PAPP-34531 MISP: Feature - Tags Allowance Added for Event Create and …

…Update (#12)

* PAPP-34531 tags addition added for event create and update

* PAPP-34531 release notes updated

* PAPP-34531 documentation updated

---------

Co-authored-by: splunk-soar-connectors-admin <admin@splunksoar>

README.md

@@ -156,6 +156,7 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 **source_emails** |  optional  | Source email addresses to be added as attributes | string |  `email` 
 **dest_emails** |  optional  | Destination email addresses to be added as attributes | string |  `email` 
 **urls** |  optional  | URLs to be added as attributes | string |  `url` 
+**tags** |  optional  | Comma separated list of tags | string | 
 **json** |  optional  | JSON key value list of attributes | string | 
 
 #### Action Output
@@ -175,6 +176,7 @@ action_result.parameter.source_ips | string |  `ip`  |   122.122.122.122
 action_result.parameter.threat_level_id | string |  |   undefined 
 action_result.parameter.to_ids | boolean |  |   True  False 
 action_result.parameter.urls | string |  `url`  |   https://test.com 
+action_result.parameter.tags | string |  |   test_1,test_2 
 action_result.data.\*.Org.id | string |  |   1 
 action_result.data.\*.Org.local | boolean |  |   True  False 
 action_result.data.\*.Org.name | string |  |   ORGNAME 
@@ -236,6 +238,8 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 **source_emails** |  optional  | Source email addresses to be added as attributes | string |  `email` 
 **dest_emails** |  optional  | Destination email addresses to be added as attributes | string |  `email` 
 **urls** |  optional  | URLs to be added as attributes | string |  `url` 
+**tags** |  optional  | Comma separated list of tags (append to existing tags default) | string | 
+**replace_tags** |  optional  | Replace tags with new provided tags | boolean | 
 **json** |  optional  | JSON key value list of attributes | string | 
 
 #### Action Output
@@ -246,6 +250,8 @@ action_result.parameter.dest_emails | string |  `email`  |   [email protected]
 action_result.parameter.dest_ips | string |  `ip`  |   122.122.122.122 
 action_result.parameter.domains | string |  `domain`  |   www.test.com 
 action_result.parameter.event_id | numeric |  `misp event id`  |   686 
+action_result.parameter.tags | string |  |   test_1,test2 
+action_result.parameter.replace_tags | boolean |  |   True  False 
 action_result.parameter.json | string |  |   {"comment":["email_1,email11","email_2"], "soufds":"jflkl"} 
 action_result.parameter.source_emails | string |  `email`  |   [email protected] 
 action_result.parameter.source_ips | string |  `ip`  |   122.122.122.122 

misp.json

@@ -238,10 +238,15 @@
                     "order": 11,
                     "primary": true
                 },
+                "tags": {
+                    "description": "Comma separated list of tags",
+                    "data_type": "string",
+                    "order": 12
+                },
                 "json": {
                     "description": "JSON key value list of attributes",
                     "data_type": "string",
-                    "order": 12
+                    "order": 13
                 }
             },
             "render": {
@@ -370,6 +375,13 @@
                         "https://test.com"
                     ]
                 },
+                {
+                    "data_path": "action_result.parameter.tags",
+                    "data_type": "string",
+                    "example_values": [
+                        "test_1,test_2"
+                    ]
+                },
                 {
                     "data_path": "action_result.data.*.Org.id",
                     "data_type": "string",
@@ -750,10 +762,21 @@
                     "order": 7,
                     "primary": true
                 },
+                "tags": {
+                    "description": "Comma separated list of tags (append to existing tags default)",
+                    "data_type": "string",
+                    "order": 8
+                },
+                "replace_tags": {
+                    "description": "Replace tags with new provided tags",
+                    "data_type": "boolean",
+                    "default": false,
+                    "order": 9
+                },
                 "json": {
                     "description": "JSON key value list of attributes",
                     "data_type": "string",
-                    "order": 8
+                    "order": 10
                 }
             },
             "render": {
@@ -811,6 +834,21 @@
                         686
                     ]
                 },
+                {
+                    "data_path": "action_result.parameter.tags",
+                    "data_type": "string",
+                    "example_values": [
+                        "test_1,test2"
+                    ]
+                },
+                {
+                    "data_path": "action_result.parameter.replace_tags",
+                    "data_type": "boolean",
+                    "example_values": [
+                        true,
+                        false
+                    ]
+                },
                 {
                     "data_path": "action_result.parameter.json",
                     "data_type": "string",

misp_connector.py

@@ -296,6 +296,16 @@ def _create_event(self, param):
 
         action_result.set_summary({"message": "Event created with id: {0}".format(self._event.id)})
 
+        tags = param.get("tags", "")
+        tag_list = [tag.strip() for tag in tags.split(",")] if tags else []
+        if tag_list:
+            try:
+                for tag in tag_list:
+                    self._misp.tag(self._event, tag)
+            except Exception as e:
+                error_message = self._get_error_message_from_exception(e)
+                return action_result.set_status(phantom.APP_ERROR, "Failed to add tags to MISP event:{0}".format(error_message))
+
         addAttributes = param.get("add_attributes", True)
         if addAttributes:
             ret_val = self._perform_adds(param, action_result, add_data=True)
@@ -483,6 +493,22 @@ def _add_attributes(self, param):
         for attribute in attributes:
             action_result.add_data(attribute)
 
+        tags = param.get("tags", "")
+        replace_tags = param.get("replace_tags", False)
+        tag_list = [tag.strip() for tag in tags.split(",")] if tags else []
+        if tag_list:
+            try:
+                if replace_tags:
+                    existing_tags = self._event.tags
+                    for tag in existing_tags:
+                        self._misp.untag(self._event, tag.name)
+
+                for tag in tag_list:
+                    self._misp.tag(self._event, tag)
+            except Exception as e:
+                error_message = self._get_error_message_from_exception(e)
+                return action_result.set_status(phantom.APP_ERROR, "Failed to add tags to MISP event:{0}".format(error_message))
+
         if hasattr(self._event, "id"):
             summary = {}
             summary["message"] = "Attributes added to event: {0}".format(self._event.id)

release_notes/unreleased.md

@@ -1 +1,3 @@
 **Unreleased**
+
+* Tags can now be added during an event create or update [PAPP-34531]