
How to ignore case for keyword matching when using misp.search()

Open A1oha opened this issue 3 years ago • 6 comments

For example, I have the following 2 events:

  1. event1 info : APT actor Lazarus was focused on geopolitical agenda
  2. event2 info : North Korea-linked lazarus APT group has targeted the defense industry

r = misp.search(eventinfo='%Lazarus%')

When I use the keyword "Lazarus" to match, only event1 can be matched. I want to know how to ignore case and match the above 2 events at the same time.

A1oha avatar May 06 '21 09:05 A1oha

I don't think you can, but I might be wrong (cc @mokaddem @iglocska). The (not amazing) alternative is to search for %azarus%.

Rafiot avatar May 06 '21 09:05 Rafiot

@Rafiot Thank you very much. If it is "Cobalt Strike" & "cobalt strike" and "APT1" & "apt1", how should I describe it? I read the usage of misp.search() in the official documentation, and it seems that there are no parameters that can control ignoring case in a fuzzy query.

A1oha avatar May 06 '21 10:05 A1oha

No, there are no options for that on PyMISP side because unless I'm mistaken, MISP doesn't support ignoring the case while searching.

Rafiot avatar May 06 '21 10:05 Rafiot
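The workaround sketched above (search `%azarus%` instead of `%Lazarus%`, then deal with the extra hits yourself) can be turned into a small two-step helper: widen the server-side wildcard so that case differences in the first letter of each word no longer matter, then apply an exact case-insensitive check on the client. This is an added example, not PyMISP project code or anything from the thread. It assumes the documented `misp.search(controller='events', eventinfo=...)` call returning a list of `{'Event': {...}}` dicts; `FakeMISP`, `widen_pattern`, `filter_case_insensitive`, `search_events_ignore_case` and the sample events (beyond the two from the issue) are constructed here so the block runs offline. The fake client mimics a case-sensitive `%`-wildcard match, which is the behaviour the thread describes; it is not MISP's real query code.

```python
import re
from typing import Any, Dict, Iterable, List

# Constructed sample data: events 1 and 2 are the ones from the issue; 3 to 6
# are added to show false positives and multi-word keywords.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"Event": {"id": "1", "info": "APT actor Lazarus was focused on geopolitical agenda"}},
    {"Event": {"id": "2", "info": "North Korea-linked lazarus APT group has targeted the defense industry"}},
    {"Event": {"id": "3", "info": "Bazarus sample shared by a partner"}},   # hits %azarus% but is not Lazarus
    {"Event": {"id": "4", "info": "Cobalt Strike beacon config extracted"}},
    {"Event": {"id": "5", "info": "cobalt strike C2 infrastructure"}},
    {"Event": {"id": "6", "info": "Unrelated phishing wave"}},
]


def _like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a %-wildcard pattern into a case-sensitive regex (no '_' support)."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("%")))


class FakeMISP:
    """Hypothetical stand-in for a PyMISP client; only search(controller='events',
    eventinfo=...) is modelled, with case-sensitive wildcard matching on 'info'."""

    def __init__(self, events: Iterable[Dict[str, Any]]):
        self._events = list(events)

    def search(self, controller: str = "events", eventinfo: str = None, **kwargs) -> List[Dict[str, Any]]:
        if controller != "events":
            raise ValueError("only controller='events' is modelled here")
        if eventinfo is None:
            return list(self._events)
        rx = _like_to_regex(eventinfo)
        return [e for e in self._events if rx.fullmatch(e["Event"]["info"])]


def widen_pattern(keyword: str) -> str:
    """Generalise the '%azarus%' trick to multi-word keywords.

    Each word loses its first character (the one most likely to differ in case)
    and the pieces are joined with '%': 'Cobalt Strike' -> '%obalt%trike%'.
    Assumption: only the leading letter varies; 'COBALT STRIKE' is still not
    covered server-side and would have to be fetched with a broader query.
    """
    parts = [w[1:] if len(w) > 1 else w for w in keyword.split()]
    return "%" + "%".join(parts) + "%"


def filter_case_insensitive(events: Iterable[Dict[str, Any]], keyword: str) -> List[Dict[str, Any]]:
    """Keep events whose info contains the keyword, ignoring case and whitespace runs."""
    rx = re.compile(r"\s+".join(re.escape(w) for w in keyword.split()), re.IGNORECASE)
    return [e for e in events if rx.search(e.get("Event", e).get("info", ""))]


def search_events_ignore_case(misp: Any, keyword: str) -> List[Dict[str, Any]]:
    """Widened server-side search, then an exact case-insensitive check on the client.

    The second step removes the false positives the widened pattern lets through
    (e.g. 'Bazarus' for the keyword 'Lazarus').
    """
    candidates = misp.search(controller="events", eventinfo=widen_pattern(keyword))
    return filter_case_insensitive(candidates, keyword)


if __name__ == "__main__":
    client = FakeMISP(SAMPLE_EVENTS)
    for kw in ("Lazarus", "Cobalt Strike", "APT1"):
        ids = [e["Event"]["id"] for e in search_events_ignore_case(client, kw)]
        print(f"{kw!r}: widened pattern {widen_pattern(kw)!r} -> events {ids}")
```

With a real `PyMISP` instance the same `search_events_ignore_case(misp, 'Lazarus')` call works unchanged, since it only relies on `eventinfo` and the `{'Event': {...}}` result shape. The client-side filter is what makes the answer exact; the widened pattern only decides how many candidates the server returns, so a keyword whose case can vary beyond the first letter of each word needs a looser pattern (or no `eventinfo` filter at all) to avoid missing events.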

thanks again.

A1oha avatar May 06 '21 10:05 A1oha

Is that search string just passed to the database as part of a LIKE query?

chrisinmtown avatar May 12 '21 17:05 chrisinmtown

No, it's not directly passed, but the format is similar.

Rafiot avatar May 14 '21 15:05 Rafiot