PyMISP/examples/last.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from pymisp import PyMISP
from keys import misp_url, misp_key, misp_verifycert
import argparse
import os
import json


# Usage for pipe masters: ./last.py -l 5h | jq .
# Usage in case of large data set and pivoting page by page: python3 last.py  -l 48h  -m 10 -p 2  | jq .[].Event.info

def init(url, key):
    return PyMISP(url, key, misp_verifycert, 'json')


def download_last(m, last, limit='10', page='1', out=None):
    result = m.search(last=last, limit=limit, page=page)
    if out is None:
        if 'response' in result:
            print(json.dumps(result['response']))
        else:
            print('No results for that time period')
            exit(0)
    else:
        with open(out, 'w') as f:
            f.write(json.dumps(result['response']))

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Download latest events from a MISP instance.')
    parser.add_argument("-l", "--last", required=True, help="can be defined in days, hours, minutes (for example 5d or 12h or 30m).")
    parser.add_argument("-m", "--limit", required=False, default="10", help="Add the limit of records to get (by default, the limit is set to 10)")
    parser.add_argument("-p", "--page", required=False, default="1", help="Add the page to request to paginate over large dataset (by default page is set to 1)")
    parser.add_argument("-o", "--output", help="Output file")

    args = parser.parse_args()

    if args.output is not None and os.path.exists(args.output):
        print('Output file already exists, aborted.')
        exit(0)

    misp = init(misp_url, misp_key)

    download_last(misp, args.last, limit=args.limit, page=args.page, out=args.output)
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00			`#!/usr/bin/env python`
			`# -- coding: utf-8 --`

			`from pymisp import PyMISP`
Improve examples 2016-03-21 21:24:15 +01:00			`from keys import misp_url, misp_key, misp_verifycert`
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00			`import argparse`
			`import os`
			`import json`


			`# Usage for pipe masters: ./last.py -l 5h \| jq .`
chg: [last] You can now paginate over multiple results in the last example command You can do stuff like this: python3 last.py -l 48h -m 10 -p 2 \| jq .[].Event.info which means the last 10 events on second page which are between a time range of 0 and 48 hours. 2019-06-24 15:55:01 +02:00			`# Usage in case of large data set and pivoting page by page: python3 last.py -l 48h -m 10 -p 2 \| jq .[].Event.info`
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00
			`def init(url, key):`
Update last.py 2016-02-12 11:30:56 +01:00			`return PyMISP(url, key, misp_verifycert, 'json')`
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00

chg: [last] You can now paginate over multiple results in the last example command You can do stuff like this: python3 last.py -l 48h -m 10 -p 2 \| jq .[].Event.info which means the last 10 events on second page which are between a time range of 0 and 48 hours. 2019-06-24 15:55:01 +02:00			`def download_last(m, last, limit='10', page='1', out=None):`
			`result = m.search(last=last, limit=limit, page=page)`
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00			`if out is None:`
Fix KeyError when no results in time period Fix a KeyError when no results were found for the specified time period. 2015-11-22 23:52:12 +01:00			`if 'response' in result:`
Fixed the JSON output format (\n breaks JSON loading afterwards) 2017-05-02 16:27:37 +02:00			`print(json.dumps(result['response']))`
Fix KeyError when no results in time period Fix a KeyError when no results were found for the specified time period. 2015-11-22 23:52:12 +01:00			`else:`
			`print('No results for that time period')`
			`exit(0)`
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00			`else:`
			`with open(out, 'w') as f:`
Update last.py 2017-04-06 14:23:04 +02:00			`f.write(json.dumps(result['response']))`
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00
			`if __name__ == '__main__':`
			`parser = argparse.ArgumentParser(description='Download latest events from a MISP instance.')`
			`parser.add_argument("-l", "--last", required=True, help="can be defined in days, hours, minutes (for example 5d or 12h or 30m).")`
chg: [last] You can now paginate over multiple results in the last example command You can do stuff like this: python3 last.py -l 48h -m 10 -p 2 \| jq .[].Event.info which means the last 10 events on second page which are between a time range of 0 and 48 hours. 2019-06-24 15:55:01 +02:00			`parser.add_argument("-m", "--limit", required=False, default="10", help="Add the limit of records to get (by default, the limit is set to 10)")`
			`parser.add_argument("-p", "--page", required=False, default="1", help="Add the page to request to paginate over large dataset (by default page is set to 1)")`
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00			`parser.add_argument("-o", "--output", help="Output file")`

			`args = parser.parse_args()`

			`if args.output is not None and os.path.exists(args.output):`
chg: [last] You can now paginate over multiple results in the last example command You can do stuff like this: python3 last.py -l 48h -m 10 -p 2 \| jq .[].Event.info which means the last 10 events on second page which are between a time range of 0 and 48 hours. 2019-06-24 15:55:01 +02:00			`print('Output file already exists, aborted.')`
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00			`exit(0)`

Auth parameters normalized 2015-11-06 10:14:45 +01:00			`misp = init(misp_url, misp_key)`
Add last param to restSearch + example script 2015-08-05 17:20:59 +02:00
chg: [last] You can now paginate over multiple results in the last example command You can do stuff like this: python3 last.py -l 48h -m 10 -p 2 \| jq .[].Event.info which means the last 10 events on second page which are between a time range of 0 and 48 hours. 2019-06-24 15:55:01 +02:00			`download_last(misp, args.last, limit=args.limit, page=args.page, out=args.output)`