Error code 403 over remote event update using only local tags #1125

Open
minisephirot opened this issue Jan 4, 2024 · 11 comments

@minisephirot

minisephirot commented Jan 4, 2024

Context

What: I enrich external organisation events using local tags to ensure that my semantics are not being propagated
Why: Those tags are used to pivot on if the IOC should enter a blacklist or not.

Code

How:

    from datetime import datetime, timedelta
    from pymisp import MISPEvent

    # Fragment from inside a method: self.misp_instance is a PyMISP client.
    time_window: datetime = oldest_unriched_event_date + timedelta(days=2)
    results = self.misp_instance.search(
        controller="events",
        # "%Y-%m-%d" is the portable spelling of "%F"
        date_from=oldest_unriched_event_date.strftime("%Y-%m-%d"),
        date_to=time_window.strftime("%Y-%m-%d"),
        include_correlations=False,
        event_tags=['!blacklist_tag'],
        org=self.sekoia_uuid,
        deleted="0",
        pythonify=True,
        metadata=True,
    )
    # Events tagging
    misp_event: MISPEvent
    for counter_ev, misp_event in enumerate(results):
        for tag in local_tags:  # placeholder for "My perfect tag list"
            misp_event.add_tag(name=tag, local=True)
        # Full event edit: this is the call that comes back with the 403
        self.misp_instance.update_event(misp_event)

Sadly I've been using a site admin user to do this stuff while POCing so yeah.. I was able to be pretty free in terms of perms.

This led me to using a more appropriate role, which was sync user, thinking that local tags wouldn't be a bother since it was described as "The long awaited feature “local tags” is now finally available. You can create tags locally if you are a member of the given MISP instance’s host organisation, enabling “in-place” tagging for synchronisation and export filtering"

Alas, when running the script I get these:

    ERROR: Something went wrong (403): {'saved': False, 'name': 'Could not edit Event', 'message': 'Could not edit Event', 'url': '/events/edit/9085', 'errors': 'Event could not be saved: The user used to edit the event is not authorised to do so. This can be caused by the user not being of the same organisation as the original creator of the event whilst also not being a site administrator.', 'id': '9085'}

Event 9085 "as is":
image
With local tags added on GUI:
image

There is probably something I've missed while considering local tags: if this is an issue of not being in the same organisation, why can I add those tags on the same event as a same role user from another organisation on GUI?

Sorry for the delayed issue, by the way. I tried to bruteforce my way beforehand to not waste your time if this was just a perm issue..

Rafiot added the "S: needs more info" label Jan 4, 2024
@adulau
Member

adulau commented Jan 4, 2024

If you have a 403 error, it’s a perm issue and not really an issue with PyMISP.

@iglocska
Member

iglocska commented Jan 4, 2024

Based on the provided information, I can safely deduce it's DNS. It's always DNS.

@minisephirot
Author

I've completed my issue, sorry for the delay :)

@minisephirot
Author

It seems to be related to those issues: MISP/MISP#4691 & MISP/MISP#4925
My user is in host organisation, he tries via API to update an event using only local tags -> 403

@minisephirot
Author

minisephirot commented Jan 10, 2024

@adulau

> If you have a 403 error, it’s a perm issue and not really an issue with PyMISP.

I thought so too but since MISP allowed me in GUI to edit local tags I thought this was more of a MISP <-> PyMISP interaction

@Rafiot
Does this issue still need more information?

EDIT: For now I've found a workaround, the script's user is site admin: that's the only way to bypass this issue.

Rafiot removed the "S: needs more info" label Jan 10, 2024
@Rafiot
Member

Rafiot commented Jan 10, 2024

@minisephirot no, it doesn't. But it is going to be a MISP API issue, I don't think there is a fix on PyMISP side.

cc @iglocska

@minisephirot
Author

@Rafiot Thank you for the feedback.

Should I close this issue and reopen it on MISP's repo or let someone transfer it?

@Rafiot
Member

Rafiot commented Jan 17, 2024

If it works as site admin, it is definitely a perm issue.

Can you check the tag settings and make sure it is not limited to a specific user/org and you're trying to add it from another one?

@minisephirot
Author

What do you mean by tag settings?
I've tried going from:

    misp_event.add_tag(name = tag, local = True)

to

    attribute.add_tag(name = tag, local = True, exportable = True)

with no significant change in MISP behaviour: are there some settings in MISP to change?

@Rafiot
Member

Rafiot commented Jan 22, 2024

Okay, I looked at the first message again and it's a different issue: the exception happens when you call an update on the MISP event, which would make sense if you do that against an event that isn't yours.

If I'm not mistaken (please correct me @iglocska), you can attach a local tag to a MISP event that isn't yours if you do something like that: self.misp_instance.tag(event_id, tag_name, local=True). That is assuming a tag with that tag name exists on the MISP instance.
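The approach suggested in the comment above, sketched as an added example (not part of the original thread and not PyMISP's own code): bulk local tagging through `tag()` instead of a full `update_event()`, so the script's user does not need site admin. `tag_events_locally`, `FakeMISP`, the tag names and the UUIDs are constructed for illustration; whether the server accepts the attach for a host-organisation user is as the comment supposes, not verified here.

```python
from typing import Any, Iterable


def tag_events_locally(misp: Any, event_uuids: Iterable[str],
                       tags: Iterable[str]) -> dict:
    """Attach each tag as a local tag, one attach request per (event, tag).

    `misp` is a PyMISP instance (or anything exposing the same .tag() method).
    Unlike update_event(), this never submits an edit of the event itself.
    """
    tags = list(tags)
    report = {"tagged": [], "failed": []}
    for uuid in event_uuids:
        for name in tags:
            response = misp.tag(uuid, name, local=True)
            # PyMISP reports HTTP errors as a dict carrying an "errors" key.
            if isinstance(response, dict) and "errors" in response:
                report["failed"].append((uuid, name, response["errors"]))
            else:
                report["tagged"].append((uuid, name))
    return report


class FakeMISP:
    """Constructed stand-in for a PyMISP client so the example runs offline."""

    def __init__(self, known_tags):
        self.known_tags = set(known_tags)
        self.calls = []

    def tag(self, misp_entity, tag, local=False):
        self.calls.append((misp_entity, tag, local))
        if tag not in self.known_tags:  # the tag must already exist on the instance
            return {"errors": (403, {"message": "constructed error"})}
        return {"saved": True}


def demo():
    fake = FakeMISP(known_tags={"local:review"})
    uuids = ["00000000-0000-0000-0000-000000000001",
             "00000000-0000-0000-0000-000000000002"]
    return fake, tag_events_locally(fake, uuids, ["local:review", "local:missing"])


if __name__ == "__main__":
    print(demo()[1])
```

With a real client, pass `[e.uuid for e in results]` from the search as `event_uuids`, and review `report["failed"]` rather than retrying the run under a more privileged account.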

@minisephirot
Author

Hello, thank you for the insight.
I thought that calling an update with only tags being changed would not trigger a "true" event update like an edition of attributes: that's a good thing to know.
I specifically avoided misp_instance.(un)tag because it directly called an HTTP request and I wanted to bulk tag/untag, I'll try using the method and see if this goes through!
