Merge pull request #393 from Wachizungu/feature/warninglisthits_search

Added includeWarninglistHits as a possible filter for the restsearch
pull/395/head
Alexandre Dulaunoy 2019-05-12 08:47:06 +02:00 committed by GitHub
commit 9f7f848d55
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 40 additions and 0 deletions

View File

@ -0,0 +1,38 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pymisp import PyMISP
from keys import misp_url, misp_key
import argparse
def init(url, key):
return PyMISP(url, key)
def loop_attributes(elem):
if 'Attribute' in elem.keys():
for attribute in elem['Attribute']:
if 'warnings' in attribute.keys():
for warning in attribute['warnings']:
print("Value {} has a hit in warninglist with name '{}' and id '{}'".format(warning['value'],
warning[
'warninglist_name'],
warning[
'warninglist_id']))
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Print all warninglist hits for an event.')
parser.add_argument("eventid", type=str, help="The event id of the event to get info of")
args = parser.parse_args()
misp = init(misp_url, misp_key)
evt = misp.search('events', eventid=args.eventid, includeWarninglistHits=1)['response'][0]['Event']
if 'warnings' in evt.keys():
print('warnings in entire event:')
print(str(evt['warnings']) + '\n')
print('Warnings at attribute levels:')
loop_attributes(evt)
if 'Object' in evt.keys():
for obj in evt['Object']:
loop_attributes(obj)

View File

@ -1190,6 +1190,7 @@ class PyMISP(object):
:param publish_timestamp: the publish timestamp
:param timestamp: the timestamp of the last modification. Can be a list (from->to)
:param enforceWarninglist: Enforce the warning lists
:param includeWarninglistHits: Include the warning list hits
:param searchall: full text search on the database
:param metadata: return only metadata if True
:param published: return only published events
@ -1251,6 +1252,7 @@ class PyMISP(object):
query['publish_timestamp'] = kwargs.pop('publish_timestamp', None)
query['timestamp'] = kwargs.pop('timestamp', None)
query['enforceWarninglist'] = kwargs.pop('enforceWarninglist', None)
query['includeWarninglistHits'] = kwargs.pop('includeWarninglistHits', None)
query['to_ids'] = kwargs.pop('to_ids', None)
query['deleted'] = kwargs.pop('deleted', None)
query['published'] = kwargs.pop('published', None)