MISP Auto Tagging: In Organizations We Trust

When working with MISP, there are situations where you need one or more local tags on events from specific organizations you trust, so downstream automation can act on that source context.

What The Tool Does

This small Python tool was released to help organizations using MISP automatically add local tags to all events from specific organization UUIDs.

The tool supports both adding and removing a predefined set of local tags.
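The selection described above (events from trusted organization UUIDs, inside a look-back window, with a fixed set of local tags added or removed) is written out here as an added example; it is not the eCrimeLabs tool's code. The function name, the organization and event UUIDs, and the simplified event shape are assumptions, and the code only plans actions over constructed data instead of calling MISP.

```python
from datetime import date, timedelta

# Assumed configuration (hypothetical values, not taken from the tool).
TRUSTED_ORG_UUIDS = {"11111111-2222-4333-8444-555555555555"}
LOCAL_TAGS = ["ecrimelabs:custom-tag=1", "ecrimelabs:custom-tag=2"]


def plan_tag_actions(events, mode, days, today):
    """Return (event_uuid, action, tag) tuples for events from trusted orgs.

    Only events dated within `days` of `today` are considered. A tag is
    added only if the event does not carry it at all, and removed only if
    it is attached as a local tag, so the source organization's own tags
    are never touched.
    """
    if mode not in ("add", "remove"):
        raise ValueError("mode must be 'add' or 'remove'")
    cutoff = today - timedelta(days=days)
    actions = []
    for ev in events:
        if ev["Orgc"]["uuid"] not in TRUSTED_ORG_UUIDS:
            continue  # not a trusted source organization
        if date.fromisoformat(ev["date"]) < cutoff:
            continue  # outside the look-back window
        tags = ev.get("Tag", [])
        present = {t["name"] for t in tags}
        local = {t["name"] for t in tags if t.get("local")}
        for tag in LOCAL_TAGS:
            if mode == "add" and tag not in present:
                actions.append((ev["uuid"], "add", tag))
            elif mode == "remove" and tag in local:
                actions.append((ev["uuid"], "remove", tag))
    return actions


# Constructed sample events in a simplified, assumed MISP-like shape.
SAMPLE_EVENTS = [
    {"uuid": "aaaaaaaa-0000-4000-8000-000000000001", "date": "2022-05-01",
     "Orgc": {"uuid": "11111111-2222-4333-8444-555555555555"},
     "Tag": [{"name": "ecrimelabs:custom-tag=1", "local": True},
             {"name": "tlp:amber", "local": False}]},
    {"uuid": "aaaaaaaa-0000-4000-8000-000000000002", "date": "2022-05-09",
     "Orgc": {"uuid": "99999999-0000-4000-8000-000000000000"}, "Tag": []},
    {"uuid": "aaaaaaaa-0000-4000-8000-000000000003", "date": "2022-03-01",
     "Orgc": {"uuid": "11111111-2222-4333-8444-555555555555"}, "Tag": []},
]

if __name__ == "__main__":
    for action in plan_tag_actions(SAMPLE_EVENTS, "add", 20, date(2022, 5, 10)):
        print(action)
```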

Examples

# venv/bin/python3 misp-autotagging.py -h
eCrimeLabs MISP autotagging tool
usage: misp-autotagging.py [-h] [-a] [-r] [-d DAYS]

optional arguments:
  -h, --help            show this help message and exit
  -a, --add             Add local tags to Event(s)
  -r, --remove          Remove local tags to Event(s)
  -d DAYS, --days DAYS  Number of days to look back for events (Default: 2)

The command below adds the local tags to events from the specified organizations that were created within the last 20 days.

# venv/bin/python3 misp-autotagging.py -a -d 20
eCrimeLabs MISP autotagging tool
 + Remove local tags to Event(s)
   - 2022-05-10 16:00:51 UTC - Successfully added local tag: ecrimelabs:custom-tag=1 to Event UUID: c303c3c9-8623-45cd-9173-c61de12635b0
   - 2022-05-10 16:00:51 UTC - Successfully added local tag: ecrimelabs:custom-tag=2 to Event UUID: c303c3c9-8623-45cd-9173-c61de12635b0

The event now has two local tags added, without modifying the original event content from the source organization.

MISP event with custom local tags applied