PyMISP/docs/tutorial/Search.ipynb

{
 "cells": [
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# The URL of the MISP instance to connect to\n",
    "misp_url = 'http://127.0.0.1:8080'\n",
    "# Can be found in the MISP web interface under \n",
    "# http://+MISP_URL+/users/view/me -> Authkey\n",
    "misp_key = 'LBelWqKY9SQyG0huZzAMqiEBl6FODxpgRRXMsZFu'\n",
    "# Should PyMISP verify the MISP certificate\n",
    "misp_verifycert = False"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Getting the API key (automatically generated on the trainig VM)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from pathlib import Path\n",
    "\n",
    "api_file = Path('apikey')\n",
    "if api_file.exists():\n",
    "    misp_url = 'http://127.0.0.1'\n",
    "    misp_verifycert = False\n",
    "    with open(api_file) as f:\n",
    "        misp_key = f.read().strip()\n",
    "    print(misp_key)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Initialize PyMISP"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from pymisp import PyMISP\n",
    "\n",
    "misp = PyMISP(misp_url, misp_key, misp_verifycert, debug=False)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Index Search (fast, only returns events metadata)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Search unpublished events\n",
    "\n",
    "**WARNING**: By default, the search query will only return all the events listed on teh index page"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search_index(published=False)\n",
    "print(r)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Get the meta data of events"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search_index(eventid=[17217, 1717, 1721, 17218])"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Search Tag & mix with other parameters"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search_index(tags=['tlp:white'])\n",
    "for e in r:\n",
    "    print(e)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search_index(tag='TODO:VT-ENRICHMENT', published=False)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search_index(tag=['!TODO:VT-ENRICHMENT', 'tlp:white'], published=False)  # ! means \"not this tag\""
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Full text search on event info field"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search_index(eventinfo='circl')"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Search in the values of each attributes"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search_index(attribute='8.8.8.8')\n",
    "print(r)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Search by org"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search_index(org='CIRCL')"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Search updated events"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search_index(timestamp='1h')\n",
    "print(r)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Search full events (Slower, returns full events)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Getting timestamps"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from datetime import datetime, date, timedelta\n",
    "from dateutil.parser import parse\n",
    "\n",
    "int(datetime.now().timestamp())\n",
    "\n",
    "d = parse('2018-03-24')\n",
    "int(d.timestamp())\n",
    "\n",
    "today = int(datetime.today().timestamp())\n",
    "yesterday = int((datetime.today() - timedelta(days=1)).timestamp())\n",
    "\n",
    "print(today, yesterday)\n",
    "\n"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search(values='8.8.8.8')\n",
    "print(r)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search(not_values='8.8.8.8')"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search(category='Payload delivery')"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search(values='8.8.8.8', metadata=True) # no attributes"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search(timestamp=['2h', '1h'])"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search(values='8.8.8.8', enforceWarninglist=True)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search(values='8.8.8.8', deleted=True)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search(values='8.8.8.8', publish_timestamp=1521846000)  # everything published since that timestamp"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search(values='8.8.8.8', last='1d')  # everything published in the last <interval>"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search(values='8.8.8.8', timestamp=[yesterday, today])  # everything updated since that timestamp"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search(values='8.8.8.8', withAttachments=True)  # Return attachments"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Search for attributes"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search(controller='attributes', value='8.8.8.9')"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r = misp.search(controller='attributes', value='wrapper.no', event_timestamp='5d')  # only consider events updated since this timestamp"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "r"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Because reason"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "tag_to_remove = 'foo'\n",
    "\n",
    "events = misp.search(tags=tag_to_remove, pythonify=True)\n",
    "\n",
    "for event in events:\n",
    "    for tag in event.tags:\n",
    "        if tag.name == tag_to_remove:\n",
    "            print(f'Got {tag_to_remove} in {event.info}')\n",
    "            misp.untag(event.uuid, tag_to_remove)\n",
    "            break\n",
    "    for attribute in event.attributes:\n",
    "        for tag in attribute.tags:\n",
    "            if tag.name == tag_to_remove:\n",
    "                print(f'Got {tag_to_remove} in {attribute.value}')\n",
    "                misp.untag(attribute.uuid, tag_to_remove)\n",
    "                break"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "logs = misp.search_logs(model='Tag', title='tlp:white')\n",
    "print(logs)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "logs = misp.search_logs(model='Event', pythonify=True)\n",
    "#print(logs)\n",
    "for l in logs:\n",
    "    print(l.title)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "log = misp.search_logs(model='Tag', title=tag_to_remove)[0]\n",
    "roles = misp.get_roles_list()\n",
    "for r in roles:\n",
    "    if r['Role']['name'] == 'User':\n",
    "        new_role = r['Role']['id']\n",
    "        break\n",
    "user = misp.get_user(log['Log']['user_id'])\n",
    "user['User']['role_id'] = new_role\n",
    "misp.edit_user(user['User']['id'], **user['User'])"
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 3",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.6.7"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 2
}