to_ids="False" not working via sendalert

[hkelley]

The to_ids flag is not being set in my attributes generated by this command:

| sendalert misp_alert_create_event param.misp_instance=MISP_Feed param.eventid="9999" param.title=SquatDomain param.description=description 
param.distribution=0 
param.analysis=0 
param.tlp="TLP_AMBER" 
param.pap="PAP_AMBER" 
param.publish_on_creation="0" 
param.to_ids="False"

Per the notes in the misp_alert_create_event page of the app.

misp_to_ids | String 'True' or 'False' (case sensitive) to define to_ids for all attributes on the same row. (If not provided, default values defined in MISP will apply to each attribute).

[hkelley]

but it does work if you set it as a result field, so there is a fairly simple workaround.

| eval misp_time=round(_time,0) 
| eval misp_to_ids="False"

Am I correct in inferring that the attribute properties must be set per-row (only event properties may be set via the param.* syntax)?

[remg427]

Hello, thank you for using misp42 and sorry for late reply. to_ids is not a parameter of alert action as indeed it apllies to attributes i.e. per result row. if you have several attrributes on the same row all of them will share the same to_ids status if you set misp_to_ids and if not each attribute will get the default value for its type.