PyMISP
Filtering on tags seems broken


Clean MISP install (via Docker), screen shot of events above. One with TEST in info and the other TEST as a tag. Tag is listed as exportable, and not hidden.
Using the example feed-generator:
- filters = {'published':'true'} produces an output of two events, as expected.
- filters = {'published':'true', 'tag': 'TEST'} per example yields zero events
- filters = {'published':'true', 'tags': 'TEST'} yields zero events
- filters = {'published':'true', 'tag': ['TEST']} yields zero events
- filters = {'published':'true', 'tags': ['TEST']} yields zero events
- filters = {'published':'true', 'tag': 'TEST|feed-export'} yields zero events
- filters = {'published':'true', 'tags': 'TEST|feed-export'} yields zero events
What led me to test this: in our prod environment, I set filters = {'published':'true', 'tag': '$keyword'} (keyword being our internal keyword) and MISP returns an event that is not tagged but has $keyword in the info section. Testing with tags also yielded the same event.
I thought it was maybe because the keyword was encased in [] in the info section, so I added a [TEST] event, and it still didn't return the event like it does in our prod, so I can't quantify why the event with $keyword is being returned.
For those that come across this problem:
- Dev was not returning because the events did not have any attributes. Adding attributes gave the expected results.
- Checking the prod, the event was tagged with $keyword, however the tag did not get added to the output.
  - So, the tag is exportable, but added as a local tag.
So, this is a non-issue. ;)
Re-opening for @iglocska -- wants to do a FAQ on this.
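
The two findings in this thread, as an added example that is not part of the original issue and not PyMISP or MISP code: a small checker that explains, per event, whether a tag-filtered feed export would return it and whether the tag would appear in the output. The event dictionaries are constructed samples, and the keys "Attribute", "Tag", "name" and "local" as well as the function names are assumptions of this example.

```python
# Constructed sample events, loosely shaped like MISP event JSON.
# The keys "Attribute", "Tag", "name" and "local" are assumptions of this example.
SAMPLE_EVENTS = [
    {"info": "[TEST] keyword only in info", "published": True,
     "Attribute": [{"type": "ip-dst", "value": "192.0.2.10"}], "Tag": []},
    {"info": "tagged, no attributes", "published": True,
     "Attribute": [], "Tag": [{"name": "TEST", "local": False}]},
    {"info": "tagged with a local tag", "published": True,
     "Attribute": [{"type": "domain", "value": "example.test"}],
     "Tag": [{"name": "TEST", "local": True}]},
    {"info": "tagged with a global tag", "published": True,
     "Attribute": [{"type": "domain", "value": "example.test"}],
     "Tag": [{"name": "TEST", "local": False}]},
]


def _flag(value):
    """Normalise a boolean that may arrive as True/False, 0/1 or "0"/"1"."""
    return str(value).strip().lower() in ("1", "true")


def diagnose(event, tag_name):
    """Explain how one event behaves under a tag-filtered feed export."""
    result = {"info": event.get("info", ""), "returned": False,
              "tag_in_output": False, "reason": ""}
    matches = [t for t in event.get("Tag", []) if t.get("name") == tag_name]
    if not _flag(event.get("published", False)):
        result["reason"] = "event is not published"
    elif not matches:
        result["reason"] = "tag is not attached (text in 'info' is not a tag)"
    elif not event.get("Attribute"):
        result["reason"] = "event has no attributes"
    else:
        result["returned"] = True
        # A local tag still matches the filter but is left out of the export.
        result["tag_in_output"] = any(not _flag(t.get("local", False)) for t in matches)
        result["reason"] = ("ok" if result["tag_in_output"]
                            else "matched, but only as a local tag")
    return result


def diagnose_all(events, tag_name):
    """Run diagnose() over a list of events."""
    return [diagnose(e, tag_name) for e in events]


if __name__ == "__main__":
    for row in diagnose_all(SAMPLE_EVENTS, "TEST"):
        print(row)
```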