misp-training/a.7-rest-API/.ipynb_checkpoints/Training - Using the API in...

1042 lines
27 KiB
Plaintext
Raw Normal View History

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Notebook trainer cheatsheet: API and CLI"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"- Automation page\n",
"- Recovering the API KEY (Automation page, User page, RestClient)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Important notice\n",
"\n",
"This notebook various usage of the MISP restAPI.\n",
"\n",
"It should be noted that PyMISP is not required to use the MISP restAPI. We are using PyMISP only to parse the response and inspect the data. So any HTTP client such as curl could do the job a described below.\n",
"\n",
"This command:\n",
"```\n",
"misp_url = URL + '/events/add'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"info\": \"Event\"\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)\n",
"```\n",
"\n",
"Will yield the same result as this command:\n",
"```\n",
"!curl \\\n",
" -d '{\"info\": \"Event\"}' \\\n",
" -H \"Authorization: ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\" \\\n",
" -H \"Accept: application/json\" \\\n",
" -H \"Content-type: application/json\" \\\n",
" -X POST 127.0.0.1:8080/events/restSearch\n",
" ```"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from pymisp import ExpandedPyMISP\n",
"from pprint import pprint\n",
"AUTHKEY = \"ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\"\n",
"URL = \"http://127.0.0.1:8080\"\n",
"\n",
"def print_result(result):\n",
" flag_printed = False\n",
" if isinstance(result, list):\n",
" print(\"Count: %s\" % len(result))\n",
" flag_printed = True\n",
" for i in res:\n",
" if 'Event' in i and 'Attribute' in i['Event']:\n",
" print(\" - Attribute count: %s\" % len(i['Event']['Attribute']))\n",
" elif isinstance(result, dict):\n",
" if 'Attribute' in result:\n",
" print(\"Count: %s\" % len(result['Attribute']))\n",
" flag_printed = True\n",
" elif 'Event' in result and 'Attribute' in result['Event']['Attribute']:\n",
" print(\"Attribute count: %s\" % len(result['Event']['Attribute']))\n",
" flag_printed = True\n",
" if flag_printed:\n",
" print('----------')\n",
" pprint(result)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Events"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Creation and Edition"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Creation\n",
"misp_url = URL + '/events/add'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"info\": \"Event created via the API as an example\",\n",
" \"threat_level_id\": 1,\n",
" \"distribution\": 0\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Edition 1\n",
"misp_url = URL + '/events/edit/'\n",
"relative_path = '33'\n",
"\n",
"body = {\n",
" \"distribution\": 4,\n",
" \"sharing_group_id\": 1\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body) \n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Edition 2 - Adding Attribute\n",
"misp_url = URL + '/events/edit/'\n",
"relative_path = '29'\n",
"\n",
"body = {\n",
" \"distribution\": 0,\n",
" \"Attribute\": [\n",
" {\n",
" \"value\": \"9.9.9.9\",\n",
" \"type\": \"ip-src\"\n",
" }\n",
" ]\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Edition 2 - tagging - The bad way (Fetch the whole event and re-process everything)\n",
"misp_url = URL + '/events/edit/'\n",
"relative_path = '29'\n",
"\n",
"body = {\n",
" \"distribution\": 0,\n",
" \"EventTag\": {\n",
" \"Tag\": [\n",
" {\"name\":\"tlp:red\"}\n",
" ]\n",
" }\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Edition 2 - tagging - The better way\n",
"misp_url = URL + '/tags/attachTagToObject'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"uuid\": \"5cf65823-d22c-45ae-af4f-47d80a00020f\", # can be anything: event or attribute\n",
" \"tag\": \"tlp:green\"\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searching the Event index (Move it to the search topic)\n",
"misp_url = URL + '/events/index'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"eventinfo\": \"api\",\n",
" \"publish_timestamp\": \"10d\",\n",
" \"org\": \"ORGNAME\"\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searching the Event index\n",
"misp_url = URL + '/events/index'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"hasproposal\": 1,\n",
" \"tag\": [\"tlp:amber\"]\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"\n",
"print('Event number: %s' % len(res))\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Attributes"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Creation and edition"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"event_id = 33"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Adding\n",
"misp_url = URL + '/attributes/add/'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"value\": \"8.8.8.9\",\n",
" \"type\": \"ip-dst\"\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Adding invalid attribute type\n",
"misp_url = URL + '/attributes/add/'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"value\": \"8.8.8.9\",\n",
" \"type\": \"md5\"\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Editing\n",
"misp_url = URL + '/attributes/edit/'\n",
"relative_path = '36586'\n",
"\n",
"body = {\n",
" \"value\": \"127.0.0.1\",\n",
" \"to_ids\": 0,\n",
" \"comment\": \"Comment added via the API\",\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Editing with data taken from JSON views. \n",
"# <!> (timestamp) contrast the difference with *PyMISP*\n",
"misp_url = URL + '/attributes/edit/'\n",
"relative_path = '36586'\n",
"\n",
"body = {\n",
" \"id\": \"36586\",\n",
" \"type\": \"ip-dst\",\n",
" \"category\": \"Network activity\",\n",
" \"to_ids\": False,\n",
" \"uuid\": \"5cf65823-d22c-45ae-af4f-47d80a00020f\",\n",
" \"event_id\": \"33\",\n",
" \"distribution\": \"5\",\n",
" \"comment\": \"Comment added via the API\",\n",
" \"sharing_group_id\": \"0\",\n",
" \"deleted\": False,\n",
" \"disable_correlation\": False,\n",
" \"object_id\": \"0\",\n",
" \"object_relation\": '',\n",
" \"value\": \"1.2.3.5\",\n",
" \"Galaxy\": [],\n",
" \"ShadowAttribute\": [],\n",
" \"Tag\": [\n",
" {\n",
" \"id\": \"4\",\n",
" \"name\": \"tlp:green\",\n",
" \"colour\": \"#14ff00\",\n",
" \"exportable\": True,\n",
" \"user_id\": \"0\",\n",
" \"hide_tag\": False,\n",
" \"numerical_value\": ''\n",
" }\n",
" ]\n",
" }\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Objects"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Example of an un-documented endpoint\n",
"misp_url = URL + '/objects/add/'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"name\": \"microblog\",\n",
" \"meta-category\": \"misc\",\n",
" \"description\": \"Microblog post like a Twitter tweet or a post on a Facebook wall.\",\n",
" \"template_uuid\": \"8ec8c911-ddbe-4f5b-895b-fbff70c42a60\",\n",
" \"template_version\": \"5\",\n",
" \"event_id\": event_id,\n",
" \"timestamp\": \"1558702173\",\n",
" \"distribution\": \"5\",\n",
" \"sharing_group_id\": \"0\",\n",
" \"comment\": \"\",\n",
" \"deleted\": False,\n",
" \"ObjectReference\": [],\n",
" \"Attribute\": [\n",
" {\n",
" \"type\": \"text\",\n",
" \"category\": \"Other\",\n",
" \"to_ids\": False,\n",
" \"event_id\": event_id,\n",
" \"distribution\": \"5\",\n",
" \"timestamp\": \"1558702173\",\n",
" \"comment\": \"\",\n",
" \"sharing_group_id\": \"0\",\n",
" \"deleted\": False,\n",
" \"disable_correlation\": False,\n",
" \"object_relation\": \"post\",\n",
" \"value\": \"post\",\n",
" \"Galaxy\": [],\n",
" \"ShadowAttribute\": []\n",
" }\n",
" ]\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Go to event Edit 2\n",
"# Go to add tag the bad way"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## RestSearch\n",
"**Aka: Most powerful search tool in MISP**"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### RestSearch - Attributes"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"misp_url = URL + '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searches on Attribute's data\n",
"misp_url = URL + '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
" \"type\": \"ip-dst\",\n",
" \"value\": \"1.2.3.%\"\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searches on Attribute's data\n",
"misp_url = URL + '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
" \"deleted\": [0, 1] # Consider both deleted AND not deleted\n",
"}\n",
"\n",
"# [] == {\"OR\": []}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searches on Attribute's data\n",
"misp_url = URL + '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
"# \"tags\": \"tlp:white\",\n",
"# \"tags\": [\"tlp:white\", \"tlp:green\"]\n",
"# \"tags\": [\"!tlp:green\"]\n",
"# \"tags\": \"tlp:%\",\n",
"# \"includeEventTags\": 1\n",
"# BRAND NEW (only tag)! Prefered way (Most accurate): Distinction between OR and AND!\n",
" \"tags\": {\"AND\": [\"tlp:green\", \"Malware\"], \"NOT\": [\"%ransomware%\"]}\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Paginating\n",
"misp_url = URL + '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
" \"page\": 2,\n",
" \"limit\": 1\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searches based on time: Absolute\n",
"misp_url = URL + '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
" \"from\": \"2019/05/21\" # or \"2019-05-21\"\n",
" # from and to NOT REALLY USEFULL.. \n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searches based on time: Relative\n",
"misp_url = URL + '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"# /!\\ Last: works on the publish_timestamp -> may be confusing\n",
"# Units: days, hours, minutes and secondes\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
" \"to_ids\": 1,\n",
" \"last\": \"10d\"\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Precision regarding the different timestamps\n",
"- ``publish_timestamp`` = Time at which the event was published\n",
" - Usage: get data that arrived in my system since x\n",
" - E.g.: New data from a feed\n",
"- ``timestamp`` = Time of the last modification on the data\n",
" - data was modified in the last x hours\n",
" - E.g.: Last updated data from a feed\n",
"- ``event_timestamp``: Used in the Attribute scope\n",
" - Event modified in the last x hours"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searches with attachments\n",
"misp_url = URL + '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
" \"type\": \"attachment\",\n",
"# \"withAttachments\": 1\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searches - Others\n",
"misp_url = URL + '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": 31,\n",
" \"type\": \"ip-src\",\n",
"# \"enforceWarninglist\": 1\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### RestSearch - Events"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searching using the RestSearch\n",
"misp_url = URL + '/events/restSearch'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": 31,\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searching using the RestSearch - Other return format\n",
"!curl \\\n",
" -d '{\"returnFormat\":\"rpz\",\"eventid\":31}' \\\n",
" -H \"Authorization: ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\" \\\n",
" -H \"Accept: application/json\" \\\n",
" -H \"Content-type: application/json\" \\\n",
" -X POST 127.0.0.1:8080/events/restSearch 2> /dev/null"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searching using the RestSearch - Other return format\n",
"!curl \\\n",
" -d '{\"returnFormat\":\"csv\",\"eventid\":31}' \\\n",
" -H \"Authorization: ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\" \\\n",
" -H \"Accept: application/json\" \\\n",
" -H \"Content-type: application/json\" \\\n",
" -X POST 127.0.0.1:8080/events/restSearch 2> /dev/null"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searching using the RestSearch - Filtering\n",
"misp_url = URL + '/events/restSearch'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"value\": \"parsed-ail.json\"\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searching using the RestSearch\n",
"misp_url = URL + '/events/restSearch'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"org\": \"CIRCL\",\n",
" \"id\": 33,\n",
" \"metadata\": 1\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searching using the RestSearch\n",
"misp_url = URL + '/events/restSearch'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventinfo\": \"%via the API%\",\n",
" \"published\": 1\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Sightings"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Creating sightings\n",
"misp_url = URL + '/sightings/add'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
"# \"id\": \"36578\"\n",
" \"value\": \"parsed-ail.json\"\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searching for sighted elements\n",
"misp_url = URL + '/sightings/restSearch/event'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"id\": 33,\n",
" \"includeAttribute\": 1,\n",
" \"includeEvent\": 1\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Warning lists"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Checking values against the warining list\n",
"misp_url = URL + '/warninglists/checkValue'\n",
"relative_path = ''\n",
"\n",
"body = [\"8.8.8.8\", \"yolo\", \"test\"]\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Instance management"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Creating Organisation\n",
"misp_url = URL + '/admin/organisations/add'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"name\": \"TEMP_ORG2\"\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Creating Users\n",
"misp_url = URL + '/admin/users/add'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"email\": \"from_api2@admin.test\",\n",
" \"org_id\": 1009,\n",
" \"role_id\": 3,\n",
" \"termsaccepted\": 1,\n",
" \"change_pw\": 0, # User prompted to change the psswd once logged in\n",
" \"password\": \"~~UlTrA_SeCuRe_PaSsWoRd~~\"\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Creating Sharing Groups\n",
"misp_url = URL + '/sharing_groups/add'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"name\": \"TEMP_SG2\",\n",
" \"releasability\": \"To nobody\",\n",
" \"SharingGroupOrg\": [\n",
" {\n",
" \"name\": \"ORGNAME\",\n",
" \"extend\": 1\n",
" },\n",
" {\n",
" \"name\": \"CIRCL\",\n",
" \"extend\": 1\n",
" }\n",
" ]\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"scrolled": true
},
"outputs": [],
"source": [
"# Server\n",
"misp_url = URL + '/servers/add'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"url\": \"http://127.0.0.1:80/\",\n",
" \"name\": \"Myself\",\n",
" \"remote_org_id\": \"2\",\n",
" \"authkey\": \"UHwmZCH4QdSKqPVunxTzfSes8n7ibBhUlsd0dmx9\"\n",
" \n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Server settings\n",
"misp_url = URL + '/servers/serverSettings'\n",
"relative_path = ''\n",
"\n",
"body = {}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Statistics\n",
"misp_url = URL + '/users/statistics'\n",
"relative_path = ''\n",
"\n",
"body = {}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"Not Available:\n",
"- misp-module"
]
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.6.8"
}
},
"nbformat": 4,
"nbformat_minor": 2
}