PyMISP/examples/last.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from pymisp import ExpandedPyMISP
from keys import misp_url, misp_key, misp_verifycert
try:
    from keys import misp_client_cert
except ImportError:
    misp_client_cert = ''
import argparse
import os


# Usage for pipe masters: ./last.py -l 5h | jq .
# Usage in case of large data set and pivoting page by page: python3 last.py  -l 48h  -m 10 -p 2  | jq .[].Event.info

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Download latest events from a MISP instance.')
    parser.add_argument("-l", "--last", required=True, help="can be defined in days, hours, minutes (for example 5d or 12h or 30m).")
    parser.add_argument("-m", "--limit", required=False, default="10", help="Add the limit of records to get (by default, the limit is set to 10)")
    parser.add_argument("-p", "--page", required=False, default="1", help="Add the page to request to paginate over large dataset (by default page is set to 1)")
    parser.add_argument("-o", "--output", help="Output file")

    args = parser.parse_args()

    if args.output is not None and os.path.exists(args.output):
        print('Output file already exists, aborted.')
        exit(0)

    if misp_client_cert == '':
        misp_client_cert = None
    else:
        misp_client_cert = (misp_client_cert)

    misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert, cert=misp_client_cert)
    result = misp.search(publish_timestamp=args.last, limit=args.limit, page=args.page, pythonify=True)

    if not result:
        print('No results for that time period')
        exit(0)

    if args.output:
        with open(args.output, 'w') as f:
            for r in result:
                f.write(r.to_json() + '\n')
    else:
        for r in result:
            print(r.to_json())
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00			`#!/usr/bin/env python`
			`# -- coding: utf-8 --`

chg: Bump examples to python3 2019-07-17 16:46:47 +02:00			`from pymisp import ExpandedPyMISP`
chg: Refactorize typing, validate 2020-01-23 10:27:40 +01:00			`from keys import misp_url, misp_key, misp_verifycert`
			`try:`
			`from keys import misp_client_cert`
			`except ImportError:`
			`misp_client_cert = ''`
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00			`import argparse`
			`import os`


			`# Usage for pipe masters: ./last.py -l 5h \| jq .`
chg: [last] You can now paginate over multiple results in the last example command You can do stuff like this: python3 last.py -l 48h -m 10 -p 2 \| jq .[].Event.info which means the last 10 events on second page which are between a time range of 0 and 48 hours. 2019-06-24 15:55:01 +02:00			`# Usage in case of large data set and pivoting page by page: python3 last.py -l 48h -m 10 -p 2 \| jq .[].Event.info`
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00
			`if __name__ == '__main__':`
			`parser = argparse.ArgumentParser(description='Download latest events from a MISP instance.')`
			`parser.add_argument("-l", "--last", required=True, help="can be defined in days, hours, minutes (for example 5d or 12h or 30m).")`
chg: [last] You can now paginate over multiple results in the last example command You can do stuff like this: python3 last.py -l 48h -m 10 -p 2 \| jq .[].Event.info which means the last 10 events on second page which are between a time range of 0 and 48 hours. 2019-06-24 15:55:01 +02:00			`parser.add_argument("-m", "--limit", required=False, default="10", help="Add the limit of records to get (by default, the limit is set to 10)")`
			`parser.add_argument("-p", "--page", required=False, default="1", help="Add the page to request to paginate over large dataset (by default page is set to 1)")`
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00			`parser.add_argument("-o", "--output", help="Output file")`

			`args = parser.parse_args()`

			`if args.output is not None and os.path.exists(args.output):`
chg: [last] You can now paginate over multiple results in the last example command You can do stuff like this: python3 last.py -l 48h -m 10 -p 2 \| jq .[].Event.info which means the last 10 events on second page which are between a time range of 0 and 48 hours. 2019-06-24 15:55:01 +02:00			`print('Output file already exists, aborted.')`
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00			`exit(0)`

Make client_certs out of the box friendly 2019-09-12 04:42:22 +02:00			`if misp_client_cert == '':`
			`misp_client_cert = None`
			`else:`
			`misp_client_cert = (misp_client_cert)`

			`misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert, cert=misp_client_cert)`
chg: Bump examples to python3 2019-07-17 16:46:47 +02:00			`result = misp.search(publish_timestamp=args.last, limit=args.limit, page=args.page, pythonify=True)`
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00
chg: Bump examples to python3 2019-07-17 16:46:47 +02:00			`if not result:`
			`print('No results for that time period')`
			`exit(0)`

			`if args.output:`
			`with open(args.output, 'w') as f:`
			`for r in result:`
			`f.write(r.to_json() + '\n')`
			`else:`
			`for r in result:`
			`print(r.to_json())`