Closed rknntns closed 3 years ago
Hi, it should be populated fine. Can you share an export (json) of the event?
Hi,
the event itself (when viewed in the webinterface) seems totally fine and the json-export via the webinterface gives me all the attributes.
The problem is the PyMISP.MispEvent
-object which seems to only include all the stuff but neither the attributes nor the attribute IDs, but only an attribute-count.
I have the same problem with all the MispEvent-objects.
The json looks like this (censored and stripped some stuff from an actual example, but the structure is the same): `{ "uuid": "59a3d08d-****", "Tag": [ { "id": "29",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"local": "0"
},
{
"id": "2",
"name": "type:OSINT",
"colour": "#8e1ab0",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"local": "0"
},
{
"id": "1",
"name": "tlp:white",
"colour": "#8f1317",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"local": "0"
},
{
"id": "30",
"name": "malware_classification:malware-category=\\"Ransomware\\"",
"colour": "#2c4f00",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"local": "0"
},
{
"id": "10",
"name": "osint:source-type=\\"blog-post\\"",
"colour": "#00223b",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"local": "0"
}
],
"Galaxy": [
{
"GalaxyCluster": [
{
"meta": {
"date": [
"November 2016"
],
"encryption": [
"AES + RSA-512"
],
"extensions": [
".test",
".wallet"
],
"payment-method": [
"Bitcoin - Email"
],
"ransomnotes": [
"String1",
"String2",
"String3"
],
"ransomnotes-filenames": [
"README.txt",
"README.jpg",
"FILES ENCRYPTED.txt",
"INFO.hta"
],
"ransomnotes-refs": [
"link",
"link",
"link",
"link"
],
"refs": [
"link",
"link",
"link"
]
},
"default": false,
"distribution": "0",
"uuid": "**************",
"id": "***",
"collection_uuid": "10cf658b-5d32-**********",
"type": "ransomware",
"value": "Ransomware",
"tag_name": "misp-galaxy:ransomware=\\"Ransomware\\"",
"description": "Some description text",
"galaxy_id": "41",
"source": "Various",
"authors": [
"link",
"link",
"MISP Project"
],
"version": "87",
"tag_id": "30",
"local": false
}
],
"id": "41",
"uuid": "3f44af2e-1480-*********",
"name": "Ransomware",
"type": "ransomware",
"description": "Ransomware galaxy l",
"version": "4",
"icon": "btc",
"namespace": "misp"
}
],
"info": "OSINT - *******************************",
"distribution": "3",
"threat_level_id": "3",
"analysis": "2",
"published": true,
"date": "2017-08-x",
"id": "631",
"orgc_id": "3",
"org_id": "1",
"timestamp": "...",
"publish_timestamp": 1111111111,
"sharing_group_id": "0",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "*************************",
"local": true
},
"Orgc": {
"id": "3",
"name": "ORGCName",
"uuid": "55f6ea5e-2c60-4****",
"local": false
},
"attribute_count": "7",
"proposal_email_lock": false,
"locked": false,
"disable_correlation": false,
"extends_uuid": ""
}`
I just need to know which attributes are in the Event, because everytime I run a search with e.g. misp.search(id='<id>', controller='attributes', type_attribute=['<sampleattribute>'] , metadata=True, pythonify=True )
If <sampleattribute>
does not exist for
best regards
Try without metadata=True
, this key means you only get the metadata of the event (no attributes/objects), and it's not valid on a search on the controller attributes
. Also, id='<id>'
is not a valid parameter and it will be ignored.
This current request should return all the attributes of a specific type on your whole MISP instance, which can be a lot. If you're looking for a specific value, you need to use the value
key. And it is very much recommended to also use limit
and page
to avoid very, very big responses.
Thanks a lot! Is there a way to get attributes of a certain type out of the object?
Not totally sure what you mean. If you search type on the attributes
controller, you get the attributes with that type.
Hi, MispEvent objects seem to have a list of attributes. If i use
object.attributes
it returns an empy list.Is there a proper way to get the attributes?
Best regards