pymisp package

Submodules

pymisp.api module

Python API using the REST interface of MISP

class pymisp.api.PyMISP(url, key, ssl=True, out_type='json', debug=None, proxies=None, cert=None, asynch=False)[source]

Bases: object

Python API for MISP

Parameters:
  • url – URL of the MISP instance you want to connect to
  • key – API key of the user you want to use
  • ssl – True or False (whether or not to check the validity of the server certificate), or the path to a CA_BUNDLE in case of a self-signed certificate (the concatenation of all the *.crt files of the chain). Keep checking enabled: with ssl=False the API key is sent to whatever answers at the URL.
  • out_type – Type of object (json) NOTE: XML output isn’t supported anymore, keeping the flag for compatibility reasons.
  • debug – deprecated, configure logging in api client instead
  • proxies – Proxy dict as described here: http://docs.python-requests.org/en/master/user/advanced/#proxies
  • cert – Client certificate, as described here: http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification
  • asynch – Use asynchronous processing where possible
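As an added example (not PyMISP code), here is one way to assemble these constructor arguments so that certificate checking stays on: the key is read from the environment, the URL must be https, and a self-signed instance is handled by passing the CA bundle path as ssl rather than ssl=False. The function names, the MISP_URL/MISP_KEY/MISP_CA_BUNDLE variable names and the demo PEM text are assumptions of this example; the dict it returns is unpacked into PyMISP(**kwargs).

```python
import os
import re
from urllib.parse import urlparse

# A PEM CA_BUNDLE is the concatenation of the chain's *.crt files; count the
# certificate blocks so an empty or truncated bundle is caught before use.
_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def count_pem_certs(pem_text):
    """Number of certificate blocks in a PEM bundle (0 means it is unusable)."""
    return len(_PEM_CERT.findall(pem_text))


def check_config(url, key, ca_bundle_pem=None):
    """Return a list of problems with the proposed PyMISP settings (empty list = OK).

    Rejects the settings that expose the API key: a plaintext http:// URL and a
    CA bundle without any certificate (the usual prelude to someone setting ssl=False).
    """
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append("url must be https://host[:port], got %r" % url)
    if not key:
        problems.append("api key is empty")
    if ca_bundle_pem is not None and count_pem_certs(ca_bundle_pem) == 0:
        problems.append("ca bundle contains no PEM certificate")
    return problems


def pymisp_kwargs(url, key, ca_bundle_path=None, proxies=None, client_cert=None):
    """Build the keyword arguments for PyMISP(**kwargs) with verification kept on.

    ssl is either True (system trust store) or the CA bundle path, never False.
    """
    pem = None
    if ca_bundle_path is not None:
        with open(ca_bundle_path) as fh:
            pem = fh.read()
    problems = check_config(url, key, pem)
    if problems:
        raise ValueError("; ".join(problems))
    kwargs = {"url": url, "key": key, "ssl": ca_bundle_path if ca_bundle_path else True}
    if proxies:
        kwargs["proxies"] = dict(proxies)  # e.g. {"https": "http://proxy.example.org:3128"}
    if client_cert:
        kwargs["cert"] = client_cert       # path to a client cert, or a (cert, key) tuple
    return kwargs


def kwargs_from_env():
    """Read MISP_URL, MISP_KEY and the optional MISP_CA_BUNDLE (assumed variable names)."""
    return pymisp_kwargs(os.environ["MISP_URL"],
                         os.environ.get("MISP_KEY", ""),
                         os.environ.get("MISP_CA_BUNDLE") or None)


if __name__ == "__main__":
    # Constructed demo: write a one-certificate bundle and build the arguments.
    import tempfile
    demo_pem = "-----BEGIN CERTIFICATE-----\nMIIB...demo...\n-----END CERTIFICATE-----\n"
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        fh.write(demo_pem)
    kw = pymisp_kwargs("https://misp.example.org", "REDACTED", fh.name)
    print(kw)  # then: from pymisp import PyMISP; misp = PyMISP(**kw)
```

PyMISP sends the key in the Authorization header of every request, so with ssl=False whoever answers at that URL, or sits on the path to it, receives the key; the CA-bundle path keeps verification on while still accepting the self-signed chain.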
add_attachment(event, attachment, category='Artifacts dropped', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)[source]

Add an attachment to the MISP event

Parameters:
  • event – The event to add an attachment to
  • attachment – Either a file handle or a path to a file - will be uploaded
add_detection_name(event, name, category='Antivirus detection', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_domain(event, domain, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_domain_ip(event, domain, ip, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_domains_ips(event, domain_ips, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_email_attachment(event, email, category='Payload delivery', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_email_dst(event, email, category='Payload delivery', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_email_src(event, email, category='Payload delivery', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_email_subject(event, email, category='Payload delivery', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_event(event)[source]

Add a new event

Parameters:event – Event as JSON object / string to add
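Added example (not PyMISP's own code) of building the JSON object add_event() takes. The category and to_ids defaults per attribute type are copied from the add_* helper signatures listed on this page; the function names and the demo values are assumptions of this example, and the distribution, threat level and analysis codes in the comments are the standard MISP values.

```python
import json
from datetime import date

# Default (category, to_ids) per attribute type, copied from the add_* helper
# signatures on this page; other types need category and to_ids given explicitly.
DEFAULTS = {
    "ip-dst": ("Network activity", True),
    "ip-src": ("Network activity", True),
    "domain": ("Network activity", True),
    "hostname": ("Network activity", True),
    "url": ("Network activity", True),
    "md5": ("Artifacts dropped", True),
    "sha1": ("Artifacts dropped", True),
    "sha256": ("Artifacts dropped", True),
    "filename": ("Artifacts dropped", False),
    "mutex": ("Artifacts dropped", True),
    "yara": ("Payload delivery", False),
}
# Distribution levels: 0 your org only, 1 this community, 2 connected communities, 3 all.
ORG_ONLY = 0


def new_event_json(info, distribution=ORG_ONLY, threat_level_id=4, analysis=0, when=None):
    """Minimal event document in the shape add_event() accepts (unpublished, org-only by default)."""
    return {"Event": {
        "info": info,
        "distribution": distribution,
        "threat_level_id": threat_level_id,   # 1 high, 2 medium, 3 low, 4 undefined
        "analysis": analysis,                 # 0 initial, 1 ongoing, 2 complete
        "date": (when or date.today()).isoformat(),
        "published": False,
        "Attribute": [],
    }}


def add_attribute(event, type_value, value, category=None, to_ids=None, comment=None):
    """Append an attribute, filling category/to_ids from DEFAULTS when not given."""
    default_cat, default_ids = DEFAULTS.get(type_value, (None, None))
    category = default_cat if category is None else category
    to_ids = default_ids if to_ids is None else to_ids
    if category is None or to_ids is None:
        raise ValueError("no default for type %r: pass category and to_ids" % type_value)
    attr = {"type": type_value, "category": category, "value": value, "to_ids": bool(to_ids)}
    if comment:
        attr["comment"] = comment
    event["Event"]["Attribute"].append(attr)
    return attr


def validate_event(event):
    """Problems to fix before add_event(): empty info, bad distribution, unusable to_ids values."""
    problems = []
    ev = event["Event"]
    if not ev.get("info"):
        problems.append("info is empty")
    if ev.get("distribution") not in (0, 1, 2, 3):
        problems.append("distribution must be 0-3, got %r" % ev.get("distribution"))
    for i, attr in enumerate(ev.get("Attribute", [])):
        # an IDS export of an empty or whitespace-padded value never matches anything
        if attr["to_ids"] and (not attr["value"] or attr["value"] != attr["value"].strip()):
            problems.append("attribute %d (%s) is to_ids but has an empty or padded value"
                            % (i, attr["type"]))
    return problems


def build_demo_event():
    """Constructed sample event (documentation addresses and the empty-file MD5, not real indicators)."""
    ev = new_event_json("demo: dropper and C2", when=date(2018, 1, 1))
    add_attribute(ev, "ip-dst", "203.0.113.7", comment="C2 seen in sandbox")
    add_attribute(ev, "filename", "dropper.exe")
    add_attribute(ev, "md5", "d41d8cd98f00b204e9800998ecf8427e")
    return ev


if __name__ == "__main__":
    event = build_demo_event()
    assert validate_event(event) == []
    print(json.dumps(event, indent=2))  # this string (or the dict itself) is what add_event() takes
```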
add_filename(event, filename, category='Artifacts dropped', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_hashes(event, category='Artifacts dropped', filename=None, md5=None, sha1=None, sha256=None, ssdeep=None, comment=None, to_ids=True, distribution=None, proposal=False, **kwargs)[source]
add_hostname(event, hostname, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_internal_comment(event, reference, category='Internal reference', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_internal_other(event, reference, category='Internal reference', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_internal_text(event, reference, category='Internal reference', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_ipdst(event, ipdst, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_ipsrc(event, ipsrc, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_mutex(event, mutex, category='Artifacts dropped', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_named_attribute(event, type_value, value, category=None, to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_net_other(event, netother, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_organisation(name, **kwargs)[source]
add_organisation_json(json_file)[source]
add_pattern(event, pattern, in_file=True, in_memory=False, category='Artifacts dropped', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_pipe(event, named_pipe, category='Artifacts dropped', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_regkey(event, regkey, rvalue=None, category='Artifacts dropped', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_regkeys(event, regkeys_values, category='Artifacts dropped', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_server(url, name, authkey, organisation, internal=None, push=False, pull=False, self_signed=False, push_rules='', pull_rules='', submitted_cert=None, submitted_client_cert=None)[source]
add_server_json(json_file)[source]
add_snort(event, snort, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_tag(event, tag, attribute=False)[source]
add_target_email(event, target, category='Targeting data', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_target_external(event, target, category='Targeting data', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_target_location(event, target, category='Targeting data', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_target_machine(event, target, category='Targeting data', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_target_org(event, target, category='Targeting data', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_target_user(event, target, category='Targeting data', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_threat_actor(event, target, category='Attribution', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_traffic_pattern(event, pattern, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_url(event, url, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_user(email, org_id, role_id, **kwargs)[source]
add_user_json(json_file)[source]
add_useragent(event, useragent, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False, **kwargs)[source]
add_yara(event, yara, category='Payload delivery', to_ids=False, comment=None, distribution=None, proposal=False, **kwargs)[source]
change_sharing_group(event, sharing_group_id)[source]
change_threat_level(event, threat_level_id)[source]
change_toids(attribute_uuid, to_ids)[source]
delete_attribute(attribute_id)[source]
delete_event(event_id)[source]

Delete an event

Parameters:event_id – Event id to delete
delete_organisation(org_id)[source]
delete_user(user_id)[source]
download_all_suricata()[source]

Download the Suricata rules of all events.

download_last(last)[source]

Download the last updated events.

Parameters:last – can be defined in days, hours, minutes (for example 5d or 12h or 30m)
download_samples(sample_hash=None, event_id=None, all_samples=False)[source]
download_suricata_rule_event(event_id)[source]

Download the Suricata rules of one event.

Parameters:event_id – ID of the event to download (same as get)
edit_organisation(org_id, **kwargs)[source]
edit_organisation_json(json_file, org_id)[source]
edit_server(server_id, url=None, name=None, authkey=None, organisation=None, internal=None, push=False, pull=False, self_signed=False, push_rules='', pull_rules='', submitted_cert=None, submitted_client_cert=None, delete_cert=None, delete_client_cert=None)[source]
edit_server_json(json_file, server_id)[source]
edit_user(user_id, **kwargs)[source]
edit_user_json(json_file, user_id)[source]
fetch_feed(feed_id)[source]
flatten_error_messages(response)[source]
freetext(event_id, string, adhereToWarninglists=False, distribution=None)[source]
get(eid)[source]
get_all_attributes_txt(type_attr, tags=False, eventId=False, allowNonIDS=False, date_from=False, date_to=False, last=False, enforceWarninglist=False, allowNotPublished=False)[source]

Get all attributes from a specific type as plain text. Only published and IDS flagged attributes are exported, except if stated otherwise.

get_all_tags(quiet=False)[source]
get_api_version()[source]

Returns the current version of PyMISP installed on the system

get_api_version_master()[source]

Get the most recent version of PyMISP from github

get_attachment(event_id)[source]

Get the attachments of an event (not the samples)

Parameters:event_id – Event id from which the attachments will be fetched
get_attributes_statistics(context='type', percentage=None)[source]

Get attributes statistics from the MISP instance

get_event(event_id)[source]

Get an event

Parameters:event_id – Event id to get
get_index(filters=None)[source]

Return the index.

Warning: the server limits the number of results returned.

get_organisation(organisation_id)[source]
get_organisation_fields_list()[source]
get_organisations_list(scope='local')[source]

Returns the list of organisations known to the instance, restricted by scope (default 'local').

get_sharing_groups()[source]
get_stix(**kwargs)[source]
get_stix_event(event_id=None, with_attachments=False, from_date=False, to_date=False, tags=False)[source]

Get an event/events in STIX format

get_tags_statistics(percentage=None, name_sort=None)[source]

Get tags statistics from the MISP instance

get_user(user_id)[source]
get_user_fields_list()[source]
get_users_list()[source]
get_version()[source]

Returns the version of the instance.

get_version_master()[source]

Get the most recent version from github

get_yara(event_id)[source]
new_event(distribution=None, threat_level_id=None, analysis=None, info=None, date=None, published=False, orgc_id=None, org_id=None, sharing_group_id=None)[source]
new_tag(name=None, colour='#00ace6', exportable=False)[source]
proposal_accept(proposal_id)[source]
proposal_add(event_id, attribute)[source]
proposal_discard(proposal_id)[source]
proposal_edit(attribute_id, attribute)[source]
proposal_view(event_id=None, proposal_id=None)[source]
publish(event)[source]
remove_tag(event, tag, attribute=False)[source]
search(controller='events', async_callback=None, **kwargs)[source]

Search via the Rest API

Parameters:
  • values – values to search for
  • not_values – values not to search for
  • type_attribute – Type of attribute
  • category – Category to search
  • org – Org reporting the event
  • tags – Tags to search for
  • not_tags – Tags not to search for
  • date_from – First date
  • date_to – Last date
  • last – Last updated events (for example 5d or 12h or 30m)
  • eventid – Event ID(s) to restrict the search to
  • withAttachments – return events with or without the attachments
  • uuid – search by uuid
  • publish_timestamp – the publish timestamp
  • timestamp – the last-modification timestamp
  • enforceWarninglist – Enforce the warning lists
  • searchall – full text search on the database
  • metadata – return only metadata if True
  • published – return only published events
  • to_ids – return only the attributes with the to_ids flag set
  • deleted – also return the deleted attributes
  • async_callback – The function to run when results are returned
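Added example (not part of PyMISP) of the two ends of a search() call: validating the relative last window (5d, 12h, 30m) before it is sent, and reducing the returned events to the indicators an IDS can use by keeping only to_ids attributes of published events, which is the default filter get_all_attributes_txt applies. The response layout ({"response": [{"Event": {...}}]}) and every value in SAMPLE_RESPONSE are constructed for the illustration, and the function names are assumptions.

```python
import re
from datetime import timedelta

# Accepted forms of the `last` parameter shown above: <n>d, <n>h, <n>m.
_LAST = re.compile(r"^(\d+)([dhm])$")
_UNIT = {"d": "days", "h": "hours", "m": "minutes"}


def parse_last(last):
    """Turn '5d' / '12h' / '30m' into a timedelta; reject anything else before it reaches the API."""
    m = _LAST.match(last)
    if not m:
        raise ValueError("last must look like 5d, 12h or 30m, got %r" % last)
    return timedelta(**{_UNIT[m.group(2)]: int(m.group(1))})


def _truthy(v):
    # MISP serialises flags as true/false, "1"/"0" or 1/0 depending on the code path.
    return v in (True, 1, "1", "true", "True")


def ids_indicators(search_response, types=("ip-dst", "domain", "hostname", "url")):
    """Extract IDS-ready indicators from a search() result.

    Keeps an attribute only if its event is published, its to_ids flag is set,
    it is not soft-deleted and its type is in `types`; returns
    (type, value, event_id) tuples, deduplicated, in first-seen order.
    """
    seen = []
    for wrapper in search_response.get("response", []):
        event = wrapper.get("Event", {})
        if not _truthy(event.get("published")):
            continue
        for attr in event.get("Attribute", []):
            if attr.get("type") not in types or not _truthy(attr.get("to_ids")):
                continue
            if _truthy(attr.get("deleted")):
                continue
            item = (attr["type"], attr["value"], str(event.get("id")))
            if item not in seen:
                seen.append(item)
    return seen


# Constructed sample of the JSON shape search() returns (not captured from a real instance).
SAMPLE_RESPONSE = {
    "response": [
        {"Event": {"id": "42", "published": True, "info": "demo campaign",
                   "Attribute": [
                       {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True, "deleted": False},
                       {"type": "ip-dst", "value": "203.0.113.7", "to_ids": "1", "deleted": "0"},
                       {"type": "domain", "value": "bad.example", "to_ids": False, "deleted": False},
                       {"type": "url", "value": "http://bad.example/x", "to_ids": True, "deleted": True},
                       {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True},
                   ]}},
        {"Event": {"id": "43", "published": False,
                   "Attribute": [{"type": "hostname", "value": "c2.example", "to_ids": True}]}},
    ]
}

if __name__ == "__main__":
    # Real use: misp.search(last="12h", published=True, to_ids=True) in place of SAMPLE_RESPONSE.
    print(parse_last("12h"))
    for ioc in ids_indicators(SAMPLE_RESPONSE):
        print(ioc)
```

Passing published=True and to_ids=True to search() already narrows the server-side result; the client-side filter above is what makes the output safe to feed to an IDS regardless of which options the caller remembered to set.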
search_all(value)[source]
search_index(published=None, eventid=None, tag=None, datefrom=None, dateuntil=None, eventinfo=None, threatlevel=None, distribution=None, analysis=None, attribute=None, org=None, async_callback=None, normalize=False)[source]

Search only at the index level. Use ! in front of a value as NOT; multiple values default to OR. If using async, give a callback that takes 2 args, session and response:

basic usage is pymisp.search_index(..., async_callback=lambda ses, resp: print(resp.json()))
Parameters:
  • published – Published (0,1)
  • eventid – Event ID(s) | str or list
  • tag – Tag(s) | str or list
  • datefrom – First date, in format YYYY-MM-DD
  • dateuntil – Last date, in format YYYY-MM-DD
  • eventinfo – Event info(s) to match | str or list
  • threatlevel – Threat level(s) (1,2,3,4) | str or list
  • distribution – Distribution level(s) (0,1,2,3) | str or list
  • analysis – Analysis level(s) (0,1,2) | str or list
  • org – Organisation(s) | str or list
  • async_callback – Function to call when the request returns (if running async)
  • normalize – Normalize output | True or False
set_sightings(sightings)[source]
sighting_per_id(attribute_id)[source]
sighting_per_json(json_file)[source]
sighting_per_uuid(attribute_uuid)[source]
tag(uuid, tag)[source]
untag(uuid, tag)[source]
update(event)[source]
update_event(event_id, event)[source]

Update an event

Parameters:
  • event_id – Event id to update
  • event – Event as JSON object / string to add
upload_sample(filename, filepath, event_id, distribution=None, to_ids=True, category=None, comment=None, info=None, analysis=None, threat_level_id=None)[source]
upload_samplelist(filepaths, event_id, distribution=None, to_ids=True, category=None, comment=None, info=None, analysis=None, threat_level_id=None)[source]
pymisp.api.deprecated(func)[source]

This is a decorator which can be used to mark functions as deprecated. It will result in a warning being emitted when the function is used.

Module contents