From 309b767864a25e959e699dc82430a7212f9aefc2 Mon Sep 17 00:00:00 2001
From: Jeroen Pinoy
Date: Sun, 12 May 2019 01:08:21 +0200
Subject: [PATCH] Added includeWarninglistHits as a possible filter for the event level restsearch.
---
examples/fetch_warninglist_hits.py | 38 ++++++++++++++++++++++++++++++
pymisp/api.py | 2 ++
2 files changed, 40 insertions(+)
create mode 100644 examples/fetch_warninglist_hits.py
diff --git a/examples/fetch_warninglist_hits.py b/examples/fetch_warninglist_hits.py
new file mode 100644
index 0000000..12d3f62
--- /dev/null
+++ b/examples/fetch_warninglist_hits.py
@@ -0,0 +1,38 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from pymisp import PyMISP
+from keys import misp_url, misp_key
+import argparse
+
+
+def init(url, key):
+ return PyMISP(url, key)
+
+
+def loop_attributes(elem):
+ if 'Attribute' in elem.keys():
+ for attribute in elem['Attribute']:
+ if 'warnings' in attribute.keys():
+ for warning in attribute['warnings']:
+ print("Value {} has a hit in warninglist with name '{}' and id '{}'".format(warning['value'],
+ warning[
+ 'warninglist_name'],
+ warning[
+ 'warninglist_id']))
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='Print all warninglist hits for an event.')
+ parser.add_argument("eventid", type=str, help="The event id of the event to get info of")
+ args = parser.parse_args()
+ misp = init(misp_url, misp_key)
+ evt = misp.search('events', eventid=args.eventid, includeWarninglistHits=1)['response'][0]['Event']
+ if 'warnings' in evt.keys():
+ print('warnings in entire event:')
+ print(str(evt['warnings']) + '\n')
+ print('Warnings at attribute levels:')
+ loop_attributes(evt)
+ if 'Object' in evt.keys():
+ for obj in evt['Object']:
+ loop_attributes(obj)
diff --git a/pymisp/api.py b/pymisp/api.py
index 48ffded..fc91619 100644
--- a/pymisp/api.py
+++ b/pymisp/api.py
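Review bot: `evt = misp.search('events', eventid=args.eventid, includeWarninglistHits=1)['response'][0]['Event']` raises an IndexError when the search returns no event for the given id (an unknown id, or presumably one the API key is not allowed to read), which is the most likely failure for a script that takes the id from the command line; index only after checking: `events = misp.search('events', eventid=args.eventid, includeWarninglistHits=1)['response']`, `if not events: raise SystemExit('No event found for id {}'.format(args.eventid))`, `evt = events[0]['Event']`. The `'Attribute' in elem.keys()` and `'warnings' in attribute.keys()` tests in loop_attributes (and the `evt.keys()` ones below) can be written `'Attribute' in elem`, the idiomatic membership test on a dict, which also drops the awkward multi-line `.format(...)` continuation if the three warning fields are first bound to locals. A one-line docstring on loop_attributes, saying it prints one line per warninglist hit found on the element's attributes and that the script calls it once for the event and once per object, would make the example self-explanatory.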
@@ -1190,6 +1190,7 @@ class PyMISP(object):
 :param publish_timestamp: the publish timestamp
 :param timestamp: the timestamp of the last modification. Can be a list (from->to)
 :param enforceWarninglist: Enforce the warning lists
+ :param includeWarninglistHits: Include the warning list hits
 :param searchall: full text search on the database
 :param metadata: return only metadata if True
 :param published: return only published events
@@ -1251,6 +1252,7 @@ class PyMISP(object):
 query['publish_timestamp'] = kwargs.pop('publish_timestamp', None)
 query['timestamp'] = kwargs.pop('timestamp', None)
 query['enforceWarninglist'] = kwargs.pop('enforceWarninglist', None)
+ query['includeWarninglistHits'] = kwargs.pop('includeWarninglistHits', None)
 query['to_ids'] = kwargs.pop('to_ids', None)
 query['deleted'] = kwargs.pop('deleted', None)
 query['published'] = kwargs.pop('published', None)
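Review bot: The new `:param includeWarninglistHits: Include the warning list hits` docstring entry in the first hunk does not tell callers what value to pass or what changes in the response; the example added by this commit passes `includeWarninglistHits=1` and then reads a `warnings` list (entries with `value`, `warninglist_name` and `warninglist_id`) on the event and on its attributes, so a fuller entry would be `:param includeWarninglistHits: Include the warning list hits (pass 1, as in examples/fetch_warninglist_hits.py; matching attributes then carry a 'warnings' list in the response)`. The `query['includeWarninglistHits'] = kwargs.pop('includeWarninglistHits', None)` line in the second hunk mirrors the enforceWarninglist line directly above it and is consistent with the rest of the query construction. The enclosing search method starts before and continues after both hunks.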