mirror of https://github.com/MISP/misp-training
{
|
||
|
"cells": [
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Notebook trainer cheatsheet: API and CLI"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"- Automation page\n",
|
||
|
"- Recovering the API KEY (Automation page, User page, RestClient)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## Important notice\n",
|
||
|
"\n",
|
||
|
"This notebook demonstrates various usages of the MISP REST API.\n",
|
||
|
"\n",
|
||
|
"It should be noted that PyMISP is not required to use the MISP REST API. We are using PyMISP only to parse the response and inspect the data. So any HTTP client such as curl could do the job as described below. The `AUTHKEY` and `URL` used throughout this notebook belong to a local training instance (`127.0.0.1:8080`, plain HTTP): replace them with those of your own instance, and keep real keys out of shared notebooks, since anyone holding the key can act as that user through the API. The third argument passed to `ExpandedPyMISP` (`False`) disables TLS certificate verification; it is harmless against a local HTTP instance but should be left at its default when talking to an HTTPS instance.\n",
|
||
|
"\n",
|
||
|
"This command:\n",
|
||
|
"```\n",
|
||
|
"misp_url = URL + '/events/add'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"info\": \"Event\"\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)\n",
|
||
|
"```\n",
|
||
|
"\n",
|
||
|
"Will yield the same result as this command:\n",
|
||
|
"```\n",
|
||
|
"!curl \\\n",
|
||
|
" -d '{\"info\": \"Event\"}' \\\n",
|
||
|
" -H \"Authorization: ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\" \\\n",
|
||
|
" -H \"Accept: application/json\" \\\n",
|
||
|
" -H \"Content-type: application/json\" \\\n",
|
||
|
" -X POST 127.0.0.1:8080/events/add\n",
|
||
|
"```"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"from pymisp import ExpandedPyMISP\n",
|
||
|
"from pprint import pprint\n",
|
||
|
"AUTHKEY = \"ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\"\n",
|
||
|
"URL = \"http://127.0.0.1:8080\"\n",
|
||
|
"\n",
|
||
|
"def print_result(result):\n",
|
||
|
" flag_printed = False\n",
|
||
|
" if isinstance(result, list):\n",
|
||
|
" print(\"Count: %s\" % len(result))\n",
|
||
|
" flag_printed = True\n",
|
||
|
" for i in res:\n",
|
||
|
" if 'Event' in i and 'Attribute' in i['Event']:\n",
|
||
|
" print(\" - Attribute count: %s\" % len(i['Event']['Attribute']))\n",
|
||
|
" elif isinstance(result, dict):\n",
|
||
|
" if 'Attribute' in result:\n",
|
||
|
" print(\"Count: %s\" % len(result['Attribute']))\n",
|
||
|
" flag_printed = True\n",
|
||
|
" elif 'Event' in result and 'Attribute' in result['Event']['Attribute']:\n",
|
||
|
" print(\"Attribute count: %s\" % len(result['Event']['Attribute']))\n",
|
||
|
" flag_printed = True\n",
|
||
|
" if flag_printed:\n",
|
||
|
" print('----------')\n",
|
||
|
" pprint(result)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Events"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## Creation and Edition"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Creation\n",
|
||
|
"misp_url = URL + '/events/add'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"info\": \"Event created via the API as an example\",\n",
|
||
|
" \"threat_level_id\": 1,\n",
|
||
|
" \"distribution\": 0\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Edition 1\n",
|
||
|
"misp_url = URL + '/events/edit/'\n",
|
||
|
"relative_path = '33'\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"distribution\": 4,\n",
|
||
|
" \"sharing_group_id\": 1\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body) \n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Edition 2 - Adding Attribute\n",
|
||
|
"misp_url = URL + '/events/edit/'\n",
|
||
|
"relative_path = '29'\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"distribution\": 0,\n",
|
||
|
" \"Attribute\": [\n",
|
||
|
" {\n",
|
||
|
" \"value\": \"9.9.9.9\",\n",
|
||
|
" \"type\": \"ip-src\"\n",
|
||
|
" }\n",
|
||
|
" ]\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Edition 2 - tagging - The bad way (Fetch the whole event and re-process everything)\n",
|
||
|
"misp_url = URL + '/events/edit/'\n",
|
||
|
"relative_path = '29'\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"distribution\": 0,\n",
|
||
|
" \"EventTag\": {\n",
|
||
|
" \"Tag\": [\n",
|
||
|
" {\"name\":\"tlp:red\"}\n",
|
||
|
" ]\n",
|
||
|
" }\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Edition 2 - tagging - The better way\n",
|
||
|
"misp_url = URL + '/tags/attachTagToObject'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"uuid\": \"5cf65823-d22c-45ae-af4f-47d80a00020f\", # can be anything: event or attribute\n",
|
||
|
" \"tag\": \"tlp:green\"\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searching the Event index (Move it to the search topic)\n",
|
||
|
"misp_url = URL + '/events/index'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"eventinfo\": \"api\",\n",
|
||
|
" \"publish_timestamp\": \"10d\",\n",
|
||
|
" \"org\": \"ORGNAME\"\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searching the Event index\n",
|
||
|
"misp_url = URL + '/events/index'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"hasproposal\": 1,\n",
|
||
|
" \"tag\": [\"tlp:amber\"]\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"\n",
|
||
|
"print('Event number: %s' % len(res))\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Attributes"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## Creation and edition"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"event_id = 33"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Adding\n",
|
||
|
"misp_url = URL + '/attributes/add/'\n",
|
||
|
"relative_path = str(event_id)\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"value\": \"8.8.8.9\",\n",
|
||
|
" \"type\": \"ip-dst\"\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Adding invalid attribute type\n",
|
||
|
"misp_url = URL + '/attributes/add/'\n",
|
||
|
"relative_path = str(event_id)\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"value\": \"8.8.8.9\",\n",
|
||
|
" \"type\": \"md5\"\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Editing\n",
|
||
|
"misp_url = URL + '/attributes/edit/'\n",
|
||
|
"relative_path = '36586'\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"value\": \"127.0.0.1\",\n",
|
||
|
" \"to_ids\": 0,\n",
|
||
|
" \"comment\": \"Comment added via the API\",\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Editing with data taken from JSON views. \n",
|
||
|
"# <!> (timestamp) contrast the difference with *PyMISP*\n",
|
||
|
"misp_url = URL + '/attributes/edit/'\n",
|
||
|
"relative_path = '36586'\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"id\": \"36586\",\n",
|
||
|
" \"type\": \"ip-dst\",\n",
|
||
|
" \"category\": \"Network activity\",\n",
|
||
|
" \"to_ids\": False,\n",
|
||
|
" \"uuid\": \"5cf65823-d22c-45ae-af4f-47d80a00020f\",\n",
|
||
|
" \"event_id\": \"33\",\n",
|
||
|
" \"distribution\": \"5\",\n",
|
||
|
" \"comment\": \"Comment added via the API\",\n",
|
||
|
" \"sharing_group_id\": \"0\",\n",
|
||
|
" \"deleted\": False,\n",
|
||
|
" \"disable_correlation\": False,\n",
|
||
|
" \"object_id\": \"0\",\n",
|
||
|
" \"object_relation\": '',\n",
|
||
|
" \"value\": \"1.2.3.5\",\n",
|
||
|
" \"Galaxy\": [],\n",
|
||
|
" \"ShadowAttribute\": [],\n",
|
||
|
" \"Tag\": [\n",
|
||
|
" {\n",
|
||
|
" \"id\": \"4\",\n",
|
||
|
" \"name\": \"tlp:green\",\n",
|
||
|
" \"colour\": \"#14ff00\",\n",
|
||
|
" \"exportable\": True,\n",
|
||
|
" \"user_id\": \"0\",\n",
|
||
|
" \"hide_tag\": False,\n",
|
||
|
" \"numerical_value\": ''\n",
|
||
|
" }\n",
|
||
|
" ]\n",
|
||
|
" }\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Objects"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Example of an un-documented endpoint\n",
|
||
|
"misp_url = URL + '/objects/add/'\n",
|
||
|
"relative_path = str(event_id)\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"name\": \"microblog\",\n",
|
||
|
" \"meta-category\": \"misc\",\n",
|
||
|
" \"description\": \"Microblog post like a Twitter tweet or a post on a Facebook wall.\",\n",
|
||
|
" \"template_uuid\": \"8ec8c911-ddbe-4f5b-895b-fbff70c42a60\",\n",
|
||
|
" \"template_version\": \"5\",\n",
|
||
|
" \"event_id\": event_id,\n",
|
||
|
" \"timestamp\": \"1558702173\",\n",
|
||
|
" \"distribution\": \"5\",\n",
|
||
|
" \"sharing_group_id\": \"0\",\n",
|
||
|
" \"comment\": \"\",\n",
|
||
|
" \"deleted\": False,\n",
|
||
|
" \"ObjectReference\": [],\n",
|
||
|
" \"Attribute\": [\n",
|
||
|
" {\n",
|
||
|
" \"type\": \"text\",\n",
|
||
|
" \"category\": \"Other\",\n",
|
||
|
" \"to_ids\": False,\n",
|
||
|
" \"event_id\": event_id,\n",
|
||
|
" \"distribution\": \"5\",\n",
|
||
|
" \"timestamp\": \"1558702173\",\n",
|
||
|
" \"comment\": \"\",\n",
|
||
|
" \"sharing_group_id\": \"0\",\n",
|
||
|
" \"deleted\": False,\n",
|
||
|
" \"disable_correlation\": False,\n",
|
||
|
" \"object_relation\": \"post\",\n",
|
||
|
" \"value\": \"post\",\n",
|
||
|
" \"Galaxy\": [],\n",
|
||
|
" \"ShadowAttribute\": []\n",
|
||
|
" }\n",
|
||
|
" ]\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Go to event Edit 2\n",
|
||
|
"# Go to add tag the bad way"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## RestSearch\n",
|
||
|
"**Aka: Most powerful search tool in MISP**"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"### RestSearch - Attributes"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"misp_url = URL + '/attributes/restSearch/'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"returnFormat\": \"json\",\n",
|
||
|
" \"eventid\": event_id\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searches on Attribute's data\n",
|
||
|
"misp_url = URL + '/attributes/restSearch/'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"returnFormat\": \"json\",\n",
|
||
|
" \"eventid\": event_id,\n",
|
||
|
" \"type\": \"ip-dst\",\n",
|
||
|
" \"value\": \"1.2.3.%\"\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searches on Attribute's data\n",
|
||
|
"misp_url = URL + '/attributes/restSearch/'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"returnFormat\": \"json\",\n",
|
||
|
" \"eventid\": event_id,\n",
|
||
|
" \"deleted\": [0, 1] # Consider both deleted AND not deleted\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"# [] == {\"OR\": []}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searches on Attribute's data\n",
|
||
|
"misp_url = URL + '/attributes/restSearch/'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"returnFormat\": \"json\",\n",
|
||
|
" \"eventid\": event_id,\n",
|
||
|
"# \"tags\": \"tlp:white\",\n",
|
||
|
"# \"tags\": [\"tlp:white\", \"tlp:green\"]\n",
|
||
|
"# \"tags\": [\"!tlp:green\"]\n",
|
||
|
"# \"tags\": \"tlp:%\",\n",
|
||
|
"# \"includeEventTags\": 1\n",
|
||
|
"# BRAND NEW (only tag)! Preferred way (most accurate): distinction between OR and AND!\n",
|
||
|
" \"tags\": {\"AND\": [\"tlp:green\", \"Malware\"], \"NOT\": [\"%ransomware%\"]}\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Paginating\n",
|
||
|
"misp_url = URL + '/attributes/restSearch/'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"returnFormat\": \"json\",\n",
|
||
|
" \"eventid\": event_id,\n",
|
||
|
" \"page\": 2,\n",
|
||
|
" \"limit\": 1\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searches based on time: Absolute\n",
|
||
|
"misp_url = URL + '/attributes/restSearch/'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"returnFormat\": \"json\",\n",
|
||
|
" \"eventid\": event_id,\n",
|
||
|
" \"from\": \"2019/05/21\" # or \"2019-05-21\"\n",
|
||
|
" # from and to are NOT REALLY USEFUL here\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searches based on time: Relative\n",
|
||
|
"misp_url = URL + '/attributes/restSearch/'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"# /!\\ Last: works on the publish_timestamp -> may be confusing\n",
|
||
|
"# Units: days, hours, minutes and seconds\n",
|
||
|
"body = {\n",
|
||
|
" \"returnFormat\": \"json\",\n",
|
||
|
" \"eventid\": event_id,\n",
|
||
|
" \"to_ids\": 1,\n",
|
||
|
" \"last\": \"10d\"\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## Details regarding the different timestamps\n",
|
||
|
"- ``publish_timestamp`` = Time at which the event was published\n",
|
||
|
" - Usage: get data that arrived in my system since x\n",
|
||
|
" - E.g.: New data from a feed\n",
|
||
|
"- ``timestamp`` = Time of the last modification on the data\n",
|
||
|
" - Usage: get data that was modified in the last x hours\n",
|
||
|
" - E.g.: Last updated data from a feed\n",
|
||
|
"- ``event_timestamp``: Used in the Attribute scope\n",
|
||
|
" - Event modified in the last x hours"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searches with attachments\n",
|
||
|
"misp_url = URL + '/attributes/restSearch/'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"returnFormat\": \"json\",\n",
|
||
|
" \"eventid\": event_id,\n",
|
||
|
" \"type\": \"attachment\",\n",
|
||
|
"# \"withAttachments\": 1\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searches - Others\n",
|
||
|
"misp_url = URL + '/attributes/restSearch/'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"returnFormat\": \"json\",\n",
|
||
|
" \"eventid\": 31,\n",
|
||
|
" \"type\": \"ip-src\",\n",
|
||
|
"# \"enforceWarninglist\": 1\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"### RestSearch - Events"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searching using the RestSearch\n",
|
||
|
"misp_url = URL + '/events/restSearch'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"returnFormat\": \"json\",\n",
|
||
|
" \"eventid\": 31,\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searching using the RestSearch - Other return format\n",
|
||
|
"!curl \\\n",
|
||
|
" -d '{\"returnFormat\":\"rpz\",\"eventid\":31}' \\\n",
|
||
|
" -H \"Authorization: ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\" \\\n",
|
||
|
" -H \"Accept: application/json\" \\\n",
|
||
|
" -H \"Content-type: application/json\" \\\n",
|
||
|
" -X POST 127.0.0.1:8080/events/restSearch 2> /dev/null"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searching using the RestSearch - Other return format\n",
|
||
|
"!curl \\\n",
|
||
|
" -d '{\"returnFormat\":\"csv\",\"eventid\":31}' \\\n",
|
||
|
" -H \"Authorization: ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\" \\\n",
|
||
|
" -H \"Accept: application/json\" \\\n",
|
||
|
" -H \"Content-type: application/json\" \\\n",
|
||
|
" -X POST 127.0.0.1:8080/events/restSearch 2> /dev/null"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searching using the RestSearch - Filtering\n",
|
||
|
"misp_url = URL + '/events/restSearch'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"returnFormat\": \"json\",\n",
|
||
|
" \"value\": \"parsed-ail.json\"\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searching using the RestSearch\n",
|
||
|
"misp_url = URL + '/events/restSearch'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"returnFormat\": \"json\",\n",
|
||
|
" \"org\": \"CIRCL\",\n",
|
||
|
" \"id\": 33,\n",
|
||
|
" \"metadata\": 1\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searching using the RestSearch\n",
|
||
|
"misp_url = URL + '/events/restSearch'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"returnFormat\": \"json\",\n",
|
||
|
" \"eventinfo\": \"%via the API%\",\n",
|
||
|
" \"published\": 1\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Sightings"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Creating sightings\n",
|
||
|
"misp_url = URL + '/sightings/add'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
"# \"id\": \"36578\"\n",
|
||
|
" \"value\": \"parsed-ail.json\"\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Searching for sighted elements\n",
|
||
|
"misp_url = URL + '/sightings/restSearch/event'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"returnFormat\": \"json\",\n",
|
||
|
" \"id\": 33,\n",
|
||
|
" \"includeAttribute\": 1,\n",
|
||
|
" \"includeEvent\": 1\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Warning lists"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Checking values against the warning lists\n",
|
||
|
"misp_url = URL + '/warninglists/checkValue'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = [\"8.8.8.8\", \"yolo\", \"test\"]\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Instance management"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Creating Organisation\n",
|
||
|
"misp_url = URL + '/admin/organisations/add'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"name\": \"TEMP_ORG2\"\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Creating Users\n",
|
||
|
"misp_url = URL + '/admin/users/add'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"email\": \"from_api2@admin.test\",\n",
|
||
|
" \"org_id\": 1009,\n",
|
||
|
" \"role_id\": 3,\n",
|
||
|
" \"termsaccepted\": 1,\n",
|
||
|
" \"change_pw\": 0, # set to 1 to prompt the user to change the password once logged in\n",
|
||
|
" \"password\": \"~~UlTrA_SeCuRe_PaSsWoRd~~\"\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Creating Sharing Groups\n",
|
||
|
"misp_url = URL + '/sharing_groups/add'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"name\": \"TEMP_SG2\",\n",
|
||
|
" \"releasability\": \"To nobody\",\n",
|
||
|
" \"SharingGroupOrg\": [\n",
|
||
|
" {\n",
|
||
|
" \"name\": \"ORGNAME\",\n",
|
||
|
" \"extend\": 1\n",
|
||
|
" },\n",
|
||
|
" {\n",
|
||
|
" \"name\": \"CIRCL\",\n",
|
||
|
" \"extend\": 1\n",
|
||
|
" }\n",
|
||
|
" ]\n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {
|
||
|
"scrolled": true
|
||
|
},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Server\n",
|
||
|
"misp_url = URL + '/servers/add'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {\n",
|
||
|
" \"url\": \"http://127.0.0.1:80/\",\n",
|
||
|
" \"name\": \"Myself\",\n",
|
||
|
" \"remote_org_id\": \"2\",\n",
|
||
|
" \"authkey\": \"UHwmZCH4QdSKqPVunxTzfSes8n7ibBhUlsd0dmx9\"\n",
|
||
|
" \n",
|
||
|
"}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Server settings\n",
|
||
|
"misp_url = URL + '/servers/serverSettings'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"# Statistics\n",
|
||
|
"misp_url = URL + '/users/statistics'\n",
|
||
|
"relative_path = ''\n",
|
||
|
"\n",
|
||
|
"body = {}\n",
|
||
|
"\n",
|
||
|
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
|
||
|
"res = misp.direct_call(relative_path, body)\n",
|
||
|
"print_result(res)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"Not Available:\n",
|
||
|
"- misp-module"
|
||
|
]
|
||
|
}
|
||
|
],
|
||
|
"metadata": {
|
||
|
"kernelspec": {
|
||
|
"display_name": "Python 3",
|
||
|
"language": "python",
|
||
|
"name": "python3"
|
||
|
},
|
||
|
"language_info": {
|
||
|
"codemirror_mode": {
|
||
|
"name": "ipython",
|
||
|
"version": 3
|
||
|
},
|
||
|
"file_extension": ".py",
|
||
|
"mimetype": "text/x-python",
|
||
|
"name": "python",
|
||
|
"nbconvert_exporter": "python",
|
||
|
"pygments_lexer": "ipython3",
|
||
|
"version": "3.6.8"
|
||
|
}
|
||
|
},
|
||
|
"nbformat": 4,
|
||
|
"nbformat_minor": 2
|
||
|
}
|