howto add galaxy and/or cluster to event or attribute

[github-germ]

Hi, is there a method with PyMISP to add a pre-existing galaxy and/or galaxy-cluster to an event or attribute?

I did see mention in #1 re' creating galaxies and clusters. I might be interested in that also. Wasn't sure how I'd do that from a python client when you say to use the JSON file.

Thanks!

[Rafiot]

Add the tag representing the galaxy, MISP will do the rest

[dieee]

UPDATE GALAXY FROM MISP TO MISP

Hello everyone. I am trying to update a galaxy that has an attribute in another misp. In the other misp there is the attribute but it does not have the updated "galaxy"

update_attribute with "attr['Galaxy']" in a for bucle, no update the Galaxy in the attribute. Only update this fields "{'Attribute': {'id': '', 'event_id': '', 'object_id': '0', 'object_relation': None, 'category': 'Network activity', 'type': 'domain', 'to_ids': True, 'uuid': '', 'timestamp': '', 'distribution': '', 'sharing_group_id': '0', 'comment': '', 'deleted': False, 'disable_correlation': False, 'value': ''}}"
How can I update a galaxy of a specific attribute? (I pick up from another misp) .My example:

`for a in atributesOtherMisp:

 for b in atributesMisp:
   if b['uuid'] == a['uuid']:
    if b['comment'] != a['comment']:
      ExpandedPymispObject.update_attribute('uuid':a['uuid'] ....  'Galaxy':a['Galaxy'])`

The comment is updated. The Galaxy does not
What is the way to do it?
Many Thanks

[Rafiot]

Try to use the add_tag method instead, with the name in that format: misp-galaxy:Ransomware="CryptoWall", that should work.

[dieee]

Hi thank for the reply :)
But that "add a tag to misp" or "add tag to event". I want to add the tag to the specific attribute. I tried with "tag" and "add_tag" and still not working.
With tag:
{'errors': (403, {'name': 'Could not attachTagToObject Tag', 'message': 'Could not attachTagToObject Tag', 'url': '/tags/attachTagToObject', 'errors': 'Failed to attach tag to object.'})}
With add_tag:
add/tag to MISP no to attribute

[Rafiot]

You will have to show me the code, because both methods work in the test cases (https://github.com/MISP/PyMISP/blob/master/tests/testlive_comprehensive.py).

[dieee]

Now It works! but with the function 'tag':
for at in attribute1['Tag']: mispObject.tag(attribute2['uuid'],at['name'])

I'm going to look this test cases. Thanks a lot!

[Rafiot]

Objects don't have tags currently. You can either tag an event, or an attribute (or an object attribute), but not the object itself.

[Sashaank]

@Rafiot Hey Raphaël, can objects not be tagged still? What's the way to tag an object attribute? Like the src or dst IP for e.g.

[Rafiot]

objects cannot be tagged.

For tagging an attribute inside an object, it is explained above.

[Sashaank]

@Rafiot and an event is tagged like this right?
event.add_tag("misp-galaxy:mitre-attack-pattern='ABC')
It doesn't seem to work unfortunately

[Rafiot]

It depends what event is there (a MISPEvent, or a PyMISP instance). If it is a MISPEvent, you then need to update the event on the MISP Instance using the update_event method.

Regardless, please open a new issue in the PyMISP repository with a complete code sample, it will be easier than handling it in a closed and unrelated issue.

[Sashaank]

@Rafiot thank you very much for your quick responses, it seems to work somehow now :)