PyMISP
Attribute export not show Decay
Hello guys, I want to disable the IDS flag if the decay score is 0, but I have a problem with my code.
When I try to include the decay score in the REST client on MISP, I have the value:
"includeDecayScore": "true"
With this Python code, when I try to print "result", the output hasn't the decay score.
    result = misp.search('attributes', to_ids=1, includeDecayScore="True", pythonify=True)
    print(result)
    if 'Attribute' in result:
        for attribute in result['Attribute']:
            attribute_uuid = attribute['uuid']
            event_id = attribute['event_id']
            if int(attribute['score']) == 0:
                misp.update_attribute({'uuid': attribute_uuid, 'to_ids': 0})
Thanks!
Just making sure, it should be attribute['decay_score']['score'] and not attribute['score']. Or is it a typo in the code above?
Hello Rafiot, yes it's a typo, this is the correct code:
    # Fetch all the attributes
    result = misp.search('attributes', to_ids=1, includeDecayScore=True, pythonify=True)
    if 'Attribute' in result:
        for attribute in result['Attribute']:
            attribute_uuid = attribute['uuid']
            event_id = attribute['event_id']
            if int(attribute['decay_score']['score']) == 0:
                misp.update_attribute({'uuid': attribute_uuid, 'to_ids': 0})
This is the output of "result" in a txt:
uuid,event_id,category,type,value,comment,to_ids,date,object_relation,attribute_tag,object_uuid,object_name,object_meta_category
The script doesn't include the decay score. My use case is to change "to_ids" from 1 to 0 when the decay score is 0 and schedule the script with a cron job. In your opinion, is there a better way to do this?
Editing all the to_ids flags for the decayed attributes seems to be extremely overkill and will probably not scale by the time you have a lot of data in your MISP instance. And doing that will edit events that aren't yours (= sync'ed from other sources), and if you modify them, you won't get updates on the events. I'd recommend you to export the decayed attributes only and do what I want to do with them, instead of editing the to_ids flag.
I'm having a look at the issue you have with the missing decay score in the search query, this sounds like a bug.
EDIT: passing includeDecayScore=True works, the score is in the response. It initially didn't for me because I had no decaying models enabled.
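The approach recommended in the thread (filter on the exported decay score instead of rewriting to_ids), as an added example that is not part of the thread or of PyMISP's own code. It assumes a non-pythonified response of the form {'Attribute': [...]} in which each attribute may carry 'decay_score' as a dict or a list of dicts with a 'score' key; the function names and sample data are constructed for illustration.

```python
# Added example: partition a MISP attribute search response by decay score.
# Assumed shape: {'Attribute': [...]}, each attribute optionally carrying
# 'decay_score' as a dict or a list of dicts that have a 'score' key.

def decay_entries(attribute):
    """Return the decay-score entries of one attribute ([] when none)."""
    raw = attribute.get("decay_score")
    if not raw:
        return []
    return raw if isinstance(raw, list) else [raw]


def split_by_decay(response):
    """Return (live, decayed, unscored) lists of attributes.

    unscored = no decay_score in the response, e.g. no decaying model is
    enabled; these are reported separately instead of being treated as 0.
    """
    live, decayed, unscored = [], [], []
    for attribute in response.get("Attribute", []):
        entries = decay_entries(attribute)
        if not entries:
            unscored.append(attribute)
        elif all(float(e["score"]) <= 0 for e in entries):
            decayed.append(attribute)
        else:
            live.append(attribute)
    return live, decayed, unscored


# Constructed sample response (values are made up for illustration).
SAMPLE = {
    "Attribute": [
        {"uuid": "a-1", "type": "ip-dst", "value": "192.0.2.10", "to_ids": True,
         "decay_score": [{"score": 54.5}]},
        {"uuid": "a-2", "type": "domain", "value": "expired.example", "to_ids": True,
         "decay_score": [{"score": 0}]},
        {"uuid": "a-3", "type": "url", "value": "https://example.com/x", "to_ids": True,
         "decay_score": {"score": "0"}},
        {"uuid": "a-4", "type": "domain", "value": "unscored.example", "to_ids": True},
    ]
}

if __name__ == "__main__":
    live, decayed, unscored = split_by_decay(SAMPLE)
    print("export to IDS:", [a["value"] for a in live])
    print("decayed, skip:", [a["value"] for a in decayed])
    print("no score (check decaying models):", [a["value"] for a in unscored])
```

Feeding only the live list to the IDS export leaves the events themselves unmodified, so synchronised events keep receiving updates.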