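def get_misp_data(indicator, indicator_type, misp_api_key, misp_url):
    """Enrich one indicator with the first matching MISP attribute.

    Args:
        indicator: the observable value to look up (address, hash, domain ...).
        indicator_type: MISP attribute type; passed as the ``type`` filter of
            ``attributes/restSearch`` so only attributes of that type match.
        misp_api_key: MISP auth key. When empty or None no request is made
            and the default record is returned.
        misp_url: base URL of the MISP instance.

    Returns:
        dict with the keys misp_eventid, misp_firstseen, misp_lastseen,
        misp_eventinfo, misp_dateadded and misp_comment. Every field the
        lookup cannot fill stays 'n/a'. The function never raises: a failed
        lookup is reported on stdout and the record built so far is returned.
    """
    data = {
        'misp_eventid': 'n/a',
        'misp_firstseen': 'n/a',
        'misp_lastseen': 'n/a',
        'misp_eventinfo': 'n/a',
        'misp_dateadded': 'n/a',
        'misp_comment': 'n/a',
    }
    if not misp_api_key:
        return data
    try:
        # Third positional argument is ``ssl``: True keeps TLS certificate
        # verification on for the API connection.
        misp = ExpandedPyMISP(misp_url, misp_api_key, True)
        body = {
            "returnFormat": "json",
            "type": indicator_type,
            "value": indicator,
        }
        misp_query = misp.direct_call('attributes/restSearch', body)
        attributes = misp_query.get('Attribute') or []
        if not attributes:
            # No match is a normal outcome, not an error: keep the defaults
            # and do not print a traceback for it.
            return data
        # Only the first hit is used; any further matching attributes are ignored.
        attribute = attributes[0]
        event = attribute.get('Event') or {}
        # A missing optional field only leaves its own entry at 'n/a' instead
        # of aborting the whole enrichment with a KeyError.
        data['misp_eventid'] = attribute.get('event_id', 'n/a')
        data['misp_firstseen'] = attribute.get('first_seen', 'n/a')
        data['misp_lastseen'] = attribute.get('last_seen', 'n/a')
        data['misp_eventinfo'] = event.get('info', 'n/a')
        data['misp_dateadded'] = _format_misp_timestamp(attribute.get('timestamp', 'n/a'))
        # NOTE(review): the comment is read from the Event object, as the
        # original did; confirm that is the intended field rather than the
        # attribute-level comment.
        data['misp_comment'] = event.get('comment', 'n/a')
    except Exception as err:
        print('MISP error for indicator {}: {}'.format(
            indicator,
            ''.join(traceback.format_exception(type(err), err, err.__traceback__))))
    return data


def _format_misp_timestamp(raw):
    """Render a MISP epoch timestamp as ISO-8601; return *raw* unchanged if it is not one.

    The result is a naive datetime in the local timezone (as ``datetime.fromtimestamp``
    without ``tz`` gives), matching the original behaviour of the enrichment.
    """
    try:
        ts = int(raw)
    except (TypeError, ValueError):
        return raw
    try:
        return datetime.fromtimestamp(ts).isoformat()
    except (OverflowError, OSError, ValueError):
        # Out-of-range epoch values: fall back to the raw value as the caller did before.
        return raw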
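# this will test simple event extraction in MISP
import os

from pymisp import ExpandedPyMISP

misp_url = 'https://misp1.kamuning176.com'
# The auth key is read from the environment instead of being written into the
# script: a key committed to source lands in every clone, backup and log of the
# repository and has to be rotated once it has been pushed.
misp_key = os.environ.get('MISP_KEY')
if not misp_key:
    raise SystemExit('MISP_KEY is not set; export the MISP auth key before running this test')
# Keep TLS certificate verification on; the third ExpandedPyMISP argument is ``ssl``.
misp_verifycert = True
relative_path = 'attributes/restSearch'
# Search all IP attributes carrying a tlp:* tag, excluding tlp:red.
body = {
    "returnFormat": "json",
    "type": {
        "OR": ["ip-src", "ip-dst"]
    },
    "tags": {
        "NOT": ["tlp:red"],
        "OR": ["tlp:%"]
    }
}
misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
misp.direct_call(relative_path, body)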
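#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Print the server diagnostics of the first configured MISP instance."""
import json

from pymisp import ExpandedPyMISP
# NOTE: the project package named ``secrets`` shadows the stdlib ``secrets`` module
# for every script that imports it; nothing here relies on the stdlib one.
from secrets.keys import misps

relative_path = 'servers/serverSettings/diagnostics'
body = None

# Each ``misps`` entry is a '|'-separated record whose first three fields are
# url, auth key and the ssl argument. Split once and validate the field count
# so a malformed record gives a clear message rather than an IndexError.
fields = misps[0].split('|')
if len(fields) < 3:
    raise SystemExit('misps[0] must have at least three "|"-separated fields: url|key|ssl')
misp_url, misp_key, misp_ssl = fields[:3]
# NOTE(review): misp_ssl is passed through as a str, exactly as before; confirm
# whether the record holds a boolean flag or a CA-bundle path, because a str
# here is not interpreted like True/False.
misp = ExpandedPyMISP(misp_url, misp_key, misp_ssl)
result = misp.direct_call(relative_path, body)

# Summary lines first, then the full schema diagnostics as pretty-printed JSON.
print(result['version']['upToDate'])
print(result['gpgStatus'])
print(result['zmqStatus'])
print(result['moduleStatus']['Enrichment'])
print(result['moduleStatus']['Import'])
print(result['moduleStatus']['Export'])
print(result['dbSchemaDiagnostics']['checked_table_column'])
print(json.dumps(result['dbSchemaDiagnostics'], indent=2, sort_keys=True))
print(len(result['dbSchemaDiagnostics']['diagnostic']))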