MISP
/
PyMISP
mirror of https://github.com/MISP/PyMISP
2
0
Fork 0
Code Issues Releases Wiki Activity
PyMISP/docs/tutorial/Usage-NG.ipynb

489 lines
10 KiB
Plaintext
Raw Blame History

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Using the API to interact with a remote MISP instance\n",
"\n",
"You can fetch a VM from here: https://www.circl.lu/misp-images/latest/, or connect to your dev instance.\n",
"\n",
"This box needs to be run in order to connect to the MISP instance and run the subsequent commands."
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import ExpandedPyMISP, MISPEvent, MISPAttribute\n",
"\n",
"# The URL of the MISP instance to connect to\n",
"misp_url = 'http://127.0.0.1:8080'\n",
"# Can be found in the MISP web interface under \n",
"# http://+MISP_URL+/users/view/me -> Authkey\n",
"misp_key = 'aJAmQQoBhVL5jqUDSucIkPrEYIbFyW0wwQnxyBfc'\n",
"# Should PyMISP verify the MISP certificate\n",
"misp_verifycert = False"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Getting the API key (automatically generated on the trainig VM)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pathlib import Path\n",
"\n",
"api_file = Path('apikey')\n",
"if api_file.exists():\n",
" misp_url = 'http://127.0.0.1'\n",
" misp_verifycert = False\n",
" with open(api_file) as f:\n",
" misp_key = f.read().strip()\n",
" print(misp_key)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Initialize PyMISP"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Get the last events\n",
"\n",
"There are multiple definition for *last* in MISP.\n",
"\n",
"## Last *published* events"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"scrolled": true
},
"outputs": [],
"source": [
"response = misp.search(publish_timestamp='2d')\n",
"\n",
"print (response)\n",
"events = []\n",
"for event in response:\n",
" me = MISPEvent()\n",
" me.load(event)\n",
" events.append(me)\n",
" \n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"events = misp.search(publish_timestamp=['120m', '100m'], pythonify=True)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Last *updated* events"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"scrolled": true
},
"outputs": [],
"source": [
"from datetime import datetime\n",
"\n",
"ts = int(datetime.now().timestamp())\n",
"\n",
"response = misp.search(timestamp=ts-36000)\n",
"\n",
"events = []\n",
"for event in response:\n",
" me = MISPEvent()\n",
" me.load(event)\n",
" events.append(me)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## On an interval"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from datetime import datetime\n",
"ts = int(datetime.now().timestamp())\n",
"\n",
"events = misp.search(timestamp=[ts-3600, ts], pythonify=True)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Get the last attributes\n",
"\n",
"## Last *published* attributes"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"response = misp.search(controller='attributes', publish_timestamp='1d')\n",
"\n",
"attributes = []\n",
"for attribute in response['Attribute']:\n",
" ma = MISPAttribute()\n",
" ma.from_dict(**attribute)\n",
" attributes.append(ma)\n",
"\n",
"for a in attributes:\n",
" print(a.event_id, a)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"response = misp.search(controller='attributes', publish_timestamp=['2d', '1h'])\n",
"\n",
"attributes = []\n",
"for attribute in response['Attribute']:\n",
" ma = MISPAttribute()\n",
" ma.from_dict(**attribute)\n",
" attributes.append(ma)\n",
"\n",
"for a in attributes:\n",
" print(a)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Last *updated* attributes"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"scrolled": true
},
"outputs": [],
"source": [
"ts = int(datetime.now().timestamp())\n",
"\n",
"response = misp.search(controller='attributes', timestamp=ts - 36000)\n",
"\n",
"attributes = []\n",
"for attribute in response['Attribute']:\n",
" ma = MISPAttribute()\n",
" ma.from_dict(**attribute)\n",
" attributes.append(ma)\n",
"\n",
"for a in attributes:\n",
" print(a)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Fast search at index event level\n",
"\n",
"You have multiple ways to search for different values in MISP. Searching in the medadata of the events is very fast and if generally the recommended approach if your query returns lots of events."
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"response = misp.search_index(eventinfo='Cobalt Strike')\n",
"\n",
"events = []\n",
"for event in response:\n",
" me = MISPEvent()\n",
" me.from_dict(**event)\n",
" events.append(me)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"print('No attributes are in the event', events[0].attributes)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"response = misp.search_index(tags='malware_classification:malware-category=\"Ransomware\"')\n",
"\n",
"events = []\n",
"for event in response:\n",
" me = MISPEvent()\n",
" me.from_dict(**event)\n",
" events.append(me)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"scrolled": true
},
"outputs": [],
"source": [
"response = misp.search_index(timestamp='1h')\n",
"\n",
"events = []\n",
"for event in response:\n",
" me = MISPEvent()\n",
" me.from_dict(**event)\n",
" events.append(me)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"events[0].id"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"event = MISPEvent()\n",
"#event.load(misp.get(events[0].id))\n",
"print (misp.get(events[0].id))\n",
"#print(event.to_json())"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Search indicators"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"complex_query = misp.build_complex_query(or_parameters=['59.157.4.2', 'hotfixmsupload.com', '8.8.8.8'])\n",
"events = misp.search(value=complex_query, pythonify=True)\n",
"\n",
"for e in events:\n",
" print(e)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Sightings"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.sighting(value=e.attributes[1].value)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.sighting_list(e.attributes[1].id)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Admin Stuff"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_sharing_groups()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## User"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_users_list()"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.add_user('bar@foo.de', 1, 3)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_organisations_list()"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_roles_list()"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.get_feeds_list()"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp.cache_feeds_all()"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": []
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.6.7"
}
},
"nbformat": 4,
"nbformat_minor": 2
}
Reference in New Issue View Git Blame Copy Permalink