|
{
|
||
|
"cells": [
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# PyMISP - An interactive tutorial: Basics"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## Connecting to MISP\n",
|
||
|
"### Your configuration"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# The URL of the MISP instance to connect to\n",
|
||
|
"misp_url = 'http://127.0.0.1:8080/'\n",
|
||
|
"# Can be found in the MISP web interface under \n",
|
||
|
"# http://+MISP_URL+/users/view/me -> Authkey\n",
|
||
|
"misp_key = 'BSip0zVadeFDeolkX2g7MHx8mrlr0uE04hh6CQj0'\n",
|
||
|
"# Should PyMISP verify the MISP certificate\n",
|
||
|
"misp_verifycert = False"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Getting the API key (automatically generated on the trainig VM)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"from pathlib import Path\n",
|
||
|
"\n",
|
||
|
"api_file = Path('apikey')\n",
|
||
|
"if api_file.exists():\n",
|
||
|
" misp_url = 'http://127.0.0.1'\n",
|
||
|
" misp_verifycert = False\n",
|
||
|
" with open(api_file) as f:\n",
|
||
|
" misp_key = f.read().strip()\n",
|
||
|
" print(misp_key)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Initialize PyMISP"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"from pymisp import ExpandedPyMISP, PyMISP\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)\n",
|
||
|
"misp_old = PyMISP(misp_url, misp_key, misp_verifycert)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## Creating a MISP Event"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"### Directly"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"event = misp.new_event(distribution=1,\n",
|
||
|
" threat_level_id=1,\n",
|
||
|
" analysis=1,\n",
|
||
|
" info=\"Event from notebook\")\n",
|
||
|
"print(\"Event id: %s\" % event.id)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"event = misp_old.new_event(distribution=1,\n",
|
||
|
" threat_level_id=1,\n",
|
||
|
" analysis=1,\n",
|
||
|
" info=\"Event from notebook\")\n",
|
||
|
"print(\"Event id: %s\" % event['Event']['id'])"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"### Using the MISPEvent constructor"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"from pymisp import MISPEvent\n",
|
||
|
"\n",
|
||
|
"event_obj = MISPEvent()\n",
|
||
|
"event_obj.distribution = 1\n",
|
||
|
"event_obj.threat_level_id = 1\n",
|
||
|
"event_obj.analysis = 1\n",
|
||
|
"event_obj.info = \"Event from notebook 2\"\n",
|
||
|
"event = misp.add_event(event_obj)\n",
|
||
|
"event_id = event.id\n",
|
||
|
"print(\"Event id: %s\" % event_id)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## Fetching a MISP Event"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Fetch by ID\n",
|
||
|
"event = misp.get_event(event_id)\n",
|
||
|
"print(event)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Fetch by ID\n",
|
||
|
"event = misp_old.get_event(event_id)\n",
|
||
|
"print(event)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## Adding Attribute to an event"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"### Adding directly"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"attr_type = \"ip-src\"\n",
|
||
|
"value = \"8.8.8.8\"\n",
|
||
|
"category = \"Network activity\"\n",
|
||
|
"to_ids = False\n",
|
||
|
"proposal = False\n",
|
||
|
"updated_event = misp.add_named_attribute(event,\n",
|
||
|
" attr_type,\n",
|
||
|
" value,\n",
|
||
|
" category=category,\n",
|
||
|
" to_ids=to_ids,\n",
|
||
|
" proposal=proposal)\n",
|
||
|
"print(updated_event)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"### Using the MISPAttribute constructor"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"from pymisp import MISPAttribute\n",
|
||
|
"\n",
|
||
|
"# Attribute data already defined\n",
|
||
|
"attribute = MISPAttribute()\n",
|
||
|
"attribute.type = attr_type\n",
|
||
|
"attribute.value = value\n",
|
||
|
"attribute.category = category\n",
|
||
|
"attribute.proposal = proposal\n",
|
||
|
"print(attribute)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# An attribute can also be loaded directly from a JSON\n",
|
||
|
"json = '''{\n",
|
||
|
" \"type\": \"ip-dst\",\n",
|
||
|
" \"value\": \"127.0.0.1\",\n",
|
||
|
" \"category\": \"Network activity\",\n",
|
||
|
" \"to_ids\": false,\n",
|
||
|
" \"proposal\": false\n",
|
||
|
" }'''\n",
|
||
|
"\n",
|
||
|
"attribute = MISPAttribute()\n",
|
||
|
"attribute.from_json(json)\n",
|
||
|
"print(attribute)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"### And then, update the event"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {
|
||
|
"scrolled": false
|
||
|
},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Add the attribute to the event\n",
|
||
|
"## Fetch the event from MISP\n",
|
||
|
"event_dict = misp_old.get(event_id)['Event']\n",
|
||
|
"\n",
|
||
|
"## Convert it to a PyMISP Event\n",
|
||
|
"event = MISPEvent()\n",
|
||
|
"event.from_dict(**event_dict)\n",
|
||
|
"\n",
|
||
|
"## Add the attribute to the event\n",
|
||
|
"event.add_attribute(**attribute)\n",
|
||
|
"event.add_attribute(type='domain', value='circl.lu', disable_correlation=True)\n",
|
||
|
"\n",
|
||
|
"## Push the updated event to MISP\n",
|
||
|
"event_dict = misp.update_event(event)\n",
|
||
|
"print(event_dict)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# New Python 3.6 API\n",
|
||
|
"event = misp.get(event_id)\n",
|
||
|
"\n",
|
||
|
"## Add the attribute to the event\n",
|
||
|
"event.add_attribute(**attribute)\n",
|
||
|
"event.add_attribute(type='domain', value='circl.lu', disable_correlation=True)\n",
|
||
|
"\n",
|
||
|
"## Push the updated event to MISP\n",
|
||
|
"event_dict = misp.update_event(event)\n",
|
||
|
"print(event_dict)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## Performing search"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"### Events by their info fields"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"result = misp.search_index(eventinfo='notebook')\n",
|
||
|
"events = result['response']\n",
|
||
|
"\n",
|
||
|
"print('Found ', len(events), ' events!')\n",
|
||
|
"for event in events:\n",
|
||
|
" print(event['id'], ':', event['info'])"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"results[0]"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"### Attributes by their values"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"### Search in all attributes"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {
|
||
|
"scrolled": true
|
||
|
},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Search attributes (specified in controller) where the attribute type is 'ip-src'\n",
|
||
|
"# And the to_ids flag is set\n",
|
||
|
"attributes = misp.search(controller='attributes', type_attribute='ip-src', to_ids=0, pythonify=True)\n",
|
||
|
"\n",
|
||
|
"# Collect all event_id matching the searched attribute\n",
|
||
|
"event_ids = set()\n",
|
||
|
"for attr in attributes:\n",
|
||
|
" event_ids.add(attr.event_id)\n",
|
||
|
"\n",
|
||
|
"# Fetch all related events\n",
|
||
|
"for event_id in event_ids:\n",
|
||
|
" event = misp.get_event(event_id)\n",
|
||
|
" print(event.info)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## Creating and adding a MISP Object"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"from pymisp import MISPObject\n",
|
||
|
"\n",
|
||
|
"object_name = 'email'\n",
|
||
|
"object_data = {\n",
|
||
|
" 'from': 'admin@admin.test',\n",
|
||
|
" 'to': 'admin@foo.bar',\n",
|
||
|
" 'subject': 'An email',\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"# Create the MISP Object\n",
|
||
|
"misp_obj = MISPObject(object_name)\n",
|
||
|
"for obj_relation, value in object_data.items():\n",
|
||
|
" if obj_relation == 'subject':\n",
|
||
|
" misp_obj.add_attribute(obj_relation, value=value, comment='My fancy subject', disable_correlation=True)\n",
|
||
|
" else: \n",
|
||
|
" misp_obj.add_attribute(obj_relation, value=value)\n",
|
||
|
"\n",
|
||
|
"template_id = misp.get_object_template_id(misp_obj.template_uuid)\n",
|
||
|
"\n",
|
||
|
"# Add the object to MISP\n",
|
||
|
"response = misp.add_object(event_id,\n",
|
||
|
" template_id,\n",
|
||
|
" misp_obj)\n",
|
||
|
"print('Event ID', event_id)\n",
|
||
|
"print(response)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Direct call, no validation"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# The URL of the MISP instance to connect to\n",
|
||
|
"#misp_url = 'http://127.0.0.1:8080/'\n",
|
||
|
"# Can be found in the MISP web interface under \n",
|
||
|
"# http://+MISP_URL+/users/view/me -> Authkey\n",
|
||
|
"#misp_key = 'BSip0zVadeFDeolkX2g7MHx8mrlr0uE04hh6CQj0'\n",
|
||
|
"# Should PyMISP verify the MISP certificate\n",
|
||
|
"#misp_verifycert = False\n",
|
||
|
"\n",
|
||
|
"from pymisp import PyMISP\n",
|
||
|
"\n",
|
||
|
"misp = PyMISP(misp_url, misp_key, misp_verifycert)\n",
|
||
|
"misp.direct_call('attributes/add/58', {'type': 'ip-dst', 'value': '8.11.8.8'})"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# The URL of the MISP instance to connect to\n",
|
||
|
"misp_url = 'http://127.0.0.1:8080/'\n",
|
||
|
"# Can be found in the MISP web interface under \n",
|
||
|
"# http://+MISP_URL+/users/view/me -> Authkey\n",
|
||
|
"misp_key = 'fk5BodCZw8owbscW8pQ4ykMASLeJ4NYhuAbshNjo'\n",
|
||
|
"# Should PyMISP verify the MISP certificate\n",
|
||
|
"misp_verifycert = False\n",
|
||
|
"\n",
|
||
|
"from pymisp import PyMISP\n",
|
||
|
"\n",
|
||
|
"misp = PyMISP(misp_url, misp_key, misp_verifycert)\n",
|
||
|
"misp.direct_call('attributes/add/2167', '{\"type\": \"ip-dst\", \"value\": \"8.8.8.9\"}')"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# The URL of the MISP instance to connect to\n",
|
||
|
"#misp_url = 'http://127.0.0.1:8080/'\n",
|
||
|
"# Can be found in the MISP web interface under \n",
|
||
|
"# http://+MISP_URL+/users/view/me -> Authkey\n",
|
||
|
"#misp_key = 'fk5BodCZw8owbscW8pQ4ykMASLeJ4NYhuAbshNjo'\n",
|
||
|
"# Should PyMISP verify the MISP certificate\n",
|
||
|
"#misp_verifycert = False\n",
|
||
|
"\n",
|
||
|
"from pymisp import PyMISP\n",
|
||
|
"\n",
|
||
|
"misp = PyMISP(misp_url, misp_key, misp_verifycert)\n",
|
||
|
"misp.direct_call('events')"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": []
|
||
|
}
|
||
|
],
|
||
|
"metadata": {
|
||
|
"kernelspec": {
|
||
|
"display_name": "Python 3",
|
||
|
"language": "python",
|
||
|
"name": "python3"
|
||
|
},
|
||
|
"language_info": {
|
||
|
"codemirror_mode": {
|
||
|
"name": "ipython",
|
||
|
"version": 3
|
||
|
},
|
||
|
"file_extension": ".py",
|
||
|
"mimetype": "text/x-python",
|
||
|
"name": "python",
|
||
|
"nbconvert_exporter": "python",
|
||
|
"pygments_lexer": "ipython3",
|
||
|
"version": "3.7.3"
|
||
|
}
|
||
|
},
|
||
|
"nbformat": 4,
|
||
|
"nbformat_minor": 2
|
||
|
}
|