viper-framework / viper

Binary analysis and management framework

MISP expansion (as extended event) #724

Open adulau opened 5 years ago

adulau commented 5 years ago

It would be nice to have the ability to do the MISP expansion (as extended event) if you are not the owner of the MISP event.

Rafiot commented 5 years ago

We can do that, but I think it will require doing something on the MISP side (cc @iglocska): when I push an update to an event, MISP needs to either

Other question: what to do with admin users that can do whatever they want anyway, and for whom updating an event that is not owned by them doesn't return an error?

iglocska commented 5 years ago

This is definitely tricky. An event edit does not always map well to an extended event, so we might not end up with the expected result. An edit basically also involves the removal and modification of existing attributes/objects - something that an extended event is not the right vehicle for. I would definitely prefer the dialogue option (respond back that an edit is not possible and the user would have to rethink what they want to do).

MISP already replies with the above: the 405 error code is returned when the user is not authorised to edit an event.

For the admin question: This is something we should not change. MISP is used in two main scenarios (very simplified, but you get the gist): 1. as a sharing hub, 2. as a tool to ingest and work with data. Whilst mangling the data and sharing it back with the community in scenario 1 is highly destructive (luckily we have some protective measures to contain it though) - option 2 requires site admins (often the only users of "end point" MISPs) to be able to play with the data.
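The trade-off discussed in this thread, as an added example that is not part of any comment above and is not code from Viper, PyMISP or MISP: after a 405 on edit, only pure additions are turned into an extending event, while removals or modifications are handed back to the user. The event dicts are simplified, `plan_update` and all sample values are hypothetical and constructed; `extends_uuid` is the MISP event field that links an extending event to the original.

```python
import uuid

def _index(event):
    # Map attribute UUID -> (type, value) so two versions can be compared.
    return {a["uuid"]: (a["type"], a["value"]) for a in event.get("Attribute", [])}

def plan_update(remote, local, edit_status):
    """Return (action, payload) for pushing `local` over `remote`.

    edit_status is the HTTP status of the attempted edit; per the thread,
    405 means the user is not authorised to edit the event.
    """
    if edit_status == 200:
        return ("edited", None)
    if edit_status != 405:
        return ("error", edit_status)

    old, new = _index(remote), _index(local)
    removed = sorted(u for u in old if u not in new)
    modified = sorted(u for u in old if u in new and old[u] != new[u])
    added = [a for a in local.get("Attribute", []) if a["uuid"] not in old]

    # An extending event can only add data. Removals and modifications are
    # reported back so the user can rethink the change (the dialogue option).
    if removed or modified:
        return ("refuse", {"removed": removed, "modified": modified})
    if not added:
        return ("noop", None)
    return ("extend", {
        "uuid": str(uuid.uuid4()),
        "info": "Extension of: " + remote["info"],
        "extends_uuid": remote["uuid"],  # link back to the event we do not own
        "Attribute": added,
    })

# Constructed sample data (not taken from a real MISP instance).
REMOTE = {
    "uuid": "00000000-0000-4000-8000-00000000000a",
    "info": "Constructed sample event",
    "Attribute": [
        {"uuid": "00000000-0000-4000-8000-000000000001", "type": "domain", "value": "example.com"},
        {"uuid": "00000000-0000-4000-8000-000000000002", "type": "ip-dst", "value": "192.0.2.1"},
    ],
}
NEW_ATTR = {"uuid": "00000000-0000-4000-8000-000000000003", "type": "url", "value": "http://example.com/x"}
LOCAL_ADD = dict(REMOTE, Attribute=REMOTE["Attribute"] + [NEW_ATTR])
LOCAL_EDIT = dict(REMOTE, Attribute=[REMOTE["Attribute"][0], dict(REMOTE["Attribute"][1], value="192.0.2.99")])
```
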