In order to use these, you need to create a file named keys.py in the examples folder and edit it to put the url of your MISP instance and your automation key.
~~~~
cd examples
cp keys.py.sample keys.py
vim keys.py
~~~~
Once you are done with it, you are ready to start.
This function will create a PyMISP object that will be used later to interact with the MISP instance.
As seen in the [api.py](https://github.com/CIRCL/PyMISP/blob/master/pymisp/api.py#L85), a PyMISP object need to know both the url of the MISP instance and the API key to use. It can also take additionnal and not mandatory data, such as the use or not of SSL or the name of the export format.
In order to add the new argument, we first need to fetch the event in the MISP database using the [get\_event](https://github.com/CIRCL/PyMISP/blob/master/pymisp/api.py#L223) function which only need the event\_id. Then only once we have it, we can call the function [add\_named\_attribute](https://github.com/CIRCL/PyMISP/blob/master/pymisp/api.py#L372) that will add the argument.
Delete an event or an attribute from a MISP instance. The event has the priority: if both are set, only the event will be deleted.
Arguments:
* **event**: Event ID to delete.
* **attribute**: Attribute ID to delete.
#### delete_user.py
Delete the user with the given id. Keep in mind that disabling users (by setting the disabled flag via an edit) is always prefered to keep user associations to events intact.
Arguments:
* **user_id**: The id of the user you want to delete.
#### edit_user.py
Edit the email of the user designed by the user_id.
Arguments:
* **user_id**: The name of the json file describing the user you want to modify.
* **email**: Email linked to the account.
#### edit_user_json.py
Edit the user designed by the user_id. If no file is provided, returns a json listing all the fields used to describe a user.
Arguments:
* **user_id**: The name of the json file describing the user you want to modify.
* **json_file**: The name of the json file describing your modifications.
#### get.py
Get an event from a MISP instance in json format.
Arguments:
* **event**: Event ID to get.
* **output**: Output file
#### last.py
Download latest events from a MISP instance. A output file can be created to store these events.
Arguments:
* **last**: can be defined in days, hours, minutes (for example 5d or 12h or 30m).
* **output**: Output file
#### searchall.py
Get all the events matching a value.
Arguments:
* **search**: String to search.
* **quiet**: Only display URLs to MISP
* **output**: Output file
#### sharing_groups.py
Get a list of the sharing groups from the MISP instance.
No argument.
#### sighting.py
Add sighting.
Arguments:
* **json_file**: The name of the json file describing the attribute you want to add sighting to.
#### stats.py
Output attributes statistics from a MISP instance.
No argument.
#### suricata.py
Download Suricata events.
Arguments:
* **all**: Download all suricata rules available.
* **event**: Download suricata rules from one event.
#### tags.py
Get tags from MISP instance.
No argument.
#### tagstatistics.py
Get statistics from tags.
Arguments:
* **percentage**: An optional field, if set, it will return the results in percentages, otherwise it returns exact count.
* **namesort**: An optional field, if set, values are sort by the namespace, otherwise the sorting will happen on the value.
#### up.py
Update an existing event regarding the data inside a given json file.
Arguments:
* **event**: Event ID to modify.
* **input**: Input file
#### upload.py
Send malware sample to MISP.
Arguments:
* **upload**: File or directory of files to upload.
* **event**: Not supplying an event ID will cause MISP to create a single new event for all of the POSTed malware samples.
* **distrib**: The distribution setting used for the attributes and for the newly created event, if relevant. [0-3].
* **ids**: You can flag all attributes created during the transaction to be marked as \"to_ids\" or not.
* **categ**: The category that will be assigned to the uploaded samples. Valid options are: Payload delivery, Artifacts dropped, Payload Installation, External Analysis.
* **info**: Used to populate the event info field if no event ID supplied.
* **analysis**: The analysis level of the newly created event, if applicatble. [0-2]
* **threat**: The threat level ID of the newly created event, if applicatble. [1-4]
* **comment**: Comment for the uploaded file(s).
#### users_list.py
Get a list of the sharing groups from the MISP instance.
No argument.
### Going further
#### feed-generator
It is used to generate the CIRCL OSINT feed. This script export the events as json, based on tags, organisation, events, ...
It automatically update the dumps and the metadata file.