Threat level coding misleading #729
Comments
I agree, it's not too intuitive...
Thank you for the notification. Looking at the PyMISP library, it seems to be fine: https://github.com/CIRCL/PyMISP/blob/master/pymisp/api.py#L234 But in the viper.li misp.py module, the threat id value is increased by one, and in upload.py it's indeed incorrect in the argument definition. https://github.com/viper-framework/viper/blob/master/modules/misp.py It's indeed quite confusing. I'll fix the upload.py script. And I'll update the misp-book to better describe what the threat id is ;-)
There is another issue that we should fix in the MISP tool-tip concerning the threat id:
Level 4, which is Undefined, mentions "No risk" in the tool-tip. I think there is a fundamental difference between not knowing the risk level versus "No risk". I would recommend changing it to "Risk level undefined/unknown".
Good point, will change the description
@iglocska Can we close the ticket?
@iglocska ping
Fixed.
Threat Level mapping still doesn't appear to be in the documentation(?). I've looked in the API and MISP Guide. Please advise where we should direct users for these types of questions.
The threat level IDs to be used in the XML upload (web interface or API) seem to be:
1 = high
2 = medium
3 = low
4 = undefined
This is a) not documented anywhere and b) not intuitive.
The authors of PyMISP got it wrong right away, see upload_event.py:
"The threat level ID of the newly created event, if applicatble. [0-3]"
"0" actually lets the import fail.
Should be improved one way or the other. ;-)