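def toggle_attribute(misp: pymisp.api.PyMISP, attr: pymisp.MISPAttribute):
    """
    First turns off the 'to_ids' flag for the given MISP Attribute, then turns
    it on again, sending one update to MISP for each step.

    The re-enable is attempted even when disabling failed, so this function
    never deliberately leaves the Attribute with 'to_ids' off. If the
    re-enable update itself fails, the Attribute stored in MISP may still have
    'to_ids' disabled; that case is logged as an error and should be followed
    up, because the indicator may then be missing from IDS-flagged exports.
    @param misp The PyMISP instance to use
    @param attr The MISP Attribute to toggle
    """
    attr.to_ids = False
    resp = misp.update_attribute(attr)
    disabled = bool(resp) and not resp.get("errors", {})
    if not disabled:
        logger.error(f"Error disabling 'to_ids' flag for Attribute {attr}")

    # Restore the flag regardless of how the first update went.
    attr.to_ids = True
    resp = misp.update_attribute(attr)
    if not resp or resp.get("errors", {}):
        logger.error(f"Error enabling 'to_ids' flag for Attribute {attr}")
        return

    if not disabled:
        # The flag never went off, so no toggle took place. The error logged
        # above already reports it; do not claim success on top of it.
        return
    logger.info(f"Toggled 'to_ids' flag for Attribute {attr}")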
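def get_or_create_event(misp: pymisp.api.PyMISP, event_uuid: str):
    """
    Returns a MISP Event with the given UUID. Creates a new event with the
    given UUID if it does not exist yet. Returns None when the event can
    neither be fetched nor created.
    @param misp The PyMISP instance to use
    @param event_uuid The Event UUID to fetch or create
    """
    misp_event = pymisp.MISPEvent()
    misp_event.uuid = event_uuid
    event = misp.get_event(misp_event, deleted=False, pythonify=True)
    if event and not event.get("errors", None):
        logger.info(f"Found MISP event with UUID '{event.uuid}'")
        return event

    logger.warning(f"Could not fetch MISP event with UUID {event_uuid}.")
    # NOTE(review): only 'uuid' and 'info' are set on the new event, so the
    # distribution level is whatever default applies -- confirm that this test
    # event is not shared beyond the instance it is meant for.
    misp_event.info = "Retro-Matching roundtrip test event"
    event = misp.add_event(misp_event, pythonify=True)
    if not event or event.get("errors", None):
        # An empty or None response has no 'errors' entry to read.
        errors = event.get("errors", {}) if event else {}
        logger.critical(
            f"Error creating new event. Make sure the configured UUID is not already deleted in MISP: {errors}"
        )
        # Stop here: an error response is not an event and has no usable uuid.
        return None
    logger.info(f"Created new MISP event with UUID '{event.uuid}'.")
    return event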
def report_sighting(misp: pymisp.api.PyMISP, attr: pymisp.MISPAttribute):
    """
    Sends a true-positive sighting for the given attribute and logs the result.
    @param misp The PyMISP instance to use
    @param attr The MISP Attribute to send the sighting for
    """
    sighting = pymisp.MISPSighting()
    sighting.from_dict(
        id=attr.id,
        # The sighting is labelled with the source "TEST".
        source="TEST",
        # "0" is a true positive sighting, see
        # https://www.circl.lu/doc/misp/automation/#post-sightingsadd
        type="0",
        timestamp=datetime.now(),
    )
    resp = misp.add_sighting(sighting)

    # An empty response is a failure. A plain dict counts as a failure only
    # when it carries a "message" or "errors" entry.
    failed = not resp
    if not failed and type(resp) is dict:
        failed = bool(resp.get("message", None) or resp.get("errors", None))

    if failed:
        logger.error(f"Failed to add sighting to MISP: {resp}")
        return
    logger.info(f"Reported sighting: {resp}")
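def create_attribute(misp: pymisp.api.PyMISP, event: pymisp.MISPEvent, ioc: str):
    """
    Creates a new MISP Attribute with the given 'ioc' string for the given
    MISP Event. Returns the created Attribute, or None when MISP reports an
    error or sends an empty response.
    @param misp The PyMISP instance to use
    @param event the MISP Event to create the Attribute for
    @param ioc The desired Attribute value
    """
    attr = pymisp.MISPAttribute()
    # The value is always submitted as type "domain" and is not checked here;
    # whether a malformed value is rejected depends on the MISP server.
    attr.type = "domain"
    attr.value = ioc
    attr = misp.add_attribute(event, attr, pythonify=True)
    if not attr or attr.get("errors", {}):
        # An empty or None response has no 'errors' entry to read.
        errors = attr.get("errors", {}) if attr else {}
        logger.critical(
            f"Error creating MISP Attribute with IoC {ioc}: {errors}")
        return None
    logger.info(f"Created new MISP Attribute with IoC '{ioc}'")
    return attr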