mirror of https://github.com/MISP/misp-training
				
				
				
			
		
			
				
	
	
		
			1010 lines
		
	
	
		
			25 KiB
		
	
	
	
		
			Plaintext
		
	
	
			
		
		
	
	
			1010 lines
		
	
	
		
			25 KiB
		
	
	
	
		
			Plaintext
		
	
	
| {
 | |
|  "cells": [
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "# Notebook trainer cheatsheet: API and CLI"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "- Automation page\n",
 | |
|     "- Recovering the API KEY (Automation page, User page, RestClient)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "## Important notice\n",
 | |
|     "\n",
 | |
|     "This notebook various usage of the MISP restAPI.\n",
 | |
|     "\n",
 | |
|     "It should be noted that PyMISP is not required to use the MISP restAPI. We are using PyMISP only to parse the response and inspect the data. So any HTTP client such as curl could do the job a described below.\n",
 | |
|     "\n",
 | |
|     "This command:\n",
 | |
|     "```\n",
 | |
|     "misp_url = URL + '/events/add'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"info\": \"Event\"\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "misp = ExpandedPyMISP(misp_url, AUTHKEY, False)\n",
 | |
|     "res = misp.direct_call(relative_path, body)\n",
 | |
|     "print_result(res)\n",
 | |
|     "```\n",
 | |
|     "\n",
 | |
|     "Will yield the same result as this command:\n",
 | |
|     "```\n",
 | |
|     "!curl \\\n",
 | |
|     " -d '{\"info\": \"Event\"}' \\\n",
 | |
|     " -H \"Authorization: ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\" \\\n",
 | |
|     " -H \"Accept: application/json\" \\\n",
 | |
|     " -H \"Content-type: application/json\" \\\n",
 | |
|     " -X POST 127.0.0.1:8080/events/restSearch\n",
 | |
|     " ```"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "from pymisp import ExpandedPyMISP\n",
 | |
|     "from pprint import pprint\n",
 | |
|     "AUTHKEY = \"AY6Qur7V1kyQ1BTefWiiTx7B6KM7ABln1UVpfDKB\"\n",
 | |
|     "URL = \"https://localhost:8443\"\n",
 | |
|     "misp = ExpandedPyMISP(URL, AUTHKEY, False)\n",
 | |
|     "\n",
 | |
|     "def print_result(result):\n",
 | |
|     "    flag_printed = False\n",
 | |
|     "    if isinstance(result, list):\n",
 | |
|     "        print(\"Count: %s\" % len(result))\n",
 | |
|     "        flag_printed = True\n",
 | |
|     "        for i in res:\n",
 | |
|     "            if 'Event' in i and 'Attribute' in i['Event']:\n",
 | |
|     "                print(\"  - Attribute count: %s\" % len(i['Event']['Attribute']))\n",
 | |
|     "    elif isinstance(result, dict):\n",
 | |
|     "        if 'Attribute' in result:\n",
 | |
|     "            print(\"Count: %s\" % len(result['Attribute']))\n",
 | |
|     "            flag_printed = True\n",
 | |
|     "        elif 'Event' in result and 'Attribute' in result['Event']['Attribute']:\n",
 | |
|     "            print(\"Attribute count: %s\" % len(result['Event']['Attribute']))\n",
 | |
|     "            flag_printed = True\n",
 | |
|     "    if flag_printed:\n",
 | |
|     "        print('----------')\n",
 | |
|     "    pprint(result)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "# Events"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "## Creation and Edition"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Creation\n",
 | |
|     "endpoint = '/events/add'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"info\": \"Event created via the API as an example\",\n",
 | |
|     "    \"threat_level_id\": 1,\n",
 | |
|     "    \"distribution\": 0\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Edition 1\n",
 | |
|     "endpoint = '/events/edit/'\n",
 | |
|     "relative_path = '21'\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"distribution\": 3\n",
 | |
|     "#     \"sharing_group_id\": 1\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Edition 2 - Adding Attribute\n",
 | |
|     "endpoint = '/events/edit/'\n",
 | |
|     "relative_path = '18'\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"distribution\": 0,\n",
 | |
|     "    \"Attribute\": [\n",
 | |
|     "        {\n",
 | |
|     "            \"value\": \"9.9.9.9\",\n",
 | |
|     "            \"type\": \"ip-src\"\n",
 | |
|     "        }\n",
 | |
|     "    ]\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Edition 2 - tagging - The bad way (Fetch the whole event and re-process everything)\n",
 | |
|     "endpoint = '/events/edit/'\n",
 | |
|     "relative_path = '29'\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"distribution\": 0,\n",
 | |
|     "    \"EventTag\": {\n",
 | |
|     "        \"Tag\": [\n",
 | |
|     "            {\"name\":\"tlp:red\"}\n",
 | |
|     "        ]\n",
 | |
|     "    }\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Edition 2 - tagging - The better way\n",
 | |
|     "endpoint = '/tags/attachTagToObject'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"uuid\": \"5d6f857e-698c-4ea0-834a-6db1cfc4a0a0\", # can be anything: event or attribute\n",
 | |
|     "    \"tag\": \"tlp:green\"\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searching the Event index (Move it to the search topic)\n",
 | |
|     "endpoint = '/events/index'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "#     \"eventinfo\": \"api\",\n",
 | |
|     "    \"publish_timestamp\": \"2019-05-21\",\n",
 | |
|     "#     \"org\": \"ORGNAME\"\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searching the Event index\n",
 | |
|     "misp_url = '/events/index'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"hasproposal\": 1,\n",
 | |
|     "    \"tag\": [\"tlp:amber\"]\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "\n",
 | |
|     "print('Event number: %s' % len(res))\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "# Attributes"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "## Creation and edition"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "event_id = XXXXX"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Adding\n",
 | |
|     "endpoint = '/attributes/add/'\n",
 | |
|     "relative_path = str(event_id)\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"value\": \"8.8.8.9\",\n",
 | |
|     "    \"type\": \"ip-dst\"\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Adding invalid attribute type\n",
 | |
|     "endpoint = '/attributes/add/'\n",
 | |
|     "relative_path = str(event_id)\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"value\": \"8.8.8.9\",\n",
 | |
|     "    \"type\": \"md5\"\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Editing\n",
 | |
|     "endpoint = '/attributes/edit/'\n",
 | |
|     "relative_path = '36586'\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"value\": \"127.0.0.1\",\n",
 | |
|     "    \"to_ids\": 0,\n",
 | |
|     "    \"comment\": \"Comment added via the API\",\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Editing with data taken from JSON views. \n",
 | |
|     "# <!> (timestamp) contrast the difference with *PyMISP*\n",
 | |
|     "endpoint = '/attributes/edit/'\n",
 | |
|     "relative_path = 'XXXXXXXX'\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "                \"id\": \"XXXXXXXX\",\n",
 | |
|     "                \"type\": \"ip-dst\",\n",
 | |
|     "                \"category\": \"Network activity\",\n",
 | |
|     "                \"to_ids\": False,\n",
 | |
|     "                \"uuid\": \"5cf65823-d22c-45ae-af4f-47d80a00020f\",\n",
 | |
|     "                \"event_id\": \"33\",\n",
 | |
|     "                \"distribution\": \"5\",\n",
 | |
|     "                \"comment\": \"Comment added via the API\",\n",
 | |
|     "                \"sharing_group_id\": \"0\",\n",
 | |
|     "                \"deleted\": False,\n",
 | |
|     "                \"disable_correlation\": False,\n",
 | |
|     "                \"object_id\": \"0\",\n",
 | |
|     "                \"object_relation\": '',\n",
 | |
|     "                \"value\": \"1.2.3.5\",\n",
 | |
|     "                \"Galaxy\": [],\n",
 | |
|     "                \"ShadowAttribute\": [],\n",
 | |
|     "                \"Tag\": [\n",
 | |
|     "                    {\n",
 | |
|     "                        \"id\": \"4\",\n",
 | |
|     "                        \"name\": \"tlp:green\",\n",
 | |
|     "                        \"colour\": \"#14ff00\",\n",
 | |
|     "                        \"exportable\": True,\n",
 | |
|     "                        \"user_id\": \"0\",\n",
 | |
|     "                        \"hide_tag\": False,\n",
 | |
|     "                        \"numerical_value\": ''\n",
 | |
|     "                    }\n",
 | |
|     "                ]\n",
 | |
|     "            }\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "# Objects"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Example of an un-documented endpoint\n",
 | |
|     "endpoint = '/objects/add/'\n",
 | |
|     "relative_path = str(event_id)\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"name\": \"microblog\",\n",
 | |
|     "    \"meta-category\": \"misc\",\n",
 | |
|     "    \"description\": \"Microblog post like a Twitter tweet or a post on a Facebook wall.\",\n",
 | |
|     "    \"template_uuid\": \"8ec8c911-ddbe-4f5b-895b-fbff70c42a60\",\n",
 | |
|     "    \"template_version\": \"5\",\n",
 | |
|     "    \"event_id\": event_id,\n",
 | |
|     "    \"timestamp\": \"1558702173\",\n",
 | |
|     "    \"distribution\": \"5\",\n",
 | |
|     "    \"sharing_group_id\": \"0\",\n",
 | |
|     "    \"comment\": \"\",\n",
 | |
|     "    \"deleted\": False,\n",
 | |
|     "    \"ObjectReference\": [],\n",
 | |
|     "    \"Attribute\": [\n",
 | |
|     "        {\n",
 | |
|     "            \"type\": \"text\",\n",
 | |
|     "            \"category\": \"Other\",\n",
 | |
|     "            \"to_ids\": False,\n",
 | |
|     "            \"event_id\": event_id,\n",
 | |
|     "            \"distribution\": \"5\",\n",
 | |
|     "            \"timestamp\": \"1558702173\",\n",
 | |
|     "            \"comment\": \"\",\n",
 | |
|     "            \"sharing_group_id\": \"0\",\n",
 | |
|     "            \"deleted\": False,\n",
 | |
|     "            \"disable_correlation\": False,\n",
 | |
|     "            \"object_relation\": \"post\",\n",
 | |
|     "            \"value\": \"post\",\n",
 | |
|     "            \"Galaxy\": [],\n",
 | |
|     "            \"ShadowAttribute\": []\n",
 | |
|     "        }\n",
 | |
|     "    ]\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Go to event Edit 2\n",
 | |
|     "# Go to add tag the bad way"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "## RestSearch\n",
 | |
|     "**Aka: Most powerful search tool in MISP**"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "### RestSearch - Attributes"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "endpoint = '/attributes/restSearch/'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"returnFormat\": \"json\",\n",
 | |
|     "    \"eventid\": event_id\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searches on Attribute's data\n",
 | |
|     "misp_url = '/attributes/restSearch/'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"returnFormat\": \"json\",\n",
 | |
|     "    \"eventid\": event_id,\n",
 | |
|     "    \"type\": \"ip-dst\",\n",
 | |
|     "    \"value\": \"1.2.3.%\"\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searches on Attribute's data\n",
 | |
|     "endpoint = '/attributes/restSearch/'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"returnFormat\": \"json\",\n",
 | |
|     "    \"eventid\": event_id,\n",
 | |
|     "    \"deleted\": [0, 1]    # Consider both deleted AND not deleted\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "# [] == {\"OR\": []}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searches on Attribute's data\n",
 | |
|     "endpoint = '/attributes/restSearch/'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"returnFormat\": \"json\",\n",
 | |
|     "    \"eventid\": event_id,\n",
 | |
|     "#     \"tags\": \"tlp:white\",\n",
 | |
|     "#     \"tags\": [\"tlp:white\", \"tlp:green\"]\n",
 | |
|     "#     \"tags\": [\"!tlp:green\"]\n",
 | |
|     "#     \"tags\": \"tlp:%\",\n",
 | |
|     "#     \"includeEventTags\": 1\n",
 | |
|     "#         BRAND NEW (only tag)! Prefered way (Most accurate): Distinction between OR and AND!\n",
 | |
|     "    \"tags\": {\"AND\": [\"tlp:green\", \"Malware\"], \"NOT\": [\"%ransomware%\"]}\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Paginating\n",
 | |
|     "endpoint = '/attributes/restSearch/'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"returnFormat\": \"json\",\n",
 | |
|     "    \"eventid\": event_id,\n",
 | |
|     "    \"page\": 2,\n",
 | |
|     "    \"limit\": 1\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searches based on time: Absolute\n",
 | |
|     "endpoint = '/attributes/restSearch/'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "event_id = 13\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"returnFormat\": \"json\",\n",
 | |
|     "    \"eventid\": event_id,\n",
 | |
|     "    \"from\": \"2019/05/21\" # or \"2019-05-21\"\n",
 | |
|     "    # from and to NOT REALLY USEFULL.. \n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searches based on time: Relative\n",
 | |
|     "endpoint = '/attributes/restSearch/'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "# /!\\ Last: works on the publish_timestamp -> may be confusing\n",
 | |
|     "# Units: days, hours, minutes and secondes\n",
 | |
|     "body = {\n",
 | |
|     "    \"returnFormat\": \"json\",\n",
 | |
|     "    \"eventid\": event_id,\n",
 | |
|     "#     \"to_ids\": 1,\n",
 | |
|     "    \"last\": \"2019-08-28\"\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "## Precision regarding the different timestamps\n",
 | |
|     "- ``publish_timestamp`` = Time at which the event was published\n",
 | |
|     "    - Usage: get data that arrived in my system since x\n",
 | |
|     "    - E.g.: New data from a feed\n",
 | |
|     "- ``timestamp`` = Time of the last modification on the data\n",
 | |
|     "    - data was modified in the last x hours\n",
 | |
|     "    - E.g.: Last updated data from a feed\n",
 | |
|     "- ``event_timestamp``: Used in the Attribute scope\n",
 | |
|     "    - Event modified in the last x hours"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searches with attachments\n",
 | |
|     "endpoint = '/attributes/restSearch/'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"returnFormat\": \"json\",\n",
 | |
|     "    \"eventid\": event_id,\n",
 | |
|     "    \"type\": \"attachment\",\n",
 | |
|     "#     \"withAttachments\": 1\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searches - Others\n",
 | |
|     "endpoint = '/attributes/restSearch/'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"returnFormat\": \"json\",\n",
 | |
|     "    \"eventid\": 31,\n",
 | |
|     "    \"type\": \"ip-src\",\n",
 | |
|     "#     \"enforceWarninglist\": 1\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "### RestSearch - Events"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searching using the RestSearch\n",
 | |
|     "endpoint = '/events/restSearch'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"returnFormat\": \"json\",\n",
 | |
|     "    \"eventid\": 31,\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searching using the RestSearch - Other return format\n",
 | |
|     "!curl \\\n",
 | |
|     " -d '{\"returnFormat\":\"rpz\",\"eventid\":31}' \\\n",
 | |
|     " -H \"Authorization: ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\" \\\n",
 | |
|     " -H \"Accept: application/json\" \\\n",
 | |
|     " -H \"Content-type: application/json\" \\\n",
 | |
|     " -X POST 127.0.0.1:8080/events/restSearch 2> /dev/null"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searching using the RestSearch - Other return format\n",
 | |
|     "!curl \\\n",
 | |
|     " -d '{\"returnFormat\":\"csv\",\"eventid\":31}' \\\n",
 | |
|     " -H \"Authorization: ptU1OggdiLLWlwHPO9B3lzpwEND3hL7gH0uEsyYL\" \\\n",
 | |
|     " -H \"Accept: application/json\" \\\n",
 | |
|     " -H \"Content-type: application/json\" \\\n",
 | |
|     " -X POST 127.0.0.1:8080/events/restSearch 2> /dev/null"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searching using the RestSearch - Filtering\n",
 | |
|     "endpoint = '/events/restSearch'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"returnFormat\": \"json\",\n",
 | |
|     "    \"value\": \"parsed-ail.json\"\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searching using the RestSearch\n",
 | |
|     "endpoint = '/events/restSearch'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"returnFormat\": \"json\",\n",
 | |
|     "    \"org\": \"CIRCL\",\n",
 | |
|     "    \"id\": 33,\n",
 | |
|     "    \"metadata\": 1\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searching using the RestSearch\n",
 | |
|     "endpoint = '/events/restSearch'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"returnFormat\": \"json\",\n",
 | |
|     "    \"eventinfo\": \"%via the API%\",\n",
 | |
|     "    \"published\": 1\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "# Sightings"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Creating sightings\n",
 | |
|     "endpoint = '/sightings/add'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "#     \"id\": \"36578\"\n",
 | |
|     "    \"value\": \"parsed-ail.json\"\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Searching for sighted elements\n",
 | |
|     "endpoint = '/sightings/restSearch/event'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"returnFormat\": \"json\",\n",
 | |
|     "    \"id\": 33,\n",
 | |
|     "    \"includeAttribute\": 1,\n",
 | |
|     "    \"includeEvent\": 1\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "# Warning lists"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Checking values against the warining list\n",
 | |
|     "endpoint = '/warninglists/checkValue'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = [\"8.8.8.8\", \"yolo\", \"test\"]\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "# Instance management"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Creating Organisation\n",
 | |
|     "endpoint = '/admin/organisations/add'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"name\": \"TEMP_ORG2\"\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Creating Users\n",
 | |
|     "endpoint = '/admin/users/add'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"email\": \"from_api2@admin.test\",\n",
 | |
|     "    \"org_id\": 1009,\n",
 | |
|     "    \"role_id\": 3,\n",
 | |
|     "    \"termsaccepted\": 1,\n",
 | |
|     "    \"change_pw\": 0, # User prompted to change the psswd once logged in\n",
 | |
|     "    \"password\": \"~~UlTrA_SeCuRe_PaSsWoRd~~\"\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Creating Sharing Groups\n",
 | |
|     "endpoint = '/sharing_groups/add'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"name\": \"TEMP_SG2\",\n",
 | |
|     "    \"releasability\": \"To nobody\",\n",
 | |
|     "    \"SharingGroupOrg\": [\n",
 | |
|     "        {\n",
 | |
|     "            \"name\": \"ORGNAME\",\n",
 | |
|     "            \"extend\": 1\n",
 | |
|     "        },\n",
 | |
|     "        {\n",
 | |
|     "            \"name\": \"CIRCL\",\n",
 | |
|     "            \"extend\": 1\n",
 | |
|     "        }\n",
 | |
|     "    ]\n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {
 | |
|     "scrolled": true
 | |
|    },
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Server\n",
 | |
|     "endpoint = '/servers/add'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {\n",
 | |
|     "    \"url\": \"http://127.0.0.1:80/\",\n",
 | |
|     "    \"name\": \"Myself\",\n",
 | |
|     "    \"remote_org_id\": \"2\",\n",
 | |
|     "    \"authkey\": \"UHwmZCH4QdSKqPVunxTzfSes8n7ibBhUlsd0dmx9\"\n",
 | |
|     "    \n",
 | |
|     "}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Server settings\n",
 | |
|     "endpoint = '/servers/serverSettings'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "code",
 | |
|    "execution_count": null,
 | |
|    "metadata": {},
 | |
|    "outputs": [],
 | |
|    "source": [
 | |
|     "# Statistics\n",
 | |
|     "endpoint = '/users/statistics'\n",
 | |
|     "relative_path = ''\n",
 | |
|     "\n",
 | |
|     "body = {}\n",
 | |
|     "\n",
 | |
|     "res = misp.direct_call(endpoint + relative_path, body)\n",
 | |
|     "print_result(res)"
 | |
|    ]
 | |
|   },
 | |
|   {
 | |
|    "cell_type": "markdown",
 | |
|    "metadata": {},
 | |
|    "source": [
 | |
|     "Not Available:\n",
 | |
|     "- misp-module"
 | |
|    ]
 | |
|   }
 | |
|  ],
 | |
|  "metadata": {
 | |
|   "kernelspec": {
 | |
|    "display_name": "Python 3",
 | |
|    "language": "python",
 | |
|    "name": "python3"
 | |
|   },
 | |
|   "language_info": {
 | |
|    "codemirror_mode": {
 | |
|     "name": "ipython",
 | |
|     "version": 3
 | |
|    },
 | |
|    "file_extension": ".py",
 | |
|    "mimetype": "text/x-python",
 | |
|    "name": "python",
 | |
|    "nbconvert_exporter": "python",
 | |
|    "pygments_lexer": "ipython3",
 | |
|    "version": "3.6.8"
 | |
|   }
 | |
|  },
 | |
|  "nbformat": 4,
 | |
|  "nbformat_minor": 2
 | |
| }
 |