[Question] Export only NEW observables to EXISTING event in MISP

[mihdim777]

Hello!

Is there any way to export to MISP ONLY new observables (marked as IOC) added AFTER a case was exported to MISP without creating a new event and use PREVIOUS event that was created?

Thank you!

[nadouani]

The MISP export feature is quit simple: we export ALL observable marked as IOC.

[mihdim777]

Yes, @nadouani . I understood that from the first time. But my question is different. I want to export observables marked as IOC from a case that has been already exported to the same existing event created in MISP.

For example if I export case #1 with 3 observables marked as IOC, it will create event event #1 in MISP.
After that I will add a new observable also marked with IOC to case #1 and I want to export that observable also to MISP to the same event #1, not creating event #2.

Maybe I explained a little bit more clear my question now?

[nadouani]

TheHive MISP connector does the following:

• create a MISP event if the case is not related to an existing MISP event
• create an extended MISP event for the case related existing MISP event