Python API for the MISP threat intelligence platform, enabling programmatic access to MISP instances.
Comprehensive attribute handling for managing indicators, observables, and threat intelligence data within MISP events, including validation, correlation, and lifecycle management.
List and retrieve attributes with advanced filtering, correlation data, and relationship information.
def attributes(
    self,
    limit: int = None,
    page: int = None,
    **kwargs
) -> list:
    """
    List attributes with filtering options.

    Parameters:
    - limit: Maximum number of attributes to return (default None)
    - page: Page number for pagination (default None)
    - **kwargs: Filter parameters (type, value, category, etc.)

    Returns:
    List of attribute dictionaries

    NOTE(review): what happens when limit is None is not shown here;
    presumably the result set is then unbounded, so pass limit and page
    explicitly on a large instance. Confirm the filter names accepted via
    **kwargs against the PyMISP version you run.
    """
def get_attribute(
    self,
    attribute_id: Union[int, str],
    includeCorrelations: bool = False,
    includeDecayScore: bool = False
) -> dict:
    """
    Get specific attribute by ID.

    Parameters:
    - attribute_id: Attribute ID, given as an int or a string
    - includeCorrelations: Include correlation information (default False)
    - includeDecayScore: Include decay scoring data (default False)

    Returns:
    Attribute dictionary with details

    NOTE(review): the shape of the returned dictionary when the ID does not
    exist, or is not visible to the caller, is not shown here; check for an
    error result before reading fields from it.
    """
def attribute_exists(self, attribute_id: Union[int, str]) -> bool:
    """
    Check if attribute exists by ID.

    Parameters:
    - attribute_id: Attribute ID, given as an int or a string

    Returns:
    True if the attribute exists, otherwise False

    NOTE(review): presumably an attribute the API key is not allowed to see
    also reports False; confirm before treating False as "not in MISP".
    """

Create and modify attributes with comprehensive validation and metadata support.
def add_attribute(
    self,
    event_id: Union[int, str],
    attribute: Union['MISPAttribute', dict],
    **kwargs
) -> dict:
    """
    Add attribute to event.

    Parameters:
    - event_id: Target event ID
    - attribute: MISPAttribute object or attribute dictionary
    - **kwargs: Additional keyword arguments (not described on this page)

    Returns:
    Created attribute data

    NOTE(review): the usage example on this page reads
    response['Attribute']['id'] straight from the return value. Whether a
    rejected attribute still yields an 'Attribute' key is not shown, so
    check the response for an error before indexing it.
    """
def update_attribute(
    self,
    attribute: Union['MISPAttribute', dict],
    attribute_id: Union[int, str] = None,
    **kwargs
) -> dict:
    """
    Update existing attribute.

    Parameters:
    - attribute: Updated attribute data (MISPAttribute object or dictionary)
    - attribute_id: Attribute ID (optional if in attribute data)
    - **kwargs: Additional keyword arguments (not described on this page)

    Returns:
    Updated attribute data

    NOTE(review): which ID wins when attribute_id and the ID inside the
    attribute data disagree is not shown here; pass only one of them.
    """
def fast_update_attribute(
    self,
    attribute: Union['MISPAttribute', dict],
    attribute_id: Union[int, str] = None
) -> dict:
    """
    Fast attribute update without full validation.

    Parameters:
    - attribute: Updated attribute data (MISPAttribute object or dictionary)
    - attribute_id: Attribute ID (default None)

    Returns:
    Dictionary (contents not described on this page)

    NOTE(review): which checks are skipped is not shown here. Presumably
    this should only receive attribute data that has already been validated
    or comes from a trusted source; use update_attribute otherwise.
    """

Delete attributes and manage attribute lifecycle with proper validation.
def delete_attribute(self, attribute_id: Union[int, str]) -> dict:
    """
    Delete attribute permanently.

    Parameters:
    - attribute_id: Attribute ID to delete

    Returns:
    Deletion confirmation

    NOTE(review): restore_attribute on this page restores soft-deleted
    attributes, which suggests deletion is not always permanent. Released
    PyMISP versions take a hard flag on delete_attribute to choose between
    the two; verify which kind of delete this call performs before relying
    on it to remove sensitive data.
    """
def restore_attribute(self, attribute_id: Union[int, str]) -> dict:
    """
    Restore soft-deleted attribute.

    Parameters:
    - attribute_id: ID of the soft-deleted attribute, as an int or a string

    Returns:
    Dictionary (contents not described on this page)
    """
def set_attribute_category(
    self,
    attribute_id: Union[int, str],
    category: str
) -> dict:
    """
    Set attribute category.

    Parameters:
    - attribute_id: Attribute ID, given as an int or a string
    - category: New category name (the examples on this page use
      'Network activity', 'Payload delivery' and 'Artifacts dropped')

    Returns:
    Dictionary (contents not described on this page)
    """
def set_attribute_type(
    self,
    attribute_id: Union[int, str],
    attribute_type: str
) -> dict:
    """
    Set attribute type.

    Parameters:
    - attribute_id: Attribute ID, given as an int or a string
    - attribute_type: New type name (the examples on this page use
      'ip-dst', 'domain', 'md5' and similar)

    Returns:
    Dictionary (contents not described on this page)

    NOTE(review): whether the existing value is re-validated against the
    new type is not shown here; confirm before changing the type of a
    value that feeds detection exports.
    """
def set_attribute_value(
    self,
    attribute_id: Union[int, str],
    value: str
) -> dict:
    """
    Set attribute value.

    Parameters:
    - attribute_id: Attribute ID, given as an int or a string
    - value: New attribute value

    Returns:
    Dictionary (contents not described on this page)
    """

Manage attribute-level tags and classifications.
def tag_attribute(
    self,
    attribute_id: Union[int, str],
    tag: Union[str, 'MISPTag'],
    local: bool = False
) -> dict:
    """
    Add tag to attribute.

    Parameters:
    - attribute_id: Attribute ID, given as an int or a string
    - tag: Tag name or MISPTag object
    - local: Attach the tag as a local tag (default False)

    Returns:
    Dictionary (contents not described on this page)

    NOTE(review): a local tag is presumably kept on this instance and not
    synchronised to others. Confirm, since handling and sharing markings
    applied as local tags would then not travel with the attribute.
    """
def untag_attribute(
    self,
    attribute_id: Union[int, str],
    tag: Union[str, 'MISPTag']
) -> dict:
    """
    Remove tag from attribute.

    Parameters:
    - attribute_id: Attribute ID, given as an int or a string
    - tag: Tag name or MISPTag object to remove

    Returns:
    Dictionary (contents not described on this page)
    """
def add_attribute_blocklist(
    self,
    attribute_uuids: Union[str, List[str]],
    **kwargs
) -> dict:
    """
    Add attributes to blocklist.

    Parameters:
    - attribute_uuids: One attribute UUID, or a list of UUIDs
    - **kwargs: Additional keyword arguments (not described on this page)

    Returns:
    Dictionary (contents not described on this page)

    NOTE(review): what a blocklisted attribute is blocked from is not
    shown here; confirm the effect before using this to suppress data.
    """
def delete_attribute_blocklist(
    self,
    attribute_uuids: Union[str, List[str]]
) -> dict:
    """
    Remove attributes from blocklist.

    Parameters:
    - attribute_uuids: One attribute UUID, or a list of UUIDs

    Returns:
    Dictionary (contents not described on this page)
    """

Manage attribute change proposals and shadow attributes for collaborative editing.
def get_attribute_proposal(self, proposal_id: Union[int, str]) -> dict:
    """
    Get attribute change proposal.

    Parameters:
    - proposal_id: Proposal ID, given as an int or a string

    Returns:
    Dictionary (contents not described on this page)
    """
def add_attribute_proposal(
    self,
    event_id: Union[int, str],
    proposal: Union['MISPShadowAttribute', dict]
) -> dict:
    """
    Create attribute change proposal.

    Parameters:
    - event_id: ID of the event the proposal is attached to
    - proposal: MISPShadowAttribute object or proposal dictionary

    Returns:
    Dictionary (contents not described on this page)
    """
def update_attribute_proposal(
    self,
    proposal: Union['MISPShadowAttribute', dict],
    proposal_id: Union[int, str] = None
) -> dict:
    """
    Update attribute change proposal.

    Parameters:
    - proposal: MISPShadowAttribute object or proposal dictionary
    - proposal_id: Proposal ID (default None)

    Returns:
    Dictionary (contents not described on this page)
    """
def delete_attribute_proposal(self, proposal_id: Union[int, str]) -> dict:
    """
    Delete attribute change proposal.

    Parameters:
    - proposal_id: Proposal ID, given as an int or a string

    Returns:
    Dictionary (contents not described on this page)
    """
def accept_attribute_proposal(self, proposal_id: Union[int, str]) -> dict:
    """
    Accept and apply attribute change proposal.

    Parameters:
    - proposal_id: Proposal ID, given as an int or a string

    Returns:
    Dictionary (contents not described on this page)

    NOTE(review): accepting applies another party's proposed change to the
    attribute. Presumably the proposal should be fetched with
    get_attribute_proposal and reviewed first; confirm against your
    instance's review process.
    """
def discard_attribute_proposal(self, proposal_id: Union[int, str]) -> dict:
    """
    Reject and discard attribute change proposal.

    Parameters:
    - proposal_id: Proposal ID, given as an int or a string

    Returns:
    Dictionary (contents not described on this page)
    """

Manage attribute correlations and analytical relationships.
def get_attribute_correlations(
    self,
    attribute_id: Union[int, str]
) -> list:
    """
    Get correlations for specific attribute.

    Parameters:
    - attribute_id: Attribute ID, given as an int or a string

    Returns:
    List of correlations (element structure not described on this page)
    """
def add_correlation_exclusion(
    self,
    value: str,
    comment: str = None
) -> dict:
    """
    Add correlation exclusion rule.

    Parameters:
    - value: Value to exclude from correlation
    - comment: Free-text reason for the exclusion (default None)

    Returns:
    Dictionary (contents not described on this page)

    NOTE(review): the scope of an exclusion is not shown here. Presumably
    it applies to the whole instance, so record the reason in comment and
    keep exclusions narrow, since an over-broad rule hides real links
    between events.
    """
def get_correlation_exclusions(self) -> list:
    """
    Get all correlation exclusion rules.

    Returns:
    List of exclusion rules (element structure not described on this page)
    """
def delete_correlation_exclusion(self, exclusion_id: Union[int, str]) -> dict:
    """
    Delete correlation exclusion rule.

    Parameters:
    - exclusion_id: Exclusion rule ID, given as an int or a string

    Returns:
    Dictionary (contents not described on this page)
    """

from pymisp import PyMISP, MISPAttribute
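# Connect to the MISP instance.
# The API key carries the full rights of the user it belongs to, so it is read
# from the environment rather than written into the script.
# MISP_API_KEY is a constructed variable name; use whatever your secret store provides.
import os

# PyMISP verifies the server's TLS certificate by default (ssl=True); leave it on.
misp = PyMISP('https://misp.example.com', os.environ['MISP_API_KEY'])

# Create a new attribute
attribute = MISPAttribute()
attribute.type = 'ip-dst'
attribute.value = '192.168.1.100'  # sample value from a private (RFC 1918) range
attribute.category = 'Network activity'
attribute.comment = 'Malicious IP address from campaign X'
# Mark for IDS export. Values flagged this way feed detection tooling
# downstream, so set it only on indicators that have been vetted; private or
# shared addresses flagged here become false positives for every consumer.
attribute.to_ids = True

# Add to event (event_id is the ID of an existing event; it is not defined in
# this example)
response = misp.add_attribute(event_id, attribute)
# PyMISP reports a failed request as a dict carrying an 'errors' key instead of
# raising, so check for it before indexing into the response.
if 'errors' in response:
    raise RuntimeError(f"add_attribute failed: {response['errors']}")
attribute_id = response['Attribute']['id']

# Common attribute types and categories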
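# Sample values only. evil.com and badguy.net are registrable names, so do not
# push this list to a shared instance as-is; for test data prefer reserved
# names such as example.com or *.test.
network_indicators = [
    {'type': 'ip-dst', 'value': '10.0.0.1', 'category': 'Network activity'},
    {'type': 'domain', 'value': 'malware.example.com', 'category': 'Network activity'},
    {'type': 'url', 'value': 'http://evil.com/payload', 'category': 'Network activity'},
    {'type': 'hostname', 'value': 'c2.badguy.net', 'category': 'Network activity'}
]
# Sample values only: this MD5 and SHA-1 are the digests of empty input, so on
# a real instance they would match every empty file.
file_indicators = [
    {'type': 'md5', 'value': 'd41d8cd98f00b204e9800998ecf8427e', 'category': 'Payload delivery'},
    {'type': 'sha1', 'value': 'da39a3ee5e6b4b0d3255bfef95601890afd80709', 'category': 'Payload delivery'},
    {'type': 'filename', 'value': 'malware.exe', 'category': 'Payload delivery'},
    {'type': 'size-in-bytes', 'value': '1024', 'category': 'Payload delivery'}
]

# Add multiple attributes (only network_indicators is submitted here;
# event_id is the ID of an existing event and is not defined in this example)
for attr_data in network_indicators:
    attr = MISPAttribute()
    attr.from_dict(**attr_data)
    response = misp.add_attribute(event_id, attr)
    # A rejected attribute comes back as a dict with an 'errors' key rather
    # than an exception; report it so a dropped indicator does not go unnoticed.
    if 'errors' in response:
        print(f"Not added: {attr_data['value']}: {response['errors']}")

# Search attributes by type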
# NOTE(review): released PyMISP versions route filtered attribute queries
# through misp.search(controller='attributes', ...). Confirm that attributes()
# accepts these keyword filters in the version you run; a filter that is
# ignored would return far more data than intended.
ip_attributes = misp.attributes(type='ip-dst', limit=100)

# Search by value pattern
# NOTE(review): '%' is presumably a wildcard here; confirm the matching rules.
domain_attrs = misp.attributes(value='%.example.com', limit=50)

# Search by category
# No limit is passed on this query, unlike the others in this example.
network_attrs = misp.attributes(category='Network activity')

# Search with multiple filters
recent_ips = misp.attributes(
    type='ip-dst',
    timestamp='7d',  # presumably "last seven days"; confirm the accepted format
    to_ids=True,
    limit=200
)

# Update attribute value
# The return values of the calls below are not checked in this example.
# attribute_id is expected to hold the ID of an existing attribute.
misp.set_attribute_value(attribute_id, '192.168.1.200')

# Update attribute category
misp.set_attribute_category(attribute_id, 'Artifacts dropped')

# Add tags to attribute
misp.tag_attribute(attribute_id, 'apt')
misp.tag_attribute(attribute_id, 'high-confidence')

# Update full attribute
updated_attr = {
    'comment': 'Updated: Confirmed malicious through analysis',
    # Flags the value for IDS export; set only on vetted indicators.
    'to_ids': True,
    # NOTE(review): distribution decides who the attribute is shared with.
    # 1 is presumably MISP's "This community only" level; confirm that this
    # is the intended sharing scope before reusing the value.
    'distribution': 1
}
misp.update_attribute(updated_attr, attribute_id)

from pymisp import MISPShadowAttribute
# Create attribute change proposal
proposal = MISPShadowAttribute()
proposal.type = 'ip-dst'
proposal.value = '192.168.1.150'  # Corrected value
proposal.comment = 'Correction: Original IP was incorrect'
proposal.to_ids = True

# Submit proposal (event_id is the ID of an existing event; it is not defined
# in this example)
misp.add_attribute_proposal(event_id, proposal)

# List pending proposals for event
# NOTE(review): get_attribute_proposals (plural, taking an event ID) is not
# among the methods listed on this page, which only shows
# get_attribute_proposal(proposal_id); confirm the method name before use.
proposals = misp.get_attribute_proposals(event_id)

# Accept a proposal
# proposal_id is not defined in this example and is not derived from
# `proposals`. Accepting applies the proposed change to the attribute, so
# take the ID from a proposal that has been reviewed.
misp.accept_attribute_proposal(proposal_id)

# Get correlations for attribute
# attribute_id is expected to hold the ID of an existing attribute.
correlations = misp.get_attribute_correlations(attribute_id)
print(f"Found {len(correlations)} correlations")

# Add correlation exclusion
# The comment records why the value is excluded, which keeps the rule
# reviewable later.
# NOTE(review): an exclusion presumably applies to the whole instance;
# confirm the scope before adding broad values.
misp.add_correlation_exclusion(
    value='192.168.1.1',
    comment='Private IP - exclude from correlation'
)

# Get all correlation exclusions
exclusions = misp.get_correlation_exclusions()

from typing import Union, List, Dict, Optional
# Attribute identifier, accepted as an int or a string.
AttributeID = Union[int, str]
# AttributeType and AttributeCategory are plain str aliases, so a type checker
# does not restrict them to valid MISP type or category names.
AttributeType = str  # 'ip-dst', 'domain', 'md5', 'sha1', etc.
AttributeCategory = str  # 'Network activity', 'Payload delivery', etc.
# Attribute values may be a string, an int or a float.
AttributeValue = Union[str, int, float]
# Correlation record: string keys mapping to a string, an int or a list.
CorrelationData = Dict[str, Union[str, int, List]]

Install with Tessl CLI
npx tessl i tessl/pypi-pymisp