
Error code 403 over remote event update using only local tags

Open minisephirot opened this issue 1 year ago • 11 comments

Context

What: I enrich external organisation events using local tags to ensure that my semantics are not being propagated. Why: Those tags are used to pivot on whether the IOC should enter a blacklist or not.

Code

How:

        from datetime import datetime, timedelta
        from pymisp import MISPEvent

        # Search a two-day window of not-yet-enriched events from the partner org
        time_window: datetime = oldest_unriched_event_date + timedelta(days = 2)
        results = self.misp_instance.search(
            controller = "events",
            date_from = oldest_unriched_event_date.strftime("%F"),
            date_to = time_window.strftime("%F"),
            include_correlations = False,
            event_tags = ['!blacklist_tag'],
            org = self.sekoia_uuid,
            deleted = "0",
            pythonify = True,
            metadata = True,
        )
        # Events tagging
        misp_event: MISPEvent
        for counter_ev, misp_event in enumerate(results):
            for tag in my_tag_list:  # placeholder for the tag list in the original
                misp_event.add_tag(name = tag, local = True)
            # full event edit (this is the call that returns the 403 below)
            self.misp_instance.update_event(misp_event)

Sadly I've been using a site admin user to do this stuff while POCing, so yeah.. I was able to be pretty free in terms of perms.

This led me to using a more appropriate role, which was sync user, thinking that local tags wouldn't be a bother since it was described as "The long awaited feature “local tags” is now finally available. You can create tags locally if you are a member of the given MISP instance’s host organisation, enabling “in-place” tagging for synchronisation and export filtering".

Alas, when running the script I get this: ERROR: Something went wrong (403): {'saved': False, 'name': 'Could not edit Event', 'message': 'Could not edit Event', 'url': '/events/edit/9085', 'errors': 'Event could not be saved: The user used to edit the event is not authorised to do so. This can be caused by the user not being of the same organisation as the original creator of the event whilst also not being a site administrator.', 'id': '9085'}

Event 9085 "as is": [screenshot]
With local tags added on GUI: [screenshot]

There is probably something I've missed while considering local tags: if this is an issue of not being in the same organisation, why can I add those tags on the same event as a same-role user from another organisation on the GUI?

Sorry for the delayed issue, by the way; I tried to bruteforce my way beforehand to not waste your time if this was just a perm issue.

minisephirot avatar Jan 04 '24 16:01 minisephirot

If you have a 403 error, it’s a perm issue and not really an issue with PyMISP.

adulau avatar Jan 04 '24 19:01 adulau

Based on the provided information, I can safely deduce it's DNS. It's always DNS.

iglocska avatar Jan 04 '24 19:01 iglocska

I've completed my issue, sorry for the delay :)

minisephirot avatar Jan 05 '24 12:01 minisephirot

It seems to be related to those issues: https://github.com/MISP/MISP/issues/4691 & https://github.com/MISP/MISP/issues/4925. My user is in the host organisation; he tries via API to update an event using only local tags -> 403.

minisephirot avatar Jan 05 '24 15:01 minisephirot

@adulau

If you have a 403 error, it’s a perm issue and not really an issue with PyMISP.

I thought so too but since MISP allowed me in GUI to edit local tags I thought this was more of a MISP <-> PyMISP interaction

@Rafiot Does this issue still need more information?

EDIT: For now I've found a workaround: the script's user is site admin. That's the only way to bypass this issue.

minisephirot avatar Jan 10 '24 10:01 minisephirot

@minisephirot no, it doesn't. But it is going to be a MISP API issue, I don't think there is a fix on PyMISP side.

cc @iglocska

Rafiot avatar Jan 10 '24 11:01 Rafiot

@Rafiot Thank you for the feedback.

Should I close this issue and reopen it on MISP's repo, or let someone transfer it?

minisephirot avatar Jan 17 '24 09:01 minisephirot

If it works as site admin, it is definitely a perm issue.

Can you check the tag settings and make sure it is not limited to a specific user/org and you're trying to add it from another one?

Rafiot avatar Jan 17 '24 10:01 Rafiot

What do you mean by tag settings? I've tried going from misp_event.add_tag(name = tag, local = True) to attribute.add_tag(name = tag, local = True, exportable = True) with no significant change in MISP behaviour: are there some settings in MISP to change?

minisephirot avatar Jan 17 '24 17:01 minisephirot

Okay, I looked at the first message again and it's a different issue: the exception happens when you call an update on the MISP event, which would make sense if you do that against an event that isn't yours.

If I'm not mistaken (please correct me @iglocska), you can attach a local tag to a MISP event that isn't yours if you do something like that: self.misp_instance.tag(event_id, tag_name, local=True). That is assuming a tag with that tag name exists on the MISP instance.

Rafiot avatar Jan 22 '24 13:01 Rafiot
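Rafiot's suggestion above, written out as an added example (not the issue author's script and not PyMISP's own code): the same bulk loop done with tag(event_uuid, tag_name, local=True) per event instead of mutating the event and calling update_event(). The client here is a constructed FakeMISP stand-in with a simplified permission model (re-saving an event needs the creator org or site admin; attaching a local tag needs the host org), so the logic runs offline; with a real instance you would pass the PyMISP object instead. As Rafiot notes, it assumes each tag name already exists on the instance.

```python
"""Bulk local tagging with PyMISP's tag() instead of update_event().

Added example: not the issue author's script and not PyMISP's own code.
Assumes a PyMISP-like client exposing update_event(event) and
tag(entity, tag_name, local=...), and assumes every tag name already
exists on the instance. FakeMISP is a constructed stand-in so the logic
runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class FakeMISP:
    """Constructed stand-in for a PyMISP client with a simplified permission model.

    It encodes the two rules quoted in the thread: re-saving an event requires
    the creator org (or site admin), while attaching a local tag only requires
    membership in the host organisation.
    """
    user_org: str
    host_org: str
    site_admin: bool = False
    store: dict = field(default_factory=dict)      # uuid -> event dict
    tag_calls: list = field(default_factory=list)  # (uuid, tag, local)

    def load(self, events):
        for ev in events:
            self.store[ev["uuid"]] = ev

    def update_event(self, event):
        # same condition as the 403 body in the issue: not creator org, not site admin
        if event["Orgc"]["uuid"] != self.user_org and not self.site_admin:
            return {"saved": False, "errors": "Event could not be saved: not authorised"}
        self.store[event["uuid"]] = event
        return {"Event": event}

    def tag(self, misp_entity, tag, local=False):
        if local and self.user_org != self.host_org:
            return {"saved": False, "errors": "Local tags require the host organisation"}
        self.tag_calls.append((misp_entity, tag, local))
        self.store[misp_entity].setdefault("Tag", []).append({"name": tag, "local": local})
        return {"saved": True, "name": "Tag added."}


OWN_UUID = "11111111-1111-4111-8111-111111111111"      # constructed sample UUIDs
PARTNER_UUID = "22222222-2222-4222-8222-222222222222"


def make_events():
    """Constructed sample: one event created by our org, one by a partner org."""
    return [
        {"uuid": OWN_UUID, "Orgc": {"uuid": "org-ours"}, "Tag": []},
        {"uuid": PARTNER_UUID, "Orgc": {"uuid": "org-partner"}, "Tag": []},
    ]


def tag_via_update(client, events, tags):
    """The approach from the issue: append tags to the event and re-save it.

    Returns the UUIDs that failed. For a non-admin user outside the creator
    org that is every foreign event, even when only local tags changed.
    """
    failed = []
    for ev in events:
        ev.setdefault("Tag", []).extend({"name": t, "local": True} for t in tags)
        resp = client.update_event(ev)
        if isinstance(resp, dict) and "errors" in resp:
            failed.append(ev["uuid"])
    return failed


def local_tag_events(client, events, tags):
    """Attach each tag as a local tag with client.tag(), one call per (event, tag).

    tag() attaches the tag without re-saving the event, so the creator-org
    check does not apply. Tags already present are skipped and a failure on
    one event is recorded without aborting the run. Returns (tagged, failed).
    """
    tagged, failed = [], []
    for ev in events:
        present = {t["name"] for t in ev.get("Tag", [])}
        ok = True
        for tag in tags:
            if tag in present:
                continue
            resp = client.tag(ev["uuid"], tag, local=True)
            if isinstance(resp, dict) and "errors" in resp:
                ok = False
        (tagged if ok else failed).append(ev["uuid"])
    return tagged, failed


if __name__ == "__main__":
    client = FakeMISP(user_org="org-ours", host_org="org-ours")
    client.load(make_events())
    print("update_event failures:", tag_via_update(client, make_events(), ["blacklist_candidate"]))
    print("tag() result:", local_tag_events(client, make_events(), ["blacklist_candidate"]))
```

The per-tag calls cost one HTTP request each, which is the trade-off the issue author wanted to avoid; in exchange the script no longer needs a site admin key, and a single refused event is reported instead of aborting the whole enrichment run.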

Hello, thank you for the insight. I thought that calling an update with only tags being changed would not trigger a "true" event update like an edit of attributes: that's a good thing to know. I specifically avoided misp_instance.(un)tag because it directly made an HTTP request and I wanted to bulk tag/untag. I'll try using the method and see if this goes through!

minisephirot avatar Jan 25 '24 10:01 minisephirot