PyMISP
PyMISP copied to clipboard
MISP
Event Retrieval With PyMISP.search Returns Empty List
Hi,
I am having an issue with the retrieving events with PyMISP. When I use the search() function from PyMISP class with the date_to argument, the returned list of events is always empty even though the queried events (those created before date_to) are present on MISP. Specifically, here is my implmentation:
misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert) results_a = misp.search(date_to=datetime.now()+timedelta(days=1))
Theoretically, all events present in MISP should be returned, as all events are guranteed to be created before the date_to time. However, on execution, results_a is [].
Is this a potential bug? Alternatively, am I doing something wrong with this search?
Out of curiosity, have you tried to use date_from too? I wouldn't be surprised MISP acts weirdly if you only pas one of the two.
Also, if you want to get a complete MISP database, you definitely also want to use limit and page so MISP doesn't returns thousands of entries and run out of memory.
If you really want to get all the events from your MISP instance, you can also use the events method.
Hi,
Yes I have also tried date_from, which seems to work. I have also tried using both date_from and date_to, which returned no events. Thus, I suspect that date_to is the issue. I have also tried limit, although that does not appear to help.
Ultimately, the objective is for my program to retrieve all events created (not updated with additional attributes, just created) between time X and Y. So, it is necessary to have the date_to argument working.
I just checked, and we have a test case for that (date_from only and date_from + date_to): https://github.com/MISP/PyMISP/blob/main/tests/testlive_comprehensive.py#L819
And it works as expected so I'm not sure why it's not working for you.
But anyway, I'm not sure you can do that: date_from and date_to are set by the user, and it can be anything: it is possible to create an event today and have a date field set to months ago. And afaik, there is no way to search for the creation timestamp (please tell me if I'm wrong @iglocska @mokaddem).
Maybe you want to use the publish timestamp instead? If an event is re-published, it will come back in your list, but it may be better than nothing?
I think I have found the issue, the in my previous code, I was passing a Datetime object, not a Date object. Once I replaced that with a string (2021-06-17), it seems to work.
I do have some follow up questions though:
- I am wondering if I can query for events by time, rather than by date. For example, could I retrieve all the events between 6:30 AM to 9:30 AM on the 2021-06-16?
- It appears that date_from and date_to permits the input of int and float. Are these used to enter Unix time (in seconds)?
- Is there a way to query for events by generation time, rather than last update time. I think this question is already answered. But, just in case you have thought of something else, please let me know.
Thanks
- no, the date field in the event doesn't have more precision than the day
- you can pass a Unix time in seconds, but it will converted as a date
- afaik, creation time isn't kept, but my colleagues might have an other idea
It appears PyMISP doesn't support datetime objects for this field as the documentation suggest.
0 Results
UnpublishTo = datetime.now() - timedelta(days=365*3)
MISP = PyMISP(URL, AuthKey)
OldEvents = MISP.search(date_to=UnpublishTo)
Expected results
UnpublishTo = datetime.now() - timedelta(days=365*3)
UnpublishToStr = UnpublishTo.strftime("%F")
MISP = PyMISP(URL, AuthKey)
OldEvents = MISP.search(date_to=UnpublishToStr)
date_from is not useful for my requirements unfortunately, however the .strftime("%F") solved the issue for me.