chg: Rework notebooks.

pull/382/head
Raphaël Vinot 2019-04-11 23:14:16 +02:00
parent 633f75db24
commit f002854e82
2 changed files with 987 additions and 163 deletions


@ -53,30 +53,6 @@
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Getting the API key (automatically generated on the trainig VM)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pathlib import Path\n",
"\n",
"api_file = Path('apikey')\n",
"if api_file.exists():\n",
" misp_url = 'http://127.0.0.1'\n",
" misp_verifycert = False\n",
" with open(api_file) as f:\n",
" misp_key = f.read().strip()\n",
" print(misp_key)"
]
},
{
"cell_type": "markdown",
"metadata": {},
@ -272,6 +248,15 @@
"print(attribute_second.to_json())"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"print(event.to_json())"
]
},
{
"cell_type": "markdown",
"metadata": {},
@ -312,6 +297,57 @@
"print(event.published)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## MISPAttribute"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"attr_type = 'ip-dst'\n",
"value = '1.1.1.1'"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import MISPAttribute\n",
"\n",
"# Attribute data already defined\n",
"attribute = MISPAttribute()\n",
"attribute.type = attr_type\n",
"attribute.value = value\n",
"print(attribute)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# An attribute can also be loaded directly from a JSON\n",
"json = '''{\n",
" \"type\": \"ip-dst\",\n",
" \"value\": \"127.0.0.1\",\n",
" \"category\": \"Network activity\",\n",
" \"to_ids\": false\n",
" }'''\n",
"\n",
"attribute = MISPAttribute()\n",
"attribute.from_json(json)\n",
"print(attribute)"
]
},
{
"cell_type": "markdown",
"metadata": {},
@ -354,7 +390,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"## One-liner to add an object to a MISPEvent\n",
"## Short version to add an object to a MISPEvent\n",
"\n",
"You can also add the object directly in a misp event this way"
]
@ -374,6 +410,10 @@
"misp_object.add_attribute('ip', value='149.13.33.14')\n",
"misp_object.add_attribute('first-seen', value='2018-04-11')\n",
"misp_object.add_attribute('last-seen', value='2018-06-11')\n",
"\n",
"misp_object.add_attributes('ip', {'value': '10.8.8.8', 'to_ids': False}, '10.9.8.8')\n",
"\n",
"\n",
"misp_object.add_reference(obj_attr.uuid, 'related-to', 'Expanded with passive DNS entry')\n",
"\n",
"print(event.to_json())\n"
@ -383,7 +423,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"## Helpers for MISPObjects \n",
"# Helpers for MISPObjects \n",
"\n",
"For some objects, we have helpers in order to make your life easier. The most relevant example is the file object: when you have a file to push on MISP, there are plenty of indicators you can extract at once, and it is pretty simple to automate, so we made it a oneliner.\n",
"\n",
@ -424,7 +464,74 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"# Generic helper\n",
"### Excel support \n",
"\n",
"(okay, CSV, but that's the same thing, right?)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"%%bash \n",
"\n",
"cat ../../tests/csv_testfiles/valid_fieldnames.csv"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"%%bash \n",
"\n",
"cat ../../tests/csv_testfiles/invalid_fieldnames.csv"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp.tools import CSVLoader\n",
"from pymisp import MISPEvent\n",
"from pathlib import Path\n",
"\n",
"csv1 = CSVLoader(template_name='file', csv_path=Path('../../tests/csv_testfiles/valid_fieldnames.csv'))\n",
"event = MISPEvent()\n",
"event.info = 'Test event from CSV loader'\n",
"for o in csv1.load():\n",
" event.add_object(**o)\n",
"\n",
"print(event.to_json())"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"event = MISPEvent()\n",
"event.info = 'Test event from CSV loader'\n",
"csv2 = CSVLoader(template_name='file', csv_path=Path('../../tests/csv_testfiles/invalid_fieldnames.csv'),\n",
" fieldnames=['SHA1', 'fileName', 'size-in-bytes'], has_fieldnames=True)\n",
"\n",
"for o in csv2.load():\n",
" event.add_object(**o)\n",
" \n",
"print(event.to_json())"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Generic helper\n",
"\n",
"This helper is meant to be used when you alreadu have a script that does the mapping between your own code, and the MISPObject template."
]
@ -449,6 +556,13 @@
"print(misp_object.to_json())"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## User defined objects"
]
},
{
"cell_type": "code",
"execution_count": null,
@ -647,98 +761,6 @@
"print(existing_event.attributes[0].to_json())"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Full example"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import MISPEvent, MISPObject\n",
"from pymisp import PyMISP\n",
"\n",
"event = MISPEvent()\n",
"event.info = 'This is my new MISP event' # Required\n",
"event.distribution = 0 # Optional, defaults to MISP.default_event_distribution in MISP config\n",
"event.threat_level_id = 2 # Optional, defaults to MISP.default_event_threat_level in MISP config\n",
"event.analysis = 1 # Optional, defaults to 0 (initial analysis)\n",
"\n",
"mispObject = MISPObject('file')\n",
"mispObject.add_attribute('filename', type='filename',\n",
" value='filename.exe',\n",
" Tag=[{'name': 'tlp:amber'}])\n",
"\n",
"event.add_object(mispObject)\n",
"\n",
"# The URL of the MISP instance to connect to\n",
"misp_url = 'http://127.0.0.1:8080'\n",
"# Can be found in the MISP web interface under \n",
"# http://+MISP_URL+/users/view/me -> Authkey\n",
"misp_key = 'xe5okWNY2OB3O9ljR6t2cJPNsv4u1VZB0C1mKwtB'\n",
"# Should PyMISP verify the MISP certificate\n",
"misp_verifycert = False\n",
"\n",
"misp = PyMISP(misp_url, misp_key, misp_verifycert)\n",
"res = misp.add_event(event)\n",
"existing_event = MISPEvent()\n",
"existing_event.load(res)\n",
"mispObject = MISPObject('file')\n",
"mispObject.add_attribute('filename', type='filename',\n",
" value='filename2.exe',\n",
" Tag=[{'name': 'tlp:white'}])\n",
"\n",
"existing_event.add_object(mispObject)\n",
"print(existing_event.to_json())\n",
"\n",
"res = misp.update(existing_event)\n",
"existing_event = MISPEvent()\n",
"existing_event.load(res)\n",
"print(existing_event.to_json())"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import MISPEvent, MISPObject\n",
"from pymisp import PyMISP\n",
"\n",
"event = MISPEvent()\n",
"\n",
"event.info = 'This is my new MISP event' # Required\n",
"event.distribution = 0 # Optional, defaults to MISP.default_event_distribution in MISP config\n",
"event.threat_level_id = 2 # Optional, defaults to MISP.default_event_threat_level in MISP config\n",
"event.analysis = 1 # Optional, defaults to 0 (initial analysis)\n",
"\n",
"mispObject = MISPObject('file')\n",
"mispObject.add_attribute('filename', type='filename',\n",
" value='filename.exe',\n",
" Tag=[{'name':'tlp:amber'}]) \n",
"event.add_object(mispObject)\n",
"\n",
"# The URL of the MISP instance to connect to\n",
"misp_url = 'http://127.0.0.1:8080'\n",
"# Can be found in the MISP web interface under \n",
"# http://+MISP_URL+/users/view/me -> Authkey\n",
"misp_key = 'yB8DMS8LkfYYpcVX8bN2v7xwDZDMp4bpW0sNqNGj'\n",
"# Should PyMISP verify the MISP certificate\n",
"misp_verifycert = False\n",
"\n",
"misp = PyMISP(misp_url, misp_key, misp_verifycert)\n",
"res = misp.add_event(event)\n",
"existing_event = MISPEvent()\n",
"existing_event.load(res)\n",
"print(existing_event.to_json())"
]
},
{
"cell_type": "markdown",
"metadata": {},
@ -769,6 +791,668 @@
"\n",
"print(event.to_json())\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"***"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Getting the API key (automatically generated on the trainig VM)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pathlib import Path\n",
"\n",
"api_file = Path('apikey')\n",
"if api_file.exists():\n",
" misp_url = 'http://127.0.0.1'\n",
" misp_verifycert = False\n",
" with open(api_file) as f:\n",
" misp_key = f.read().strip()\n",
" print(misp_key)\n",
"else:\n",
" print(\"Unable to find the api key\")"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Initialize variables if you run the notebook locally"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# The URL of the MISP instance to connect to\n",
"misp_url = 'http://127.0.0.1:8080/'\n",
"# Can be found in the MISP web interface under \n",
"# http://+MISP_URL+/users/view/me -> Authkey\n",
"misp_key = 'HRizIMmaxBOXAQSzKZ874rDWUsQEk4vGAGBoljQO'\n",
"# Should PyMISP verify the MISP certificate\n",
"misp_verifycert = False"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import ExpandedPyMISP, PyMISP\n",
"\n",
"misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)\n",
"misp_old = PyMISP(misp_url, misp_key, misp_verifycert)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Full example"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## New API\n",
"\n",
"Returns MISPEvent."
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import MISPEvent, MISPObject\n",
"\n",
"event = MISPEvent()\n",
"event.info = 'This is my new MISP event' # Required\n",
"event.distribution = 0 # Optional, defaults to MISP.default_event_distribution in MISP config\n",
"event.threat_level_id = 2 # Optional, defaults to MISP.default_event_threat_level in MISP config\n",
"event.analysis = 1 # Optional, defaults to 0 (initial analysis)\n",
"\n",
"mispObject = MISPObject('file')\n",
"mispObject.add_attribute('filename', type='filename',\n",
" value='filename.exe',\n",
" Tag=[{'name': 'tlp:amber'}])\n",
"\n",
"event.add_object(mispObject)\n",
"\n",
"print(misp)\n",
"existing_event = misp.add_event(event)\n",
"print(existing_event)\n",
"mispObject = MISPObject('file')\n",
"mispObject.add_attribute('filename', type='filename',\n",
" value='filename2.exe',\n",
" Tag=[{'name': 'tlp:white'}])\n",
"\n",
"existing_event.add_object(mispObject)\n",
"print(existing_event.to_json())\n",
"\n",
"res = misp.update(existing_event)\n",
"existing_event = MISPEvent()\n",
"existing_event.load(res)\n",
"print(existing_event.to_json())"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Old API\n",
"\n",
"Returns plain JSON"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import MISPEvent, MISPObject\n",
"\n",
"event = MISPEvent()\n",
"event.info = 'This is my new MISP event' # Required\n",
"event.distribution = 0 # Optional, defaults to MISP.default_event_distribution in MISP config\n",
"event.threat_level_id = 2 # Optional, defaults to MISP.default_event_threat_level in MISP config\n",
"event.analysis = 1 # Optional, defaults to 0 (initial analysis)\n",
"\n",
"mispObject = MISPObject('file')\n",
"mispObject.add_attribute('filename', type='filename',\n",
" value='filename.exe',\n",
" Tag=[{'name': 'tlp:amber'}])\n",
"\n",
"event.add_object(mispObject)\n",
"\n",
"print(misp)\n",
"res = misp.add_event(event)\n",
"print(res)\n",
"existing_event = MISPEvent()\n",
"existing_event.load(res)\n",
"mispObject = MISPObject('file')\n",
"mispObject.add_attribute('filename', type='filename',\n",
" value='filename2.exe',\n",
" Tag=[{'name': 'tlp:white'}])\n",
"\n",
"existing_event.add_object(mispObject)\n",
"print(existing_event.to_json())\n",
"\n",
"res = misp.update(existing_event)\n",
"existing_event = MISPEvent()\n",
"existing_event.load(res)\n",
"print(existing_event.to_json())"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Interacting with a MISP instance"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Creating An Event"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Directly"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"event = misp.new_event(distribution=1,\n",
" threat_level_id=1,\n",
" analysis=1,\n",
" info=\"Event from notebook\")\n",
"print(\"Event id: %s\" % event.id)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"event = misp_old.new_event(distribution=1,\n",
" threat_level_id=1,\n",
" analysis=1,\n",
" info=\"Event from notebook\")\n",
"print(\"Event id: %s\" % event['Event']['id'])"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Using the MISPEvent constructor"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import MISPEvent\n",
"\n",
"event_obj = MISPEvent()\n",
"event_obj.distribution = 1\n",
"event_obj.threat_level_id = 1\n",
"event_obj.analysis = 1\n",
"event_obj.info = \"Event from notebook 2\"\n",
"event = misp.add_event(event_obj)\n",
"event_id = event.id\n",
"print(\"Event id: %s\" % event_id)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Fetching an event"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"event_id = 2752"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Fetch by ID\n",
"event = misp.get_event(event_id)\n",
"print(event)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Fetch by ID\n",
"event = misp_old.get_event(event_id)\n",
"print(event)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Add an attribute to an event"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"#### Directly"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"attr_type = \"ip-src\"\n",
"value = \"8.8.8.8\"\n",
"category = \"Network activity\"\n",
"to_ids = False"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"##### Oldish API"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"scrolled": true
},
"outputs": [],
"source": [
"proposal = False\n",
"updated_event = misp.add_named_attribute(event_id,\n",
" attr_type,\n",
" value,\n",
" category=category,\n",
" to_ids=to_ids,\n",
" proposal=proposal)\n",
"print(updated_event)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"##### Cleaner way"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"value = \"9.8.8.8\""
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import MISPAttribute\n",
"\n",
"# Attribute data already defined\n",
"attribute = MISPAttribute()\n",
"attribute.type = attr_type\n",
"attribute.value = value\n",
"attribute.category = category\n",
"attribute.to_ids = to_ids\n",
"\n",
"attribute_to_change = misp.add_attribute(event_id, attribute)\n",
"print(attribute_to_change.id, attribute_to_change)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"##### Propose new Attribute"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import MISPAttribute\n",
"\n",
"attr_type = \"ip-src\"\n",
"value = \"10.8.8.8\"\n",
"category = \"Network activity\"\n",
"to_ids = False\n",
"\n",
"# Attribute data already defined\n",
"attribute = MISPAttribute()\n",
"attribute.type = attr_type\n",
"attribute.value = value\n",
"attribute.category = category\n",
"attribute.to_ids = to_ids\n",
"\n",
"proposal = misp.add_attribute_proposal(event_id, attribute)\n",
"print(proposal.id, proposal)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"##### Other things on proposals"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"proposal = misp.get_attribute_proposal(21)\n",
"print(proposal.to_json())"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"proposal = misp.accept_attribute_proposal(25)\n",
"print(proposal)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"proposal = misp.discard_attribute_proposal(27)\n",
"print(proposal)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"##### Propose change to attribute"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import MISPShadowAttribute\n",
"\n",
"proposal = MISPShadowAttribute()\n",
"proposal.type = 'ip-dst'\n",
"proposal.category = 'External analysis'\n",
"proposal.to_ids = False\n",
"\n",
"attribute = misp.update_attribute_proposal(attribute_to_change.id, proposal)\n",
"print(attribute.to_json())"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"attribute = misp.update_attribute_proposal(attribute_to_change.id, {'to_ids': False, 'comment': \"This is crap\"})\n",
"print(attribute.to_json())"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Update existing event"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import MISPAttribute, MISPObject\n",
"\n",
"attr_type = \"ip-src\"\n",
"value = \"20.8.8.8\"\n",
"category = \"Network activity\"\n",
"to_ids = False\n",
"\n",
"# Attribute data already defined\n",
"attribute = MISPAttribute()\n",
"attribute.type = attr_type\n",
"attribute.value = value\n",
"attribute.category = category\n",
"attribute.to_ids = to_ids\n",
"\n",
"# New Python 3.6 API\n",
"event = misp.get(event_id)\n",
"\n",
"## Add the attribute to the event\n",
"event.add_attribute(**attribute)\n",
"event.add_attribute(type='domain', value='circl.lu', disable_correlation=True)\n",
"\n",
"mispObject = MISPObject('file')\n",
"mispObject.add_attribute('filename', type='filename',\n",
" value='filename2.exe',\n",
" Tag=[{'name': 'tlp:white'}])\n",
"\n",
"event.add_object(mispObject)\n",
"\n",
"## Push the updated event to MISP\n",
"event_dict = misp.update_event(event)\n",
"print(event_dict)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Sightings"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.sighting(value=event.attributes[1].value)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.sighting_list(event.attributes[1].id)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Direct call, no validation"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.direct_call('attributes/add/58', {'type': 'ip-dst', 'value': '8.11.8.8'})"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.direct_call('events')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Admin Stuff"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_sharing_groups()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## User"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_users_list()"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.add_user('bar@foo.de', 1, 3)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Organisations"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_organisations_list()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Roles"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_roles_list()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Feeds"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_feeds_list()"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.cache_feeds_all()"
]
}
],
"metadata": {


@ -10,7 +10,7 @@
"misp_url = 'http://127.0.0.1:8080'\n",
"# Can be found in the MISP web interface under ||\n",
"# http://+MISP_URL+/users/view/me -> Authkey\n",
"misp_key = 'LBelWqKY9SQyG0huZzAMqiEBl6FODxpgRRXMsZFu'\n",
"misp_key = 'HRizIMmaxBOXAQSzKZ874rDWUsQEk4vGAGBoljQO'\n",
"# Should PyMISP verify the MISP certificate\n",
"misp_verifycert = False"
]
@ -70,7 +70,7 @@
"source": [
"## Search unpublished events\n",
"\n",
"**WARNING**: By default, the search query will only return all the events listed on teh index page"
"**WARNING**: By default, the search query will only return all the events listed on the index page"
]
},
{
@ -123,7 +123,7 @@
"metadata": {},
"outputs": [],
"source": [
"r = misp.search_index(tag='TODO:VT-ENRICHMENT', published=False)"
"print('No attributes are in the event', r[0].attributes)"
]
},
{
@ -132,7 +132,16 @@
"metadata": {},
"outputs": [],
"source": [
"r = misp.search_index(tag=['!TODO:VT-ENRICHMENT', 'tlp:white'], published=False) # ! means \"not this tag\""
"r = misp.search_index(tags='TODO:VT-ENRICHMENT', published=False)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"r = misp.search_index(tags=['!TODO:VT-ENRICHMENT', 'tlp:white'], published=False) # ! means \"not this tag\""
]
},
{
@ -227,6 +236,28 @@
"complex_query = misp.build_complex_query(or_parameters=['uibo.lembit@mail.ee', '103.195.185.222'])"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"print(complex_query)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"complex_query = misp.build_complex_query(or_parameters=['59.157.4.2', 'hotfixmsupload.com', '8.8.8.8'])\n",
"events = misp.search(value=complex_query, pythonify=True)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "code",
"execution_count": null,
@ -318,6 +349,15 @@
"r = misp.search(value='8.8.8.8', withAttachments=True) # Return attachments"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"print(r)"
]
},
{
"cell_type": "markdown",
"metadata": {},
@ -331,7 +371,7 @@
"metadata": {},
"outputs": [],
"source": [
"r = misp.search(controller='attributes', value='8.8.8.9')"
"r = misp.search(controller='attributes', value='8.8.8.8')"
]
},
{
@ -349,14 +389,7 @@
"metadata": {},
"outputs": [],
"source": [
"r"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Because reason"
"print(r)"
]
},
{
@ -365,22 +398,146 @@
"metadata": {},
"outputs": [],
"source": [
"tag_to_remove = 'foo'\n",
"# Search attributes (specified in controller) where the attribute type is 'ip-src'\n",
"# And the to_ids flag is set\n",
"attributes = misp.search(controller='attributes', type_attribute='ip-src', to_ids=0, pythonify=True)\n",
"\n",
"events = misp.search(tags=tag_to_remove, pythonify=True)\n",
"event_ids = set()\n",
"for attr in attributes:\n",
" event_ids.add(event_id)\n",
"\n",
"for event in events:\n",
" for tag in event.tags:\n",
" if tag.name == tag_to_remove:\n",
" print(f'Got {tag_to_remove} in {event.info}')\n",
" misp.untag(event.uuid, tag_to_remove)\n",
" break\n",
" for attribute in event.attributes:\n",
" for tag in attribute.tags:\n",
" if tag.name == tag_to_remove:\n",
" print(f'Got {tag_to_remove} in {attribute.value}')\n",
" misp.untag(attribute.uuid, tag_to_remove)\n",
" break"
"# Fetch all related events\n",
"for event_id in event_ids:\n",
" event = misp.get_event(event_id)\n",
" print(event.info)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Last *published* attributes"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"attributes = misp.search(controller='attributes', publish_timestamp='1d', pythonify=True)\n",
"\n",
"for attribute in attributes:\n",
" print(attribute.event_id, attribute)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"attributes = misp.search(controller='attributes', publish_timestamp=['2d', '1h'], pythonify=True)\n",
"\n",
"for a in attributes:\n",
" print(a)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Last *updated* attributes"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"scrolled": true
},
"outputs": [],
"source": [
"from datetime import datetime\n",
"\n",
"ts = int(datetime.now().timestamp())\n",
"\n",
"attributes = misp.search(controller='attributes', timestamp=ts - 36000, pythonify=True)\n",
"\n",
"for a in attributes:\n",
" print(a)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Orther output formats\n",
"\n",
"**Warning**: For that to work, the matching event has to be published"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"r = misp.search(controller='attributes', value='8.8.8.8', return_format='csv')"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"r = misp.search(controller='events', value='9.8.8.8', return_format='snort')"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"r = misp.search(controller='events', value='9.8.8.8', return_format='suricata')"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"r = misp.search(controller='events', value='9.8.8.8', return_format='stix')"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"r = misp.search(controller='events', value='9.8.8.8', return_format='stix2')"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"scrolled": true
},
"outputs": [],
"source": [
"print(r)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Search in logs"
]
},
{
@ -404,23 +561,6 @@
"for l in logs:\n",
" print(l.title)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"log = misp.search_logs(model='Tag', title=tag_to_remove)[0]\n",
"roles = misp.get_roles_list()\n",
"for r in roles:\n",
" if r['Role']['name'] == 'User':\n",
" new_role = r['Role']['id']\n",
" break\n",
"user = misp.get_user(log['Log']['user_id'])\n",
"user['User']['role_id'] = new_role\n",
"misp.edit_user(user['User']['id'], **user['User'])"
]
}
],
"metadata": {