{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# PyMISP - An interactive tutorial: Basics" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Connecting to MISP\n", "### Your configuration" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# The URL of the MISP instance to connect to (use https:// for anything but a local test VM)\n", "misp_url = 'http://127.0.0.1:8080/'\n", "# Can be found in the MISP web interface under \n", "# http://+MISP_URL+/users/view/me -> Authkey\n", "# The Authkey is a credential: never commit a real key into this notebook;\n", "# prefer loading it from a file or an environment variable (see the next cell)\n", "misp_key = 'BSip0zVadeFDeolkX2g7MHx8mrlr0uE04hh6CQj0'\n", "# Should PyMISP verify the MISP certificate\n", "# (only disable this for a local test VM; keep it True for any real instance,\n", "# otherwise the API key is exposed to anyone able to intercept the connection)\n", "misp_verifycert = False" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Getting the API key (automatically generated on the training VM)\n", "\n", "The key printed by the next cell is a credential: clear that cell's output before sharing or committing this notebook." ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "from pathlib import Path\n", "\n", "api_file = Path('apikey')\n", "if api_file.exists():\n", " misp_url = 'http://127.0.0.1'\n", " misp_verifycert = False\n", " with open(api_file) as f:\n", " misp_key = f.read().strip()\n", " # Printing the key stores it in the notebook output; clear outputs before sharing\n", " print(misp_key)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Initialize PyMISP" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "from pymisp import ExpandedPyMISP, PyMISP\n", "\n", "misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)\n", "misp_old = PyMISP(misp_url, misp_key, misp_verifycert)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Creating a MISP Event" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Directly" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "event = misp.new_event(distribution=1,\n", " threat_level_id=1,\n", " analysis=1,\n", " info=\"Event from notebook\")\n", "print(\"Event id: %s\" % event.id)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "event = 
misp_old.new_event(distribution=1,\n", " threat_level_id=1,\n", " analysis=1,\n", " info=\"Event from notebook\")\n", "print(\"Event id: %s\" % event['Event']['id'])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Using the MISPEvent constructor" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "from pymisp import MISPEvent\n", "\n", "event_obj = MISPEvent()\n", "event_obj.distribution = 1\n", "event_obj.threat_level_id = 1\n", "event_obj.analysis = 1\n", "event_obj.info = \"Event from notebook 2\"\n", "event = misp.add_event(event_obj)\n", "event_id = event.id\n", "print(\"Event id: %s\" % event_id)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Fetching a MISP Event" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# Fetch by ID\n", "event = misp.get_event(event_id)\n", "print(event)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# Fetch by ID\n", "event = misp_old.get_event(event_id)\n", "print(event)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Adding Attribute to an event" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Adding directly" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "attr_type = \"ip-src\"\n", "value = \"8.8.8.8\"\n", "category = \"Network activity\"\n", "to_ids = False\n", "proposal = False\n", "updated_event = misp.add_named_attribute(event,\n", " attr_type,\n", " value,\n", " category=category,\n", " to_ids=to_ids,\n", " proposal=proposal)\n", "print(updated_event)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Using the MISPAttribute constructor" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "from pymisp import MISPAttribute\n", "\n", "# Attribute data already defined\n", "attribute = MISPAttribute()\n", 
"attribute.type = attr_type\n", "attribute.value = value\n", "attribute.category = category\n", "attribute.proposal = proposal\n", "print(attribute)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# An attribute can also be loaded directly from a JSON\n", "json = '''{\n", " \"type\": \"ip-dst\",\n", " \"value\": \"127.0.0.1\",\n", " \"category\": \"Network activity\",\n", " \"to_ids\": false,\n", " \"proposal\": false\n", " }'''\n", "\n", "attribute = MISPAttribute()\n", "attribute.from_json(json)\n", "print(attribute)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### And then, update the event" ] }, { "cell_type": "code", "execution_count": null, "metadata": { "scrolled": false }, "outputs": [], "source": [ "# Add the attribute to the event\n", "## Fetch the event from MISP\n", "event_dict = misp_old.get(event_id)['Event']\n", "\n", "## Convert it to a PyMISP Event\n", "event = MISPEvent()\n", "event.from_dict(**event_dict)\n", "\n", "## Add the attribute to the event\n", "event.add_attribute(**attribute)\n", "event.add_attribute(type='domain', value='circl.lu', disable_correlation=True)\n", "\n", "## Push the updated event to MISP\n", "event_dict = misp.update_event(event)\n", "print(event_dict)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# New Python 3.6 API\n", "event = misp.get(event_id)\n", "\n", "## Add the attribute to the event\n", "event.add_attribute(**attribute)\n", "event.add_attribute(type='domain', value='circl.lu', disable_correlation=True)\n", "\n", "## Push the updated event to MISP\n", "event_dict = misp.update_event(event)\n", "print(event_dict)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Performing search" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Events by their info fields" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "results = 
misp.search_index(eventinfo='notebook')\n", "\n", "for event in results:\n", " print(event['id'], ':', event['info'])" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "results[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Attributes by their values" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Search in all attributes" ] }, { "cell_type": "code", "execution_count": null, "metadata": { "scrolled": true }, "outputs": [], "source": [ "# Search attributes (specified in controller) where the attribute type is 'ip-src'\n", "# and the to_ids flag is NOT set (to_ids=0), which matches the attribute added above\n", "attributes = misp.search(controller='attributes', type_attribute='ip-src', to_ids=0, pythonify=True)\n", "\n", "event_ids = set()\n", "for attr in attributes:\n", " # NOTE(review): this adds the outer event_id from the earlier cell, not the id of\n", " # the matched attribute's event, so every match collapses to the same single event;\n", " # presumably attr.event_id is what is meant here\n", " event_ids.add(event_id)\n", "\n", "# Fetch all related events\n", "for event_id in event_ids:\n", " event = misp.get_event(event_id)\n", " print(event.info)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Creating and adding a MISP Object" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "from pymisp import MISPObject\n", "\n", "object_name = 'email'\n", "object_data = {\n", " 'from': 'admin@admin.test',\n", " 'to': 'admin@foo.bar',\n", " 'subject': 'An email',\n", "}\n", "\n", "# Create the MISP Object\n", "misp_obj = MISPObject(object_name)\n", "for obj_relation, value in object_data.items():\n", " if obj_relation == 'subject':\n", " misp_obj.add_attribute(obj_relation, value=value, comment='My fancy subject', disable_correlation=True)\n", " else: \n", " misp_obj.add_attribute(obj_relation, value=value)\n", "\n", "template_id = misp.get_object_template_id(misp_obj.template_uuid)\n", "\n", "# Add the object to MISP\n", "response = misp.add_object(event_id,\n", " template_id,\n", " misp_obj)\n", "print('Event ID', event_id)\n", "print(response)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ 
"# Direct call, no client-side validation\n", "\n", "`direct_call` sends the path and payload to the MISP API as-is, so PyMISP does not check the attribute type or value before they are sent. The event IDs used below (58, 2167) are examples and must be replaced with an event that exists on your instance (e.g. `event_id` from above)." ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# The URL of the MISP instance to connect to\n", "#misp_url = 'http://127.0.0.1:8080/'\n", "# Can be found in the MISP web interface under \n", "# http://+MISP_URL+/users/view/me -> Authkey\n", "#misp_key = 'BSip0zVadeFDeolkX2g7MHx8mrlr0uE04hh6CQj0'\n", "# Should PyMISP verify the MISP certificate\n", "#misp_verifycert = False\n", "\n", "from pymisp import PyMISP\n", "\n", "misp = PyMISP(misp_url, misp_key, misp_verifycert)\n", "misp.direct_call('attributes/add/58', {'type': 'ip-dst', 'value': '8.11.8.8'})" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# The URL of the MISP instance to connect to\n", "misp_url = 'http://127.0.0.1:8080/'\n", "# Can be found in the MISP web interface under \n", "# http://+MISP_URL+/users/view/me -> Authkey\n", "# NOTE: this overrides the key loaded earlier with a second hard-coded key (presumably\n", "# another training-VM key); a real Authkey must never be hard-coded in a notebook\n", "misp_key = 'fk5BodCZw8owbscW8pQ4ykMASLeJ4NYhuAbshNjo'\n", "# Should PyMISP verify the MISP certificate (keep True for any non-local instance)\n", "misp_verifycert = False\n", "\n", "from pymisp import PyMISP\n", "\n", "misp = PyMISP(misp_url, misp_key, misp_verifycert)\n", "misp.direct_call('attributes/add/2167', '{\"type\": \"ip-dst\", \"value\": \"8.8.8.9\"}')" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# The URL of the MISP instance to connect to\n", "#misp_url = 'http://127.0.0.1:8080/'\n", "# Can be found in the MISP web interface under \n", "# http://+MISP_URL+/users/view/me -> Authkey\n", "#misp_key = 'fk5BodCZw8owbscW8pQ4ykMASLeJ4NYhuAbshNjo'\n", "# Should PyMISP verify the MISP certificate\n", "#misp_verifycert = False\n", "\n", "from pymisp import PyMISP\n", "\n", "misp = PyMISP(misp_url, misp_key, misp_verifycert)\n", "misp.direct_call('events')" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", 
"name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.6.7" } }, "nbformat": 4, "nbformat_minor": 2 }