{ "cells": [ { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# The URL of the MISP instance to connect to\n", "misp_url = 'http://127.0.0.1:8080'\n", "# Can be found in the MISP web interface under ||\n", "# http://+MISP_URL+/users/view/me -> Authkey\n", "misp_key = 'LBelWqKY9SQyG0huZzAMqiEBl6FODxpgRRXMsZFu'\n", "# Should PyMISP verify the MISP certificate\n", "misp_verifycert = False" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Getting the API key (automatically generated on the training VM)\n", "\n", "The API key is a credential: the first cell hardcodes one and the cell below prints the one read from `apikey` into the notebook output, so do not commit a real key and clear the outputs before sharing this notebook." ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "from pathlib import Path\n", "\n", "api_file = Path('apikey')\n", "if api_file.exists():\n", " misp_url = 'http://127.0.0.1'\n", " misp_verifycert = False\n", " with open(api_file) as f:\n", " misp_key = f.read().strip()\n", " print(misp_key)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Initialize PyMISP - NG" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "from pymisp import ExpandedPyMISP\n", "\n", "misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert, debug=False)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Index Search (fast, only returns events metadata)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Search unpublished events\n", "\n", "**WARNING**: By default, the search query will only return the events listed on the index page" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search_index(published=False)\n", "print(r)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get the metadata of events" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search_index(eventid=[17217, 1717, 1721, 17218])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Search Tag & mix 
with other parameters" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search_index(tags=['tlp:white'], pythonify=True)\n", "for e in r:\n", " print(e)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search_index(tag='TODO:VT-ENRICHMENT', published=False)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search_index(tag=['!TODO:VT-ENRICHMENT', 'tlp:white'], published=False) # ! means \"not this tag\"" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Full text search on event info field" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search_index(eventinfo='circl')" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Search by org" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search_index(org='CIRCL')" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Search updated events" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search_index(timestamp='1h')" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Search full events (Slower, returns full events)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Getting timestamps" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "from datetime import datetime, date, timedelta\n", "from dateutil.parser import parse\n", "\n", "int(datetime.now().timestamp())\n", "\n", "d = parse('2018-03-24')\n", "int(d.timestamp())\n", "\n", "today = int(datetime.today().timestamp())\n", "yesterday = int((datetime.today() - timedelta(days=1)).timestamp())\n", "\n", "print(today, yesterday)\n", "\n" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], 
"source": [ "complex_query = misp.build_complex_query(or_parameters=['uibo.lembit@mail.ee', '103.195.185.222'])" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search(value=complex_query, pythonify=True)\n", "print(r)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search(category='Payload delivery')" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search(value='uibo.lembit@mail.ee', metadata=True, pythonify=True) # no attributes" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search(timestamp=['2h', '1h'])" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search(value='8.8.8.8', enforceWarninglist=True)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search(value='8.8.8.8', deleted=True)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search(value='8.8.8.8', publish_timestamp=1521846000) # everything published since that timestamp" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search(value='8.8.8.8', last='1d') # everything published in the last " ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search(value='8.8.8.8', timestamp=[yesterday, today]) # everything updated since that timestamp" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search(value='8.8.8.8', withAttachments=True) # Return attachments" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Search for attributes" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = 
misp.search(controller='attributes', value='8.8.8.9')" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r = misp.search(controller='attributes', value='wrapper.no', event_timestamp='5d') # only consider events updated since this timestamp" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "r" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Example: remove a tag from matching events and their attributes" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "tag_to_remove = 'foo'\n", "\n", "events = misp.search(tags=tag_to_remove, pythonify=True)\n", "\n", "for event in events:\n", " for tag in event.tags:\n", " if tag.name == tag_to_remove:\n", " print(f'Got {tag_to_remove} in {event.info}')\n", " misp.untag(event.uuid, tag_to_remove)\n", " break\n", " for attribute in event.attributes:\n", " for tag in attribute.tags:\n", " if tag.name == tag_to_remove:\n", " print(f'Got {tag_to_remove} in {attribute.value}')\n", " misp.untag(attribute.uuid, tag_to_remove)\n", " break" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "logs = misp.search_logs(model='Tag', title='tlp:white')\n", "print(logs)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "logs = misp.search_logs(model='Event', pythonify=True)\n", "#print(logs)\n", "for l in logs:\n", " print(l.title)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "log = misp.search_logs(model='Tag', title=tag_to_remove)[0]\n", "roles = misp.get_roles_list()\n", "for r in roles:\n", " if r['Role']['name'] == 'User':\n", " new_role = r['Role']['id']\n", " break\n", "user = misp.get_user(log['Log']['user_id'])\n", "user['User']['role_id'] = new_role\n", "misp.edit_user(user['User']['id'], **user['User'])" ] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", 
"name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.6.7" } }, "nbformat": 4, "nbformat_minor": 2 }