# Notebook trainer cheatsheet: API and CLI

- Automation page
- Recovering the API KEY (Automation page, User page, RestClient)

## Important notice

This notebook demonstrates various usages of the MISP REST API.

It should be noted that PyMISP is not required to use the MISP REST API. We are using PyMISP only to parse the response and inspect the data, so any HTTP client such as curl could do the job, as described below.

This command:
```
# The client is pointed at the endpoint itself, so the relative path handed
# to direct_call() stays empty.
misp_url = URL + '/events/add'
relative_path = ''

# JSON body of the request.
body = {
    "info": "Event"
}

# The third argument (False) is PyMISP's `ssl` parameter: certificate
# verification is switched off for this connection.
misp = ExpandedPyMISP(misp_url, AUTHKEY, False)
res = misp.direct_call(relative_path, body)
print_result(res)
```

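Will yield the same result as this curl command, provided the URL path is the same endpoint (`/events/add`; the example below posts to `/events/restSearch`) and the `Authorization` header carries your own API key: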
```
!curl \
 -d '{"info": "Event"}' \
 -H "Authorization: ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL" \
 -H "Accept: application/json" \
 -H "Content-type: application/json" \
 -X POST 127.0.0.1:8080/events/restSearch
 ```

In [2]:
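import os
from pprint import pprint

import urllib3
from pymisp import ExpandedPyMISP

# API key: taken from the environment when available, so the real key does not
# have to be typed into (and saved with) the notebook. "MISP_AUTHKEY" is a name
# chosen for this notebook; the placeholder below remains the fallback.
AUTHKEY = os.environ.get("MISP_AUTHKEY", "YOURAPIKEY")
URL = "https://training.misp-community.org/"

# The third argument of ExpandedPyMISP is `ssl`. True verifies the server
# certificate, which protects the API key sent with every request. Set it to
# False (or to a CA bundle path) only for a lab instance with a self-signed
# certificate.
VERIFY_TLS = True
if not VERIFY_TLS:
    # Silence urllib3's InsecureRequestWarning only when verification was
    # switched off on purpose; otherwise the warning is worth seeing.
    urllib3.disable_warnings()

misp = ExpandedPyMISP(URL, AUTHKEY, VERIFY_TLS)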

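def print_result(result):
    """Print a short count summary for a MISP API response, then pretty-print it.

    Args:
        result: The value returned by ``misp.direct_call``. Handled shapes:
            a list of event dicts, a dict with an ``'Attribute'`` key, or a
            dict with an ``'Event'`` key holding an ``'Attribute'`` list.
            Anything else (for example an error dict) is only pretty-printed.

    Returns:
        None. The summary and the response are written to stdout.
    """
    flag_printed = False
    if isinstance(result, list):
        print("Count: %s" % len(result))
        flag_printed = True
        # Loop over the argument itself. The earlier version iterated over the
        # notebook-level variable `res`, which is a different object whenever
        # the function is called with anything other than that global.
        for i in result:
            if isinstance(i, dict) and 'Event' in i and 'Attribute' in i['Event']:
                print("  - Attribute count: %s" % len(i['Event']['Attribute']))
    elif isinstance(result, dict):
        if 'Attribute' in result:
            attributes = result['Attribute']
            # A single attribute comes back as a dict of its fields; counting
            # that dict would report the number of fields, not of attributes.
            count = len(attributes) if isinstance(attributes, list) else 1
            print("Count: %s" % count)
            flag_printed = True
        elif 'Event' in result and 'Attribute' in result['Event']:
            print("Attribute count: %s" % len(result['Event']['Attribute']))
            flag_printed = True
    if flag_printed:
        print('----------')
    pprint(result)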



# Events

## Creation and Edition

In [5]:
# Creation: POST the event fields to /events/add.
endpoint, relative_path = '/events/add', ''

# threat_level_id 1 is MISP's "High" level; distribution 0 keeps the new event
# visible to the creating organisation only.
body = dict(
    info="Event created via the API as an example",
    threat_level_id=1,
    distribution=0,
)

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

Attribute count: 0
----------
{'Event': {'Attribute': [],
           'CryptographicKey': [],
           'EventReport': [],
           'Galaxy': [],
           'Object': [],
           'Org': {'id': '15',
                   'local': True,
                   'name': 'CIRCL',
                   'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'Orgc': {'id': '15',
                    'local': True,
                    'name': 'CIRCL',
                    'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'RelatedEvent': [],
           'ShadowAttribute': [],
           'analysis': '0',
           'attribute_count': '0',
           'date': '2024-04-15',
           'disable_correlation': False,
           'distribution': '0',
           'event_creator_email': 'alexandre.dulaunoy@circl.lu',
           'extends_uuid': '',
           'id': '64',
           'info': 'Event created via the API as an example',
           'locked': False,
           'org_id': '15',
           'org

In [7]:
# Edition 1: change the distribution of an existing event.
# The event id is appended to the endpoint: /events/edit/[event_id]
endpoint, relative_path = '/events/edit/', '64'

# Distribution levels: 0 = your organisation only, 1 = this community only,
# 2 = connected communities, 3 = all communities, 4 = sharing group.
# Level 3 is the widest setting, so review the event content before raising it.
body = dict(
    distribution=3,
    # sharing_group_id=1,
)

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

Attribute count: 0
----------
{'Event': {'Attribute': [],
           'CryptographicKey': [],
           'EventReport': [],
           'Galaxy': [],
           'Object': [],
           'Org': {'id': '15',
                   'local': True,
                   'name': 'CIRCL',
                   'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'Orgc': {'id': '15',
                    'local': True,
                    'name': 'CIRCL',
                    'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'RelatedEvent': [],
           'ShadowAttribute': [],
           'analysis': '0',
           'attribute_count': '0',
           'date': '2024-04-15',
           'disable_correlation': False,
           'distribution': '3',
           'event_creator_email': 'alexandre.dulaunoy@circl.lu',
           'extends_uuid': '',
           'id': '64',
           'info': 'Event created via the API as an example',
           'locked': False,
           'org_id': '15',
           'org

In [4]:
# Edition 2 - Adding Attribute: entries listed under "Attribute" in the edit
# body are added to the event.
# NOTE(review): event id 126 is hard-coded and the recorded run answered with
# 404 "Invalid event" - confirm the id exists on the instance being used.
endpoint, relative_path = '/events/edit/', '126'

body = dict(
    distribution=0,
    Attribute=[
        dict(value="9.9.9.9", type="ip-src"),
    ],
)

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

Something went wrong (404): {'name': 'Invalid event', 'message': 'Invalid event', 'url': '/events/edit/126'}


{'errors': (404,
            {'message': 'Invalid event',
             'name': 'Invalid event',
             'url': '/events/edit/126'})}


In [47]:
# Edition 2 - tagging 1: attach a tag to whatever the UUID designates.
endpoint, relative_path = '/tags/attachTagToObject', ''

# "uuid" can be anything: event or attribute.
# The tag marks the data as tlp:red; the distribution field of the event or
# attribute is a separate setting and is not changed by this call.
body = dict(
    uuid="b3cc1ea2-892f-48e1-a6dc-20279818a724",
    tag="tlp:red",
)

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

{'message': 'Global tag tlp:red123(400) successfully attached to Event(126).',
 'name': 'Global tag tlp:red123(400) successfully attached to Event(126).',
 'saved': True,
 'success': True,
 'url': '/tags/attachTagToObject'}


# Attributes

## Creation and edition

In [8]:
# Id of the event the following cells work on (64 is the id returned by the
# event creation call in the recorded run).
event_id = 64

In [9]:
# Adding an attribute to an event: /attributes/add/[event_id]
endpoint, relative_path = '/attributes/add/', f'{event_id}'

# Only value and type are sent. In the recorded response the server filled in
# to_ids=True for this ip-dst, i.e. the value is flagged for detection exports;
# pass "to_ids" explicitly when a value is not meant to be used that way.
body = dict(value="8.8.8.9", type="ip-dst")

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

Count: 19
----------
{'Attribute': {'category': 'Network activity',
               'comment': '',
               'deleted': False,
               'disable_correlation': False,
               'distribution': '5',
               'event_id': '64',
               'first_seen': None,
               'id': '3362',
               'last_seen': None,
               'object_id': '0',
               'object_relation': None,
               'sharing_group_id': '0',
               'timestamp': '1713153845',
               'to_ids': True,
               'type': 'ip-dst',
               'uuid': '501fd194-8b98-40d9-91e6-1c3d56d9c36a',
               'value': '8.8.8.9',
               'value1': '8.8.8.9',
               'value2': ''},
 'AttributeTag': []}


In [21]:
# Adding invalid attribute type: the value is an IP address but the declared
# type is md5, so the server-side validation rejects the attribute (403 with a
# per-field error message in the recorded run).
endpoint, relative_path = '/attributes/add/', f'{event_id}'

body = dict(value="8.8.8.9", type="md5")

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

Something went wrong (403): {'saved': False, 'name': 'Could not add Attribute', 'message': 'Could not add Attribute', 'url': '/attributes/add', 'errors': {'value': ['Checksum has an invalid length or format (expected: 32 hexadecimal characters). Please double check the value or select type "other".']}}


{'errors': (403,
            {'errors': {'value': ['Checksum has an invalid length or format '
                                  '(expected: 32 hexadecimal characters). '
                                  'Please double check the value or select '
                                  'type "other".']},
             'message': 'Could not add Attribute',
             'name': 'Could not add Attribute',
             'saved': False,
             'url': '/attributes/add'})}


In [22]:
# Editing an attribute: /attributes/edit/[attribute_id]
endpoint, relative_path = '/attributes/edit/', '3362'

# Only the listed fields are sent. to_ids=0 takes the attribute out of
# detection exports, which is appropriate for a loopback address.
body = dict(
    value="127.0.0.1",
    to_ids=0,
    comment="Comment added via the API",
)

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

Count: 17
----------
{'Attribute': {'category': 'Network activity',
               'comment': 'Comment added via the API',
               'deleted': False,
               'disable_correlation': False,
               'distribution': '5',
               'event_id': '64',
               'first_seen': None,
               'id': '3362',
               'last_seen': None,
               'object_id': '0',
               'object_relation': None,
               'sharing_group_id': '0',
               'timestamp': '1713154698',
               'to_ids': False,
               'type': 'ip-dst',
               'uuid': '501fd194-8b98-40d9-91e6-1c3d56d9c36a',
               'value': '127.0.0.1'}}


In [54]:
# Editing with the full attribute as shown in the JSON views.
# <!> No "timestamp" key is sent in this body; contrast the difference with *PyMISP*.
endpoint, relative_path = '/attributes/edit/', '56143'

body = dict(
    id="56143",
    type="ip-dst",
    category="Network activity",
    to_ids=False,
    uuid="8153fcad-cd37-45d9-a1d1-a509942116f8",
    event_id="126",
    distribution="5",
    comment="Comment added via the API",
    sharing_group_id="0",
    deleted=False,
    disable_correlation=False,
    object_id="0",
    object_relation=None,
    first_seen=None,
    last_seen=None,
    value="127.1.1.1",
    Galaxy=[],
    ShadowAttribute=[],
)

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

Count: 17
----------
{'Attribute': {'category': 'Network activity',
               'comment': 'Comment added via the API',
               'deleted': False,
               'disable_correlation': False,
               'distribution': '5',
               'event_id': '126',
               'first_seen': None,
               'id': '56143',
               'last_seen': None,
               'object_id': '0',
               'object_relation': None,
               'sharing_group_id': '0',
               'timestamp': '1705582332',
               'to_ids': False,
               'type': 'ip-dst',
               'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',
               'value': '127.1.1.1'}}


# Objects

In [23]:
# Add a "microblog" object with a single "post" attribute to the event:
# /objects/add/[event_id]
endpoint, relative_path = '/objects/add/', f'{event_id}'

# The object is described by its template (name, template_uuid,
# template_version) and carries its attributes in the "Attribute" list.
body = {
    "name": "microblog",
    "meta-category": "misc",
    "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
    "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
    "template_version": "5",
    "event_id": event_id,
    "timestamp": "1558702173",
    "distribution": "5",
    "sharing_group_id": "0",
    "comment": "",
    "deleted": False,
    "ObjectReference": [],
    "Attribute": [
        dict(
            type="text",
            category="Other",
            to_ids=False,
            event_id=event_id,
            distribution="5",
            timestamp="1558702173",
            comment="",
            sharing_group_id="0",
            deleted=False,
            disable_correlation=False,
            object_relation="post",
            value="post",
            Galaxy=[],
            ShadowAttribute=[],
        )
    ],
}

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

{'Object': {'Attribute': [{'category': 'Other',
                           'comment': '',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '5',
                           'event_id': '64',
                           'first_seen': None,
                           'id': '3363',
                           'last_seen': None,
                           'object_id': '537',
                           'object_relation': 'post',
                           'sharing_group_id': '0',
                           'timestamp': '1558702173',
                           'to_ids': False,
                           'type': 'text',
                           'uuid': '17bebb02-c294-4444-adc9-85e8fa0039f1',
                           'value': 'post',
                           'value1': 'post',
                           'value2': ''}],
            'comment': '',
            'deleted': False,
            'descriptio

In [24]:
# Edition 2 - tagging 2: tag an event through the edit endpoint by listing the
# tag names under "Tag". The same body also sets distribution 0.
endpoint, relative_path = '/events/edit/', f'{event_id}'

body = dict(
    distribution=0,
    Tag=[
        dict(name="tlp:green"),
    ],
)

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

Attribute count: 1
----------
{'Event': {'Attribute': [{'Galaxy': [],
                          'ShadowAttribute': [],
                          'category': 'Network activity',
                          'comment': 'Comment added via the API',
                          'deleted': False,
                          'disable_correlation': False,
                          'distribution': '5',
                          'event_id': '64',
                          'first_seen': None,
                          'id': '3362',
                          'last_seen': None,
                          'object_id': '0',
                          'object_relation': None,
                          'sharing_group_id': '0',
                          'timestamp': '1713154698',
                          'to_ids': False,
                          'type': 'ip-dst',
                          'uuid': '501fd194-8b98-40d9-91e6-1c3d56d9c36a',
                          'value': '127.0.0.1'}],
           'Cryptographic

# Event reports

In [20]:
# Create an event report on the event: /eventReports/add/[event_id]
endpoint, relative_path = '/eventReports/add/', f'{event_id}'

body = dict(
    name="Report from API",
    distribution=5,
    sharing_group_id=0,
    content="Body",
)

res = misp.direct_call(f'{endpoint}{relative_path}', body)
# Keep the id of the new report for calls that address the report itself.
event_report_id = res['EventReport']['id']

print_result(res)

{'Event': {'Org': {'id': '15', 'name': 'CIRCL'},
           'Orgc': {'id': '15', 'name': 'CIRCL'},
           'date': '2024-04-15',
           'id': '64',
           'info': 'Event created via the API as an example',
           'org_id': '15',
           'orgc_id': '15',
           'user_id': '626'},
 'EventReport': {'content': 'Body',
                 'deleted': False,
                 'distribution': '5',
                 'event_id': '64',
                 'id': '56',
                 'name': 'Report from API',
                 'sharing_group_id': '0',
                 'timestamp': '1713154575',
                 'uuid': '823d4e2e-76f4-43b8-9b3c-c851fa32412d'},
 'SharingGroup': {'id': None, 'name': None, 'uuid': None}}


In [66]:
# Download HTML, convert it into markdown then save it as Event Report.
# Only the URL is sent in the request, so the page is fetched on the MISP
# side and its converted content is stored in the event; use sources you
# trust and review the resulting report.
endpoint, relative_path = '/eventReports/importReportFromUrl/', f'{event_id}'

body = dict(url="https://www.circl.lu/pub/tr-84/")

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

{'Event': {'Org': {'id': '15', 'name': 'CIRCL'},
           'Orgc': {'id': '15', 'name': 'CIRCL'},
           'date': '2024-04-15',
           'id': '64',
           'info': 'Event created via the API as an example',
           'org_id': '15',
           'orgc_id': '15',
           'user_id': '626'},
 'EventReport': {'content': 'html     # TR-84 - PAN-OS (Palo Alto Networks) OS '
                            'Command Injection Vulnerability in GlobalProtect '
                            'Gateway - CVE-2024-3400\n'
                            '\n'
                            '       ### TR-84 - PAN-OS (Palo Alto Networks) OS '
                            'Command Injection Vulnerability in GlobalProtect '
                            'Gateway - CVE-2024-3400\n'
                            '\n'
                            ' â\x86\x91 Back to Publications and '
                            'Presentations\n'
                            '\n'
                            ' \n'
                  

In [68]:
 # Extract all entities, tag Event with tag found
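# The path takes the id of an event *report*, not of an event. With the event
# id (64) the recorded run answered 404 "Invalid report", so the id captured
# when the report was created via /eventReports/add/ is used instead. Put the
# id of the imported report here to extract entities from that one.
endpoint = '/eventReports/extractAllFromReport/'
relative_path = str(event_report_id)

# tag_event=1: also tag the event with the tags found in the report.
body = {
    "tag_event": 1
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)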

Something went wrong (404): {'name': 'Invalid report', 'message': 'Invalid report', 'url': '/eventReports/extractAllFromReport/64'}


{'errors': (404,
            {'message': 'Invalid report',
             'name': 'Invalid report',
             'url': '/eventReports/extractAllFromReport/64'})}


# Analyst Data

## Analyst Note

In [67]:
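# Attach an analyst note to an existing element, addressed by UUID and type.
analystType = 'Note'
# NOTE(review): this UUID is the one returned for attribute 3362 in the
# recorded outputs, while objectType below says 'Event' - confirm the pair.
objectUUID = '501fd194-8b98-40d9-91e6-1c3d56d9c36a'
# objectType[Enum]: "Attribute" "Event" "EventReport" "GalaxyCluster" "Galaxy"
#                   "Object" "Note" "Opinion" "Relationship" "Organisation" "SharingGroup"
objectType = 'Event'
endpoint = f'/analystData/add/{analystType}/{objectUUID}/{objectType}'
# The path is complete as built above. Reset relative_path so that a value left
# over from an earlier cell (for example an event id) is not appended to it.
relative_path = ''

body = {
    "note": "Ceci est une note",
    "language": "fr-BE",
    "authors": "john.doe@admin.test",
    "distribution": 1
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)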

{'Note': {'Org': {'contacts': None,
                  'created_by': '0',
                  'date_created': '2023-09-29 06:47:38',
                  'date_modified': '2023-09-29 06:47:38',
                  'description': 'CIRCL is the CERT (Computer Emergency '
                                 'Response Team/Computer Security Incident '
                                 'Response Team) for the private sector, '
                                 'communes and non-governmental entities in '
                                 'Luxembourg.',
                  'id': '15',
                  'landingpage': None,
                  'local': True,
                  'name': 'CIRCL',
                  'nationality': '',
                  'restricted_to_domain': [],
                  'sector': '',
                  'type': '',
                  'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
          'Orgc': {'contacts': None,
                   'created_by': '0',
                   'date_created': '

## Analyst Opinion

In [69]:
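# Attach an analyst opinion to an existing element, addressed by UUID and type.
analystType = 'Opinion'
objectUUID = '03cbbd87-9081-4ea9-94e2-431939fa85dc'
# objectType[Enum]: "Attribute" "Event" "EventReport" "GalaxyCluster" "Galaxy"
#                   "Object" "Note" "Opinion" "Relationship" "Organisation" "SharingGroup"
objectType = 'Event'
endpoint = f'/analystData/add/{analystType}/{objectUUID}/{objectType}'
# The path is complete as built above. Reset relative_path so that a value left
# over from an earlier cell (for example an event id) is not appended to it.
relative_path = ''

body = {
    "opinion": 75,
    "comment": "This is an opinion",
    "authors": "john.doe@admin.test",
    "distribution": 1
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)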

{'Opinion': {'Org': {'contacts': None,
                     'created_by': '0',
                     'date_created': '2023-09-29 06:47:38',
                     'date_modified': '2023-09-29 06:47:38',
                     'description': 'CIRCL is the CERT (Computer Emergency '
                                    'Response Team/Computer Security Incident '
                                    'Response Team) for the private sector, '
                                    'communes and non-governmental entities in '
                                    'Luxembourg.',
                     'id': '15',
                     'landingpage': None,
                     'local': True,
                     'name': 'CIRCL',
                     'nationality': '',
                     'restricted_to_domain': [],
                     'sector': '',
                     'type': '',
                     'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
             'Orgc': {'contacts': None,
                 

# Searches

In [28]:
# Searching the Event index (Move it to the search topic)
# The filters are sent in the request body; the commented entries are
# alternative filters to try.
endpoint, relative_path = '/events/index', ''

body = dict(
    eventinfo="Event created via the API as an example",
    # publish_timestamp="2024-04-15",
    # org="ORGNAME",
)

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

Count: 2
----------
[{'EventTag': [],
  'Org': {'id': '15',
          'name': 'CIRCL',
          'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
  'Orgc': {'id': '15',
           'name': 'CIRCL',
           'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
  'analysis': '0',
  'attribute_count': '0',
  'date': '2024-04-15',
  'disable_correlation': False,
  'distribution': '0',
  'extends_uuid': '',
  'id': '63',
  'info': 'Event created via the API as an example',
  'locked': False,
  'org_id': '15',
  'orgc_id': '15',
  'proposal_email_lock': False,
  'protected': None,
  'publish_timestamp': '0',
  'published': False,
  'sharing_group_id': '0',
  'sighting_timestamp': '0',
  'threat_level_id': '1',
  'timestamp': '1713153707',
  'uuid': 'ab3edd51-58a2-47b3-b465-546364cb0d44'},
 {'EventTag': [{'Tag': {'colour': '#33FF00',
                        'id': '12',
                        'is_galaxy': False,
                        'name': 'tlp:green'},
                'event_id': '64',
    

In [29]:
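# Searching the Event index by tag.
# The path is assigned to `endpoint`, the name the call below reads. It used to
# be stored in `misp_url` only, so the request went to whatever `endpoint` an
# earlier cell had left behind.
endpoint = '/events/index'
misp_url = endpoint  # old name kept for any cell that still reads it
relative_path = ''

body = {
#     "hasproposal": 1,
    "tag": ["tlp:amber"]
}

res = misp.direct_call(endpoint + relative_path, body)

print('Event number: %s' % len(res))
print_result(res)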

Event number: 0
Count: 0
----------
[]


## RestSearch
**Aka: Most powerful search tool in MISP**

### RestSearch - Attributes

In [30]:
# All attributes of one event, returned as JSON.
endpoint, relative_path = '/attributes/restSearch/', ''

body = dict(returnFormat="json", eventid=event_id)

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

Count: 2
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '64',
                          'info': 'Event created via the API as an example',
                          'org_id': '15',
                          'orgc_id': '15',
                          'uuid': '24e1a0bd-a6ad-4ff6-9d4b-5aeb0413a1f9'},
                'category': 'Network activity',
                'comment': 'Comment added via the API',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '64',
                'first_seen': None,
                'id': '3362',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1713154698',
                'to_ids': False,
                'type': 'ip-dst',
                'uuid': '501fd194-8b98-40d9-91e6-1c3d56d9c36a',
            

In [69]:
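# Searches on Attribute's data: restrict the result to one attribute type.
# The path is assigned to `endpoint`, the name the call below reads. It used to
# be stored in `misp_url` only, so the request went to whatever `endpoint` an
# earlier cell had left behind.
endpoint = '/attributes/restSearch/'
misp_url = endpoint  # old name kept for any cell that still reads it
relative_path = ''

body = {
    "returnFormat": "json",
    "eventid": event_id,
    "type": "ip-dst",
#     "value": "127.0.%"
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)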

Count: 1
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '126',
                          'info': 'Event created via the API as an example',
                          'org_id': '1',
                          'orgc_id': '1',
                          'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},
                'Object': {'distribution': '5',
                           'id': '645',
                           'sharing_group_id': '0'},
                'category': 'Other',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '126',
                'first_seen': None,
                'id': '56144',
                'last_seen': None,
                'object_id': '645',
                'object_relation': 'post',
                'sharing_group_id': '0',
                'timestamp': '1558702173',
                'to_ids': False,


In [31]:
# Searches on Attribute's data: include soft-deleted attributes in the result.
endpoint, relative_path = '/attributes/restSearch/', ''

body = dict(
    returnFormat="json",
    eventid=event_id,
    deleted=[0, 1],  # Consider both deleted AND not deleted
)

# A list of values is an OR: [] == {"OR": []}

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

Count: 2
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '64',
                          'info': 'Event created via the API as an example',
                          'org_id': '15',
                          'orgc_id': '15',
                          'uuid': '24e1a0bd-a6ad-4ff6-9d4b-5aeb0413a1f9'},
                'category': 'Network activity',
                'comment': 'Comment added via the API',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '64',
                'first_seen': None,
                'id': '3362',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1713154698',
                'to_ids': False,
                'type': 'ip-dst',
                'uuid': '501fd194-8b98-40d9-91e6-1c3d56d9c36a',
            

In [33]:
# Searches on Attribute's data: tag filters. Enable one of the commented
# "tags" variants at a time.
endpoint, relative_path = '/attributes/restSearch/', ''

body = dict(
    returnFormat="json",
    eventid=event_id,
    # tags="tlp:white",
    # tags=["tlp:white", "tlp:green"],
    # tags=["!tlp:green"],
    # tags="tlp:%",
    # includeEventTags=1,
    # Newer form (tags only) and the preferred, most accurate one, because it
    # distinguishes between OR and AND:
    # tags={"AND": ["tlp:green", "Malware"], "NOT": ["%ransomware%"]},
)

res = misp.direct_call(f'{endpoint}{relative_path}', body)
print_result(res)

Count: 2
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '64',
                          'info': 'Event created via the API as an example',
                          'org_id': '15',
                          'orgc_id': '15',
                          'uuid': '24e1a0bd-a6ad-4ff6-9d4b-5aeb0413a1f9'},
                'category': 'Network activity',
                'comment': 'Comment added via the API',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '64',
                'first_seen': None,
                'id': '3362',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1713154698',
                'to_ids': False,
                'type': 'ip-dst',
                'uuid': '501fd194-8b98-40d9-91e6-1c3d56d9c36a',
            

In [35]:
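# Paginating: "page" and "limit" bound how many results one request returns.
endpoint = '/attributes/restSearch/'
# Defined here as well, so the cell does not depend on the value an earlier
# cell left in relative_path (the assignment used to be commented out).
relative_path = ''

body = {
    "returnFormat": "json",
    "eventid": event_id,
#     "page": 0,
#     "limit": 10000
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)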

Count: 2
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '64',
                          'info': 'Event created via the API as an example',
                          'org_id': '15',
                          'orgc_id': '15',
                          'uuid': '24e1a0bd-a6ad-4ff6-9d4b-5aeb0413a1f9'},
                'category': 'Network activity',
                'comment': 'Comment added via the API',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '64',
                'first_seen': None,
                'id': '3362',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1713154698',
                'to_ids': False,
                'type': 'ip-dst',
                'uuid': '501fd194-8b98-40d9-91e6-1c3d56d9c36a',
            

In [37]:
# Time-based search with an absolute date
endpoint, relative_path = '/attributes/restSearch/', ''
event_id = 64

body = {
    "returnFormat": "json",
    "eventid": event_id,
    # "2019-05-21" is accepted as well
    "from": "2019/05/21"
    # Author's note: "from" and "to" are not really useful
}

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

Count: 2
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '64',
                          'info': 'Event created via the API as an example',
                          'org_id': '15',
                          'orgc_id': '15',
                          'uuid': '24e1a0bd-a6ad-4ff6-9d4b-5aeb0413a1f9'},
                'category': 'Network activity',
                'comment': 'Comment added via the API',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '64',
                'first_seen': None,
                'id': '3362',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1713154698',
                'to_ids': False,
                'type': 'ip-dst',
                'uuid': '501fd194-8b98-40d9-91e6-1c3d56d9c36a',
            

In [40]:
# Time-based search with a relative window
endpoint, relative_path = '/attributes/restSearch/', ''

# /!\ "last" works on the publish_timestamp, which may be confusing
# Units: days, hours, minutes and seconds
body = {
    "returnFormat": "json",
    "eventid": event_id,
    # Further filters to try:
    #     "to_ids": 1,
    #     "publish_timestamp": "2024-04-15"
}

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

Count: 2
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '64',
                          'info': 'Event created via the API as an example',
                          'org_id': '15',
                          'orgc_id': '15',
                          'uuid': '24e1a0bd-a6ad-4ff6-9d4b-5aeb0413a1f9'},
                'category': 'Network activity',
                'comment': 'Comment added via the API',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '64',
                'first_seen': None,
                'id': '3362',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1713154698',
                'to_ids': False,
                'type': 'ip-dst',
                'uuid': '501fd194-8b98-40d9-91e6-1c3d56d9c36a',
            

## Clarification of the different timestamps
- ``publish_timestamp`` = Time at which the event was published
    - Usage: get data that arrived in my system since x
    - E.g.: New data from a feed
- ``timestamp`` = Time of the last modification of the data
    - Usage: get data that was modified in the last x hours
    - E.g.: Last updated data from a feed
- ``event_timestamp`` = Used in the Attribute scope
    - Usage: the event was modified in the last x hours

In [44]:
# Attribute search that also returns the attachment content
endpoint, relative_path = '/attributes/restSearch/', ''

# With withAttachments set, the matching attribute carries the file content,
# base64-encoded, in its 'data' field (see the output below).
# Files shared through a threat-intelligence platform may be hostile: decode and
# open them only in an isolated analysis environment, and keep large payloads
# out of the saved notebook output.
body = dict(returnFormat="json", eventid=event_id, type="attachment", withAttachments=1)

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

Count: 1
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '64',
                          'info': 'Event created via the API as an example',
                          'org_id': '15',
                          'orgc_id': '15',
                          'uuid': '24e1a0bd-a6ad-4ff6-9d4b-5aeb0413a1f9'},
                'category': 'Payload delivery',
                'comment': '',
                'data': 'iVBORw0KGgoAAAANSUhEUgAAAG8AAABvAQAAAADKvqPNAAABJklEQVQ4jdXUMY6FIBAG4N9Y0K0XIOEadF5JL4B6Ad+V6LiGiRfAjoI4O5oX87ZhKDabLKH5CsPPMCPox8L/YASm0EZkwIg8KI9hX/s8UQW9nkhPKQ+qioMCel1J1+fR15HyYNv5I2SBfN8xaN7P9QvkdYIPMk9hC4zQsJvr99XKPG37usqO8U4lEFsXaAm5uw8qM3JyMkeCsxVU2nHZLZ1K5gl++v1IW/NOVSIFjB5QcPe3ZfJ9KeUm0CvJjNi+cOV/hyzyILMEbkI0wcj0/EBmVtdZMkO79hwJU6qgz07tp0XjjUheR2o5W4RMbpJB6S7xLJBIngUHzaccycj0eqR9Vk9xBA7gzW1Qx75dCADJvP45V9NGK/MeGR6xayJE/tkf+Nf4DXMqFobLZDuHAAAAAElFTkSuQmCC',
                'deleted': False,
                'disable_correlation': False,
   

In [48]:
# Other attribute filters: several types at once, with warninglist enforcement
endpoint, relative_path = '/attributes/restSearch/', ''

# enforceWarninglist asks the server to leave out values that hit a warninglist,
# which keeps known-benign infrastructure out of an export used for detection.
ip_types = ["ip-src", "ip-dst"]
body = dict(returnFormat="json", eventid=event_id, type=ip_types, enforceWarninglist=1)

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

Count: 2
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '64',
                          'info': 'Event created via the API as an example',
                          'org_id': '15',
                          'orgc_id': '15',
                          'uuid': '24e1a0bd-a6ad-4ff6-9d4b-5aeb0413a1f9'},
                'category': 'Network activity',
                'comment': 'Comment added via the API',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '64',
                'first_seen': None,
                'id': '3362',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1713154698',
                'to_ids': False,
                'type': 'ip-dst',
                'uuid': '501fd194-8b98-40d9-91e6-1c3d56d9c36a',
            

### RestSearch - Events

In [49]:
# Event-scope search: fetch one event, with its attributes, by id
endpoint, relative_path = '/events/restSearch', ''

body = dict(returnFormat="json", eventid=64)

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

Count: 1
  - Attribute count: 4
----------
[{'Event': {'Attribute': [{'Galaxy': [],
                           'ShadowAttribute': [],
                           'category': 'Network activity',
                           'comment': 'Comment added via the API',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '5',
                           'event_id': '64',
                           'first_seen': None,
                           'id': '3362',
                           'last_seen': None,
                           'object_id': '0',
                           'object_relation': None,
                           'sharing_group_id': '0',
                           'timestamp': '1713154698',
                           'to_ids': False,
                           'type': 'ip-dst',
                           'uuid': '501fd194-8b98-40d9-91e6-1c3d56d9c36a',
                           'value': '127.0.0

In [51]:
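# Searching using the RestSearch - Other return format
# The API key is read from the MISP_AUTHKEY environment variable (export it
# before starting Jupyter) instead of being pasted into the cell: a key written
# here is saved with the notebook and disclosed to everyone the file reaches.
# A key that was stored in a shared notebook should be revoked and reissued.
# -k switches off TLS certificate verification. That is tolerable only against a
# local training instance with a self-signed certificate; anywhere else drop it,
# or point curl at the instance's CA with --cacert.
!curl \
 -d '{"returnFormat":"rpz","eventid":64}' \
 -H "Authorization: $MISP_AUTHKEY" \
 -H "Accept: application/json" \
 -H "Content-type: application/json" \
 -k \
 -X POST https://localhost:8443/events/restSearch 2> /dev/null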

In [96]:
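# Searching using the RestSearch - Other return format
# The API key is read from the MISP_AUTHKEY environment variable (export it
# before starting Jupyter) instead of being pasted into the cell: a key written
# here is saved with the notebook and disclosed to everyone the file reaches.
# A key that was stored in a shared notebook should be revoked and reissued.
# -k switches off TLS certificate verification. That is tolerable only against a
# local training instance with a self-signed certificate; anywhere else drop it,
# or point curl at the instance's CA with --cacert.
!curl \
 -d '{"returnFormat":"csv","eventid":126}' \
 -H "Authorization: $MISP_AUTHKEY" \
 -H "Accept: application/json" \
 -H "Content-type: application/json" \
 -k \
 -X POST https://localhost:8443/events/restSearch 2> /dev/null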

uuid,event_id,category,type,value,comment,to_ids,date,object_relation,attribute_tag,object_uuid,object_name,object_meta_category
"6938d503-7d96-48b6-9a18-f8e6f95f04dd",126,"Network activity","ip-src","9.9.9.9","",1,1705581872,"","","","",""
"8153fcad-cd37-45d9-a1d1-a509942116f8",126,"Network activity","ip-dst","127.2.2.2","Comment added via the API!",0,1705583914,"","tlp:white","","",""
"1b436ea7-5fc3-485f-b059-9bfff544925f",126,"Payload delivery","attachment","test.txt","",0,1705584018,"","","","",""
"7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5",126,"Other","text","post","",0,1558702173,"post","","838aefb1-0f6e-4967-9a99-e7414887ae9a","microblog","misc"



In [52]:
# Event-scope search filtered on a value
endpoint, relative_path = '/events/restSearch', ''

body = dict(returnFormat="json", value="parsed-ail.json")

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

Count: 0
----------
[]


In [53]:
# Event-scope search by organisation, asking for event metadata only
endpoint, relative_path = '/events/restSearch', ''

body = {
    "returnFormat": "json",
    "org": "CIRCL",
    # Alternative filter:
    #     "id": 33,
    "metadata": 1
}

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

Count: 14
----------
[{'Event': {'CryptographicKey': [],
            'Galaxy': [{'GalaxyCluster': [{'GalaxyClusterRelation': [],
                                           'Org': {'contacts': '',
                                                   'created_by': '0',
                                                   'date_created': '',
                                                   'date_modified': '',
                                                   'description': 'Automatically '
                                                                  'generated '
                                                                  'MISP '
                                                                  'organisation',
                                                   'id': '0',
                                                   'landingpage': None,
                                                   'local': True,
                                                   'name': 'MISP',
      

In [55]:
# Event-scope search on the event info field; % is used as a wildcard on both sides
endpoint, relative_path = '/events/restSearch', ''

body = {
    "returnFormat": "json",
    "eventinfo": "%via the API%",
    # Further filter to try:
    #     "published": 1
}

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

Count: 2
  - Attribute count: 0
  - Attribute count: 4
----------
[{'Event': {'Attribute': [],
            'CryptographicKey': [],
            'EventReport': [],
            'Galaxy': [],
            'Object': [],
            'Org': {'id': '15',
                    'local': True,
                    'name': 'CIRCL',
                    'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
            'Orgc': {'id': '15',
                     'local': True,
                     'name': 'CIRCL',
                     'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
            'RelatedEvent': [],
            'ShadowAttribute': [],
            'analysis': '0',
            'attribute_count': '0',
            'date': '2024-04-15',
            'disable_correlation': False,
            'distribution': '0',
            'event_creator_email': 'alexandre.dulaunoy@circl.lu',
            'extends_uuid': '',
            'id': '63',
            'info': 'Event created via the API as an example',
          

# Sightings

In [60]:
# Record a sighting for an attribute, addressed by its id
endpoint, relative_path = '/sightings/add', ''

body = {
    "id": "3366"
    # Alternative: address the attribute by value instead
    #     "value": "127.2.2.2"
}

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

{'Sighting': {'attribute_id': '3366',
              'date_sighting': '1713155573',
              'event_id': '64',
              'id': '102',
              'org_id': '15',
              'source': '',
              'type': '0',
              'uuid': '53eb767b-b54a-4d7d-b3d8-6809703a3975'}}


In [63]:
# List the sightings of one event, with the sighted attribute and its event attached
endpoint, relative_path = '/sightings/restSearch/event', ''

body = dict(returnFormat="json", id=64, includeAttribute=1, includeEvent=1)

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

Count: 1
----------
[{'Sighting': {'Attribute': {'category': 'Network activity',
                             'id': '3366',
                             'to_ids': True,
                             'type': 'ip-dst',
                             'uuid': '6c4e1467-ce18-4131-b858-470ee57ebaec',
                             'value': '127.0.0.2'},
               'Event': {'Orgc': {'name': 'CIRCL'},
                         'id': '64',
                         'info': 'Event created via the API as an example',
                         'org_id': '15',
                         'orgc_id': '15',
                         'uuid': '24e1a0bd-a6ad-4ff6-9d4b-5aeb0413a1f9'},
               'Organisation': {'id': '15',
                                'name': 'CIRCL',
                                'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
               'attribute_id': '3366',
               'date_sighting': '1713155573',
               'event_id': '64',
               'id': '102',
             

# Warning lists

In [64]:
# Check values against the warning lists
endpoint, relative_path = '/warninglists/checkValue', ''

# The body is a plain list of values. In the output below only the value that
# matched a list is reported; the other two do not appear.
body = ["8.8.8.8", "yolo", "test"]

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

{'8.8.8.8': [{'id': '54',
              'matched': '8.8.8.8/32',
              'name': 'List of known IPv4 public DNS resolvers'}]}


# Instance management

In [65]:
# Create an organisation
# NOTE(review): the path is under /admin/, so this presumably needs a key with
# administrative rights; keep such a key out of notebooks used for everyday queries.
endpoint, relative_path = '/admin/organisations/add', ''

body = dict(name="TEMP_ORG2")

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

{'Organisation': {'contacts': None,
                  'created_by': '626',
                  'date_created': '2024-04-15 04:34:16',
                  'date_modified': '2024-04-15 04:34:16',
                  'description': None,
                  'id': '17',
                  'landingpage': None,
                  'local': True,
                  'name': 'TEMP_ORG2',
                  'nationality': '',
                  'restricted_to_domain': None,
                  'sector': '',
                  'type': '',
                  'uuid': 'c9a0a3d6-2698-4535-9bf3-782667e8779b'}}


In [None]:
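# Creating Users
endpoint = '/admin/users/add'
relative_path = ''

body = {
    "email": "from_api2@admin.test",
    "org_id": 1009,
    "role_id": 3,
    "termsaccepted": 1,
    # 1 = the user is prompted to change the password once logged in. The cell
    # used 0 next to that description, which would have left the password below
    # (saved in the notebook in clear text) as the account's standing credential.
    "change_pw": 1,
    # Placeholder initial password: replace it with a unique value per account
    # and do not commit the notebook with a real one in it.
    "password": "~~UlTrA_SeCuRe_PaSsWoRd~~"
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)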

In [None]:
# Create a sharing group with two member organisations
endpoint, relative_path = '/sharing_groups/add', ''

# Every listed organisation is added with "extend" set to 1.
member_orgs = ("ORGNAME", "CIRCL")
body = {
    "name": "TEMP_SG2",
    "releasability": "To nobody",
    "SharingGroupOrg": [{"name": org_name, "extend": 1} for org_name in member_orgs]
}

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

In [None]:
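# Server
import os  # local to this cell: only used to read the remote key from the environment

endpoint = '/servers/add'
relative_path = ''

body = {
    # Plain HTTP is only tolerable for this loopback example. A real remote should
    # be reached over https, otherwise the key and the synchronised data cross the
    # network in clear text.
    "url": "http://127.0.0.1:80/",
    "name": "Myself",
    "remote_org_id": "2",
    # Key of the remote instance, read from the MISP_REMOTE_AUTHKEY environment
    # variable (name chosen for this example) so it is never saved in the notebook.
    # A KeyError here means the variable was not exported before starting Jupyter.
    "authkey": os.environ["MISP_REMOTE_AUTHKEY"]
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)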

In [None]:
# Read the server settings
# NOTE(review): the response describes the instance's configuration and may hold
# sensitive values; review the output before saving or sharing the notebook.
endpoint, relative_path = '/servers/serverSettings', ''

body = dict()

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

In [99]:
# Instance usage statistics (counts of events, attributes, organisations, users, ...)
endpoint, relative_path = '/users/statistics', ''

body = dict()

res = misp.direct_call(f"{endpoint}{relative_path}", body)
print_result(res)

{'stats': {'attribute_count': 51848,
           'attribute_count_month': 11,
           'attributes_per_event': 701,
           'average_user_per_org': 2.6,
           'contributing_org_count': 6,
           'correlation_count': 63,
           'event_count': 74,
           'event_count_month': 7,
           'local_org_count': 7,
           'org_count': 16,
           'post_count': 14,
           'post_count_month': 0,
           'proposal_count': 1,
           'thread_count': 2,
           'thread_count_month': 0,
           'user_count': 18,
           'user_count_pgp': 0}}


Not Available:
- misp-module