From f6cffd5a00da22a84d785c2775a32a186d01011d Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Tue, 20 Feb 2018 17:08:43 +0100 Subject: [PATCH 01/12] Updates README.md Auto commit by GitBook Editor --- README.md | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 12faaee..890ad78 100644 --- a/README.md +++ b/README.md 
@@ -1,21 +1,25 @@ +--- +description: Introduction to MISP (Malware Information Sharing Platform) +--- + # Introduction [![Build Status](https://travis-ci.org/MISP/misp-book.svg?branch=master)](https://travis-ci.org/MISP/misp-book) ![MISP logo](https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/logos/misp-logo.png) -User guide for MISP (Malware Information Sharing Platform) - A Threat Sharing Platform. This user guide is intended for ICT professionals such as security analysts, security incident handlers, or malware reverse engineers who share threat indicators using MISP or integrate MISP into other security monitoring tools. The user guide includes day-to-day usage of the MISP's graphical user interface along with its automated interfaces (API), in order to integrate MISP within a security environment. +User guide for MISP \(Malware Information Sharing Platform\) - A Threat Sharing Platform. This user guide is intended for ICT professionals such as security analysts, security incident handlers, or malware reverse engineers who share threat indicators using MISP or integrate MISP into other security monitoring tools. The user guide includes day-to-day usage of the MISP's graphical user interface along with its automated interfaces \(API\), in order to integrate MISP within a security environment. 
## Acknowledgement The MISP user guide is a collaborative effort between all the contributors to [MISP](https://www.github.com/MISP) including: -- Belgian Ministry of Defence (CERT) -- [CIRCL Computer Incident Response Center Luxembourg](https://www.circl.lu/) -- Iklody IT Solutions -- [NATO NCIRC](http://www.ncirc.nato.int/) -- Cthulhu Solutions -- [CERT-EU](https://cert.europa.eu) +* Belgian Ministry of Defence \(CERT\) +* [CIRCL Computer Incident Response Center Luxembourg](https://www.circl.lu/) +* Iklody IT Solutions +* [NATO NCIRC](http://www.ncirc.nato.int/) +* Cthulhu Solutions +* [CERT-EU](https://cert.europa.eu) and many other contributors especially the ones during the MISP hackathons. @@ -27,10 +31,12 @@ We welcome contributions to the MISP book. If you want to contribute, clone the The MISP user guide is dual-licensed under [GNU Affero General Public License version 3](http://www.gnu.org/licenses/agpl-3.0.html) and [CC-BY-SA 4.0 international](https://creativecommons.org/licenses/by-sa/4.0/). -* Copyright (C) 2012 Christophe Vandeplas -* Copyright (C) 2012 Belgian Defence -* Copyright (C) 2012 NATO / NCIRC -* Copyright (C) 2013-2017 Andras Iklody -* Copyright (C) 2015-2017 Alexandre Dulaunoy -* Copyright (C) 2014-2017 CIRCL - Computer Incident Response Center Luxembourg +* Copyright \(C\) 2012 Christophe Vandeplas +* Copyright \(C\) 2012 Belgian Defence +* Copyright \(C\) 2012 NATO / NCIRC +* Copyright \(C\) 2013-2017 Andras Iklody +* Copyright \(C\) 2015-2017 Alexandre Dulaunoy +* Copyright \(C\) 2014-2017 CIRCL - Computer Incident Response Center Luxembourg + + From 2e024fda7888cf32a15daa4117418a1e010e4c64 Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Tue, 20 Feb 2018 17:09:49 +0100 Subject: [PATCH 02/12] Updates README.md Auto commit by GitBook Editor --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 890ad78..9ff4dc0 100644 --- a/README.md +++ b/README.md 
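Review bot: the GitBook editor has rewritten every parenthesis in the description paragraph, the acknowledgement list and the copyright list as `\(`…`\)`; parentheses need no escaping in Markdown, so this is churn that makes the source harder to read and diff without changing the rendered page, and the same hunks also switch the list marker from `-` to `*` and append two trailing blank lines at the end of the file. Suggest keeping the new front-matter `description:` block, which is the substantive change, and dropping the escaping, marker and whitespace changes, or at least using one list-marker style consistently across the book.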
@@ -8,7 +8,7 @@ description: Introduction to MISP (Malware Information Sharing Platform) ![MISP logo](https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/logos/misp-logo.png) -User guide for MISP \(Malware Information Sharing Platform\) - A Threat Sharing Platform. This user guide is intended for ICT professionals such as security analysts, security incident handlers, or malware reverse engineers who share threat indicators using MISP or integrate MISP into other security monitoring tools. The user guide includes day-to-day usage of the MISP's graphical user interface along with its automated interfaces \(API\), in order to integrate MISP within a security environment. +User guide for MISP \(Malware Information Sharing Platform\) - An Open Source Threat Sharing Platform. This user guide is intended for ICT professionals such as security analysts, security incident handlers, or malware reverse engineers who share threat indicators using MISP or integrate MISP into other security monitoring tools. The user guide includes day-to-day usage of the MISP's graphical user interface along with its automated interfaces \(API\), in order to integrate MISP within a security environment. ## Acknowledgement From 93029d8b266a23fb24f14dddc3365b738a072cda Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Tue, 20 Feb 2018 17:10:30 +0100 Subject: [PATCH 03/12] Updates README.md Auto commit by GitBook Editor --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9ff4dc0..a80a155 100644 --- a/README.md +++ b/README.md 
@@ -8,7 +8,7 @@ description: Introduction to MISP (Malware Information Sharing Platform) ![MISP logo](https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/logos/misp-logo.png) -User guide for MISP \(Malware Information Sharing Platform\) - An Open Source Threat Sharing Platform. This user guide is intended for ICT professionals such as security analysts, security incident handlers, or malware reverse engineers who share threat indicators using MISP or integrate MISP into other security monitoring tools. The user guide includes day-to-day usage of the MISP's graphical user interface along with its automated interfaces \(API\), in order to integrate MISP within a security environment. +User guide for MISP \(Malware Information Sharing Platform\) - An Open Source Threat Intelligence Sharing Platform. This user guide is intended for ICT professionals such as security analysts, security incident handlers, or malware reverse engineers who share threat indicators using MISP or integrate MISP into other security monitoring tools. The user guide includes day-to-day usage of the MISP's graphical user interface along with its automated interfaces \(API\), in order to integrate MISP within a security environment. ## Acknowledgement From 5bf331ce224ebc35d91517dcb4e02499256d113d Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Tue, 20 Feb 2018 17:14:06 +0100 Subject: [PATCH 04/12] Updates README.md Auto commit by GitBook Editor --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a80a155..9918e54 100644 --- a/README.md +++ b/README.md 
@@ -21,7 +21,7 @@ The MISP user guide is a collaborative effort between all the contributors to [M * Cthulhu Solutions * [CERT-EU](https://cert.europa.eu) -and many other contributors especially the ones during the MISP hackathons. +and many other contributors especially the ones during the [MISP hackathons](https://github.com/MISP/MISP/wiki/Hackathon "MISP Hackathon Wiki"). ## Contributing From ffdca73fc2562268fdaa44c2039f1df7de4a8139 Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Tue, 20 Feb 2018 17:16:05 +0100 Subject: [PATCH 05/12] Updates README.md Auto commit by GitBook Editor --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9918e54..4cbc06f 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ and many other contributors especially the ones during the [MISP hackathons](htt ## Contributing -We welcome contributions to the MISP book. If you want to contribute, clone the [misp-book](https://github.com/MISP/misp-book) repository and pull a request with your changes. You can also [open issues](https://github.com/MISP/misp-book/issues) if you find any errors or propose changes. +We welcome contributions to the MISP book. If you want to contribute, fork the [misp-book](https://github.com/MISP/misp-book) repository and pull a request with your changes. You can also [open issues](https://github.com/MISP/misp-book/issues) if you find any errors or propose changes. ## License From ec9e6b8d486d2bffd7c6c7cea2b657b021f1e3df Mon Sep 17 00:00:00 2001 From: "Juan C. Montes" <33036804+juancmontes@users.noreply.github.com> Date: Fri, 23 Feb 2018 09:48:20 +0100 Subject: [PATCH 06/12] Use Modules Controller Documentation to use the new feature to can call misp-modules from API. --- automation/README.md | 116 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) diff --git a/automation/README.md b/automation/README.md index 170b901..2a0813c 100644 --- a/automation/README.md 
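Review bot: in the Contributing paragraph, changing "clone" to "fork" is right, but the sentence still reads "fork the misp-book repository and pull a request with your changes"; it should read "fork the [misp-book](https://github.com/MISP/misp-book) repository and open a pull request with your changes".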
+++ b/automation/README.md 
@@ -1978,6 +1978,122 @@ An example output of https:///users/statistics.json: } ~~~~ +# MISP modules +## Description +It is possible call misp-modules directly from API. +If the module needs credentials, API will get the information directly from MISP configuration. +### GET /modules/ +Retrieve a list of all modules enabled. +#### Example +~~~bash +curl --header "Authorization: " --header "Accept: application/json" --header "Content-Type: application/json" -X GET http:///modules/ +~~~ + +#### Output +~~~json +[ + { + "name": "passivetotal", + "type": "expansion", + "mispattributes": { + "input": [ + "hostname", + "domain", + "ip-src", + "ip-dst" + ], + "output": [ + "ip-src", + "ip-dst", + "hostname", + "domain" + ] + }, + "meta": { + "description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources", + "config": [ + "username", + "password" + ], + "author": "Alexandre Dulaunoy", + "version": "0.1" + } + }, + { + "name": "sourcecache", + "type": "expansion", + "mispattributes": { + "input": [ + "link" + ], + "output": [ + "link" + ] + }, + "meta": { + "description": "Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.", + "author": "Alexandre Dulaunoy", + "version": "0.1" + } + }, + { + "name": "dns", + "type": "expansion", + "mispattributes": { + "input": [ + "hostname", + "domain" + ], + "output": [ + "ip-src", + "ip-dst" + ] + }, + "meta": { + "description": "Simple DNS expansion service to resolve IP address from MISP attributes", + "author": "Alexandre Dulaunoy", + "version": "0.1" + } + } +] +~~~ + +### POST /modules/query +Call any enabled module. 
+ +#### Example + +Content of dns.json +~~~json +{ + "hostname": "www.foo.be", + "module": "dns" +} +~~~ + +Query using MISP API + +~~~bash +curl --header "Authorization: " --header "Accept: application/json" --header "Content-Type: application/json" --data @dns.json -X POST http:///modules/query +~~~ + +The output will be following JSON: + +~~~json +{ + "results": [ + { + "types": [ + "ip-src", + "ip-dst" + ], + "values": [ + "188.65.217.78" + ] + } + ] +} +~~~ From 2cb4f2bb51f1945e36d75f5ee87e402101034579 Mon Sep 17 00:00:00 2001 From: "Juan C. Montes" <33036804+juancmontes@users.noreply.github.com> Date: Fri, 23 Feb 2018 09:50:56 +0100 Subject: [PATCH 07/12] Use new Modules Controller Documentation to use the new feature to can call misp-modules from API. --- automation/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/automation/README.md b/automation/README.md index 2a0813c..ce59664 100644 --- a/automation/README.md +++ b/automation/README.md @@ -27,7 +27,6 @@ The authorization is performed by using the following header: ~~~~ Authorization: YOUR API KEY ~~~~ - ### Accept and Content-Type headers When performing your request, depending on the type of request, you might need to explicitly specify in what content type you want to get your results. This is done by setting one of the below Accept headers: From df9b4f7f75a19d00dec9c6f8023e5a29696cda2e Mon Sep 17 00:00:00 2001 From: "Juan C. Montes" <33036804+juancmontes@users.noreply.github.com> Date: Fri, 23 Feb 2018 10:10:58 +0100 Subject: [PATCH 08/12] Use new Modules Controller --- automation/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/README.md b/automation/README.md index ce59664..25cd36a 100644 --- a/automation/README.md +++ b/automation/README.md @@ -2059,7 +2059,7 @@ curl --header "Authorization: " --header "Accept: application/json" --h ] ~~~ -### POST /modules/query +### POST /modules/queryEnrichment Call any enabled module. #### Example 
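Review bot: the new section opens with `# MISP modules` / `## Description` / `### GET /modules/`, one heading level above the surrounding sections of automation/README.md, which use `## Attribute management` / `### GET /attributes` / `#### Description` (visible as context in the later hunks of this series); please demote every heading in the section by one level so it nests under the existing API documentation. The opening sentence "It is possible call misp-modules directly from API." should read "It is possible to call misp-modules directly from the API.", and the `GET /modules/` output lists the config key names for passivetotal (`username`, `password`); it is worth saying explicitly that these are the names the module expects and that the values stay in the MISP server configuration, so readers do not expect credentials in the response.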
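Review bot: the `@@ -27,7 +27,6 @@` hunk only deletes the blank line between the `Authorization: YOUR API KEY` fence and the `### Accept and Content-Type headers` heading, which is unrelated to the commit subject "Use new Modules Controller" and removes the blank line that separates fenced blocks from headings elsewhere in the file; drop it from this change.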
@@ -2075,7 +2075,7 @@ Content of dns.json Query using MISP API ~~~bash -curl --header "Authorization: " --header "Accept: application/json" --header "Content-Type: application/json" --data @dns.json -X POST http:///modules/query +curl --header "Authorization: " --header "Accept: application/json" --header "Content-Type: application/json" --data @dns.json -X POST http:///modules/queryEnrichment ~~~ The output will be following JSON: From 1191e3a5720f358305502871dc9d7b5469517a98 Mon Sep 17 00:00:00 2001 From: Alexander J Date: Mon, 26 Feb 2018 11:55:44 +0100 Subject: [PATCH 09/12] Update README.md --- automation/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/automation/README.md b/automation/README.md index 25cd36a..5c44bdf 100644 --- a/automation/README.md +++ b/automation/README.md @@ -445,6 +445,12 @@ Attaches an Tag to an Object by a given UUID curl --header "Authorization: a4PLf8QICdDdOmFjwdtSYqkCqn9CvN0VQt7mpUUf " --header "Accept: application/json" --header "Content-Type: application/json" -X POST http://10.50.13.60/tags/attachTagToObject/5a0d68b3-6da0-4ced-8233-77bb950d210f/tlp3Awhite ~~~~ + +~~~~ +curl --header "Authorization: a4PLf8QICdDdOmFjwdtSYqkCqn9CvN0VQt7mpUUf " -d "{"uuid"="5a0d68b3-6da0-4ced-8233-77bb950d210f" "tag"="tlp:white"}" --header "Accept: application/json" --header "Content-Type: application/json" -X POST http://10.50.13.60/tags/attachTagToObject/ +~~~~ + + ### POST /tags/removeTagFromObject #### Description From b412cd71f2779b5615c47898eb9a03c864957b7a Mon Sep 17 00:00:00 2001 From: Alexander J Date: Mon, 26 Feb 2018 12:44:04 +0100 Subject: [PATCH 10/12] mention add Attributes no idea why that has never been documented. --- automation/README.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/automation/README.md b/automation/README.md index 5c44bdf..c2c65cf 100644 --- a/automation/README.md +++ b/automation/README.md 
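Review bot: the new curl example for `/tags/attachTagToObject/` sends a body that is not valid JSON (`=` instead of `:` between key and value, no comma between the two members) and the unescaped inner double quotes terminate the shell string, so the command fails before it reaches MISP; suggest `-d '{"uuid":"5a0d68b3-6da0-4ced-8233-77bb950d210f","tag":"tlp:white"}'`. The example also needs a sentence saying that it is the body-based alternative to the URL-parameter form shown just above it, and, like that form, it copies what looks like a real API key (with a trailing space inside the quotes) and an internal address from the earlier example; use an obvious placeholder such as `YOUR API KEY` and a placeholder host instead.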
@@ -55,7 +55,8 @@ By appending .json or .xml the content type can also be set without the need for PyMISP is a Python library to access MISP platforms via their REST API. -PyMISP allows you to fetch events, add or update events/attributes, add or update samples or search for attributes. +PyMISP allows you to fetch events, add or update events/ +utes, add or update samples or search for attributes. [PyMISP is available](https://github.com/MISP/PyMISP) including a documentation with various examples. @@ -508,6 +509,20 @@ curl --header "Authorization: a4PLf8QICdDdOmFjwdtSYqkCqn9CvN0VQt7mpUUf " --heade ## Attribute management +### POST /attributes/add/ + +Adds an Attribute to an event + +#### URL Arguments + +- event id + +#### Output + +#### Example +~~~~ +curl --header "Authorization: a4PLf8QICdDdOmFjwdtSYqkCqn9CvN0VQt7mpUUf " --header "Accept: application/json" --header "Content-Type: application/json" -d "{"event_id":"3542","value":"1.2.3.4","category":"Network activity","type":"ip-dst"}" http://10.50.13.60/attributes/add/3542 +~~~~ ### GET /attributes From 9ea8a1fe5a0436a7c57081abed5c868b1af4d818 Mon Sep 17 00:00:00 2001 From: Alexander J Date: Mon, 26 Feb 2018 12:46:41 +0100 Subject: [PATCH 11/12] Update README.md --- automation/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/automation/README.md b/automation/README.md index c2c65cf..f157dcc 100644 --- a/automation/README.md +++ b/automation/README.md @@ -55,8 +55,7 @@ By appending .json or .xml the content type can also be set without the need for PyMISP is a Python library to access MISP platforms via their REST API. -PyMISP allows you to fetch events, add or update events/ -utes, add or update samples or search for attributes. +PyMISP allows you to fetch events, add or update events/attributes, add or update samples or search for attributes. [PyMISP is available](https://github.com/MISP/PyMISP) including a documentation with various examples. 
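Review bot: the `@@ -55,7 +55,8 @@` hunk splits "events/attributes" across two lines mid-word ("events/" / "utes"), which is a wrapping accident unrelated to the commit subject "mention add Attributes"; PATCH 11/12 exists only to revert it, so drop this hunk here and squash the two commits.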
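Review bot: in the `@@ -508,6 +509,20 @@` hunk the `POST /attributes/add/` curl example wraps a JSON body containing double quotes in double quotes, so the shell breaks the argument apart and the request body is not the JSON shown; use single quotes around the body, `-d '{"event_id":"3542","value":"1.2.3.4","category":"Network activity","type":"ip-dst"}'`. The `#### Output` section is empty and should either show the returned Attribute JSON or be removed, the `#### URL Arguments` entry "event id" should say that it is the same event id as `event_id` in the body, and the example reuses what looks like a real API key and internal host from the earlier examples; replace both with placeholders.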
From 0458def491d68ef76e9e3b8184e759a8d3e9d568 Mon Sep 17 00:00:00 2001 From: Alexander J Date: Mon, 26 Feb 2018 17:08:43 +0100 Subject: [PATCH 12/12] Update README.md --- automation/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/automation/README.md b/automation/README.md index 5c44bdf..7189b44 100644 --- a/automation/README.md +++ b/automation/README.md @@ -1315,6 +1315,8 @@ To return an event with all of its attributes, relations, shadowAttributes, use ~~~~ https:///attributes/restSearch/json/[value]/[type]/[category]/[org]/[tag]/[quickfilter]/[from]/[to]/[last]/[eventid]/[withAttachments]/[metadata]/[uuid] ~~~~ + + If you include "includeEventUuid":1" in the json request, it will give you the event_uuid as a result as well.
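Review bot: the added sentence has an unbalanced quote, `"includeEventUuid":1"`; it should read `"includeEventUuid":1` (and "in the json request" reads better as "in the JSON request body"). Also note the index line `5c44bdf..7189b44`: this patch is based on 5c44bdf, the pre-image of PATCH 10/12, rather than on f157dcc produced by PATCH 11/12, so it is not stacked on the rest of the series and should be rebased before it is applied.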