diff --git a/a.7-rest-API/Training - Using the API in MISP.ipynb b/a.7-rest-API/Training - Using the API in MISP.ipynb index a17da53..e83d757 100644 --- a/a.7-rest-API/Training - Using the API in MISP.ipynb +++ b/a.7-rest-API/Training - Using the API in MISP.ipynb @@ -52,14 +52,14 @@ }, { "cell_type": "code", - "execution_count": 38, + "execution_count": 6, "metadata": {}, "outputs": [ { "name": "stderr", "output_type": "stream", "text": [ - "The version of PyMISP recommended by the MISP instance (2.4.183) is newer than the one you're using now (2.4.168). Please upgrade PyMISP.\n" + "The version of PyMISP recommended by the MISP instance (2.4.188) is newer than the one you're using now (2.4.168). Please upgrade PyMISP.\n" ] } ], @@ -84,7 +84,7 @@ " if 'Attribute' in result:\n", " print(\"Count: %s\" % len(result['Attribute']))\n", " flag_printed = True\n", - " elif 'Event' in result and 'Attribute' in result['Event']['Attribute']:\n", + " elif 'Event' in result and 'Attribute' in result['Event']:\n", " print(\"Attribute count: %s\" % len(result['Event']['Attribute']))\n", " flag_printed = True\n", " if flag_printed:\n", 
@@ -697,186 +697,38 @@ }, { "cell_type": "code", - "execution_count": 58, + "execution_count": 7, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ - "{'Event': {'Attribute': [{'Galaxy': [],\n", - " 'ShadowAttribute': [],\n", - " 'category': 'Network activity',\n", - " 'comment': '',\n", - " 'deleted': False,\n", - " 'disable_correlation': False,\n", - " 'distribution': '5',\n", - " 'event_id': '126',\n", - " 'first_seen': None,\n", - " 'id': '56142',\n", - " 'last_seen': None,\n", - " 'object_id': '0',\n", - " 'object_relation': None,\n", - " 'sharing_group_id': '0',\n", - " 'timestamp': '1705581872',\n", - " 'to_ids': True,\n", - " 'type': 'ip-src',\n", - " 'uuid': '6938d503-7d96-48b6-9a18-f8e6f95f04dd',\n", - " 'value': '9.9.9.9'},\n", - " {'Galaxy': [],\n", - " 'ShadowAttribute': [],\n", - " 'category': 'Network activity',\n", - " 'comment': 'Comment added via the API',\n", - " 'deleted': False,\n", - " 'disable_correlation': False,\n", - " 'distribution': '5',\n", - " 'event_id': '126',\n", - " 'first_seen': None,\n", - " 'id': '56143',\n", - " 'last_seen': None,\n", - " 'object_id': '0',\n", - " 'object_relation': None,\n", - " 'sharing_group_id': '0',\n", - " 'timestamp': '1705582453',\n", - " 'to_ids': False,\n", - " 'type': 'ip-dst',\n", - " 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n", - " 'value': '127.2.2.2'}],\n", - " 'CryptographicKey': [],\n", - " 'EventReport': [],\n", - " 'Galaxy': [],\n", - " 'Object': [{'Attribute': [{'Galaxy': [],\n", - " 'ShadowAttribute': [],\n", - " 'category': 'Other',\n", - " 'comment': '',\n", - " 'deleted': False,\n", - " 'disable_correlation': False,\n", - " 'distribution': '5',\n", - " 'event_id': '126',\n", - " 'first_seen': None,\n", - " 'id': '56144',\n", - " 'last_seen': None,\n", - " 'object_id': '645',\n", - " 'object_relation': 'post',\n", - " 'sharing_group_id': '0',\n", - " 'timestamp': '1558702173',\n", - " 'to_ids': False,\n", - " 'type': 'text',\n", - " 'uuid': 
'7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5',\n", - " 'value': 'post'}],\n", - " 'ObjectReference': [],\n", - " 'comment': '',\n", - " 'deleted': False,\n", - " 'description': 'Microblog post like a Twitter tweet or '\n", - " 'a post on a Facebook wall.',\n", - " 'distribution': '5',\n", - " 'event_id': '126',\n", - " 'first_seen': None,\n", - " 'id': '645',\n", - " 'last_seen': None,\n", - " 'meta-category': 'misc',\n", - " 'name': 'microblog',\n", - " 'sharing_group_id': '0',\n", - " 'template_uuid': '8ec8c911-ddbe-4f5b-895b-fbff70c42a60',\n", - " 'template_version': '5',\n", - " 'timestamp': '1558702173',\n", - " 'uuid': '838aefb1-0f6e-4967-9a99-e7414887ae9a'}],\n", - " 'Org': {'id': '1',\n", - " 'local': True,\n", - " 'name': 'ORGNAME',\n", - " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", - " 'Orgc': {'id': '1',\n", - " 'local': True,\n", - " 'name': 'ORGNAME',\n", - " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", - " 'RelatedEvent': [{'Event': {'Org': {'id': '1',\n", - " 'name': 'ORGNAME',\n", - " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", - " 'Orgc': {'id': '1',\n", - " 'name': 'ORGNAME',\n", - " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", - " 'analysis': '0',\n", - " 'date': '2024-01-16',\n", - " 'distribution': '3',\n", - " 'id': '122',\n", - " 'info': 'Event created via the API as '\n", - " 'an example',\n", - " 'org_id': '1',\n", - " 'orgc_id': '1',\n", - " 'published': False,\n", - " 'threat_level_id': '1',\n", - " 'timestamp': '1705581786',\n", - " 'uuid': 'de96c637-2282-4fc0-9c4e-ca7db60bace1'}},\n", - " {'Event': {'Org': {'id': '1',\n", - " 'name': 'ORGNAME',\n", - " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", - " 'Orgc': {'id': '1',\n", - " 'name': 'ORGNAME',\n", - " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", - " 'analysis': '0',\n", - " 'date': '2023-09-28',\n", - " 'distribution': '0',\n", - " 'id': '87',\n", - " 'info': 'Event created via the API as '\n", - " 'an example',\n", - " 'org_id': '1',\n", - 
" 'orgc_id': '1',\n", - " 'published': True,\n", - " 'threat_level_id': '1',\n", - " 'timestamp': '1695907402',\n", - " 'uuid': 'a1348888-5a3e-4e18-acd5-b5015c9621ed'}}],\n", - " 'ShadowAttribute': [],\n", - " 'Tag': [{'colour': '#FF2B2B',\n", - " 'exportable': True,\n", - " 'hide_tag': False,\n", - " 'id': '16',\n", - " 'is_custom_galaxy': False,\n", - " 'is_galaxy': False,\n", - " 'local': 0,\n", - " 'local_only': False,\n", - " 'name': 'tlp:red',\n", - " 'numerical_value': None,\n", - " 'relationship_type': None,\n", - " 'user_id': '0'},\n", - " {'colour': '#33FF00',\n", - " 'exportable': True,\n", - " 'hide_tag': False,\n", - " 'id': '79',\n", - " 'is_custom_galaxy': False,\n", - " 'is_galaxy': False,\n", - " 'local': 0,\n", - " 'local_only': False,\n", - " 'name': 'tlp:green',\n", - " 'numerical_value': None,\n", - " 'relationship_type': None,\n", - " 'user_id': '0'}],\n", - " 'analysis': '0',\n", - " 'attribute_count': '3',\n", - " 'date': '2024-01-18',\n", - " 'disable_correlation': False,\n", - " 'distribution': '0',\n", - " 'event_creator_email': 'admin@admin.test',\n", - " 'extends_uuid': '',\n", - " 'id': '126',\n", - " 'info': 'Event created via the API as an example',\n", - " 'locked': False,\n", + "{'Event': {'Org': {'id': '1', 'name': 'ORGNAME'},\n", + " 'Orgc': {'id': '1', 'name': 'ORGNAME'},\n", + " 'date': '2023-12-11',\n", + " 'id': '119',\n", + " 'info': 'testtest',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", - " 'proposal_email_lock': False,\n", - " 'protected': None,\n", - " 'publish_timestamp': '0',\n", - " 'published': False,\n", - " 'sharing_group_id': '0',\n", - " 'threat_level_id': '1',\n", - " 'timestamp': '1705582663',\n", - " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'}}\n" + " 'user_id': '6'},\n", + " 'EventReport': {'content': 'Body',\n", + " 'deleted': False,\n", + " 'distribution': '5',\n", + " 'event_id': '119',\n", + " 'id': '52',\n", + " 'name': 'Report from API',\n", + " 'sharing_group_id': '0',\n", + " 'timestamp': 
'1712818726',\n", + " 'uuid': '9b6a2be2-127a-4c61-875b-a9eeba3b1139'},\n", + " 'SharingGroup': {'id': None, 'name': None, 'uuid': None}}\n" ] } ], "source": [ "# Edition 2 - tagging 2\n", "endpoint = '/events/edit/'\n", - "relative_path = '126'\n", + "relative_path = str(event_id)\n", "\n", "body = {\n", " \"distribution\": 0,\n", 
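Review bot: The saved output under the `# Edition 2 - tagging 2` cell does not match its source: the cell calls `/events/edit/` with `str(event_id)`, but the stored stdout is an `EventReport` response (`'name': 'Report from API'`, `'content': 'Body'`) for event 119, which is what the `/eventReports/add/` body added later in this commit would return. It looks as if the output was captured from a different cell state, so a reader following the training sees a tagging call answered with a report. Re-run this cell against the event it edits, or clear the outputs before committing. `event_id` is assigned outside this hunk, so whether it is set before this cell runs cannot be confirmed from here, and the cell's source continues past the end of the hunk.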
@@ -889,6 +741,272 @@ "print_result(res)" ] }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Event reports" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "endpoint = '/eventReports/add/'\n", + "relative_path = str(event_id)\n", + "\n", + "body = {\n", + " \"name\": \"Report from API\",\n", + " \"distribution\": 5,\n", + " \"sharing_group_id\": 0,\n", + " \"content\": \"Body\"\n", + "}\n", + "\n", + "res = misp.direct_call(endpoint + relative_path, body)\n", + "event_report_id = res['EventReport']['id']\n", + "\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Download HTML, convert it into markdown then save it as Event Report.\n", + "endpoint = '/eventReports/importReportFromUrl/'\n", + "relative_path = str(event_id)\n", + "\n", + "body = {\n", + " \"url\": \"https://domain.example/blogpost/123.pdf\"\n", + "}\n", + "\n", + "res = misp.direct_call(endpoint + relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": 20, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "{'report': {'Event': {'Org': {'id': '1', 'name': 'ORGNAME'},\n", + " 'Orgc': {'id': '1', 'name': 'ORGNAME'},\n", + " 'date': '2023-12-11',\n", + " 'id': '119',\n", + " 'info': 'testtest',\n", + " 'org_id': '1',\n", + " 'orgc_id': '1',\n", + " 'user_id': '6'},\n", + " 'EventReport': {'content': 'Body @[tag](tlp:red) '\n", + " '@[attribute](bffa5ba8-7040-4f38-979f-7386f5a3a251)',\n", + " 'deleted': False,\n", + " 'distribution': '5',\n", + " 'event_id': '119',\n", + " 'id': '50',\n", + " 'name': 'Report from API',\n", + " 'sharing_group_id': '0',\n", + " 'timestamp': '1712821134',\n", + " 'uuid': '972d3aeb-a60e-4bab-9db9-a76ef0551188'},\n", + " 'SharingGroup': {'id': None, 'name': None, 'uuid': None}}}\n" + ] + } + ], + "source": 
[ + " # Extract all entities, tag Event with tag found\n", + "endpoint = '/eventReports/extractAllFromReport/'\n", + "relative_path = str(50)\n", + "\n", + "body = {\n", + " \"tag_event\": 1\n", + "}\n", + "\n", + "res = misp.direct_call(endpoint + relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Analyst Data" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Analyst Note" + ] + }, + { + "cell_type": "code", + "execution_count": 22, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "{'Note': {'Org': {'contacts': '',\n", + " 'created_by': '0',\n", + " 'date_created': '2021-09-30 13:28:31',\n", + " 'date_modified': '2023-09-07 07:40:54',\n", + " 'description': 'Automatically generated admin organisation',\n", + " 'id': '1',\n", + " 'landingpage': None,\n", + " 'local': True,\n", + " 'name': 'ORGNAME',\n", + " 'nationality': 'Belgium',\n", + " 'restricted_to_domain': [],\n", + " 'sector': '',\n", + " 'type': 'ADMIN',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'Orgc': {'contacts': '',\n", + " 'created_by': '0',\n", + " 'date_created': '2021-09-30 13:28:31',\n", + " 'date_modified': '2023-09-07 07:40:54',\n", + " 'description': 'Automatically generated admin organisation',\n", + " 'id': '1',\n", + " 'landingpage': None,\n", + " 'local': True,\n", + " 'name': 'ORGNAME',\n", + " 'nationality': 'Belgium',\n", + " 'restricted_to_domain': [],\n", + " 'sector': '',\n", + " 'type': 'ADMIN',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " '_canEdit': True,\n", + " 'authors': 'john.doe@admin.test',\n", + " 'created': '2024-04-11 07:54:06',\n", + " 'distribution': '1',\n", + " 'id': '80',\n", + " 'language': 'fr-BE',\n", + " 'locked': False,\n", + " 'modified': '2024-04-11 07:54:06',\n", + " 'note': 'Ceci est une note',\n", + " 'note_type': 0,\n", + " 'note_type_name': 'Note',\n", + " 
'object_type': 'Event50',\n", + " 'object_uuid': '03cbbd87-9081-4ea9-94e2-431939fa85dc',\n", + " 'org_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n", + " 'orgc_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n", + " 'sharing_group_id': None,\n", + " 'uuid': 'b6362eab-b232-4d7b-867f-52c6971a743b'}}\n" + ] + } + ], + "source": [ + "analystType = 'Note'\n", + "objectUUID = '03cbbd87-9081-4ea9-94e2-431939fa85dc'\n", + "# objectType[Enum]: \"Attribute\" \"Event\" \"EventReport\" \"GalaxyCluster\" \"Galaxy\"\n", + "# \"Object\" \"Note\" \"Opinion\" \"Relationship\" \"Organisation\" \"SharingGroup\"\n", + "objectType = 'Event'\n", + "endpoint = f'/analystData/add/{analystType}/{objectUUID}/{objectType}'\n", + "\n", + "body = {\n", + " \"note\": \"Ceci est une note\",\n", + " \"language\": \"fr-BE\",\n", + " \"authors\": \"john.doe@admin.test\",\n", + " \"distribution\": 1\n", + "}\n", + "\n", + "res = misp.direct_call(endpoint + relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Analyst Opinion" + ] + }, + { + "cell_type": "code", + "execution_count": 23, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "{'Opinion': {'Org': {'contacts': '',\n", + " 'created_by': '0',\n", + " 'date_created': '2021-09-30 13:28:31',\n", + " 'date_modified': '2023-09-07 07:40:54',\n", + " 'description': 'Automatically generated admin '\n", + " 'organisation',\n", + " 'id': '1',\n", + " 'landingpage': None,\n", + " 'local': True,\n", + " 'name': 'ORGNAME',\n", + " 'nationality': 'Belgium',\n", + " 'restricted_to_domain': [],\n", + " 'sector': '',\n", + " 'type': 'ADMIN',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'Orgc': {'contacts': '',\n", + " 'created_by': '0',\n", + " 'date_created': '2021-09-30 13:28:31',\n", + " 'date_modified': '2023-09-07 07:40:54',\n", + " 'description': 'Automatically generated admin '\n", + " 'organisation',\n", + " 'id': 
'1',\n", + " 'landingpage': None,\n", + " 'local': True,\n", + " 'name': 'ORGNAME',\n", + " 'nationality': 'Belgium',\n", + " 'restricted_to_domain': [],\n", + " 'sector': '',\n", + " 'type': 'ADMIN',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " '_canEdit': True,\n", + " 'authors': 'john.doe@admin.test',\n", + " 'comment': 'This is an opinion',\n", + " 'created': '2024-04-11 07:54:12',\n", + " 'distribution': '1',\n", + " 'id': '64',\n", + " 'locked': False,\n", + " 'modified': '2024-04-11 07:54:12',\n", + " 'note_type': 1,\n", + " 'note_type_name': 'Opinion',\n", + " 'object_type': 'Event50',\n", + " 'object_uuid': '03cbbd87-9081-4ea9-94e2-431939fa85dc',\n", + " 'opinion': '75',\n", + " 'org_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n", + " 'orgc_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n", + " 'sharing_group_id': None,\n", + " 'uuid': 'eea00f1d-71aa-4763-9489-bd137cae2a57'}}\n" + ] + } + ], + "source": [ + "analystType = 'Opinion'\n", + "objectUUID = '03cbbd87-9081-4ea9-94e2-431939fa85dc'\n", + "# objectType[Enum]: \"Attribute\" \"Event\" \"EventReport\" \"GalaxyCluster\" \"Galaxy\"\n", + "# \"Object\" \"Note\" \"Opinion\" \"Relationship\" \"Organisation\" \"SharingGroup\"\n", + "objectType = 'Event'\n", + "endpoint = f'/analystData/add/{analystType}/{objectUUID}/{objectType}'\n", + "\n", + "body = {\n", + " \"opinion\": 75,\n", + " \"comment\": \"This is an opinion\",\n", + " \"authors\": \"john.doe@admin.test\",\n", + " \"distribution\": 1\n", + "}\n", + "\n", + "res = misp.direct_call(endpoint + relative_path, body)\n", + "print_result(res)" + ] + }, { "cell_type": "markdown", "metadata": {},
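Review bot: Both Analyst Data cells end with `res = misp.direct_call(endpoint + relative_path, body)`, but `endpoint` is already the complete f-string path, so the `relative_path` left over from the previous cell (`str(50)`) is appended to `objectType`; the committed outputs show the result as `'object_type': 'Event50'`. The object type determines what the note or opinion is attached to, and the leftover value depends on which cells ran earlier, so both calls should be `res = misp.direct_call(endpoint, body)`. In the `extractAllFromReport` cell, `relative_path = str(50)` hard-codes a report id from the author's instance although the add cell stores `event_report_id`; `relative_path = str(event_report_id)` keeps the walkthrough self-contained. The `importReportFromUrl` cell would benefit from a comment such as `# The URL is fetched on the server side; submit only sources you trust`, and its existing comment says HTML while the sample URL ends in `.pdf`.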