Splunk SOAR (f.k.a. Phantom)

Phantom MISP - adding attributes with comment

dewu94
Explorer

I'm trying to add attributes via the Phantom MISP app. Adding attributes itself works fine for me when I'm just using the predefined fields for specific values like 'email-dst', but I also need to include a 'comment' for the attributes I'm adding. So I decided to use the 'json' field of the GUI configuration, which should allow me to pass custom-built attributes. And here the first issues appeared.

The app documentation does not give an example of what the mentioned JSON string should look like when adding custom attributes. Initially I was basing it on Automation and MISP API · User guide of MISP Malware Information Sharing Platform, a Threat Sharing ..., where the JSON string was like this:

{"event_id":"3542","value":"1.2.3.4","category":"Network activity","type":"ip-dst"}

But unfortunately this one was not working - no attribute was added. Through trial and error I was able to discover that I can add attributes of a defined type with the following JSON, which is extremely different from the one mentioned in the MISP API documentation: {"email-dst":"test@email.com,"}. And please note that the comma at the end is not a typo - without it, no attribute is added. I have no idea why it works this way, but it allows me to add an attribute to an event.

However, this is where I got stuck. I have no idea how to include the comment field for such an attribute. I've tried several combinations containing {"comment":"abc"}, but then I receive 3 attributes of 'comment' type with the values 'a', 'b', 'c'.

Does anyone know how to add attributes with a comment using the Phantom MISP app?
