
Warning-List not used in the API ? #1922

Open
Maijin opened this issue Feb 12, 2017 · 7 comments
Labels
T: enhancement (Type: enhancement. This issue requires improving an existing feature); topic: API (This issue involves API usage); topic: warning list (This issue involves warning lists); usability

Comments

Maijin commented Feb 12, 2017

Greetings guys o/

I realised that when something is found in the misp-warninglists (but maybe I forgot something?) - https://github.com/MISP/misp-warninglists, there is nothing retrieved from the API when doing a searchall via pymisp, which is sad given the usefulness of this list 😢.
One simple solution would be to have a "fake" MISP event that would "contain" all the warning-lists and be returned by the API if the indicator is found in it.

adulau (Member) commented Feb 12, 2017

Just to be sure that I got it, you want to have the warning-lists searchable via the API?

It's an interesting idea. Right now, we use the warning-lists to filter out the ones matching via the enforceWarninglist option. But we could expand the result set to the warning-lists to have an additional output with just the warning list (outside the scope of the event).

iglocska (Member) commented

I think what he means (and @Maijin, please correct me if I misunderstood) is simply including the warninglist hits in the returned results. Right now if you view an event via the UI you see warninglist hits, however, if you view the same thing via the warninglist you get no indication of potential false positives.

It would be handy to have a warninglist hit shown via the API too. For example:

```json
{
    "Event": {
        "info": "test",
        "published": true,
        "Attribute": [
            {
                "type": "domain",
                "category": "Network activity",
                "to_ids": false,
                "value": "google.com",
                "Warninglist": [
                    "TOP 1000 WEBSITE FROM ALEXA"
                ]
            }
        ]
    }
}
```

Maijin (Author) commented Feb 12, 2017

Yes, including it in the results somehow :)
My idea of having it returned as a dedicated "warninglist" event was to avoid the need to query the db twice via two different requests (one for the warning and one for the current result).

adulau added the labels T: enhancement, topic: API and topic: warning list on Feb 12, 2017

adulau (Member) commented May 10, 2017

Following a discussion at a training session: creating an exception (via PyMISP / MISP API) when data imported into MISP is part of the warning-list.

cybgit commented Sep 18, 2020

Bump. Just looking for very similar functionality. We want to return a list of events that have attributes that have warning flags against them based on the warning lists we have enabled.

iosonogio commented Mar 2, 2022

This is indeed an interesting feature to support automations based on querying MISP for lists of indicators.
It would be a great thing if it could be implemented!

theherodied commented Jan 12, 2024

Interested in this as well. It would be nice to be able to pull with PyMisp a list of all the warninglists enabled in MISP. Possibly setting the type field to "warning-lists" or something similar. For my use case I'm wanting to pull all the warning lists present in MISP and export them to a lookup table for our logging infrastructure so we can then flag them as false positives. And to tag those false positives with list names such as cisco top 1k.

> I think what he means (and @Maijin, please correct me if I misunderstood) is simply including the warninglist hits in the returned results. Right now if you view an event via the UI you see warninglist hits, however, if you view the same thing via the warninglist you get no indication of potential false positives.
>
> It would be handy to have a warninglist hit shown via the API too. For example:
>
> ```json
> {
>     "Event": {
>         "info": "test",
>         "published": true,
>         "Attribute": [
>             {
>                 "type": "domain",
>                 "category": "Network activity",
>                 "to_ids": false,
>                 "value": "google.com",
>                 "Warninglist": [
>                     "TOP 1000 WEBSITE FROM ALEXA"
>                 ]
>             }
>         ]
>     }
> }
> ```

Something like this would be very useful:

```json
{
    "Event": {
        "info": "test",
        "published": true,
        "Attribute": [
            {
                "type": "domain",
                "category": "Network activity",
                "to_ids": false,
                "value": "google.com",
                "warninglist": true,
                "Warninglist": [
                    "TOP 1000 WEBSITE FROM ALEXA"
                ]
            }
        ]
    }
}
```
Edit: I see that pymispwarninglists is a module that may do some of what I want. But it would still be nice to have the information returned in the event itself.
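As an added, self-contained illustration (not MISP's, PyMISP's or pymispwarninglists' code) of what this thread asks for: a client-side enrichment that adds a `warninglist` flag and the matching list names to every attribute of an event, using the misp-warninglists JSON layout (`type` of `cidr`, `hostname`, `substring` or `string`, plus `matching_attributes`). The two lists and the event below are constructed samples; the parent-domain matching rule for `hostname` lists is an assumption of this example.

```python
import ipaddress

# Constructed sample lists in the misp-warninglists JSON layout; the real
# lists (MISP/misp-warninglists) are far larger but use the same keys.
SAMPLE_WARNINGLISTS = [
    {"name": "TOP 1000 WEBSITE FROM ALEXA", "type": "hostname",
     "matching_attributes": ["hostname", "domain", "url", "domain|ip"],
     "list": ["google.com", "example.org"]},
    {"name": "List of RFC 1918 CIDR blocks", "type": "cidr",
     "matching_attributes": ["ip-src", "ip-dst", "domain|ip"],
     "list": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
]

def _value_hits(wl, value):
    """True when one value component hits the list according to its type."""
    kind = wl["type"]
    if kind == "cidr":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return False  # not an IP at all, e.g. the domain half of domain|ip
        return any(ip in ipaddress.ip_network(n, strict=False) for n in wl["list"])
    if kind == "hostname":
        # A hit on a parent domain also counts (assumption made for this example).
        host = value.lower().rstrip(".")
        return any(host == h or host.endswith("." + h) for h in wl["list"])
    if kind == "substring":
        return any(s in value for s in wl["list"])
    return value in wl["list"]  # "string": exact match

def matching_lists(attr_type, value, warninglists=SAMPLE_WARNINGLISTS):
    """Names of the enabled lists matching one attribute; composite types
    such as domain|ip are split so each component is checked on its own."""
    parts = value.split("|") if "|" in attr_type else [value]
    return [wl["name"] for wl in warninglists
            if attr_type in wl["matching_attributes"]
            and any(_value_hits(wl, p) for p in parts)]

def annotate_event(event, warninglists=SAMPLE_WARNINGLISTS):
    """Client-side version of the output this issue asks the API for: a
    'warninglist' flag plus the list names on every attribute of an event."""
    for attr in event["Event"].get("Attribute", []):
        hits = matching_lists(attr["type"], attr["value"], warninglists)
        attr["warninglist"] = bool(hits)
        if hits:
            attr["Warninglist"] = hits
    return event
```

Running `annotate_event` over an event dict returned by a PyMISP search gives each attribute the shape shown in the snippets above, without a second request per indicator.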
