Add simple script to push MISP events into Neo4j

examples/make_neo4j.py

@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from pymisp import PyMISP
+from pymisp import Neo4j
+from pymisp import MISPEvent
+from keys import misp_url, misp_key
+import argparse
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Get all the events matching a value.')
+    parser.add_argument("-s", "--search", required=True, help="String to search.")
+    parser.add_argument("--host", default='localhost:7474', help="Host where neo4j is running.")
+    parser.add_argument("-u", "--user", default='neo4j', help="User on neo4j.")
+    parser.add_argument("-p", "--password", default='neo4j', help="Password on neo4j.")
+    args = parser.parse_args()
+
+    neo4j = Neo4j(args.host, args.user, args.password)
+    neo4j.del_all()
+    misp = PyMISP(misp_url, misp_key)
+    result = misp.search_all(args.search)
+    for json_event in result['response']:
+        if not json_event['Event']:
+            print(json_event)
+            continue
+        print('Importing', json_event['Event']['info'], json_event['Event']['id'])
+        try:
+            misp_event = MISPEvent()
+            misp_event.load(json_event)
+            neo4j.import_event(misp_event)
+        except:
+            print('broken')

pymisp/__init__.py

@@ -3,3 +3,4 @@ __version__ = '2.4.53'
 from .exceptions import PyMISPError, NewEventError, NewAttributeError, MissingDependency, NoURL, NoKey
 from .api import PyMISP
 from .mispevent import MISPEvent, MISPAttribute, EncodeUpdate, EncodeFull
+from .tools.neo4j import Neo4j

pymisp/tools/neo4j.py

@@ -0,0 +1,59 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+import glob
+import os
+from pymisp import MISPEvent
+
+try:
+    from py2neo import authenticate, Graph, Node, Relationship
+    has_py2neo = True
+except ImportError:
+    has_py2neo = False
+
+
+class Neo4j():
+
+    def __init__(self, host='localhost:7474', username='neo4j', password='neo4j'):
+        if not has_py2neo:
+            raise Exception('py2neo is required, please install: pip install py2neo')
+        authenticate(host, username, password)
+        self.graph = Graph()
+
+    def load_events_directory(self, directory):
+        self.events = []
+        for path in glob.glob(os.path.join(directory, '*.json')):
+            e = MISPEvent()
+            e.load(path)
+            self.import_event(e)
+
+    def del_all(self):
+        self.graph.delete_all()
+
+    def import_event(self, event):
+        tx = self.graph.begin()
+        event_node = Node('Event', uuid=event.uuid)
+        event_node['name'] = event.info
+        # event_node['distribution'] = event.distribution
+        # event_node['threat_level_id'] = event.threat_level_id
+        # event_node['analysis'] = event.analysis
+        # event_node['published'] = event.published
+        # event_node['date'] = event.date.isoformat()
+        tx.create(event_node)
+        for a in event.attributes:
+            attr_node = Node('Attribute', a.type, uuid=a.uuid)
+            attr_node['category'] = a.category
+            attr_node['name'] = a.value
+            # attr_node['to_ids'] = a.to_ids
+            # attr_node['comment'] = a.comment
+            # attr_node['distribution'] = a.distribution
+            tx.create(attr_node)
+            member_rel = Relationship(event_node, "is member", attr_node)
+            tx.create(member_rel)
+            val = Node('Value', name=a.value)
+            ev = Relationship(event_node, "has", val)
+            av = Relationship(attr_node, "is", val)
+            s = val | ev | av
+            tx.merge(s)
+            tx.graph.push(s)
+        tx.commit()