Sync Sightings: add sightings discards sighting UUID passed on

[imranmmd17]

Exported sightings from one MISP and trying to add them to another MISP (basically Sync Sightings), we are able to add the sightings, however it does NOT use the given sighting_uuid. Instead the PyMISP API calls allocates a new sighting UUID. Basically making it as a new sighing instead of sync sighting.

We tried with MISP API calls: misp.add_sighting and attribute.add_sighting

Please advise how can we mimic the Sync Sightings with PyMISP API v 2.4.194

[Rafiot]

As far as I know, you can't. The sightings UUIDs are always re-created by MISP and ignored if you pass them from the API.

@iglocska @mokaddem can you confirm that?

[imranmmd17]

Thanks @Rafiot.

In case of MISP to MISP Sync, the Sightings UUID match. Wondering how is that achieved.

My understanding is Sync also internally uses APIs or is the Sync is over a MISP proprietary protocol?

[tomking2]

Hi @imranmmd17,

MISP does use the same APIs for pulling data, but it has specific code just for MISP-MISP sync that stores sightings once it receives them; it doesn't use the add_sighting API here. You may be able to re-purpose the PUSH mechanism that uses this function to bulk ingest sightings: https://github.com/MISP/MISP/blob/2.5/app/Controller/SightingsController.php#L334

It should keep the same UUID. However it's worth noting this API isn't provided through PyMISP or documented via OpenAPI as it's primarily designed for MISP syncing