MISP / PyMISP

Python library using the MISP Rest API

No way to search for attributes based on first_seen or last_seen #843

Open teward opened 2 years ago

teward commented 2 years ago

In order to not break our MISP feeds, we have been updating attributes and editing them with update_attribute when we have new attribute data to provide. Namely, we keep updating last_seen manually. This way, if we have an attribute on a given event that we've seen since June 1, 2021 and we have last seen it on June 28, 2022 in our events (extracted from pcap data and then processed via Bro and then ingested via an ingestion script into a sharing group for indicators for specific malware groups), anyone with a MISP instance can see if a given indicator has been seen 'recently'.

However, when using PyMISP, there is no way to search or filter on the attribute's first_seen or last_seen values.

We know this is supported on the attributes rest client (/attributes/restSearch) with the relevant field and time entry of either exact time or a relative timeperiod (such as '24h' or similar), however this is oddly enough missing from PyMISP's ability to search.

Attempting to bruteforce the argument via last_seen='24h' or similar in the args does nothing, so I have to assume this functionality does not exist or is not implemented in PyMISP.

This seems like an oversight.
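For readers who need the search before the library grows the parameter, the following is an added example (not PyMISP or MISP project code). It builds the JSON body the issue says `/attributes/restSearch` accepts and applies the same `first_seen` / `last_seen` cut-off locally to attributes already fetched, so the "seen recently" question can still be answered client-side. Assumptions, not taken from the page: the filter keys are literally `first_seen` and `last_seen`; relative periods use the `m`/`h`/`d` suffixes MISP uses for its other time filters; "seen since" is interpreted as `field >= threshold`; `post_restsearch`, `build_restsearch_body` and `filter_by_seen` are names chosen here; the attribute records are constructed, not real feed data.

```python
"""Client-side first_seen / last_seen filtering for MISP attributes (added example)."""
from __future__ import annotations

import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

# Relative-period syntax in the '24h' style from the issue. Assumption: the
# same m/h/d suffixes MISP accepts for its other time filters.
_UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}
_REL_RE = re.compile(r"^(\d+)([mhd])$")


def resolve_time(value: str, now: datetime | None = None) -> datetime:
    """'24h' / '7d' / '30m' -> now minus that period; anything else is ISO-8601."""
    now = now or datetime.now(timezone.utc)
    m = _REL_RE.match(value)
    if m:
        return now - timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2)])
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def build_restsearch_body(last_seen: str | None = None, first_seen: str | None = None,
                          **extra: str) -> dict:
    """JSON body for POST /attributes/restSearch. Assumption: the filter keys are
    literally 'first_seen' / 'last_seen'; other keys (type, tags, ...) pass through."""
    body = {"returnFormat": "json", **extra}
    if last_seen is not None:
        body["last_seen"] = last_seen
    if first_seen is not None:
        body["first_seen"] = first_seen
    return body


def post_restsearch(base_url: str, api_key: str, body: dict) -> list[dict]:
    """Send the body with MISP's API-key Authorization header and return the
    Attribute list from the JSON response. Not exercised below: needs a live instance."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/attributes/restSearch",
        data=json.dumps(body).encode(),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["response"]["Attribute"]


def filter_by_seen(attributes: list[dict], last_seen: str | None = None,
                   first_seen: str | None = None, now: datetime | None = None) -> list[dict]:
    """Keep attributes whose last_seen / first_seen is at or after the threshold.
    An attribute with no value in a filtered field is dropped: an indicator without a
    last_seen cannot be said to have been seen 'recently'."""
    now = now or datetime.now(timezone.utc)
    kept = []
    for attr in attributes:
        ok = True
        for field, spec in (("last_seen", last_seen), ("first_seen", first_seen)):
            if spec is None:
                continue
            raw = attr.get(field)
            if not raw or resolve_time(raw) < resolve_time(spec, now):
                ok = False
                break
        if ok:
            kept.append(attr)
    return kept


# Constructed reference time and attribute records shaped like restSearch output.
NOW = datetime(2022, 6, 29, 12, 0, tzinfo=timezone.utc)
SAMPLE_ATTRIBUTES = [
    {"id": "1", "type": "ip-dst", "value": "203.0.113.10",
     "first_seen": "2021-06-01T00:00:00.000000+00:00",
     "last_seen": "2022-06-28T15:30:00.000000+00:00"},
    {"id": "2", "type": "ip-dst", "value": "203.0.113.11",
     "first_seen": "2021-06-01T00:00:00.000000+00:00",
     "last_seen": "2022-03-02T09:00:00.000000+00:00"},
    {"id": "3", "type": "domain", "value": "example.invalid",
     "first_seen": None, "last_seen": None},
]

if __name__ == "__main__":
    print(json.dumps(build_restsearch_body(last_seen="24h", type="ip-dst")))
    for a in filter_by_seen(SAMPLE_ATTRIBUTES, last_seen="24h", now=NOW):
        print(a["type"], a["value"], "last seen", a["last_seen"])
```

`filter_by_seen` is deliberately strict about missing values; when the server-side filter is fixed, the same body can be handed to `post_restsearch` and the local filter dropped, with both paths giving the same cut-off.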

Rafiot commented 2 years ago

I think you're right, first_seen and last_seen aren't available for the attribute level search. As you said, it is an oversight, I'll add that asap.

teward commented 2 years ago

Hold off on implementation juuuust yet, I think I discovered a bug in the underlying MISP API where it doesn't properly search those fields. Investigating via API calls to my test instance of MISP.

teward commented 2 years ago

Refer to https://github.com/MISP/MISP/issues/8471 - while this does not block the implementation of last_seen and first_seen in PyMISP API integrations, it does mean that you will get screwy results until this is fixed in the core MISP API.