{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Using the API to interact with a remote MISP instance\n", "\n", "You can fetch a VM from here: https://www.circl.lu/misp-images/latest/, or connect to your dev instance.\n", "\n", "This box needs to be run in order to connect to the MISP instance and run the subsequent commands." ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "from pymisp import PyMISP, MISPEvent, MISPAttribute\n", "\n", "# The URL of the MISP instance to connect to\n", "misp_url = 'http://127.0.0.1:8080'\n", "# Can be found in the MISP web interface under \n", "# http://+MISP_URL+/users/view/me -> Authkey\n", "misp_key = 'yB8DMS8LkfYYpcVX8bN2v7xwDZDMp4bpW0sNqNGj'\n", "# Should PyMISP verify the MISP certificate\n", "misp_verifycert = False\n", "\n", "misp = PyMISP(misp_url, misp_key, misp_verifycert)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Get the last events\n", "\n", "There are multiple definition for *last* in MISP.\n", "\n", "## Last *published* events" ] }, { "cell_type": "code", "execution_count": null, "metadata": { "scrolled": true }, "outputs": [], "source": [ "response = misp.search(last='1d')\n", "\n", "events = []\n", "for event in response['response']:\n", " me = MISPEvent()\n", " me.load(event)\n", " events.append(me)\n", "\n", "for e in events:\n", " print(e)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "response = misp.search(last=['3d', '2d'])\n", "\n", "events = []\n", "for event in response['response']:\n", " me = MISPEvent()\n", " me.load(event)\n", " events.append(me)\n", "\n", "for e in events:\n", " print(e)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Last *updated* events" ] }, { "cell_type": "code", "execution_count": null, "metadata": { "scrolled": true }, "outputs": [], "source": [ "from datetime import datetime\n", "\n", "ts = int(datetime.now().timestamp())\n", "\n", "response = misp.search(timestamp=ts-36000)\n", "\n", "events = []\n", "for event in response['response']:\n", " me = MISPEvent()\n", " me.load(event)\n", " events.append(me)\n", "\n", "for e in events:\n", " print(e)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## On an interval" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "misp = PyMISP(misp_url, misp_key, misp_verifycert, debug=True)\n", "\n", "ts = int(datetime.now().timestamp())\n", "\n", "response = misp.search(timestamp=[ts-3600, ts])\n", "\n", "events = []\n", "for event in response['response']:\n", " me = MISPEvent()\n", " me.load(event)\n", " events.append(me)\n", "\n", "for e in events:\n", " print(e)\n", " \n", "misp = PyMISP(misp_url, misp_key, misp_verifycert) # TODO: remove when fixed" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Get the last attributes\n", "\n", "## Last *published* attributes" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "response = misp.search(controller='attributes', last='1h')\n", "\n", "attributes = []\n", "for attribute in response['response']['Attribute']:\n", " ma = MISPAttribute()\n", " ma.from_dict(**attribute)\n", " attributes.append(ma)\n", "\n", "for a in attributes:\n", " print(a.event_id, a)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "response = misp.search(controller='attributes', last=['2h', '1h'])\n", "\n", "attributes = []\n", "for attribute in response['response']['Attribute']:\n", " ma = MISPAttribute()\n", " ma.from_dict(**attribute)\n", " attributes.append(ma)\n", "\n", "for a in attributes:\n", " print(a)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Last *updated* attributes" ] }, { "cell_type": "code", "execution_count": null, "metadata": { "scrolled": true }, "outputs": [], "source": [ "ts = int(datetime.now().timestamp())\n", "\n", "response = misp.search(controller='attributes', timestamp=ts - 36000)\n", "\n", "attributes = []\n", "for attribute in response['response']['Attribute']:\n", " ma = MISPAttribute()\n", " ma.from_dict(**attribute)\n", " attributes.append(ma)\n", "\n", "for a in attributes:\n", " print(a)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Fast search at index event level\n", "\n", "You have multiple ways to search for different values in MISP. Searching in the medadata of the events is very fast and if generally the recommended approach if your query returns lots of events." ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "response = misp.search_index(eventinfo='Cobalt Strike')\n", "\n", "events = []\n", "for event in response['response']:\n", " me = MISPEvent()\n", " me.from_dict(**event)\n", " events.append(me)\n", "\n", "for e in events:\n", " print(e)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "print('No attributes are in the event', events[0].attributes)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "response = misp.search_index(tag='malware_classification:malware-category=\"Ransomware\"')\n", "\n", "events = []\n", "for event in response['response']:\n", " me = MISPEvent()\n", " me.from_dict(**event)\n", " events.append(me)\n", "\n", "for e in events:\n", " print(e)" ] }, { "cell_type": "code", "execution_count": null, "metadata": { "scrolled": true }, "outputs": [], "source": [ "response = misp.search_index(timestamp='1h')\n", "\n", "events = []\n", "for event in response['response']:\n", " me = MISPEvent()\n", " me.from_dict(**event)\n", " events.append(me)\n", "\n", "for e in events:\n", " print(e)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "events[0].id" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "event = MISPEvent()\n", "event.load(misp.get(events[0].id))\n", "print(event.to_json())" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Search indicators" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "response = misp.search(values=['59.157.4.2', 'hotfixmsupload.com'])\n", "\n", "events = []\n", "for event in response['response']:\n", " me = MISPEvent()\n", " me.load(event)\n", " events.append(me)\n", "\n", "for e in events:\n", " print(e)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Sightings" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "misp.sighting(value=e.attributes[3].value)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "misp.sighting_list(e.attributes[3].id)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Admin Stuff" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "misp.get_sharing_groups()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## User" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "misp.get_users_list()" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "misp.add_user('bar@foo.de', 1, 3)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "misp.get_organisations_list()" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "misp.get_roles_list()" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "misp.get_feeds_list()" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "misp.cache_feeds_all()" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.6.3" } }, "nbformat": 4, "nbformat_minor": 2 }