add new env MISP_DATE_FILTER_FIELD #2246

Merged
3 changes: 2 additions & 1 deletion external-import/misp/README.md
Expand Up @@ -27,7 +27,8 @@ If you are using it independently, remember that the connector will try to conne
| `misp_key` | `MISP_KEY` | Yes | The MISP instance key. |
| `misp_client_cert` | `MISP_CLIENT_CERT` | No | The client certificate of the MISP instance. It must be a path to the client certificate and readable |
| `misp_ssl_verify` | `MISP_SSL_VERIFY` | Yes | A boolean (`True` or `False`), check if the SSL certificate is valid when using `https`. |
| `misp_datetime_attribute` | `MISP_DATETIME_ATTRIBUTE` | Yes | The attribute to be used in filter to query new MISP events. |
| `misp_datetime_attribute` | `MISP_DATETIME_ATTRIBUTE` | Yes | The attribute to be used to get the date of the event. |
| `date_filter_field` | `MISP_DATE_FILTER_FIELD` | Yes | The attribute to be used in filter to query new MISP events. |
| `misp_report_description_attribute_filter` | `MISP_REPORT_DESCRIPTION_ATTRIBUTE_FILTER` | No | Filter to be used to find the attribute with report description (example: "type=comment,category=Internal reference"). |
| `misp_create_reports` | `MISP_CREATE_REPORTS` | Yes | A boolean (`True` or `False`), create reports for each imported MISP event. |
| `misp_create_object_observables` | `MISP_CREATE_OBJECT_OBSERVABLES` | Yes | A boolean (`True` or `False`), create a text observable for each imported MISP object. |
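Review bot: In the new README row the parameter is listed as `date_filter_field`, while every other row in this table uses the `misp_` prefix in the first column (`misp_datetime_attribute`, `misp_ssl_verify`, and so on). Please rename it to `misp_date_filter_field` for consistency. The two descriptions are also easy to confuse now, so it would help to state which values the filter accepts, for example the `date_from` used in the sample files.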
3 changes: 2 additions & 1 deletion external-import/misp/docker-compose.yml
@@ -1,4 +1,4 @@
version: '3'
version: "3"
services:
connector-misp:
image: opencti/connector-misp:6.1.12
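Review bot: The quote change on the `version` line (`'3'` to `"3"`) is unrelated to the new setting and only adds noise to the diff. Please drop it from this PR or move it to a separate formatting change.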
Expand Down Expand Up @@ -43,4 +43,5 @@ services:
- MISP_IMPORT_UNSUPPORTED_OBSERVABLES_AS_TEXT=false # Optional, import unsupported observable as x_opencti_text
- MISP_IMPORT_UNSUPPORTED_OBSERVABLES_AS_TEXT_TRANSPARENT=true # Optional, import unsupported observable as x_opencti_text just with the value
- MISP_INTERVAL=5 # Required, in minutes
- MISP_DATE_FILTER_FIELD=date_from # Required, field to filter on date
restart: always
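Review bot: The comment on `MISP_DATE_FILTER_FIELD` says "Required", but the `get_config_variable` call added in `misp.py` supplies `"date_from"` when the variable is not set. Either mark it optional here and mention the default, or remove the default in the code so that the documentation and the behaviour agree.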
5 changes: 3 additions & 2 deletions external-import/misp/src/config.yml.sample
Expand Up @@ -18,7 +18,8 @@ misp:
key: 'ChangeMe' # Required
ssl_verify: true # Required
client_cert: '' # Optional, Path to the client certificate eg. /app/cert/clientcert.pem
datetime_attribute: 'timestamp' # Required, filter to be used in query for new MISP events
date_filter_field: 'date_from' # Required, filter to be used in query for new MISP events
datetime_attribute: 'timestamp' # Required, field to be used to get the date of the event
create_reports: true # Required, create report for MISP event
create_indicators: true # Required, create indicators for attributes
create_observables: true # Required, create observables for attributes
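Review bot: The comment on `date_filter_field` does not say which values are accepted, and this string becomes the name of the filter used in the query. Please list the supported values in the comment: the sample uses `date_from`, and before this change the filter name was the `datetime_attribute` value, `timestamp`.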
Expand Down Expand Up @@ -47,4 +48,4 @@ misp:
import_to_ids_no_score: 40 # Optional, use as a score for the indicator/observable if the attribute to_ids is no
import_unsupported_observables_as_text: false # Optional, import unsupported observable as x_opencti_text
import_unsupported_observables_as_text_transparent: true # Optional, import unsupported observable as x_opencti_text just with the value
interval: 5 # Required, in minutes
interval: 5 # Required, in minutes
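Review bot: The removed and added `interval: 5` lines read identically, so this hunk is a whitespace or end-of-file newline change only. If it is not intentional, please revert it to keep the patch limited to the new setting.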
9 changes: 8 additions & 1 deletion external-import/misp/src/misp.py
Expand Up @@ -132,6 +132,13 @@ def __init__(self):
False,
"timestamp",
)
self.misp_filter_date_attribute = get_config_variable(
"MISP_DATE_FILTER_FIELD",
["misp", "date_filter_field"],
config,
False,
"date_from",
)
self.misp_report_description_attribute_filter = parse_filter_config(
get_config_variable(
"MISP_REPORT_DESCRIPTION_ATTRIBUTE_FILTER",
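Review bot: The `"date_from"` default in the new `get_config_variable` call changes behaviour for existing deployments that upgrade without setting `MISP_DATE_FILTER_FIELD`. Before this patch the filter key in `run()` was `self.misp_datetime_attribute`, which defaults to `"timestamp"`, and after it the key silently becomes `date_from`. Consider falling back to `self.misp_datetime_attribute` when the new variable is unset, or call out the change in the release notes. As a smaller point, the attribute name `misp_filter_date_attribute` reorders the words of the config key `date_filter_field`; `misp_date_filter_field` would be easier to grep for.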
Expand Down Expand Up @@ -359,7 +366,7 @@ def run(self):

# Put the date
next_event_timestamp = last_event_timestamp + 1
kwargs[self.misp_datetime_attribute] = next_event_timestamp
kwargs[self.misp_filter_date_attribute] = next_event_timestamp

# Complex query date
if complex_query_tag is not None:
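Review bot: In `kwargs[self.misp_filter_date_attribute] = next_event_timestamp` the configured string is used as a query keyword with no validation, so a typo in `MISP_DATE_FILTER_FIELD` only surfaces when the query runs. Please check the value against the set of supported filter names in `__init__` and fail fast with a clear error. The value assigned is still `last_event_timestamp + 1`, an integer timestamp, so it is also worth confirming that every filter name allowed here, including the default `date_from`, accepts a timestamp rather than a date string.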