diff --git a/examples/situational-awareness/README.md b/examples/situational-awareness/README.md
new file mode 100644
index 0000000..f0e4b19
--- /dev/null
+++ b/examples/situational-awareness/README.md
@@ -0,0 +1,9 @@
+## Explanation
+
+* treemap.py is a script that will generate an interactive svg (attribute\_treemap.svg) containing a treepmap representing the distribution of attributes in a sample (data) fetched from the instance using "last" or "searchall" examples.
+* It will also generate a html document with a table (attribute\_table.html) containing count for each type of attribute.
+* test\_attribute\_treemap.html is a quick page made to visualize both treemap and table at the same time.
+
+## Requierements
+
+* [Pygal](https://github.com/Kozea/pygal/)
diff --git a/examples/statistics/attribute_treemap.py b/examples/situational-awareness/attribute_treemap.py
similarity index 100%
rename from examples/statistics/attribute_treemap.py
rename to examples/situational-awareness/attribute_treemap.py
diff --git a/examples/situational-awareness/style.css b/examples/situational-awareness/style.css
new file mode 100644
index 0000000..8c5313b
--- /dev/null
+++ b/examples/situational-awareness/style.css
@@ -0,0 +1,46 @@
+body
+{
+ /*font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;*/
+ font-family: Consolas, "Liberation Mono", Menlo, Courier, monospace;
+}
+
+h1
+{
+ font-size: 16px;
+ width: 290px;
+ text-align:center;
+}
+
+/*** Stats Tables ***/
+
+table
+{
+ border-collapse: collapse;
+ border-spacing: 0;
+ border: 1px solid #cbcbcb;
+}
+
+tbody
+{
+ font-size:12px;
+}
+
+table td
+{
+ border-left: 1px solid #cbcbcb;
+ border-width: 0 0 0 1px;
+ width: 150px;
+ margin: 0;
+ padding: 0.5em 1em;
+}
+
+
+table tr:nth-child(2n-1) td
+{
+ background-color: #f2f2f2;
+}
+
+table tr td:first-child
+{
+ font-weight: bold;
+}
diff --git a/examples/situational-awareness/tag_search.py b/examples/situational-awareness/tag_search.py
new file mode 100644
index 0000000..a04f54a
--- /dev/null
+++ b/examples/situational-awareness/tag_search.py
@@ -0,0 +1,69 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from pymisp import PyMISP
+from keys import misp_url, misp_key, misp_verifycert
+from datetime import datetime
+import argparse
+import json
+import tools
+
+def init(url, key):
+ return PyMISP(url, key, misp_verifycert, 'json')
+
+########## fetch data ##########
+
+def searchall(m, search, url):
+ result = m.search_all(search)
+ with open('data', 'w') as f:
+ f.write(json.dumps(result))
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='Take a sample of events (based on last.py of searchall.py) and create a treemap epresenting the distribution of attributes in this sample.')
+ parser.add_argument("-s", "--search", help="string to search")
+ parser.add_argument("-t", "--tag", required=True, help="String to search in tags, can be composed. Example: \"ransomware|Ransomware\"")
+ parser.add_argument("-b", "--begindate", help="The research will look for Tags attached to events posted at or after the given startdate (format: yyyy-mm-dd): If no date is given, default time is epoch time (1970-1-1)")
+ parser.add_argument("-e", "--enddate", help="The research will look for Tags attached to events posted at or before the given enddate (format: yyyy-mm-dd): If no date is given, default time is now()")
+
+ args = parser.parse_args()
+
+ misp = init(misp_url, misp_key)
+
+ searchall(misp, args.search, misp_url)
+
+ if args.begindate is not None:
+ args.begindate = tools.toDatetime(args.begindate)
+ if args.enddate is not None:
+ args.enddate = tools.toDatetime(args.enddate)
+
+ Events = tools.eventsListBuildFromArray('data')
+ TotalEvents = tools.getNbitems(Events)
+ Tags = tools.tagsListBuild(Events)
+ result = tools.isTagIn(Tags, args.tag)
+ TotalTags = len(result)
+
+ Events = tools.selectInRange(Events, begin=args.begindate, end=args.enddate)
+ TotalPeriodEvents = tools.getNbitems(Events)
+ Tags = tools.tagsListBuild(Events)
+ result = tools.isTagIn(Tags, args.tag)
+ TotalPeriodTags = len(result)
+
+ text = 'Studied pediod: from '
+ if args.begindate is None:
+ text = text + '1970-01-01'
+ else:
+ text = text + str(args.begindate.date())
+ text = text + ' to '
+ if args.enddate is None:
+ text = text + str(datetime.now().date())
+ else:
+ text = text + str(args.enddate.date())
+
+ print '\n========================================================'
+ print text
+ print 'During the studied pediod, ' + str(TotalPeriodTags) + ' events out of ' + str(TotalPeriodEvents) + ' contains at least one tag with ' + args.tag + '.'
+ if TotalTags != 0:
+ print 'It represents ' + str(round(100*TotalPeriodTags/TotalTags, 3)) + '% of the fetched events (' + str(TotalTags) + ') including this tag.'
+ if TotalEvents != 0:
+ print 'It also represents ' + str(round(100*TotalPeriodTags/TotalEvents, 3)) + '% of all the fetched events (' + str(TotalEvents) + ').'
+
diff --git a/examples/situational-awareness/tags_count.py b/examples/situational-awareness/tags_count.py
new file mode 100644
index 0000000..cff5d9b
--- /dev/null
+++ b/examples/situational-awareness/tags_count.py
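Review bot: The two percentage lines at the end of the hunk compute `100*TotalPeriodTags/TotalTags` and `100*TotalPeriodTags/TotalEvents` with integer operands; the file uses the Python 2 `print` statement, so these are floor divisions and `round(..., 3)` receives an already-truncated value, printing `0.0%` whenever the period count is below 1% of the total and never a fractional percentage otherwise. Make one operand a float, `round(100.0 * TotalPeriodTags / TotalTags, 3)` (and the same for `TotalEvents`), or add `from __future__ import division` next to the imports. Earlier in the hunk `searchall(misp, args.search, misp_url)` is called without the `if args.search is None: args.search = ''` guard that tags_count.py applies, so running without `-s` hands `None` to `search_all`. The `ArgumentParser` description is copied from the treemap script and describes a treemap rather than this tag study, here and in tags_count.py, and the `url` parameter of `searchall` is unused in both files.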
@@ -0,0 +1,70 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from pymisp import PyMISP
+from keys import misp_url, misp_key, misp_verifycert
+from datetime import datetime
+import argparse
+import json
+import tools
+
+def init(url, key):
+ return PyMISP(url, key, misp_verifycert, 'json')
+
+########## fetch data ##########
+
+def searchall(m, search, url):
+ result = m.search_all(search)
+ with open('data', 'w') as f:
+ f.write(json.dumps(result))
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='Take a sample of events (based on last.py of searchall.py) and create a treemap epresenting the distribution of attributes in this sample.')
+ parser.add_argument("-s", "--search", help="string to search")
+ parser.add_argument("-b", "--begindate", help="The research will look for Tags attached to events posted at or after the given startdate (format: yyyy-mm-dd): If no date is given, default time is epoch time (1970-1-1)")
+ parser.add_argument("-e", "--enddate", help="The research will look for Tags attached to events posted at or before the given enddate (format: yyyy-mm-dd): If no date is given, default time is now()")
+
+ args = parser.parse_args()
+
+ misp = init(misp_url, misp_key)
+
+ if args.search is None:
+ args.search = ''
+ searchall(misp, args.search, misp_url)
+
+ if args.begindate is not None:
+ args.begindate = tools.toDatetime(args.begindate)
+ if args.enddate is not None:
+ args.enddate = tools.toDatetime(args.enddate)
+
+ Events = tools.eventsListBuildFromArray('data')
+ TotalEvents = tools.getNbitems(Events)
+ Tags = tools.tagsListBuild(Events)
+ result = tools.getNbOccurenceTags(Tags)
+ TotalTags = tools.getNbitems(Tags)
+
+ Events = tools.selectInRange(Events, begin=args.begindate, end=args.enddate)
+ TotalPeriodEvents = tools.getNbitems(Events)
+ Tags = tools.tagsListBuild(Events)
+ result = tools.getNbOccurenceTags(Tags)
+ TotalPeriodTags = tools.getNbitems(Tags)
+
+ text = 'Studied pediod: from '
+ if args.begindate is None:
+ text = text + '1970-01-01'
+ else:
+ text = text + str(args.begindate.date())
+ text = text + ' to '
+ if args.enddate is None:
+ text = text + str(datetime.now().date())
+ else:
+ text = text + str(args.enddate.date())
+
+ print '\n========================================================'
+ print text
+ print result
+ '''
+ print 'During the studied pediod, ' + str(TotalPeriodTags) + ' events out of ' + str(TotalPeriodEvents) + ' contains at least one tag with ' + args.tag + '.'
+ print 'It represents ' + str(round(100*TotalPeriodTags/TotalTags,3)) + '% of the fetched events (' + str(TotalTags) + ') including this tag.'
+ print 'It also represents ' + str(round(100*TotalPeriodTags/TotalEvents,3)) + '% of all the fetched events (' + str(TotalEvents) + ').'
+ '''
diff --git a/examples/situational-awareness/test_attribute_treemap.html b/examples/situational-awareness/test_attribute_treemap.html
new file mode 100644
index 0000000..d6e8fc4
--- /dev/null
+++ b/examples/situational-awareness/test_attribute_treemap.html
@@ -0,0 +1,26 @@
+
+
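Review bot: `TotalEvents`, `TotalTags`, `TotalPeriodEvents` and `TotalPeriodTags` are assigned in the middle of the hunk but never used: their only references sit inside the `'''...'''` string at the end, which is dead text and also names `args.tag`, an option this script does not define. Either drop the four assignments together with the quoted block, or turn the block into real output from the counts this script does have, e.g. `print 'Events in period: ' + str(TotalPeriodEvents) + ' of ' + str(TotalEvents)` and a matching line for the tag counts. `print result` dumps the raw return value of `tools.getNbOccurenceTags` with no label; a heading such as `print 'Tag occurrences in the studied period:'` before it keeps the output self-describing, and the first `result = tools.getNbOccurenceTags(Tags)` (before `selectInRange`) is overwritten without being read. `searchall` writes the fetched result to a hard-coded `data` file in the current directory; with `args.search` defaulting to `''` this presumably covers every event the key can read, so the path and file permissions deserve a comment or an option.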
+ + + ++ | + |