PyMISP

Cannot update event org

Open csirt-pj opened this issue 3 years ago • 7 comments

Hello, I am trying to update an event's org (not orgc):

event = misp.get_event(519, pythonify=False)
event['Event']['Org']['uuid']='5dfb7cb3-19c0-421e-a120-768ebca539c9'
event['Event']['Org']['name']="REDACTED"
event['Event']['Org']['id'] = '11'
event['Event']['org_id'] = '11'
misp.update_event(event, 519)

But all I get is:

{'errors': (403,
  {'saved': False,
   'name': 'Could not edit Event',
   'message': 'Could not edit Event',
   'url': '/events/edit/519',
   'errors': 'Event could not be saved: Event in the request not newer than the local copy.'})}

csirt-pj, May 17 '21 14:05

So two things there:

  1. The timestamp isn't changed if you modify the JSON manually, so you have to delete the timestamp key from the dict before you push it. Alternatively, use PyMISP and it will be taken care of when needed.
  2. The parameters you're changing are ignored on the MISP side because they're all set by the platform itself.

Rafiot, May 17 '21 15:05

Arf, so I cannot change them? I need to recreate the event with a different org? We have some org issues, people not being able to modify events they should.

csirt-pj, May 17 '21 15:05

You can change the Orgc (creator org), but not the org:

from pymisp import MISPOrganisation
orgc = MISPOrganisation()
orgc.name = 'bazbaz'
orgc.id = 15
orgc.uuid = '5888a98d-a7e8-4183-94bb-4d19950d210f'
# NOTE: Pushing this object will only work if the user has sync right (if not, the orgc key will be ignored)
event.Orgc = orgc

print(event.to_json())

That should still do the trick for allowing edits. But it should only be used if you have no other way to do it.

Rafiot, May 17 '21 15:05

It seems MISP is not accepting it:

from pymisp import MISPOrganisation
orgc = MISPOrganisation()
orgc.name = 'babar'
orgc.id = 11
orgc.uuid = '5dfb7cb3-19c0-421e-a120-768ebca539c9'
event = misp.get_event(519, pythonify=True)
# NOTE: Pushing this object will only work if the user has sync right (if not, the orgc key will be ignored)
event.Orgc = orgc
event.timestamp=''
result = misp.update_event(event, pythonify=True)
result.orgc.name

Anyway, I think I will duplicate/recreate events, it may be simpler. Thanks!

csirt-pj, May 18 '21 09:05

The user needs to be sync or admin. And what was the response from MISP? Creating duplicate events will cause issues if you want to share the events in the future.

Rafiot, May 18 '21 15:05

Actually nothing: it answers the same event in dict format with orgc unchanged.

csirt-pj, May 25 '21 16:05

Right, that thing was definitely working in the past, but as I never implemented a test case, we didn't catch the regression.

Rafiot, Jun 01 '21 17:06
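
An added example, not part of the original thread and not PyMISP's own code: it prepares a raw event dict for `update_event` as described in the first reply, then classifies the server's answer so that a silently ignored Orgc change (the outcome reported above) is detected instead of assumed to have worked. The helper names, the sample event and the "current" Orgc UUID are constructed for illustration; the rejected response is the one quoted in the issue.

```python
import copy

# Keys the thread says MISP sets itself and ignores on edit (assumption:
# only the keys the original poster tried to change are listed).
PLATFORM_SET_KEYS = ("Org", "org_id")


def prepare_for_update(event):
    """Return a copy of a get_event(..., pythonify=False) dict ready to push."""
    out = copy.deepcopy(event)
    body = out["Event"]
    # A stale timestamp is what triggers "not newer than the local copy".
    body.pop("timestamp", None)
    for key in PLATFORM_SET_KEYS:
        body.pop(key, None)
    return out


def check_orgc_update(response, wanted_uuid):
    """Classify an update response as 'rejected', 'ignored' or 'applied'."""
    if "errors" in response:
        return "rejected"
    orgc = response.get("Event", {}).get("Orgc") or {}
    return "applied" if orgc.get("uuid") == wanted_uuid else "ignored"


WANTED_UUID = "5dfb7cb3-19c0-421e-a120-768ebca539c9"  # from the thread

# Constructed sample shaped like the dict form of an event.
SAMPLE_EVENT = {"Event": {
    "id": "519", "timestamp": "1621260000", "org_id": "1",
    "Org": {"id": "1", "name": "constructed-org"},
    "Orgc": {"uuid": "00000000-0000-4000-8000-000000000001"},
}}

# The error response quoted in the issue.
REJECTED = {"errors": (403, {
    "saved": False, "name": "Could not edit Event",
    "message": "Could not edit Event", "url": "/events/edit/519",
    "errors": "Event could not be saved: Event in the request "
              "not newer than the local copy."})}

if __name__ == "__main__":
    print(sorted(prepare_for_update(SAMPLE_EVENT)["Event"]))
    print(check_orgc_update(REJECTED, WANTED_UUID))
    print(check_orgc_update(SAMPLE_EVENT, WANTED_UUID))
```
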