chg: [a.7-restAPI] Updated notebook to include event-report and analyst-data

Sami Mokaddem 2024-04-11 10:06:34 +02:00
parent 8390eadcae
commit 3fca4fdc5c
1 changed files with 287 additions and 169 deletions


@ -52,14 +52,14 @@
},
{
"cell_type": "code",
"execution_count": 38,
"execution_count": 6,
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"The version of PyMISP recommended by the MISP instance (2.4.183) is newer than the one you're using now (2.4.168). Please upgrade PyMISP.\n"
"The version of PyMISP recommended by the MISP instance (2.4.188) is newer than the one you're using now (2.4.168). Please upgrade PyMISP.\n"
]
}
],
@ -84,7 +84,7 @@
" if 'Attribute' in result:\n",
" print(\"Count: %s\" % len(result['Attribute']))\n",
" flag_printed = True\n",
" elif 'Event' in result and 'Attribute' in result['Event']['Attribute']:\n",
" elif 'Event' in result and 'Attribute' in result['Event']:\n",
" print(\"Attribute count: %s\" % len(result['Event']['Attribute']))\n",
" flag_printed = True\n",
" if flag_printed:\n",
@ -697,186 +697,38 @@
},
{
"cell_type": "code",
"execution_count": 58,
"execution_count": 7,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'Event': {'Attribute': [{'Galaxy': [],\n",
" 'ShadowAttribute': [],\n",
" 'category': 'Network activity',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56142',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705581872',\n",
" 'to_ids': True,\n",
" 'type': 'ip-src',\n",
" 'uuid': '6938d503-7d96-48b6-9a18-f8e6f95f04dd',\n",
" 'value': '9.9.9.9'},\n",
" {'Galaxy': [],\n",
" 'ShadowAttribute': [],\n",
" 'category': 'Network activity',\n",
" 'comment': 'Comment added via the API',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56143',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705582453',\n",
" 'to_ids': False,\n",
" 'type': 'ip-dst',\n",
" 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n",
" 'value': '127.2.2.2'}],\n",
" 'CryptographicKey': [],\n",
" 'EventReport': [],\n",
" 'Galaxy': [],\n",
" 'Object': [{'Attribute': [{'Galaxy': [],\n",
" 'ShadowAttribute': [],\n",
" 'category': 'Other',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56144',\n",
" 'last_seen': None,\n",
" 'object_id': '645',\n",
" 'object_relation': 'post',\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1558702173',\n",
" 'to_ids': False,\n",
" 'type': 'text',\n",
" 'uuid': '7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5',\n",
" 'value': 'post'}],\n",
" 'ObjectReference': [],\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'description': 'Microblog post like a Twitter tweet or '\n",
" 'a post on a Facebook wall.',\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '645',\n",
" 'last_seen': None,\n",
" 'meta-category': 'misc',\n",
" 'name': 'microblog',\n",
" 'sharing_group_id': '0',\n",
" 'template_uuid': '8ec8c911-ddbe-4f5b-895b-fbff70c42a60',\n",
" 'template_version': '5',\n",
" 'timestamp': '1558702173',\n",
" 'uuid': '838aefb1-0f6e-4967-9a99-e7414887ae9a'}],\n",
" 'Org': {'id': '1',\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'RelatedEvent': [{'Event': {'Org': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'analysis': '0',\n",
" 'date': '2024-01-16',\n",
" 'distribution': '3',\n",
" 'id': '122',\n",
" 'info': 'Event created via the API as '\n",
" 'an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'published': False,\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1705581786',\n",
" 'uuid': 'de96c637-2282-4fc0-9c4e-ca7db60bace1'}},\n",
" {'Event': {'Org': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'analysis': '0',\n",
" 'date': '2023-09-28',\n",
" 'distribution': '0',\n",
" 'id': '87',\n",
" 'info': 'Event created via the API as '\n",
" 'an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'published': True,\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1695907402',\n",
" 'uuid': 'a1348888-5a3e-4e18-acd5-b5015c9621ed'}}],\n",
" 'ShadowAttribute': [],\n",
" 'Tag': [{'colour': '#FF2B2B',\n",
" 'exportable': True,\n",
" 'hide_tag': False,\n",
" 'id': '16',\n",
" 'is_custom_galaxy': False,\n",
" 'is_galaxy': False,\n",
" 'local': 0,\n",
" 'local_only': False,\n",
" 'name': 'tlp:red',\n",
" 'numerical_value': None,\n",
" 'relationship_type': None,\n",
" 'user_id': '0'},\n",
" {'colour': '#33FF00',\n",
" 'exportable': True,\n",
" 'hide_tag': False,\n",
" 'id': '79',\n",
" 'is_custom_galaxy': False,\n",
" 'is_galaxy': False,\n",
" 'local': 0,\n",
" 'local_only': False,\n",
" 'name': 'tlp:green',\n",
" 'numerical_value': None,\n",
" 'relationship_type': None,\n",
" 'user_id': '0'}],\n",
" 'analysis': '0',\n",
" 'attribute_count': '3',\n",
" 'date': '2024-01-18',\n",
" 'disable_correlation': False,\n",
" 'distribution': '0',\n",
" 'event_creator_email': 'admin@admin.test',\n",
" 'extends_uuid': '',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'locked': False,\n",
"{'Event': {'Org': {'id': '1', 'name': 'ORGNAME'},\n",
" 'Orgc': {'id': '1', 'name': 'ORGNAME'},\n",
" 'date': '2023-12-11',\n",
" 'id': '119',\n",
" 'info': 'testtest',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'proposal_email_lock': False,\n",
" 'protected': None,\n",
" 'publish_timestamp': '0',\n",
" 'published': False,\n",
" 'sharing_group_id': '0',\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1705582663',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'}}\n"
" 'user_id': '6'},\n",
" 'EventReport': {'content': 'Body',\n",
" 'deleted': False,\n",
" 'distribution': '5',\n",
" 'event_id': '119',\n",
" 'id': '52',\n",
" 'name': 'Report from API',\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1712818726',\n",
" 'uuid': '9b6a2be2-127a-4c61-875b-a9eeba3b1139'},\n",
" 'SharingGroup': {'id': None, 'name': None, 'uuid': None}}\n"
]
}
],
"source": [
"# Edition 2 - tagging 2\n",
"endpoint = '/events/edit/'\n",
"relative_path = '126'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"distribution\": 0,\n",
@ -889,6 +741,272 @@
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Event reports"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"endpoint = '/eventReports/add/'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"name\": \"Report from API\",\n",
" \"distribution\": 5,\n",
" \"sharing_group_id\": 0,\n",
" \"content\": \"Body\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"event_report_id = res['EventReport']['id']\n",
"\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Download HTML, convert it into markdown then save it as Event Report.\n",
"endpoint = '/eventReports/importReportFromUrl/'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"url\": \"https://domain.example/blogpost/123.pdf\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 20,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'report': {'Event': {'Org': {'id': '1', 'name': 'ORGNAME'},\n",
" 'Orgc': {'id': '1', 'name': 'ORGNAME'},\n",
" 'date': '2023-12-11',\n",
" 'id': '119',\n",
" 'info': 'testtest',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'user_id': '6'},\n",
" 'EventReport': {'content': 'Body @[tag](tlp:red) '\n",
" '@[attribute](bffa5ba8-7040-4f38-979f-7386f5a3a251)',\n",
" 'deleted': False,\n",
" 'distribution': '5',\n",
" 'event_id': '119',\n",
" 'id': '50',\n",
" 'name': 'Report from API',\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1712821134',\n",
" 'uuid': '972d3aeb-a60e-4bab-9db9-a76ef0551188'},\n",
" 'SharingGroup': {'id': None, 'name': None, 'uuid': None}}}\n"
]
}
],
"source": [
" # Extract all entities, tag Event with tag found\n",
"endpoint = '/eventReports/extractAllFromReport/'\n",
"relative_path = str(50)\n",
"\n",
"body = {\n",
" \"tag_event\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Analyst Data"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Analyst Note"
]
},
{
"cell_type": "code",
"execution_count": 22,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'Note': {'Org': {'contacts': '',\n",
" 'created_by': '0',\n",
" 'date_created': '2021-09-30 13:28:31',\n",
" 'date_modified': '2023-09-07 07:40:54',\n",
" 'description': 'Automatically generated admin organisation',\n",
" 'id': '1',\n",
" 'landingpage': None,\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'nationality': 'Belgium',\n",
" 'restricted_to_domain': [],\n",
" 'sector': '',\n",
" 'type': 'ADMIN',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'contacts': '',\n",
" 'created_by': '0',\n",
" 'date_created': '2021-09-30 13:28:31',\n",
" 'date_modified': '2023-09-07 07:40:54',\n",
" 'description': 'Automatically generated admin organisation',\n",
" 'id': '1',\n",
" 'landingpage': None,\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'nationality': 'Belgium',\n",
" 'restricted_to_domain': [],\n",
" 'sector': '',\n",
" 'type': 'ADMIN',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" '_canEdit': True,\n",
" 'authors': 'john.doe@admin.test',\n",
" 'created': '2024-04-11 07:54:06',\n",
" 'distribution': '1',\n",
" 'id': '80',\n",
" 'language': 'fr-BE',\n",
" 'locked': False,\n",
" 'modified': '2024-04-11 07:54:06',\n",
" 'note': 'Ceci est une note',\n",
" 'note_type': 0,\n",
" 'note_type_name': 'Note',\n",
" 'object_type': 'Event50',\n",
" 'object_uuid': '03cbbd87-9081-4ea9-94e2-431939fa85dc',\n",
" 'org_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n",
" 'orgc_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n",
" 'sharing_group_id': None,\n",
" 'uuid': 'b6362eab-b232-4d7b-867f-52c6971a743b'}}\n"
]
}
],
"source": [
"analystType = 'Note'\n",
"objectUUID = '03cbbd87-9081-4ea9-94e2-431939fa85dc'\n",
"# objectType[Enum]: \"Attribute\" \"Event\" \"EventReport\" \"GalaxyCluster\" \"Galaxy\"\n",
"# \"Object\" \"Note\" \"Opinion\" \"Relationship\" \"Organisation\" \"SharingGroup\"\n",
"objectType = 'Event'\n",
"endpoint = f'/analystData/add/{analystType}/{objectUUID}/{objectType}'\n",
"\n",
"body = {\n",
" \"note\": \"Ceci est une note\",\n",
" \"language\": \"fr-BE\",\n",
" \"authors\": \"john.doe@admin.test\",\n",
" \"distribution\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Analyst Opinion"
]
},
{
"cell_type": "code",
"execution_count": 23,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'Opinion': {'Org': {'contacts': '',\n",
" 'created_by': '0',\n",
" 'date_created': '2021-09-30 13:28:31',\n",
" 'date_modified': '2023-09-07 07:40:54',\n",
" 'description': 'Automatically generated admin '\n",
" 'organisation',\n",
" 'id': '1',\n",
" 'landingpage': None,\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'nationality': 'Belgium',\n",
" 'restricted_to_domain': [],\n",
" 'sector': '',\n",
" 'type': 'ADMIN',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'contacts': '',\n",
" 'created_by': '0',\n",
" 'date_created': '2021-09-30 13:28:31',\n",
" 'date_modified': '2023-09-07 07:40:54',\n",
" 'description': 'Automatically generated admin '\n",
" 'organisation',\n",
" 'id': '1',\n",
" 'landingpage': None,\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'nationality': 'Belgium',\n",
" 'restricted_to_domain': [],\n",
" 'sector': '',\n",
" 'type': 'ADMIN',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" '_canEdit': True,\n",
" 'authors': 'john.doe@admin.test',\n",
" 'comment': 'This is an opinion',\n",
" 'created': '2024-04-11 07:54:12',\n",
" 'distribution': '1',\n",
" 'id': '64',\n",
" 'locked': False,\n",
" 'modified': '2024-04-11 07:54:12',\n",
" 'note_type': 1,\n",
" 'note_type_name': 'Opinion',\n",
" 'object_type': 'Event50',\n",
" 'object_uuid': '03cbbd87-9081-4ea9-94e2-431939fa85dc',\n",
" 'opinion': '75',\n",
" 'org_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n",
" 'orgc_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n",
" 'sharing_group_id': None,\n",
" 'uuid': 'eea00f1d-71aa-4763-9489-bd137cae2a57'}}\n"
]
}
],
"source": [
"analystType = 'Opinion'\n",
"objectUUID = '03cbbd87-9081-4ea9-94e2-431939fa85dc'\n",
"# objectType[Enum]: \"Attribute\" \"Event\" \"EventReport\" \"GalaxyCluster\" \"Galaxy\"\n",
"# \"Object\" \"Note\" \"Opinion\" \"Relationship\" \"Organisation\" \"SharingGroup\"\n",
"objectType = 'Event'\n",
"endpoint = f'/analystData/add/{analystType}/{objectUUID}/{objectType}'\n",
"\n",
"body = {\n",
" \"opinion\": 75,\n",
" \"comment\": \"This is an opinion\",\n",
" \"authors\": \"john.doe@admin.test\",\n",
" \"distribution\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
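Review bot: Both analyst-data cells (the `res = misp.direct_call(endpoint + relative_path, body)` lines under `## Analyst Note` and `## Analyst Opinion`) append `relative_path` to an `endpoint` that is already the complete f-string path, so the request goes to `/analystData/add/Note/<uuid>/Event50` — the stored `'object_type': 'Event50'` in both outputs is that leftover `"50"` from the `extractAllFromReport` cell, not the intended `Event`. Change both lines to `res = misp.direct_call(endpoint, body)` so the cells no longer depend on a variable set by an unrelated earlier cell. The instance appears to have persisted the malformed object type rather than rejecting it, which is worth confirming against the server-side validation of that path segment before relying on it. In the same cell chain, `relative_path = str(50)` hardcodes the report id instead of reusing the `event_report_id` captured in the `/eventReports/add/` cell, so a re-run on another instance targets whatever report 50 happens to be there; `relative_path = str(event_report_id)` keeps the notebook self-contained.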