pymisp - Classes¶
- class pymisp.AbstractMISP(**kwargs)[source]¶
- property edited: bool¶
Recursively check if an object has been edited and update the flag accordingly to the parent objects
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- to_dict(json_format=False)[source]¶
Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.
- Return type:
dict
[str
,Any
]
- class pymisp.Analysis(value, names=<not given>, *values, module=None, qualname=None, type=None, start=1, boundary=None)[source]¶
- class pymisp.Distribution(value, names=<not given>, *values, module=None, qualname=None, type=None, start=1, boundary=None)[source]¶
- exception pymisp.InvalidMISPObject(message)[source]¶
Exception raised when an object doesn’t respect the constraints in the definition
- class pymisp.MISPAttribute(describe_types=None, strict=False)[source]¶
- add_galaxy(galaxy=None, **kwargs)[source]¶
Add a galaxy to the Attribute, either by passing a MISPGalaxy or a dictionary
- Return type:
- add_shadow_attribute(shadow_attribute=None, **kwargs)[source]¶
Add a shadow attribute to the attribute (by name or a MISPShadowAttribute object)
- Return type:
- add_sighting(sighting=None, **kwargs)[source]¶
Add a sighting to the attribute (by name or a MISPSighting object)
- Return type:
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- property galaxies: list[MISPGalaxy]¶
Returns a list of galaxies associated to this Attribute
- hash_values(algorithm='sha512')[source]¶
Compute the hash of every value for fast lookups
- Return type:
list
[str
]
- property known_types: list[str]¶
Returns a list of all the known MISP attributes types
- property malware_binary: BytesIO | None¶
Returns a BytesIO of the malware, if the attribute has one. Decrypts, unpacks and caches the binary on the first invocation, which may require some time for large attachments (~1s/MB).
- class pymisp.MISPCorrelationExclusion(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPDecayingModel(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPEvent(describe_types=None, strict_validation=False, **kwargs)[source]¶
- add_attribute(type, value, **kwargs)[source]¶
Add an attribute. type and value are required but you can pass all other parameters supported by MISPAttribute
- Return type:
MISPAttribute
|list
[MISPAttribute
]
- add_attribute_tag(tag, attribute_identifier)[source]¶
Add a tag to an existing attribute. Raise an Exception if the attribute doesn’t exist.
- Parameters:
tag (
MISPTag
|str
) – Tag name as a string, MISPTag instance, or dictionaryattribute_identifier (
str
) – can be an ID, UUID, or the value.
- Return type:
list
[MISPAttribute
]
- add_event_report(name, content, **kwargs)[source]¶
Add an event report. name and value are requred but you can pass all other parameters supported by MISPEventReport
- Return type:
- add_galaxy(galaxy=None, **kwargs)[source]¶
Add a galaxy and sub-clusters into an event, either by passing a MISPGalaxy or a dictionary. Supports all other parameters supported by MISPGalaxy
- Return type:
- add_object(obj=None, **kwargs)[source]¶
Add an object to the Event, either by passing a MISPObject, or a dictionary
- Return type:
- add_shadow_attribute(shadow_attribute=None, **kwargs)[source]¶
Add a tag to the attribute (by name or a MISPTag object)
- Return type:
- delete_attribute(attribute_id)[source]¶
Delete an attribute
- Parameters:
attribute_id (
str
) – ID or UUID- Return type:
None
- delete_object(object_id)[source]¶
Delete an object
- Parameters:
object_id (
str
) – ID or UUID- Return type:
None
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- get_attribute_by_id(attribute_id)[source]¶
Get an attribute by ID
- Parameters:
attribute_id (
str
|int
) – The ID of the seeking attribute- Return type:
- get_attribute_by_uuid(attribute_uuid)[source]¶
Get an attribute by UUID
- Parameters:
attribute_uuid (
str
) – The UUID of the seeking attribute- Return type:
- get_attribute_tag(attribute_identifier)[source]¶
Return the tags associated to an attribute or an object attribute.
- Parameters:
attribute_identifier (
str
) – can be an ID, UUID, or the value.- Return type:
list
[MISPTag
]
- get_object_by_id(object_id)[source]¶
Get an object by ID
- Parameters:
object_id (
str
|int
) – the ID is the one set by the server when creating the new object- Return type:
- get_object_by_uuid(object_uuid)[source]¶
Get an object by UUID
- Parameters:
object_uuid (
str
) – the UUID is set by the server when creating the new object- Return type:
- get_objects_by_name(object_name)[source]¶
Get objects by name
- Parameters:
object_name (
str
) – name is set by the server when creating the new object- Return type:
list
[MISPObject
]
- load(json_event, validate=False, metadata_only=False)[source]¶
Load a JSON dump from a pseudo file or a JSON string
- Return type:
None
- load_file(event_path, validate=False, metadata_only=False)[source]¶
Load a JSON dump from a file on the disk
- Return type:
None
- set_date(d=None, ignore_invalid=False)[source]¶
Set a date for the event
- Parameters:
d (
str
|int
|float
|datetime
|date
|None
) – String, datetime, or date objectignore_invalid (
bool
) – if True, assigns current date if d is not an expected type
- Return type:
None
- to_dict(json_format=False)[source]¶
Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.
- Return type:
dict
[str
,Any
]
- to_feed(valid_distributions=[0, 1, 2, 3, 4, 5], with_meta=False, with_distribution=False, with_local_tags=True, with_event_reports=True)[source]¶
Generate a json output for MISP Feed.
- Parameters:
valid_distributions (
list
[int
]) – only makes sense if the distribution key is set; i.e., the event is exported from a MISP instance.with_distribution (
bool
) – exports distribution and Sharing Group info; otherwise all SharingGroup information is discarded (protecting privacy)with_local_tags (
bool
) – tag export includes local exportable tags along with global exportable tagswith_event_reports (
bool
) – include event reports in the returned MISP event
- Return type:
dict
[str
,Any
]
- class pymisp.MISPEventBlocklist(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPEventDelegation(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPEventReport(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPFeed(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPGalaxy[source]¶
Galaxy class, used to view a galaxy and respective clusters
- class pymisp.MISPGalaxyCluster[source]¶
A MISP galaxy cluster, storing respective galaxy elements and relations. Used to view default galaxy clusters and add/edit/update/delete Galaxy 2.0 clusters
Creating a new galaxy cluster can take the following parameters
- Parameters:
value (str) – The value of the galaxy cluster
description (str) – The description of the galaxy cluster
distribution (int) – The distribution type, one of 0, 1, 2, 3, 4
sharing_group_id (int, optional) – The sharing group ID, if distribution is set to 4
authors (list[str], optional) – A list of authors of the galaxy cluster
cluster_elements (list[MISPGalaxyClusterElement], optional) – List of MISPGalaxyClusterElement
cluster_relations (list[MISPGalaxyClusterRelation], optional) – List of MISPGalaxyClusterRelation
- add_cluster_element(key, value, **kwargs)[source]¶
Add a cluster relation to a MISPGalaxyCluster, key and value are required
- Parameters:
key (str) – The key name of the element
value (str) – The value of the element
- Return type:
- add_cluster_relation(referenced_galaxy_cluster_uuid, referenced_galaxy_cluster_type, galaxy_cluster_uuid=None, **kwargs)[source]¶
Add a cluster relation to a MISPGalaxyCluster.
- Parameters:
referenced_galaxy_cluster_uuid (uuid) – UUID of the related cluster
referenced_galaxy_cluster_type (uuid) – Relation type
galaxy_cluster_uuid (
str
|None
) – UUID of this cluster, leave blank to use the stored UUIDgalaxy_cluster_uuid – uuid, Optional
- Return type:
- property elements_meta: dict[str, Any]¶
Function to return the galaxy cluster elements as a dictionary structure of lists that comes from a MISPGalaxy within a MISPEvent. Lossy, you lose the element ID
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPGalaxyClusterElement(**kwargs)[source]¶
A MISP Galaxy cluster element, providing further info on a cluster
Creating a new galaxy cluster element can take the following parameters
- Parameters:
key (str) – The key/identifier of the element
value (str) – The value of the element
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPGalaxyClusterRelation[source]¶
A MISP Galaxy cluster relation, linking one cluster to another
Creating a new galaxy cluster can take the following parameters
- Parameters:
galaxy_cluster_uuid – The UUID of the galaxy the relation links to
referenced_galaxy_cluster_type – The relation type, e.g. dropped-by
referenced_galaxy_cluster_uuid – The UUID of the related galaxy
distribution – The distribution of the relation, one of 0, 1, 2, 3, 4, default 0
sharing_group_id – The sharing group of the relation, only when distribution is 4
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPInbox(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPLog(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPNote(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPNoticelist(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPObject(name, strict=False, standalone=True, default_attributes_parameters={}, **kwargs)[source]¶
- add_attribute(object_relation, simple_value=None, **value)[source]¶
Add an attribute. :type object_relation:
str
:param object_relation: The object relation of the attribute you’re adding to the object :type simple_value:str
|int
|float
|None
:param simple_value: The value :type value: :param value: dictionary with all the keys supported by MISPAttribute- Return type:
MISPAttribute
|None
- Note: as long as PyMISP knows about the object template, only the object_relation and the simple_value are required.
If PyMISP doesn’t know the template, you also must pass a type. All the other options that can be passed along when creating an attribute (comment, IDS flag, …) will be either taked out of the template, or out of the default setting for the type as defined on the MISP instance.
- add_attributes(object_relation, *attributes)[source]¶
Add multiple attributes with the same object_relation. Helper for object_relation when multiple is True in the template. It is the same as calling multiple times add_attribute with the same object_relation.
- Return type:
list
[MISPAttribute
|None
]
- add_reference(referenced_uuid, relationship_type, comment=None, **kwargs)[source]¶
Add a link (uuid) to another object
- Return type:
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- get_attribute_by_id(attribute_id)[source]¶
Get an object attribute by ID
- Parameters:
attribute_id (
str
|int
) – The ID of the seeking object attribute- Return type:
- get_attribute_by_uuid(attribute_uuid)[source]¶
Get an object attribute by UUID
- Parameters:
attribute_uuid (
str
) – The UUID of the seeking object attribute- Return type:
- get_attributes_by_relation(object_relation)[source]¶
Returns the list of attributes with the given object relation in the object
- Return type:
list
[MISPAttribute
]
- has_attributes_by_relation(list_of_relations)[source]¶
True if all the relations in the list are defined in the object
- Return type:
bool
- class pymisp.MISPObjectAttribute(definition)[source]¶
- from_dict(object_relation, value, **kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- class pymisp.MISPObjectReference[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPObjectTemplate(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPOpinion(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPOrganisation[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPOrganisationBlocklist(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPRelationship(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPRole(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPServer(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPShadowAttribute[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPSharingGroup[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPSighting[source]¶
- from_dict(**kwargs)[source]¶
Initialize the MISPSighting from a dictionary
- Parameters:
value – Value of the attribute the sighting is related too. Pushing this object will update the sighting count of each attribute with this value on the instance.
uuid – UUID of the attribute to update
id – ID of the attriute to update
source – Source of the sighting
type – Type of the sighting
timestamp – Timestamp associated to the sighting
- Return type:
None
- class pymisp.MISPTag(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPTaxonomy(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPUser(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPUserSetting(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.MISPWarninglist(**kwargs)[source]¶
- from_dict(**kwargs)[source]¶
Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.
- Return type:
None
- class pymisp.PyMISP(url, key, ssl=True, debug=False, proxies=None, cert=None, auth=None, tool='', timeout=None, http_headers=None, https_adapter=None, http_auth_header_name='Authorization')[source]¶
Python API for MISP
- Parameters:
url (
str
) – URL of the MISP instance you want to connect tokey (
str
) – API key of the user you want to usessl (
bool
|str
) – can be True or False (to check or to not check the validity of the certificate. Or a CA_BUNDLE in case of self signed or other certificate (the concatenation of all the crt of the chain)debug (
bool
) – Write all the debug information to stderrproxies (
Optional
[MutableMapping
[str
,str
]]) – Proxy dict, as described here: http://docs.python-requests.org/en/master/user/advanced/#proxiescert (
str
|tuple
[str
,str
] |None
) – Client certificate, as described here: http://docs.python-requests.org/en/master/user/advanced/#client-side-certificatesauth (
AuthBase
|None
) – The auth parameter is passed directly to requests, as described here: http://docs.python-requests.org/en/master/user/authentication/tool (
str
) – The software using PyMISP (string), used to set a unique user-agenthttp_headers (
dict
[str
,str
] |None
) – Arbitrary headers to pass to all the requests.https_adapter (
BaseAdapter
|None
) – Arbitrary HTTPS adapter for the requests session.http_auth_header_name (
str
) – The name of the HTTP header to use for the API key. Can be either “Authorization” or “X-MISP-AUTH”.timeout (
float
|tuple
[float
,float
] |None
) – Timeout, as described here: https://requests.readthedocs.io/en/master/user/advanced/#timeouts
- accept_attribute_proposal(proposal)[source]¶
Accept a proposal. You cannot modify an existing proposal, only accept/discard
- Parameters:
proposal (
MISPShadowAttribute
|int
|str
|UUID
) – attribute proposal to accept- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- accept_event_delegation(delegation, pythonify=False)[source]¶
Accept the delegation of an event
- Parameters:
delegation (
MISPEventDelegation
|int
|str
) – event delegation to acceptpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- accept_user_registration(registration, organisation=None, role=None, perm_sync=False, perm_publish=False, perm_admin=False, unsafe_fallback=False)[source]¶
Accept a user registration
- Parameters:
registration (
MISPInbox
|int
|str
|UUID
) – the registration to acceptorganisation (
MISPOrganisation
|int
|str
|UUID
|None
) – user organizationrole (
MISPRole
|int
|str
|None
) – user roleperm_sync (
bool
) – indicator for syncperm_publish (
bool
) – indicator for publishperm_admin (
bool
) – indicator for adminunsafe_fallback (
bool
) – indicator for unsafe fallback
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- add_analyst_data(analyst_data, pythonify=False)[source]¶
Add an analyst data to an existing MISP element
- Parameters:
analyst_data (
MISPNote
|MISPOpinion
|MISPRelationship
) – analyst_data to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPNote
|MISPOpinion
|MISPRelationship
- add_attribute(event, attribute, pythonify=False, break_on_duplicate=True)[source]¶
Add an attribute to an existing MISP event: https://www.misp-project.org/openapi/#tag/Attributes/operation/addAttribute
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event to extendattribute (
Union
[MISPAttribute
,Iterable
[str
]]) – attribute or (MISP version 2.4.113+) list of attributes to add. If a list is passed, the pythonified response is a dict with the following structure: {‘attributes’: [MISPAttribute], ‘errors’: {errors by attributes}}pythonify (
bool
) – Returns a PyMISP Object instead of the plain json outputbreak_on_duplicate (
bool
) – if False, do not fail if the attribute already exists, updates existing attribute instead (timestamp will be always updated)
- Return type:
dict
[str
,Any
] |MISPAttribute
|MISPShadowAttribute
- add_attribute_proposal(event, attribute, pythonify=False)[source]¶
Propose a new attribute in an event
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event to receive new attributeattribute (
MISPAttribute
) – attribute to proposepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPShadowAttribute
- add_correlation_exclusion(correlation_exclusion, pythonify=False)[source]¶
Add a new correlation exclusion
- Parameters:
correlation_exclusion (
MISPCorrelationExclusion
) – correlation exclusion to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPCorrelationExclusion
- add_event(event, pythonify=False, metadata=False)[source]¶
Add a new event on a MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/addEvent
- add_event_blocklist(uuids, comment=None, event_info=None, event_orgc=None)[source]¶
Add a new event in the blocklist
- Parameters:
uuids (
str
|list
[str
]) – UUIDscomment (
str
|None
) – commentevent_info (
str
|None
) – event informationevent_orgc (
str
|None
) – event organization
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- add_event_report(event, event_report, pythonify=False)[source]¶
Add an event report to an existing MISP event
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event to extendevent_report (
MISPEventReport
) – event report to add.pythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPEventReport
- add_feed(feed, pythonify=False)[source]¶
Add a new feed on a MISP instance: https://www.misp-project.org/openapi/#tag/Feeds/operation/addFeed
- add_galaxy_cluster(galaxy, galaxy_cluster, pythonify=False)[source]¶
Add a new galaxy cluster to a MISP Galaxy: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/addGalaxyCluster
- Parameters:
galaxy (
MISPGalaxy
|str
|UUID
) – A MISPGalaxy (or UUID) where you wish to add the galaxy clustergalaxy_cluster (
MISPGalaxyCluster
) – A MISPGalaxyCluster you wish to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPGalaxyCluster
- add_galaxy_cluster_relation(galaxy_cluster_relation)[source]¶
Add a galaxy cluster relation, cluster relation must include cluster UUIDs in both directions
- Parameters:
galaxy_cluster_relation (
MISPGalaxyClusterRelation
) – The MISPGalaxyClusterRelation to add- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- add_object(event, misp_object, pythonify=False, break_on_duplicate=False)[source]¶
Add a MISP Object to an existing MISP event: https://www.misp-project.org/openapi/#tag/Objects/operation/addObject
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event to extendmisp_object (
MISPObject
) – object to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json outputbreak_on_duplicate (
bool
) – if True, check and reject if this object’s attributes match an existing object’s attributes; may require much time
- Return type:
dict
[str
,Any
] |MISPObject
- add_object_reference(misp_object_reference, pythonify=False)[source]¶
Add a reference to an object
- Parameters:
misp_object_reference (
MISPObjectReference
) – object referencepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPObjectReference
- add_opinion(opinion, pythonify=False)[source]¶
Add an opinion to an existing MISP element
- Parameters:
opinion (
MISPOpinion
) – opinion to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPOpinion
- add_org_to_sharing_group(sharing_group, organisation, extend=False)[source]¶
Add an organisation to a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/addOrganisationToSharingGroup
- Parameters:
sharing_group (
MISPSharingGroup
|int
|str
|UUID
) – Sharing group’s local instance ID, or Sharing group’s global UUIDorganisation (
MISPOrganisation
|int
|str
|UUID
) – Organisation’s local instance ID, or Organisation’s global UUID, or Organisation’s name as known to the curent instanceextend (
bool
) – Allow the organisation to extend the group
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- add_organisation(organisation, pythonify=False)[source]¶
Add an organisation: https://www.misp-project.org/openapi/#tag/Organisations/operation/addOrganisation
- Parameters:
organisation (
MISPOrganisation
) – organization to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPOrganisation
- add_organisation_blocklist(uuids, comment=None, org_name=None)[source]¶
Add a new organisation in the blocklist
- Parameters:
uuids (
str
|list
[str
]) – UUIDscomment (
str
|None
) – commentorg_name (
str
|None
) – organization name
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- add_relationship(relationship, pythonify=False)[source]¶
Add a relationship to an existing MISP element
- Parameters:
relationship (
MISPRelationship
) – relationship to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPRelationship
- add_server(server, pythonify=False)[source]¶
Add a server to synchronise with: https://www.misp-project.org/openapi/#tag/Servers/operation/getServers Note: You probably want to use PyMISP.get_sync_config and PyMISP.import_server instead
- Parameters:
server (
MISPServer
) – sync server configpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPServer
- add_server_to_sharing_group(sharing_group, server, all_orgs=False)[source]¶
Add a server to a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/addServerToSharingGroup
- Parameters:
sharing_group (
MISPSharingGroup
|int
|str
|UUID
) – Sharing group’s local instance ID, or Sharing group’s global UUIDserver (
MISPServer
|int
|str
|UUID
) – Server’s local instance ID, or URL of the Server, or Server’s name as known to the curent instanceall_orgs (
bool
) – Add all the organisations of the server to the group
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- add_sharing_group(sharing_group, pythonify=False)[source]¶
Add a new sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/addSharingGroup
- Parameters:
sharing_group (
MISPSharingGroup
) – sharing group to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPSharingGroup
- add_sighting(sighting, attribute=None, pythonify=False)[source]¶
Add a new sighting (globally, or to a specific attribute): https://www.misp-project.org/openapi/#tag/Sightings/operation/addSighting and https://www.misp-project.org/openapi/#tag/Sightings/operation/getSightingsByEventId
- Parameters:
sighting (
MISPSighting
|dict
[str
,Any
]) – sighting to addattribute (
MISPAttribute
|int
|str
|UUID
|None
) – specific attribute to modify with the sightingpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPSighting
- add_tag(tag, pythonify=False)[source]¶
Add a new tag on a MISP instance: https://www.misp-project.org/openapi/#tag/Tags/operation/addTag The user calling this method needs the Tag Editor permission. It doesn’t add a tag to an event, simply creates it on the MISP instance.
- add_user(user, pythonify=False)[source]¶
Add a new user: https://www.misp-project.org/openapi/#tag/Users/operation/addUser
- attach_galaxy_cluster(misp_entity, galaxy_cluster, local=False, pythonify=False)[source]¶
Attach a galaxy cluster to an event or an attribute
- Parameters:
misp_entity (
MISPEvent
|MISPAttribute
) – a MISP Event or a MISP Attributegalaxy_cluster (
MISPGalaxyCluster
|int
|str
) – Galaxy cluster to attachlocal (
bool
) – whether the object should be attached locally or not to the targetpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- attribute_exists(attribute)[source]¶
Fast check if attribute exists.
- Parameters:
attribute (
MISPAttribute
|int
|str
|UUID
) – Attribute to check- Return type:
bool
- attribute_proposals(event=None, pythonify=False)[source]¶
Get all the attribute proposals
- Parameters:
event (
MISPEvent
|int
|str
|UUID
|None
) – eventpythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
- Return type:
dict
[str
,Any
] |list
[MISPShadowAttribute
] |list
[dict
[str
,Any
]]
- attributes(pythonify=False)[source]¶
Get all the attributes from the MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/getAttributes
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPAttribute
] |list
[dict
[str
,Any
]]
- attributes_statistics(context='type', percentage=False)[source]¶
Get attribute statistics from the MISP instance
- Parameters:
context (
str
) – “type” or “category”percentage (
bool
) – get percentages
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- build_complex_query(or_parameters=None, and_parameters=None, not_parameters=None)[source]¶
Build a complex search query. MISP expects a dictionary with AND, OR and NOT keys.
- Return type:
dict
[str
,list
[TypeVar
(SearchType
,str
,int
)]]
- cache_all_feeds()[source]¶
Cache all the feeds: https://www.misp-project.org/openapi/#tag/Feeds/operation/cacheFeeds
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- cache_feed(feed)[source]¶
Cache a specific feed by id: https://www.misp-project.org/openapi/#tag/Feeds/operation/cacheFeeds
- Parameters:
feed (
MISPFeed
|int
|str
|UUID
) – feed to cache- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- cache_freetext_feeds()[source]¶
Cache all the freetext feeds
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- cache_misp_feeds()[source]¶
Cache all the MISP feeds
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- change_sharing_group_on_entity(misp_entity, sharing_group_id, pythonify=False)[source]¶
Change the sharing group of an event, an attribute, or an object
- Parameters:
misp_entity (
MISPEvent
|MISPAttribute
|MISPObject
) – entity to changesharing_group_id (
int
) – group to changepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPEvent
|MISPObject
|MISPAttribute
|MISPShadowAttribute
- change_user_password(new_password)[source]¶
Change the password of the curent user:
- Parameters:
new_password (
str
) – password to set- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- clean_correlation_exclusions()[source]¶
Initiate correlation exclusions cleanup
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- communities(pythonify=False)[source]¶
Get all the communities
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPCommunity
] |list
[dict
[str
,Any
]]
- compare_feeds()[source]¶
Generate the comparison matrix for all the MISP feeds
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- contact_event_reporter(event, message)[source]¶
Send a message to the reporter of an event
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event with reporter to contactmessage (
str
) – message to send
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- correlation_exclusions(pythonify=False)[source]¶
Get all the correlation exclusions
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPCorrelationExclusion
] |list
[dict
[str
,Any
]]
- db_schema_diagnostic()[source]¶
Get the schema diagnostic
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- decaying_models(pythonify=False)[source]¶
Get all the decaying models
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output- Return type:
dict
[str
,Any
] |list
[MISPDecayingModel
] |list
[dict
[str
,Any
]]
- delegate_event(event=None, organisation=None, event_delegation=None, distribution=-1, message='', pythonify=False)[source]¶
Delegate an event. Either event and organisation OR event_delegation are required
- Parameters:
event (
MISPEvent
|int
|str
|UUID
|None
) – event to delegateorganisation (
MISPOrganisation
|int
|str
|UUID
|None
) – organizationevent_delegation (
MISPEventDelegation
|None
) – event delegationdistribution (
int
) – distribution == -1 means recipient decidesmessage (
str
) – messagepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPEventDelegation
- delete_analyst_data(analyst_data)[source]¶
Delete an analyst data from a MISP instance
- Parameters:
analyst_data (
MISPNote
|MISPOpinion
|MISPRelationship
|int
|str
|UUID
) – analyst data to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_attribute(attribute, hard=False)[source]¶
Delete an attribute from a MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/deleteAttribute
- Parameters:
attribute (
MISPAttribute
|int
|str
|UUID
) – attribute to deletehard (
bool
) – flag for hard delete
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_attribute_proposal(attribute)[source]¶
Propose the deletion of an attribute
- Parameters:
attribute (
MISPAttribute
|int
|str
|UUID
) – attribute to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_correlation_exclusion(correlation_exclusion)[source]¶
Delete a correlation exclusion
- Parameters:
correlation_exclusion (
MISPCorrelationExclusion
|int
|str
|UUID
) – The MISPCorrelationExclusion you wish to delete from MISP- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_event(event)[source]¶
Delete an event from a MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/deleteEvent
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_event_blocklist(event_blocklist)[source]¶
Delete a blocklisted event by id
- Parameters:
event_blocklist (
MISPEventBlocklist
|str
|UUID
) – event block list to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_event_report(event_report, hard=False)[source]¶
Delete an event report from a MISP instance
- Parameters:
event_report (
MISPEventReport
|int
|str
|UUID
) – event report to deletehard (
bool
) – flag for hard delete
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_feed(feed)[source]¶
Delete a feed from a MISP instance
- Parameters:
feed (
MISPFeed
|int
|str
|UUID
) – feed to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_galaxy_cluster(galaxy_cluster, hard=False)[source]¶
Deletes a galaxy cluster from MISP: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/deleteGalaxyCluster
- Parameters:
galaxy_cluster (
MISPGalaxyCluster
|int
|str
|UUID
) – The MISPGalaxyCluster you wish to delete from MISPhard (
bool
) – flag for hard delete
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_galaxy_cluster_relation(galaxy_cluster_relation)[source]¶
Delete a galaxy cluster relation
- Parameters:
galaxy_cluster_relation (
MISPGalaxyClusterRelation
|int
|str
|UUID
) – The MISPGalaxyClusterRelation to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_note(note)[source]¶
Delete a note from a MISP instance
- Parameters:
note (
MISPNote
|int
|str
|UUID
) – note delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_object(misp_object, hard=False)[source]¶
Delete an object from a MISP instance: https://www.misp-project.org/openapi/#tag/Objects/operation/deleteObject
- Parameters:
misp_object (
MISPObject
|int
|str
|UUID
) – object to deletehard (
bool
) – flag for hard delete
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_object_reference(object_reference, hard=False)[source]¶
Delete a reference to an object.
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_opinion(opinion)[source]¶
Delete an opinion from a MISP instance
- Parameters:
opinion (
MISPOpinion
|int
|str
|UUID
) – opinion to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_organisation(organisation)[source]¶
Delete an organisation by id: https://www.misp-project.org/openapi/#tag/Organisations/operation/deleteOrganisation
- Parameters:
organisation (
MISPOrganisation
|int
|str
|UUID
) – organization to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_organisation_blocklist(organisation_blocklist)[source]¶
Delete a blocklisted organisation by id
- Parameters:
organisation_blocklist (
MISPOrganisationBlocklist
|str
|UUID
) – organization block list to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_relationship(relationship)[source]¶
Delete a relationship from a MISP instance
- Parameters:
relationship (
MISPRelationship
|int
|str
|UUID
) – relationship to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_role(role)[source]¶
Delete a role
- Parameters:
role (
MISPRole
|int
|str
|UUID
) – role to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_server(server)[source]¶
Delete a sync server: https://www.misp-project.org/openapi/#tag/Servers/operation/getServers
- Parameters:
server (
MISPServer
|int
|str
|UUID
) – sync server config- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_sharing_group(sharing_group)[source]¶
Delete a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/deleteSharingGroup
- Parameters:
sharing_group (
MISPSharingGroup
|int
|str
|UUID
) – sharing group to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_sighting(sighting)[source]¶
Delete a sighting from a MISP instance: https://www.misp-project.org/openapi/#tag/Sightings/operation/deleteSighting
- Parameters:
sighting (
MISPSighting
|int
|str
|UUID
) – sighting to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_tag(tag)[source]¶
Delete a tag from a MISP instance: https://www.misp-project.org/openapi/#tag/Tags/operation/deleteTag
- Parameters:
tag (
MISPTag
|int
|str
|UUID
) – tag to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_user(user)[source]¶
Delete a user by id: https://www.misp-project.org/openapi/#tag/Users/operation/deleteUser
- Parameters:
user (
MISPUser
|int
|str
|UUID
) – user to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_user_setting(user_setting, user=None)[source]¶
Delete a user setting: https://www.misp-project.org/openapi/#tag/UserSettings/operation/deleteUserSettingById
- Parameters:
user_setting (
str
) – name of user settinguser (
MISPUser
|int
|str
|UUID
|None
) – user
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- property describe_types_local: dict[str, Any] | list[dict[str, Any]]¶
Returns the content of describe types from the package
- property describe_types_remote: dict[str, Any] | list[dict[str, Any]]¶
Returns the content of describe types from the remote instance
- direct_call(url, data=None, params={}, kw_params={})[source]¶
Very lightweight call that posts a data blob (python dictionary or json string) on the URL
- Parameters:
url (
str
) – URL to post todata (
dict
[str
,Any
] |None
) – data to postparams (
Mapping
[str
,Any
]) – dict with parameters for requestkw_params (
Mapping
[str
,Any
]) – dict with keyword parameters for request
- Return type:
Any
- disable_decaying_model(decaying_model)[source]¶
Disable a decaying Model
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- disable_feed(feed, pythonify=False)[source]¶
Disable a feed: https://www.misp-project.org/openapi/#tag/Feeds/operation/disableFeed
- disable_noticelist(noticelist)[source]¶
Disable a noticelist by id
- Parameters:
noticelist (
MISPNoticelist
|int
|str
|UUID
) – Noticelist to disable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- disable_taxonomy(taxonomy)[source]¶
Disable a taxonomy: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/disableTaxonomy
- Parameters:
taxonomy (
MISPTaxonomy
|int
|str
|UUID
) – taxonomy to disable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- disable_taxonomy_tags(taxonomy)[source]¶
Disable all the tags of a taxonomy
- Parameters:
taxonomy (
MISPTaxonomy
|int
|str
|UUID
) – taxonomy with tags to disable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- disable_warninglist(warninglist)[source]¶
Disable a warninglist
- Parameters:
warninglist (
MISPWarninglist
|int
|str
|UUID
) – warninglist to disable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- discard_attribute_proposal(proposal)[source]¶
Discard a proposal. You cannot modify an existing proposal, only accept/discard
- Parameters:
proposal (
MISPShadowAttribute
|int
|str
|UUID
) – attribute proposal to discard- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- discard_event_delegation(delegation, pythonify=False)[source]¶
Discard the delegation of an event
- Parameters:
delegation (
MISPEventDelegation
|int
|str
) – event delegation to discardpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- discard_user_registration(registration)[source]¶
Discard a user registration
- Parameters:
registration (
MISPInbox
|int
|str
|UUID
) – the registration to discard- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- enable_decaying_model(decaying_model)[source]¶
Enable a decaying Model
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- enable_feed(feed, pythonify=False)[source]¶
Enable a feed; fetching it will create event(s): https://www.misp-project.org/openapi/#tag/Feeds/operation/enableFeed
- enable_noticelist(noticelist)[source]¶
Enable a noticelist by id: https://www.misp-project.org/openapi/#tag/Noticelists/operation/toggleEnableNoticelist
- Parameters:
noticelist (
MISPNoticelist
|int
|str
|UUID
) – Noticelist to enable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- enable_taxonomy(taxonomy)[source]¶
Enable a taxonomy: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/enableTaxonomy
- Parameters:
taxonomy (
MISPTaxonomy
|int
|str
|UUID
) – taxonomy to enable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- enable_taxonomy_tags(taxonomy)[source]¶
Enable all the tags of a taxonomy. NOTE: this is automatically done when you call enable_taxonomy
- Parameters:
taxonomy (
MISPTaxonomy
|int
|str
|UUID
) – taxonomy with tags to enable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- enable_warninglist(warninglist)[source]¶
Enable a warninglist
- Parameters:
warninglist (
MISPWarninglist
|int
|str
|UUID
) – warninglist to enable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- event_blocklists(pythonify=False)[source]¶
Get all the blocklisted events
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPEventBlocklist
] |list
[dict
[str
,Any
]]
- event_delegations(pythonify=False)[source]¶
Get all the event delegations
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPEventDelegation
] |list
[dict
[str
,Any
]]
- event_exists(event)[source]¶
Fast check if event exists.
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – Event to check- Return type:
bool
- events(pythonify=False)[source]¶
Get all the events from the MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/getEvents
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPEvent
] |list
[dict
[str
,Any
]]
- feeds(pythonify=False)[source]¶
Get the list of existing feeds: https://www.misp-project.org/openapi/#tag/Feeds/operation/getFeeds
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPFeed
] |list
[dict
[str
,Any
]]
- fetch_feed(feed)[source]¶
Fetch one single feed by id: https://www.misp-project.org/openapi/#tag/Feeds/operation/fetchFromFeed
- Parameters:
feed (
MISPFeed
|int
|str
|UUID
) – feed to fetch- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- fork_galaxy_cluster(galaxy, galaxy_cluster, pythonify=False)[source]¶
Forks an existing galaxy cluster, creating a new one with matching attributes
- Parameters:
galaxy (
MISPGalaxy
|int
|str
|UUID
) – The galaxy (or galaxy ID) where the cluster you want to fork residesgalaxy_cluster (
MISPGalaxyCluster
) – The galaxy cluster you wish to forkpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPGalaxyCluster
- freetext(event, string, adhereToWarninglists=False, distribution=None, returnMetaAttributes=False, pythonify=False, **kwargs)[source]¶
Pass a text to the freetext importer
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – eventstring (
str
) – queryadhereToWarninglists (
bool
|str
) – flagdistribution (
int
|None
) – distribution == -1 means recipient decidesreturnMetaAttributes (
bool
) – flagpythonify (
bool
) – Returns a PyMISP Object instead of the plain json outputkwargs – kwargs passed to prepare_request
- Return type:
dict
[str
,Any
] |list
[MISPAttribute
] |list
[dict
[str
,Any
]]
- galaxies(withCluster=False, pythonify=False)[source]¶
Get all the galaxies: https://www.misp-project.org/openapi/#tag/Galaxies/operation/getGalaxies
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPGalaxy
] |list
[dict
[str
,Any
]]
- get_all_functions(not_implemented=False)[source]¶
Get all methods available via the API, including ones that are not implemented.
- Return type:
list
[str
]
- get_analyst_data(analyst_data, pythonify=False)[source]¶
Get an analyst data from a MISP instance
- Parameters:
analyst_data (
AnalystDataBehaviorMixin
|int
|str
|UUID
) – analyst data to getpythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
- Return type:
dict
[str
,Any
] |MISPNote
|MISPOpinion
|MISPRelationship
- get_attribute(attribute, pythonify=False)[source]¶
Get an attribute from a MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/getAttributeById
- Parameters:
attribute (
MISPAttribute
|int
|str
|UUID
) – attribute to getpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPAttribute
- get_attribute_proposal(proposal, pythonify=False)[source]¶
Get an attribute proposal
- Parameters:
proposal (
MISPShadowAttribute
|int
|str
|UUID
) – proposal to getpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPShadowAttribute
- get_community(community, pythonify=False)[source]¶
Get a community by id from a MISP instance
- Parameters:
community (
MISPCommunity
|int
|str
|UUID
) – community to getpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPCommunity
- get_correlation_exclusion(correlation_exclusion, pythonify=False)[source]¶
Get a correlation exclusion by ID
- Parameters:
correlation_exclusion (
MISPCorrelationExclusion
|int
|str
|UUID
) – Correlation exclusion to getpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPCorrelationExclusion
- get_event(event, deleted=False, extended=False, pythonify=False)[source]¶
Get an event from a MISP instance. Includes collections like Attribute, EventReport, Feed, Galaxy, Object, Tag, etc. so the response size may be large : https://www.misp-project.org/openapi/#tag/Events/operation/getEventById
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event to getdeleted (
bool
|int
|list
[int
]) – whether to include soft-deleted attributesextended (
bool
|int
) – whether to get extended eventspythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
- Return type:
dict
[str
,Any
] |MISPEvent
- get_event_report(event_report, pythonify=False)[source]¶
Get an event report from a MISP instance
- Parameters:
event_report (
MISPEventReport
|int
|str
|UUID
) – event report to getpythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
- Return type:
dict
[str
,Any
] |MISPEventReport
- get_event_reports(event_id, pythonify=False)[source]¶
Get event report from a MISP instance that are attached to an event ID
- Parameters:
event_id (
int
|str
) – event id to get the event reports forpythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output.
- Return type:
dict
[str
,Any
] |list
[MISPEventReport
] |list
[dict
[str
,Any
]]
- get_feed(feed, pythonify=False)[source]¶
Get a feed by id: https://www.misp-project.org/openapi/#tag/Feeds/operation/getFeedById
- get_galaxy(galaxy, withCluster=False, pythonify=False)[source]¶
Get a galaxy by id: https://www.misp-project.org/openapi/#tag/Galaxies/operation/getGalaxyById
- Parameters:
galaxy (
MISPGalaxy
|int
|str
|UUID
) – galaxy to getwithCluster (
bool
) – Include the clusters associated with the galaxypythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPGalaxy
- get_galaxy_cluster(galaxy_cluster, pythonify=False)[source]¶
Gets a specific galaxy cluster
- Parameters:
galaxy_cluster (
MISPGalaxyCluster
|int
|str
|UUID
) – The MISPGalaxyCluster you want to getpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPGalaxyCluster
- get_new_authkey(user='me')[source]¶
Get a new authorization key for a specific user, defaults to user doing the call: https://www.misp-project.org/openapi/#tag/AuthKeys/operation/addAuthKey
- Parameters:
user (
MISPUser
|int
|str
|UUID
) – The owner of the key- Return type:
str
- get_noticelist(noticelist, pythonify=False)[source]¶
Get a noticelist by id: https://www.misp-project.org/openapi/#tag/Noticelists/operation/getNoticelistById
- Parameters:
notistlist – Noticelist to get
pythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPNoticelist
- get_object(misp_object, pythonify=False)[source]¶
Get an object from the remote MISP instance: https://www.misp-project.org/openapi/#tag/Objects/operation/getObjectById
- Parameters:
misp_object (
MISPObject
|int
|str
|UUID
) – object to getpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPObject
- get_object_template(object_template, pythonify=False)[source]¶
Gets the full object template
- Parameters:
object_template (
MISPObjectTemplate
|int
|str
|UUID
) – template or ID to getpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPObjectTemplate
- get_opinion(opinion, pythonify=False)[source]¶
Get an opinion from a MISP instance
- Parameters:
opinion (
MISPOpinion
) – opinion to getpythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
- Return type:
dict
[str
,Any
] |MISPOpinion
- get_organisation(organisation, pythonify=False)[source]¶
Get an organisation by id: https://www.misp-project.org/openapi/#tag/Organisations/operation/getOrganisationById
- Parameters:
organisation (
MISPOrganisation
|int
|str
|UUID
) – organization to getpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPOrganisation
- get_raw_object_template(uuid_or_name)[source]¶
Get a row template. It needs to be present on disk on the MISP instance you’re connected to. The response of this method can be passed to MISPObject(<name>, misp_objects_template_custom=<response>)
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- get_relationship(relationship, pythonify=False)[source]¶
Get a relationship from a MISP instance
- Parameters:
relationship (
MISPRelationship
) – relationship to getpythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
- Return type:
dict
[str
,Any
] |MISPRelationship
- get_server_setting(setting)[source]¶
Get a setting from the MISP instance
- Parameters:
setting (
str
) – server setting name- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- get_sharing_group(sharing_group, pythonify=False)[source]¶
Get a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/getSharingGroupById
- Parameters:
sharing_group (
MISPSharingGroup
|int
|str
|UUID
) – sharing group to findpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPSharingGroup
- get_sync_config(pythonify=False)[source]¶
Get the sync server config. WARNING: This method only works if the user calling it is a sync user
- Parameters:
pythonify (
bool
) – Returns a PyMISP Object instead of the plain json output- Return type:
dict
[str
,Any
] |MISPServer
- get_tag(tag, pythonify=False)[source]¶
Get a tag by id: https://www.misp-project.org/openapi/#tag/Tags/operation/getTagById
- get_taxonomy(taxonomy, pythonify=False)[source]¶
Get a taxonomy by id or namespace from a MISP instance: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/getTaxonomyById
- Parameters:
taxonomy (
MISPTaxonomy
|int
|str
|UUID
) – taxonomy to getpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPTaxonomy
- get_user(user='me', pythonify=False, expanded=False)[source]¶
Get a user by id: https://www.misp-project.org/openapi/#tag/Users/operation/getUsers
- Parameters:
user (
MISPUser
|int
|str
|UUID
) – user to get; me means the owner of the API key doing the querypythonify (
bool
) – Returns a PyMISP Object instead of the plain json outputexpanded (
bool
) – Also returns a MISPRole and a MISPUserSetting. Only taken in account if pythonify is True.
- Return type:
dict
[str
,Any
] |MISPUser
|tuple
[MISPUser
,MISPRole
,list
[MISPUserSetting
]]
- get_user_setting(user_setting, user=None, pythonify=False)[source]¶
Get a user setting: https://www.misp-project.org/openapi/#tag/UserSettings/operation/getUserSettingById
- Parameters:
user_setting (
str
) – name of user settinguser (
MISPUser
|int
|str
|UUID
|None
) – userpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPUserSetting
- get_warninglist(warninglist, pythonify=False)[source]¶
Get a warninglist by id: https://www.misp-project.org/openapi/#tag/Warninglists/operation/getWarninglistById
- Parameters:
warninglist (
MISPWarninglist
|int
|str
|UUID
) – warninglist to getpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPWarninglist
- import_server(server, pythonify=False)[source]¶
Import a sync server config received from get_sync_config
- Parameters:
server (
MISPServer
) – sync server configpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPServer
- load_default_feeds()[source]¶
Load all the default feeds.
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- property misp_instance_version: dict[str, Any] | list[dict[str, Any]]¶
Returns the version of the instance.
- property misp_instance_version_master: dict[str, Any] | list[dict[str, Any]]¶
Get the most recent version from github
- noticelists(pythonify=False)[source]¶
Get all the noticelists: https://www.misp-project.org/openapi/#tag/Noticelists/operation/getNoticelists
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPNoticelist
] |list
[dict
[str
,Any
]]
- object_exists(misp_object)[source]¶
Fast check if object exists.
- Parameters:
misp_object (
MISPObject
|int
|str
|UUID
) – Attribute to check- Return type:
bool
- object_templates(pythonify=False)[source]¶
Get all the object templates
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPObjectTemplate
] |list
[dict
[str
,Any
]]
- organisation_blocklists(pythonify=False)[source]¶
Get all the blocklisted organisations
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPOrganisationBlocklist
] |list
[dict
[str
,Any
]]
- organisation_exists(organisation)[source]¶
Fast check if organisation exists.
- Parameters:
organisation (
MISPOrganisation
|int
|str
|UUID
) – Organisation to check- Return type:
bool
- organisations(scope='local', search=None, pythonify=False)[source]¶
Get all the organisations: https://www.misp-project.org/openapi/#tag/Organisations/operation/getOrganisations
- Parameters:
scope (
str
) – scope of organizations to getsearch (
str
|None
) – The search to make against the list of organisationspythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
- Return type:
dict
[str
,Any
] |list
[MISPOrganisation
] |list
[dict
[str
,Any
]]
- publish(event, alert=False)[source]¶
Publish the event with one single HTTP POST: https://www.misp-project.org/openapi/#tag/Events/operation/publishEvent
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event to publishalert (
bool
) – whether to send an email. The default is to not send a mail as it is assumed this method is called on update.
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- publish_galaxy_cluster(galaxy_cluster)[source]¶
Publishes a galaxy cluster: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/publishGalaxyCluster
- Parameters:
galaxy_cluster (
MISPGalaxyCluster
|int
|str
|UUID
) – The galaxy cluster you wish to publish- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- push_event_to_ZMQ(event)[source]¶
Force push an event by id on ZMQ
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – the event to push- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- property pymisp_version_main: dict[str, Any] | list[dict[str, Any]]¶
Get the most recent version of PyMISP from github
- property pymisp_version_master: dict[str, Any] | list[dict[str, Any]]¶
PyMISP version as defined in the main repository
- property recommended_pymisp_version: dict[str, Any] | list[dict[str, Any]]¶
Returns the recommended API version from the server
- remote_acl(debug_type='findMissingFunctionNames')[source]¶
This should return an empty list, unless the ACL is outdated.
- Parameters:
debug_type (
str
) – printAllFunctionNames, findMissingFunctionNames, or printRoleAccess- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- remove_org_from_sharing_group(sharing_group, organisation)[source]¶
Remove an organisation from a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/removeOrganisationFromSharingGroup
- Parameters:
sharing_group (
MISPSharingGroup
|int
|str
|UUID
) – Sharing group’s local instance ID, or Sharing group’s global UUIDorganisation (
MISPOrganisation
|int
|str
|UUID
) – Organisation’s local instance ID, or Organisation’s global UUID, or Organisation’s name as known to the curent instance
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- remove_server_from_sharing_group(sharing_group, server)[source]¶
Remove a server from a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/removeServerFromSharingGroup
- Parameters:
sharing_group (
MISPSharingGroup
|int
|str
|UUID
) – Sharing group’s local instance ID, or Sharing group’s global UUIDserver (
MISPServer
|int
|str
|UUID
) – Server’s local instance ID, or URL of the Server, or Server’s name as known to the curent instance
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- request_community_access(community, requestor_email_address=None, requestor_gpg_key=None, requestor_organisation_name=None, requestor_organisation_uuid=None, requestor_organisation_description=None, message=None, sync=False, anonymise_requestor_server=False, mock=False)[source]¶
Request the access to a community
- Parameters:
community (
MISPCommunity
|int
|str
|UUID
) – community to request accessrequestor_email_address (
str
|None
) – requestor emailrequestor_gpg_key (
str
|None
) – requestor keyrequestor_organisation_name (
str
|None
) – requestor org namerequestor_organisation_uuid (
str
|None
) – requestor org IDrequestor_organisation_description (
str
|None
) – requestor org descmessage (
str
|None
) – requestor messagesync (
bool
) – synchronize flaganonymise_requestor_server (
bool
) – anonymise flagmock (
bool
) – mock flag
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- restart_workers()[source]¶
Restart all the workers
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- restore_attribute(attribute, pythonify=False)[source]¶
Restore a soft deleted attribute from a MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/restoreAttribute
- Parameters:
attribute (
MISPAttribute
|int
|str
|UUID
) – attribute to restore- Return type:
dict
[str
,Any
] |MISPAttribute
- roles(pythonify=False)[source]¶
Get the existing roles
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPRole
] |list
[dict
[str
,Any
]]
- search(controller='events', return_format='json', limit=None, page=None, value=None, type_attribute=None, category=None, org=None, tags=None, event_tags=None, quick_filter=None, quickFilter=None, date_from=None, date_to=None, eventid=None, with_attachments=None, withAttachments=None, metadata=None, uuid=None, publish_timestamp=None, last=None, timestamp=None, published=None, enforce_warninglist=None, enforceWarninglist=None, to_ids=None, deleted=None, include_event_uuid=None, includeEventUuid=None, include_event_tags=None, includeEventTags=None, event_timestamp=None, sg_reference_only=None, eventinfo=None, searchall=None, requested_attributes=None, include_context=None, includeContext=None, headerless=None, include_sightings=None, includeSightings=None, include_correlations=None, includeCorrelations=None, include_decay_score=None, includeDecayScore=None, object_name=None, exclude_decayed=None, sharinggroup=None, pythonify=False, **kwargs)[source]¶
Search in the MISP instance
- Parameters:
controller (
str
) –Controller to search on, it can be events, objects, attributes. The response will either be a list of events, objects, or attributes. Reference documentation for each controller:
return_format (
str
) – Set the return format of the search (Currently supported: json, xml, openioc, suricata, snort - more formats are being moved to restSearch with the goal being that all searches happen through this API). Can be passed as the first parameter after restSearch or via the JSON payload.limit (
int
|None
) – Limit the number of results returned, depending on the scope (for example 10 attributes or 10 full events).page (
int
|None
) – If a limit is set, sets the page to be returned. page 3, limit 100 will return records 201->300).value (
Optional
[TypeVar
(SearchParameterTypes
,str
,List
[Union
[str
,int
]],Dict
[str
,Union
[str
,int
]])]) – Search for the given value in the attributes’ value field.type_attribute (
Optional
[TypeVar
(SearchParameterTypes
,str
,List
[Union
[str
,int
]],Dict
[str
,Union
[str
,int
]])]) – The attribute type, any valid MISP attribute type is accepted.category (
Optional
[TypeVar
(SearchParameterTypes
,str
,List
[Union
[str
,int
]],Dict
[str
,Union
[str
,int
]])]) – The attribute category, any valid MISP attribute category is accepted.org (
Optional
[TypeVar
(SearchParameterTypes
,str
,List
[Union
[str
,int
]],Dict
[str
,Union
[str
,int
]])]) – Search by the creator organisation by supplying the organisation identifier.tags (
Optional
[TypeVar
(SearchParameterTypes
,str
,List
[Union
[str
,int
]],Dict
[str
,Union
[str
,int
]])]) – Tags to search or to exclude. You can pass a list, or the output of build_complex_queryevent_tags (
Optional
[TypeVar
(SearchParameterTypes
,str
,List
[Union
[str
,int
]],Dict
[str
,Union
[str
,int
]])]) – Tags to search or to exclude at the event level. You can pass a list, or the output of build_complex_queryquick_filter (
str
|None
) – The string passed to this field will ignore all of the other arguments. MISP will return an xml / json (depending on the header sent) of all events that have a sub-string match on value in the event info, event orgc, or any of the attribute value1 / value2 fields, or in the attribute comment.date_from (
datetime
|date
|int
|str
|float
|None
) – Events with the date set to a date after the one specified. This filter will use the date of the event.date_to (
datetime
|date
|int
|str
|float
|None
) – Events with the date set to a date before the one specified. This filter will use the date of the event.eventid (
Optional
[TypeVar
(SearchType
,str
,int
)]) – The events that should be included / excluded from the searchwith_attachments (
bool
|None
) – If set, encodes the attachments / zipped malware samples as base64 in the data field within each attributemetadata (
bool
|None
) – Only the metadata (event, tags, relations) is returned, attributes and proposals are omitted.uuid (
str
|None
) – Restrict the results by uuid.publish_timestamp (
None
|datetime
|date
|int
|str
|float
|tuple
[datetime
|date
|int
|str
|float
|None
,datetime
|date
|int
|str
|float
|None
]) – Restrict the results by the last publish timestamp (newer than).timestamp (
None
|datetime
|date
|int
|str
|float
|tuple
[datetime
|date
|int
|str
|float
|None
,datetime
|date
|int
|str
|float
|None
]) – Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute’s timestamp will be used for the lookup. The input can be a timestamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example [“14d”, “7d”]).published (
bool
|None
) – Set whether published or unpublished events should be returned. Do not set the parameter if you want both.enforce_warninglist (
bool
|None
) – Remove any attributes from the result that would cause a hit on a warninglist entry.to_ids (
Union
[TypeVar
(ToIDSType
,str
,int
,bool
),list
[TypeVar
(ToIDSType
,str
,int
,bool
)],None
]) – By default all attributes are returned that match the other filter parameters, regardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. 0 for the ones with to_ids set to False.deleted (
str
|None
) – If this parameter is set to 1, it will only return soft-deleted attributes. [“0”, “1”] will return the active ones as well as the soft-deleted ones.include_event_uuid (
bool
|None
) – Instead of just including the event ID, also include the event UUID in each of the attributes.include_event_tags (
bool
|None
) – Include the event level tags in each of the attributes.event_timestamp (
datetime
|date
|int
|str
|float
|None
) – Only return attributes from events that have received a modification after the given timestamp.sg_reference_only (
bool
|None
) – If this flag is set, sharing group objects will not be included, instead only the sharing group ID is set.eventinfo (
str
|None
) – Filter on the event’s info field.searchall (
bool
|None
) – Search for a full or a substring (delimited by % for substrings) in the event info, event tags, attribute tags, attribute values or attribute comment fields.requested_attributes (
str
|None
) – [CSV only] Select the fields that you wish to include in the CSV export. By setting event level fields additionally, includeContext is not required to get event metadata.include_context (
bool
|None
) – [Attribute only] Include the event data with each attribute. [CSV output] Add event level metadata in every line of the CSV.headerless (
bool
|None
) – [CSV Only] The CSV created when this setting is set to true will not contain the header row.include_sightings (
bool
|None
) – [JSON Only - Attribute] Include the sightings of the matching attributes.include_decay_score (
bool
|None
) – Include the decay score at attribute level.include_correlations (
bool
|None
) – [JSON Only - attribute] Include the correlations of the matching attributes.object_name (
str
|None
) – [objects controller only] Search for objects with that nameexclude_decayed (
bool
|None
) – [attributes controller only] Exclude the decayed attributes from the responsesharinggroup (
int
|list
[int
] |None
) – Filter by sharing group ID(s)pythonify (
bool
|None
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
- Return type:
dict
[str
,Any
] |str
|list
[MISPEvent
|MISPAttribute
|MISPObject
] |list
[dict
[str
,Any
]]
Deprecated:
- Parameters:
quickFilter (
str
|None
) – synonym for quick_filterwithAttachments (
bool
|None
) – synonym for with_attachmentslast (
None
|datetime
|date
|int
|str
|float
|tuple
[datetime
|date
|int
|str
|float
|None
,datetime
|date
|int
|str
|float
|None
]) – synonym for publish_timestampenforceWarninglist (
bool
|None
) – synonym for enforce_warninglistincludeEventUuid (
bool
|None
) – synonym for include_event_uuidincludeEventTags (
bool
|None
) – synonym for include_event_tagsincludeContext (
bool
|None
) – synonym for include_context
- search_feeds(value=None, pythonify=False)[source]¶
Search in the feeds cached on the servers
- Return type:
dict
[str
,Any
] |list
[MISPFeed
] |list
[dict
[str
,Any
]]
- search_galaxy(value, withCluster=False, pythonify=False)[source]¶
Text search to find a matching galaxy name, namespace, description, or uuid.
- Return type:
dict
[str
,Any
] |list
[MISPGalaxy
] |list
[dict
[str
,Any
]]
- search_galaxy_clusters(galaxy, context='all', searchall=None, pythonify=False)[source]¶
Searches the galaxy clusters within a specific galaxy: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/getGalaxyClusters and https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/getGalaxyClusterById
- Parameters:
galaxy (
MISPGalaxy
|int
|str
|UUID
) – The MISPGalaxy you wish to search incontext (
str
) – The context of how you want to search within the galaxy_searchall (
str
|None
) – The search you want to make against the galaxy and contextpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |list
[MISPGalaxyCluster
] |list
[dict
[str
,Any
]]
- search_index(all=None, attribute=None, email=None, published=None, hasproposal=None, eventid=None, tags=None, date_from=None, date_to=None, eventinfo=None, threatlevel=None, distribution=None, analysis=None, org=None, timestamp=None, publish_timestamp=None, sharinggroup=None, minimal=None, sort=None, desc=None, limit=None, page=None, pythonify=None)[source]¶
Search event metadata shown on the event index page. Using ! in front of a value means NOT, except for parameters date_from, date_to and timestamp which cannot be negated. Criteria are AND-ed together; values in lists are OR-ed together. Return matching events with metadata but no attributes or objects; also see minimal parameter.
- Parameters:
all (
str
|None
) – Search for a full or a substring (delimited by % for substrings) in the event info, event tags, attribute tags, attribute values or attribute comment fields.attribute (
str
|None
) – Filter on attribute’s value.email (
str
|None
) – Filter on user’s email.published (
bool
|None
) – Set whether published or unpublished events should be returned. Do not set the parameter if you want both.hasproposal (
bool
|None
) – Filter for events containing proposal(s).eventid (
Optional
[TypeVar
(SearchType
,str
,int
)]) – The events that should be included / excluded from the searchtags (
Optional
[TypeVar
(SearchParameterTypes
,str
,List
[Union
[str
,int
]],Dict
[str
,Union
[str
,int
]])]) – Tags to search or to exclude. You can pass a list, or the output of build_complex_querydate_from (
datetime
|date
|int
|str
|float
|None
) – Events with the date set to a date after the one specified. This filter will use the date of the event.date_to (
datetime
|date
|int
|str
|float
|None
) – Events with the date set to a date before the one specified. This filter will use the date of the event.eventinfo (
str
|None
) – Filter on the event’s info field.threatlevel (
list
[TypeVar
(SearchType
,str
,int
)] |None
) – Threat level(s) (1,2,3,4) | listdistribution (
list
[TypeVar
(SearchType
,str
,int
)] |None
) – Distribution level(s) (0,1,2,3) | listanalysis (
list
[TypeVar
(SearchType
,str
,int
)] |None
) – Analysis level(s) (0,1,2) | listorg (
Optional
[TypeVar
(SearchParameterTypes
,str
,List
[Union
[str
,int
]],Dict
[str
,Union
[str
,int
]])]) – Search by the creator organisation by supplying the organisation identifier.timestamp (
None
|datetime
|date
|int
|str
|float
|tuple
[datetime
|date
|int
|str
|float
|None
,datetime
|date
|int
|str
|float
|None
]) – Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute’s timestamp will be used for the lookup.publish_timestamp (
None
|datetime
|date
|int
|str
|float
|tuple
[datetime
|date
|int
|str
|float
|None
,datetime
|date
|int
|str
|float
|None
]) – Filter on event’s publish timestamp.sharinggroup (
list
[TypeVar
(SearchType
,str
,int
)] |None
) – Restrict by a sharing group | listminimal (
bool
|None
) – Return only event ID, UUID, timestamp, sighting_timestamp and published.sort (
str
|None
) – The field to sort the events by, such as ‘id’, ‘date’, ‘attribute_count’.desc (
bool
|None
) – Whether to sort events ascending (default) or descending.limit (
int
|None
) – Limit the number of events returnedpage (
int
|None
) – If a limit is set, sets the page to be returned. page 3, limit 100 will return records 201->300).pythonify (
bool
|None
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
- Return type:
dict
[str
,Any
] |list
[MISPEvent
] |list
[dict
[str
,Any
]]
- search_logs(limit=None, page=None, log_id=None, title=None, created=None, model=None, action=None, user_id=None, change=None, email=None, org=None, description=None, ip=None, pythonify=False)[source]¶
Search in logs
Note: to run substring queries simply append/prepend/encapsulate the search term with %
- Parameters:
limit (
int
|None
) – Limit the number of results returned, depending on the scope (for example 10 attributes or 10 full events).page (
int
|None
) – If a limit is set, sets the page to be returned. page 3, limit 100 will return records 201->300).log_id (
int
|None
) – Log IDtitle (
str
|None
) – Log Titlecreated (
datetime
|date
|int
|str
|float
|None
) – Creation timestampmodel (
str
|None
) – Model name that generated the log entryaction (
str
|None
) – The thing that was doneuser_id (
int
|None
) – ID of the user doing the actionchange (
str
|None
) – Change that occuredemail (
str
|None
) – Email of the userorg (
str
|None
) – Organisation of the User doing the actiondescription (
str
|None
) – Description of the actionip (
str
|None
) – Origination IP of the User doing the actionpythonify (
bool
|None
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
- Return type:
dict
[str
,Any
] |list
[MISPLog
] |list
[dict
[str
,Any
]]
- search_sightings(context=None, context_id=None, type_sighting=None, date_from=None, date_to=None, publish_timestamp=None, last=None, org=None, source=None, include_attribute=None, include_event_meta=None, pythonify=False)[source]¶
Search sightings
- Parameters:
context (
str
|None
) – The context of the search. Can be either “attribute”, “event”, or nothing (will then match on events and attributes).context_id (
Optional
[TypeVar
(SearchType
,str
,int
)]) – Only relevant if context is either “attribute” or “event”. Then it is the relevant ID.type_sighting (
str
|None
) – Type of sightingdate_from (
datetime
|date
|int
|str
|float
|None
) – Events with the date set to a date after the one specified. This filter will use the date of the event.date_to (
datetime
|date
|int
|str
|float
|None
) – Events with the date set to a date before the one specified. This filter will use the date of the event.publish_timestamp (
None
|datetime
|date
|int
|str
|float
|tuple
[datetime
|date
|int
|str
|float
|None
,datetime
|date
|int
|str
|float
|None
]) – Restrict the results by the last publish timestamp (newer than).org (
Optional
[TypeVar
(SearchType
,str
,int
)]) – Search by the creator organisation by supplying the organisation identifier.source (
str
|None
) – Source of the sightinginclude_attribute (
bool
|None
) – Include the attribute.include_event_meta (
bool
|None
) – Include the meta information of the event.
- Return type:
dict
[str
,Any
] |list
[dict
[str
,MISPEvent
|MISPAttribute
|MISPSighting
]]
Deprecated:
- Parameters:
last (
None
|datetime
|date
|int
|str
|float
|tuple
[datetime
|date
|int
|str
|float
|None
,datetime
|date
|int
|str
|float
|None
]) – synonym for publish_timestamp- Example:
>>> misp.search_sightings(publish_timestamp='30d') # search sightings for the last 30 days on the instance [ ... ] >>> misp.search_sightings(context='attribute', context_id=6, include_attribute=True) # return list of sighting for attribute 6 along with the attribute itself [ ... ] >>> misp.search_sightings(context='event', context_id=17, include_event_meta=True, org=2) # return list of sighting for event 17 filtered with org id 2
- search_tags(tagname, strict_tagname=False, pythonify=False)[source]¶
Search for tags by name: https://www.misp-project.org/openapi/#tag/Tags/operation/searchTag
- Parameters:
tag_name – Name to search, use % for substrings matches.
strict_tagname (
bool
) – only return tags matching exactly the tag name (so skipping synonyms and cluster’s value)
- Return type:
dict
[str
,Any
] |list
[MISPTag
] |list
[dict
[str
,Any
]]
- server_pull(server, event=None)[source]¶
Initialize a pull from a sync server, optionally limited to one event: https://www.misp-project.org/openapi/#tag/Servers/operation/pullServer
- Parameters:
server (
MISPServer
|int
|str
|UUID
) – sync server configevent (
MISPEvent
|int
|str
|UUID
|None
) – event
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- server_push(server, event=None)[source]¶
Initialize a push to a sync server, optionally limited to one event: https://www.misp-project.org/openapi/#tag/Servers/operation/pushServer
- Parameters:
server (
MISPServer
|int
|str
|UUID
) – sync server configevent (
MISPEvent
|int
|str
|UUID
|None
) – event
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- server_settings()[source]¶
Get all the settings from the server
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- servers(pythonify=False)[source]¶
Get the existing servers the MISP instance can synchronise with: https://www.misp-project.org/openapi/#tag/Servers/operation/getServers
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPServer
] |list
[dict
[str
,Any
]]
- set_default_role(role)[source]¶
Set a default role for the new user accounts
- Parameters:
role (
MISPRole
|int
|str
|UUID
) – the default role to set- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- set_server_setting(setting, value, force=False)[source]¶
Set a setting on the MISP instance
- Parameters:
setting (
str
) – server setting namevalue (
str
|int
|bool
) – value to setforce (
bool
) – override value test
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- set_user_setting(user_setting, value, user=None, pythonify=False)[source]¶
Set a user setting: https://www.misp-project.org/openapi/#tag/UserSettings/operation/setUserSetting
- Parameters:
user_setting (
str
) – name of user settingvalue (
str
|dict
[str
,Any
]) – value to setuser (
MISPUser
|int
|str
|UUID
|None
) – userpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPUserSetting
- sharing_group_exists(sharing_group)[source]¶
Fast check if sharing group exists.
- Parameters:
sharing_group (
MISPSharingGroup
|int
|str
|UUID
) – Sharing group to check- Return type:
bool
- sharing_groups(pythonify=False)[source]¶
Get the existing sharing groups: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/getSharingGroup
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPSharingGroup
] |list
[dict
[str
,Any
]]
- sightings(misp_entity=None, org=None, pythonify=False)[source]¶
Get the list of sightings related to a MISPEvent or a MISPAttribute (depending on type of misp_entity): https://www.misp-project.org/openapi/#tag/Sightings/operation/getSightingsByEventId
- Parameters:
misp_entity (
AbstractMISP
|None
) – MISP entityorg (
MISPOrganisation
|int
|str
|UUID
|None
) – MISP organizationpythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
- Return type:
dict
[str
,Any
] |list
[MISPSighting
] |list
[dict
[str
,Any
]]
- tag(misp_entity, tag, local=False, relationship_type=None)[source]¶
Tag an event or an attribute.
- Parameters:
misp_entity (
AbstractMISP
|str
|dict
[str
,Any
]) – a MISPEvent, a MISP Attribute, or a UUIDtag (
MISPTag
|str
|dict
[str
,Any
]) – tag to addlocal (
bool
) – whether to tag locallyrelationship_type (
str
|None
) – Type of relationship between the tag and the attribute or event
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- tags(pythonify=False, **kw_params)[source]¶
Get the list of existing tags: https://www.misp-project.org/openapi/#tag/Tags/operation/getTags
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPTag
]
- tags_statistics(percentage=False, name_sort=False)[source]¶
Get tag statistics from the MISP instance
- Parameters:
percentage (
bool
) – get percentagesname_sort (
bool
) – sort by name
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- taxonomies(pythonify=False)[source]¶
Get all the taxonomies: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/getTaxonomies
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPTaxonomy
] |list
[dict
[str
,Any
]]
- test_server(server)[source]¶
Test if a sync link is working as expected
- Parameters:
server (
MISPServer
|int
|str
|UUID
) – sync server config- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- toggle_warninglist(warninglist_id=None, warninglist_name=None, force_enable=None)[source]¶
Toggle (enable/disable) the status of a warninglist by id: https://www.misp-project.org/openapi/#tag/Warninglists/operation/toggleEnableWarninglist
- Parameters:
warninglist_id (
str
|int
|list
[int
] |None
) – ID of the WarningListwarninglist_name (
str
|list
[str
] |None
) – name of the WarningListforce_enable (
bool
|None
) – Force the warning list in the enabled state (does nothing if already enabled) - None means toggle.
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- unpublish(event)[source]¶
Unpublish the event with one single HTTP POST: https://www.misp-project.org/openapi/#tag/Events/operation/unpublishEvent
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event to unpublish- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- untag(misp_entity, tag)[source]¶
Untag an event or an attribute
- Parameters:
misp_entity (
AbstractMISP
|str
|dict
[str
,Any
]) – misp_entity can be a UUIDtag (
MISPTag
|str
) – tag to remove
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- update_analyst_data(analyst_data, analyst_data_id=None, pythonify=False)[source]¶
Update an analyst data on a MISP instance
- Parameters:
analyst_data (
MISPNote
|MISPOpinion
|MISPRelationship
) – analyst data to updateanalyst_data_id (
int
|None
) – analyst data ID to updatepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPNote
|MISPOpinion
|MISPRelationship
- update_attribute(attribute, attribute_id=None, pythonify=False)[source]¶
Update an attribute on a MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/editAttribute
- Parameters:
attribute (
MISPAttribute
) – attribute to updateattribute_id (
int
|None
) – attribute ID to updatepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPAttribute
|MISPShadowAttribute
- update_attribute_proposal(initial_attribute, attribute, pythonify=False)[source]¶
Propose a change for an attribute
- Parameters:
initial_attribute (
MISPAttribute
|int
|str
|UUID
) – attribute to changeattribute (
MISPAttribute
) – attribute to proposepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPShadowAttribute
- update_decaying_models()[source]¶
Update all the Decaying models
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- update_event(event, event_id=None, pythonify=False, metadata=False)[source]¶
Update an event on a MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/editEvent
- update_event_blocklist(event_blocklist, event_blocklist_id=None, pythonify=False)[source]¶
Update an event in the blocklist
- Parameters:
event_blocklist (
MISPEventBlocklist
) – event block listevent_blocklist_id (
int
|str
|UUID
|None
) – event block lisd idpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPEventBlocklist
- update_event_report(event_report, event_report_id=None, pythonify=False)[source]¶
Update an event report on a MISP instance
- Parameters:
event_report (
MISPEventReport
) – event report to updateevent_report_id (
int
|None
) – event report ID to updatepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPEventReport
- update_galaxies()[source]¶
Update all the galaxies: https://www.misp-project.org/openapi/#tag/Galaxies/operation/updateGalaxies
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- update_galaxy_cluster(galaxy_cluster, pythonify=False)[source]¶
Update a custom galaxy cluster: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/editGalaxyCluster
;param galaxy_cluster: The MISPGalaxyCluster you wish to update :type pythonify:
bool
:param pythonify: Returns a PyMISP Object instead of the plain json output- Return type:
dict
[str
,Any
] |MISPGalaxyCluster
- update_galaxy_cluster_relation(galaxy_cluster_relation)[source]¶
Update a galaxy cluster relation
- Parameters:
galaxy_cluster_relation (
MISPGalaxyClusterRelation
) – The MISPGalaxyClusterRelation to update- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- update_noticelists()[source]¶
Update all the noticelists: https://www.misp-project.org/openapi/#tag/Noticelists/operation/updateNoticelists
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- update_object(misp_object, object_id=None, pythonify=False)[source]¶
Update an object on a MISP instance
- Parameters:
misp_object (
MISPObject
) – object to updateobject_id (
int
|None
) – ID of object to updatepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPObject
- update_object_templates()[source]¶
Trigger an update of the object templates
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- update_opinion(opinion, opinion_id=None, pythonify=False)[source]¶
Update an opinion on a MISP instance
- Parameters:
opinion (
MISPOpinion
) – opinion to updateopinion_id (
int
|None
) – opinion ID to updatepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPOpinion
- update_organisation(organisation, organisation_id=None, pythonify=False)[source]¶
Update an organisation: https://www.misp-project.org/openapi/#tag/Organisations/operation/editOrganisation
- Parameters:
organisation (
MISPOrganisation
) – organization to updateorganisation_id (
int
|None
) – id to updatepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPOrganisation
- update_organisation_blocklist(organisation_blocklist, organisation_blocklist_id=None, pythonify=False)[source]¶
Update an organisation in the blocklist
- Parameters:
organisation_blocklist (
MISPOrganisationBlocklist
) – organization block listorganisation_blocklist_id (
int
|str
|UUID
|None
) – organization block lisd idpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPOrganisationBlocklist
- update_relationship(relationship, relationship_id=None, pythonify=False)[source]¶
Update a relationship on a MISP instance
- Parameters:
relationship (
MISPRelationship
) – relationship to updaterelationship_id (
int
|None
) – relationship ID to updatepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPRelationship
- update_server(server, server_id=None, pythonify=False)[source]¶
Update a server to synchronise with: https://www.misp-project.org/openapi/#tag/Servers/operation/getServers
- Parameters:
server (
MISPServer
) – sync server configpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPServer
- update_sharing_group(sharing_group, sharing_group_id=None, pythonify=False)[source]¶
Update sharing group parameters: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/editSharingGroup :rtype:
dict
[str
,Any
] |MISPSharingGroup
- Parameters:
sharing_group (
MISPSharingGroup
|dict
[str
,Any
]) – MISP Sharing Group
:param sharing_group_id Sharing group ID :type pythonify:
bool
:param pythonify: Returns a PyMISP Object instead of the plain json output
- update_tag(tag, tag_id=None, pythonify=False)[source]¶
Edit only the provided parameters of a tag: https://www.misp-project.org/openapi/#tag/Tags/operation/editTag
- update_taxonomies()[source]¶
Update all the taxonomies: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/updateTaxonomies
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- update_user(user, user_id=None, pythonify=False)[source]¶
Update a user on a MISP instance: https://www.misp-project.org/openapi/#tag/Users/operation/editUser
- update_warninglists()[source]¶
Update all the warninglists: https://www.misp-project.org/openapi/#tag/Warninglists/operation/updateWarninglists
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- upload_stix(path=None, data=None, version='2')[source]¶
Upload a STIX file to MISP.
- Parameters:
path (
str
|Path
|BytesIO
|StringIO
|None
) – Path to the STIX on the disk (can be a path-like object, or a pseudofile)data (
str
|bytes
|None
) – stix objectversion (
str
) – Can be 1 or 2
- Return type:
Response
- user_registrations(pythonify=False)[source]¶
Get all the user registrations
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPInbox
] |list
[dict
[str
,Any
]]
- user_settings(pythonify=False)[source]¶
Get all the user settings: https://www.misp-project.org/openapi/#tag/UserSettings/operation/getUserSettings
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPUserSetting
] |list
[dict
[str
,Any
]]
- users(search=None, organisation=None, pythonify=False)[source]¶
Get all the users, or a filtered set of users: https://www.misp-project.org/openapi/#tag/Users/operation/getUsers
- Parameters:
search (
str
|None
) – The search to make against the list of usersorganisation (
int
|None
) – The ID of an organisation to filter againstpythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
- Return type:
dict
[str
,Any
] |list
[MISPUser
] |list
[dict
[str
,Any
]]
- users_statistics(context='data')[source]¶
Get user statistics from the MISP instance
- Parameters:
context (
str
) – one of ‘data’, ‘orgs’, ‘users’, ‘tags’, ‘attributehistogram’, ‘sightings’, ‘galaxyMatrix’- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- values_in_warninglist(value)[source]¶
Check if IOC values are in warninglist
- Parameters:
value (
Iterable
[str
]) – iterator with values to check- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- property version: dict[str, Any] | list[dict[str, Any]]¶
Returns the version of PyMISP you’re currently using
- warninglists(pythonify=False)[source]¶
Get all the warninglists: https://www.misp-project.org/openapi/#tag/Warninglists/operation/getWarninglists
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPWarninglist
]
- class pymisp.ThreatLevel(value, names=<not given>, *values, module=None, qualname=None, type=None, start=1, boundary=None)[source]¶
- exception pymisp.UnknownMISPObjectTemplate(message)[source]¶
Exception raised when the template is unknown
- pymisp.register_user(misp_url, email, organisation=None, org_id=None, org_name=None, message=None, custom_perms=None, perm_sync=False, perm_publish=False, perm_admin=False, verify=True)[source]¶
Ask for the creation of an account for the user with the given email address
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
PyMISP¶
- class pymisp.PyMISP(url, key, ssl=True, debug=False, proxies=None, cert=None, auth=None, tool='', timeout=None, http_headers=None, https_adapter=None, http_auth_header_name='Authorization')[source]¶
Python API for MISP
- Parameters:
url (
str
) – URL of the MISP instance you want to connect tokey (
str
) – API key of the user you want to usessl (
bool
|str
) – can be True or False (to check or to not check the validity of the certificate. Or a CA_BUNDLE in case of self signed or other certificate (the concatenation of all the crt of the chain)debug (
bool
) – Write all the debug information to stderrproxies (
Optional
[MutableMapping
[str
,str
]]) – Proxy dict, as described here: http://docs.python-requests.org/en/master/user/advanced/#proxiescert (
str
|tuple
[str
,str
] |None
) – Client certificate, as described here: http://docs.python-requests.org/en/master/user/advanced/#client-side-certificatesauth (
AuthBase
|None
) – The auth parameter is passed directly to requests, as described here: http://docs.python-requests.org/en/master/user/authentication/tool (
str
) – The software using PyMISP (string), used to set a unique user-agenthttp_headers (
dict
[str
,str
] |None
) – Arbitrary headers to pass to all the requests.https_adapter (
BaseAdapter
|None
) – Arbitrary HTTPS adapter for the requests session.http_auth_header_name (
str
) – The name of the HTTP header to use for the API key. Can be either “Authorization” or “X-MISP-AUTH”.timeout (
float
|tuple
[float
,float
] |None
) – Timeout, as described here: https://requests.readthedocs.io/en/master/user/advanced/#timeouts
- accept_attribute_proposal(proposal)[source]¶
Accept a proposal. You cannot modify an existing proposal, only accept/discard
- Parameters:
proposal (
MISPShadowAttribute
|int
|str
|UUID
) – attribute proposal to accept- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- accept_event_delegation(delegation, pythonify=False)[source]¶
Accept the delegation of an event
- Parameters:
delegation (
MISPEventDelegation
|int
|str
) – event delegation to acceptpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- accept_user_registration(registration, organisation=None, role=None, perm_sync=False, perm_publish=False, perm_admin=False, unsafe_fallback=False)[source]¶
Accept a user registration
- Parameters:
registration (
MISPInbox
|int
|str
|UUID
) – the registration to acceptorganisation (
MISPOrganisation
|int
|str
|UUID
|None
) – user organizationrole (
MISPRole
|int
|str
|None
) – user roleperm_sync (
bool
) – indicator for syncperm_publish (
bool
) – indicator for publishperm_admin (
bool
) – indicator for adminunsafe_fallback (
bool
) – indicator for unsafe fallback
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- add_analyst_data(analyst_data, pythonify=False)[source]¶
Add an analyst data to an existing MISP element
- Parameters:
analyst_data (
MISPNote
|MISPOpinion
|MISPRelationship
) – analyst_data to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPNote
|MISPOpinion
|MISPRelationship
- add_attribute(event, attribute, pythonify=False, break_on_duplicate=True)[source]¶
Add an attribute to an existing MISP event: https://www.misp-project.org/openapi/#tag/Attributes/operation/addAttribute
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event to extendattribute (
Union
[MISPAttribute
,Iterable
[str
]]) – attribute or (MISP version 2.4.113+) list of attributes to add. If a list is passed, the pythonified response is a dict with the following structure: {‘attributes’: [MISPAttribute], ‘errors’: {errors by attributes}}pythonify (
bool
) – Returns a PyMISP Object instead of the plain json outputbreak_on_duplicate (
bool
) – if False, do not fail if the attribute already exists, updates existing attribute instead (timestamp will be always updated)
- Return type:
dict
[str
,Any
] |MISPAttribute
|MISPShadowAttribute
- add_attribute_proposal(event, attribute, pythonify=False)[source]¶
Propose a new attribute in an event
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event to receive new attributeattribute (
MISPAttribute
) – attribute to proposepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPShadowAttribute
- add_correlation_exclusion(correlation_exclusion, pythonify=False)[source]¶
Add a new correlation exclusion
- Parameters:
correlation_exclusion (
MISPCorrelationExclusion
) – correlation exclusion to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPCorrelationExclusion
- add_event(event, pythonify=False, metadata=False)[source]¶
Add a new event on a MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/addEvent
- add_event_blocklist(uuids, comment=None, event_info=None, event_orgc=None)[source]¶
Add a new event in the blocklist
- Parameters:
uuids (
str
|list
[str
]) – UUIDscomment (
str
|None
) – commentevent_info (
str
|None
) – event informationevent_orgc (
str
|None
) – event organization
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- add_event_report(event, event_report, pythonify=False)[source]¶
Add an event report to an existing MISP event
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event to extendevent_report (
MISPEventReport
) – event report to add.pythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPEventReport
- add_feed(feed, pythonify=False)[source]¶
Add a new feed on a MISP instance: https://www.misp-project.org/openapi/#tag/Feeds/operation/addFeed
- add_galaxy_cluster(galaxy, galaxy_cluster, pythonify=False)[source]¶
Add a new galaxy cluster to a MISP Galaxy: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/addGalaxyCluster
- Parameters:
galaxy (
MISPGalaxy
|str
|UUID
) – A MISPGalaxy (or UUID) where you wish to add the galaxy clustergalaxy_cluster (
MISPGalaxyCluster
) – A MISPGalaxyCluster you wish to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPGalaxyCluster
- add_galaxy_cluster_relation(galaxy_cluster_relation)[source]¶
Add a galaxy cluster relation, cluster relation must include cluster UUIDs in both directions
- Parameters:
galaxy_cluster_relation (
MISPGalaxyClusterRelation
) – The MISPGalaxyClusterRelation to add- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- add_object(event, misp_object, pythonify=False, break_on_duplicate=False)[source]¶
Add a MISP Object to an existing MISP event: https://www.misp-project.org/openapi/#tag/Objects/operation/addObject
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event to extendmisp_object (
MISPObject
) – object to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json outputbreak_on_duplicate (
bool
) – if True, check and reject if this object’s attributes match an existing object’s attributes; may require much time
- Return type:
dict
[str
,Any
] |MISPObject
- add_object_reference(misp_object_reference, pythonify=False)[source]¶
Add a reference to an object
- Parameters:
misp_object_reference (
MISPObjectReference
) – object referencepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPObjectReference
- add_opinion(opinion, pythonify=False)[source]¶
Add an opinion to an existing MISP element
- Parameters:
opinion (
MISPOpinion
) – opinion to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPOpinion
- add_org_to_sharing_group(sharing_group, organisation, extend=False)[source]¶
Add an organisation to a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/addOrganisationToSharingGroup
- Parameters:
sharing_group (
MISPSharingGroup
|int
|str
|UUID
) – Sharing group’s local instance ID, or Sharing group’s global UUIDorganisation (
MISPOrganisation
|int
|str
|UUID
) – Organisation’s local instance ID, or Organisation’s global UUID, or Organisation’s name as known to the curent instanceextend (
bool
) – Allow the organisation to extend the group
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- add_organisation(organisation, pythonify=False)[source]¶
Add an organisation: https://www.misp-project.org/openapi/#tag/Organisations/operation/addOrganisation
- Parameters:
organisation (
MISPOrganisation
) – organization to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPOrganisation
- add_organisation_blocklist(uuids, comment=None, org_name=None)[source]¶
Add a new organisation in the blocklist
- Parameters:
uuids (
str
|list
[str
]) – UUIDscomment (
str
|None
) – commentorg_name (
str
|None
) – organization name
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- add_relationship(relationship, pythonify=False)[source]¶
Add a relationship to an existing MISP element
- Parameters:
relationship (
MISPRelationship
) – relationship to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPRelationship
- add_server(server, pythonify=False)[source]¶
Add a server to synchronise with: https://www.misp-project.org/openapi/#tag/Servers/operation/getServers Note: You probably want to use PyMISP.get_sync_config and PyMISP.import_server instead
- Parameters:
server (
MISPServer
) – sync server configpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPServer
- add_server_to_sharing_group(sharing_group, server, all_orgs=False)[source]¶
Add a server to a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/addServerToSharingGroup
- Parameters:
sharing_group (
MISPSharingGroup
|int
|str
|UUID
) – Sharing group’s local instance ID, or Sharing group’s global UUIDserver (
MISPServer
|int
|str
|UUID
) – Server’s local instance ID, or URL of the Server, or Server’s name as known to the curent instanceall_orgs (
bool
) – Add all the organisations of the server to the group
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- add_sharing_group(sharing_group, pythonify=False)[source]¶
Add a new sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/addSharingGroup
- Parameters:
sharing_group (
MISPSharingGroup
) – sharing group to addpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPSharingGroup
- add_sighting(sighting, attribute=None, pythonify=False)[source]¶
Add a new sighting (globally, or to a specific attribute): https://www.misp-project.org/openapi/#tag/Sightings/operation/addSighting and https://www.misp-project.org/openapi/#tag/Sightings/operation/getSightingsByEventId
- Parameters:
sighting (
MISPSighting
|dict
[str
,Any
]) – sighting to addattribute (
MISPAttribute
|int
|str
|UUID
|None
) – specific attribute to modify with the sightingpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPSighting
- add_tag(tag, pythonify=False)[source]¶
Add a new tag on a MISP instance: https://www.misp-project.org/openapi/#tag/Tags/operation/addTag The user calling this method needs the Tag Editor permission. It doesn’t add a tag to an event, simply creates it on the MISP instance.
- add_user(user, pythonify=False)[source]¶
Add a new user: https://www.misp-project.org/openapi/#tag/Users/operation/addUser
- attach_galaxy_cluster(misp_entity, galaxy_cluster, local=False, pythonify=False)[source]¶
Attach a galaxy cluster to an event or an attribute
- Parameters:
misp_entity (
MISPEvent
|MISPAttribute
) – a MISP Event or a MISP Attributegalaxy_cluster (
MISPGalaxyCluster
|int
|str
) – Galaxy cluster to attachlocal (
bool
) – whether the object should be attached locally or not to the targetpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- attribute_exists(attribute)[source]¶
Fast check if attribute exists.
- Parameters:
attribute (
MISPAttribute
|int
|str
|UUID
) – Attribute to check- Return type:
bool
- attribute_proposals(event=None, pythonify=False)[source]¶
Get all the attribute proposals
- Parameters:
event (
MISPEvent
|int
|str
|UUID
|None
) – eventpythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
- Return type:
dict
[str
,Any
] |list
[MISPShadowAttribute
] |list
[dict
[str
,Any
]]
- attributes(pythonify=False)[source]¶
Get all the attributes from the MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/getAttributes
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPAttribute
] |list
[dict
[str
,Any
]]
- attributes_statistics(context='type', percentage=False)[source]¶
Get attribute statistics from the MISP instance
- Parameters:
context (
str
) – “type” or “category”percentage (
bool
) – get percentages
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- build_complex_query(or_parameters=None, and_parameters=None, not_parameters=None)[source]¶
Build a complex search query. MISP expects a dictionary with AND, OR and NOT keys.
- Return type:
dict
[str
,list
[TypeVar
(SearchType
,str
,int
)]]
- cache_all_feeds()[source]¶
Cache all the feeds: https://www.misp-project.org/openapi/#tag/Feeds/operation/cacheFeeds
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- cache_feed(feed)[source]¶
Cache a specific feed by id: https://www.misp-project.org/openapi/#tag/Feeds/operation/cacheFeeds
- Parameters:
feed (
MISPFeed
|int
|str
|UUID
) – feed to cache- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- cache_freetext_feeds()[source]¶
Cache all the freetext feeds
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- cache_misp_feeds()[source]¶
Cache all the MISP feeds
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- change_sharing_group_on_entity(misp_entity, sharing_group_id, pythonify=False)[source]¶
Change the sharing group of an event, an attribute, or an object
- Parameters:
misp_entity (
MISPEvent
|MISPAttribute
|MISPObject
) – entity to changesharing_group_id (
int
) – group to changepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPEvent
|MISPObject
|MISPAttribute
|MISPShadowAttribute
- change_user_password(new_password)[source]¶
Change the password of the curent user:
- Parameters:
new_password (
str
) – password to set- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- clean_correlation_exclusions()[source]¶
Initiate correlation exclusions cleanup
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- communities(pythonify=False)[source]¶
Get all the communities
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPCommunity
] |list
[dict
[str
,Any
]]
- compare_feeds()[source]¶
Generate the comparison matrix for all the MISP feeds
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- contact_event_reporter(event, message)[source]¶
Send a message to the reporter of an event
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event with reporter to contactmessage (
str
) – message to send
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- correlation_exclusions(pythonify=False)[source]¶
Get all the correlation exclusions
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPCorrelationExclusion
] |list
[dict
[str
,Any
]]
- db_schema_diagnostic()[source]¶
Get the schema diagnostic
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- decaying_models(pythonify=False)[source]¶
Get all the decaying models
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output- Return type:
dict
[str
,Any
] |list
[MISPDecayingModel
] |list
[dict
[str
,Any
]]
- delegate_event(event=None, organisation=None, event_delegation=None, distribution=-1, message='', pythonify=False)[source]¶
Delegate an event. Either event and organisation OR event_delegation are required
- Parameters:
event (
MISPEvent
|int
|str
|UUID
|None
) – event to delegateorganisation (
MISPOrganisation
|int
|str
|UUID
|None
) – organizationevent_delegation (
MISPEventDelegation
|None
) – event delegationdistribution (
int
) – distribution == -1 means recipient decidesmessage (
str
) – messagepythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |MISPEventDelegation
- delete_analyst_data(analyst_data)[source]¶
Delete an analyst data from a MISP instance
- Parameters:
analyst_data (
MISPNote
|MISPOpinion
|MISPRelationship
|int
|str
|UUID
) – analyst data to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_attribute(attribute, hard=False)[source]¶
Delete an attribute from a MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/deleteAttribute
- Parameters:
attribute (
MISPAttribute
|int
|str
|UUID
) – attribute to deletehard (
bool
) – flag for hard delete
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_attribute_proposal(attribute)[source]¶
Propose the deletion of an attribute
- Parameters:
attribute (
MISPAttribute
|int
|str
|UUID
) – attribute to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_correlation_exclusion(correlation_exclusion)[source]¶
Delete a correlation exclusion
- Parameters:
correlation_exclusion (
MISPCorrelationExclusion
|int
|str
|UUID
) – The MISPCorrelationExclusion you wish to delete from MISP- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_event(event)[source]¶
Delete an event from a MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/deleteEvent
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – event to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_event_blocklist(event_blocklist)[source]¶
Delete a blocklisted event by id
- Parameters:
event_blocklist (
MISPEventBlocklist
|str
|UUID
) – event block list to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_event_report(event_report, hard=False)[source]¶
Delete an event report from a MISP instance
- Parameters:
event_report (
MISPEventReport
|int
|str
|UUID
) – event report to deletehard (
bool
) – flag for hard delete
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_feed(feed)[source]¶
Delete a feed from a MISP instance
- Parameters:
feed (
MISPFeed
|int
|str
|UUID
) – feed to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_galaxy_cluster(galaxy_cluster, hard=False)[source]¶
Deletes a galaxy cluster from MISP: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/deleteGalaxyCluster
- Parameters:
galaxy_cluster (
MISPGalaxyCluster
|int
|str
|UUID
) – The MISPGalaxyCluster you wish to delete from MISPhard (
bool
) – flag for hard delete
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_galaxy_cluster_relation(galaxy_cluster_relation)[source]¶
Delete a galaxy cluster relation
- Parameters:
galaxy_cluster_relation (
MISPGalaxyClusterRelation
|int
|str
|UUID
) – The MISPGalaxyClusterRelation to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_note(note)[source]¶
Delete a note from a MISP instance
- Parameters:
note (
MISPNote
|int
|str
|UUID
) – note delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_object(misp_object, hard=False)[source]¶
Delete an object from a MISP instance: https://www.misp-project.org/openapi/#tag/Objects/operation/deleteObject
- Parameters:
misp_object (
MISPObject
|int
|str
|UUID
) – object to deletehard (
bool
) – flag for hard delete
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_object_reference(object_reference, hard=False)[source]¶
Delete a reference to an object.
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_opinion(opinion)[source]¶
Delete an opinion from a MISP instance
- Parameters:
opinion (
MISPOpinion
|int
|str
|UUID
) – opinion to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_organisation(organisation)[source]¶
Delete an organisation by id: https://www.misp-project.org/openapi/#tag/Organisations/operation/deleteOrganisation
- Parameters:
organisation (
MISPOrganisation
|int
|str
|UUID
) – organization to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_organisation_blocklist(organisation_blocklist)[source]¶
Delete a blocklisted organisation by id
- Parameters:
organisation_blocklist (
MISPOrganisationBlocklist
|str
|UUID
) – organization block list to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_relationship(relationship)[source]¶
Delete a relationship from a MISP instance
- Parameters:
relationship (
MISPRelationship
|int
|str
|UUID
) – relationship to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_role(role)[source]¶
Delete a role
- Parameters:
role (
MISPRole
|int
|str
|UUID
) – role to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_server(server)[source]¶
Delete a sync server: https://www.misp-project.org/openapi/#tag/Servers/operation/getServers
- Parameters:
server (
MISPServer
|int
|str
|UUID
) – sync server config- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_sharing_group(sharing_group)[source]¶
Delete a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/deleteSharingGroup
- Parameters:
sharing_group (
MISPSharingGroup
|int
|str
|UUID
) – sharing group to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_sighting(sighting)[source]¶
Delete a sighting from a MISP instance: https://www.misp-project.org/openapi/#tag/Sightings/operation/deleteSighting
- Parameters:
sighting (
MISPSighting
|int
|str
|UUID
) – sighting to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_tag(tag)[source]¶
Delete a tag from a MISP instance: https://www.misp-project.org/openapi/#tag/Tags/operation/deleteTag
- Parameters:
tag (
MISPTag
|int
|str
|UUID
) – tag to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_user(user)[source]¶
Delete a user by id: https://www.misp-project.org/openapi/#tag/Users/operation/deleteUser
- Parameters:
user (
MISPUser
|int
|str
|UUID
) – user to delete- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- delete_user_setting(user_setting, user=None)[source]¶
Delete a user setting: https://www.misp-project.org/openapi/#tag/UserSettings/operation/deleteUserSettingById
- Parameters:
user_setting (
str
) – name of user settinguser (
MISPUser
|int
|str
|UUID
|None
) – user
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- property describe_types_local: dict[str, Any] | list[dict[str, Any]]¶
Returns the content of describe types from the package
- property describe_types_remote: dict[str, Any] | list[dict[str, Any]]¶
Returns the content of describe types from the remote instance
- direct_call(url, data=None, params={}, kw_params={})[source]¶
Very lightweight call that posts a data blob (python dictionary or json string) on the URL
- Parameters:
url (
str
) – URL to post todata (
dict
[str
,Any
] |None
) – data to postparams (
Mapping
[str
,Any
]) – dict with parameters for requestkw_params (
Mapping
[str
,Any
]) – dict with keyword parameters for request
- Return type:
Any
- disable_decaying_model(decaying_model)[source]¶
Disable a decaying Model
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- disable_feed(feed, pythonify=False)[source]¶
Disable a feed: https://www.misp-project.org/openapi/#tag/Feeds/operation/disableFeed
- disable_noticelist(noticelist)[source]¶
Disable a noticelist by id
- Parameters:
noticelist (
MISPNoticelist
|int
|str
|UUID
) – Noticelist to disable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- disable_taxonomy(taxonomy)[source]¶
Disable a taxonomy: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/disableTaxonomy
- Parameters:
taxonomy (
MISPTaxonomy
|int
|str
|UUID
) – taxonomy to disable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- disable_taxonomy_tags(taxonomy)[source]¶
Disable all the tags of a taxonomy
- Parameters:
taxonomy (
MISPTaxonomy
|int
|str
|UUID
) – taxonomy with tags to disable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- disable_warninglist(warninglist)[source]¶
Disable a warninglist
- Parameters:
warninglist (
MISPWarninglist
|int
|str
|UUID
) – warninglist to disable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- discard_attribute_proposal(proposal)[source]¶
Discard a proposal. You cannot modify an existing proposal, only accept/discard
- Parameters:
proposal (
MISPShadowAttribute
|int
|str
|UUID
) – attribute proposal to discard- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- discard_event_delegation(delegation, pythonify=False)[source]¶
Discard the delegation of an event
- Parameters:
delegation (
MISPEventDelegation
|int
|str
) – event delegation to discardpythonify (
bool
) – Returns a PyMISP Object instead of the plain json output
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- discard_user_registration(registration)[source]¶
Discard a user registration
- Parameters:
registration (
MISPInbox
|int
|str
|UUID
) – the registration to discard- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- enable_decaying_model(decaying_model)[source]¶
Enable a decaying Model
- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- enable_feed(feed, pythonify=False)[source]¶
Enable a feed; fetching it will create event(s): https://www.misp-project.org/openapi/#tag/Feeds/operation/enableFeed
- enable_noticelist(noticelist)[source]¶
Enable a noticelist by id: https://www.misp-project.org/openapi/#tag/Noticelists/operation/toggleEnableNoticelist
- Parameters:
noticelist (
MISPNoticelist
|int
|str
|UUID
) – Noticelist to enable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- enable_taxonomy(taxonomy)[source]¶
Enable a taxonomy: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/enableTaxonomy
- Parameters:
taxonomy (
MISPTaxonomy
|int
|str
|UUID
) – taxonomy to enable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- enable_taxonomy_tags(taxonomy)[source]¶
Enable all the tags of a taxonomy. NOTE: this is automatically done when you call enable_taxonomy
- Parameters:
taxonomy (
MISPTaxonomy
|int
|str
|UUID
) – taxonomy with tags to enable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- enable_warninglist(warninglist)[source]¶
Enable a warninglist
- Parameters:
warninglist (
MISPWarninglist
|int
|str
|UUID
) – warninglist to enable- Return type:
dict
[str
,Any
] |list
[dict
[str
,Any
]]
- event_blocklists(pythonify=False)[source]¶
Get all the blocklisted events
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPEventBlocklist
] |list
[dict
[str
,Any
]]
- event_delegations(pythonify=False)[source]¶
Get all the event delegations
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPEventDelegation
] |list
[dict
[str
,Any
]]
- event_exists(event)[source]¶
Fast check if event exists.
- Parameters:
event (
MISPEvent
|int
|str
|UUID
) – Event to check- Return type:
bool
- events(pythonify=False)[source]¶
Get all the events from the MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/getEvents
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPEvent
] |list
[dict
[str
,Any
]]
- feeds(pythonify=False)[source]¶
Get the list of existing feeds: https://www.misp-project.org/openapi/#tag/Feeds/operation/getFeeds
- Parameters:
pythonify (
bool
) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM- Return type:
dict
[str
,Any
] |list
[MISPFeed
] |list
[dict
[str
,Any
]]