pymisp package
Submodules
pymisp.api module
Python API using the REST interface of MISP
class pymisp.api.PyMISP(url, key, ssl=True, out_type='json', debug=None, proxies=None, cert=None, asynch=False)
Bases: object
Python API for MISP
Parameters: - url – URL of the MISP instance you want to connect to
- key – API key of the user you want to use
- ssl – can be True or False (to check or not the validity of the certificate), or a CA_BUNDLE in case of a self-signed certificate (the concatenation of all the *.crt files of the chain)
- out_type – Type of object (json). NOTE: XML output isn't supported anymore; the flag is kept for compatibility reasons.
- debug – deprecated, configure logging in the API client instead
- proxies – Proxy dict as described here: http://docs.python-requests.org/en/master/user/advanced/#proxies
- cert – Client certificate, as described here: http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification
- asynch – Use asynchronous processing where possible
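The `ssl` parameter accepts three forms (True, False, or the path of a CA bundle built by concatenating the chain's *.crt files), and the false form silently turns off certificate verification. The following is an added example, not pymisp code, of how a deployment script can build that bundle and resolve the option before passing it to `PyMISP(url, key, ssl=...)`. The function and file names are the example's own; the PEM bodies it writes are constructed test data, not real certificates.

```python
"""Resolve the PyMISP ``ssl`` option (True / False / CA bundle path) safely.

Added example, not pymisp code. Names here (build_ca_bundle, resolve_verify)
are the example's own.
"""
import base64
import os
import ssl
import tempfile
from typing import Iterable, List, Union

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def extract_pem_blocks(text: str) -> List[str]:
    """Return every PEM CERTIFICATE block in ``text``; anything else is dropped."""
    blocks, pos = [], 0
    while (start := text.find(PEM_BEGIN, pos)) != -1:
        end = text.find(PEM_END, start)
        if end == -1:
            raise ValueError("unterminated PEM certificate block")
        end += len(PEM_END)
        block = text[start:end]
        # Checks framing and base64 body only; it does not parse X.509.
        ssl.PEM_cert_to_DER_cert(block + "\n")
        blocks.append(block)
        pos = end
    return blocks


def build_ca_bundle(chain_files: Iterable[str], out_path: str) -> str:
    """Concatenate the chain's *.crt files into one bundle, copying only
    certificate blocks so stray keys or text never reach the bundle."""
    blocks: List[str] = []
    for path in chain_files:
        with open(path, "r", encoding="ascii") as fh:
            found = extract_pem_blocks(fh.read())
        if not found:
            raise ValueError(f"{path}: no PEM certificate found")
        blocks.extend(found)
    with open(out_path, "w", encoding="ascii") as out:
        out.write("\n".join(blocks) + "\n")
    return out_path


def resolve_verify(ssl_option: Union[bool, str], allow_insecure: bool = False) -> Union[bool, str]:
    """Map ``ssl`` onto the verification setting.

    True  -> system trust store; str -> that CA bundle (must exist and hold a
    certificate); False -> refused unless the caller opts in explicitly, so a
    leftover test setting cannot silently disable TLS verification.
    """
    if ssl_option is True:
        return True
    if ssl_option is False:
        if not allow_insecure:
            raise ValueError("ssl=False disables certificate verification; "
                             "pass allow_insecure=True to confirm")
        return False
    if isinstance(ssl_option, str):
        if not os.path.isfile(ssl_option):
            raise FileNotFoundError(f"CA bundle not found: {ssl_option}")
        with open(ssl_option, "r", encoding="ascii") as fh:
            if not extract_pem_blocks(fh.read()):
                raise ValueError(f"{ssl_option} contains no PEM certificate")
        return ssl_option
    raise TypeError("ssl must be True, False or a path to a CA bundle")


def constructed_pem(label: bytes) -> str:
    """Constructed test data: a well-framed PEM block, NOT a real certificate."""
    return f"{PEM_BEGIN}\n{base64.encodebytes(label).decode('ascii')}{PEM_END}\n"


def demo() -> dict:
    """Build a bundle from two constructed chain files and resolve each form."""
    with tempfile.TemporaryDirectory() as tmp:
        leaf, root = os.path.join(tmp, "misp.crt"), os.path.join(tmp, "root.crt")
        for path, label in ((leaf, b"constructed leaf"), (root, b"constructed root")):
            with open(path, "w", encoding="ascii") as fh:
                fh.write(constructed_pem(label))
        bundle = build_ca_bundle([leaf, root], os.path.join(tmp, "ca-bundle.crt"))
        with open(bundle, encoding="ascii") as fh:
            block_count = len(extract_pem_blocks(fh.read()))
        try:
            resolve_verify(False)
            refused = False
        except ValueError:
            refused = True
        return {
            "bundle_blocks": block_count,
            "bundle_accepted": resolve_verify(bundle) == bundle,
            "system_store": resolve_verify(True),
            "insecure_refused": refused,
            "insecure_explicit": resolve_verify(False, allow_insecure=True),
        }


if __name__ == "__main__":
    print(demo())
```

The value returned by `resolve_verify` is what goes into `PyMISP(url, key, ssl=...)`; keeping the `False` branch behind an explicit opt-in means an operator has to write the decision down in the deployment script rather than inherit it from a copied config.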
add_attachment(event, attachment, category='Artifacts dropped', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)
Add an attachment to the MISP event
Parameters: - event – The event to add an attachment to
- attachment – Either a file handle or a path to a file - will be uploaded
add_detection_name(event, name, category='Antivirus detection', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)
add_domain(event, domain, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_domain_ip(event, domain, ip, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_domains_ips(event, domain_ips, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_email_attachment(event, email, category='Payload delivery', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_email_dst(event, email, category='Payload delivery', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_email_src(event, email, category='Payload delivery', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_email_subject(event, email, category='Payload delivery', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_filename(event, filename, category='Artifacts dropped', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)
add_hashes(event, category='Artifacts dropped', filename=None, md5=None, sha1=None, sha256=None, ssdeep=None, comment=None, to_ids=True, distribution=None, proposal=False, **kwargs)
add_hostname(event, hostname, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_internal_comment(event, reference, category='Internal reference', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)
add_internal_link(event, reference, category='Internal reference', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)
add_internal_other(event, reference, category='Internal reference', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)
add_internal_text(event, reference, category='Internal reference', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)
add_ipdst(event, ipdst, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_ipsrc(event, ipsrc, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_mutex(event, mutex, category='Artifacts dropped', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_named_attribute(event, type_value, value, category=None, to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)
add_net_other(event, netother, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_pattern(event, pattern, in_file=True, in_memory=False, category='Artifacts dropped', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_pipe(event, named_pipe, category='Artifacts dropped', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_regkey(event, regkey, rvalue=None, category='Artifacts dropped', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_regkeys(event, regkeys_values, category='Artifacts dropped', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_server(url, name, authkey, organisation, internal=None, push=False, pull=False, self_signed=False, push_rules='', pull_rules='', submitted_cert=None, submitted_client_cert=None)
add_snort(event, snort, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_target_email(event, target, category='Targeting data', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_target_external(event, target, category='Targeting data', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_target_location(event, target, category='Targeting data', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_target_machine(event, target, category='Targeting data', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_target_org(event, target, category='Targeting data', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_target_user(event, target, category='Targeting data', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_threat_actor(event, target, category='Attribution', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_traffic_pattern(event, pattern, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_url(event, url, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_useragent(event, useragent, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)
add_yara(event, yara, category='Payload delivery', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)
av_detection_link(event, link, category='Antivirus detection', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)
download_last(last)
Download the last updated events.
Parameters: last – can be defined in days, hours, minutes (for example 5d or 12h or 30m)
download_suricata_rule_event(event_id)
Download one suricata rule event.
Parameters: event_id – ID of the event to download (same as get)
edit_server(server_id, url=None, name=None, authkey=None, organisation=None, internal=None, push=False, pull=False, self_signed=False, push_rules='', pull_rules='', submitted_cert=None, submitted_client_cert=None, delete_cert=None, delete_client_cert=None)
get_all_attributes_txt(type_attr, tags=False, eventId=False, allowNonIDS=False, date_from=False, date_to=False, last=False, enforceWarninglist=False, allowNotPublished=False)
Get all attributes of a specific type as plain text. Only published and IDS-flagged attributes are exported, unless stated otherwise.
get_attachment(attribute_id)
Get an attachment (not a malware sample) by attribute ID. Returns the attachment as a bytestream, or a dictionary containing the error message.
Parameters: attribute_id – Attribute ID to fetch
get_attributes_statistics(context='type', percentage=None)
Get attributes statistics from the MISP instance
get_index(filters=None)
Return the index.
Warning, there's a limit on the number of results
get_stix_event(event_id=None, with_attachments=False, from_date=False, to_date=False, tags=False)
Get an event/events in STIX format
Get tags statistics from the MISP instance
new_event(distribution=None, threat_level_id=None, analysis=None, info=None, date=None, published=False, orgc_id=None, org_id=None, sharing_group_id=None)
publish(event, alert=True)
Publish event (with or without alert email)
Parameters: - event – pass event or event id (as string or int) to publish
- alert – set to True by default (send alerting email); if False, will not send alert
Returns: publish status
search(controller='events', async_callback=None, **kwargs)
Search via the REST API
Parameters: - values – values to search for
- not_values – values not to search for
- type_attribute – Type of attribute
- category – Category to search
- org – Org reporting the event
- tags – Tags to search for
- not_tags – Tags not to search for
- date_from – First date
- date_to – Last date
- last – Last updated events (for example 5d or 12h or 30m)
- eventid – Last date
- withAttachments – return events with or without the attachments
- uuid – search by uuid
- publish_timestamp – the publish timestamp
- timestamp – the creation timestamp
- enforceWarninglist – Enforce the warning lists
- searchall – full text search on the database
- metadata – return only metadata if True
- published – return only published events
- to_ids – return only the attributes with the to_ids flag set
- deleted – also return the deleted attributes
- async_callback – The function to run when results are returned
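Both `download_last(last)` and `search(last=...)` take the same relative-time string: a count followed by `d`, `h` or `m`, for example `5d`, `12h` or `30m`. The server interprets it, so a malformed value is only discovered after the request. The following is an added example, not pymisp code, of a client-side parser for that format that rejects bad values before any request is sent and derives the cut-off instant a collector actually asked for, which is worth logging next to the results. Only the three units the documentation names are accepted; the function names are the example's own.

```python
"""Client-side validation of the ``last`` window strings used by
download_last(last) and search(last=...). Added example, not pymisp code."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# <positive integer><unit>, units exactly as documented: d(ays), h(ours), m(inutes)
_LAST_RE = re.compile(r"^(?P<count>[1-9]\d*)(?P<unit>[dhm])$")
_UNITS = {"d": "days", "h": "hours", "m": "minutes"}


def parse_last(last: str) -> timedelta:
    """Turn '5d' / '12h' / '30m' into a timedelta; raise ValueError otherwise.

    Rejects a bare number, unknown units, zero or negative counts and inner
    whitespace, so a typo fails locally instead of silently widening or
    narrowing the window the server applies.
    """
    match = _LAST_RE.match(last.strip())
    if not match:
        raise ValueError(
            f"invalid 'last' value {last!r}: expected <n>d, <n>h or <n>m (e.g. 5d, 12h, 30m)"
        )
    return timedelta(**{_UNITS[match["unit"]]: int(match["count"])})


def last_cutoff(last: str, now: Optional[datetime] = None) -> datetime:
    """Return the UTC instant the window starts at, for audit logging.

    ``now`` is injectable so the result is reproducible in tests; it defaults
    to the current UTC time.
    """
    now = now or datetime.now(timezone.utc)
    return now - parse_last(last)


def describe_window(last: str, now: Optional[datetime] = None) -> str:
    """Human-readable line for a collector's log, e.g.
    'last=12h -> events updated since 2024-01-10T00:00:00+00:00'."""
    return f"last={last} -> events updated since {last_cutoff(last, now).isoformat()}"


if __name__ == "__main__":
    for value in ("5d", "12h", "30m"):
        print(describe_window(value))
    try:
        parse_last("5w")  # unit not documented -> rejected
    except ValueError as exc:
        print(exc)
```

Run the check before calling `misp.download_last(last)` or `misp.search(last=last)`; the same `parse_last` also guards the `last` argument of `get_all_attributes_txt`, which the page documents with the same `last` keyword.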
search_index(published=None, eventid=None, tag=None, datefrom=None, dateuntil=None, eventinfo=None, threatlevel=None, distribution=None, analysis=None, attribute=None, org=None, async_callback=None, normalize=False)
Search only at the index level. Use ! in front of a value as NOT; the default is OR. If using async, give a callback that takes 2 args, session and response; basic usage is pymisp.search_index(…, async_callback=lambda ses,resp: print(resp.json()))
Parameters: - published – Published (0,1)
- eventid – Event ID(s) | str or list
- tag – Tag(s) | str or list
- datefrom – First date, in format YYYY-MM-DD
- dateuntil – Last date, in format YYYY-MM-DD
- eventinfo – Event info(s) to match | str or list
- threatlevel – Threat level(s) (1,2,3,4) | str or list
- distribution – Distribution level(s) (0,1,2,3) | str or list
- analysis – Analysis level(s) (0,1,2) | str or list
- org – Organisation(s) | str or list
- async_callback – Function to call when the request returns (if running async)
- normalize – Normalize output | True or False
update_event(event_id, event)
Update an event
Parameters: - event_id – Event id to update
- event – Event as JSON object / string to add
upload_sample(filename, filepath_or_bytes, event_id, distribution=None, to_ids=True, category=None, comment=None, info=None, analysis=None, threat_level_id=None)