From 2418373c1f4d789bc9f0c8cc1e0677215fa1240c Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Tue, 26 Apr 2022 08:43:39 +0200
Subject: [PATCH] new: [example:copyTagsFromAttributesToEvent] Added script to copy tags from attributes to the event level
---
examples/copyTagsFromAttributesToEvent.py | 68 +++++++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100755 examples/copyTagsFromAttributesToEvent.py
diff --git a/examples/copyTagsFromAttributesToEvent.py b/examples/copyTagsFromAttributesToEvent.py
new file mode 100755
index 0000000..68eee9d
--- /dev/null
+++ b/examples/copyTagsFromAttributesToEvent.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from pymisp import PyMISP
+from keys import misp_url, misp_key, misp_verifycert
+import argparse
+import os
+
+SILENT = False
+
+
+def getTagToApplyToEvent(event):
+ tags_to_apply = set()
+
+ event_tags = { tag.name for tag in event.tags }
+ for galaxy in event.galaxies:
+ for cluster in galaxy.clusters:
+ event_tags.add(cluster.tag_name)
+
+ for attribute in event.attributes:
+ for attribute_tag in attribute.tags:
+ if attribute_tag.name not in event_tags:
+ tags_to_apply.add(attribute_tag.name)
+
+ return tags_to_apply
+
+
+def TagEvent(event, tags_to_apply):
+ for tag in tags_to_apply:
+ event.add_tag(tag)
+ return event
+
+
+def condPrint(text):
+ if not SILENT:
+ print(text)
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='Get an event from a MISP instance.')
+ parser.add_argument("-e", "--event", required=True, help="Event ID to get.")
+ parser.add_argument("-y", "--yes", required=False, default=False, action='store_true', help="Automatically accept prompt.")
+ parser.add_argument("-s", "--silent", required=False, default=False, action='store_true', help="No output to stdin.")
+
+ args = parser.parse_args()
+ SILENT = args.silent
+
+ misp = PyMISP(misp_url, misp_key, misp_verifycert)
+
+ event = misp.get_event(args.event, pythonify=True)
+ tags_to_apply = getTagToApplyToEvent(event)
+ condPrint('Tag to apply at event level:')
+ for tag in tags_to_apply:
+ condPrint(f'- {tag}')
+
+ confirmed = False
+ if args.yes:
+ confirmed = True
+ else:
+ confirm = input('Confirm [Y/n]: ')
+ confirmed = len(confirm) == 0 or confirm == 'Y' or confirm == 'y'
+ if confirmed:
+ event = TagEvent(event, tags_to_apply)
+ condPrint(f'Updating event {args.event}')
+ misp.update_event(event)
+ condPrint(f'Event {args.event} tagged with {len(tags_to_apply)} tags')
+ else:
+ condPrint('Operation cancelled')
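Review bot: In `getTagToApplyToEvent`, `tags_to_apply.add(attribute_tag.name)` keeps only the tag name, so a tag attached to an attribute as a local tag would be re-created by `event.add_tag(tag)` as a regular event tag and sent with `misp.update_event(event)`, where it may be synchronised to other instances (inferred from PyMISP's tag model, worth confirming). Handling markings such as TLP tags are promoted the same way, which changes how the whole event is labelled for sharing. I would skip local tags with `if attribute_tag.name not in event_tags and not getattr(attribute_tag, 'local', False):` and state in a module docstring that sharing-related tags are copied as well. Separately, the results of `misp.get_event` and `misp.update_event` are never checked, so a failed lookup or update still reaches the tag loop or the "tagged with N tags" message. With `--silent` but without `--yes`, the `Confirm [Y/n]` prompt asks the operator to approve a tag list that was never printed.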