
MISP Analyzer: Unable to filter for unpublished events due to boolean logic flaw #3566

@ayushgupta704

Description

What happened

Right now, the MISP analyzer doesn’t properly handle filtering for unpublished events. Even if published=False is selected in the configuration, that value never actually makes it into the API request sent to MISP.
This happens because of the current check:
if self.published:
Since False evaluates to falsy in Python, the condition fails and the parameter gets skipped entirely. As a result, the request is sent without any published filter.

Environment

  1. OS: Linux

What did you expect to happen

Setting published=False should send {"published": False} to the MISP API. This allows analysts to specifically hunt for fresh indicators that analysts may want to specifically query.

How to reproduce your issue

  1. Uncheck the published box in a MISP analyzer configuration.
  2. Run any analysis.
  3. Observe that the API call sent to MISP (line 100 of misp.py) contains no published parameter, because if self.published: evaluates to False and skips the assignment.

I’ve already tested a fix for this locally. I’d be happy to take this up and open a PR; please assign it to me.
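
The pattern described in this issue, next to an explicit check, as an added example that is not part of the original issue or the project's code. The function names, the `value` parameter and the convention that `None` means "no filter configured" are assumptions made for illustration.

```python
from typing import Any, Dict, List, Optional


def build_params_truthy(value: str, published: Optional[bool]) -> Dict[str, Any]:
    """Pattern reported in the issue: truthiness check on a boolean filter."""
    params: Dict[str, Any] = {"value": value}
    if published:  # False is falsy, so an explicit False is silently dropped
        params["published"] = published
    return params


def build_params_explicit(value: str, published: Optional[bool]) -> Dict[str, Any]:
    """Explicit check: only None means "filter not configured" (assumption)."""
    params: Dict[str, Any] = {"value": value}
    if published is not None:
        if not isinstance(published, bool):
            raise TypeError("published must be True, False or None")
        params["published"] = published
    return params


def dropped_filters(configured: Dict[str, Any], sent: Dict[str, Any]) -> List[str]:
    """Regression check: options that were configured but never reached the request."""
    return sorted(k for k, v in configured.items() if v is not None and k not in sent)


if __name__ == "__main__":
    config = {"published": False}  # constructed sample configuration
    for builder in (build_params_truthy, build_params_explicit):
        sent = builder("198.51.100.7", config["published"])  # constructed sample value
        print(builder.__name__, sent, "dropped:", dropped_filters(config, sent))
```

A check like `dropped_filters` can sit in a unit test so that a configured filter that never reaches the request fails the build instead of silently widening the query.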

Labels: bug (Something isn't working)
