Closed ykorkmaz closed 4 years ago
remg427
commented
4 years ago Hi this case several attributes of same type within a same object was not identified. Could you send me one sample of an event? I'll make a new version Have you same issue with mispgetevent getioc=true
ykorkmaz
commented
4 years ago Thanks for the response. Yes, I have the same issue with "mispgetevent getioc=true" as well.
I included the sample event which has an object with one domain and two ip attributes. When I try to retrieve all attributes of this event, only one ip is returned instead of two in the "misp_ip_dst" field.
remg427
commented
4 years ago Hi, i have a code working to keep all values I need to fix issue on tags before publishing it
remg427
commented
4 years ago fixed in 3.1.9 but use 3.1.11
Hi,
What is the best way to get all attributes of an event in separate rows including object attributes similar to attribute search in MISP?
For example, I have an event with 16 attributes, 14 of type object and 2 of type non-object. When I search for attributes of that event in Splunk, 16 attributes are returned but similar search in MISP returns 52 attributes. This is because each object attribute is listed as a separate attribute in MISP.
I tried using mispgetioc with eventid or json_request and mispgetevent together with getioc and eventid, but in every case I got only 16 results where all attributes of an object were returned within the same row.
Problem is that when there are multiple object attributes of the same type in an object, only one of them is returned, but not all as a multivalue field. As an example, if there are two object attributes of type link in an object, only one of them will be returned.
Thanks in advance,