MISP
/
misp-training
mirror of https://github.com/MISP/misp-training
2
0
Fork 0
Code Issues Releases Wiki Activity
misp-training/a.7-rest-API/Training - Using the API in...

2349 lines
84 KiB
Plaintext
Raw Blame History

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Notebook trainer cheatsheet: API and CLI"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"- Automation page\n",
"- Recovering the API KEY (Automation page, User page, RestClient)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Important notice\n",
"\n",
"This notebook various usage of the MISP restAPI.\n",
"\n",
"It should be noted that PyMISP is not required to use the MISP restAPI. We are using PyMISP only to parse the response and inspect the data. So any HTTP client such as curl could do the job a described below.\n",
"\n",
"This command:\n",
"```\n",
"misp_url = URL + '/events/add'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"info\": \"Event\"\n",
"}\n",
"\n",
"misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
"res = misp.direct_call(relative_path, body)\n",
"print_result(res)\n",
"```\n",
"\n",
"Will yield the same result as this command:\n",
"```\n",
"!curl \\\n",
" -d '{\"info\": \"Event\"}' \\\n",
" -H \"Authorization: ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\" \\\n",
" -H \"Accept: application/json\" \\\n",
" -H \"Content-type: application/json\" \\\n",
" -X POST 127.0.0.1:8080/events/restSearch\n",
" ```"
]
},
{
"cell_type": "code",
"execution_count": 6,
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"The version of PyMISP recommended by the MISP instance (2.4.188) is newer than the one you're using now (2.4.168). Please upgrade PyMISP.\n"
]
}
],
"source": [
"from pymisp import ExpandedPyMISP\n",
"from pprint import pprint\n",
"AUTHKEY = \"AaRwZVxZqE8peVet1LGfTYMOkOfFfa7rlS5i5xfL\"\n",
"URL = \"https://localhost:8443\"\n",
"import urllib3\n",
"urllib3.disable_warnings()\n",
"misp = ExpandedPyMISP(URL, AUTHKEY, False)\n",
"\n",
"def print_result(result):\n",
" flag_printed = False\n",
" if isinstance(result, list):\n",
" print(\"Count: %s\" % len(result))\n",
" flag_printed = True\n",
" for i in res:\n",
" if 'Event' in i and 'Attribute' in i['Event']:\n",
" print(\" - Attribute count: %s\" % len(i['Event']['Attribute']))\n",
" elif isinstance(result, dict):\n",
" if 'Attribute' in result:\n",
" print(\"Count: %s\" % len(result['Attribute']))\n",
" flag_printed = True\n",
" elif 'Event' in result and 'Attribute' in result['Event']:\n",
" print(\"Attribute count: %s\" % len(result['Event']['Attribute']))\n",
" flag_printed = True\n",
" if flag_printed:\n",
" print('----------')\n",
" pprint(result)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Events"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Creation and Edition"
]
},
{
"cell_type": "code",
"execution_count": 39,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'Event': {'Attribute': [],\n",
" 'CryptographicKey': [],\n",
" 'EventReport': [],\n",
" 'Galaxy': [],\n",
" 'Object': [],\n",
" 'Org': {'id': '1',\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'RelatedEvent': [],\n",
" 'ShadowAttribute': [],\n",
" 'analysis': '0',\n",
" 'attribute_count': '0',\n",
" 'date': '2024-01-18',\n",
" 'disable_correlation': False,\n",
" 'distribution': '0',\n",
" 'event_creator_email': 'admin@admin.test',\n",
" 'extends_uuid': '',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'locked': False,\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'proposal_email_lock': False,\n",
" 'protected': None,\n",
" 'publish_timestamp': '0',\n",
" 'published': False,\n",
" 'sharing_group_id': '0',\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1705581715',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'}}\n"
]
}
],
"source": [
"# Creation\n",
"endpoint = '/events/add'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"info\": \"Event created via the API as an example\",\n",
" \"threat_level_id\": 1,\n",
" \"distribution\": 0\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 44,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'Event': {'Attribute': [],\n",
" 'CryptographicKey': [],\n",
" 'EventReport': [],\n",
" 'Galaxy': [],\n",
" 'Object': [],\n",
" 'Org': {'id': '1',\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'RelatedEvent': [],\n",
" 'ShadowAttribute': [],\n",
" 'analysis': '0',\n",
" 'attribute_count': '0',\n",
" 'date': '2024-01-18',\n",
" 'disable_correlation': False,\n",
" 'distribution': '3',\n",
" 'event_creator_email': 'admin@admin.test',\n",
" 'extends_uuid': '',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'locked': False,\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'proposal_email_lock': False,\n",
" 'protected': None,\n",
" 'publish_timestamp': '0',\n",
" 'published': False,\n",
" 'sharing_group_id': '0',\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1705581830',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'}}\n"
]
}
],
"source": [
"# Edition 1\n",
"endpoint = '/events/edit/'\n",
"relative_path = '126'\n",
"\n",
"body = {\n",
" \"distribution\": 3,\n",
"# \"sharing_group_id\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 45,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'Event': {'Attribute': [{'Galaxy': [],\n",
" 'ShadowAttribute': [],\n",
" 'category': 'Network activity',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56142',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705581872',\n",
" 'to_ids': True,\n",
" 'type': 'ip-src',\n",
" 'uuid': '6938d503-7d96-48b6-9a18-f8e6f95f04dd',\n",
" 'value': '9.9.9.9'}],\n",
" 'CryptographicKey': [],\n",
" 'EventReport': [],\n",
" 'Galaxy': [],\n",
" 'Object': [],\n",
" 'Org': {'id': '1',\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'RelatedEvent': [{'Event': {'Org': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'analysis': '0',\n",
" 'date': '2024-01-16',\n",
" 'distribution': '3',\n",
" 'id': '122',\n",
" 'info': 'Event created via the API as '\n",
" 'an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'published': False,\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1705581786',\n",
" 'uuid': 'de96c637-2282-4fc0-9c4e-ca7db60bace1'}},\n",
" {'Event': {'Org': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'analysis': '0',\n",
" 'date': '2023-09-28',\n",
" 'distribution': '0',\n",
" 'id': '87',\n",
" 'info': 'Event created via the API as '\n",
" 'an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'published': True,\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1695907402',\n",
" 'uuid': 'a1348888-5a3e-4e18-acd5-b5015c9621ed'}}],\n",
" 'ShadowAttribute': [],\n",
" 'analysis': '0',\n",
" 'attribute_count': '1',\n",
" 'date': '2024-01-18',\n",
" 'disable_correlation': False,\n",
" 'distribution': '0',\n",
" 'event_creator_email': 'admin@admin.test',\n",
" 'extends_uuid': '',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'locked': False,\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'proposal_email_lock': False,\n",
" 'protected': None,\n",
" 'publish_timestamp': '0',\n",
" 'published': False,\n",
" 'sharing_group_id': '0',\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1705581872',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'}}\n"
]
}
],
"source": [
"# Edition 2 - Adding Attribute\n",
"endpoint = '/events/edit/'\n",
"relative_path = '126'\n",
"\n",
"body = {\n",
" \"distribution\": 0,\n",
" \"Attribute\": [\n",
" {\n",
" \"value\": \"9.9.9.9\",\n",
" \"type\": \"ip-src\"\n",
" }\n",
" ]\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 47,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'message': 'Global tag tlp:red123(400) successfully attached to Event(126).',\n",
" 'name': 'Global tag tlp:red123(400) successfully attached to Event(126).',\n",
" 'saved': True,\n",
" 'success': True,\n",
" 'url': '/tags/attachTagToObject'}\n"
]
}
],
"source": [
"# Edition 2 - tagging 1\n",
"endpoint = '/tags/attachTagToObject'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"uuid\": \"b3cc1ea2-892f-48e1-a6dc-20279818a724\", # can be anything: event or attribute\n",
" \"tag\": \"tlp:red\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Attributes"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Creation and edition"
]
},
{
"cell_type": "code",
"execution_count": 48,
"metadata": {},
"outputs": [],
"source": [
"event_id = 126"
]
},
{
"cell_type": "code",
"execution_count": 49,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Count: 19\n",
"----------\n",
"{'Attribute': {'category': 'Network activity',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56143',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705582067',\n",
" 'to_ids': True,\n",
" 'type': 'ip-dst',\n",
" 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n",
" 'value': '8.8.8.9',\n",
" 'value1': '8.8.8.9',\n",
" 'value2': ''},\n",
" 'AttributeTag': []}\n"
]
}
],
"source": [
"# Adding\n",
"endpoint = '/attributes/add/'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"value\": \"8.8.8.9\",\n",
" \"type\": \"ip-dst\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 50,
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"Something went wrong (403): {'saved': False, 'name': 'Could not add Attribute', 'message': 'Could not add Attribute', 'url': '/attributes/add', 'errors': {'value': ['Checksum has an invalid length or format (expected: 32 hexadecimal characters). Please double check the value or select type \"other\".']}}\n"
]
},
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'errors': (403,\n",
" {'errors': {'value': ['Checksum has an invalid length or format '\n",
" '(expected: 32 hexadecimal characters). '\n",
" 'Please double check the value or select '\n",
" 'type \"other\".']},\n",
" 'message': 'Could not add Attribute',\n",
" 'name': 'Could not add Attribute',\n",
" 'saved': False,\n",
" 'url': '/attributes/add'})}\n"
]
}
],
"source": [
"# Adding invalid attribute type\n",
"endpoint = '/attributes/add/'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"value\": \"8.8.8.9\",\n",
" \"type\": \"md5\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 51,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Count: 17\n",
"----------\n",
"{'Attribute': {'category': 'Network activity',\n",
" 'comment': 'Comment added via the API',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56143',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705582158',\n",
" 'to_ids': False,\n",
" 'type': 'ip-dst',\n",
" 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n",
" 'value': '127.0.0.1'}}\n"
]
}
],
"source": [
"# Editing\n",
"endpoint = '/attributes/edit/' # /attributes/edit/[attribute_id]\n",
"relative_path = '56143'\n",
"\n",
"body = {\n",
" \"value\": \"127.0.0.1\",\n",
" \"to_ids\": 0,\n",
" \"comment\": \"Comment added via the API\",\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 54,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Count: 17\n",
"----------\n",
"{'Attribute': {'category': 'Network activity',\n",
" 'comment': 'Comment added via the API',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56143',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705582332',\n",
" 'to_ids': False,\n",
" 'type': 'ip-dst',\n",
" 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n",
" 'value': '127.1.1.1'}}\n"
]
}
],
"source": [
"# Editing with data taken from JSON views. \n",
"# <!> (timestamp) contrast the difference with *PyMISP*\n",
"endpoint = '/attributes/edit/'\n",
"relative_path = '56143'\n",
"\n",
"body = {\n",
" \"id\": \"56143\",\n",
" \"type\": \"ip-dst\",\n",
" \"category\": \"Network activity\",\n",
" \"to_ids\": False,\n",
" \"uuid\": \"8153fcad-cd37-45d9-a1d1-a509942116f8\",\n",
" \"event_id\": \"126\",\n",
" \"distribution\": \"5\",\n",
" \"comment\": \"Comment added via the API\",\n",
" \"sharing_group_id\": \"0\",\n",
" \"deleted\": False,\n",
" \"disable_correlation\": False,\n",
" \"object_id\": \"0\",\n",
" \"object_relation\": None,\n",
" \"first_seen\": None,\n",
" \"last_seen\": None,\n",
" \"value\": \"127.1.1.1\",\n",
" \"Galaxy\": [],\n",
" \"ShadowAttribute\": []\n",
" }\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Objects"
]
},
{
"cell_type": "code",
"execution_count": 55,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'Object': {'Attribute': [{'category': 'Other',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56144',\n",
" 'last_seen': None,\n",
" 'object_id': '645',\n",
" 'object_relation': 'post',\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1558702173',\n",
" 'to_ids': False,\n",
" 'type': 'text',\n",
" 'uuid': '7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5',\n",
" 'value': 'post',\n",
" 'value1': 'post',\n",
" 'value2': ''}],\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'description': 'Microblog post like a Twitter tweet or a post on a '\n",
" 'Facebook wall.',\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '645',\n",
" 'last_seen': None,\n",
" 'meta-category': 'misc',\n",
" 'name': 'microblog',\n",
" 'sharing_group_id': '0',\n",
" 'template_uuid': '8ec8c911-ddbe-4f5b-895b-fbff70c42a60',\n",
" 'template_version': '5',\n",
" 'timestamp': '1558702173',\n",
" 'uuid': '838aefb1-0f6e-4967-9a99-e7414887ae9a'}}\n"
]
}
],
"source": [
"endpoint = '/objects/add/'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"name\": \"microblog\",\n",
" \"meta-category\": \"misc\",\n",
" \"description\": \"Microblog post like a Twitter tweet or a post on a Facebook wall.\",\n",
" \"template_uuid\": \"8ec8c911-ddbe-4f5b-895b-fbff70c42a60\",\n",
" \"template_version\": \"5\",\n",
" \"event_id\": event_id,\n",
" \"timestamp\": \"1558702173\",\n",
" \"distribution\": \"5\",\n",
" \"sharing_group_id\": \"0\",\n",
" \"comment\": \"\",\n",
" \"deleted\": False,\n",
" \"ObjectReference\": [],\n",
" \"Attribute\": [\n",
" {\n",
" \"type\": \"text\",\n",
" \"category\": \"Other\",\n",
" \"to_ids\": False,\n",
" \"event_id\": event_id,\n",
" \"distribution\": \"5\",\n",
" \"timestamp\": \"1558702173\",\n",
" \"comment\": \"\",\n",
" \"sharing_group_id\": \"0\",\n",
" \"deleted\": False,\n",
" \"disable_correlation\": False,\n",
" \"object_relation\": \"post\",\n",
" \"value\": \"post\",\n",
" \"Galaxy\": [],\n",
" \"ShadowAttribute\": []\n",
" }\n",
" ]\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 7,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'Event': {'Org': {'id': '1', 'name': 'ORGNAME'},\n",
" 'Orgc': {'id': '1', 'name': 'ORGNAME'},\n",
" 'date': '2023-12-11',\n",
" 'id': '119',\n",
" 'info': 'testtest',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'user_id': '6'},\n",
" 'EventReport': {'content': 'Body',\n",
" 'deleted': False,\n",
" 'distribution': '5',\n",
" 'event_id': '119',\n",
" 'id': '52',\n",
" 'name': 'Report from API',\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1712818726',\n",
" 'uuid': '9b6a2be2-127a-4c61-875b-a9eeba3b1139'},\n",
" 'SharingGroup': {'id': None, 'name': None, 'uuid': None}}\n"
]
}
],
"source": [
"# Edition 2 - tagging 2\n",
"endpoint = '/events/edit/'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"distribution\": 0,\n",
" \"Tag\": [\n",
" {\"name\":\"tlp:green\"}\n",
" ]\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Event reports"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"endpoint = '/eventReports/add/'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"name\": \"Report from API\",\n",
" \"distribution\": 5,\n",
" \"sharing_group_id\": 0,\n",
" \"content\": \"Body\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"event_report_id = res['EventReport']['id']\n",
"\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Download HTML, convert it into markdown then save it as Event Report.\n",
"endpoint = '/eventReports/importReportFromUrl/'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"url\": \"https://domain.example/blogpost/123.pdf\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 20,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'report': {'Event': {'Org': {'id': '1', 'name': 'ORGNAME'},\n",
" 'Orgc': {'id': '1', 'name': 'ORGNAME'},\n",
" 'date': '2023-12-11',\n",
" 'id': '119',\n",
" 'info': 'testtest',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'user_id': '6'},\n",
" 'EventReport': {'content': 'Body @[tag](tlp:red) '\n",
" '@[attribute](bffa5ba8-7040-4f38-979f-7386f5a3a251)',\n",
" 'deleted': False,\n",
" 'distribution': '5',\n",
" 'event_id': '119',\n",
" 'id': '50',\n",
" 'name': 'Report from API',\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1712821134',\n",
" 'uuid': '972d3aeb-a60e-4bab-9db9-a76ef0551188'},\n",
" 'SharingGroup': {'id': None, 'name': None, 'uuid': None}}}\n"
]
}
],
"source": [
" # Extract all entities, tag Event with tag found\n",
"endpoint = '/eventReports/extractAllFromReport/'\n",
"relative_path = str(50)\n",
"\n",
"body = {\n",
" \"tag_event\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Analyst Data"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Analyst Note"
]
},
{
"cell_type": "code",
"execution_count": 22,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'Note': {'Org': {'contacts': '',\n",
" 'created_by': '0',\n",
" 'date_created': '2021-09-30 13:28:31',\n",
" 'date_modified': '2023-09-07 07:40:54',\n",
" 'description': 'Automatically generated admin organisation',\n",
" 'id': '1',\n",
" 'landingpage': None,\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'nationality': 'Belgium',\n",
" 'restricted_to_domain': [],\n",
" 'sector': '',\n",
" 'type': 'ADMIN',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'contacts': '',\n",
" 'created_by': '0',\n",
" 'date_created': '2021-09-30 13:28:31',\n",
" 'date_modified': '2023-09-07 07:40:54',\n",
" 'description': 'Automatically generated admin organisation',\n",
" 'id': '1',\n",
" 'landingpage': None,\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'nationality': 'Belgium',\n",
" 'restricted_to_domain': [],\n",
" 'sector': '',\n",
" 'type': 'ADMIN',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" '_canEdit': True,\n",
" 'authors': 'john.doe@admin.test',\n",
" 'created': '2024-04-11 07:54:06',\n",
" 'distribution': '1',\n",
" 'id': '80',\n",
" 'language': 'fr-BE',\n",
" 'locked': False,\n",
" 'modified': '2024-04-11 07:54:06',\n",
" 'note': 'Ceci est une note',\n",
" 'note_type': 0,\n",
" 'note_type_name': 'Note',\n",
" 'object_type': 'Event50',\n",
" 'object_uuid': '03cbbd87-9081-4ea9-94e2-431939fa85dc',\n",
" 'org_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n",
" 'orgc_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n",
" 'sharing_group_id': None,\n",
" 'uuid': 'b6362eab-b232-4d7b-867f-52c6971a743b'}}\n"
]
}
],
"source": [
"analystType = 'Note'\n",
"objectUUID = '03cbbd87-9081-4ea9-94e2-431939fa85dc'\n",
"# objectType[Enum]: \"Attribute\" \"Event\" \"EventReport\" \"GalaxyCluster\" \"Galaxy\"\n",
"# \"Object\" \"Note\" \"Opinion\" \"Relationship\" \"Organisation\" \"SharingGroup\"\n",
"objectType = 'Event'\n",
"endpoint = f'/analystData/add/{analystType}/{objectUUID}/{objectType}'\n",
"\n",
"body = {\n",
" \"note\": \"Ceci est une note\",\n",
" \"language\": \"fr-BE\",\n",
" \"authors\": \"john.doe@admin.test\",\n",
" \"distribution\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Analyst Opinion"
]
},
{
"cell_type": "code",
"execution_count": 23,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'Opinion': {'Org': {'contacts': '',\n",
" 'created_by': '0',\n",
" 'date_created': '2021-09-30 13:28:31',\n",
" 'date_modified': '2023-09-07 07:40:54',\n",
" 'description': 'Automatically generated admin '\n",
" 'organisation',\n",
" 'id': '1',\n",
" 'landingpage': None,\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'nationality': 'Belgium',\n",
" 'restricted_to_domain': [],\n",
" 'sector': '',\n",
" 'type': 'ADMIN',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'contacts': '',\n",
" 'created_by': '0',\n",
" 'date_created': '2021-09-30 13:28:31',\n",
" 'date_modified': '2023-09-07 07:40:54',\n",
" 'description': 'Automatically generated admin '\n",
" 'organisation',\n",
" 'id': '1',\n",
" 'landingpage': None,\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'nationality': 'Belgium',\n",
" 'restricted_to_domain': [],\n",
" 'sector': '',\n",
" 'type': 'ADMIN',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" '_canEdit': True,\n",
" 'authors': 'john.doe@admin.test',\n",
" 'comment': 'This is an opinion',\n",
" 'created': '2024-04-11 07:54:12',\n",
" 'distribution': '1',\n",
" 'id': '64',\n",
" 'locked': False,\n",
" 'modified': '2024-04-11 07:54:12',\n",
" 'note_type': 1,\n",
" 'note_type_name': 'Opinion',\n",
" 'object_type': 'Event50',\n",
" 'object_uuid': '03cbbd87-9081-4ea9-94e2-431939fa85dc',\n",
" 'opinion': '75',\n",
" 'org_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n",
" 'orgc_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n",
" 'sharing_group_id': None,\n",
" 'uuid': 'eea00f1d-71aa-4763-9489-bd137cae2a57'}}\n"
]
}
],
"source": [
"analystType = 'Opinion'\n",
"objectUUID = '03cbbd87-9081-4ea9-94e2-431939fa85dc'\n",
"# objectType[Enum]: \"Attribute\" \"Event\" \"EventReport\" \"GalaxyCluster\" \"Galaxy\"\n",
"# \"Object\" \"Note\" \"Opinion\" \"Relationship\" \"Organisation\" \"SharingGroup\"\n",
"objectType = 'Event'\n",
"endpoint = f'/analystData/add/{analystType}/{objectUUID}/{objectType}'\n",
"\n",
"body = {\n",
" \"opinion\": 75,\n",
" \"comment\": \"This is an opinion\",\n",
" \"authors\": \"john.doe@admin.test\",\n",
" \"distribution\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Searches"
]
},
{
"cell_type": "code",
"execution_count": 61,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Count: 2\n",
"----------\n",
"[{'EventTag': [{'Tag': {'colour': '#33FF00',\n",
" 'id': '79',\n",
" 'is_galaxy': False,\n",
" 'name': 'tlp:green'},\n",
" 'event_id': '87',\n",
" 'id': '483',\n",
" 'local': False,\n",
" 'relationship_type': '',\n",
" 'tag_id': '79'}],\n",
" 'Org': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'analysis': '0',\n",
" 'attribute_count': '5',\n",
" 'date': '2023-09-28',\n",
" 'disable_correlation': False,\n",
" 'distribution': '0',\n",
" 'extends_uuid': '',\n",
" 'id': '87',\n",
" 'info': 'Event created via the API as an example',\n",
" 'locked': False,\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'proposal_email_lock': False,\n",
" 'protected': None,\n",
" 'publish_timestamp': '1695907664',\n",
" 'published': True,\n",
" 'sharing_group_id': '0',\n",
" 'sighting_timestamp': '0',\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1695907402',\n",
" 'uuid': 'a1348888-5a3e-4e18-acd5-b5015c9621ed'},\n",
" {'EventTag': [{'Tag': {'colour': '#FFC000',\n",
" 'id': '81',\n",
" 'is_galaxy': False,\n",
" 'name': 'tlp:amber'},\n",
" 'event_id': '122',\n",
" 'id': '592',\n",
" 'local': False,\n",
" 'relationship_type': '',\n",
" 'tag_id': '81'}],\n",
" 'Org': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'analysis': '0',\n",
" 'attribute_count': '4',\n",
" 'date': '2024-01-16',\n",
" 'disable_correlation': False,\n",
" 'distribution': '3',\n",
" 'extends_uuid': '',\n",
" 'id': '122',\n",
" 'info': 'Event created via the API as an example',\n",
" 'locked': False,\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'proposal_email_lock': False,\n",
" 'protected': None,\n",
" 'publish_timestamp': '1705411595',\n",
" 'published': False,\n",
" 'sharing_group_id': '0',\n",
" 'sighting_timestamp': '0',\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1705581786',\n",
" 'uuid': 'de96c637-2282-4fc0-9c4e-ca7db60bace1'}]\n"
]
}
],
"source": [
"# Searching the Event index (Move it to the search topic)\n",
"endpoint = '/events/index'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"eventinfo\": \"api\",\n",
" \"publish_timestamp\": \"2023-09-06\",\n",
" \"org\": \"ORGNAME\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 63,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Event number: 0\n",
"Count: 0\n",
"----------\n",
"[]\n"
]
}
],
"source": [
"# Searching the Event index\n",
"misp_url = '/events/index'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
"# \"hasproposal\": 1,\n",
" \"tag\": [\"tlp:amber\"]\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"\n",
"print('Event number: %s' % len(res))\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## RestSearch\n",
"**Aka: Most powerful search tool in MISP**"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### RestSearch - Attributes"
]
},
{
"cell_type": "code",
"execution_count": 64,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Count: 3\n",
"----------\n",
"{'Attribute': [{'Event': {'distribution': '0',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n",
" 'category': 'Network activity',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56142',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705581872',\n",
" 'to_ids': True,\n",
" 'type': 'ip-src',\n",
" 'uuid': '6938d503-7d96-48b6-9a18-f8e6f95f04dd',\n",
" 'value': '9.9.9.9'},\n",
" {'Event': {'distribution': '0',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n",
" 'category': 'Network activity',\n",
" 'comment': 'Comment added via the API',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56143',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705582453',\n",
" 'to_ids': False,\n",
" 'type': 'ip-dst',\n",
" 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n",
" 'value': '127.2.2.2'},\n",
" {'Event': {'distribution': '0',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n",
" 'Object': {'distribution': '5',\n",
" 'id': '645',\n",
" 'sharing_group_id': '0'},\n",
" 'category': 'Other',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56144',\n",
" 'last_seen': None,\n",
" 'object_id': '645',\n",
" 'object_relation': 'post',\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1558702173',\n",
" 'to_ids': False,\n",
" 'type': 'text',\n",
" 'uuid': '7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5',\n",
" 'value': 'post'}]}\n"
]
}
],
"source": [
"endpoint = '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 69,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Count: 1\n",
"----------\n",
"{'Attribute': [{'Event': {'distribution': '0',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n",
" 'Object': {'distribution': '5',\n",
" 'id': '645',\n",
" 'sharing_group_id': '0'},\n",
" 'category': 'Other',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56144',\n",
" 'last_seen': None,\n",
" 'object_id': '645',\n",
" 'object_relation': 'post',\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1558702173',\n",
" 'to_ids': False,\n",
" 'type': 'text',\n",
" 'uuid': '7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5',\n",
" 'value': 'post'}]}\n"
]
}
],
"source": [
"# Searches on Attribute's data\n",
"misp_url = '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
" \"type\": \"ip-dst\",\n",
"# \"value\": \"127.0.%\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 71,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Count: 0\n",
"----------\n",
"{'Attribute': []}\n"
]
}
],
"source": [
"# Searches on Attribute's data\n",
"endpoint = '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
" \"deleted\": [0, 1] # Consider both deleted AND not deleted\n",
"}\n",
"\n",
"# [] == {\"OR\": []}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 77,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Count: 3\n",
"----------\n",
"{'Attribute': [{'Event': {'distribution': '0',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n",
" 'Tag': [{'colour': '#FF2B2B',\n",
" 'id': '16',\n",
" 'inherited': 1,\n",
" 'name': 'tlp:red',\n",
" 'numerical_value': None}],\n",
" 'category': 'Network activity',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56142',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705581872',\n",
" 'to_ids': True,\n",
" 'type': 'ip-src',\n",
" 'uuid': '6938d503-7d96-48b6-9a18-f8e6f95f04dd',\n",
" 'value': '9.9.9.9'},\n",
" {'Event': {'distribution': '0',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n",
" 'Tag': [{'colour': '#ffffff',\n",
" 'id': '6',\n",
" 'is_galaxy': False,\n",
" 'local': False,\n",
" 'name': 'tlp:white',\n",
" 'numerical_value': None},\n",
" {'colour': '#FF2B2B',\n",
" 'id': '16',\n",
" 'inherited': 1,\n",
" 'name': 'tlp:red',\n",
" 'numerical_value': None}],\n",
" 'category': 'Network activity',\n",
" 'comment': 'Comment added via the API',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56143',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705583213',\n",
" 'to_ids': False,\n",
" 'type': 'ip-dst',\n",
" 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n",
" 'value': '127.2.2.2'},\n",
" {'Event': {'distribution': '0',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n",
" 'Object': {'distribution': '5',\n",
" 'id': '645',\n",
" 'sharing_group_id': '0'},\n",
" 'Tag': [{'colour': '#FF2B2B',\n",
" 'id': '16',\n",
" 'inherited': 1,\n",
" 'name': 'tlp:red',\n",
" 'numerical_value': None}],\n",
" 'category': 'Other',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56144',\n",
" 'last_seen': None,\n",
" 'object_id': '645',\n",
" 'object_relation': 'post',\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1558702173',\n",
" 'to_ids': False,\n",
" 'type': 'text',\n",
" 'uuid': '7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5',\n",
" 'value': 'post'}]}\n"
]
}
],
"source": [
"# Searches on Attribute's data\n",
"endpoint = '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
" \"tags\": \"tlp:white\",\n",
"# \"tags\": [\"tlp:white\", \"tlp:green\"]\n",
"# \"tags\": [\"!tlp:green\"]\n",
"# \"tags\": \"tlp:%\",\n",
"# \"includeEventTags\": 1\n",
"# BRAND NEW (only tag)! Prefered way (Most accurate): Distinction between OR and AND!\n",
"# \"tags\": {\"AND\": [\"tlp:green\", \"Malware\"], \"NOT\": [\"%ransomware%\"]}\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 83,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Count: 0\n",
"----------\n",
"{'Attribute': []}\n"
]
}
],
"source": [
"# Paginating\n",
"endpoint = '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
"# \"page\": 0,\n",
"# \"limit\": 10000\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searches based on time: Absolute\n",
"endpoint = '/attributes/restSearch/'\n",
"relative_path = ''\n",
"event_id = 13\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
" \"from\": \"2019/05/21\" # or \"2019-05-21\"\n",
" # from and to NOT REALLY USEFULL.. \n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 86,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Count: 0\n",
"----------\n",
"{'Attribute': []}\n"
]
}
],
"source": [
"# Searches based on time: Relative\n",
"endpoint = '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"# /!\\ Last: works on the publish_timestamp -> may be confusing\n",
"# Units: days, hours, minutes and secondes\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
"# \"to_ids\": 1,\n",
" \"publish_timestamp\": \"2019-08-28\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Precision regarding the different timestamps\n",
"- ``publish_timestamp`` = Time at which the event was published\n",
" - Usage: get data that arrived in my system since x\n",
" - E.g.: New data from a feed\n",
"- ``timestamp`` = Time of the last modification on the data\n",
" - data was modified in the last x hours\n",
" - E.g.: Last updated data from a feed\n",
"- ``event_timestamp``: Used in the Attribute scope\n",
" - Event modified in the last x hours"
]
},
{
"cell_type": "code",
"execution_count": 89,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Count: 1\n",
"----------\n",
"{'Attribute': [{'Event': {'distribution': '0',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n",
" 'category': 'Payload delivery',\n",
" 'comment': '',\n",
" 'data': 'dGVzdAo=',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56145',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705584018',\n",
" 'to_ids': False,\n",
" 'type': 'attachment',\n",
" 'uuid': '1b436ea7-5fc3-485f-b059-9bfff544925f',\n",
" 'value': 'test.txt'}]}\n"
]
}
],
"source": [
"# Searches with attachments\n",
"endpoint = '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
" \"type\": \"attachment\",\n",
" \"withAttachments\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 93,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Count: 1\n",
"----------\n",
"{'Attribute': [{'Event': {'distribution': '0',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'},\n",
" 'Tag': [{'colour': '#ffffff',\n",
" 'id': '6',\n",
" 'is_galaxy': False,\n",
" 'local': False,\n",
" 'name': 'tlp:white',\n",
" 'numerical_value': None}],\n",
" 'category': 'Network activity',\n",
" 'comment': 'Comment added via the API!',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56143',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705583914',\n",
" 'to_ids': False,\n",
" 'type': 'ip-dst',\n",
" 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n",
" 'value': '127.2.2.2'}]}\n"
]
}
],
"source": [
"# Searches - Others\n",
"endpoint = '/attributes/restSearch/'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": event_id,\n",
" \"type\": [\"ip-src\", \"ip-dst\"],\n",
" \"enforceWarninglist\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### RestSearch - Events"
]
},
{
"cell_type": "code",
"execution_count": 94,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Count: 1\n",
" - Attribute count: 3\n",
"----------\n",
"[{'Event': {'Attribute': [{'Galaxy': [],\n",
" 'ShadowAttribute': [],\n",
" 'category': 'Network activity',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56142',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705581872',\n",
" 'to_ids': True,\n",
" 'type': 'ip-src',\n",
" 'uuid': '6938d503-7d96-48b6-9a18-f8e6f95f04dd',\n",
" 'value': '9.9.9.9'},\n",
" {'Galaxy': [],\n",
" 'ShadowAttribute': [],\n",
" 'Tag': [{'colour': '#ffffff',\n",
" 'exportable': True,\n",
" 'hide_tag': False,\n",
" 'id': '6',\n",
" 'is_custom_galaxy': False,\n",
" 'is_galaxy': False,\n",
" 'local': 0,\n",
" 'local_only': False,\n",
" 'name': 'tlp:white',\n",
" 'numerical_value': None,\n",
" 'relationship_type': None,\n",
" 'user_id': '0'}],\n",
" 'category': 'Network activity',\n",
" 'comment': 'Comment added via the API!',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56143',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705583914',\n",
" 'to_ids': False,\n",
" 'type': 'ip-dst',\n",
" 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n",
" 'value': '127.2.2.2'},\n",
" {'Galaxy': [],\n",
" 'ShadowAttribute': [],\n",
" 'category': 'Payload delivery',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56145',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705584018',\n",
" 'to_ids': False,\n",
" 'type': 'attachment',\n",
" 'uuid': '1b436ea7-5fc3-485f-b059-9bfff544925f',\n",
" 'value': 'test.txt'}],\n",
" 'CryptographicKey': [],\n",
" 'EventReport': [],\n",
" 'Galaxy': [],\n",
" 'Object': [{'Attribute': [{'Galaxy': [],\n",
" 'ShadowAttribute': [],\n",
" 'category': 'Other',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56144',\n",
" 'last_seen': None,\n",
" 'object_id': '645',\n",
" 'object_relation': 'post',\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1558702173',\n",
" 'to_ids': False,\n",
" 'type': 'text',\n",
" 'uuid': '7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5',\n",
" 'value': 'post'}],\n",
" 'ObjectReference': [],\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'description': 'Microblog post like a Twitter tweet or '\n",
" 'a post on a Facebook wall.',\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '645',\n",
" 'last_seen': None,\n",
" 'meta-category': 'misc',\n",
" 'name': 'microblog',\n",
" 'sharing_group_id': '0',\n",
" 'template_uuid': '8ec8c911-ddbe-4f5b-895b-fbff70c42a60',\n",
" 'template_version': '5',\n",
" 'timestamp': '1558702173',\n",
" 'uuid': '838aefb1-0f6e-4967-9a99-e7414887ae9a'}],\n",
" 'Org': {'id': '1',\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'RelatedEvent': [{'Event': {'Org': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'analysis': '0',\n",
" 'date': '2024-01-16',\n",
" 'distribution': '3',\n",
" 'id': '122',\n",
" 'info': 'Event created via the API as '\n",
" 'an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'published': False,\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1705581786',\n",
" 'uuid': 'de96c637-2282-4fc0-9c4e-ca7db60bace1'}},\n",
" {'Event': {'Org': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'analysis': '0',\n",
" 'date': '2023-09-28',\n",
" 'distribution': '0',\n",
" 'id': '87',\n",
" 'info': 'Event created via the API as '\n",
" 'an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'published': True,\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1695907402',\n",
" 'uuid': 'a1348888-5a3e-4e18-acd5-b5015c9621ed'}}],\n",
" 'ShadowAttribute': [],\n",
" 'Tag': [{'colour': '#FF2B2B',\n",
" 'exportable': True,\n",
" 'hide_tag': False,\n",
" 'id': '16',\n",
" 'is_custom_galaxy': False,\n",
" 'is_galaxy': False,\n",
" 'local': 0,\n",
" 'local_only': False,\n",
" 'name': 'tlp:red',\n",
" 'numerical_value': None,\n",
" 'relationship_type': None,\n",
" 'user_id': '0'},\n",
" {'colour': '#326300',\n",
" 'exportable': True,\n",
" 'hide_tag': False,\n",
" 'id': '29',\n",
" 'is_custom_galaxy': False,\n",
" 'is_galaxy': False,\n",
" 'local': 0,\n",
" 'local_only': False,\n",
" 'name': 'circl:incident-classification=\"phishing\"',\n",
" 'numerical_value': None,\n",
" 'relationship_type': None,\n",
" 'user_id': '0'}],\n",
" 'analysis': '0',\n",
" 'attribute_count': '4',\n",
" 'date': '2024-01-18',\n",
" 'disable_correlation': False,\n",
" 'distribution': '0',\n",
" 'event_creator_email': 'admin@admin.test',\n",
" 'extends_uuid': '',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'locked': False,\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'proposal_email_lock': False,\n",
" 'protected': None,\n",
" 'publish_timestamp': '1705583856',\n",
" 'published': False,\n",
" 'sharing_group_id': '0',\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1705584018',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'}}]\n"
]
}
],
"source": [
"# Searching using the RestSearch\n",
"endpoint = '/events/restSearch'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventid\": 126,\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 95,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"$TTL 1w;\r\n",
"@ SOA localhost. root.localhost (2024011800 2h 30m 30d 1h)\r\n",
" NS localhost.\r\n",
"\r\n"
]
}
],
"source": [
"# Searching using the RestSearch - Other return format\n",
"!curl \\\n",
" -d '{\"returnFormat\":\"rpz\",\"eventid\":126}' \\\n",
" -H \"Authorization: AaRwZVxZqE8peVet1LGfTYMOkOfFfa7rlS5i5xfL\" \\\n",
" -H \"Accept: application/json\" \\\n",
" -H \"Content-type: application/json\" \\\n",
" -k \\\n",
" -X POST https://localhost:8443/events/restSearch 2> /dev/null"
]
},
{
"cell_type": "code",
"execution_count": 96,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"uuid,event_id,category,type,value,comment,to_ids,date,object_relation,attribute_tag,object_uuid,object_name,object_meta_category\r\n",
"\"6938d503-7d96-48b6-9a18-f8e6f95f04dd\",126,\"Network activity\",\"ip-src\",\"9.9.9.9\",\"\",1,1705581872,\"\",\"\",\"\",\"\",\"\"\r\n",
"\"8153fcad-cd37-45d9-a1d1-a509942116f8\",126,\"Network activity\",\"ip-dst\",\"127.2.2.2\",\"Comment added via the API!\",0,1705583914,\"\",\"tlp:white\",\"\",\"\",\"\"\r\n",
"\"1b436ea7-5fc3-485f-b059-9bfff544925f\",126,\"Payload delivery\",\"attachment\",\"test.txt\",\"\",0,1705584018,\"\",\"\",\"\",\"\",\"\"\r\n",
"\"7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5\",126,\"Other\",\"text\",\"post\",\"\",0,1558702173,\"post\",\"\",\"838aefb1-0f6e-4967-9a99-e7414887ae9a\",\"microblog\",\"misc\"\r\n",
"\r\n"
]
}
],
"source": [
"# Searching using the RestSearch - Other return format\n",
"!curl \\\n",
" -d '{\"returnFormat\":\"csv\",\"eventid\":126}' \\\n",
" -H \"Authorization: AaRwZVxZqE8peVet1LGfTYMOkOfFfa7rlS5i5xfL\" \\\n",
" -H \"Accept: application/json\" \\\n",
" -H \"Content-type: application/json\" \\\n",
" -k \\\n",
" -X POST https://localhost:8443/events/restSearch 2> /dev/null"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searching using the RestSearch - Filtering\n",
"endpoint = '/events/restSearch'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"value\": \"parsed-ail.json\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 97,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Count: 1\n",
"----------\n",
"[{'Event': {'CryptographicKey': [],\n",
" 'Galaxy': [],\n",
" 'Org': {'id': '2',\n",
" 'local': True,\n",
" 'name': 'CIRCL',\n",
" 'uuid': '1646fb8f-6f23-4b51-ae80-c84d1ff8fbe0'},\n",
" 'Orgc': {'id': '2',\n",
" 'local': True,\n",
" 'name': 'CIRCL',\n",
" 'uuid': '1646fb8f-6f23-4b51-ae80-c84d1ff8fbe0'},\n",
" 'RelatedEvent': [],\n",
" 'analysis': '0',\n",
" 'attribute_count': '2',\n",
" 'date': '2023-02-08',\n",
" 'disable_correlation': False,\n",
" 'distribution': '0',\n",
" 'event_creator_email': 'admin@admin.test',\n",
" 'extends_uuid': '',\n",
" 'id': '51',\n",
" 'info': 'Incident 1',\n",
" 'locked': False,\n",
" 'org_id': '2',\n",
" 'orgc_id': '2',\n",
" 'proposal_email_lock': False,\n",
" 'protected': None,\n",
" 'publish_timestamp': '0',\n",
" 'published': False,\n",
" 'sharing_group_id': '0',\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1675875565',\n",
" 'uuid': '65c1aa0e-4d03-4d4b-a6c0-42730a4dbdc6'}}]\n"
]
}
],
"source": [
"# Searching using the RestSearch\n",
"endpoint = '/events/restSearch'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"org\": \"CIRCL\",\n",
"# \"id\": 33,\n",
" \"metadata\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searching using the RestSearch\n",
"endpoint = '/events/restSearch'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"eventinfo\": \"%via the API%\",\n",
" \"published\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Sightings"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Creating sightings\n",
"endpoint = '/sightings/add'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"id\": \"56143\"\n",
"# \"value\": \"127.2.2.2\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Searching for sighted elements\n",
"endpoint = '/sightings/restSearch/event'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"returnFormat\": \"json\",\n",
" \"id\": 33,\n",
" \"includeAttribute\": 1,\n",
" \"includeEvent\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Warning lists"
]
},
{
"cell_type": "code",
"execution_count": 98,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'8.8.8.8': [{'id': '49',\n",
" 'matched': '8.8.8.8/32',\n",
" 'name': 'List of known IPv4 public DNS resolvers'}]}\n"
]
}
],
"source": [
"# Checking values against the warining list\n",
"endpoint = '/warninglists/checkValue'\n",
"relative_path = ''\n",
"\n",
"body = [\"8.8.8.8\", \"yolo\", \"test\"]\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Instance management"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Creating Organisation\n",
"endpoint = '/admin/organisations/add'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"name\": \"TEMP_ORG2\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Creating Users\n",
"endpoint = '/admin/users/add'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"email\": \"from_api2@admin.test\",\n",
" \"org_id\": 1009,\n",
" \"role_id\": 3,\n",
" \"termsaccepted\": 1,\n",
" \"change_pw\": 0, # User prompted to change the psswd once logged in\n",
" \"password\": \"~~UlTrA_SeCuRe_PaSsWoRd~~\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Creating Sharing Groups\n",
"endpoint = '/sharing_groups/add'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"name\": \"TEMP_SG2\",\n",
" \"releasability\": \"To nobody\",\n",
" \"SharingGroupOrg\": [\n",
" {\n",
" \"name\": \"ORGNAME\",\n",
" \"extend\": 1\n",
" },\n",
" {\n",
" \"name\": \"CIRCL\",\n",
" \"extend\": 1\n",
" }\n",
" ]\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"scrolled": true
},
"outputs": [],
"source": [
"# Server\n",
"endpoint = '/servers/add'\n",
"relative_path = ''\n",
"\n",
"body = {\n",
" \"url\": \"http://127.0.0.1:80/\",\n",
" \"name\": \"Myself\",\n",
" \"remote_org_id\": \"2\",\n",
" \"authkey\": \"UHwmZCH4QdSKqPVunxTzfSes8n7ibBhUlsd0dmx9\"\n",
" \n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Server settings\n",
"endpoint = '/servers/serverSettings'\n",
"relative_path = ''\n",
"\n",
"body = {}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 99,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'stats': {'attribute_count': 51848,\n",
" 'attribute_count_month': 11,\n",
" 'attributes_per_event': 701,\n",
" 'average_user_per_org': 2.6,\n",
" 'contributing_org_count': 6,\n",
" 'correlation_count': 63,\n",
" 'event_count': 74,\n",
" 'event_count_month': 7,\n",
" 'local_org_count': 7,\n",
" 'org_count': 16,\n",
" 'post_count': 14,\n",
" 'post_count_month': 0,\n",
" 'proposal_count': 1,\n",
" 'thread_count': 2,\n",
" 'thread_count_month': 0,\n",
" 'user_count': 18,\n",
" 'user_count_pgp': 0}}\n"
]
}
],
"source": [
"# Statistics\n",
"endpoint = '/users/statistics'\n",
"relative_path = ''\n",
"\n",
"body = {}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"Not Available:\n",
"- misp-module"
]
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3 (ipykernel)",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.12.4"
}
},
"nbformat": 4,
"nbformat_minor": 4
}
Reference in New Issue View Git Blame Copy Permalink