MISP
/
PyMISP
mirror of https://github.com/MISP/PyMISP
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: Moar jupyter

pull/247/head
Raphaël Vinot 2018-06-26 12:01:48 +08:00
parent 09aa74229a
commit 3dbc88d241
2 changed files with 570 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

146
docs/tutorial/PyMISP Objects.ipynb
View File

@ -396,6 +396,71 @@
"print(event.to_json())"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Generic helper\n",
"\n",
"This helper is meant to be used when you alreadu have a script that does the mapping between your own code, and the MISPObject template."
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp.tools import GenericObjectGenerator\n",
"\n",
"attributeAsDict = [{'script': ':(){ :|:& };:', 'comment': 'Forkbomb'},\n",
" {'language': {'value': 'Bash', 'to_ids': False, 'disable_correlation': True}}, \n",
" {'filename': {'value': 'forkbomb.sh', 'to_ids': True}},\n",
" {'state': 'Malicious'}]\n",
"\n",
"\n",
"misp_object = GenericObjectGenerator('script', strict=True)\n",
"misp_object.generate_attributes(attributeAsDict)\n",
"\n",
"print(misp_object.to_json())"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp.tools import GenericObjectGenerator\n",
"\n",
"attributeAsDict = [{'MyCoolAttribute': {'value': 'critical thing', 'type': 'text'}}, \n",
" {'MyCoolerAttribute': {'value': 'even worse', 'type': 'text'}}]\n",
"\n",
"\n",
"misp_object = GenericObjectGenerator('my-cool-template', strict=True) # This is supposed to fail due to the strict parameter\n",
"misp_object.generate_attributes(attributeAsDict)\n",
"\n",
"print(misp_object.to_json())"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp.tools import GenericObjectGenerator\n",
"\n",
"attributeAsDict = [{'MyCoolAttribute': {'value': 'critical thing', 'type': 'text'}}, \n",
" {'MyCoolerAttribute': {'value': 'even worse', 'type': 'text'}}]\n",
"\n",
"\n",
"misp_object = GenericObjectGenerator('my-cool-template')\n",
"misp_object.generate_attributes(attributeAsDict)\n",
"\n",
"print(misp_object.to_json())"
]
},
{
"cell_type": "markdown",
"metadata": {},
@ -565,43 +630,6 @@
"## Full example"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import MISPEvent, MISPObject\n",
"from pymisp import PyMISP\n",
"\n",
"event = MISPEvent()\n",
"\n",
"event.info = 'This is my new MISP event' # Required\n",
"event.distribution = 0 # Optional, defaults to MISP.default_event_distribution in MISP config\n",
"event.threat_level_id = 2 # Optional, defaults to MISP.default_event_threat_level in MISP config\n",
"event.analysis = 1 # Optional, defaults to 0 (initial analysis)\n",
"\n",
"mispObject = MISPObject('file')\n",
"mispObject.add_attribute('filename', type='filename',\n",
" value='filename.exe',\n",
" Tag=[{'name':'tlp:amber'}]) \n",
"event.add_object(mispObject)\n",
"\n",
"# The URL of the MISP instance to connect to\n",
"misp_url = 'https://<URL>/'\n",
"# Can be found in the MISP web interface under \n",
"# http://+MISP_URL+/users/view/me -> Authkey\n",
"misp_key = '<key>'\n",
"# Should PyMISP verify the MISP certificate\n",
"misp_verifycert = True\n",
"\n",
"misp = PyMISP(misp_url, misp_key, misp_verifycert)\n",
"res = misp.add_event(event)\n",
"existing_event = MISPEvent()\n",
"existing_event.load(res)\n",
"print(existing_event.to_json())"
]
},
{
"cell_type": "code",
"execution_count": null,
@ -650,6 +678,43 @@
"print(existing_event.to_json())"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import MISPEvent, MISPObject\n",
"from pymisp import PyMISP\n",
"\n",
"event = MISPEvent()\n",
"\n",
"event.info = 'This is my new MISP event' # Required\n",
"event.distribution = 0 # Optional, defaults to MISP.default_event_distribution in MISP config\n",
"event.threat_level_id = 2 # Optional, defaults to MISP.default_event_threat_level in MISP config\n",
"event.analysis = 1 # Optional, defaults to 0 (initial analysis)\n",
"\n",
"mispObject = MISPObject('file')\n",
"mispObject.add_attribute('filename', type='filename',\n",
" value='filename.exe',\n",
" Tag=[{'name':'tlp:amber'}]) \n",
"event.add_object(mispObject)\n",
"\n",
"# The URL of the MISP instance to connect to\n",
"misp_url = 'http://127.0.0.1:8080'\n",
"# Can be found in the MISP web interface under \n",
"# http://+MISP_URL+/users/view/me -> Authkey\n",
"misp_key = 'yB8DMS8LkfYYpcVX8bN2v7xwDZDMp4bpW0sNqNGj'\n",
"# Should PyMISP verify the MISP certificate\n",
"misp_verifycert = False\n",
"\n",
"misp = PyMISP(misp_url, misp_key, misp_verifycert)\n",
"res = misp.add_event(event)\n",
"existing_event = MISPEvent()\n",
"existing_event.load(res)\n",
"print(existing_event.to_json())"
]
},
{
"cell_type": "markdown",
"metadata": {},
@ -680,13 +745,6 @@
"\n",
"print(event.to_json())\n"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": []
}
],
"metadata": {

468
docs/tutorial/Usage.ipynb Normal file
View File

@ -0,0 +1,468 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Using the API to interact with a remote MISP instance\n",
"\n",
"You can fetch a VM from here: https://www.circl.lu/misp-images/latest/, or connect to your dev instance.\n",
"\n",
"This box needs to be run in order to connect to the MISP instance and run the subsequent commands."
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import PyMISP, MISPEvent, MISPAttribute\n",
"\n",
"# The URL of the MISP instance to connect to\n",
"misp_url = 'http://127.0.0.1:8080'\n",
"# Can be found in the MISP web interface under \n",
"# http://+MISP_URL+/users/view/me -> Authkey\n",
"misp_key = 'yB8DMS8LkfYYpcVX8bN2v7xwDZDMp4bpW0sNqNGj'\n",
"# Should PyMISP verify the MISP certificate\n",
"misp_verifycert = False\n",
"\n",
"misp = PyMISP(misp_url, misp_key, misp_verifycert)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Get the last events\n",
"\n",
"There are multiple definition for *last* in MISP.\n",
"\n",
"## Last *published* events"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"scrolled": true
},
"outputs": [],
"source": [
"response = misp.search(last='1d')\n",
"\n",
"events = []\n",
"for event in response['response']:\n",
" me = MISPEvent()\n",
" me.load(event)\n",
" events.append(me)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"response = misp.search(last=['3d', '2d'])\n",
"\n",
"events = []\n",
"for event in response['response']:\n",
" me = MISPEvent()\n",
" me.load(event)\n",
" events.append(me)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Last *updated* events"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"scrolled": true
},
"outputs": [],
"source": [
"from datetime import datetime\n",
"\n",
"ts = int(datetime.now().timestamp())\n",
"\n",
"response = misp.search(timestamp=ts-36000)\n",
"\n",
"events = []\n",
"for event in response['response']:\n",
" me = MISPEvent()\n",
" me.load(event)\n",
" events.append(me)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## On an interval"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp = PyMISP(misp_url, misp_key, misp_verifycert, debug=True)\n",
"\n",
"ts = int(datetime.now().timestamp())\n",
"\n",
"response = misp.search(timestamp=[ts-3600, ts])\n",
"\n",
"events = []\n",
"for event in response['response']:\n",
" me = MISPEvent()\n",
" me.load(event)\n",
" events.append(me)\n",
"\n",
"for e in events:\n",
" print(e)\n",
" \n",
"misp = PyMISP(misp_url, misp_key, misp_verifycert) # TODO: remove when fixed"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Get the last attributes\n",
"\n",
"## Last *published* attributes"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"response = misp.search(controller='attributes', last='1h')\n",
"\n",
"attributes = []\n",
"for attribute in response['response']['Attribute']:\n",
" ma = MISPAttribute()\n",
" ma.from_dict(**attribute)\n",
" attributes.append(ma)\n",
"\n",
"for a in attributes:\n",
" print(a.event_id, a)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"response = misp.search(controller='attributes', last=['2h', '1h'])\n",
"\n",
"attributes = []\n",
"for attribute in response['response']['Attribute']:\n",
" ma = MISPAttribute()\n",
" ma.from_dict(**attribute)\n",
" attributes.append(ma)\n",
"\n",
"for a in attributes:\n",
" print(a)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Last *updated* attributes"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"scrolled": true
},
"outputs": [],
"source": [
"ts = int(datetime.now().timestamp())\n",
"\n",
"response = misp.search(controller='attributes', timestamp=ts - 36000)\n",
"\n",
"attributes = []\n",
"for attribute in response['response']['Attribute']:\n",
" ma = MISPAttribute()\n",
" ma.from_dict(**attribute)\n",
" attributes.append(ma)\n",
"\n",
"for a in attributes:\n",
" print(a)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Fast search at index event level\n",
"\n",
"You have multiple ways to search for different values in MISP. Searching in the medadata of the events is very fast and if generally the recommended approach if your query returns lots of events."
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"response = misp.search_index(eventinfo='Cobalt Strike')\n",
"\n",
"events = []\n",
"for event in response['response']:\n",
" me = MISPEvent()\n",
" me.from_dict(**event)\n",
" events.append(me)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"print('No attributes are in the event', events[0].attributes)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"response = misp.search_index(tag='malware_classification:malware-category=\"Ransomware\"')\n",
"\n",
"events = []\n",
"for event in response['response']:\n",
" me = MISPEvent()\n",
" me.from_dict(**event)\n",
" events.append(me)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"scrolled": true
},
"outputs": [],
"source": [
"response = misp.search_index(timestamp='1h')\n",
"\n",
"events = []\n",
"for event in response['response']:\n",
" me = MISPEvent()\n",
" me.from_dict(**event)\n",
" events.append(me)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"events[0].id"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"event = MISPEvent()\n",
"event.load(misp.get(events[0].id))\n",
"print(event.to_json())"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Search indicators"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"response = misp.search(values=['59.157.4.2', 'hotfixmsupload.com'])\n",
"\n",
"events = []\n",
"for event in response['response']:\n",
" me = MISPEvent()\n",
" me.load(event)\n",
" events.append(me)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Sightings"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.sighting(value=e.attributes[3].value)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.sighting_list(e.attributes[3].id)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Admin Stuff"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_sharing_groups()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## User"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_users_list()"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.add_user('bar@foo.de', 1, 3)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_organisations_list()"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_roles_list()"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_feeds_list()"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.cache_feeds_all()"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": []
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.6.3"
}
},
"nbformat": 4,
"nbformat_minor": 2
}