Pass all observable tags on MISP share #508

Open
syloktools opened this issue Mar 13, 2018 · 3 comments

@syloktools

#Import tags on MISP share

Request Type

Feature Request

Problem Description

Need to copy those handy tags from TheHive to the MISP attributes on share.
Hate to not have all that work and Cortex metadata not moving over with the event.

@nadouani
Contributor

Hello,

MISP uses a list of defined tags, either using taxonomies or user-defined tags. TheHive needs the ID of each tag to be able to tell MISP what tags an observable has.

And AFAIK, getting tag IDs from MISP is not easy. We will take a look at it with @iglocska ;)

@TheDr1ver

I've never worked with Scala before today, so I'm well behind the learning curve, but I think this fix is really just a matter of writing the right for-loop. I'm trying to install TheHive and the ability to export TheHive tags to MISP would really be helpful.

Like I said, I've never looked at Scala before today so I don't really understand the syntax, but looking at this PR from @To-om (#836) it seems this addition could be semi-trivial. Since I don't have a good test environment and don't know the first thing about Scala, I figured I could post this here and someone more knowledgeable could run with it.

```scala
// ./thehive-misp/app/connectors/misp/MispConfig.scala
// Add below ln 47

exportAttributeTags = mispConnectionConfig.getOptional[Boolean]("exportAttributeTags").contains(true)

// change the end of the yield list

exportCaseTags,
exportAttributeTags
```

```scala
// ./thehive-misp/app/connectors/misp/MispConnection.scala
// change the end of the MispConnection class

exportCaseTags: Boolean,
exportAttributeTags: Boolean
```

This is the part where I have no idea what I'm doing and I'm sure I'm missing something, but I'm basing it off #836

```scala
// ./thehive-misp/app/connectors/misp/MispExport.scala

// ln 146 after posting the attribute TLP
.post(JsArray((attribute.tags.map(JsString.apply))))
```

It seems like attribute.tags would be the right fit based on seeing attribute.tlp prior, as well as this reference

If I were to do this in Python this line would essentially be:

```python
for tag in attribute.tags:
    misp.addTag(tag)
```

Based on the template that renders the observable page it looks like this would only grab the tags that were manually added to the observable by the analyst and NOT the taxonomy labels generated by Cortex analyzers which is the perfect fit for this use-case.

Thanks in advance for anyone that can help with this!
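
The thread's two points taken together (an observable carries tag names, while a tag ID is needed for each one sent to MISP), sketched in Python to match the pseudocode above. This is an added example, not code from TheHive, MISP or any commenter; the `id`/`name` record shape, the function names and all sample values are assumptions constructed for illustration.

```python
# Added illustration: resolve TheHive observable tag names to MISP tag IDs.
# The tag-record shape (dicts with "id" and "name") and every sample value
# below are constructed assumptions, not data from TheHive or MISP.

def build_tag_index(misp_tags):
    """Map tag name -> tag ID for the tags MISP already defines."""
    index = {}
    for tag in misp_tags:
        name = tag["name"].strip()
        # Keep the first ID seen if the listing contains a duplicate name.
        index.setdefault(name, str(tag["id"]))
    return index


def plan_tag_export(observable_tags, tag_index):
    """Split an observable's tags into (resolved, missing).

    resolved: list of (name, tag_id) pairs that can be attached by ID.
    missing:  names with no matching MISP tag; these need a policy decision
              (create the tag first, or skip it) instead of a silent drop.
    """
    resolved, missing, seen = [], [], set()
    for raw in observable_tags:
        name = raw.strip()
        if not name or name in seen:
            continue  # ignore blanks and repeated tags
        seen.add(name)
        if name in tag_index:
            resolved.append((name, tag_index[name]))
        else:
            missing.append(name)
    return resolved, missing


# Constructed sample data.
SAMPLE_MISP_TAGS = [
    {"id": 1, "name": "tlp:amber"},
    {"id": 7, "name": "phishing"},
    {"id": 12, "name": "malware:emotet"},
]
SAMPLE_OBSERVABLE_TAGS = ["phishing", "tlp:amber", "phishing", "internal-ticket-42", " "]

if __name__ == "__main__":
    index = build_tag_index(SAMPLE_MISP_TAGS)
    resolved, missing = plan_tag_export(SAMPLE_OBSERVABLE_TAGS, index)
    print("attach by ID:", resolved)
    print("not defined in MISP:", missing)
```

Reporting the unresolved names separately keeps analyst tags from disappearing silently when the receiving instance does not define them.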

@Lexati

Lexati commented Sep 28, 2022

Hello, I have some problems with exporting TheHive tags for observables in MISP. MISP ver. v2.4.158, TheHive 4.1.24-1. Help me please...
