Update misp_retention.py to new api, use local tags

pull/5312/head
Richard van den Berg 2019-10-14 13:56:19 +02:00
parent 2a3e7a53a4
commit 91f40e6641
1 changed files with 13 additions and 13 deletions

tools/misp_retention.py Executable file → Normal file

@ -1,13 +1,13 @@
#!/usr/bin/env python #!/usr/bin/env python3
# #
# This script requires the MISP retention taxonomy is installed and enabled # This script requires the MISP retention taxonomy is installed and enabled
# See https://github.com/MISP/misp-taxonomies/tree/master/retention/retention # See https://github.com/MISP/misp-taxonomies/tree/master/retention/retention
from pymisp import PyMISP, MISPEvent from pymisp import ExpandedPyMISP, MISPEvent
from datetime import datetime from datetime import datetime
from dateutil.relativedelta import relativedelta from dateutil.relativedelta import relativedelta
import re import re
from keys import misp_url, misp_key, misp_verifycert from keys import misp_url, misp_key
# pip install pymisp python-dateutil # pip install pymisp python-dateutil
@ -18,16 +18,15 @@ class misphelper(object):
expiredTag = "retention:expired" expiredTag = "retention:expired"
def __init__(self): def __init__(self):
self.misp = PyMISP(url=misp_url, self.misp = ExpandedPyMISP(url=misp_url,
key=misp_key, key=misp_key,
ssl=misp_verifycert, ssl=True)
out_type="json")
self.taxonomyId = self.searchTaxonomy() self.taxonomyId = self.searchTaxonomy()
def searchTaxonomy(self): def searchTaxonomy(self):
res = self.misp.get_taxonomies_list() res = self.misp.taxonomies()
for tax in res["response"]: for tax in res:
if (tax["Taxonomy"]["namespace"] == "retention" and tax["Taxonomy"]["enabled"]): if (tax["Taxonomy"]["namespace"] == "retention" and tax["Taxonomy"]["enabled"]):
return tax["Taxonomy"]["id"] return tax["Taxonomy"]["id"]
@ -44,12 +43,12 @@ class misphelper(object):
changed = True changed = True
attr["to_ids"] = False attr["to_ids"] = False
self.misp.tag(mevent, self.expiredTag, True)
if changed: if changed:
mevent.add_tag(self.expiredTag)
res = self.misp.update_event(mevent.id, mevent) res = self.misp.update_event(mevent.id, mevent)
def findEventsAfterRetention(self, events, retention): def findEventsAfterRetention(self, events, retention):
for event in events["response"]: for event in events:
ts = datetime.strptime(event["Event"]["date"], "%Y-%m-%d") ts = datetime.strptime(event["Event"]["date"], "%Y-%m-%d")
now = datetime.utcnow() now = datetime.utcnow()
@ -66,12 +65,13 @@ class misphelper(object):
self.processEvent(event["Event"]) self.processEvent(event["Event"])
def queryRetentionTags(self): def queryRetentionTags(self):
res = self.misp.get_taxonomy_tags_list(self.taxonomyId) res = self.misp.get_taxonomy(self.taxonomyId)
for tag in res: for tag in res['entries']:
m = re.match(r"^retention:([0-9]+)([d,w,m,y])$", tag["tag"]) m = re.match(r"^retention:([0-9]+)([d,w,m,y])$", tag["tag"])
if m: if m:
events = self.misp.search(published=True, tags=tag["tag"], not_tags=self.expiredTag) tagSearch = self.misp.build_complex_query(and_parameters = tag["tag"], not_parameters = self.expiredTag)
events = self.misp.search(published=True, tags=tagSearch)
self.findEventsAfterRetention(events, (m.group(1), m.group(2))) self.findEventsAfterRetention(events, (m.group(1), m.group(2)))
else: else: