You can fetch a VM from here: https://www.circl.lu/misp-images/latest/, or connect to your dev instance.
This cell needs to be run first in order to connect to the MISP instance and run the subsequent commands.
from pymisp import PyMISP, MISPEvent, MISPAttribute
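import os

# The URL of the MISP instance to connect to.  Defaults to the local dev
# instance used in this tutorial; override with the MISP_URL environment variable.
misp_url = os.environ.get('MISP_URL', 'http://127.0.0.1:8080')
# The API key can be found in the MISP web interface under
# http://+MISP_URL+/users/view/me -> Authkey
# It is a credential.  The literal below is the tutorial value; for any other
# instance supply it through the MISP_KEY environment variable (or a secret
# store) instead of committing it next to the code.
misp_key = os.environ.get('MISP_KEY', 'yB8DMS8LkfYYpcVX8bN2v7xwDZDMp4bpW0sNqNGj')
# Should PyMISP verify the MISP certificate.  False is only acceptable for a
# local/dev instance: the API key travels with every request, so against a
# real instance keep verification enabled.
misp_verifycert = False
misp = PyMISP(misp_url, misp_key, misp_verifycert)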
# Event search restricted to the `last='1d'` window (the last day, relative to now).
response = misp.search(last='1d')
# Wrap each raw event dict from the response in a MISPEvent object.
events = []
for raw_event in response['response']:
    misp_event = MISPEvent()
    misp_event.load(raw_event)
    events.append(misp_event)
# Print every loaded event.
for loaded in events:
    print(loaded)
# Two-element `last` list: presumably a window between three and two days ago
# (same shape as the `timestamp=[start, end]` form used further down).
response = misp.search(last=['3d', '2d'])
# Wrap each raw event dict from the response in a MISPEvent object.
events = []
for raw_event in response['response']:
    misp_event = MISPEvent()
    misp_event.load(raw_event)
    events.append(misp_event)
# Print every loaded event.
for loaded in events:
    print(loaded)
from datetime import datetime
# Absolute timestamp search: everything since ten hours ago (36000 s).
window_seconds = 36000
ts = int(datetime.now().timestamp())
response = misp.search(timestamp=ts - window_seconds)
# Wrap each raw event dict from the response in a MISPEvent object.
events = []
for raw_event in response['response']:
    misp_event = MISPEvent()
    misp_event.load(raw_event)
    events.append(misp_event)
# Print every loaded event.
for loaded in events:
    print(loaded)
# Same connection with PyMISP debug output enabled.  The output is verbose and
# may echo request details, so review it before pasting it into a ticket.
misp = PyMISP(misp_url, misp_key, misp_verifycert, debug=True)
# Timestamp range search: from one hour ago (3600 s) up to now.
ts = int(datetime.now().timestamp())
one_hour_ago = ts - 3600
response = misp.search(timestamp=[one_hour_ago, ts])
# Wrap each raw event dict from the response in a MISPEvent object.
events = []
for raw_event in response['response']:
    misp_event = MISPEvent()
    misp_event.load(raw_event)
    events.append(misp_event)
# Print every loaded event.
for loaded in events:
    print(loaded)
# Re-create the connection without debug output.
misp = PyMISP(misp_url, misp_key, misp_verifycert) # TODO: remove when fixed
# Attribute-level search (controller='attributes') over the last hour.
response = misp.search(controller='attributes', last='1h')
# Build a MISPAttribute from each raw attribute dict in the response.
attributes = []
for raw_attribute in response['response']['Attribute']:
    misp_attribute = MISPAttribute()
    misp_attribute.from_dict(**raw_attribute)
    attributes.append(misp_attribute)
# Print each attribute together with the id of the event it belongs to.
for attr in attributes:
    print(attr.event_id, attr)
# Attribute search with a two-element `last` window (between two and one hours ago).
response = misp.search(controller='attributes', last=['2h', '1h'])
# Build a MISPAttribute from each raw attribute dict in the response.
attributes = []
for raw_attribute in response['response']['Attribute']:
    misp_attribute = MISPAttribute()
    misp_attribute.from_dict(**raw_attribute)
    attributes.append(misp_attribute)
# Print every attribute.
for attr in attributes:
    print(attr)
# Attribute search by absolute timestamp: everything since ten hours ago (36000 s).
window_seconds = 36000
ts = int(datetime.now().timestamp())
response = misp.search(controller='attributes', timestamp=ts - window_seconds)
# Build a MISPAttribute from each raw attribute dict in the response.
attributes = []
for raw_attribute in response['response']['Attribute']:
    misp_attribute = MISPAttribute()
    misp_attribute.from_dict(**raw_attribute)
    attributes.append(misp_attribute)
# Print every attribute.
for attr in attributes:
    print(attr)
You have multiple ways to search for different values in MISP. Searching in the metadata of the events is very fast and is generally the recommended approach if your query returns lots of events.
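# Metadata-only search on the event info field.
response = misp.search_index(eventinfo='Cobalt Strike')
# Build a MISPEvent from each event-metadata dict in the response.
events = []
for raw_event in response['response']:
    misp_event = MISPEvent()
    misp_event.from_dict(**raw_event)
    events.append(misp_event)
# Print every matched event.
for loaded in events:
    print(loaded)
# search_index returns event metadata only, so the attribute list is empty.
# Guard the index: events[0] raises IndexError when nothing matched.
if events:
    print('No attributes are in the event', events[0].attributes)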
# Metadata-only search by tag (a MISP taxonomy tag, quoted as it appears in the UI).
response = misp.search_index(tag='malware_classification:malware-category="Ransomware"')
# Build a MISPEvent from each event-metadata dict in the response.
events = []
for raw_event in response['response']:
    misp_event = MISPEvent()
    misp_event.from_dict(**raw_event)
    events.append(misp_event)
# Print every matched event.
for loaded in events:
    print(loaded)
# Metadata-only search with a relative timestamp (the last hour).
response = misp.search_index(timestamp='1h')
# Build a MISPEvent from each event-metadata dict in the response.
events = []
for raw_event in response['response']:
    misp_event = MISPEvent()
    misp_event.from_dict(**raw_event)
    events.append(misp_event)
# Print every matched event.
for loaded in events:
    print(loaded)
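# Fetch the full event (with attributes) for the first result of the metadata
# search above; `events` comes from the previous cell.  A bare `events[0].id`
# only displays something inside a notebook, so print it explicitly.
event_id = events[0].id
print(event_id)
event = MISPEvent()
event.load(misp.get(event_id))
print(event.to_json())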
# Full event search for events containing either of these attribute values
# (an IP address and a domain).
response = misp.search(values=['59.157.4.2', 'hotfixmsupload.com'])
# Wrap each raw event dict from the response in a MISPEvent object.
events = []
for raw_event in response['response']:
    misp_event = MISPEvent()
    misp_event.load(raw_event)
    events.append(misp_event)
# Print every loaded event.  `e` stays bound to the last event and is reused
# by the sighting example that follows, so keep this loop variable name.
for e in events:
    print(e)
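# `e` is the last event printed in the previous cell; attribute index 3 is an
# arbitrary example and only exists if that event has at least four attributes,
# so guard it instead of letting the hard-coded index raise IndexError.
if len(e.attributes) > 3:
    example_attribute = e.attributes[3]
    # Record a sighting for this attribute's value, then list the sightings
    # already recorded for the attribute.
    misp.sighting(value=example_attribute.value)
    misp.sighting_list(example_attribute.id)
else:
    print('Event has fewer than four attributes; pick another attribute for the sighting example')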
# Administrative helpers.  The return values are bound to names but otherwise
# unused; in a notebook cell only the last expression would be displayed.
sharing_groups = misp.get_sharing_groups()
users = misp.get_users_list()
# Demo user creation: in PyMISP's add_user the two positional integers after the
# e-mail are the organisation id (1) and role id (3).  Role ids are
# instance-specific, so check get_roles_list() for what role 3 grants before
# creating accounts on anything other than a throwaway instance.
created_user = misp.add_user('bar@foo.de', 1, 3)
organisations = misp.get_organisations_list()
roles = misp.get_roles_list()
feeds = misp.get_feeds_list()
# Trigger caching of all feeds on the instance.
cache_result = misp.cache_feeds_all()