MISP / PyMISP

Python library using the MISP Rest API

MispEventObject has no attributes #747

Closed rknntns closed 3 years ago

rknntns commented 3 years ago

Hi, MispEvent objects seem to have a list of attributes. If I use `object.attributes` it returns an empty list.

Is there a proper way to get the attributes?

Best regards

Rafiot commented 3 years ago

Hi, it should be populated fine. Can you share an export (json) of the event?

rknntns commented 3 years ago

Hi, the event itself (when viewed in the web interface) seems totally fine and the JSON export via the web interface gives me all the attributes. The problem is the PyMISP.MispEvent-object which seems to only include all the stuff but neither the attributes nor the attribute IDs, but only an attribute-count. I have the same problem with all the MispEvent-objects.

The json looks like this (censored and stripped some stuff from an actual example, but the structure is the same):

```json
{
    "uuid": "59a3d08d-****",
    "Tag": [
        {
            "id": "29",
            "colour": "#0088cc",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "local": "0"
        },
        {
            "id": "2",
            "name": "type:OSINT",
            "colour": "#8e1ab0",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "local": "0"
        },
        {
            "id": "1",
            "name": "tlp:white",
            "colour": "#8f1317",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "local": "0"
        },
        {
            "id": "30",
            "name": "malware_classification:malware-category=\"Ransomware\"",
            "colour": "#2c4f00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "local": "0"
        },
        {
            "id": "10",
            "name": "osint:source-type=\"blog-post\"",
            "colour": "#00223b",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "local": "0"
        }
    ],
    "Galaxy": [
        {
            "GalaxyCluster": [
                {
                    "meta": {
                        "date": [
                            "November 2016"
                        ],
                        "encryption": [
                            "AES + RSA-512"
                        ],
                        "extensions": [
                            ".test",
                            ".wallet"
                        ],
                        "payment-method": [
                            "Bitcoin - Email"
                        ],
                        "ransomnotes": [
                            "String1",
                            "String2",
                            "String3"
                        ],
                        "ransomnotes-filenames": [
                            "README.txt",
                            "README.jpg",
                            "FILES ENCRYPTED.txt",
                            "INFO.hta"
                        ],
                        "ransomnotes-refs": [
                            "link",
                            "link",
                            "link",
                            "link"
                        ],
                        "refs": [
                            "link",
                            "link",
                            "link"
                        ]
                    },
                    "default": false,
                    "distribution": "0",
                    "uuid": "**************",
                    "id": "***",
                    "collection_uuid": "10cf658b-5d32-**********",
                    "type": "ransomware",
                    "value": "Ransomware",
                    "tag_name": "misp-galaxy:ransomware=\"Ransomware\"",
                    "description": "Some description text",
                    "galaxy_id": "41",
                    "source": "Various",
                    "authors": [
                        "link",
                        "link",
                        "MISP Project"
                    ],
                    "version": "87",
                    "tag_id": "30",
                    "local": false
                }
            ],
            "id": "41",
            "uuid": "3f44af2e-1480-*********",
            "name": "Ransomware",
            "type": "ransomware",
            "description": "Ransomware galaxy l",
            "version": "4",
            "icon": "btc",
            "namespace": "misp"
        }
    ],
    "info": "OSINT - *******************************",
    "distribution": "3",
    "threat_level_id": "3",
    "analysis": "2",
    "published": true,
    "date": "2017-08-x",
    "id": "631",
    "orgc_id": "3",
    "org_id": "1",
    "timestamp": "...",
    "publish_timestamp": 1111111111,
    "sharing_group_id": "0",
    "Org": {
        "id": "1",
        "name": "ORGNAME",
        "uuid": "*************************",
        "local": true
    },
    "Orgc": {
        "id": "3",
        "name": "ORGCName",
        "uuid": "55f6ea5e-2c60-4****",
        "local": false
    },
    "attribute_count": "7",
    "proposal_email_lock": false,
    "locked": false,
    "disable_correlation": false,
    "extends_uuid": ""
}
```

I just need to know which attributes are in the Event, because every time I run a search with e.g. `misp.search(id='<id>', controller='attributes', type_attribute=['<sampleattribute>'], metadata=True, pythonify=True)`, if `<sampleattribute>` does not exist for , both, my virtualized MISP-instance as well as my Python script seem to freeze instantly.

best regards

Rafiot commented 3 years ago

Try without `metadata=True`, this key means you only get the metadata of the event (no attributes/objects), and it's not valid on a search on the controller attributes. Also, `id='<id>'` is not a valid parameter and it will be ignored.

This current request should return all the attributes of a specific type on your whole MISP instance, which can be a lot. If you're looking for a specific value, you need to use the `value` key. And it is very much recommended to also use `limit` and `page` to avoid very, very big responses.

rknntns commented 3 years ago

Thanks a lot! Is there a way to get attributes of a certain type out of the object?

Rafiot commented 3 years ago

Not totally sure what you mean. If you search type on the attributes controller, you get the attributes with that type.
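
The advice from this thread as an added example (not code from the issue or from PyMISP itself): search the attributes controller by type without `metadata=True`, scoped to one event with `eventid` and bounded with `limit` and `page`. `iter_attributes`, `FakeMISP` and the sample attributes are constructed for illustration so the block runs offline; against a real server, pass a connected `pymisp.PyMISP` instance instead of the stub.

```python
from types import SimpleNamespace


def iter_attributes(misp, attr_type, eventid=None, page_size=100, max_pages=50):
    """Yield attributes of one type in bounded pages (hypothetical helper).

    metadata=True is deliberately not passed: it drops attributes and is not
    valid on the attributes controller.
    """
    for page in range(1, max_pages + 1):  # MISP page numbers start at 1
        batch = misp.search(controller='attributes', type_attribute=attr_type,
                            eventid=eventid,  # None searches the whole instance
                            limit=page_size, page=page, pythonify=True)
        if isinstance(batch, dict):  # PyMISP hands API errors back as a dict
            raise RuntimeError(f'MISP search failed: {batch}')
        if not batch:  # no (more) attributes of this type
            return
        yield from batch
        if len(batch) < page_size:  # short page means nothing is left
            return


class FakeMISP:
    """Constructed stand-in for PyMISP so the example runs offline."""

    def __init__(self, attributes):
        self.attributes = attributes
        self.calls = 0

    def search(self, controller, type_attribute, eventid, limit, page, pythonify):
        self.calls += 1
        hits = [a for a in self.attributes if a.type == type_attribute
                and (eventid is None or a.event_id == eventid)]
        return hits[(page - 1) * limit: page * limit]


def demo():
    # Constructed sample attributes for event 631 (documentation IP range).
    sample = [SimpleNamespace(event_id=631, type='ip-dst', value=f'198.51.100.{i}')
              for i in range(5)]
    sample.append(SimpleNamespace(event_id=631, type='filename', value='README.txt'))
    misp = FakeMISP(sample)
    found = [a.value for a in iter_attributes(misp, 'ip-dst', eventid=631, page_size=2)]
    missing = list(iter_attributes(misp, 'sha256', eventid=631, page_size=2))
    return found, missing, misp.calls


if __name__ == '__main__':
    print(demo())
```

A type that is absent from the event ends after a single empty page, and `max_pages` caps the total work if the filter matches far more than expected.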