From 50c4cabb434115e66888947eea471adf41bdecba Mon Sep 17 00:00:00 2001 From: grokas Date: Mon, 19 Aug 2024 09:28:50 -0700 Subject: [PATCH 1/6] PAPP-34531 tags addition added for event create and update --- misp.json | 28 ++++++++++++++++++++++++++-- misp_connector.py | 20 ++++++++++++++++++++ 2 files changed, 46 insertions(+), 2 deletions(-) diff --git a/misp.json b/misp.json index ac80596..9a1262c 100644 --- a/misp.json +++ b/misp.json @@ -238,10 +238,15 @@ "order": 11, "primary": true }, + "tags": { + "description": "Comma separated list of tags", + "data_type": "string", + "order": 12 + }, "json": { "description": "JSON key value list of attributes", "data_type": "string", - "order": 12 + "order": 13 } }, "render": { @@ -370,6 +375,13 @@ "https://test.com" ] }, + { + "data_path": "action_result.parameter.tags", + "data_type": "string", + "example_values": [ + "test_1" + ] + }, { "data_path": "action_result.data.*.Org.id", "data_type": "string", @@ -750,10 +762,15 @@ "order": 7, "primary": true }, + "tags": { + "description": "Comma separated list of tags", + "data_type": "string", + "order": 8 + }, "json": { "description": "JSON key value list of attributes", "data_type": "string", - "order": 8 + "order": 9 } }, "render": { @@ -811,6 +828,13 @@ 686 ] }, + { + "data_path": "action_result.parameter.tags", + "data_type": "string", + "example_values": [ + "test_1" + ] + }, { "data_path": "action_result.parameter.json", "data_type": "string", diff --git a/misp_connector.py b/misp_connector.py index 9342ced..9cf47a8 100644 --- a/misp_connector.py +++ b/misp_connector.py 
@@ -296,6 +296,16 @@ def _create_event(self, param): action_result.set_summary({"message": "Event created with id: {0}".format(self._event.id)}) + tags = param.get("tags", "") + tag_list = [tag.strip() for tag in tags.split(",")] if tags else [] + if tag_list: + try: + for tag in tag_list: + self._misp.tag(self._event, tag) + except Exception as e: + error_message = self._get_error_message_from_exception(e) + return action_result.set_status(phantom.APP_ERROR, "Failed to add tags to MISP event:{0}".format(error_message)) + addAttributes = param.get("add_attributes", True) if addAttributes: ret_val = self._perform_adds(param, action_result, add_data=True) @@ -483,6 +493,16 @@ def _add_attributes(self, param): for attribute in attributes: action_result.add_data(attribute) + tags = param.get("tags", "") + tag_list = [tag.strip() for tag in tags.split(",")] if tags else [] + if tag_list: + try: + for tag in tag_list: + self._misp.tag(self._event, tag) + except Exception as e: + error_message = self._get_error_message_from_exception(e) + return action_result.set_status(phantom.APP_ERROR, "Failed to add tags to MISP event:{0}".format(error_message)) + if hasattr(self._event, "id"): summary = {} summary["message"] = "Attributes added to event: {0}".format(self._event.id) From 7db4f103895fd1d6c662f3352101a437f5b92367 Mon Sep 17 00:00:00 2001 From: grokas Date: Mon, 19 Aug 2024 09:59:17 -0700 Subject: [PATCH 2/6] PAPP-34531 release notes updated --- release_notes/unreleased.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/release_notes/unreleased.md b/release_notes/unreleased.md index fbcb2fd..c136161 100644 --- a/release_notes/unreleased.md +++ b/release_notes/unreleased.md @@ -1 +1,3 @@ **Unreleased** + +* Tags can now be added during an event create or update [PAPP-34531] \ No newline at end of file From 8f07de00d88d2dca30fc21de7c3fb570848cd4ad Mon Sep 17 00:00:00 2001 
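Review bot: The `tag_list` comprehension in this `_create_event` hunk keeps empty strings, so an input such as `a,,b`, a trailing comma or a whitespace-only value passes a blank tag name to `self._misp.tag`. Filtering on the stripped value avoids that: `tag_list = [t.strip() for t in tags.split(",") if t.strip()]`. The identical line is added in the `_add_attributes` hunk of this patch and is carried unchanged into the replace-tags change in PATCH 5/6, so the same fix applies there. `_create_event` starts and ends outside the hunk.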
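Review bot: The result of `self._misp.tag(self._event, tag)` in this `_add_attributes` hunk is discarded, so only a raised exception is treated as a failure. If `self._misp` is a PyMISP client (its construction is not visible here), a tag the server rejects is typically reported through an `errors` key in the returned dict rather than by raising, and the action would then report success with the tag missing. Tags often carry handling or sharing markings, so a silent miss matters; keep the response, `resp = self._misp.tag(self._event, tag)`, and return `phantom.APP_ERROR` when `isinstance(resp, dict) and resp.get("errors")`. The same call in the `_create_event` hunk needs the same check, and both functions continue outside their hunks.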
From: grokas Date: Mon, 19 Aug 2024 10:27:01 -0700 Subject: [PATCH 3/6] PAPP-34531 documentation updated --- misp.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/misp.json b/misp.json index 9a1262c..9066000 100644 --- a/misp.json +++ b/misp.json @@ -379,7 +379,7 @@ "data_path": "action_result.parameter.tags", "data_type": "string", "example_values": [ - "test_1" + "test_1,test_2" ] }, { @@ -832,7 +832,7 @@ "data_path": "action_result.parameter.tags", "data_type": "string", "example_values": [ - "test_1" + "test_1,test2" ] }, { From 14e3ab7dbd2070c2aade2dc600e333a170c775fd Mon Sep 17 00:00:00 2001 From: splunk-soar-connectors-admin Date: Mon, 19 Aug 2024 17:27:37 +0000 Subject: [PATCH 4/6] Update README.md --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index cce4c92..a6d7d81 100644 --- a/README.md +++ b/README.md @@ -156,6 +156,7 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **source_emails** | optional | Source email addresses to be added as attributes | string | `email` **dest_emails** | optional | Destination email addresses to be added as attributes | string | `email` **urls** | optional | URLs to be added as attributes | string | `url` +**tags** | optional | Comma separated list of tags | string | **json** | optional | JSON key value list of attributes | string | #### Action Output @@ -175,6 +176,7 @@ action_result.parameter.source_ips | string | `ip` | 122.122.122.122 action_result.parameter.threat_level_id | string | | undefined action_result.parameter.to_ids | boolean | | True False action_result.parameter.urls | string | `url` | https://test.com +action_result.parameter.tags | string | | test_1,test_2 action_result.data.\*.Org.id | string | | 1 action_result.data.\*.Org.local | boolean | | True False action_result.data.\*.Org.name | string | | ORGNAME 
@@ -236,6 +238,7 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **source_emails** | optional | Source email addresses to be added as attributes | string | `email` **dest_emails** | optional | Destination email addresses to be added as attributes | string | `email` **urls** | optional | URLs to be added as attributes | string | `url` +**tags** | optional | Comma separated list of tags | string | **json** | optional | JSON key value list of attributes | string | #### Action Output @@ -246,6 +249,7 @@ action_result.parameter.dest_emails | string | `email` | test@test.com action_result.parameter.dest_ips | string | `ip` | 122.122.122.122 action_result.parameter.domains | string | `domain` | www.test.com action_result.parameter.event_id | numeric | `misp event id` | 686 +action_result.parameter.tags | string | | test_1,test2 action_result.parameter.json | string | | {"comment":["email_1,email11","email_2"], "soufds":"jflkl"} action_result.parameter.source_emails | string | `email` | test@test.com action_result.parameter.source_ips | string | `ip` | 122.122.122.122 From 3754382cfca011ad7d096eeee461cc63711aeaa9 Mon Sep 17 00:00:00 2001 From: grokas Date: Mon, 19 Aug 2024 11:25:26 -0700 Subject: [PATCH 5/6] PAPP-34531 add replace tags option on update --- misp.json | 18 ++++++++++++++++-- misp_connector.py | 6 ++++++ 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/misp.json b/misp.json index 9066000..6ccd9e9 100644 --- a/misp.json +++ b/misp.json @@ -763,14 +763,20 @@ "primary": true }, "tags": { - "description": "Comma separated list of tags", + "description": "Comma separated list of tags (append to existing tags default)", "data_type": "string", "order": 8 }, + "replace_tags": { + "description": "Replace tags with new provided tags", + "data_type": "boolean", + "default": false, + "order": 9 + }, "json": { "description": "JSON key value list of attributes", "data_type": "string", - "order": 9 + "order": 10 } }, "render": { 
@@ -835,6 +841,14 @@ "test_1,test2" ] }, + { + "data_path": "action_result.parameter.replace_tags", + "data_type": "boolean", + "example_values": [ + true, + false + ] + }, { "data_path": "action_result.parameter.json", "data_type": "string", diff --git a/misp_connector.py b/misp_connector.py index 9cf47a8..eff662e 100644 --- a/misp_connector.py +++ b/misp_connector.py @@ -494,9 +494,15 @@ def _add_attributes(self, param): action_result.add_data(attribute) tags = param.get("tags", "") + replace_tags = param.get("replace_tags", False) tag_list = [tag.strip() for tag in tags.split(",")] if tags else [] if tag_list: try: + if replace_tags: + existing_tags = self._event.tags + for tag in existing_tags: + self._misp.untag(self._event, tag.name) + for tag in tag_list: self._misp.tag(self._event, tag) except Exception as e: From 585a1fd09c6519387928632268389b218277d107 Mon Sep 17 00:00:00 2001 From: splunk-soar-connectors-admin Date: Mon, 19 Aug 2024 18:26:09 +0000 Subject: [PATCH 6/6] Update README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a6d7d81..4f6f4ce 100644 --- a/README.md +++ b/README.md @@ -238,7 +238,8 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **source_emails** | optional | Source email addresses to be added as attributes | string | `email` **dest_emails** | optional | Destination email addresses to be added as attributes | string | `email` **urls** | optional | URLs to be added as attributes | string | `url` -**tags** | optional | Comma separated list of tags | string | +**tags** | optional | Comma separated list of tags (append to existing tags default) | string | +**replace_tags** | optional | Replace tags with new provided tags | boolean | **json** | optional | JSON key value list of attributes | string | #### Action Output 
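Review bot: With `replace_tags` set, the `_add_attributes` hunk removes every existing tag before any new one is attached, so a failure part-way through the `self._misp.tag` loop leaves the event without its previous tags and with only some of the new ones. For tags that mark handling or distribution, that is a period in which the event carries no marking at all; attaching the new tags first and then removing only the old tags that are not in `tag_list` keeps it marked throughout, as sketched below. The whole branch also sits under `if tag_list:`, so `replace_tags` with an empty `tags` value silently does nothing, which the parameter description should state. `existing_tags` is read from the local `self._event` object, which may not match the server if the event was not refreshed (not visible here); `_add_attributes` continues outside the hunk.

```python
        # … unchanged: tags / replace_tags / tag_list parsing and `if tag_list:` …
            try:
                # Snapshot the old tags before touching the event.
                previous = list(self._event.tags) if replace_tags else []
                for tag in tag_list:
                    self._misp.tag(self._event, tag)
                # Remove old tags only after the new ones are attached, and
                # keep any old tag that is also in the new list.
                for old in previous:
                    if old.name not in tag_list:
                        self._misp.untag(self._event, old.name)
            except Exception as e:
                # … unchanged: error message and APP_ERROR return …
```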
@@ -250,6 +251,7 @@ action_result.parameter.dest_ips | string | `ip` | 122.122.122.122 action_result.parameter.domains | string | `domain` | www.test.com action_result.parameter.event_id | numeric | `misp event id` | 686 action_result.parameter.tags | string | | test_1,test2 +action_result.parameter.replace_tags | boolean | | True False action_result.parameter.json | string | | {"comment":["email_1,email11","email_2"], "soufds":"jflkl"} action_result.parameter.source_emails | string | `email` | test@test.com action_result.parameter.source_ips | string | `ip` | 122.122.122.122