Warning-List not used in the API? #1922
Comments
Just to be sure that I got it, you want to have the warning-lists searchable via the API? It's an interesting idea. Right now, we use the warning-lists to filter out the ones matching via the enforceWarninglist option. But we could expand the result set to the warning-lists to have an additional output with just the warning list (outside the scope of the event).
I think what he means (and @Maijin, please correct me if I misunderstood) is simply including the warninglist hits in the returned results. Right now if you view an event via the UI you see warninglist hits, however, if you view the same thing via the warninglist you get no indication of potential false positives. It would be handy to have a warninglist hit shown via the API too. For example:
Yes, including it in the results somehow :)
Following a discussion at a training, creating an exception (via PyMISP / MISP API) when importing data into MISP and being part of the warning-list.
Bump. Just looking for very similar functionality. We want to return a list of events that have attributes that have warning flags against them based on the warning lists we have enabled.
This is indeed an interesting feature to support automations based on querying the MISP for lists of indicators. |
Interested in this as well. It would be nice to be able to pull with PyMISP a list of all the warninglists enabled in MISP. Possibly setting the type field to "warning-lists" or something similar. For my use case I'm wanting to pull all the warning lists present in MISP and export them to a lookup table for our logging infrastructure so we can then flag them as false positives. And to tag those false positives with list names such as cisco top 1k.
Something like this would be very useful:
Edit: I see that pymispwarninglists is a module that may do some of what I want. But it would still be nice to have the information returned in the event itself.
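An added example (my own code, not MISP's, PyMISP's or pymispwarninglists') of the two things asked for in this thread: attributes annotated with the names of the warninglists they hit, as a search result could carry them, and a flat value-to-list lookup table of the kind a SIEM would ingest. The warninglists below are constructed sample data; their dict shape (name, type, list, matching_attributes) assumes the misp-warninglists JSON layout, and the per-type matching rules (string, substring, regex, hostname suffix, cidr) are my approximation of how MISP evaluates them, not its implementation.

```python
"""Annotate MISP-style attributes with warninglist hits (added example, stdlib only)."""
import ipaddress
import json
import re
from typing import Dict, List

# Constructed sample warninglists. The dict shape is an assumption that follows the
# misp-warninglists JSON layout; the values are documentation ranges / example domains.
WARNINGLISTS: List[Dict] = [
    {
        "name": "constructed-rfc1918-ranges",
        "type": "cidr",
        "list": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
        "matching_attributes": ["ip-src", "ip-dst"],
    },
    {
        "name": "constructed-popular-domains",
        "type": "hostname",
        "list": ["example.com", "example.net"],
        "matching_attributes": ["domain", "hostname", "url"],
    },
    {
        "name": "constructed-known-hashes",
        "type": "string",
        # MD5 of an empty file: a classic false-positive indicator.
        "list": ["d41d8cd98f00b204e9800998ecf8427e"],
        "matching_attributes": ["md5"],
    },
]

# Constructed sample attributes, shaped like the "type"/"value" pairs MISP returns.
SAMPLE_ATTRIBUTES = [
    {"type": "ip-dst", "value": "192.168.1.10"},
    {"type": "domain", "value": "cdn.example.com"},
    {"type": "url", "value": "https://www.example.net/login"},
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "ip-dst", "value": "203.0.113.5"},
]


def _host_of(value: str) -> str:
    """Reduce a domain, hostname or URL to its bare lowercase host."""
    v = value.lower()
    if "://" in v:
        v = v.split("://", 1)[1]
    v = v.split("/", 1)[0].split(":", 1)[0]
    return v.strip(".")


def _matches(value: str, wl_type: str, entry: str) -> bool:
    """My approximation of MISP's per-type matching (assumption, see lead-in)."""
    if wl_type == "string":
        return value.lower() == entry.lower()
    if wl_type == "substring":
        return entry.lower() in value.lower()
    if wl_type == "regex":
        return re.search(entry, value) is not None
    if wl_type == "hostname":
        host, suffix = _host_of(value), entry.lower().strip(".")
        # Label-aware suffix match: "notexample.com" must not hit "example.com".
        return host == suffix or host.endswith("." + suffix)
    if wl_type == "cidr":
        try:
            ip = ipaddress.ip_address(value)
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
        return ip.version == net.version and ip in net
    return False


def warninglist_hits(attr_type: str, value: str, warninglists=WARNINGLISTS) -> List[str]:
    """Return the names of every warninglist the attribute value falls into."""
    hits = []
    for wl in warninglists:
        applicable = wl.get("matching_attributes")
        if applicable and attr_type not in applicable:
            continue  # list does not apply to this attribute type
        if any(_matches(value, wl["type"], entry) for entry in wl["list"]):
            hits.append(wl["name"])
    return hits


def annotate_attributes(attributes, warninglists=WARNINGLISTS) -> List[Dict]:
    """Copy each attribute and add a 'warnings' key with its warninglist hits."""
    out = []
    for attr in attributes:
        annotated = dict(attr)
        annotated["warnings"] = warninglist_hits(attr["type"], attr["value"], warninglists)
        out.append(annotated)
    return out


def build_lookup_table(warninglists=WARNINGLISTS) -> List[Dict[str, str]]:
    """Flatten the lists into value -> warninglist rows for a SIEM lookup."""
    return [{"value": e, "warninglist": wl["name"]} for wl in warninglists for e in wl["list"]]


if __name__ == "__main__":
    print(json.dumps(annotate_attributes(SAMPLE_ATTRIBUTES), indent=2))
    print(json.dumps(build_lookup_table(), indent=2))
```

The `matching_attributes` filter is what keeps a hash list from flagging an unrelated attribute type, and the hostname rule compares whole labels so that a longer unrelated domain does not inherit a popular domain's "benign" mark.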
Greetings guys o/
I realised that when something is found in the misp-warninglists (but maybe I forgot something?) - https://github.com/MISP/misp-warninglists, there is nothing retrieved from the API when doing a searchall via PyMISP, which is sad given the usefulness of this list 😢.
One simple solution would be to have a "fake" MISP event that would "contain" all the warning-lists and be returned by the API if the indicator is found in it.