MISP / PyMISP

Python library using the MISP Rest API

Can't get custom taxonomy tags from PyMISP #1289

Closed RR19MR closed 2 months ago

RR19MR commented 2 months ago

Attribute in MISP: image

Can't get custom tag (aaa:action="block3m") from custom taxonomy via PyMISP search function

# misp is an already initialised PyMISP client
r = misp.search(
    include_sightings=True,
    controller='attributes',
    type_attribute=['domain', 'hostname'],
    pythonify=False,
    value='test.test',
    published=True
)
# Print

{'Attribute': [{'id': '165941700', 'event_id': '1093746', 'object_id': '0', 'object_relation': None, 'category': 'Network activity', 'type': 'domain', 'to_ids': False, 'uuid': '50e02472-59a3-43fa-bc36-7abf4e69d4bb', 'timestamp': '1724657189', 'distribution': '5', 'sharing_group_id': '0', 'comment': 'for test', 'deleted': False, 'disable_correlation': False, 'first_seen': None, 'last_seen': None, 'value': 'test.test', 'Sighting': [], 'Event': {'org_id': '1', 'distribution': '1', 'id': '1093746', 'info': '[TEST]Phishing domains 8/2024', 'orgc_id': '1', 'uuid': '7ae2d0a0-19ce-44b6-8b9a-7fafc6e9f011'}, 'Tag': [{'id': '38', 'name': 'admiralty-scale:source-reliability="b"', 'colour': '#075200', 'numerical_value': '75', 'is_galaxy': False, 'local': True}]}]}

The aaa:action="block3m" tag is from a local taxonomy. However, I can access this tag via the PyMISP search_tags function:

# get ID by name
r = misp.search_tags(
    tagname='aaa:action="block3m"',
    pythonify=False
)
print(r)
[{'Tag': {'id': '16397', 'name': 'aaa:action="block3m"', 'colour': '#ff0000', 'exportable': False, 'org_id': '0', 'user_id': '0', 'hide_tag': False, 'numerical_value': None, 'is_galaxy': False, 'is_custom_galaxy': False, 'local_only': False}, 'Taxonomy': {'id': '205', 'namespace': 'aaa', 'description': 'Test Taxonomy ', 'version': '4', 'enabled': True, 'exclusive': False, 'required': False, 'highlighted': False}, 'TaxonomyPredicate': {'id': '1300', 'taxonomy_id': '205', 'value': 'action', 'expanded': 'IoC action policy', 'colour': None, 'description': 'tttttttttttttt', 'exclusive': False, 'numerical_value': None, 'TaxonomyEntry': [{'id': '10549', 'taxonomy_predicate_id': '1300', 'value': 'block3m', 'expanded': 'Block indicator for 3 month', 'colour': '#ff0000', 'description': 'Block indicator for 3 month', 'numerical_value': None}]}}]

Bug?

Rafiot commented 2 months ago

The issue seems to be that the tag is non-exportable, so it will not be in search results.

{'id': '16397', 'name': 'aaa:action="block3m"', 'colour': '#ff0000', 'exportable': False, 'org_id': '0', 'user_id': '0', 'hide_tag': False, 'numerical_value': None, 'is_galaxy': False, 'is_custom_galaxy': False, 'local_only': False}

RR19MR commented 2 months ago

The issue seems to be that the tag is non-exportable, so it will not be in search results.

{'id': '16397', 'name': 'aaa:action="block3m"', 'colour': '#ff0000', 'exportable': False, 'org_id': '0', 'user_id': '0', 'hide_tag': False, 'numerical_value': None, 'is_galaxy': False, 'is_custom_galaxy': False, 'local_only': False}

Thanks, it helped
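
The diagnosis from this thread as an added example (not code from the thread or from PyMISP): it cross-checks an attribute search response against a search_tags response and reports why each expected tag is or is not present. The function names and reason labels are hypothetical, and the sample data is constructed by trimming the responses quoted above.

```python
"""Explain why tags expected on an attribute are absent from a search result."""

# Constructed sample data, trimmed from the responses quoted in the thread.
ATTRIBUTE_SEARCH = {
    "Attribute": [{
        "id": "165941700",
        "value": "test.test",
        "Tag": [{"id": "38", "name": 'admiralty-scale:source-reliability="b"'}],
    }]
}
TAG_SEARCH = [
    {"Tag": {"id": "16397", "name": 'aaa:action="block3m"', "exportable": False}}
]


def index_tags(tag_search):
    """Map tag name -> tag metadata from a search_tags(pythonify=False) response."""
    return {entry["Tag"]["name"]: entry["Tag"] for entry in tag_search}


def explain_missing_tags(attribute_search, tag_search, expected):
    """Return {(attribute_value, tag_name): reason} for every expected tag."""
    known = index_tags(tag_search)
    report = {}
    for attr in attribute_search.get("Attribute", []):
        # The "Tag" key can be absent when no tag is returned for the attribute.
        attached = {t["name"] for t in attr.get("Tag", [])}
        for name in expected:
            if name in attached:
                reason = "present"
            elif name not in known:
                reason = "unknown-tag"  # no metadata supplied for this name
            elif not known[name].get("exportable", True):
                # Per the maintainer's reply: non-exportable tags are left out.
                reason = "non-exportable"
            else:
                reason = "not-attached-or-filtered"
            report[(attr["value"], name)] = reason
    return report


if __name__ == "__main__":
    wanted = ['aaa:action="block3m"', 'admiralty-scale:source-reliability="b"']
    for key, reason in explain_missing_tags(ATTRIBUTE_SEARCH, TAG_SEARCH, wanted).items():
        print(key, "->", reason)
```

Against a live instance, pass the dictionaries returned by misp.search(..., pythonify=False) and misp.search_tags(..., pythonify=False) in place of the constructed samples.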