mirror of https://github.com/MISP/PyMISP
487 lines
10 KiB
Plaintext
487 lines
10 KiB
Plaintext
|
{
|
||
|
"cells": [
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Using the API to interact with a remote MISP instance\n",
|
||
|
"\n",
|
||
|
"You can fetch a VM from here: https://www.circl.lu/misp-images/latest/, or connect to your dev instance.\n",
|
||
|
"\n",
|
||
|
"This box needs to be run in order to connect to the MISP instance and run the subsequent commands."
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"from pymisp import ExpandedPyMISP, MISPEvent, MISPAttribute\n",
|
||
|
"\n",
|
||
|
"# The URL of the MISP instance to connect to\n",
|
||
|
"misp_url = 'http://127.0.0.1:8080'\n",
|
||
|
"# Can be found in the MISP web interface under \n",
|
||
|
"# http://+MISP_URL+/users/view/me -> Authkey\n",
|
||
|
"misp_key = 'LBelWqKY9SQyG0huZzAMqiEBl6FODxpgRRXMsZFu'\n",
|
||
|
"# Should PyMISP verify the MISP certificate\n",
|
||
|
"misp_verifycert = False"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Getting the API key (automatically generated on the trainig VM)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"from pathlib import Path\n",
|
||
|
"\n",
|
||
|
"api_file = Path('apikey')\n",
|
||
|
"if api_file.exists():\n",
|
||
|
" misp_url = 'http://127.0.0.1'\n",
|
||
|
" misp_verifycert = False\n",
|
||
|
" with open(api_file) as f:\n",
|
||
|
" misp_key = f.read().strip()\n",
|
||
|
" print(misp_key)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Initialize PyMISP"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Get the last events\n",
|
||
|
"\n",
|
||
|
"There are multiple definition for *last* in MISP.\n",
|
||
|
"\n",
|
||
|
"## Last *published* events"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {
|
||
|
"scrolled": true
|
||
|
},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"response = misp.search(publish_timestamp='2h')\n",
|
||
|
"\n",
|
||
|
"events = []\n",
|
||
|
"for event in response['response']:\n",
|
||
|
" me = MISPEvent()\n",
|
||
|
" me.load(event)\n",
|
||
|
" events.append(me)\n",
|
||
|
" \n",
|
||
|
"for e in events:\n",
|
||
|
" print(e)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"events = misp.search(publish_timestamp=['120m', '100m'], pythonify=True)\n",
|
||
|
"\n",
|
||
|
"for e in events:\n",
|
||
|
" print(e)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## Last *updated* events"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {
|
||
|
"scrolled": true
|
||
|
},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"from datetime import datetime\n",
|
||
|
"\n",
|
||
|
"ts = int(datetime.now().timestamp())\n",
|
||
|
"\n",
|
||
|
"response = misp.search(timestamp=ts-36000)\n",
|
||
|
"\n",
|
||
|
"events = []\n",
|
||
|
"for event in response['response']:\n",
|
||
|
" me = MISPEvent()\n",
|
||
|
" me.load(event)\n",
|
||
|
" events.append(me)\n",
|
||
|
"\n",
|
||
|
"for e in events:\n",
|
||
|
" print(e)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## On an interval"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"from datetime import datetime\n",
|
||
|
"ts = int(datetime.now().timestamp())\n",
|
||
|
"\n",
|
||
|
"events = misp.search(timestamp=[ts-3600, ts], pythonify=True)\n",
|
||
|
"\n",
|
||
|
"for e in events:\n",
|
||
|
" print(e)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Get the last attributes\n",
|
||
|
"\n",
|
||
|
"## Last *published* attributes"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"response = misp.search(controller='attributes', publish_timestamp='1h')\n",
|
||
|
"\n",
|
||
|
"attributes = []\n",
|
||
|
"for attribute in response['response']['Attribute']:\n",
|
||
|
" ma = MISPAttribute()\n",
|
||
|
" ma.from_dict(**attribute)\n",
|
||
|
" attributes.append(ma)\n",
|
||
|
"\n",
|
||
|
"for a in attributes:\n",
|
||
|
" print(a.event_id, a)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"response = misp.search(controller='attributes', publish_timestamp=['2h', '1h'])\n",
|
||
|
"\n",
|
||
|
"attributes = []\n",
|
||
|
"for attribute in response['response']['Attribute']:\n",
|
||
|
" ma = MISPAttribute()\n",
|
||
|
" ma.from_dict(**attribute)\n",
|
||
|
" attributes.append(ma)\n",
|
||
|
"\n",
|
||
|
"for a in attributes:\n",
|
||
|
" print(a)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## Last *updated* attributes"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {
|
||
|
"scrolled": true
|
||
|
},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"ts = int(datetime.now().timestamp())\n",
|
||
|
"\n",
|
||
|
"response = misp.search(controller='attributes', timestamp=ts - 36000)\n",
|
||
|
"\n",
|
||
|
"attributes = []\n",
|
||
|
"for attribute in response['response']['Attribute']:\n",
|
||
|
" ma = MISPAttribute()\n",
|
||
|
" ma.from_dict(**attribute)\n",
|
||
|
" attributes.append(ma)\n",
|
||
|
"\n",
|
||
|
"for a in attributes:\n",
|
||
|
" print(a)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Fast search at index event level\n",
|
||
|
"\n",
|
||
|
"You have multiple ways to search for different values in MISP. Searching in the medadata of the events is very fast and if generally the recommended approach if your query returns lots of events."
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"response = misp.search_index(eventinfo='Cobalt Strike')\n",
|
||
|
"\n",
|
||
|
"events = []\n",
|
||
|
"for event in response['response']:\n",
|
||
|
" me = MISPEvent()\n",
|
||
|
" me.from_dict(**event)\n",
|
||
|
" events.append(me)\n",
|
||
|
"\n",
|
||
|
"for e in events:\n",
|
||
|
" print(e)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"print('No attributes are in the event', events[0].attributes)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"response = misp.search_index(tag='malware_classification:malware-category=\"Ransomware\"')\n",
|
||
|
"\n",
|
||
|
"events = []\n",
|
||
|
"for event in response['response']:\n",
|
||
|
" me = MISPEvent()\n",
|
||
|
" me.from_dict(**event)\n",
|
||
|
" events.append(me)\n",
|
||
|
"\n",
|
||
|
"for e in events:\n",
|
||
|
" print(e)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {
|
||
|
"scrolled": true
|
||
|
},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"response = misp.search_index(timestamp='1h')\n",
|
||
|
"\n",
|
||
|
"events = []\n",
|
||
|
"for event in response['response']:\n",
|
||
|
" me = MISPEvent()\n",
|
||
|
" me.from_dict(**event)\n",
|
||
|
" events.append(me)\n",
|
||
|
"\n",
|
||
|
"for e in events:\n",
|
||
|
" print(e)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"events[0].id"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"event = MISPEvent()\n",
|
||
|
"event.load(misp.get(events[0].id))\n",
|
||
|
"print(event.to_json())"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Search indicators"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"complex_query = misp.build_complex_query(or_parameters=['59.157.4.2', 'hotfixmsupload.com'])\n",
|
||
|
"events = misp.search(value=complex_query, pythonify=True)\n",
|
||
|
"\n",
|
||
|
"for e in events:\n",
|
||
|
" print(e)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Sightings"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"misp.sighting(value=e.attributes[3].value)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"misp.sighting_list(e.attributes[3].id)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Admin Stuff"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"misp.get_sharing_groups()"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## User"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"misp.get_users_list()"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"misp.add_user('bar@foo.de', 1, 3)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"misp.get_organisations_list()"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"misp.get_roles_list()"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"misp.get_feeds_list()"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"misp.cache_feeds_all()"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": []
|
||
|
}
|
||
|
],
|
||
|
"metadata": {
|
||
|
"kernelspec": {
|
||
|
"display_name": "Python 3",
|
||
|
"language": "python",
|
||
|
"name": "python3"
|
||
|
},
|
||
|
"language_info": {
|
||
|
"codemirror_mode": {
|
||
|
"name": "ipython",
|
||
|
"version": 3
|
||
|
},
|
||
|
"file_extension": ".py",
|
||
|
"mimetype": "text/x-python",
|
||
|
"name": "python",
|
||
|
"nbconvert_exporter": "python",
|
||
|
"pygments_lexer": "ipython3",
|
||
|
"version": "3.6.7"
|
||
|
}
|
||
|
},
|
||
|
"nbformat": 4,
|
||
|
"nbformat_minor": 2
|
||
|
}
|