Interactive usage of MISP

MISP API

The MISP API provides an easy way to interact with MISP. In most cases you'll do this via scripting or from external applications. Sometimes, however, it can be useful to run a few simple queries against your threat data interactively from Python.

First, start Python from the MISP virtual environment.

/var/www/MISP/venv/bin/python3

Then load the libraries and set some variables.

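import urllib3
from pymisp import ExpandedPyMISP, MISPObject, MISPEvent, MISPAttribute, MISPOrganisation, MISPServer

# Certificate verification is switched off below, so the matching urllib3 warning is silenced too.
# Against a production instance, set misp_verifycert to True (or to a CA bundle path).
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
misp_verifycert = False
misp_url = "https://MISP/"  # base URL of your MISP instance
misp_key = "APIKEY"         # your API key
misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert, proxies=None)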

Now you can use the misp variable to interact with MISP.

For example, to search for events:

resp = misp.search(tags="tlp:white", pythonify=True)
for event in resp:
    print(event.info)

As you can see, the search is for events with the tag tlp:white, and we asked for Python objects to be returned (pythonify=True). This lets us read the properties of each event, such as 'info', the event title. If you expect a large list, you can supply the parameter limit=5 to limit the results to only 5 events.

There are other things that you can do with that same result set, such as adding a tag and publishing the event.

resp = misp.search(tags="tlp:white", limit=10, pythonify=True)
for event in resp:
    misp.tag(event.uuid, 'source:EXTERNAL')
    misp.publish(event.uuid)
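The tag-and-publish loop above changes and publishes every matching event without checking any response. The following added example (not from the original post) wraps the same search, tag and publish calls in a hypothetical helper, tag_and_publish, that can first run as a dry run and that collects the error dictionaries returned by the client. StubMISP and sample_events are constructed stand-ins so the block runs offline; with a real instance you would pass the misp object created earlier.

```python
from types import SimpleNamespace

def tag_and_publish(misp, search_tag, new_tag, limit=10, dry_run=True):
    """Plan (dry_run=True) or apply the tag-and-publish loop; return a report."""
    found = misp.search(tags=search_tag, limit=limit, pythonify=True)
    if isinstance(found, dict):  # on failure the client returns an error dict, not a list
        raise RuntimeError(f"search failed: {found.get('errors')}")
    report = []
    for event in found:
        names = {t.name for t in event.tags}
        steps = []
        if new_tag not in names:
            steps.append("tag")
        # Publish after tagging (as the page's loop does) or if still unpublished.
        if steps or not getattr(event, "published", False):
            steps.append("publish")
        errors = []
        for step in ([] if dry_run else steps):
            if step == "tag":
                resp = misp.tag(event.uuid, new_tag)
            else:
                resp = misp.publish(event.uuid)
            if isinstance(resp, dict) and resp.get("errors"):
                errors.append((step, resp["errors"]))
                break  # do not publish an event whose tagging failed
        report.append({"uuid": event.uuid, "steps": steps, "errors": errors})
    return report

class StubMISP:
    """Constructed offline stand-in for the misp object (not part of PyMISP)."""
    def __init__(self, events):
        self.events, self.calls = events, []
    def search(self, tags, limit, pythonify):
        return self.events[:limit]
    def tag(self, uuid, tag):
        self.calls.append(("tag", uuid))
        return {"errors": (403, "denied")} if uuid == "u-3" else {"saved": True}
    def publish(self, uuid):
        self.calls.append(("publish", uuid))
        return {"published": True}

def sample_events():  # constructed sample data, not real MISP events
    mk = lambda u, tags, pub: SimpleNamespace(
        uuid=u, published=pub, tags=[SimpleNamespace(name=n) for n in tags])
    return [mk("u-1", ["tlp:white", "source:EXTERNAL"], True),
            mk("u-2", ["tlp:white"], True), mk("u-3", ["tlp:white"], False)]

if __name__ == "__main__":
    print(tag_and_publish(StubMISP(sample_events()), "tlp:white", "source:EXTERNAL"))
```

Review the dry-run report first, then call the helper again with dry_run=False to apply the planned steps.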

Obviously it’s also possible to add attributes.

uuid = "7aaf7517-cd35-49c0-83bd-010900c41a06"
event = misp.get_event(uuid, pythonify=True)
a = MISPAttribute()
a.category = "Network activity"
a.type = "ip-dst"
a.value = "8.8.4.4"
print(misp.add_attribute(event, a))
