{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Notebook trainer cheatsheet: API and CLI" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "- Automation page\n", "- Recovering the API KEY (Automation page, User page, RestClient)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Important notice\n", "\n", "This notebook shows various usages of the MISP REST API.\n", "\n", "It should be noted that PyMISP is not required to use the MISP REST API. We are using PyMISP only to parse the response and inspect the data. So any HTTP client such as curl could do the job, as described below.\n", "\n", "This command:\n", "```\n", "misp_url = URL + '/events/add'\n", "relative_path = ''\n", "\n", "body = {\n", " \"info\": \"Event\"\n", "}\n", "\n", "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n", "res = misp.direct_call(relative_path, body)\n", "print_result(res)\n", "```\n", "\n", "Will yield the same result as this command (replace the placeholder with your own API key; never paste a real key into a shared notebook):\n", "```\n", "!curl \\\n", " -d '{\"info\": \"Event\"}' \\\n", " -H \"Authorization: <YOUR_API_KEY>\" \\\n", " -H \"Accept: application/json\" \\\n", " -H \"Content-type: application/json\" \\\n", " -X POST 127.0.0.1:8080/events/restSearch\n", " ```" ] }, { "cell_type": "code", "execution_count": 38, "metadata": {}, "outputs": [ { "name": "stderr", "output_type": "stream", "text": [ "The version of PyMISP recommended by the MISP instance (2.4.183) is newer than the one you're using now (2.4.168). 
Please upgrade PyMISP.\n" ] } ], "source": [ "from pymisp import ExpandedPyMISP\n", "from pprint import pprint\n", "AUTHKEY = \"AaRwZVxZqE8peVet1LGfTYMOkOfFfa7rlS5i5xfL\"\n", "URL = \"https://localhost:8443\"\n", "import urllib3\n", "urllib3.disable_warnings()\n", "misp = ExpandedPyMISP(URL, AUTHKEY, False)\n", "\n", "def print_result(result):\n", " flag_printed = False\n", " if isinstance(result, list):\n", " print(\"Count: %s\" % len(result))\n", " flag_printed = True\n", " for i in res:\n", " if 'Event' in i and 'Attribute' in i['Event']:\n", " print(\" - Attribute count: %s\" % len(i['Event']['Attribute']))\n", " elif isinstance(result, dict):\n", " if 'Attribute' in result:\n", " print(\"Count: %s\" % len(result['Attribute']))\n", " flag_printed = True\n", " elif 'Event' in result and 'Attribute' in result['Event']['Attribute']:\n", " print(\"Attribute count: %s\" % len(result['Event']['Attribute']))\n", " flag_printed = True\n", " if flag_printed:\n", " print('----------')\n", " pprint(result)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Events" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Creation and Edition" ] }, { "cell_type": "code", "execution_count": 39, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "{'Event': {'Attribute': [],\n", " 'CryptographicKey': [],\n", " 'EventReport': [],\n", " 'Galaxy': [],\n", " 'Object': [],\n", " 'Org': {'id': '1',\n", " 'local': True,\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'Orgc': {'id': '1',\n", " 'local': True,\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'RelatedEvent': [],\n", " 'ShadowAttribute': [],\n", " 'analysis': '0',\n", " 'attribute_count': '0',\n", " 'date': '2024-01-18',\n", " 'disable_correlation': False,\n", " 'distribution': '0',\n", " 'event_creator_email': 'admin@admin.test',\n", " 'extends_uuid': '',\n", " 'id': '126',\n", " 'info': 'Event 
created via the API as an example',\n", " 'locked': False,\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'proposal_email_lock': False,\n", " 'protected': None,\n", " 'publish_timestamp': '0',\n", " 'published': False,\n", " 'sharing_group_id': '0',\n", " 'threat_level_id': '1',\n", " 'timestamp': '1705581715',\n", " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'}}\n" ] } ], "source": [ "# Creation\n", "endpoint = '/events/add'\n", "relative_path = ''\n", "\n", "body = {\n", " \"info\": \"Event created via the API as an example\",\n", " \"threat_level_id\": 1,\n", " \"distribution\": 0\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 44, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "{'Event': {'Attribute': [],\n", " 'CryptographicKey': [],\n", " 'EventReport': [],\n", " 'Galaxy': [],\n", " 'Object': [],\n", " 'Org': {'id': '1',\n", " 'local': True,\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'Orgc': {'id': '1',\n", " 'local': True,\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'RelatedEvent': [],\n", " 'ShadowAttribute': [],\n", " 'analysis': '0',\n", " 'attribute_count': '0',\n", " 'date': '2024-01-18',\n", " 'disable_correlation': False,\n", " 'distribution': '3',\n", " 'event_creator_email': 'admin@admin.test',\n", " 'extends_uuid': '',\n", " 'id': '126',\n", " 'info': 'Event created via the API as an example',\n", " 'locked': False,\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'proposal_email_lock': False,\n", " 'protected': None,\n", " 'publish_timestamp': '0',\n", " 'published': False,\n", " 'sharing_group_id': '0',\n", " 'threat_level_id': '1',\n", " 'timestamp': '1705581830',\n", " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'}}\n" ] } ], "source": [ "# Edition 1\n", "endpoint = '/events/edit/'\n", "relative_path = '126'\n", "\n", "body = 
{\n", " \"distribution\": 3,\n", "# \"sharing_group_id\": 1\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 45, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "{'Event': {'Attribute': [{'Galaxy': [],\n", " 'ShadowAttribute': [],\n", " 'category': 'Network activity',\n", " 'comment': '',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56142',\n", " 'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705581872',\n", " 'to_ids': True,\n", " 'type': 'ip-src',\n", " 'uuid': '6938d503-7d96-48b6-9a18-f8e6f95f04dd',\n", " 'value': '9.9.9.9'}],\n", " 'CryptographicKey': [],\n", " 'EventReport': [],\n", " 'Galaxy': [],\n", " 'Object': [],\n", " 'Org': {'id': '1',\n", " 'local': True,\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'Orgc': {'id': '1',\n", " 'local': True,\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'RelatedEvent': [{'Event': {'Org': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'Orgc': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'analysis': '0',\n", " 'date': '2024-01-16',\n", " 'distribution': '3',\n", " 'id': '122',\n", " 'info': 'Event created via the API as '\n", " 'an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'published': False,\n", " 'threat_level_id': '1',\n", " 'timestamp': '1705581786',\n", " 'uuid': 'de96c637-2282-4fc0-9c4e-ca7db60bace1'}},\n", " {'Event': {'Org': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'Orgc': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 
'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'analysis': '0',\n", " 'date': '2023-09-28',\n", " 'distribution': '0',\n", " 'id': '87',\n", " 'info': 'Event created via the API as '\n", " 'an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'published': True,\n", " 'threat_level_id': '1',\n", " 'timestamp': '1695907402',\n", " 'uuid': 'a1348888-5a3e-4e18-acd5-b5015c9621ed'}}],\n", " 'ShadowAttribute': [],\n", " 'analysis': '0',\n", " 'attribute_count': '1',\n", " 'date': '2024-01-18',\n", " 'disable_correlation': False,\n", " 'distribution': '0',\n", " 'event_creator_email': 'admin@admin.test',\n", " 'extends_uuid': '',\n", " 'id': '126',\n", " 'info': 'Event created via the API as an example',\n", " 'locked': False,\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'proposal_email_lock': False,\n", " 'protected': None,\n", " 'publish_timestamp': '0',\n", " 'published': False,\n", " 'sharing_group_id': '0',\n", " 'threat_level_id': '1',\n", " 'timestamp': '1705581872',\n", " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'}}\n" ] } ], "source": [ "# Edition 2 - Adding Attribute\n", "endpoint = '/events/edit/'\n", "relative_path = '126'\n", "\n", "body = {\n", " \"distribution\": 0,\n", " \"Attribute\": [\n", " {\n", " \"value\": \"9.9.9.9\",\n", " \"type\": \"ip-src\"\n", " }\n", " ]\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 47, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "{'message': 'Global tag tlp:red123(400) successfully attached to Event(126).',\n", " 'name': 'Global tag tlp:red123(400) successfully attached to Event(126).',\n", " 'saved': True,\n", " 'success': True,\n", " 'url': '/tags/attachTagToObject'}\n" ] } ], "source": [ "# Edition 2 - tagging 1\n", "endpoint = '/tags/attachTagToObject'\n", "relative_path = ''\n", "\n", "body = {\n", " \"uuid\": \"b3cc1ea2-892f-48e1-a6dc-20279818a724\", # can be anything: 
event or attribute\n", " \"tag\": \"tlp:red\"\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Attributes" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Creation and edition" ] }, { "cell_type": "code", "execution_count": 48, "metadata": {}, "outputs": [], "source": [ "event_id = 126" ] }, { "cell_type": "code", "execution_count": 49, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Count: 19\n", "----------\n", "{'Attribute': {'category': 'Network activity',\n", " 'comment': '',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56143',\n", " 'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705582067',\n", " 'to_ids': True,\n", " 'type': 'ip-dst',\n", " 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n", " 'value': '8.8.8.9',\n", " 'value1': '8.8.8.9',\n", " 'value2': ''},\n", " 'AttributeTag': []}\n" ] } ], "source": [ "# Adding\n", "endpoint = '/attributes/add/'\n", "relative_path = str(event_id)\n", "\n", "body = {\n", " \"value\": \"8.8.8.9\",\n", " \"type\": \"ip-dst\"\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 50, "metadata": {}, "outputs": [ { "name": "stderr", "output_type": "stream", "text": [ "Something went wrong (403): {'saved': False, 'name': 'Could not add Attribute', 'message': 'Could not add Attribute', 'url': '/attributes/add', 'errors': {'value': ['Checksum has an invalid length or format (expected: 32 hexadecimal characters). 
Please double check the value or select type \"other\".']}}\n" ] }, { "name": "stdout", "output_type": "stream", "text": [ "{'errors': (403,\n", " {'errors': {'value': ['Checksum has an invalid length or format '\n", " '(expected: 32 hexadecimal characters). '\n", " 'Please double check the value or select '\n", " 'type \"other\".']},\n", " 'message': 'Could not add Attribute',\n", " 'name': 'Could not add Attribute',\n", " 'saved': False,\n", " 'url': '/attributes/add'})}\n" ] } ], "source": [ "# Adding invalid attribute type\n", "endpoint = '/attributes/add/'\n", "relative_path = str(event_id)\n", "\n", "body = {\n", " \"value\": \"8.8.8.9\",\n", " \"type\": \"md5\"\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 51, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Count: 17\n", "----------\n", "{'Attribute': {'category': 'Network activity',\n", " 'comment': 'Comment added via the API',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56143',\n", " 'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705582158',\n", " 'to_ids': False,\n", " 'type': 'ip-dst',\n", " 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n", " 'value': '127.0.0.1'}}\n" ] } ], "source": [ "# Editing\n", "endpoint = '/attributes/edit/' # /attributes/edit/[attribute_id]\n", "relative_path = '56143'\n", "\n", "body = {\n", " \"value\": \"127.0.0.1\",\n", " \"to_ids\": 0,\n", " \"comment\": \"Comment added via the API\",\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 54, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Count: 17\n", "----------\n", "{'Attribute': 
{'category': 'Network activity',\n", " 'comment': 'Comment added via the API',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56143',\n", " 'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705582332',\n", " 'to_ids': False,\n", " 'type': 'ip-dst',\n", " 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n", " 'value': '127.1.1.1'}}\n" ] } ], "source": [ "# Editing with data taken from JSON views. \n", "# (timestamp) contrast the difference with *PyMISP*\n", "endpoint = '/attributes/edit/'\n", "relative_path = '56143'\n", "\n", "body = {\n", " \"id\": \"56143\",\n", " \"type\": \"ip-dst\",\n", " \"category\": \"Network activity\",\n", " \"to_ids\": False,\n", " \"uuid\": \"8153fcad-cd37-45d9-a1d1-a509942116f8\",\n", " \"event_id\": \"126\",\n", " \"distribution\": \"5\",\n", " \"comment\": \"Comment added via the API\",\n", " \"sharing_group_id\": \"0\",\n", " \"deleted\": False,\n", " \"disable_correlation\": False,\n", " \"object_id\": \"0\",\n", " \"object_relation\": None,\n", " \"first_seen\": None,\n", " \"last_seen\": None,\n", " \"value\": \"127.1.1.1\",\n", " \"Galaxy\": [],\n", " \"ShadowAttribute\": []\n", " }\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Objects" ] }, { "cell_type": "code", "execution_count": 55, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "{'Object': {'Attribute': [{'category': 'Other',\n", " 'comment': '',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56144',\n", " 'last_seen': None,\n", " 'object_id': '645',\n", " 'object_relation': 'post',\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1558702173',\n", " 
'to_ids': False,\n", " 'type': 'text',\n", " 'uuid': '7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5',\n", " 'value': 'post',\n", " 'value1': 'post',\n", " 'value2': ''}],\n", " 'comment': '',\n", " 'deleted': False,\n", " 'description': 'Microblog post like a Twitter tweet or a post on a '\n", " 'Facebook wall.',\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '645',\n", " 'last_seen': None,\n", " 'meta-category': 'misc',\n", " 'name': 'microblog',\n", " 'sharing_group_id': '0',\n", " 'template_uuid': '8ec8c911-ddbe-4f5b-895b-fbff70c42a60',\n", " 'template_version': '5',\n", " 'timestamp': '1558702173',\n", " 'uuid': '838aefb1-0f6e-4967-9a99-e7414887ae9a'}}\n" ] } ], "source": [ "endpoint = '/objects/add/'\n", "relative_path = str(event_id)\n", "\n", "body = {\n", " \"name\": \"microblog\",\n", " \"meta-category\": \"misc\",\n", " \"description\": \"Microblog post like a Twitter tweet or a post on a Facebook wall.\",\n", " \"template_uuid\": \"8ec8c911-ddbe-4f5b-895b-fbff70c42a60\",\n", " \"template_version\": \"5\",\n", " \"event_id\": event_id,\n", " \"timestamp\": \"1558702173\",\n", " \"distribution\": \"5\",\n", " \"sharing_group_id\": \"0\",\n", " \"comment\": \"\",\n", " \"deleted\": False,\n", " \"ObjectReference\": [],\n", " \"Attribute\": [\n", " {\n", " \"type\": \"text\",\n", " \"category\": \"Other\",\n", " \"to_ids\": False,\n", " \"event_id\": event_id,\n", " \"distribution\": \"5\",\n", " \"timestamp\": \"1558702173\",\n", " \"comment\": \"\",\n", " \"sharing_group_id\": \"0\",\n", " \"deleted\": False,\n", " \"disable_correlation\": False,\n", " \"object_relation\": \"post\",\n", " \"value\": \"post\",\n", " \"Galaxy\": [],\n", " \"ShadowAttribute\": []\n", " }\n", " ]\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 58, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "{'Event': 
{'Attribute': [{'Galaxy': [],\n", " 'ShadowAttribute': [],\n", " 'category': 'Network activity',\n", " 'comment': '',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56142',\n", " 'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705581872',\n", " 'to_ids': True,\n", " 'type': 'ip-src',\n", " 'uuid': '6938d503-7d96-48b6-9a18-f8e6f95f04dd',\n", " 'value': '9.9.9.9'},\n", " {'Galaxy': [],\n", " 'ShadowAttribute': [],\n", " 'category': 'Network activity',\n", " 'comment': 'Comment added via the API',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56143',\n", " 'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705582453',\n", " 'to_ids': False,\n", " 'type': 'ip-dst',\n", " 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n", " 'value': '127.2.2.2'}],\n", " 'CryptographicKey': [],\n", " 'EventReport': [],\n", " 'Galaxy': [],\n", " 'Object': [{'Attribute': [{'Galaxy': [],\n", " 'ShadowAttribute': [],\n", " 'category': 'Other',\n", " 'comment': '',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56144',\n", " 'last_seen': None,\n", " 'object_id': '645',\n", " 'object_relation': 'post',\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1558702173',\n", " 'to_ids': False,\n", " 'type': 'text',\n", " 'uuid': '7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5',\n", " 'value': 'post'}],\n", " 'ObjectReference': [],\n", " 'comment': '',\n", " 'deleted': False,\n", " 'description': 'Microblog post like a Twitter tweet or '\n", " 'a post on a Facebook wall.',\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': 
None,\n", " 'id': '645',\n", " 'last_seen': None,\n", " 'meta-category': 'misc',\n", " 'name': 'microblog',\n", " 'sharing_group_id': '0',\n", " 'template_uuid': '8ec8c911-ddbe-4f5b-895b-fbff70c42a60',\n", " 'template_version': '5',\n", " 'timestamp': '1558702173',\n", " 'uuid': '838aefb1-0f6e-4967-9a99-e7414887ae9a'}],\n", " 'Org': {'id': '1',\n", " 'local': True,\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'Orgc': {'id': '1',\n", " 'local': True,\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'RelatedEvent': [{'Event': {'Org': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'Orgc': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'analysis': '0',\n", " 'date': '2024-01-16',\n", " 'distribution': '3',\n", " 'id': '122',\n", " 'info': 'Event created via the API as '\n", " 'an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'published': False,\n", " 'threat_level_id': '1',\n", " 'timestamp': '1705581786',\n", " 'uuid': 'de96c637-2282-4fc0-9c4e-ca7db60bace1'}},\n", " {'Event': {'Org': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'Orgc': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'analysis': '0',\n", " 'date': '2023-09-28',\n", " 'distribution': '0',\n", " 'id': '87',\n", " 'info': 'Event created via the API as '\n", " 'an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'published': True,\n", " 'threat_level_id': '1',\n", " 'timestamp': '1695907402',\n", " 'uuid': 'a1348888-5a3e-4e18-acd5-b5015c9621ed'}}],\n", " 'ShadowAttribute': [],\n", " 'Tag': [{'colour': '#FF2B2B',\n", " 'exportable': True,\n", " 'hide_tag': False,\n", " 'id': '16',\n", " 'is_custom_galaxy': False,\n", " 'is_galaxy': False,\n", " 'local': 0,\n", " 'local_only': False,\n", " 'name': 
'tlp:red',\n", " 'numerical_value': None,\n", " 'relationship_type': None,\n", " 'user_id': '0'},\n", " {'colour': '#33FF00',\n", " 'exportable': True,\n", " 'hide_tag': False,\n", " 'id': '79',\n", " 'is_custom_galaxy': False,\n", " 'is_galaxy': False,\n", " 'local': 0,\n", " 'local_only': False,\n", " 'name': 'tlp:green',\n", " 'numerical_value': None,\n", " 'relationship_type': None,\n", " 'user_id': '0'}],\n", " 'analysis': '0',\n", " 'attribute_count': '3',\n", " 'date': '2024-01-18',\n", " 'disable_correlation': False,\n", " 'distribution': '0',\n", " 'event_creator_email': 'admin@admin.test',\n", " 'extends_uuid': '',\n", " 'id': '126',\n", " 'info': 'Event created via the API as an example',\n", " 'locked': False,\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'proposal_email_lock': False,\n", " 'protected': None,\n", " 'publish_timestamp': '0',\n", " 'published': False,\n", " 'sharing_group_id': '0',\n", " 'threat_level_id': '1',\n", " 'timestamp': '1705582663',\n", " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'}}\n" ] } ], "source": [ "# Edition 2 - tagging 2\n", "endpoint = '/events/edit/'\n", "relative_path = '126'\n", "\n", "body = {\n", " \"distribution\": 0,\n", " \"Tag\": [\n", " {\"name\":\"tlp:green\"}\n", " ]\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Searches" ] }, { "cell_type": "code", "execution_count": 61, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Count: 2\n", "----------\n", "[{'EventTag': [{'Tag': {'colour': '#33FF00',\n", " 'id': '79',\n", " 'is_galaxy': False,\n", " 'name': 'tlp:green'},\n", " 'event_id': '87',\n", " 'id': '483',\n", " 'local': False,\n", " 'relationship_type': '',\n", " 'tag_id': '79'}],\n", " 'Org': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'Orgc': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 
'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'analysis': '0',\n", " 'attribute_count': '5',\n", " 'date': '2023-09-28',\n", " 'disable_correlation': False,\n", " 'distribution': '0',\n", " 'extends_uuid': '',\n", " 'id': '87',\n", " 'info': 'Event created via the API as an example',\n", " 'locked': False,\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'proposal_email_lock': False,\n", " 'protected': None,\n", " 'publish_timestamp': '1695907664',\n", " 'published': True,\n", " 'sharing_group_id': '0',\n", " 'sighting_timestamp': '0',\n", " 'threat_level_id': '1',\n", " 'timestamp': '1695907402',\n", " 'uuid': 'a1348888-5a3e-4e18-acd5-b5015c9621ed'},\n", " {'EventTag': [{'Tag': {'colour': '#FFC000',\n", " 'id': '81',\n", " 'is_galaxy': False,\n", " 'name': 'tlp:amber'},\n", " 'event_id': '122',\n", " 'id': '592',\n", " 'local': False,\n", " 'relationship_type': '',\n", " 'tag_id': '81'}],\n", " 'Org': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'Orgc': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'analysis': '0',\n", " 'attribute_count': '4',\n", " 'date': '2024-01-16',\n", " 'disable_correlation': False,\n", " 'distribution': '3',\n", " 'extends_uuid': '',\n", " 'id': '122',\n", " 'info': 'Event created via the API as an example',\n", " 'locked': False,\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'proposal_email_lock': False,\n", " 'protected': None,\n", " 'publish_timestamp': '1705411595',\n", " 'published': False,\n", " 'sharing_group_id': '0',\n", " 'sighting_timestamp': '0',\n", " 'threat_level_id': '1',\n", " 'timestamp': '1705581786',\n", " 'uuid': 'de96c637-2282-4fc0-9c4e-ca7db60bace1'}]\n" ] } ], "source": [ "# Searching the Event index (Move it to the search topic)\n", "endpoint = '/events/index'\n", "relative_path = ''\n", "\n", "body = {\n", " \"eventinfo\": \"api\",\n", " \"publish_timestamp\": \"2023-09-06\",\n", " \"org\": \"ORGNAME\"\n", 
"}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 63, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Event number: 0\n", "Count: 0\n", "----------\n", "[]\n" ] } ], "source": [ "# Searching the Event index\n", "misp_url = '/events/index'\n", "relative_path = ''\n", "\n", "body = {\n", "# \"hasproposal\": 1,\n", " \"tag\": [\"tlp:amber\"]\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "\n", "print('Event number: %s' % len(res))\n", "print_result(res)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## RestSearch\n", "**Aka: Most powerful search tool in MISP**" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### RestSearch - Attributes" ] }, { "cell_type": "code", "execution_count": 64, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Count: 3\n", "----------\n", "{'Attribute': [{'Event': {'distribution': '0',\n", " 'id': '126',\n", " 'info': 'Event created via the API as an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n", " 'category': 'Network activity',\n", " 'comment': '',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56142',\n", " 'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705581872',\n", " 'to_ids': True,\n", " 'type': 'ip-src',\n", " 'uuid': '6938d503-7d96-48b6-9a18-f8e6f95f04dd',\n", " 'value': '9.9.9.9'},\n", " {'Event': {'distribution': '0',\n", " 'id': '126',\n", " 'info': 'Event created via the API as an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n", " 'category': 'Network activity',\n", " 'comment': 'Comment added via the 
API',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56143',\n", " 'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705582453',\n", " 'to_ids': False,\n", " 'type': 'ip-dst',\n", " 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n", " 'value': '127.2.2.2'},\n", " {'Event': {'distribution': '0',\n", " 'id': '126',\n", " 'info': 'Event created via the API as an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n", " 'Object': {'distribution': '5',\n", " 'id': '645',\n", " 'sharing_group_id': '0'},\n", " 'category': 'Other',\n", " 'comment': '',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56144',\n", " 'last_seen': None,\n", " 'object_id': '645',\n", " 'object_relation': 'post',\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1558702173',\n", " 'to_ids': False,\n", " 'type': 'text',\n", " 'uuid': '7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5',\n", " 'value': 'post'}]}\n" ] } ], "source": [ "endpoint = '/attributes/restSearch/'\n", "relative_path = ''\n", "\n", "body = {\n", " \"returnFormat\": \"json\",\n", " \"eventid\": event_id\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 69, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Count: 1\n", "----------\n", "{'Attribute': [{'Event': {'distribution': '0',\n", " 'id': '126',\n", " 'info': 'Event created via the API as an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n", " 'Object': {'distribution': '5',\n", " 'id': '645',\n", " 'sharing_group_id': '0'},\n", " 'category': 'Other',\n", " 
'comment': '',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56144',\n", " 'last_seen': None,\n", " 'object_id': '645',\n", " 'object_relation': 'post',\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1558702173',\n", " 'to_ids': False,\n", " 'type': 'text',\n", " 'uuid': '7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5',\n", " 'value': 'post'}]}\n" ] } ], "source": [ "# Searches on Attribute's data\n", "misp_url = '/attributes/restSearch/'\n", "relative_path = ''\n", "\n", "body = {\n", " \"returnFormat\": \"json\",\n", " \"eventid\": event_id,\n", " \"type\": \"ip-dst\",\n", "# \"value\": \"127.0.%\"\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 71, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Count: 0\n", "----------\n", "{'Attribute': []}\n" ] } ], "source": [ "# Searches on Attribute's data\n", "endpoint = '/attributes/restSearch/'\n", "relative_path = ''\n", "\n", "body = {\n", " \"returnFormat\": \"json\",\n", " \"eventid\": event_id,\n", " \"deleted\": [0, 1] # Consider both deleted AND not deleted\n", "}\n", "\n", "# [] == {\"OR\": []}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 77, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Count: 3\n", "----------\n", "{'Attribute': [{'Event': {'distribution': '0',\n", " 'id': '126',\n", " 'info': 'Event created via the API as an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n", " 'Tag': [{'colour': '#FF2B2B',\n", " 'id': '16',\n", " 'inherited': 1,\n", " 'name': 'tlp:red',\n", " 'numerical_value': None}],\n", " 'category': 'Network activity',\n", " 'comment': '',\n", " 'deleted': False,\n", " 
'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56142',\n", " 'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705581872',\n", " 'to_ids': True,\n", " 'type': 'ip-src',\n", " 'uuid': '6938d503-7d96-48b6-9a18-f8e6f95f04dd',\n", " 'value': '9.9.9.9'},\n", " {'Event': {'distribution': '0',\n", " 'id': '126',\n", " 'info': 'Event created via the API as an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n", " 'Tag': [{'colour': '#ffffff',\n", " 'id': '6',\n", " 'is_galaxy': False,\n", " 'local': False,\n", " 'name': 'tlp:white',\n", " 'numerical_value': None},\n", " {'colour': '#FF2B2B',\n", " 'id': '16',\n", " 'inherited': 1,\n", " 'name': 'tlp:red',\n", " 'numerical_value': None}],\n", " 'category': 'Network activity',\n", " 'comment': 'Comment added via the API',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56143',\n", " 'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705583213',\n", " 'to_ids': False,\n", " 'type': 'ip-dst',\n", " 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n", " 'value': '127.2.2.2'},\n", " {'Event': {'distribution': '0',\n", " 'id': '126',\n", " 'info': 'Event created via the API as an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n", " 'Object': {'distribution': '5',\n", " 'id': '645',\n", " 'sharing_group_id': '0'},\n", " 'Tag': [{'colour': '#FF2B2B',\n", " 'id': '16',\n", " 'inherited': 1,\n", " 'name': 'tlp:red',\n", " 'numerical_value': None}],\n", " 'category': 'Other',\n", " 'comment': '',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 
'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56144',\n", " 'last_seen': None,\n", " 'object_id': '645',\n", " 'object_relation': 'post',\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1558702173',\n", " 'to_ids': False,\n", " 'type': 'text',\n", " 'uuid': '7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5',\n", " 'value': 'post'}]}\n" ] } ], "source": [ "# Searches on Attribute's data\n", "endpoint = '/attributes/restSearch/'\n", "relative_path = ''\n", "\n", "body = {\n", " \"returnFormat\": \"json\",\n", " \"eventid\": event_id,\n", " \"tags\": \"tlp:white\",\n", "# \"tags\": [\"tlp:white\", \"tlp:green\"]\n", "# \"tags\": [\"!tlp:green\"]\n", "# \"tags\": \"tlp:%\",\n", "# \"includeEventTags\": 1\n", "# BRAND NEW (only tag)! Preferred way (most accurate): distinction between OR and AND!\n", "# \"tags\": {\"AND\": [\"tlp:green\", \"Malware\"], \"NOT\": [\"%ransomware%\"]}\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 83, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Count: 0\n", "----------\n", "{'Attribute': []}\n" ] } ], "source": [ "# Paginating\n", "endpoint = '/attributes/restSearch/'\n", "relative_path = ''\n", "\n", "body = {\n", " \"returnFormat\": \"json\",\n", " \"eventid\": event_id,\n", "# \"page\": 0,\n", "# \"limit\": 10000\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# Searches based on time: Absolute\n", "endpoint = '/attributes/restSearch/'\n", "relative_path = ''\n", "event_id = 13\n", "\n", "body = {\n", " \"returnFormat\": \"json\",\n", " \"eventid\": event_id,\n", " \"from\": \"2019/05/21\" # or \"2019-05-21\"\n", " # from and to are NOT REALLY USEFUL.. 
\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 86, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Count: 0\n", "----------\n", "{'Attribute': []}\n" ] } ], "source": [ "# Searches based on time: Relative\n", "endpoint = '/attributes/restSearch/'\n", "relative_path = ''\n", "\n", "# /!\\ Last: works on the publish_timestamp -> may be confusing\n", "# Units: days, hours, minutes and seconds\n", "body = {\n", " \"returnFormat\": \"json\",\n", " \"eventid\": event_id,\n", "# \"to_ids\": 1,\n", " \"publish_timestamp\": \"2019-08-28\"\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Precision regarding the different timestamps\n", "- ``publish_timestamp`` = Time at which the event was published\n", " - Usage: get data that arrived in my system since x\n", " - E.g.: New data from a feed\n", "- ``timestamp`` = Time of the last modification on the data\n", " - Usage: data that was modified in the last x hours\n", " - E.g.: Last updated data from a feed\n", "- ``event_timestamp``: Used in the Attribute scope\n", " - Usage: Event modified in the last x hours" ] }, { "cell_type": "code", "execution_count": 89, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Count: 1\n", "----------\n", "{'Attribute': [{'Event': {'distribution': '0',\n", " 'id': '126',\n", " 'info': 'Event created via the API as an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n", " 'category': 'Payload delivery',\n", " 'comment': '',\n", " 'data': 'dGVzdAo=',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56145',\n", " 'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': 
None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705584018',\n", " 'to_ids': False,\n", " 'type': 'attachment',\n", " 'uuid': '1b436ea7-5fc3-485f-b059-9bfff544925f',\n", " 'value': 'test.txt'}]}\n" ] } ], "source": [ "# Searches with attachments\n", "endpoint = '/attributes/restSearch/'\n", "relative_path = ''\n", "\n", "body = {\n", " \"returnFormat\": \"json\",\n", " \"eventid\": event_id,\n", " \"type\": \"attachment\",\n", " \"withAttachments\": 1\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 93, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Count: 1\n", "----------\n", "{'Attribute': [{'Event': {'distribution': '0',\n", " 'id': '126',\n", " 'info': 'Event created via the API as an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n", " 'Tag': [{'colour': '#ffffff',\n", " 'id': '6',\n", " 'is_galaxy': False,\n", " 'local': False,\n", " 'name': 'tlp:white',\n", " 'numerical_value': None}],\n", " 'category': 'Network activity',\n", " 'comment': 'Comment added via the API!',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56143',\n", " 'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705583914',\n", " 'to_ids': False,\n", " 'type': 'ip-dst',\n", " 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n", " 'value': '127.2.2.2'}]}\n" ] } ], "source": [ "# Searches - Others\n", "endpoint = '/attributes/restSearch/'\n", "relative_path = ''\n", "\n", "body = {\n", " \"returnFormat\": \"json\",\n", " \"eventid\": event_id,\n", " \"type\": [\"ip-src\", \"ip-dst\"],\n", " \"enforceWarninglist\": 1\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { 
"cell_type": "markdown", "metadata": {}, "source": [ "### RestSearch - Events" ] }, { "cell_type": "code", "execution_count": 94, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Count: 1\n", " - Attribute count: 3\n", "----------\n", "[{'Event': {'Attribute': [{'Galaxy': [],\n", " 'ShadowAttribute': [],\n", " 'category': 'Network activity',\n", " 'comment': '',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56142',\n", " 'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705581872',\n", " 'to_ids': True,\n", " 'type': 'ip-src',\n", " 'uuid': '6938d503-7d96-48b6-9a18-f8e6f95f04dd',\n", " 'value': '9.9.9.9'},\n", " {'Galaxy': [],\n", " 'ShadowAttribute': [],\n", " 'Tag': [{'colour': '#ffffff',\n", " 'exportable': True,\n", " 'hide_tag': False,\n", " 'id': '6',\n", " 'is_custom_galaxy': False,\n", " 'is_galaxy': False,\n", " 'local': 0,\n", " 'local_only': False,\n", " 'name': 'tlp:white',\n", " 'numerical_value': None,\n", " 'relationship_type': None,\n", " 'user_id': '0'}],\n", " 'category': 'Network activity',\n", " 'comment': 'Comment added via the API!',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56143',\n", " 'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705583914',\n", " 'to_ids': False,\n", " 'type': 'ip-dst',\n", " 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n", " 'value': '127.2.2.2'},\n", " {'Galaxy': [],\n", " 'ShadowAttribute': [],\n", " 'category': 'Payload delivery',\n", " 'comment': '',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56145',\n", " 
'last_seen': None,\n", " 'object_id': '0',\n", " 'object_relation': None,\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1705584018',\n", " 'to_ids': False,\n", " 'type': 'attachment',\n", " 'uuid': '1b436ea7-5fc3-485f-b059-9bfff544925f',\n", " 'value': 'test.txt'}],\n", " 'CryptographicKey': [],\n", " 'EventReport': [],\n", " 'Galaxy': [],\n", " 'Object': [{'Attribute': [{'Galaxy': [],\n", " 'ShadowAttribute': [],\n", " 'category': 'Other',\n", " 'comment': '',\n", " 'deleted': False,\n", " 'disable_correlation': False,\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '56144',\n", " 'last_seen': None,\n", " 'object_id': '645',\n", " 'object_relation': 'post',\n", " 'sharing_group_id': '0',\n", " 'timestamp': '1558702173',\n", " 'to_ids': False,\n", " 'type': 'text',\n", " 'uuid': '7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5',\n", " 'value': 'post'}],\n", " 'ObjectReference': [],\n", " 'comment': '',\n", " 'deleted': False,\n", " 'description': 'Microblog post like a Twitter tweet or '\n", " 'a post on a Facebook wall.',\n", " 'distribution': '5',\n", " 'event_id': '126',\n", " 'first_seen': None,\n", " 'id': '645',\n", " 'last_seen': None,\n", " 'meta-category': 'misc',\n", " 'name': 'microblog',\n", " 'sharing_group_id': '0',\n", " 'template_uuid': '8ec8c911-ddbe-4f5b-895b-fbff70c42a60',\n", " 'template_version': '5',\n", " 'timestamp': '1558702173',\n", " 'uuid': '838aefb1-0f6e-4967-9a99-e7414887ae9a'}],\n", " 'Org': {'id': '1',\n", " 'local': True,\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'Orgc': {'id': '1',\n", " 'local': True,\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'RelatedEvent': [{'Event': {'Org': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'Orgc': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'analysis': '0',\n", " 'date': 
'2024-01-16',\n", " 'distribution': '3',\n", " 'id': '122',\n", " 'info': 'Event created via the API as '\n", " 'an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'published': False,\n", " 'threat_level_id': '1',\n", " 'timestamp': '1705581786',\n", " 'uuid': 'de96c637-2282-4fc0-9c4e-ca7db60bace1'}},\n", " {'Event': {'Org': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'Orgc': {'id': '1',\n", " 'name': 'ORGNAME',\n", " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", " 'analysis': '0',\n", " 'date': '2023-09-28',\n", " 'distribution': '0',\n", " 'id': '87',\n", " 'info': 'Event created via the API as '\n", " 'an example',\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'published': True,\n", " 'threat_level_id': '1',\n", " 'timestamp': '1695907402',\n", " 'uuid': 'a1348888-5a3e-4e18-acd5-b5015c9621ed'}}],\n", " 'ShadowAttribute': [],\n", " 'Tag': [{'colour': '#FF2B2B',\n", " 'exportable': True,\n", " 'hide_tag': False,\n", " 'id': '16',\n", " 'is_custom_galaxy': False,\n", " 'is_galaxy': False,\n", " 'local': 0,\n", " 'local_only': False,\n", " 'name': 'tlp:red',\n", " 'numerical_value': None,\n", " 'relationship_type': None,\n", " 'user_id': '0'},\n", " {'colour': '#326300',\n", " 'exportable': True,\n", " 'hide_tag': False,\n", " 'id': '29',\n", " 'is_custom_galaxy': False,\n", " 'is_galaxy': False,\n", " 'local': 0,\n", " 'local_only': False,\n", " 'name': 'circl:incident-classification=\"phishing\"',\n", " 'numerical_value': None,\n", " 'relationship_type': None,\n", " 'user_id': '0'}],\n", " 'analysis': '0',\n", " 'attribute_count': '4',\n", " 'date': '2024-01-18',\n", " 'disable_correlation': False,\n", " 'distribution': '0',\n", " 'event_creator_email': 'admin@admin.test',\n", " 'extends_uuid': '',\n", " 'id': '126',\n", " 'info': 'Event created via the API as an example',\n", " 'locked': False,\n", " 'org_id': '1',\n", " 'orgc_id': '1',\n", " 'proposal_email_lock': False,\n", " 
'protected': None,\n", " 'publish_timestamp': '1705583856',\n", " 'published': False,\n", " 'sharing_group_id': '0',\n", " 'threat_level_id': '1',\n", " 'timestamp': '1705584018',\n", " 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'}}]\n" ] } ], "source": [ "# Searching using the RestSearch\n", "endpoint = '/events/restSearch'\n", "relative_path = ''\n", "\n", "body = {\n", " \"returnFormat\": \"json\",\n", " \"eventid\": 126,\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 95, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "$TTL 1w;\r\n", "@ SOA localhost. root.localhost (2024011800 2h 30m 30d 1h)\r\n", " NS localhost.\r\n", "\r\n" ] } ], "source": [ "# Searching using the RestSearch - Other return format\n", "!curl \\\n", " -d '{\"returnFormat\":\"rpz\",\"eventid\":126}' \\\n", " -H \"Authorization: AaRwZVxZqE8peVet1LGfTYMOkOfFfa7rlS5i5xfL\" \\\n", " -H \"Accept: application/json\" \\\n", " -H \"Content-type: application/json\" \\\n", " -k \\\n", " -X POST https://localhost:8443/events/restSearch 2> /dev/null" ] }, { "cell_type": "code", "execution_count": 96, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "uuid,event_id,category,type,value,comment,to_ids,date,object_relation,attribute_tag,object_uuid,object_name,object_meta_category\r\n", "\"6938d503-7d96-48b6-9a18-f8e6f95f04dd\",126,\"Network activity\",\"ip-src\",\"9.9.9.9\",\"\",1,1705581872,\"\",\"\",\"\",\"\",\"\"\r\n", "\"8153fcad-cd37-45d9-a1d1-a509942116f8\",126,\"Network activity\",\"ip-dst\",\"127.2.2.2\",\"Comment added via the API!\",0,1705583914,\"\",\"tlp:white\",\"\",\"\",\"\"\r\n", "\"1b436ea7-5fc3-485f-b059-9bfff544925f\",126,\"Payload delivery\",\"attachment\",\"test.txt\",\"\",0,1705584018,\"\",\"\",\"\",\"\",\"\"\r\n", 
"\"7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5\",126,\"Other\",\"text\",\"post\",\"\",0,1558702173,\"post\",\"\",\"838aefb1-0f6e-4967-9a99-e7414887ae9a\",\"microblog\",\"misc\"\r\n", "\r\n" ] } ], "source": [ "# Searching using the RestSearch - Other return format\n", "!curl \\\n", " -d '{\"returnFormat\":\"csv\",\"eventid\":126}' \\\n", " -H \"Authorization: AaRwZVxZqE8peVet1LGfTYMOkOfFfa7rlS5i5xfL\" \\\n", " -H \"Accept: application/json\" \\\n", " -H \"Content-type: application/json\" \\\n", " -k \\\n", " -X POST https://localhost:8443/events/restSearch 2> /dev/null" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# Searching using the RestSearch - Filtering\n", "endpoint = '/events/restSearch'\n", "relative_path = ''\n", "\n", "body = {\n", " \"returnFormat\": \"json\",\n", " \"value\": \"parsed-ail.json\"\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 97, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Count: 1\n", "----------\n", "[{'Event': {'CryptographicKey': [],\n", " 'Galaxy': [],\n", " 'Org': {'id': '2',\n", " 'local': True,\n", " 'name': 'CIRCL',\n", " 'uuid': '1646fb8f-6f23-4b51-ae80-c84d1ff8fbe0'},\n", " 'Orgc': {'id': '2',\n", " 'local': True,\n", " 'name': 'CIRCL',\n", " 'uuid': '1646fb8f-6f23-4b51-ae80-c84d1ff8fbe0'},\n", " 'RelatedEvent': [],\n", " 'analysis': '0',\n", " 'attribute_count': '2',\n", " 'date': '2023-02-08',\n", " 'disable_correlation': False,\n", " 'distribution': '0',\n", " 'event_creator_email': 'admin@admin.test',\n", " 'extends_uuid': '',\n", " 'id': '51',\n", " 'info': 'Incident 1',\n", " 'locked': False,\n", " 'org_id': '2',\n", " 'orgc_id': '2',\n", " 'proposal_email_lock': False,\n", " 'protected': None,\n", " 'publish_timestamp': '0',\n", " 'published': False,\n", " 'sharing_group_id': '0',\n", " 'threat_level_id': '1',\n", " 'timestamp': 
'1675875565',\n", " 'uuid': '65c1aa0e-4d03-4d4b-a6c0-42730a4dbdc6'}}]\n" ] } ], "source": [ "# Searching using the RestSearch\n", "endpoint = '/events/restSearch'\n", "relative_path = ''\n", "\n", "body = {\n", " \"returnFormat\": \"json\",\n", " \"org\": \"CIRCL\",\n", "# \"id\": 33,\n", " \"metadata\": 1\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# Searching using the RestSearch\n", "endpoint = '/events/restSearch'\n", "relative_path = ''\n", "\n", "body = {\n", " \"returnFormat\": \"json\",\n", " \"eventinfo\": \"%via the API%\",\n", " \"published\": 1\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Sightings" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# Creating sightings\n", "endpoint = '/sightings/add'\n", "relative_path = ''\n", "\n", "body = {\n", " \"id\": \"56143\"\n", "# \"value\": \"127.2.2.2\"\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# Searching for sighted elements\n", "endpoint = '/sightings/restSearch/event'\n", "relative_path = ''\n", "\n", "body = {\n", " \"returnFormat\": \"json\",\n", " \"id\": 33,\n", " \"includeAttribute\": 1,\n", " \"includeEvent\": 1\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Warning lists" ] }, { "cell_type": "code", "execution_count": 98, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "{'8.8.8.8': [{'id': '49',\n", " 'matched': '8.8.8.8/32',\n", " 'name': 'List of known IPv4 public DNS resolvers'}]}\n" ] } ], 
"source": [ "# Checking values against the warning lists\n", "endpoint = '/warninglists/checkValue'\n", "relative_path = ''\n", "\n", "body = [\"8.8.8.8\", \"yolo\", \"test\"]\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# Instance management" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# Creating Organisation\n", "endpoint = '/admin/organisations/add'\n", "relative_path = ''\n", "\n", "body = {\n", " \"name\": \"TEMP_ORG2\"\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# Creating Users\n", "endpoint = '/admin/users/add'\n", "relative_path = ''\n", "\n", "body = {\n", " \"email\": \"from_api2@admin.test\",\n", " \"org_id\": 1009,\n", " \"role_id\": 3,\n", " \"termsaccepted\": 1,\n", " \"change_pw\": 0, # Whether the user is prompted to change the password once logged in\n", " \"password\": \"~~UlTrA_SeCuRe_PaSsWoRd~~\"\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# Creating Sharing Groups\n", "endpoint = '/sharing_groups/add'\n", "relative_path = ''\n", "\n", "body = {\n", " \"name\": \"TEMP_SG2\",\n", " \"releasability\": \"To nobody\",\n", " \"SharingGroupOrg\": [\n", " {\n", " \"name\": \"ORGNAME\",\n", " \"extend\": 1\n", " },\n", " {\n", " \"name\": \"CIRCL\",\n", " \"extend\": 1\n", " }\n", " ]\n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": null, "metadata": { "scrolled": true }, "outputs": [], "source": [ "# Server\n", "endpoint = '/servers/add'\n", "relative_path = ''\n", "\n", "body = {\n", " \"url\": \"http://127.0.0.1:80/\",\n", 
" \"name\": \"Myself\",\n", " \"remote_org_id\": \"2\",\n", " \"authkey\": \"UHwmZCH4QdSKqPVunxTzfSes8n7ibBhUlsd0dmx9\"\n", " \n", "}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "# Server settings\n", "endpoint = '/servers/serverSettings'\n", "relative_path = ''\n", "\n", "body = {}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "code", "execution_count": 99, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "{'stats': {'attribute_count': 51848,\n", " 'attribute_count_month': 11,\n", " 'attributes_per_event': 701,\n", " 'average_user_per_org': 2.6,\n", " 'contributing_org_count': 6,\n", " 'correlation_count': 63,\n", " 'event_count': 74,\n", " 'event_count_month': 7,\n", " 'local_org_count': 7,\n", " 'org_count': 16,\n", " 'post_count': 14,\n", " 'post_count_month': 0,\n", " 'proposal_count': 1,\n", " 'thread_count': 2,\n", " 'thread_count_month': 0,\n", " 'user_count': 18,\n", " 'user_count_pgp': 0}}\n" ] } ], "source": [ "# Statistics\n", "endpoint = '/users/statistics'\n", "relative_path = ''\n", "\n", "body = {}\n", "\n", "res = misp.direct_call(endpoint + relative_path, body)\n", "print_result(res)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Not Available:\n", "- misp-module" ] } ], "metadata": { "kernelspec": { "display_name": "Python 3 (ipykernel)", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.8.10" } }, "nbformat": 4, "nbformat_minor": 2 }