The MISP API provides an easy way to interact with MISP. In most cases you’ll do this via scripting or from external applications. Sometimes, however, it can be interesting to use the API to run some simple queries on your threat data via Python.
First start Python from the virtual environment.
Then load the libraries and set some variables.
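    import urllib3
    from pymisp import ExpandedPyMISP, MISPObject, MISPEvent, MISPAttribute, MISPOrganisation, MISPServer
    # Certificate verification is switched off below, so the matching warning is silenced.
    # The API key then travels over a TLS connection whose peer is not authenticated;
    # outside a test instance set misp_verifycert to True or to a CA bundle path.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    misp_verifycert = False
    misp_url = "https://MISP/"   # base URL of the MISP instance
    misp_key = "APIKEY"          # API key of the MISP user
    misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert, proxies=None)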
Now you can use the misp variable to interact with MISP.
For example, to search for events:
    # Events tagged tlp:white, returned as Python objects instead of raw JSON
    resp = misp.search(tags="tlp:white", pythonify=True)
    for event in resp:
        print(event.info)
As you can see, the search is for events with tag tlp:white and we asked to have Python objects returned. This then allows us to ask for one of the properties (such as ‘info’, the event title). If you expect a large list, you can supply the parameter “limit=5” to limit the results to only 5 events.
There are other things that you can do with that same result set such as adding a tag and publishing the event.
    resp = misp.search(tags="tlp:white", limit=10, pythonify=True)
    for event in resp:
        misp.tag(event.uuid, 'source:EXTERNAL')
        misp.publish(event.uuid)
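An added example, not code from the original post: the tag-and-publish loop with a dry-run default and a check of each response, so that an event whose tagging was refused is not published. `failed`, `tag_and_publish`, `demo` and the `FakeMISP` stand-in (with its constructed return values) are hypothetical names, and the `errors` check assumes PyMISP's behaviour of returning a dict with an `errors` key for a rejected (HTTP 4xx) request.

```python
from types import SimpleNamespace


def failed(resp):
    # Assumption: PyMISP reports a rejected request (HTTP 4xx) as a dict with an "errors" key
    return isinstance(resp, dict) and "errors" in resp


def tag_and_publish(misp, events, tag, dry_run=True):
    """Tag each event and publish only those tagged successfully; returns {uuid: outcome}."""
    outcome = {}
    for event in events:
        if dry_run:  # default: report what would happen, send nothing to the server
            outcome[event.uuid] = "would tag and publish"
            continue
        if failed(misp.tag(event.uuid, tag)):
            outcome[event.uuid] = "tag failed, not published"
            continue
        resp = misp.publish(event.uuid)
        outcome[event.uuid] = "publish failed" if failed(resp) else "published"
    return outcome


class FakeMISP:
    """Constructed stand-in for the PyMISP client so the example runs offline."""
    def __init__(self, reject):
        self.reject = set(reject)   # uuids for which tagging is refused
        self.published = []         # uuids that publish() was called for

    def tag(self, uuid, tag):
        if uuid in self.reject:
            return {"errors": (403, "constructed error")}
        return {"saved": True}      # constructed success value

    def publish(self, uuid):
        self.published.append(uuid)
        return {"saved": True}      # constructed success value


def demo():
    events = [SimpleNamespace(uuid="uuid-a"), SimpleNamespace(uuid="uuid-b")]  # constructed
    client = FakeMISP(reject={"uuid-b"})
    preview = tag_and_publish(client, events, "source:EXTERNAL")
    result = tag_and_publish(client, events, "source:EXTERNAL", dry_run=False)
    return preview, result, client.published


if __name__ == "__main__":
    print(demo())
```

Against a real instance, pass the `misp` object and the `resp` list from the search, and set `dry_run=False` only after reviewing the preview.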
Obviously it’s also possible to add attributes.
    uuid = "7aaf7517-cd35-49c0-83bd-010900c41a06"
    event = misp.get_event(uuid, pythonify=True)
    a = MISPAttribute()
    a.category = "Network activity"
    a.type = "ip-dst"
    a.value = "18.104.22.168"
    print(misp.add_attribute(event, a))