0
# Attribute Management
1
2
Comprehensive attribute handling for managing indicators, observables, and threat intelligence data within MISP events, including validation, correlation, and lifecycle management.
3
4
## Capabilities
5
6
### Attribute Retrieval
7
8
List and retrieve attributes with advanced filtering, correlation data, and relationship information.
9
10
```python { .api }
11
def attributes(
12
self,
13
limit: int = None,
14
page: int = None,
15
**kwargs
16
) -> list:
17
"""
18
List attributes with filtering options.
19
20
Parameters:
21
- limit: Maximum number of attributes to return
22
- page: Page number for pagination
23
- **kwargs: Filter parameters (type, value, category, etc.)
24
25
Returns:
26
List of attribute dictionaries
27
"""
28
29
def get_attribute(
30
self,
31
attribute_id: Union[int, str],
32
includeCorrelations: bool = False,
33
includeDecayScore: bool = False
34
) -> dict:
35
"""
36
Get specific attribute by ID.
37
38
Parameters:
39
- attribute_id: Attribute ID
40
- includeCorrelations: Include correlation information
41
- includeDecayScore: Include decay scoring data
42
43
Returns:
44
Attribute dictionary with details
45
"""
46
47
def attribute_exists(self, attribute_id: Union[int, str]) -> bool:
48
"""Check if attribute exists by ID."""
49
```
50
51
### Attribute Creation & Updates
52
53
Create and modify attributes with comprehensive validation and metadata support.
54
55
```python { .api }
56
def add_attribute(
57
self,
58
event_id: Union[int, str],
59
attribute: Union['MISPAttribute', dict],
60
**kwargs
61
) -> dict:
62
"""
63
Add attribute to event.
64
65
Parameters:
66
- event_id: Target event ID
67
- attribute: MISPAttribute object or attribute dictionary
68
69
Returns:
70
Created attribute data
71
"""
72
73
def update_attribute(
74
self,
75
attribute: Union['MISPAttribute', dict],
76
attribute_id: Union[int, str] = None,
77
**kwargs
78
) -> dict:
79
"""
80
Update existing attribute.
81
82
Parameters:
83
- attribute: Updated attribute data
84
- attribute_id: Attribute ID (optional if in attribute data)
85
86
Returns:
87
Updated attribute data
88
"""
89
90
def fast_update_attribute(
91
self,
92
attribute: Union['MISPAttribute', dict],
93
attribute_id: Union[int, str] = None
94
) -> dict:
95
"""Fast attribute update without full validation."""
96
```
97
98
### Attribute Deletion & Management
99
100
Delete attributes and manage attribute lifecycle with proper validation.
101
102
```python { .api }
103
def delete_attribute(self, attribute_id: Union[int, str]) -> dict:
104
"""
105
Delete attribute permanently.
106
107
Parameters:
108
- attribute_id: Attribute ID to delete
109
110
Returns:
111
Deletion confirmation
112
"""
113
114
def restore_attribute(self, attribute_id: Union[int, str]) -> dict:
115
"""Restore soft-deleted attribute."""
116
117
def set_attribute_category(
118
self,
119
attribute_id: Union[int, str],
120
category: str
121
) -> dict:
122
"""Set attribute category."""
123
124
def set_attribute_type(
125
self,
126
attribute_id: Union[int, str],
127
attribute_type: str
128
) -> dict:
129
"""Set attribute type."""
130
131
def set_attribute_value(
132
self,
133
attribute_id: Union[int, str],
134
value: str
135
) -> dict:
136
"""Set attribute value."""
137
```
138
139
### Attribute Tags & Classification
140
141
Manage attribute-level tags and classifications.
142
143
```python { .api }
144
def tag_attribute(
145
self,
146
attribute_id: Union[int, str],
147
tag: Union[str, 'MISPTag'],
148
local: bool = False
149
) -> dict:
150
"""Add tag to attribute."""
151
152
def untag_attribute(
153
self,
154
attribute_id: Union[int, str],
155
tag: Union[str, 'MISPTag']
156
) -> dict:
157
"""Remove tag from attribute."""
158
159
def add_attribute_blocklist(
160
self,
161
attribute_uuids: Union[str, List[str]],
162
**kwargs
163
) -> dict:
164
"""Add attributes to blocklist."""
165
166
def delete_attribute_blocklist(
167
self,
168
attribute_uuids: Union[str, List[str]]
169
) -> dict:
170
"""Remove attributes from blocklist."""
171
```
172
173
### Attribute Proposals & Shadow Attributes
174
175
Manage attribute change proposals and shadow attributes for collaborative editing.
176
177
```python { .api }
178
def get_attribute_proposal(self, proposal_id: Union[int, str]) -> dict:
179
"""Get attribute change proposal."""
180
181
def add_attribute_proposal(
182
self,
183
event_id: Union[int, str],
184
proposal: Union['MISPShadowAttribute', dict]
185
) -> dict:
186
"""Create attribute change proposal."""
187
188
def update_attribute_proposal(
189
self,
190
proposal: Union['MISPShadowAttribute', dict],
191
proposal_id: Union[int, str] = None
192
) -> dict:
193
"""Update attribute change proposal."""
194
195
def delete_attribute_proposal(self, proposal_id: Union[int, str]) -> dict:
196
"""Delete attribute change proposal."""
197
198
def accept_attribute_proposal(self, proposal_id: Union[int, str]) -> dict:
199
"""Accept and apply attribute change proposal."""
200
201
def discard_attribute_proposal(self, proposal_id: Union[int, str]) -> dict:
202
"""Reject and discard attribute change proposal."""
203
```
204
205
### Attribute Correlation & Analysis
206
207
Manage attribute correlations and analytical relationships.
208
209
```python { .api }
210
def get_attribute_correlations(
211
self,
212
attribute_id: Union[int, str]
213
) -> list:
214
"""Get correlations for specific attribute."""
215
216
def add_correlation_exclusion(
217
self,
218
value: str,
219
comment: str = None
220
) -> dict:
221
"""Add correlation exclusion rule."""
222
223
def get_correlation_exclusions(self) -> list:
224
"""Get all correlation exclusion rules."""
225
226
def delete_correlation_exclusion(self, exclusion_id: Union[int, str]) -> dict:
227
"""Delete correlation exclusion rule."""
228
```
229
230
## Usage Examples
231
232
### Basic Attribute Operations
233
234
```python
235
from pymisp import PyMISP, MISPAttribute
236
237
misp = PyMISP('https://misp.example.com', 'your-api-key')
238
239
# Create a new attribute
240
attribute = MISPAttribute()
241
attribute.type = 'ip-dst'
242
attribute.value = '192.168.1.100'
243
attribute.category = 'Network activity'
244
attribute.comment = 'Malicious IP address from campaign X'
245
attribute.to_ids = True # Mark for IDS export
246
247
# Add to event
248
response = misp.add_attribute(event_id, attribute)
249
attribute_id = response['Attribute']['id']
250
```
251
252
### Attribute Types & Categories
253
254
```python
255
# Common attribute types and categories
256
network_indicators = [
257
{'type': 'ip-dst', 'value': '10.0.0.1', 'category': 'Network activity'},
258
{'type': 'domain', 'value': 'malware.example.com', 'category': 'Network activity'},
259
{'type': 'url', 'value': 'http://evil.com/payload', 'category': 'Network activity'},
260
{'type': 'hostname', 'value': 'c2.badguy.net', 'category': 'Network activity'}
261
]
262
263
file_indicators = [
264
{'type': 'md5', 'value': 'd41d8cd98f00b204e9800998ecf8427e', 'category': 'Payload delivery'},
265
{'type': 'sha1', 'value': 'da39a3ee5e6b4b0d3255bfef95601890afd80709', 'category': 'Payload delivery'},
266
{'type': 'filename', 'value': 'malware.exe', 'category': 'Payload delivery'},
267
{'type': 'size-in-bytes', 'value': '1024', 'category': 'Payload delivery'}
268
]
269
270
# Add multiple attributes
271
for attr_data in network_indicators:
272
attr = MISPAttribute()
273
attr.from_dict(**attr_data)
274
misp.add_attribute(event_id, attr)
275
```
276
277
### Attribute Search & Filtering
278
279
```python
280
# Search attributes by type
281
ip_attributes = misp.attributes(type='ip-dst', limit=100)
282
283
# Search by value pattern
284
domain_attrs = misp.attributes(value='%.example.com', limit=50)
285
286
# Search by category
287
network_attrs = misp.attributes(category='Network activity')
288
289
# Search with multiple filters
290
recent_ips = misp.attributes(
291
type='ip-dst',
292
timestamp='7d',
293
to_ids=True,
294
limit=200
295
)
296
```
297
298
### Attribute Updates & Management
299
300
```python
301
# Update attribute value
302
misp.set_attribute_value(attribute_id, '192.168.1.200')
303
304
# Update attribute category
305
misp.set_attribute_category(attribute_id, 'Artifacts dropped')
306
307
# Add tags to attribute
308
misp.tag_attribute(attribute_id, 'apt')
309
misp.tag_attribute(attribute_id, 'high-confidence')
310
311
# Update full attribute
312
updated_attr = {
313
'comment': 'Updated: Confirmed malicious through analysis',
314
'to_ids': True,
315
'distribution': 1
316
}
317
misp.update_attribute(updated_attr, attribute_id)
318
```
319
320
### Attribute Proposals & Collaboration
321
322
```python
323
from pymisp import MISPShadowAttribute
324
325
# Create attribute change proposal
326
proposal = MISPShadowAttribute()
327
proposal.type = 'ip-dst'
328
proposal.value = '192.168.1.150' # Corrected value
329
proposal.comment = 'Correction: Original IP was incorrect'
330
proposal.to_ids = True
331
332
# Submit proposal
333
misp.add_attribute_proposal(event_id, proposal)
334
335
# List pending proposals for event
336
proposals = misp.get_attribute_proposals(event_id)
337
338
# Accept a proposal
339
misp.accept_attribute_proposal(proposal_id)
340
```
341
342
### Correlation Management
343
344
```python
345
# Get correlations for attribute
346
correlations = misp.get_attribute_correlations(attribute_id)
347
print(f"Found {len(correlations)} correlations")
348
349
# Add correlation exclusion
350
misp.add_correlation_exclusion(
351
value='192.168.1.1',
352
comment='Private IP - exclude from correlation'
353
)
354
355
# Get all correlation exclusions
356
exclusions = misp.get_correlation_exclusions()
357
```
358
359
## Types
360
361
```python { .api }
362
from typing import Union, List, Dict, Optional
363
364
AttributeID = Union[int, str]
365
AttributeType = str # 'ip-dst', 'domain', 'md5', 'sha1', etc.
366
AttributeCategory = str # 'Network activity', 'Payload delivery', etc.
367
AttributeValue = Union[str, int, float]
368
CorrelationData = Dict[str, Union[str, int, List]]
369
```