PyMISP icon indicating copy to clipboard operation
PyMISP copied to clipboard

Published 20 hours ago verified publisher icon MISP

Updating event and adding attributes

Open MrDuckBr opened this issue 2 years ago • 5 comments

I'm trying to update an event by adding new attributes to it, I tried to use the full complete example, available in the repository, but it has an error and even after some readings and examples found, it still isn't working correctly.

  misp = ExpandedPyMISP(urlEventsSearch, apikey, False)


    event = misp.get_event('1513')
    
    #try with a string
    event.add_attribute('test','teste.com')
    #try with a urls list
    event.add_attribute('url', listOfUrls)
    
    misp.update_event(event,event.id)

I used ExpandedMisp to add an attribute and update the event, but it shows the error:

event.add_attribute('url', listOfUrls) AttributeError: 'dict' object has no attribute 'add_attribute'

MrDuckBr avatar Dec 23 '21 17:12 MrDuckBr

event.add_attribute('test','teste.com') <= this call is definitely not working, test isn't a valid type.

And in order to get a MISP event in a pythonesque format, you need to do event = misp.get_event('1513', pythonify=True)

Can you please point to the non-functional examples?

Rafiot avatar Dec 28 '21 16:12 Rafiot

I believe that with a non-functional example, I am asking about what I want to do.

In this case I want to add attributes to an event that already exists. Later add or update the tags in these attributes that I will add.

MrDuckBr avatar Dec 29 '21 14:12 MrDuckBr

Have you tried the examples above?

  1. test isn't a valid MISP type, the call doesn't work and should raise an exception.
  2. you need to pass pythonify=True to the get_event call to get the event as a MISPEvent instead of a python dictionary.

Rafiot avatar Dec 29 '21 14:12 Rafiot

Yes, I made the modifications to catch the event with pythonify so that a MispEvent comes up and not a Python dictionary anymore.

  1. Previously when I created the event and was adding attributes to it, it was accepting that I put a string which in this case is the "url" as the attribute type, in this case I should create a MispAttribute to add to the event I got using the get_event and then update the event?

When I was making the changes that I had commented on previously and reading the documentation I understood that the parameters I was passing were not being allocated where I wanted, when I explicitly passed it started to work, where it stayed that way

     misp = ExpandedPyMISP(urlEventsSearch, apikey, False)

    event = misp.get_event('1513',pythonify=True)
 
    event.add_attribute(type='url', value='isTest', disable_correlation=True)

MrDuckBr avatar Dec 30 '21 13:12 MrDuckBr

I'm not totally sure to understand your question, so I'm sorry if I don't answer it.

If you want to add one attribute to an existing MISP event (and you know the UUID/ID of said event), you can create a MISPAttribute and use misp.add_attribute to add that specific attribute to the event on the MISP instance, no need to use get_event first.

And one more thing: ExpandedPyMISP is deprecated and just an alias to PyMISP, so you can just use PyMISP directly.

Rafiot avatar Jan 04 '22 12:01 Rafiot