#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pymisp import PyMISP
from keys import misp_url, misp_key, misp_verifycert
import argparse
import os
# Verbosity switch: set from --silent in the __main__ block and read by condPrint().
SILENT = False
def getTagToApplyToEvent(event):
    """Return the attribute-level tag names that are not yet present on the event.

    A name counts as "present" when it is already one of the event's own tags
    or the ``tag_name`` of any galaxy cluster attached to the event, so those
    are never proposed for copying.

    Args:
        event: a PyMISP event; ``tags``, ``galaxies`` (each with ``clusters``)
            and ``attributes`` (each with ``tags``) are iterated. Every tag
            exposes ``name`` and every cluster exposes ``tag_name``.

    Returns:
        set[str]: tag names to add at event level (possibly empty).
    """
    already_present = {t.name for t in event.tags}
    already_present.update(
        cluster.tag_name
        for galaxy in event.galaxies
        for cluster in galaxy.clusters
    )
    # NOTE(review): only top-level attributes are visited; tags on attributes
    # nested inside event.objects are not considered — confirm that is intended.
    candidate_names = (
        t.name for attribute in event.attributes for t in attribute.tags
    )
    return {name for name in candidate_names if name not in already_present}
def TagEvent(event, tags_to_apply):
    """Attach every tag name in *tags_to_apply* to *event* in place.

    Args:
        event: a PyMISP event exposing ``add_tag(name)``.
        tags_to_apply: iterable of tag names; iteration order is not significant.

    Returns:
        The same ``event`` object that was passed in, for call chaining.
    """
    add_one = event.add_tag
    for tag_name in tags_to_apply:
        add_one(tag_name)
    return event
def condPrint(text):
    """Print *text* to stdout unless the module-level SILENT flag is set.

    SILENT is assigned from the ``--silent`` option in the ``__main__`` block.
    """
    if SILENT:
        return
    print(text)
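if __name__ == '__main__':
    # Copies attribute-level tags up to the event level after an interactive
    # (or --yes) confirmation; the description and --silent help text below
    # were corrected to say what the script actually does.
    parser = argparse.ArgumentParser(description='Copy attribute-level tags to the event level of a MISP event.')
    parser.add_argument("-e", "--event", required=True, help="Event ID to get.")
    parser.add_argument("-y", "--yes", required=False, default=False, action='store_true', help="Automatically accept prompt.")
    parser.add_argument("-s", "--silent", required=False, default=False, action='store_true', help="No output to stdout.")
    args = parser.parse_args()
    # Module-level flag read by condPrint(); set before anything is printed.
    SILENT = args.silent
    misp = PyMISP(misp_url, misp_key, misp_verifycert)
    # pythonify=True yields a MISPEvent object with .tags/.galaxies/.attributes
    # rather than the raw JSON dict.
    event = misp.get_event(args.event, pythonify=True)
    tags_to_apply = getTagToApplyToEvent(event)
    if not tags_to_apply:
        # Nothing to copy: skip the prompt and the no-op update_event() round trip.
        condPrint(f'Event {args.event} already carries every attribute-level tag; nothing to do')
    else:
        condPrint('Tag to apply at event level:')
        # Sorted so the listing is stable between runs (set order is arbitrary).
        for tag in sorted(tags_to_apply):
            condPrint(f'- {tag}')
        if args.yes:
            confirmed = True
        else:
            # Empty answer means the default (yes); surrounding whitespace is ignored.
            confirm = input('Confirm [Y/n]: ').strip()
            confirmed = confirm in ('', 'Y', 'y')
        if confirmed:
            event = TagEvent(event, tags_to_apply)
            condPrint(f'Updating event {args.event}')
            # NOTE(review): the update_event() response is not inspected here;
            # server-side rejections (e.g. missing permissions) would go unnoticed —
            # consider checking the returned object before reporting success.
            misp.update_event(event)
            condPrint(f'Event {args.event} tagged with {len(tags_to_apply)} tags')
        else:
            condPrint('Operation cancelled')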