
[Support] PyMISP Attributes returning 0 for sharing_group_id for all attributes on all events, cannot filter attribute results by sharing group ID?

Open teward opened this issue 2 years ago • 1 comments

Using PyMISP 2.4.152, interfacing with a MISP server running 2.4.148.

I am trying to interface with a MISP system using PyMISP. This MISP system has my authkey in two sharing groups, with numeric IDs of 4 and 8.

I want to pull all attributes added to all events within the past 7 days, but I want to filter it specifically by sharing group, so that only sharing group 4 gets data pulled. Currently, it doesn't seem like this is possible, and even if I pull all data and try to programmatically determine the sharing group, it's not possible.

What I'm trying to do is get all the attributes added within a given timeframe (7 days) and produce an object for them (JSON) that we can work with. Since I can't add a sharing group filter to the search command, I simply pull all data, and expect the corresponding MISPAttribute items returned to have sharing_group_id populated based on the sharing group from which it was pulled.

What I've got so far is:

```python
import datetime
import pymisp

date_to = datetime.datetime.utcnow()
date_from = date_to - datetime.timedelta(days=7)

misp = pymisp.ExtendedPyMISP(...)  # ... indicates authentication and URL arguments, trimmed here for privacy
data = misp.search(controller='attributes', date_from=date_from, date_to=date_to, pythonify=True)
```

Now, this will return a list of attributes. Unfortunately, when I look into each attribute or its corresponding Event entry, the sharing_group_id, which I would expect to be one of the two sharing groups I am a member of (4 or 8), has only the data value of 0, which means I can't actually organize this by sharing group.

I'm not sure if this is a bug in PyMISP or the MISP server, but I thought I'd ask since I can't find any other support locations for PyMISP questions that get a little complex.

Anyone know if this is a bug, or if it's possible to filter the information from a search by the sharing group that the data belongs to?

teward, Feb 18 '22 00:02

Hi @teward,

This is intentional, as a sharing_group_id of 0 is 'Inherit', which will inherit the sharing group ID from the event. From what I see, you have two options:

  1. Add the parameter include_context=True to the search request. This returns additional context on the Event level, which includes the sharing group ID. You can therefore do something like:

```python
data = misp.search(controller='attributes', date_from=date_from, date_to=date_to, include_context=True, pythonify=True)
for a in data:
    sgId = a.sharing_group_id
    if sgId == 0:
        sgId = a.Event.sharing_group_id
```

  2. I recently added the functionality to MISP and PyMISP to filter by sharing group, present in MISP v2.4.158. You can pass in the sharing group ID on the sharinggroup parameter, see https://github.com/MISP/PyMISP/blob/main/pymisp/api.py#L2435

tomking2, Sep 13 '22 16:09
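
Added example (not part of the original thread and not PyMISP code): the inheritance rule from the reply above, applied to a whole result set so that attributes can be grouped or filtered by their effective sharing group, including the case where event context is missing. The record layout, the sample values and the function names are assumptions constructed for illustration; it runs offline on plain dicts rather than against a MISP server.

```python
from collections import defaultdict

# Per the reply above: an attribute sharing_group_id of 0 means "inherit from the event".
INHERIT = 0

# Constructed sample records (assumed layout: attribute fields plus nested Event context).
# Sharing group IDs 4 and 8 mirror the ones mentioned in the question.
SAMPLE_ATTRIBUTES = [
    {"id": "101", "value": "198.51.100.7", "sharing_group_id": "0",
     "Event": {"id": "11", "sharing_group_id": "4"}},
    {"id": "102", "value": "example.test", "sharing_group_id": "8",
     "Event": {"id": "11", "sharing_group_id": "4"}},
    {"id": "103", "value": "203.0.113.9", "sharing_group_id": "0",
     "Event": {"id": "12", "sharing_group_id": "8"}},
    # Fetched without event context: inheritance cannot be resolved.
    {"id": "104", "value": "no-context.test", "sharing_group_id": "0"},
]


def effective_sharing_group(attr):
    """Return the resolved sharing group ID, or None when it cannot be resolved."""
    own = int(attr.get("sharing_group_id", INHERIT))
    if own != INHERIT:
        return own  # the attribute carries its own sharing group
    event = attr.get("Event")
    if not event or "sharing_group_id" not in event:
        return None  # no event context, so do not guess
    return int(event["sharing_group_id"])


def group_by_sharing_group(attrs):
    """Map effective sharing group ID -> list of attribute IDs."""
    groups = defaultdict(list)
    for attr in attrs:
        groups[effective_sharing_group(attr)].append(attr["id"])
    return dict(groups)


def filter_by_sharing_group(attrs, wanted):
    """Keep only attributes whose effective sharing group equals `wanted`."""
    return [a for a in attrs if effective_sharing_group(a) == wanted]


if __name__ == "__main__":
    for sg, ids in group_by_sharing_group(SAMPLE_ATTRIBUTES).items():
        print(sg, ids)
```

Attributes that land under None were returned without event context and should be re-queried rather than assigned to a group.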