TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

MISP Filters / Configurations are not correctly applied #785

Open crackytsi opened 5 years ago

crackytsi commented 5 years ago

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Debian |
| OS version (client) | Seven |
| TheHive version / git hash | 3.1.3 |
| Package Type | DEB |

Problem Description

I tried the configuration parameter `purpose = ExportOnly`, but it did not work as expected. Instead of just offering me the possibility to export to a MISP instance, it imported all events as new alerts. The documentation unfortunately does not clearly describe at which level this parameter needs to be set (MISP instance or global for all MISP instances), so I tried both without success.

It would be nice if the status of the parameter would also occur in the application.log file.

BTW, if you touch these lines of code: if you have 2 tag exclusions configured (my alternative way, as the mentioned parameter did not work), `tags = ["test:OSINT","test:INTERNAL"]` results in the following log entry in the application log (note the missing separator...): `excluded tags: test:OSINTtest:INTERNAL`

nadouani commented 5 years ago

The purpose is related to a MISP instance. It's not global to all the MISP instances.

The `ExportOnly` thing works for sure, but some other users already raised the fact that TH imports alerts even if `purpose = ExportOnly`, but we cannot reproduce it. If you can help us find how to reproduce it, we can take a look.
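As an added illustration (not taken from the issue or from TheHive's own files), the per-instance placement nadouani describes, written as a TheHive 3 `application.conf` fragment. The instance label `MISP-SERVER-ID`, the URL and the key are placeholder assumptions; the two excluded tags are the ones from the report.

```hocon
misp {
  # Polling interval for the MISP synchronisation job; this one is global
  # to every instance block below.
  interval = 1h

  # One block per MISP instance. The block name is a label TheHive uses as
  # the alert source; MISP-SERVER-ID, the URL and the key are placeholders.
  "MISP-SERVER-ID" {
    url = "https://misp.example.org"
    key = "REPLACE-WITH-MISP-AUTH-KEY"

    # purpose belongs here, inside the instance block. Per the maintainer's
    # comment above it is not a global setting, so a purpose key placed
    # directly under misp {} is not what TheHive reads for this instance.
    # Values: ImportAndExport (default), ImportOnly, ExportOnly.
    # ExportOnly: TheHive offers "Export to MISP" for this instance and is
    # not expected to turn its events into alerts.
    purpose = ExportOnly

    # Tags added to alerts/cases created from this instance (import side only).
    tags = ["misp"]

    # Events carrying any of these tags are skipped on import; this is the
    # workaround the reporter used while purpose was not taking effect.
    exclusion {
      tags = ["test:OSINT", "test:INTERNAL"]
    }
  }
}
```

After changing the file, restart TheHive and watch for new alerts whose source is the instance label across the next synchronisation run; with `purpose = ExportOnly` in the instance block, none should be created from that instance, and the exclusion list should be reported in application.log as the two tags above.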

crackytsi commented 5 years ago

Ok, that it is related to the MISP instance was also my assumption. Actually, I did set it up on 2 different TH instances, and then the alerts were regenerated. I deleted all alerts without a case (on ES level), then pulled some new events on MISP level. After the next "auto-refresh" the alerts were generated again.