diff --git a/a.7-rest-API/Training - Using the API in MISP.ipynb b/a.7-rest-API/Training - Using the API in MISP.ipynb new file mode 100644 index 0000000..a074057 --- /dev/null +++ b/a.7-rest-API/Training - Using the API in MISP.ipynb @@ -0,0 +1,1039 @@ +{ + "cells": [ + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Notebook trainer cheatsheet: API and CLI" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "- Automation page\n", + "- Recovering the API KEY (Automation page, User page, RestClient)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Important notice\n", + "This notebook various usage of the MISP restAPI.\n", + "It should be noted that PyMISP is not required to use the MISP restAPI. We are ising PyMISP only to parse the response and inspect the data.\n", + "\n", + "This command:\n", + "```\n", + "misp_url = URL + '/events/add'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"info\": \"Event\"\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)\n", + "```\n", + "\n", + "Will yield the same result as this command:\n", + "```\n", + "!curl \\\n", + " -d '{\"info\": \"Event\"}' \\\n", + " -H \"Authorization: ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\" \\\n", + " -H \"Accept: application/json\" \\\n", + " -H \"Content-type: application/json\" \\\n", + " -X POST 127.0.0.1:8080/events/restSearch\n", + " ```" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "from pymisp import ExpandedPyMISP\n", + "from pprint import pprint\n", + "AUTHKEY = \"ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\"\n", + "URL = \"http://127.0.0.1:8080\"\n", + "\n", + "def print_result(result):\n", + " flag_printed = False\n", + " if isinstance(result, list):\n", + " print(\"Count: %s\" % len(result))\n", + " flag_printed = True\n", + " for i in res:\n", + " if 'Event' in i and 'Attribute' in i['Event']:\n", + " print(\" - Attribute count: %s\" % len(i['Event']['Attribute']))\n", + " elif isinstance(result, dict):\n", + " if 'Attribute' in result:\n", + " print(\"Count: %s\" % len(result['Attribute']))\n", + " flag_printed = True\n", + " elif 'Event' in result and 'Attribute' in result['Event']['Attribute']:\n", + " print(\"Attribute count: %s\" % len(result['Event']['Attribute']))\n", + " flag_printed = True\n", + " if flag_printed:\n", + " print('----------')\n", + " pprint(result)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Events" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Creation and Edition" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Creation\n", + "misp_url = URL + '/events/add'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"info\": \"Event created via the API for Telindus training\",\n", + " \"threat_level_id\": 1,\n", + " \"distribution\": 0\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Edition 1\n", + "misp_url = URL + '/events/edit/'\n", + "relative_path = '33'\n", + "\n", + "body = {\n", + " \"distribution\": 4,\n", + " \"sharing_group_id\": 1\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body) \n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Edition 2 - Adding Attribute\n", + "misp_url = URL + '/events/edit/'\n", + "relative_path = '29'\n", + "\n", + "body = {\n", + " \"distribution\": 0,\n", + " \"Attribute\": [\n", + " {\n", + " \"value\": \"9.9.9.9\",\n", + " \"type\": \"ip-src\"\n", + " }\n", + " ]\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Edition 2 - tagging - The bad way (Fetch the whole event and re-process everything)\n", + "misp_url = URL + '/events/edit/'\n", + "relative_path = '29'\n", + "\n", + "body = {\n", + " \"distribution\": 0,\n", + " \"EventTag\": {\n", + " \"Tag\": [\n", + " {\"name\":\"tlp:red\"}\n", + " ]\n", + " }\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Edition 2 - tagging - The better way\n", + "misp_url = URL + '/tags/attachTagToObject'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"uuid\": \"5cf65823-d22c-45ae-af4f-47d80a00020f\", # can be anything: event or attribute\n", + " \"tag\": \"tlp:green\"\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searching the Event index (Move it to the search topic)\n", + "misp_url = URL + '/events/index'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"eventinfo\": \"api\",\n", + " \"publish_timestamp\": \"10d\",\n", + " \"org\": \"ORGNAME\"\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searching the Event index\n", + "misp_url = URL + '/events/index'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"hasproposal\": 1,\n", + " \"tag\": [\"tlp:amber\"]\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "\n", + "print('Event number: %s' % len(res))\n", + "print_result(res)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Attributes" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Creation and edition" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "event_id = 33" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Adding\n", + "misp_url = URL + '/attributes/add/'\n", + "relative_path = str(event_id)\n", + "\n", + "body = {\n", + " \"value\": \"8.8.8.9\",\n", + " \"type\": \"ip-dst\"\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Adding invalid attribute type\n", + "misp_url = URL + '/attributes/add/'\n", + "relative_path = str(event_id)\n", + "\n", + "body = {\n", + " \"value\": \"8.8.8.9\",\n", + " \"type\": \"md5\"\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Editing\n", + "misp_url = URL + '/attributes/edit/'\n", + "relative_path = '36586'\n", + "\n", + "body = {\n", + " \"value\": \"127.0.0.1\",\n", + " \"to_ids\": 0,\n", + " \"comment\": \"Comment added via the API\",\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Editing with data taken from JSON views. \n", + "# (timestamp) contrast the difference with *PyMISP*\n", + "misp_url = URL + '/attributes/edit/'\n", + "relative_path = '36586'\n", + "\n", + "body = {\n", + " \"id\": \"36586\",\n", + " \"type\": \"ip-dst\",\n", + " \"category\": \"Network activity\",\n", + " \"to_ids\": False,\n", + " \"uuid\": \"5cf65823-d22c-45ae-af4f-47d80a00020f\",\n", + " \"event_id\": \"33\",\n", + " \"distribution\": \"5\",\n", + " \"comment\": \"Comment added via the API\",\n", + " \"sharing_group_id\": \"0\",\n", + " \"deleted\": False,\n", + " \"disable_correlation\": False,\n", + " \"object_id\": \"0\",\n", + " \"object_relation\": '',\n", + " \"value\": \"1.2.3.5\",\n", + " \"Galaxy\": [],\n", + " \"ShadowAttribute\": [],\n", + " \"Tag\": [\n", + " {\n", + " \"id\": \"4\",\n", + " \"name\": \"tlp:green\",\n", + " \"colour\": \"#14ff00\",\n", + " \"exportable\": True,\n", + " \"user_id\": \"0\",\n", + " \"hide_tag\": False,\n", + " \"numerical_value\": ''\n", + " }\n", + " ]\n", + " }\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Objects" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Example of an un-documented endpoint\n", + "misp_url = URL + '/objects/add/'\n", + "relative_path = str(event_id)\n", + "\n", + "body = {\n", + " \"name\": \"microblog\",\n", + " \"meta-category\": \"misc\",\n", + " \"description\": \"Microblog post like a Twitter tweet or a post on a Facebook wall.\",\n", + " \"template_uuid\": \"8ec8c911-ddbe-4f5b-895b-fbff70c42a60\",\n", + " \"template_version\": \"5\",\n", + " \"event_id\": event_id,\n", + " \"timestamp\": \"1558702173\",\n", + " \"distribution\": \"5\",\n", + " \"sharing_group_id\": \"0\",\n", + " \"comment\": \"\",\n", + " \"deleted\": False,\n", + " \"ObjectReference\": [],\n", + " \"Attribute\": [\n", + " {\n", + " \"type\": \"text\",\n", + " \"category\": \"Other\",\n", + " \"to_ids\": False,\n", + " \"event_id\": event_id,\n", + " \"distribution\": \"5\",\n", + " \"timestamp\": \"1558702173\",\n", + " \"comment\": \"\",\n", + " \"sharing_group_id\": \"0\",\n", + " \"deleted\": False,\n", + " \"disable_correlation\": False,\n", + " \"object_relation\": \"post\",\n", + " \"value\": \"post\",\n", + " \"Galaxy\": [],\n", + " \"ShadowAttribute\": []\n", + " }\n", + " ]\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Go to event Edit 2\n", + "# Go to add tag the bad way" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## RestSearch\n", + "**Aka: Most powerfull search tool in MISP**" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "### RestSearch - Attributes" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "misp_url = URL + '/attributes/restSearch/'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"returnFormat\": \"json\",\n", + " \"eventid\": event_id\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searches on Attribute's data\n", + "misp_url = URL + '/attributes/restSearch/'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"returnFormat\": \"json\",\n", + " \"eventid\": event_id,\n", + " \"type\": \"ip-dst\",\n", + " \"value\": \"1.2.3.%\"\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searches on Attribute's data\n", + "misp_url = URL + '/attributes/restSearch/'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"returnFormat\": \"json\",\n", + " \"eventid\": event_id,\n", + " \"deleted\": [0, 1] # Consider both deleted AND not deleted\n", + "}\n", + "\n", + "# [] == {\"OR\": []}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searches on Attribute's data\n", + "misp_url = URL + '/attributes/restSearch/'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"returnFormat\": \"json\",\n", + " \"eventid\": event_id,\n", + "# \"tags\": \"tlp:white\",\n", + "# \"tags\": [\"tlp:white\", \"tlp:green\"]\n", + "# \"tags\": [\"!tlp:green\"]\n", + "# \"tags\": \"tlp:%\",\n", + "# \"includeEventTags\": 1\n", + "# BRAND NEW (only tag)! Prefered way (Most accurate): Distinction between OR and AND!\n", + " \"tags\": {\"AND\": [\"tlp:green\", \"Malware\"], \"NOT\": [\"%ransomware%\"]}\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Paginating\n", + "misp_url = URL + '/attributes/restSearch/'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"returnFormat\": \"json\",\n", + " \"eventid\": event_id,\n", + " \"page\": 2,\n", + " \"limit\": 1\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searches based on time: Absolute\n", + "misp_url = URL + '/attributes/restSearch/'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"returnFormat\": \"json\",\n", + " \"eventid\": event_id,\n", + " \"from\": \"2019/05/21\" # or \"2019-05-21\"\n", + " # from and to NOT REALLY USEFULL.. \n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searches based on time: Relative\n", + "misp_url = URL + '/attributes/restSearch/'\n", + "relative_path = ''\n", + "\n", + "# /!\\ Last: works on the publish_timestamp -> may be confusing\n", + "# Units: days, hours, minutes and secondes\n", + "body = {\n", + " \"returnFormat\": \"json\",\n", + " \"eventid\": event_id,\n", + " \"to_ids\": 1,\n", + " \"last\": \"10d\"\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Precision regarding the different timestamps\n", + "- ``publish_timestamp`` = Time at which the event was published\n", + " - Usage: get data that arrived in my system since x\n", + " - E.g.: New data from a feed\n", + "- ``timestamp`` = Time of the last modification on the data\n", + " - data was modified in the last x hours\n", + " - E.g.: Last updated data from a feed\n", + "- ``event_timestamp``: Used in the Attribute scope\n", + " - Event modified in the last x hours" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searches with attachments\n", + "misp_url = URL + '/attributes/restSearch/'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"returnFormat\": \"json\",\n", + " \"eventid\": event_id,\n", + " \"type\": \"attachment\",\n", + "# \"withAttachments\": 1\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searches - Others\n", + "misp_url = URL + '/attributes/restSearch/'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"returnFormat\": \"json\",\n", + " \"eventid\": 31,\n", + " \"type\": \"ip-src\",\n", + "# \"enforceWarninglist\": 1\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "### RestSearch - Events" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searching using the RestSearch\n", + "misp_url = URL + '/events/restSearch'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"returnFormat\": \"json\",\n", + " \"eventid\": 31,\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searching using the RestSearch - Other return format\n", + "!curl \\\n", + " -d '{\"returnFormat\":\"rpz\",\"eventid\":31}' \\\n", + " -H \"Authorization: ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\" \\\n", + " -H \"Accept: application/json\" \\\n", + " -H \"Content-type: application/json\" \\\n", + " -X POST 127.0.0.1:8080/events/restSearch 2> /dev/null" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searching using the RestSearch - Other return format\n", + "!curl \\\n", + " -d '{\"returnFormat\":\"csv\",\"eventid\":31}' \\\n", + " -H \"Authorization: ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\" \\\n", + " -H \"Accept: application/json\" \\\n", + " -H \"Content-type: application/json\" \\\n", + " -X POST 127.0.0.1:8080/events/restSearch 2> /dev/null" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searching using the RestSearch - Filtering\n", + "misp_url = URL + '/events/restSearch'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"returnFormat\": \"json\",\n", + " \"value\": \"parsed-ail.json\"\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searching using the RestSearch\n", + "misp_url = URL + '/events/restSearch'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"returnFormat\": \"json\",\n", + " \"org\": \"CIRCL\",\n", + " \"id\": 33,\n", + " \"metadata\": 1\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searching using the RestSearch\n", + "misp_url = URL + '/events/restSearch'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"returnFormat\": \"json\",\n", + " \"eventinfo\": \"%via the API%\",\n", + " \"published\": 1\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Sightings" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Creating sightings\n", + "misp_url = URL + '/sightings/add'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + "# \"id\": \"36578\"\n", + " \"value\": \"parsed-ail.json\"\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Searching for sighted elements\n", + "misp_url = URL + '/sightings/restSearch/event'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"returnFormat\": \"json\",\n", + " \"id\": 33,\n", + " \"includeAttribute\": 1,\n", + " \"includeEvent\": 1\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Warning lists" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Checking values against the warining list\n", + "misp_url = URL + '/warninglists/checkValue'\n", + "relative_path = ''\n", + "\n", + "body = [\"8.8.8.8\", \"yolo\", \"test\"]\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Instance management" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Creating Organisation\n", + "misp_url = URL + '/admin/organisations/add'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"name\": \"TEMP_ORG2\"\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Creating Users\n", + "misp_url = URL + '/admin/users/add'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"email\": \"from_api2@admin.test\",\n", + " \"org_id\": 1009,\n", + " \"role_id\": 3,\n", + " \"termsaccepted\": 1,\n", + " \"change_pw\": 0, # User prompted to change the psswd once logged in\n", + " \"password\": \"~~UlTrA_SeCuRe_PaSsWoRd~~\"\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Creating Sharing Groups\n", + "misp_url = URL + '/sharing_groups/add'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"name\": \"TEMP_SG2\",\n", + " \"releasability\": \"To nobody\",\n", + " \"SharingGroupOrg\": [\n", + " {\n", + " \"name\": \"ORGNAME\",\n", + " \"extend\": 1\n", + " },\n", + " {\n", + " \"name\": \"CIRCL\",\n", + " \"extend\": 1\n", + " }\n", + " ]\n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": { + "scrolled": true + }, + "outputs": [], + "source": [ + "# Server\n", + "misp_url = URL + '/servers/add'\n", + "relative_path = ''\n", + "\n", + "body = {\n", + " \"url\": \"http://127.0.0.1:80/\",\n", + " \"name\": \"Myself\",\n", + " \"remote_org_id\": \"2\",\n", + " \"authkey\": \"UHwmZCH4QdSKqPVunxTzfSes8n7ibBhUlsd0dmx9\"\n", + " \n", + "}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Server settings\n", + "misp_url = URL + '/servers/serverSettings'\n", + "relative_path = ''\n", + "\n", + "body = {}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Statistics\n", + "misp_url = URL + '/users/statistics'\n", + "relative_path = ''\n", + "\n", + "body = {}\n", + "\n", + "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", + "res = misp.direct_call(relative_path, body)\n", + "print_result(res)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "Not Available:\n", + "- misp-module" + ] + } + ], + "metadata": { + "kernelspec": { + "display_name": "Python 3", + "language": "python", + "name": "python3" + }, + "language_info": { + "codemirror_mode": { + "name": "ipython", + "version": 3 + }, + "file_extension": ".py", + "mimetype": "text/x-python", + "name": "python", + "nbconvert_exporter": "python", + "pygments_lexer": "ipython3", + "version": "3.6.7" + } + }, + "nbformat": 4, + "nbformat_minor": 2 +}