
    // Parse timestamp
    $event_time = max($e.metadata.event_timestamp.seconds)

    // Parse MISP date
    $misp_time = max(timestamp.as_unix_seconds($ioc_event_timestamp, "GMT"))


    // Calculate delta in days
    $ioc_delta = ($event_time - $misp_time) / 86400

    // Risk scoring
    $risk_score = max(35)
        + if($ioc_delta <= 1, 45, 0)
        + if($ioc_delta <= 7 and $ioc_delta > 1, 30, 0)
        + if($ioc_delta <= 30.44 and $ioc_delta > 7, 10, 0)
        + if($ioc_delta <= 60 and $ioc_delta > 30.44, 0, 0)
        - if($ioc_delta > 60, 10, 0)

  condition:
    $e and $g and $ioc_delta < 180

}

If someone has had any experience with authoring rules from webhook methodology that could help resolve this issue that would be greatly appreciated. I am not interested in importing CSVs as this is a very static approach and we want to keep things as automated as possible. 

Thank you in advance. 

Surely someone has had a similar issue? 


There's a great blog post that walks through the process of writing rules like this, but it does assume you've already successfully ingested the MISP IOCs. This should be some help once you get going: https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Building-Rules-with-Your-Own-Threat-Intel/ba-p/733835

But before you can use that we need to ensure the MISP data is being ingested into the Entity Graph (instead of the Event data model) to allow proper matching and handling of the IOC validity period. The MISP parser should do this by default, but either you have the wrong fields in your rule or there might be an issue where the parser isn't expecting the format in which your data is being sent.

Thankfully we've recently enabled a new function that will allow you to search the entity graph from the search box, which will make this easier to investigate. Take a quick search for graph.metadata.vendor_name = "MISP" and see if you have any entity results. I don't have any MISP IOCs in my lab but I have some from GCTI and your results should be similar. Note the "Graph" in the UDM path, and the results window says "Entities" instead of events.

As long as you are creating entities you should be good to follow John's blog post and adapt it to your needs.

If you don't see the entities on that search, but do see your MISP data if you do a search on the event model for 'metadata.log_type = "MISP_IOC"', that would indicate the parser is failing to properly extract the data and is instead relying on automatic field extraction (which writes events instead of entities). In that case you'll need to investigate why your MISP data isn't being parsed properly.

 


Hi @JeremyLand thanks for your response. It is in Event Data Model from following the webhook instructions here. How would I be able to switch over to Entity Graph still using this webhook? We have already created a custom parser for IOC types such as sha256 and IP address although entity values are not showing sadly

Thank you! 


Sorry, but is Entity Graph an Enterprise + only feature? 




Could you share a log sample and the custom parser used?
The entity values will require the entity data model, not the event data model, so this could be the reason.




Snippet of UDM data from an example:

metadata:(6) base_labels:(2) event_timestamp:"2025-06-10T00:01:00.125877Z" event_type:"GENERIC_EVENT" id:b"AAAAAKG1mRITOREotGSXNYahKhkAAAAAFAAAABAAAAA=" ingested_timestamp:"2025-06-10T00:01:00.125877Z" log_type:"MISP_IOC" extracted:(221) fields["Event._AttributeFlattened[0]._allTags[0].colour"]:"#33FF00" fields["Event._AttributeFlattened[0]._allTags[0].exportable"]:"true" fields["Event._AttributeFlattened[0]._allTags[0].hide_tag"]:"false" fields["Event._AttributeFlattened[0]._allTags[0].id"]:"10" fields["Event._AttributeFlattened[0]._allTags[0].inherited"]:"true" fields["Event._AttributeFlattened[0]._allTags[0].is_custom_galaxy"]:"false" fields["Event._AttributeFlattened[0]._allTags[0].is_galaxy"]:"false" fields["Event._AttributeFlattened[0]._allTags[0].local_only"]:"false" fields["Event._AttributeFlattened[0]._allTags[0].name"]:"tlp:green" fields["Event._AttributeFlattened[0]._allTags[0].user_id"]:"0" fields["Event._AttributeFlattened[0]._allTags[1].colour"]:"#185dda" fields["Event._AttributeFlattened[0]._allTags[1].exportable"]:"true" fields["Event._AttributeFlattened[0]._allTags[1].hide_tag"]:"false" fields["Event._AttributeFlattened[0]._allTags[1].id"]:"2082" fields["Event._AttributeFlattened[0]._allTags[1].inherited"]:"true" fields["Event._AttributeFlattened[0]._allTags[1].is_custom_galaxy"]:"false" fields["Event._AttributeFlattened[0]._allTags[1].is_galaxy"]:"false" fields["Event._AttributeFlattened[0]._allTags[1].local_only"]:"false" fields["Event._AttributeFlattened[0]._allTags[1].name"]:"audience-industry:Retail Banking" fields["Event._AttributeFlattened[0]._allTags[1].user_id"]:"0" fields["Event._AttributeFlattened[0]._allTags[2].colour"]:"#8d99c8" fields["Event._AttributeFlattened[0]._allTags[2].exportable"]:"true" fields["Event._AttributeFlattened[0]._allTags[2].hide_tag"]:"false" fields["Event._AttributeFlattened[0]._allTags[2].id"]:"2088" fields["Event._AttributeFlattened[0]._allTags[2].inherited"]:"true" 
fields["Event._AttributeFlattened[0]._allTags[2].is_custom_galaxy"]:"false" fields["Event._AttributeFlattened[0]._allTags[2].is_galaxy"]:"false" fields["Event._AttributeFlattened[0]._allTags[2].local_only"]:"false" fields["Event._AttributeFlattened[0]._allTags[2].name"]:"attack-pattern:malspam" fields["Event._AttributeFlattened[0]._allTags[2].user_id"]:"0" fields["Event._AttributeFlattened[0]._allTags[3].colour"]:"#94db0f" fields["Event._AttributeFlattened[0]._allTags[3].exportable"]:"true" fields["Event._AttributeFlattened[0]._allTags[3].hide_tag"]:"false" fields["Event._AttributeFlattened[0]._allTags[3].id"]:"2142" fields["Event._AttributeFlattened[0]._allTags[3].inherited"]:"true" fields["Event._AttributeFlattened[0]._allTags[3].is_custom_galaxy"]:"false" fields["Event._AttributeFlattened[0]._allTags[3].is_galaxy"]:"false" fields["Event._AttributeFlattened[0]._allTags[3].local_only"]:"false" fields["Event._AttributeFlattened[0]._allTags[3].name"]:"malware:SocGholish" fields["Event._AttributeFlattened[0]._allTags[3].user_id"]:"0" fields["Event._AttributeFlattened[0]._allTags[4].colour"]:"#d0832e" fields["Event._AttributeFlattened[0]._allTags[4].exportable"]:"true" fields["Event._AttributeFlattened[0]._allTags[4].hide_tag"]:"false" fields["Event._AttributeFlattened[0]._allTags[4].id"]:"2083" fields["Event._AttributeFlattened[0]._allTags[4].inherited"]:"true" fields["Event._AttributeFlattened[0]._allTags[4].is_custom_galaxy"]:"false" fields["Event._AttributeFlattened[0]._allTags[4].is_galaxy"]:"false" fields["Event._AttributeFlattened[0]._allTags[4].local_only"]:"false" fields["Event._AttributeFlattened[0]._allTags[4].name"]:"audience-region:Americas" fields["Event._AttributeFlattened[0]._allTags[4].user_id"]:"0" fields["Event._AttributeFlattened[0]._allTags[5].colour"]:"#5d7d17" fields["Event._AttributeFlattened[0]._allTags[5].exportable"]:"true" fields["Event._AttributeFlattened[0]._allTags[5].hide_tag"]:"false" 
fields["Event._AttributeFlattened[0]._allTags[5].id"]:"2179" fields["Event._AttributeFlattened[0]._allTags[5].inherited"]:"true" fields["Event._AttributeFlattened[0]._allTags[5].is_custom_galaxy"]:"false" fields["Event._AttributeFlattened[0]._allTags[5].is_galaxy"]:"false" fields["Event._AttributeFlattened[0]._allTags[5].local_only"]:"false" fields["Event._AttributeFlattened[0]._allTags[5].name"]:"attack-pattern:Ransomware" fields["Event._AttributeFlattened[0]._allTags[5].user_id"]:"0" fields["Event._AttributeFlattened[0].category"]:"Network activity" fields["Event._AttributeFlattened[0].comment"]:"" fields["Event._AttributeFlattened[0].deleted"]:"false" fields["Event._AttributeFlattened[0].disable_correlation"]:"false" fields["Event._AttributeFlattened[0].distribution"]:"5" fields["Event._AttributeFlattened[0].event_id"]:"58409" fields["Event._AttributeFlattened[0].id"]:"1326451" fields["Event._AttributeFlattened[0].object_id"]:"0" fields["Event._AttributeFlattened[0].sharing_group_id"]:"0" fields["Event._AttributeFlattened[0].timestamp"]:"1749497478" fields["Event._AttributeFlattened[0].to_ids"]:"true" fields["Event._AttributeFlattened[0].type"]:"url" fields["Event._AttributeFlattened[0].uuid"]:"ced2b6f1-d240-43d9-990f-08700d740860" fields["Event._AttributeFlattened[0].value"]:"https://rkojg.cn/hcybvm" fields["Event.analysis"]:"0" fields["Event.attribute_count"]:"32" fields["Event.Attribute[0]._allTags[0].colour"]:"#33FF00" fields["Event.Attribute[0]._allTags[0].exportable"]:"true" fields["Event.Attribute[0]._allTags[0].hide_tag"]:"false" fields["Event.Attribute[0]._allTags[0].id"]:"10" fields["Event.Attribute[0]._allTags[0].inherited"]:"true" fields["Event.Attribute[0]._allTags[0].is_custom_galaxy"]:"false" fields["Event.Attribute[0]._allTags[0].is_galaxy"]:"false" fields["Event.Attribute[0]._allTags[0].local_only"]:"false" fields["Event.Attribute[0]._allTags[0].name"]:"tlp:green" fields["Event.Attribute[0]._allTags[0].user_id"]:"0" 
fields["Event.Attribute[0]._allTags[1].colour"]:"#185dda" fields["Event.Attribute[0]._allTags[1].exportable"]:"true" fields["Event.Attribute[0]._allTags[1].hide_tag"]:"false" fields["Event.Attribute[0]._allTags[1].id"]:"2082" fields["Event.Attribute[0]._allTags[1].inherited"]:"true" fields["Event.Attribute[0]._allTags[1].is_custom_galaxy"]:"false" fields["Event.Attribute[0]._allTags[1].is_galaxy"]:"false" fields["Event.Attribute[0]._allTags[1].local_only"]:"false" fields["Event.Attribute[0]._allTags[1].name"]:"audience-industry:Retail Banking" fields["Event.Attribute[0]._allTags[1].user_id"]:"0" fields["Event.Attribute[0]._allTags[2].colour"]:"#8d99c8" fields["Event.Attribute[0]._allTags[2].exportable"]:"true" fields["Event.Attribute[0]._allTags[2].hide_tag"]:"false" fields["Event.Attribute[0]._allTags[2].id"]:"2088" fields["Event.Attribute[0]._allTags[2].inherited"]:"true" fields["Event.Attribute[0]._allTags[2].is_custom_galaxy"]:"false" fields["Event.Attribute[0]._allTags[2].is_galaxy"]:"false" fields["Event.Attribute[0]._allTags[2].local_only"]:"false" fields["Event.Attribute[0]._allTags[2].name"]:"attack-pattern:malspam" fields["Event.Attribute[0]._allTags[2].user_id"]:"0" fields["Event.Attribute[0]._allTags[3].colour"]:"#94db0f" fields["Event.Attribute[0]._allTags[3].exportable"]:"true" fields["Event.Attribute[0]._allTags[3].hide_tag"]:"false" fields["Event.Attribute[0]._allTags[3].id"]:"2142" fields["Event.Attribute[0]._allTags[3].inherited"]:"true" fields["Event.Attribute[0]._allTags[3].is_custom_galaxy"]:"false" fields["Event.Attribute[0]._allTags[3].is_galaxy"]:"false" fields["Event.Attribute[0]._allTags[3].local_only"]:"false" fields["Event.Attribute[0]._allTags[3].name"]:"malware:SocGholish" fields["Event.Attribute[0]._allTags[3].user_id"]:"0" fields["Event.Attribute[0]._allTags[4].colour"]:"#d0832e" fields["Event.Attribute[0]._allTags[4].exportable"]:"true" fields["Event.Attribute[0]._allTags[4].hide_tag"]:"false" 
fields["Event.Attribute[0]._allTags[4].id"]:"2083" fields["Event.Attribute[0]._allTags[4].inherited"]:"true" fields["Event.Attribute[0]._allTags[4].is_custom_galaxy"]:"false" fields["Event.Attribute[0]._allTags[4].is_galaxy"]:"false" fields["Event.Attribute[0]._allTags[4].local_only"]:"false" fields["Event.Attribute[0]._allTags[4].name"]:"audience-region:Americas" fields["Event.Attribute[0]._allTags[4].user_id"]:"0" fields["Event.Attribute[0]._allTags[5].colour"]:"#5d7d17" fields["Event.Attribute[0]._allTags[5].exportable"]:"true" fields["Event.Attribute[0]._allTags[5].hide_tag"]:"false" fields["Event.Attribute[0]._allTags[5].id"]:"2179" fields["Event.Attribute[0]._allTags[5].inherited"]:"true" fields["Event.Attribute[0]._allTags[5].is_custom_galaxy"]:"false" fields["Event.Attribute[0]._allTags[5].is_galaxy"]:"false" fields["Event.Attribute[0]._allTags[5].local_only"]:"false" fields["Event.Attribute[0]._allTags[5].name"]:"attack-pattern:Ransomware" fields["Event.Attribute[0]._allTags[5].user_id"]:"0" fields["Event.Attribute[0].category"]:"Network activity" fields["Event.Attribute[0].comment"]:"" fields["Event.Attribute[0].deleted"]:"false" fields["Event.Attribute[0].disable_correlation"]:"false" fields["Event.Attribute[0].distribution"]:"5" fields["Event.Attribute[0].event_id"]:"58409" fields["Event.Attribute[0].id"]:"1326451" fields["Event.Attribute[0].object_id"]:"0" fields["Event.Attribute[0].sharing_group_id"]:"0" fields["Event.Attribute[0].timestamp"]:"1749497478" fields["Event.Attribute[0].to_ids"]:"true" fields["Event.Attribute[0].type"]:"url" fields["Event.Attribute[0].uuid"]:"ced2b6f1-d240-43d9-990f-08700d740860" fields["Event.Attribute[0].value"]:"https://rkojg.cn/hcybvm" fields["Event.date"]:"2025-06-09" fields["Event.disable_correlation"]:"false" fields["Event.distribution"]:"0" fields["Event.extends_uuid"]:"" fields["Event.id"]:"58409" fields["Event.info"]:"Member Submission: Ransomware, malspam activity potentially associated with SocGholish (Alert 
ID: ed9f6629)" fields["Event.locked"]:"true" fields["Event.org_id"]:"1" fields["Event.orgc_id"]:"31" fields["Event.proposal_email_lock"]:"false" fields["Event.publish_timestamp"]:"1749513622" fields["Event.published"]:"true" fields["Event.sharing_group_id"]:"0" fields["Event.sighting_timestamp"]:"0" fields["Event.Tag[0].colour"]:"#33FF00" fields["Event.Tag[0].exportable"]:"true" fields["Event.Tag[0].hide_tag"]:"false" fields["Event.Tag[0].id"]:"10" fields["Event.Tag[0].is_custom_galaxy"]:"false" fields["Event.Tag[0].is_galaxy"]:"false" fields["Event.Tag[0].local_only"]:"false" fields["Event.Tag[0].name"]:"tlp:green" fields["Event.Tag[0].user_id"]:"0" fields["Event.Tag[1].colour"]:"#185dda" fields["Event.Tag[1].exportable"]:"true" fields["Event.Tag[1].hide_tag"]:"false" fields["Event.Tag[1].id"]:"2082" fields["Event.Tag[1].is_custom_galaxy"]:"false" fields["Event.Tag[1].is_galaxy"]:"false" fields["Event.Tag[1].local_only"]:"false" fields["Event.Tag[1].name"]:"audience-industry:Retail Banking" fields["Event.Tag[1].user_id"]:"0" fields["Event.Tag[2].colour"]:"#8d99c8" fields["Event.Tag[2].exportable"]:"true" fields["Event.Tag[2].hide_tag"]:"false" fields["Event.Tag[2].id"]:"2088" fields["Event.Tag[2].is_custom_galaxy"]:"false" fields["Event.Tag[2].is_galaxy"]:"false" fields["Event.Tag[2].local_only"]:"false" fields["Event.Tag[2].name"]:"attack-pattern:malspam" fields["Event.Tag[2].user_id"]:"0" fields["Event.Tag[3].colour"]:"#94db0f" fields["Event.Tag[3].exportable"]:"true" fields["Event.Tag[3].hide_tag"]:"false" fields["Event.Tag[3].id"]:"2142" fields["Event.Tag[3].is_custom_galaxy"]:"false" fields["Event.Tag[3].is_galaxy"]:"false" fields["Event.Tag[3].local_only"]:"false" fields["Event.Tag[3].name"]:"malware:SocGholish" fields["Event.Tag[3].user_id"]:"0" fields["Event.Tag[4].colour"]:"#d0832e" fields["Event.Tag[4].exportable"]:"true" fields["Event.Tag[4].hide_tag"]:"false" fields["Event.Tag[4].id"]:"2083" fields["Event.Tag[4].is_custom_galaxy"]:"false" 
fields["Event.Tag[4].is_galaxy"]:"false" fields["Event.Tag[4].local_only"]:"false" fields["Event.Tag[4].name"]:"audience-region:Americas" fields["Event.Tag[4].user_id"]:"0" fields["Event.Tag[5].colour"]:"#5d7d17" fields["Event.Tag[5].exportable"]:"true" fields["Event.Tag[5].hide_tag"]:"false" fields["Event.Tag[5].id"]:"2179" fields["Event.Tag[5].is_custom_galaxy"]:"false" fields["Event.Tag[5].is_galaxy"]:"false" fields["Event.Tag[5].local_only"]:"false" fields["Event.Tag[5].name"]:"attack-pattern:Ransomware" fields["Event.Tag[5].user_id"]:"0" fields["Event.threat_level_id"]:"4" fields["Event.timestamp"]:"1749497477" fields["Event.uuid"]:"2ac6da95-8758-48ab-9db5-7544f59ffcd1"



Snippet of raw log:

{ "Event": { "id": "58409", "org_id": "1", "date": "2025-06-09", "info": "Member Submission: Ransomware, malspam activity potentially associated with SocGholish (Alert ID: ed9f6629)", "uuid": "2ac6da95-8758-48ab-9db5-7544f59ffcd1", "published": true, "analysis": "0", "attribute_count": "32", "orgc_id": "31", "timestamp": "1749497477", "distribution": "0", "sharing_group_id": "0", "proposal_email_lock": false, "locked": true, "threat_level_id": "4", "publish_timestamp": "1749513622", "sighting_timestamp": "0", "disable_correlation": false, "extends_uuid": "", "protected": null, "Attribute": [ { "id": "1326451", "event_id": "58409", "object_id": "0", "object_relation": null, "category": "Network activity", "type": "url", "to_ids": true, "uuid": "ced2b6f1-d240-43d9-990f-08700d740860", "timestamp": "1749497478", "distribution": "5", "sharing_group_id": "0", "comment": "", "deleted": false, "disable_correlation": false, "first_seen": null, "last_seen": null, "value": "https://rkojg.cn/hcybvm", "Sighting": [], "_allTags": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2082", "name": "audience-industry:Retail Banking", "colour": "#185dda", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2088", "name": "attack-pattern:malspam", "colour": "#8d99c8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2142", "name": "malware:SocGholish", "colour": "#94db0f", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": 
"2083", "name": "audience-region:Americas", "colour": "#d0832e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2179", "name": "attack-pattern:Ransomware", "colour": "#5d7d17", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true } ] } ], "Tag": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2082", "name": "audience-industry:Retail Banking", "colour": "#185dda", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2088", "name": "attack-pattern:malspam", "colour": "#8d99c8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2142", "name": "malware:SocGholish", "colour": "#94db0f", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2083", "name": "audience-region:Americas", "colour": "#d0832e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2179", "name": "attack-pattern:Ransomware", "colour": "#5d7d17", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false } ], "_AttributeFlattened": [ { "id": "1326451", "event_id": "58409", "object_id": "0", "object_relation": null, "category": "Network activity", "type": "url", "to_ids": true, "uuid": 
"ced2b6f1-d240-43d9-990f-08700d740860", "timestamp": "1749497478", "distribution": "5", "sharing_group_id": "0", "comment": "", "deleted": false, "disable_correlation": false, "first_seen": null, "last_seen": null, "value": "https://rkojg.cn/hcybvm", "Sighting": [], "_allTags": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2082", "name": "audience-industry:Retail Banking", "colour": "#185dda", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2088", "name": "attack-pattern:malspam", "colour": "#8d99c8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2142", "name": "malware:SocGholish", "colour": "#94db0f", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2083", "name": "audience-region:Americas", "colour": "#d0832e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2179", "name": "attack-pattern:Ransomware", "colour": "#5d7d17", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true } ] } ] } }



 

We have 8 extension options which I have screenshotted. We are basically ensuring the log knows when each value is related to SHA256/IP/Domain etc. via the precondition paths. 
 
One issue we had was that there are no values for 'MISP' so we can't just map graph.metadata.vendor_name value from the raw log. 

 


Hi all, still awaiting a solution for this issue.

CC: @AbdElHafez @JeremyLand

 




Looks like your webhook is sending an additional outer "Event" layer in the JSON that the parser isn't expecting. I don't have a test MISP instance handy to check on, but double-check the trigger event's output to see if you can get it to send just the contents of Event without sending the entire object, or add a processing step that can strip {"Event": from the beginning and } from the end of your body.

If your MISP setup doesn't allow you to make those changes you can either use the custom parser option to modify the MISP_IOC parser to handle the format of your JSON, or submit a support case for the parser dev team to add handling for that additional event layer. If you submit a support case be sure to include sample logs and a description of the desired behavior (a link to this thread would be helpful).

 

Example of the MISP_IOC JSON structure that does parse correctly:

{ "id": "58409", "org_id": "1", "date": "2025-06-09", "info": "Member Submission: Ransomware, malspam activity potentially associated with SocGholish (Alert ID: ed9f6629)", "uuid": "2ac6da95-8758-48ab-9db5-7544f59ffcd1", "published": true, "analysis": "0", "attribute_count": "32", "orgc_id": "31", "timestamp": "1749497477", "distribution": "0", "sharing_group_id": "0", "proposal_email_lock": false, "locked": true, "threat_level_id": "4", "publish_timestamp": "1749513622", "sighting_timestamp": "0", "disable_correlation": false, "extends_uuid": "", "protected": null, "Attribute": [ { "id": "1326451", "event_id": "58409", "object_id": "0", "object_relation": null, "category": "Network activity", "type": "url", "to_ids": true, "uuid": "ced2b6f1-d240-43d9-990f-08700d740860", "timestamp": "1749497478", "distribution": "5", "sharing_group_id": "0", "comment": "", "deleted": false, "disable_correlation": false, "first_seen": null, "last_seen": null, "value": "https://rkojg.cn/hcybvm", "Sighting": [], "_allTags": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2082", "name": "audience-industry:Retail Banking", "colour": "#185dda", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2088", "name": "attack-pattern:malspam", "colour": "#8d99c8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2142", "name": "malware:SocGholish", "colour": "#94db0f", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2083", "name": 
"audience-region:Americas", "colour": "#d0832e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2179", "name": "attack-pattern:Ransomware", "colour": "#5d7d17", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true } ] } ], "Tag": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2082", "name": "audience-industry:Retail Banking", "colour": "#185dda", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2088", "name": "attack-pattern:malspam", "colour": "#8d99c8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2142", "name": "malware:SocGholish", "colour": "#94db0f", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2083", "name": "audience-region:Americas", "colour": "#d0832e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false }, { "id": "2179", "name": "attack-pattern:Ransomware", "colour": "#5d7d17", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false } ], "_AttributeFlattened": [ { "id": "1326451", "event_id": "58409", "object_id": "0", "object_relation": null, "category": "Network activity", "type": "url", "to_ids": true, "uuid": 
"ced2b6f1-d240-43d9-990f-08700d740860", "timestamp": "1749497478", "distribution": "5", "sharing_group_id": "0", "comment": "", "deleted": false, "disable_correlation": false, "first_seen": null, "last_seen": null, "value": "https://rkojg.cn/hcybvm", "Sighting": [], "_allTags": [ { "id": "10", "name": "tlp:green", "colour": "#33FF00", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2082", "name": "audience-industry:Retail Banking", "colour": "#185dda", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2088", "name": "attack-pattern:malspam", "colour": "#8d99c8", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2142", "name": "malware:SocGholish", "colour": "#94db0f", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2083", "name": "audience-region:Americas", "colour": "#d0832e", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true }, { "id": "2179", "name": "attack-pattern:Ransomware", "colour": "#5d7d17", "exportable": true, "user_id": "0", "hide_tag": false, "numerical_value": null, "is_galaxy": false, "is_custom_galaxy": false, "local_only": false, "inherited": true } ] } ] }

Which will produce this UDM output, which is written to the entity data model and will allow for proper IOC matching:


Hi all, still awaiting a solution for this issue.

CC: @AbdElHafez @JeremyLand

I will add to @JeremyLand's suggestion:

You could add these 2 lines to the existing MISP parser (and maintain them in case of parser updates):

# Strip the outer '"Event": {' wrapper so the parser works on the event object itself
mutate { gsub => [ "message", " \"Event\": \\{\\n ", "" ] }
# Collapse the matching closing braces of the wrapper into a single '}'
mutate { gsub => [ "message", "\\n \\}\\n\\}", "}" ] }

as in:

This should give you the required mapping @JeremyLand mentioned, and should allow the entity creation.

Thanks,

Hafez
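As an added check (not code from this thread or from the MISP parser), the Python below applies the two gsub patterns above to constructed webhook bodies built from the Event samples posted in this thread, and shows that the result depends on the exact whitespace of the pretty-printed JSON; the structural unwrap beside it does not. It assumes the parser strings read as the regexes ` "Event": \{\n ` and `\n \}\n\}`.

```python
import json
import re
from typing import Optional

# The two gsub patterns from the suggestion above, read as Logstash-style
# regexes: the first removes ' "Event": {' plus the newline and one space of
# indentation, the second collapses the closing '\n }\n}' into a single '}'.
# Assumption: the double-quoted parser string "\\{\\n" yields the regex \{\n.
GSUB_OPEN = re.compile(r' "Event": \{\n ')
GSUB_CLOSE = re.compile(r'\n \}\n\}')

# Constructed sample, trimmed from the Event samples posted in this thread.
SAMPLE_EVENT = {
    "id": "58557",
    "date": "2025-06-18",
    "info": "Member Submission: Phishing, Credential pharming activity (Alert ID: 96584937)",
    "published": True,
    "threat_level_id": "4",
    "_AttributeFlattened": [
        {"category": "Network activity", "type": "ip-dst", "value": "143.55.232.13"}
    ],
}


def wrapped_message(indent: Optional[int]) -> str:
    """Build a webhook body shaped like MISP's {"Event": {...}} at a given indentation."""
    return json.dumps({"Event": SAMPLE_EVENT}, indent=indent)


def gsub_unwrap(message: str) -> Optional[dict]:
    """Apply both substitutions in order, as the parser would, and return the
    resulting event only if it is valid JSON with the wrapper gone."""
    rewritten = GSUB_OPEN.sub("", message, count=1)
    rewritten = GSUB_CLOSE.sub("}", rewritten, count=1)
    try:
        parsed = json.loads(rewritten)
    except json.JSONDecodeError:
        return None  # closing pattern did not match, leaving a stray '}'
    if not isinstance(parsed, dict) or "Event" in parsed:
        return None  # wrapper survived: the opening pattern did not match
    return parsed


def json_unwrap(message: str) -> dict:
    """Structural alternative that does not depend on whitespace: parse the
    body and lift the Event object when present."""
    body = json.loads(message)
    if isinstance(body, dict) and isinstance(body.get("Event"), dict):
        return body["Event"]
    return body


def ioc_from_event(event: dict) -> str:
    """The value a correlation rule keys on: the first flattened attribute."""
    return event["_AttributeFlattened"][0]["value"]


if __name__ == "__main__":
    # indent=1 matches both gsubs; indent=2 matches only the opening one
    # (yielding malformed JSON); compact JSON matches neither.
    for indent in (1, 2, None):
        msg = wrapped_message(indent)
        via_gsub = gsub_unwrap(msg)
        print(f"indent={indent!r}: gsub ->",
              ioc_from_event(via_gsub) if via_gsub else "FAILED",
              "| json ->", ioc_from_event(json_unwrap(msg)))
```

Run it against bodies captured from your own webhook to see which form the feed actually delivers before relying on the whitespace-bound substitutions.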


Thank you @AbdElHafez. I have tried this and entities are still not showing when running a search: 


Custom Parser results: 


Could you share a few more samples with different event types/categories?
Also, could you share more details on how the logs are being sent? Did you follow https://cloud.google.com/chronicle/docs/ingestion/default-parsers/misp#install_the_bindplane_agent_on_misp_server ?

Thanks,

Hafez



Hi @AbdElHafez, these are not the initial instructions you had on this page. Have you gotten rid of the webhook method because of this ticket? It should remain a valid method for ingesting MISP data, no?

Google's cache even shows the webhook method before the updates to the page were made:

I have followed the instructions that were on this web page before you updated them: 

Configure a feed in Google SecOps to ingest the MISP Threat Intelligence logs

  1. Go to SIEM Settings > Feeds.

  2. Click Add new.

  3. In the Feed name field, enter a name for the feed (for example, MISP Logs).

  4. Select Webhook as the Source type.

  5. Select MISP Threat Intelligence as the Log type.

  6. Click Next.

  7. Optional: Specify values for the following input parameters:

    • Split delimiter: the delimiter that is used to separate log lines, such as \n.

    • Asset namespace: the asset namespace.

    • Ingestion labels: the label applied to the events from this feed.

  8. Click Next.

  9. Review the feed configuration in the Finalize screen, and then click Submit.

  10. Click Generate Secret Key to generate a secret key to authenticate this feed.

  11. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.

  12. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.

  13. Click Done.



Here's a couple more:

{
  "Event": {
    "id": "58557",
    "org_id": "1",
    "date": "2025-06-18",
    "info": "Member Submission: Phishing, Credential pharming activity (Alert ID: 96584937)",
    "uuid": "65113e36-2c71-4043-b4ac-5b8fd6318a08",
    "published": true,
    "analysis": "0",
    "attribute_count": "3",
    "orgc_id": "31",
    "timestamp": "1750264239",
    "distribution": "0",
    "sharing_group_id": "0",
    "proposal_email_lock": false,
    "locked": true,
    "threat_level_id": "4",
    "publish_timestamp": "1750291245",
    "sighting_timestamp": "0",
    "disable_correlation": false,
    "extends_uuid": "",
    "protected": null,
    "Attribute": [
      {
        "id": "1327878",
        "event_id": "58557",
        "object_id": "0",
        "object_relation": null,
        "category": "Network activity",
        "type": "ip-dst",
        "to_ids": false,
        "uuid": "85aaafef-5120-4380-83a5-c025aabc8817",
        "timestamp": "1750264235",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "143.55.232.13",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2094",
            "name": "audience-industry:Securities & Investments",
            "colour": "#111cf7",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2077",
            "name": "attack-pattern:Phishing",
            "colour": "#2976dc",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2079",
            "name": "audience-region:Europe",
            "colour": "#6197ca",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2084",
            "name": "attack-pattern:Credential pharming",
            "colour": "#25961b",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ],
    "Tag": [
      {
        "id": "10",
        "name": "tlp:green",
        "colour": "#33FF00",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2094",
        "name": "audience-industry:Securities & Investments",
        "colour": "#111cf7",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2077",
        "name": "attack-pattern:Phishing",
        "colour": "#2976dc",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2079",
        "name": "audience-region:Europe",
        "colour": "#6197ca",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2084",
        "name": "attack-pattern:Credential pharming",
        "colour": "#25961b",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      }
    ],
    "_AttributeFlattened": [
      {
        "id": "1327878",
        "event_id": "58557",
        "object_id": "0",
        "object_relation": null,
        "category": "Network activity",
        "type": "ip-dst",
        "to_ids": false,
        "uuid": "85aaafef-5120-4380-83a5-c025aabc8817",
        "timestamp": "1750264235",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "143.55.232.13",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2094",
            "name": "audience-industry:Securities & Investments",
            "colour": "#111cf7",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2077",
            "name": "attack-pattern:Phishing",
            "colour": "#2976dc",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2079",
            "name": "audience-region:Europe",
            "colour": "#6197ca",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2084",
            "name": "attack-pattern:Credential pharming",
            "colour": "#25961b",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ]
  }
}

{
  "Event": {
    "id": "58535",
    "org_id": "1",
    "date": "2025-06-17",
    "info": "Member Submission: Payroll Diversion activity (Alert ID: f7e893ae)",
    "uuid": "4b4cbfe8-3211-4d19-906f-a85153db70d5",
    "published": true,
    "analysis": "0",
    "attribute_count": "1",
    "orgc_id": "31",
    "timestamp": "1750183271",
    "distribution": "0",
    "sharing_group_id": "0",
    "proposal_email_lock": false,
    "locked": true,
    "threat_level_id": "4",
    "publish_timestamp": "1750204819",
    "sighting_timestamp": "0",
    "disable_correlation": false,
    "extends_uuid": "",
    "protected": null,
    "Attribute": [
      {
        "id": "1327657",
        "event_id": "58535",
        "object_id": "0",
        "object_relation": null,
        "category": "Payload delivery",
        "type": "email-src",
        "to_ids": true,
        "uuid": "90e8ff00-f057-4c13-b7d2-a528e2bf96b4",
        "timestamp": "1750183272",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "mystubresource@gmail.com",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2124",
            "name": "attack-pattern:Payroll Diversion",
            "colour": "#887eff",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2097",
            "name": "audience-industry:Payments",
            "colour": "#3eb067",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ],
    "Tag": [
      {
        "id": "10",
        "name": "tlp:green",
        "colour": "#33FF00",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2124",
        "name": "attack-pattern:Payroll Diversion",
        "colour": "#887eff",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2083",
        "name": "audience-region:Americas",
        "colour": "#d0832e",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2097",
        "name": "audience-industry:Payments",
        "colour": "#3eb067",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      }
    ],
    "_AttributeFlattened": [
      {
        "id": "1327657",
        "event_id": "58535",
        "object_id": "0",
        "object_relation": null,
        "category": "Payload delivery",
        "type": "email-src",
        "to_ids": true,
        "uuid": "90e8ff00-f057-4c13-b7d2-a528e2bf96b4",
        "timestamp": "1750183272",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "mystubresource@gmail.com",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2124",
            "name": "attack-pattern:Payroll Diversion",
            "colour": "#887eff",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2097",
            "name": "audience-industry:Payments",
            "colour": "#3eb067",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ]
  }
}

{
  "Event": {
    "id": "58535",
    "org_id": "1",
    "date": "2025-06-17",
    "info": "Member Submission: Payroll Diversion activity (Alert ID: f7e893ae)",
    "uuid": "4b4cbfe8-3211-4d19-906f-a85153db70d5",
    "published": true,
    "analysis": "0",
    "attribute_count": "1",
    "orgc_id": "31",
    "timestamp": "1750183271",
    "distribution": "0",
    "sharing_group_id": "0",
    "proposal_email_lock": false,
    "locked": true,
    "threat_level_id": "4",
    "publish_timestamp": "1750204819",
    "sighting_timestamp": "0",
    "disable_correlation": false,
    "extends_uuid": "",
    "protected": null,
    "Attribute": [
      {
        "id": "1327657",
        "event_id": "58535",
        "object_id": "0",
        "object_relation": null,
        "category": "Payload delivery",
        "type": "email-src",
        "to_ids": true,
        "uuid": "90e8ff00-f057-4c13-b7d2-a528e2bf96b4",
        "timestamp": "1750183272",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "mystubresource@gmail.com",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2124",
            "name": "attack-pattern:Payroll Diversion",
            "colour": "#887eff",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2097",
            "name": "audience-industry:Payments",
            "colour": "#3eb067",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ],
    "Tag": [
      {
        "id": "10",
        "name": "tlp:green",
        "colour": "#33FF00",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2124",
        "name": "attack-pattern:Payroll Diversion",
        "colour": "#887eff",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2083",
        "name": "audience-region:Americas",
        "colour": "#d0832e",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2097",
        "name": "audience-industry:Payments",
        "colour": "#3eb067",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      }
    ],
    "_AttributeFlattened": [
      {
        "id": "1327657",
        "event_id": "58535",
        "object_id": "0",
        "object_relation": null,
        "category": "Payload delivery",
        "type": "email-src",
        "to_ids": true,
        "uuid": "90e8ff00-f057-4c13-b7d2-a528e2bf96b4",
        "timestamp": "1750183272",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "mystubresource@gmail.com",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2124",
            "name": "attack-pattern:Payroll Diversion",
            "colour": "#887eff",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2097",
            "name": "audience-industry:Payments",
            "colour": "#3eb067",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ]
  }
}

{
  "Event": {
    "id": "58243",
    "org_id": "1",
    "date": "2021-01-05",
    "info": "Partner Submission: Ransomware, malspam activity potentially associated with MUMMY SPIDER, Dridex, Emotet, TrickBot, Qakbot. Reported on 05 January 2021. (Alert ID: 4fe45ac9)",
    "uuid": "861e0297-893f-4c4b-83a8-c1c63216b071",
    "published": true,
    "analysis": "0",
    "attribute_count": "130",
    "orgc_id": "31",
    "timestamp": "1627412846",
    "distribution": "0",
    "sharing_group_id": "0",
    "proposal_email_lock": false,
    "locked": true,
    "threat_level_id": "4",
    "publish_timestamp": "1747893242",
    "sighting_timestamp": "0",
    "disable_correlation": false,
    "extends_uuid": "",
    "protected": null,
    "Attribute": [
      {
        "id": "1323097",
        "event_id": "58243",
        "object_id": "0",
        "object_relation": null,
        "category": "Network activity",
        "type": "ip-dst",
        "to_ids": true,
        "uuid": "d1f93f40-460e-47dc-9fac-3c7431239274",
        "timestamp": "1627412847",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "177.85.167.10",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "1574",
            "name": "malware:emotet",
            "colour": "#ad00ff",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2505",
            "name": "malware:Dridex",
            "colour": "#691672",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2088",
            "name": "attack-pattern:malspam",
            "colour": "#8d99c8",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2268",
            "name": "malware:Qakbot",
            "colour": "#0d53a3",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2388",
            "name": "threat-actor:MUMMY SPIDER",
            "colour": "#1cb6e7",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2343",
            "name": "malware:TrickBot",
            "colour": "#96e38c",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2179",
            "name": "attack-pattern:Ransomware",
            "colour": "#5d7d17",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ],
    "Tag": [
      {
        "id": "10",
        "name": "tlp:green",
        "colour": "#33FF00",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "1574",
        "name": "malware:emotet",
        "colour": "#ad00ff",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2505",
        "name": "malware:Dridex",
        "colour": "#691672",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2088",
        "name": "attack-pattern:malspam",
        "colour": "#8d99c8",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2268",
        "name": "malware:Qakbot",
        "colour": "#0d53a3",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2388",
        "name": "threat-actor:MUMMY SPIDER",
        "colour": "#1cb6e7",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2343",
        "name": "malware:TrickBot",
        "colour": "#96e38c",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2179",
        "name": "attack-pattern:Ransomware",
        "colour": "#5d7d17",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      }
    ],
    "_AttributeFlattened": [
      {
        "id": "1323097",
        "event_id": "58243",
        "object_id": "0",
        "object_relation": null,
        "category": "Network activity",
        "type": "ip-dst",
        "to_ids": true,
        "uuid": "d1f93f40-460e-47dc-9fac-3c7431239274",
        "timestamp": "1627412847",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "177.85.167.10",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "1574",
            "name": "malware:emotet",
            "colour": "#ad00ff",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2505",
            "name": "malware:Dridex",
            "colour": "#691672",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2088",
            "name": "attack-pattern:malspam",
            "colour": "#8d99c8",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2268",
            "name": "malware:Qakbot",
            "colour": "#0d53a3",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2388",
            "name": "threat-actor:MUMMY SPIDER",
            "colour": "#1cb6e7",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2343",
            "name": "malware:TrickBot",
            "colour": "#96e38c",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2179",
            "name": "attack-pattern:Ransomware",
            "colour": "#5d7d17",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ]
  }
}

{
  "Event": {
    "id": "58297",
    "org_id": "1",
    "date": "2025-05-28",
    "info": "Member Submission: Phishing, malspam, Credential pharming activity potentially associated with Astaroth, Remcos, Agent Tesla, Netsupport RAT, ZPHP (Alert ID: c9e9d8f9)",
    "uuid": "cdd13659-ab51-4b33-bd60-0dde0443f71f",
    "published": true,
    "analysis": "0",
    "attribute_count": "16",
    "orgc_id": "31",
    "timestamp": "1748464239",
    "distribution": "0",
    "sharing_group_id": "0",
    "proposal_email_lock": false,
    "locked": true,
    "threat_level_id": "4",
    "publish_timestamp": "1748476827",
    "sighting_timestamp": "0",
    "disable_correlation": false,
    "extends_uuid": "",
    "protected": null,
    "Attribute": [
      {
        "id": "1324223",
        "event_id": "58297",
        "object_id": "0",
        "object_relation": null,
        "category": "Payload delivery",
        "type": "sha256",
        "to_ids": true,
        "uuid": "14e999a2-2622-427d-9698-a5120da6dc74",
        "timestamp": "1748464239",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "3c54060447cd33a5aa4ce88e0dceec813b5c1917653c414aa101b7e4df321f28",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2128",
            "name": "tactic:Defense Evasion",
            "colour": "#518465",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2082",
            "name": "audience-industry:Retail Banking",
            "colour": "#185dda",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2088",
            "name": "attack-pattern:malspam",
            "colour": "#8d99c8",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2163",
            "name": "malware:ZPHP",
            "colour": "#63867e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2077",
            "name": "attack-pattern:Phishing",
            "colour": "#2976dc",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2118",
            "name": "malware:Netsupport RAT",
            "colour": "#7b6da8",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2089",
            "name": "malware:Astaroth",
            "colour": "#34101f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2129",
            "name": "tactic:Credential Access",
            "colour": "#f2b63f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2130",
            "name": "malware:Agent Tesla",
            "colour": "#dfc4e0",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2132",
            "name": "tactic:Collection",
            "colour": "#b33ab0",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2140",
            "name": "malware:Remcos",
            "colour": "#9e7dc6",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2134",
            "name": "tactic:Discovery",
            "colour": "#c01e03",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2084",
            "name": "attack-pattern:Credential pharming",
            "colour": "#25961b",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ],
    "Tag": [
      {
        "id": "10",
        "name": "tlp:green",
        "colour": "#33FF00",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2128",
        "name": "tactic:Defense Evasion",
        "colour": "#518465",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2082",
        "name": "audience-industry:Retail Banking",
        "colour": "#185dda",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2088",
        "name": "attack-pattern:malspam",
        "colour": "#8d99c8",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2163",
        "name": "malware:ZPHP",
        "colour": "#63867e",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2077",
        "name": "attack-pattern:Phishing",
        "colour": "#2976dc",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2118",
        "name": "malware:Netsupport RAT",
        "colour": "#7b6da8",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2089",
        "name": "malware:Astaroth",
        "colour": "#34101f",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2129",
        "name": "tactic:Credential Access",
        "colour": "#f2b63f",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2130",
        "name": "malware:Agent Tesla",
        "colour": "#dfc4e0",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2083",
        "name": "audience-region:Americas",
        "colour": "#d0832e",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2132",
        "name": "tactic:Collection",
        "colour": "#b33ab0",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2140",
        "name": "malware:Remcos",
        "colour": "#9e7dc6",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2134",
        "name": "tactic:Discovery",
        "colour": "#c01e03",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2084",
        "name": "attack-pattern:Credential pharming",
        "colour": "#25961b",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      }
    ],
    "_AttributeFlattened": [
      {
        "id": "1324223",
        "event_id": "58297",
        "object_id": "0",
        "object_relation": null,
        "category": "Payload delivery",
        "type": "sha256",
        "to_ids": true,
        "uuid": "14e999a2-2622-427d-9698-a5120da6dc74",
        "timestamp": "1748464239",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "3c54060447cd33a5aa4ce88e0dceec813b5c1917653c414aa101b7e4df321f28",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2128",
            "name": "tactic:Defense Evasion",
            "colour": "#518465",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2082",
            "name": "audience-industry:Retail Banking",
            "colour": "#185dda",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2088",
            "name": "attack-pattern:malspam",
            "colour": "#8d99c8",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2163",
            "name": "malware:ZPHP",
            "colour": "#63867e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2077",
            "name": "attack-pattern:Phishing",
            "colour": "#2976dc",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2118",
            "name": "malware:Netsupport RAT",
            "colour": "#7b6da8",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2089",
            "name": "malware:Astaroth",
            "colour": "#34101f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2129",
            "name": "tactic:Credential Access",
            "colour": "#f2b63f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2130",
            "name": "malware:Agent Tesla",
            "colour": "#dfc4e0",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2132",
            "name": "tactic:Collection",
            "colour": "#b33ab0",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2140",
            "name": "malware:Remcos",
            "colour": "#9e7dc6",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2134",
            "name": "tactic:Discovery",
            "colour": "#c01e03",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2084",
            "name": "attack-pattern:Credential pharming",
            "colour": "#25961b",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ]
  }
}

Hi @AbdElHafez, these are not the initial instructions you had on this page. Have you gotten rid of the webhook method because of this ticket? It should remain a valid method for ingesting MISP data, no?

Google caching even shows the webhook method before updates to the page were made:

I have followed the instructions that were on this web page before you updated them: 

Configure a feed in Google SecOps to ingest the MISP Threat Intelligence logs

  1. Go to SIEM Settings > Feeds.

  2. Click Add new.

  3. In the Feed name field, enter a name for the feed (for example, MISP Logs).

  4. Select Webhook as the Source type.

  5. Select MISP Threat Intelligence as the Log type.

  6. Click Next.

  7. Optional: Specify values for the following input parameters:

    • Split delimiter: the delimiter that is used to separate log lines, such as \n.

    • Asset namespace: the asset namespace.

    • Ingestion labels: the label applied to the events from this feed.

  8. Click Next.

  9. Review the feed configuration in the Finalize screen, and then click Submit.

  10. Click Generate Secret Key to generate a secret key to authenticate this feed.

  11. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.

  12. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.

  13. Click Done.


I do not have control over the documentation. I can only see it was updated yesterday.


We are using the webhook method, I have shared the logs - can you check what might be the issue please? 


Please try these 2 lines instead; I updated the regex to match the samples you shared:

mutate { gsub => [ "message"," \"Event\": \\{\\n ",""]}
mutate { gsub => [ "message","\\}\\n\\}\\n?","}"]}

as in:

- The problem is in the logs sent, not the parser or the webhook, as @JeremyLand mentioned. If there is a log template you are using in MISP for formatting the logs, please share it and we could take a look.
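Added example (not code from the thread, from Google, or from MISP): the same unwrapping that the two gsub lines above perform, done by parsing the webhook JSON instead of matching MISP's pretty-printing with regexes, followed by a filter for the attribute types listed later in the thread. It assumes the feed wants one unwrapped JSON object per line, which is what the gsub lines produce; the sample payload, the `KEEP_TYPES` set and the function names are constructed for illustration.

```python
"""Normalise a MISP webhook payload before forwarding it to a SecOps feed.

Added example, not code from the thread or from Google/MISP. The
attribute-after-save webhook posts the event wrapped in a parent "Event"
object; the gsub lines in the thread strip that wrapper with regexes. This
does the same by parsing the JSON, which does not depend on MISP's exact
pretty-printing, then keeps only the IoC types listed in the thread.
Assumes the feed wants one unwrapped JSON object per line (what the gsub
lines produce). The sample payload is constructed, not a real MISP event.
"""
import json

# MISP attribute types the thread wants to keep (lower-cased MISP names).
KEEP_TYPES = {"sha256", "domain", "url", "md5",
              "email-src", "hostname", "ip-src", "ip-dst"}


def unwrap_misp_event(raw: str) -> dict:
    """Return the event object whether or not the payload wraps it in "Event"."""
    data = json.loads(raw)
    if (isinstance(data, dict) and set(data) == {"Event"}
            and isinstance(data["Event"], dict)):
        return data["Event"]
    return data


def select_iocs(event: dict) -> list:
    """Return (type, value, event_date) for live, IDS-flagged attributes of KEEP_TYPES.

    MISP exports attributes under "Attribute"; the webhook sample in the thread
    also carries a "_AttributeFlattened" list. Both are read, de-duplicated by uuid.
    """
    seen = set()
    out = []
    for attr in event.get("Attribute", []) + event.get("_AttributeFlattened", []):
        key = attr.get("uuid") or attr.get("value")
        if key in seen:
            continue
        seen.add(key)
        if attr.get("deleted") or not attr.get("to_ids"):
            continue  # soft-deleted, or not flagged for detection use
        if str(attr.get("type", "")).lower() not in KEEP_TYPES:
            continue
        out.append((attr["type"], attr["value"], event.get("date")))
    return out


def to_feed_line(raw: str) -> str:
    """Unwrap the payload and serialise it as one line for a newline-split feed."""
    return json.dumps(unwrap_misp_event(raw), separators=(",", ":"))


# Constructed sample: minimal shape of what the attribute-after-save hook sends.
SAMPLE_WEBHOOK_BODY = json.dumps({
    "Event": {
        "id": "1",
        "date": "2025-05-28",
        "info": "constructed sample event",
        "Attribute": [
            {"uuid": "u1", "type": "sha256", "category": "Payload delivery",
             "to_ids": True, "deleted": False, "value": "a" * 64},
            {"uuid": "u2", "type": "ip-dst", "category": "Network activity",
             "to_ids": True, "deleted": False, "value": "192.0.2.10"},
            {"uuid": "u3", "type": "comment", "category": "Other",
             "to_ids": True, "deleted": False, "value": "analyst note"},
            {"uuid": "u4", "type": "domain", "category": "Network activity",
             "to_ids": False, "deleted": False, "value": "example.net"},
        ],
        "_AttributeFlattened": [
            {"uuid": "u2", "type": "ip-dst", "category": "Network activity",
             "to_ids": True, "deleted": False, "value": "192.0.2.10"},
        ],
    }
}, indent=2)

if __name__ == "__main__":
    event = unwrap_misp_event(SAMPLE_WEBHOOK_BODY)
    for ioc in select_iocs(event):
        print(ioc)
    print(to_feed_line(SAMPLE_WEBHOOK_BODY))
```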

 


So, this is done the standard way via webhook after an attribute-after-save trigger, following the instructions you provided. Content type is application/json, HTTP request method is POST. No fields in the header/payload were changed, as per the instructions you initially had.

Where in MISP can I find the templates you are referring to? We import from third-party providers and have not changed any of the default settings.


I think you could refer to this document: https://www.misp-project.org/misp-training/3.3-misp-object-template.pdf

Did you try the modifications I sent earlier?

I would also suggest opening a ticket with support to check if they have one or if there is an alternative way of removing the parent field "Event" from the existing log template.

 


Hi @AbdElHafez, thanks for your response. We did try your response above but have had no luck.

Thanks, we've taken some time to look within the various objects. We are ingesting all kinds of IoCs from our list, not just the ones in the screenshot, for future use, although for now we can limit it to:

  • SHA256
  • Domain
  • URL
  • MD5
  • Email-src
  • Hostname
  • Ip-src
  • Ip-dst

There are over 359 default objects within MISP. I do not think this is what you are looking for here, but here is a snippet of two objects that should be relevant.

Domain-IP:

 

{ "attributes": { "domain": { "categories": [ "Network activity", "External analysis" ], "description": "Domain name", "misp-attribute": "domain", "multiple": true, "ui-priority": 1 }, "first-seen": { "description": "First time the tuple has been seen", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 0 }, "hostname": { "description": "Hostname related to the IP", "misp-attribute": "hostname", "ui-priority": 1 }, "ip": { "categories": [ "Network activity", "External analysis" ], "description": "IP Address", "misp-attribute": "ip-dst", "multiple": true, "ui-priority": 1 }, "last-seen": { "description": "Last time the tuple has been seen", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 0 }, "port": { "categories": [ "Network activity", "External analysis" ], "description": "Associated TCP port with the domain", "misp-attribute": "port", "multiple": true, "ui-priority": 1 }, "registration-date": { "description": "Registration date of domain", "disable_correlation": false, "misp-attribute": "datetime", "ui-priority": 0 }, "text": { "description": "A description of the tuple", "disable_correlation": true, "misp-attribute": "text", "recommended": false, "ui-priority": 1 } }, "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "requiredOneOf": [ "ip", "domain", "hostname" ], "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "version": 11 }

 

URL:

 

{ "attributes": { "credential": { "description": "Credential (username, password)", "misp-attribute": "text", "ui-priority": 0 }, "dom-hash": { "description": "Dom-hash of the URL", "misp-attribute": "dom-hash", "ui-priority": 0 }, "domain": { "description": "Full domain", "misp-attribute": "domain", "ui-priority": 0 }, "domain_without_tld": { "description": "Domain without Top-Level Domain", "misp-attribute": "text", "ui-priority": 0 }, "first-seen": { "description": "First time this URL has been seen", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 0 }, "fragment": { "description": "Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.", "misp-attribute": "text", "multiple": true, "ui-priority": 0 }, "host": { "description": "Full hostname", "misp-attribute": "hostname", "ui-priority": 0 }, "ip": { "description": "Better type when the host is an IP.", "misp-attribute": "ip-dst", "multiple": true, "ui-priority": 0 }, "last-seen": { "description": "Last time this URL has been seen", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 0 }, "port": { "description": "Port number", "disable_correlation": true, "misp-attribute": "port", "ui-priority": 0 }, "query_string": { "description": "Query (after path, preceded by '?')", "misp-attribute": "text", "multiple": true, "ui-priority": 0 }, "resource_path": { "description": "Path (between hostname:port and query)", "misp-attribute": "text", "multiple": true, "ui-priority": 0 }, "scheme": { "description": "Scheme", "disable_correlation": true, "misp-attribute": "text", "sane_default": [ "http", "https", "ftp", "gopher", "sip" ], "ui-priority": 0 }, "subdomain": { "description": "Subdomain", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "text": { "description": "Description of the URL ", "misp-attribute": "text", "ui-priority": 0 }, "tld": { "description": "Top-Level Domain", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "url": { "description": "Full URL", "misp-attribute": "url", "ui-priority": 1 } }, "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "meta-category": "network", "name": "url", "requiredOneOf": [ "url", "resource_path" ], "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5", "version": 10 }

 

 

