pymisp - Classes ¶

MISPGalaxyClusterElement

property tags: list[MISPTag]¶: Returns a list of tags associated to this Event

to_dict(json_format=False)[source]¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_feed(valid_distributions=[0, 1, 2, 3, 4, 5], with_meta=False, with_distribution=False, with_local_tags=True, with_event_reports=True)[source]¶

Generate a json output for MISP Feed.

Parameters:

valid_distributions (list[int]) – only makes sense if the distribution key is set; i.e., the event is exported from a MISP instance.
with_distribution (bool) – exports distribution and Sharing Group info; otherwise all SharingGroup information is discarded (protecting privacy)
with_local_tags (bool) – tag export includes local exportable tags along with global exportable tags
with_event_reports (bool) – include event reports in the returned MISP event

Return type:

dict[str, Any]

unpublish()[source]¶

Mark the attribute as un-published (set publish flag to false)

Return type:: None

class pymisp.MISPEventBlocklist(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPEventDelegation(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPEventReport(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPFeed(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPGalaxy[source]¶

Galaxy class, used to view a galaxy and respective clusters

add_galaxy_cluster(**kwargs)[source]¶

Add a MISP galaxy cluster into a MISPGalaxy. Supports all other parameters supported by MISPGalaxyCluster

Return type:: MISPGalaxyCluster

from_dict(**kwargs)[source]¶

Galaxy could be in one of the following formats: {‘Galaxy’: {}, ‘GalaxyCluster’: []} {‘Galaxy’: {‘GalaxyCluster’: []}}

Return type:: None

class pymisp.MISPGalaxyCluster[source]¶

A MISP galaxy cluster, storing respective galaxy elements and relations. Used to view default galaxy clusters and add/edit/update/delete Galaxy 2.0 clusters

Creating a new galaxy cluster can take the following parameters

Parameters:

value (str) – The value of the galaxy cluster
description (str) – The description of the galaxy cluster
distribution (int) – The distribution type, one of 0, 1, 2, 3, 4
sharing_group_id (int, optional) – The sharing group ID, if distribution is set to 4
authors (list[str], optional) – A list of authors of the galaxy cluster
cluster_elements (list[MISPGalaxyClusterElement], optional) – List of MISPGalaxyClusterElement
cluster_relations (list[MISPGalaxyClusterRelation], optional) – List of MISPGalaxyClusterRelation

add_cluster_element(key, value, **kwargs)[source]¶

Add a cluster relation to a MISPGalaxyCluster, key and value are required

Parameters:

key (str) – The key name of the element
value (str) – The value of the element

Return type:

add_cluster_relation(referenced_galaxy_cluster_uuid, referenced_galaxy_cluster_type, galaxy_cluster_uuid=None, **kwargs)[source]¶

Add a cluster relation to a MISPGalaxyCluster.

Parameters:

referenced_galaxy_cluster_uuid (uuid) – UUID of the related cluster
referenced_galaxy_cluster_type (uuid) – Relation type
galaxy_cluster_uuid (str | None) – UUID of this cluster, leave blank to use the stored UUID
galaxy_cluster_uuid – uuid, Optional

Return type:

MISPGalaxyClusterRelation

property elements_meta: dict[str, Any]¶: Function to return the galaxy cluster elements as a dictionary structure of lists that comes from a MISPGalaxy within a MISPEvent. Lossy, you lose the element ID

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

parse_meta_as_elements()[source]¶

Function to parse the meta field into GalaxyClusterElements

Return type:: None

class pymisp.MISPGalaxyClusterElement(**kwargs)[source]¶

A MISP Galaxy cluster element, providing further info on a cluster

Creating a new galaxy cluster element can take the following parameters

Parameters:

key (str) – The key/identifier of the element
value (str) – The value of the element

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPGalaxyClusterRelation[source]¶

A MISP Galaxy cluster relation, linking one cluster to another

Creating a new galaxy cluster can take the following parameters

Parameters:

galaxy_cluster_uuid – The UUID of the galaxy the relation links to
referenced_galaxy_cluster_type – The relation type, e.g. dropped-by
referenced_galaxy_cluster_uuid – The UUID of the related galaxy
distribution – The distribution of the relation, one of 0, 1, 2, 3, 4, default 0
sharing_group_id – The sharing group of the relation, only when distribution is 4

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

property tags: list[MISPTag]¶: Returns a list of tags associated to this Attribute

class pymisp.MISPInbox(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPLog(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPNoticelist(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPObject(name, strict=False, standalone=True, default_attributes_parameters={}, **kwargs)[source]¶

add_attribute(object_relation, simple_value=None, **value)[source]¶

Add an attribute. :type object_relation: str :param object_relation: The object relation of the attribute you’re adding to the object :type simple_value: str | int | float | None :param simple_value: The value :type value: :param value: dictionary with all the keys supported by MISPAttribute

Return type:: MISPAttribute | None

Note: as long as PyMISP knows about the object template, only the object_relation and the simple_value are required.: If PyMISP doesn’t know the template, you also must pass a type. All the other options that can be passed along when creating an attribute (comment, IDS flag, …) will be either taked out of the template, or out of the default setting for the type as defined on the MISP instance.

add_attributes(object_relation, *attributes)[source]¶

Add multiple attributes with the same object_relation. Helper for object_relation when multiple is True in the template. It is the same as calling multiple times add_attribute with the same object_relation.

Return type:: list[MISPAttribute | None]

add_reference(referenced_uuid, relationship_type, comment=None, **kwargs)[source]¶

Add a link (uuid) to another object

Return type:: MISPObjectReference

delete()[source]¶

Mark the object as deleted (soft delete)

Return type:: None

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

get_attributes_by_relation(object_relation)[source]¶

Returns the list of attributes with the given object relation in the object

Return type:: list[MISPAttribute]

has_attributes_by_relation(list_of_relations)[source]¶

True if all the relations in the list are defined in the object

Return type:: bool

to_dict(json_format=False, strict=False)[source]¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None, strict=False)[source]¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

class pymisp.MISPObjectAttribute(definition)[source]¶

from_dict(object_relation, value, **kwargs)[source]¶: Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

class pymisp.MISPObjectReference[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPObjectTemplate(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPOrganisation[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPOrganisationBlocklist(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPRole(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPServer(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPShadowAttribute[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPSharingGroup[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPSighting[source]¶

from_dict(**kwargs)[source]¶

Initialize the MISPSighting from a dictionary

Parameters:

value – Value of the attribute the sighting is related too. Pushing this object will update the sighting count of each attribute with this value on the instance.
uuid – UUID of the attribute to update
id – ID of the attriute to update
source – Source of the sighting
type – Type of the sighting
timestamp – Timestamp associated to the sighting

Return type:

class pymisp.MISPTag(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPTaxonomy(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPUser(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPUserSetting(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

class pymisp.MISPWarninglist(**kwargs)[source]¶

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

exception pymisp.NewAttributeError(message)[source]¶

exception pymisp.NewEventError(message)[source]¶

exception pymisp.NoKey(message)[source]¶

exception pymisp.NoURL(message)[source]¶

class pymisp.PyMISP(url, key, ssl=True, debug=False, proxies=None, cert=None, auth=None, tool='', timeout=None, http_headers=None, https_adapter=None, http_auth_header_name='Authorization')[source]¶

Python API for MISP

Parameters:

url (str) – URL of the MISP instance you want to connect to
key (str) – API key of the user you want to use
ssl (bool | str) – can be True or False (to check or to not check the validity of the certificate. Or a CA_BUNDLE in case of self signed or other certificate (the concatenation of all the crt of the chain)
debug (bool) – Write all the debug information to stderr
proxies (Optional[MutableMapping[str, str]]) – Proxy dict, as described here: http://docs.python-requests.org/en/master/user/advanced/#proxies
cert (str | tuple[str, str] | None) – Client certificate, as described here: http://docs.python-requests.org/en/master/user/advanced/#client-side-certificates
auth (AuthBase | None) – The auth parameter is passed directly to requests, as described here: http://docs.python-requests.org/en/master/user/authentication/
tool (str) – The software using PyMISP (string), used to set a unique user-agent
http_headers (dict[str, str] | None) – Arbitrary headers to pass to all the requests.
https_adapter (BaseAdapter | None) – Arbitrary HTTPS adapter for the requests session.
http_auth_header_name (str) – The name of the HTTP header to use for the API key. Can be either “Authorization” or “X-MISP-AUTH”.
timeout (float | tuple[float, float] | None) – Timeout, as described here: https://requests.readthedocs.io/en/master/user/advanced/#timeouts

accept_attribute_proposal(proposal)[source]¶

Accept a proposal. You cannot modify an existing proposal, only accept/discard

Parameters:: proposal (MISPShadowAttribute | int | str | UUID) – attribute proposal to accept
Return type:: dict[str, Any] | list[dict[str, Any]]

accept_event_delegation(delegation, pythonify=False)[source]¶

Accept the delegation of an event

Parameters:

delegation (MISPEventDelegation | int | str) – event delegation to accept
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | list[dict[str, Any]]

accept_user_registration(registration, organisation=None, role=None, perm_sync=False, perm_publish=False, perm_admin=False, unsafe_fallback=False)[source]¶

Accept a user registration

Parameters:

registration (MISPInbox | int | str | UUID) – the registration to accept
organisation (MISPOrganisation | int | str | UUID | None) – user organization
role (MISPRole | int | str | None) – user role
perm_sync (bool) – indicator for sync
perm_publish (bool) – indicator for publish
perm_admin (bool) – indicator for admin
unsafe_fallback (bool) – indicator for unsafe fallback

Return type:

dict[str, Any] | list[dict[str, Any]]

add_attribute(event, attribute, pythonify=False, break_on_duplicate=True)[source]¶

Add an attribute to an existing MISP event: https://www.misp-project.org/openapi/#tag/Attributes/operation/addAttribute

Parameters:

event (MISPEvent | int | str | UUID) – event to extend
attribute (Union[MISPAttribute, Iterable[str]]) – attribute or (MISP version 2.4.113+) list of attributes to add. If a list is passed, the pythonified response is a dict with the following structure: {‘attributes’: [MISPAttribute], ‘errors’: {errors by attributes}}
pythonify (bool) – Returns a PyMISP Object instead of the plain json output
break_on_duplicate (bool) – if False, do not fail if the attribute already exists, updates existing attribute instead (timestamp will be always updated)

Return type:

dict[str, Any] | MISPAttribute | MISPShadowAttribute

add_attribute_proposal(event, attribute, pythonify=False)[source]¶

Propose a new attribute in an event

Parameters:

event (MISPEvent | int | str | UUID) – event to receive new attribute
attribute (MISPAttribute) – attribute to propose
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_correlation_exclusion(correlation_exclusion, pythonify=False)[source]¶

Add a new correlation exclusion

Parameters:

correlation_exclusion (MISPCorrelationExclusion) – correlation exclusion to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_event(event, pythonify=False, metadata=False)[source]¶

Add a new event on a MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/addEvent

Parameters:

event (MISPEvent) – event to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output
metadata (bool) – Return just event metadata after successful creating

Return type:

add_event_blocklist(uuids, comment=None, event_info=None, event_orgc=None)[source]¶

Add a new event in the blocklist

Parameters:

uuids (str | list[str]) – UUIDs
comment (str | None) – comment
event_info (str | None) – event information
event_orgc (str | None) – event organization

Return type:

dict[str, Any] | list[dict[str, Any]]

add_event_report(event, event_report, pythonify=False)[source]¶

Add an event report to an existing MISP event

Parameters:

event (MISPEvent | int | str | UUID) – event to extend
event_report (MISPEventReport) – event report to add.
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_feed(feed, pythonify=False)[source]¶

Add a new feed on a MISP instance: https://www.misp-project.org/openapi/#tag/Feeds/operation/addFeed

Parameters:

feed (MISPFeed) – feed to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_galaxy_cluster(galaxy, galaxy_cluster, pythonify=False)[source]¶

Add a new galaxy cluster to a MISP Galaxy: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/addGalaxyCluster

Parameters:

galaxy (MISPGalaxy | str | UUID) – A MISPGalaxy (or UUID) where you wish to add the galaxy cluster
galaxy_cluster (MISPGalaxyCluster) – A MISPGalaxyCluster you wish to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_galaxy_cluster_relation(galaxy_cluster_relation)[source]¶

Add a galaxy cluster relation, cluster relation must include cluster UUIDs in both directions

Parameters:: galaxy_cluster_relation (MISPGalaxyClusterRelation) – The MISPGalaxyClusterRelation to add
Return type:: dict[str, Any] | list[dict[str, Any]]

add_object(event, misp_object, pythonify=False, break_on_duplicate=False)[source]¶

Add a MISP Object to an existing MISP event: https://www.misp-project.org/openapi/#tag/Objects/operation/addObject

Parameters:

event (MISPEvent | int | str | UUID) – event to extend
misp_object (MISPObject) – object to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output
break_on_duplicate (bool) – if True, check and reject if this object’s attributes match an existing object’s attributes; may require much time

Return type:

add_object_reference(misp_object_reference, pythonify=False)[source]¶

Add a reference to an object

Parameters:

misp_object_reference (MISPObjectReference) – object reference
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPObjectReference

add_org_to_sharing_group(sharing_group, organisation, extend=False)[source]¶

Add an organisation to a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/addOrganisationToSharingGroup

Parameters:

sharing_group (MISPSharingGroup | int | str | UUID) – Sharing group’s local instance ID, or Sharing group’s global UUID
organisation (MISPOrganisation | int | str | UUID) – Organisation’s local instance ID, or Organisation’s global UUID, or Organisation’s name as known to the curent instance
extend (bool) – Allow the organisation to extend the group

Return type:

dict[str, Any] | list[dict[str, Any]]

add_organisation(organisation, pythonify=False)[source]¶

Add an organisation: https://www.misp-project.org/openapi/#tag/Organisations/operation/addOrganisation

Parameters:

organisation (MISPOrganisation) – organization to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_organisation_blocklist(uuids, comment=None, org_name=None)[source]¶

Add a new organisation in the blocklist

Parameters:

uuids (str | list[str]) – UUIDs
comment (str | None) – comment
org_name (str | None) – organization name

Return type:

dict[str, Any] | list[dict[str, Any]]

add_server(server, pythonify=False)[source]¶

Add a server to synchronise with: https://www.misp-project.org/openapi/#tag/Servers/operation/getServers Note: You probably want to use PyMISP.get_sync_config and PyMISP.import_server instead

Parameters:

server (MISPServer) – sync server config
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_server_to_sharing_group(sharing_group, server, all_orgs=False)[source]¶

Add a server to a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/addServerToSharingGroup

Parameters:

sharing_group (MISPSharingGroup | int | str | UUID) – Sharing group’s local instance ID, or Sharing group’s global UUID
server (MISPServer | int | str | UUID) – Server’s local instance ID, or URL of the Server, or Server’s name as known to the curent instance
all_orgs (bool) – Add all the organisations of the server to the group

Return type:

dict[str, Any] | list[dict[str, Any]]

add_sharing_group(sharing_group, pythonify=False)[source]¶

Add a new sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/addSharingGroup

Parameters:

sharing_group (MISPSharingGroup) – sharing group to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_sighting(sighting, attribute=None, pythonify=False)[source]¶

Add a new sighting (globally, or to a specific attribute): https://www.misp-project.org/openapi/#tag/Sightings/operation/addSighting and https://www.misp-project.org/openapi/#tag/Sightings/operation/getSightingsByEventId

Parameters:

sighting (MISPSighting | dict[str, Any]) – sighting to add
attribute (MISPAttribute | int | str | UUID | None) – specific attribute to modify with the sighting
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPSighting

add_tag(tag, pythonify=False)[source]¶

Add a new tag on a MISP instance: https://www.misp-project.org/openapi/#tag/Tags/operation/addTag The user calling this method needs the Tag Editor permission. It doesn’t add a tag to an event, simply creates it on the MISP instance.

Parameters:

tag (MISPTag) – tag to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_user(user, pythonify=False)[source]¶

Add a new user: https://www.misp-project.org/openapi/#tag/Users/operation/addUser

Parameters:

user (MISPUser) – user to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

attribute_exists(attribute)[source]¶

Fast check if attribute exists.

Parameters:: attribute (MISPAttribute | int | str | UUID) – Attribute to check
Return type:: bool

attribute_proposals(event=None, pythonify=False)[source]¶

Get all the attribute proposals

Parameters:

event (MISPEvent | int | str | UUID | None) – event
pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

dict[str, Any] | list[MISPShadowAttribute] | list[dict[str, Any]]

attributes(pythonify=False)[source]¶

Get all the attributes from the MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/getAttributes

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPAttribute] | list[dict[str, Any]]

attributes_statistics(context='type', percentage=False)[source]¶

Get attribute statistics from the MISP instance

Parameters:

context (str) – “type” or “category”
percentage (bool) – get percentages

Return type:

dict[str, Any] | list[dict[str, Any]]

build_complex_query(or_parameters=None, and_parameters=None, not_parameters=None)[source]¶

Build a complex search query. MISP expects a dictionary with AND, OR and NOT keys.

Return type:: dict[str, list[TypeVar(SearchType, str, int)]]

cache_all_feeds()[source]¶

Cache all the feeds: https://www.misp-project.org/openapi/#tag/Feeds/operation/cacheFeeds

Return type:: dict[str, Any] | list[dict[str, Any]]

cache_feed(feed)[source]¶

Cache a specific feed by id: https://www.misp-project.org/openapi/#tag/Feeds/operation/cacheFeeds

Parameters:: feed (MISPFeed | int | str | UUID) – feed to cache
Return type:: dict[str, Any] | list[dict[str, Any]]

cache_freetext_feeds()[source]¶

Cache all the freetext feeds

Return type:: dict[str, Any] | list[dict[str, Any]]

cache_misp_feeds()[source]¶

Cache all the MISP feeds

Return type:: dict[str, Any] | list[dict[str, Any]]

change_sharing_group_on_entity(misp_entity, sharing_group_id, pythonify=False)[source]¶

Change the sharing group of an event, an attribute, or an object

Parameters:

misp_entity (MISPEvent | MISPAttribute | MISPObject) – entity to change
sharing_group_id (int) – group to change
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPEvent | MISPObject | MISPAttribute | MISPShadowAttribute

change_user_password(new_password)[source]¶

Change the password of the curent user:

Parameters:: new_password (str) – password to set
Return type:: dict[str, Any] | list[dict[str, Any]]

clean_correlation_exclusions()[source]¶

Initiate correlation exclusions cleanup

Return type:: dict[str, Any] | list[dict[str, Any]]

communities(pythonify=False)[source]¶

Get all the communities

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPCommunity] | list[dict[str, Any]]

compare_feeds()[source]¶

Generate the comparison matrix for all the MISP feeds

Return type:: dict[str, Any] | list[dict[str, Any]]

contact_event_reporter(event, message)[source]¶

Send a message to the reporter of an event

Parameters:

event (MISPEvent | int | str | UUID) – event with reporter to contact
message (str) – message to send

Return type:

dict[str, Any] | list[dict[str, Any]]

correlation_exclusions(pythonify=False)[source]¶

Get all the correlation exclusions

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPCorrelationExclusion] | list[dict[str, Any]]

db_schema_diagnostic()[source]¶

Get the schema diagnostic

Return type:: dict[str, Any] | list[dict[str, Any]]

decaying_models(pythonify=False)[source]¶

Get all the decaying models

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output
Return type:: dict[str, Any] | list[MISPDecayingModel] | list[dict[str, Any]]

delegate_event(event=None, organisation=None, event_delegation=None, distribution=-1, message='', pythonify=False)[source]¶

Delegate an event. Either event and organisation OR event_delegation are required

Parameters:

event (MISPEvent | int | str | UUID | None) – event to delegate
organisation (MISPOrganisation | int | str | UUID | None) – organization
event_delegation (MISPEventDelegation | None) – event delegation
distribution (int) – distribution == -1 means recipient decides
message (str) – message
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPEventDelegation

delete_attribute(attribute, hard=False)[source]¶

Delete an attribute from a MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/deleteAttribute

Parameters:

attribute (MISPAttribute | int | str | UUID) – attribute to delete
hard (bool) – flag for hard delete

Return type:

dict[str, Any] | list[dict[str, Any]]

delete_attribute_proposal(attribute)[source]¶

Propose the deletion of an attribute

Parameters:: attribute (MISPAttribute | int | str | UUID) – attribute to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_correlation_exclusion(correlation_exclusion)[source]¶

Delete a correlation exclusion

Parameters:: correlation_exclusion (MISPCorrelationExclusion | int | str | UUID) – The MISPCorrelationExclusion you wish to delete from MISP
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_event(event)[source]¶

Delete an event from a MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/deleteEvent

Parameters:: event (MISPEvent | int | str | UUID) – event to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_event_blocklist(event_blocklist)[source]¶

Delete a blocklisted event by id

Parameters:: event_blocklist (MISPEventBlocklist | str | UUID) – event block list to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_event_report(event_report, hard=False)[source]¶

Delete an event report from a MISP instance

Parameters:

event_report (MISPEventReport | int | str | UUID) – event report to delete
hard (bool) – flag for hard delete

Return type:

dict[str, Any] | list[dict[str, Any]]

delete_feed(feed)[source]¶

Delete a feed from a MISP instance

Parameters:: feed (MISPFeed | int | str | UUID) – feed to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_galaxy_cluster(galaxy_cluster, hard=False)[source]¶

Deletes a galaxy cluster from MISP: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/deleteGalaxyCluster

Parameters:

galaxy_cluster (MISPGalaxyCluster | int | str | UUID) – The MISPGalaxyCluster you wish to delete from MISP
hard (bool) – flag for hard delete

Return type:

dict[str, Any] | list[dict[str, Any]]

delete_galaxy_cluster_relation(galaxy_cluster_relation)[source]¶

Delete a galaxy cluster relation

Parameters:: galaxy_cluster_relation (MISPGalaxyClusterRelation | int | str | UUID) – The MISPGalaxyClusterRelation to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_object(misp_object, hard=False)[source]¶

Delete an object from a MISP instance: https://www.misp-project.org/openapi/#tag/Objects/operation/deleteObject

Parameters:

misp_object (MISPObject | int | str | UUID) – object to delete
hard (bool) – flag for hard delete

Return type:

dict[str, Any] | list[dict[str, Any]]

delete_object_reference(object_reference, hard=False)[source]¶

Delete a reference to an object.

Return type:: dict[str, Any] | list[dict[str, Any]]

delete_organisation(organisation)[source]¶

Delete an organisation by id: https://www.misp-project.org/openapi/#tag/Organisations/operation/deleteOrganisation

Parameters:: organisation (MISPOrganisation | int | str | UUID) – organization to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_organisation_blocklist(organisation_blocklist)[source]¶

Delete a blocklisted organisation by id

Parameters:: organisation_blocklist (MISPOrganisationBlocklist | str | UUID) – organization block list to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_server(server)[source]¶

Delete a sync server: https://www.misp-project.org/openapi/#tag/Servers/operation/getServers

Parameters:: server (MISPServer | int | str | UUID) – sync server config
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_sharing_group(sharing_group)[source]¶

Delete a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/deleteSharingGroup

Parameters:: sharing_group (MISPSharingGroup | int | str | UUID) – sharing group to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_sighting(sighting)[source]¶

Delete a sighting from a MISP instance: https://www.misp-project.org/openapi/#tag/Sightings/operation/deleteSighting

Parameters:: sighting (MISPSighting | int | str | UUID) – sighting to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_tag(tag)[source]¶

Delete a tag from a MISP instance: https://www.misp-project.org/openapi/#tag/Tags/operation/deleteTag

Parameters:: tag (MISPTag | int | str | UUID) – tag to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_user(user)[source]¶

Delete a user by id: https://www.misp-project.org/openapi/#tag/Users/operation/deleteUser

Parameters:: user (MISPUser | int | str | UUID) – user to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_user_setting(user_setting, user=None)[source]¶

Delete a user setting: https://www.misp-project.org/openapi/#tag/UserSettings/operation/deleteUserSettingById

Parameters:

user_setting (str) – name of user setting
user (MISPUser | int | str | UUID | None) – user

Return type:

dict[str, Any] | list[dict[str, Any]]

property describe_types_local: dict[str, Any] | list[dict[str, Any]]¶: Returns the content of describe types from the package

property describe_types_remote: dict[str, Any] | list[dict[str, Any]]¶: Returns the content of describe types from the remote instance

direct_call(url, data=None, params={}, kw_params={})[source]¶

Very lightweight call that posts a data blob (python dictionary or json string) on the URL

Parameters:

url (str) – URL to post to
data (dict[str, Any] | None) – data to post
params (Mapping[str, Any]) – dict with parameters for request
kw_params (Mapping[str, Any]) – dict with keyword parameters for request

Return type:

Any

disable_decaying_model(decaying_model)[source]¶

Disable a decaying Model

Return type:: dict[str, Any] | list[dict[str, Any]]

disable_feed(feed, pythonify=False)[source]¶

Disable a feed: https://www.misp-project.org/openapi/#tag/Feeds/operation/disableFeed

Parameters:

feed (MISPFeed | int | str | UUID) – feed to disable
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

disable_feed_cache(feed, pythonify=False)[source]¶

Disable the caching of a feed

Parameters:

feed (MISPFeed | int | str | UUID) – feed to disable caching
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

disable_noticelist(noticelist)[source]¶

Disable a noticelist by id

Parameters:: noticelist (MISPNoticelist | int | str | UUID) – Noticelist to disable
Return type:: dict[str, Any] | list[dict[str, Any]]

disable_tag(tag, pythonify=False)[source]¶

Disable a tag

Parameters:

tag (MISPTag) – tag to disable
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

disable_taxonomy(taxonomy)[source]¶

Disable a taxonomy: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/disableTaxonomy

Parameters:: taxonomy (MISPTaxonomy | int | str | UUID) – taxonomy to disable
Return type:: dict[str, Any] | list[dict[str, Any]]

disable_taxonomy_tags(taxonomy)[source]¶

Disable all the tags of a taxonomy

Parameters:: taxonomy (MISPTaxonomy | int | str | UUID) – taxonomy with tags to disable
Return type:: dict[str, Any] | list[dict[str, Any]]

disable_warninglist(warninglist)[source]¶

Disable a warninglist

Parameters:: warninglist (MISPWarninglist | int | str | UUID) – warninglist to disable
Return type:: dict[str, Any] | list[dict[str, Any]]

discard_attribute_proposal(proposal)[source]¶

Discard a proposal. You cannot modify an existing proposal, only accept/discard

Parameters:: proposal (MISPShadowAttribute | int | str | UUID) – attribute proposal to discard
Return type:: dict[str, Any] | list[dict[str, Any]]

discard_event_delegation(delegation, pythonify=False)[source]¶

Discard the delegation of an event

Parameters:

delegation (MISPEventDelegation | int | str) – event delegation to discard
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | list[dict[str, Any]]

discard_user_registration(registration)[source]¶

Discard a user registration

Parameters:: registration (MISPInbox | int | str | UUID) – the registration to discard
Return type:: dict[str, Any] | list[dict[str, Any]]

enable_decaying_model(decaying_model)[source]¶

Enable a decaying Model

Return type:: dict[str, Any] | list[dict[str, Any]]

enable_feed(feed, pythonify=False)[source]¶

Enable a feed; fetching it will create event(s): https://www.misp-project.org/openapi/#tag/Feeds/operation/enableFeed

Parameters:

feed (MISPFeed | int | str | UUID) – feed to enable
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

enable_feed_cache(feed, pythonify=False)[source]¶

Enable the caching of a feed

Parameters:

feed (MISPFeed | int | str | UUID) – feed to enable caching
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

enable_noticelist(noticelist)[source]¶

Enable a noticelist by id: https://www.misp-project.org/openapi/#tag/Noticelists/operation/toggleEnableNoticelist

Parameters:: noticelist (MISPNoticelist | int | str | UUID) – Noticelist to enable
Return type:: dict[str, Any] | list[dict[str, Any]]

enable_tag(tag, pythonify=False)[source]¶

Enable a tag

Parameters:

tag (MISPTag) – tag to enable
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

enable_taxonomy(taxonomy)[source]¶

Enable a taxonomy: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/enableTaxonomy

Parameters:: taxonomy (MISPTaxonomy | int | str | UUID) – taxonomy to enable
Return type:: dict[str, Any] | list[dict[str, Any]]

enable_taxonomy_tags(taxonomy)[source]¶

Enable all the tags of a taxonomy. NOTE: this is automatically done when you call enable_taxonomy

Parameters:: taxonomy (MISPTaxonomy | int | str | UUID) – taxonomy with tags to enable
Return type:: dict[str, Any] | list[dict[str, Any]]

enable_warninglist(warninglist)[source]¶

Enable a warninglist

Parameters:: warninglist (MISPWarninglist | int | str | UUID) – warninglist to enable
Return type:: dict[str, Any] | list[dict[str, Any]]

event_blocklists(pythonify=False)[source]¶

Get all the blocklisted events

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPEventBlocklist] | list[dict[str, Any]]

event_delegations(pythonify=False)[source]¶

Get all the event delegations

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPEventDelegation] | list[dict[str, Any]]

event_exists(event)[source]¶

Fast check if event exists.

Parameters:: event (MISPEvent | int | str | UUID) – Event to check
Return type:: bool

events(pythonify=False)[source]¶

Get all the events from the MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/getEvents

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPEvent] | list[dict[str, Any]]

feeds(pythonify=False)[source]¶

Get the list of existing feeds: https://www.misp-project.org/openapi/#tag/Feeds/operation/getFeeds

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPFeed] | list[dict[str, Any]]

fetch_feed(feed)[source]¶

Fetch one single feed by id: https://www.misp-project.org/openapi/#tag/Feeds/operation/fetchFromFeed

Parameters:: feed (MISPFeed | int | str | UUID) – feed to fetch
Return type:: dict[str, Any] | list[dict[str, Any]]

fork_galaxy_cluster(galaxy, galaxy_cluster, pythonify=False)[source]¶

Forks an existing galaxy cluster, creating a new one with matching attributes

Parameters:

galaxy (MISPGalaxy | int | str | UUID) – The galaxy (or galaxy ID) where the cluster you want to fork resides
galaxy_cluster (MISPGalaxyCluster) – The galaxy cluster you wish to fork
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

freetext(event, string, adhereToWarninglists=False, distribution=None, returnMetaAttributes=False, pythonify=False, **kwargs)[source]¶

Pass a text to the freetext importer

Parameters:

event (MISPEvent | int | str | UUID) – event
string (str) – query
adhereToWarninglists (bool | str) – flag
distribution (int | None) – distribution == -1 means recipient decides
returnMetaAttributes (bool) – flag
pythonify (bool) – Returns a PyMISP Object instead of the plain json output
kwargs – kwargs passed to prepare_request

Return type:

dict[str, Any] | list[MISPAttribute] | list[dict[str, Any]]

galaxies(withCluster=False, pythonify=False)[source]¶

Get all the galaxies: https://www.misp-project.org/openapi/#tag/Galaxies/operation/getGalaxies

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPGalaxy] | list[dict[str, Any]]

get_all_functions(not_implemented=False)[source]¶

Get all methods available via the API, including ones that are not implemented.

Return type:: list[str]

get_attribute(attribute, pythonify=False)[source]¶

Get an attribute from a MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/getAttributeById

Parameters:

attribute (MISPAttribute | int | str | UUID) – attribute to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPAttribute

get_attribute_proposal(proposal, pythonify=False)[source]¶

Get an attribute proposal

Parameters:

proposal (MISPShadowAttribute | int | str | UUID) – proposal to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_community(community, pythonify=False)[source]¶

Get a community by id from a MISP instance

Parameters:

community (MISPCommunity | int | str | UUID) – community to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPCommunity

get_correlation_exclusion(correlation_exclusion, pythonify=False)[source]¶

Get a correlation exclusion by ID

Parameters:

correlation_exclusion (MISPCorrelationExclusion | int | str | UUID) – Correlation exclusion to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_event(event, deleted=False, extended=False, pythonify=False)[source]¶

Get an event from a MISP instance. Includes collections like Attribute, EventReport, Feed, Galaxy, Object, Tag, etc. so the response size may be large : https://www.misp-project.org/openapi/#tag/Events/operation/getEventById

Parameters:

event (MISPEvent | int | str | UUID) – event to get
deleted (bool | int | list[int]) – whether to include soft-deleted attributes
extended (bool | int) – whether to get extended events
pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

get_event_report(event_report, pythonify=False)[source]¶

Get an event report from a MISP instance

Parameters:

event_report (MISPEventReport | int | str | UUID) – event report to get
pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

get_event_reports(event_id, pythonify=False)[source]¶

Get event report from a MISP instance that are attached to an event ID

Parameters:

event_id (int | str) – event id to get the event reports for
pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output.

Return type:

dict[str, Any] | list[MISPEventReport] | list[dict[str, Any]]

get_feed(feed, pythonify=False)[source]¶

Get a feed by id: https://www.misp-project.org/openapi/#tag/Feeds/operation/getFeedById

Parameters:

feed (MISPFeed | int | str | UUID) – feed to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_galaxy(galaxy, withCluster=False, pythonify=False)[source]¶

Get a galaxy by id: https://www.misp-project.org/openapi/#tag/Galaxies/operation/getGalaxyById

Parameters:

galaxy (MISPGalaxy | int | str | UUID) – galaxy to get
withCluster (bool) – Include the clusters associated with the galaxy
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPGalaxy

get_galaxy_cluster(galaxy_cluster, pythonify=False)[source]¶

Gets a specific galaxy cluster

Parameters:

galaxy_cluster (MISPGalaxyCluster | int | str | UUID) – The MISPGalaxyCluster you want to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_new_authkey(user='me')[source]¶

Get a new authorization key for a specific user, defaults to user doing the call: https://www.misp-project.org/openapi/#tag/AuthKeys/operation/addAuthKey

Parameters:: user (MISPUser | int | str | UUID) – The owner of the key
Return type:: str

get_noticelist(noticelist, pythonify=False)[source]¶

Get a noticelist by id: https://www.misp-project.org/openapi/#tag/Noticelists/operation/getNoticelistById

Parameters:

notistlist – Noticelist to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPNoticelist

get_object(misp_object, pythonify=False)[source]¶

Get an object from the remote MISP instance: https://www.misp-project.org/openapi/#tag/Objects/operation/getObjectById

Parameters:

misp_object (MISPObject | int | str | UUID) – object to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_object_template(object_template, pythonify=False)[source]¶

Gets the full object template

Parameters:

object_template (MISPObjectTemplate | int | str | UUID) – template or ID to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPObjectTemplate

get_organisation(organisation, pythonify=False)[source]¶

Get an organisation by id: https://www.misp-project.org/openapi/#tag/Organisations/operation/getOrganisationById

Parameters:

organisation (MISPOrganisation | int | str | UUID) – organization to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_raw_object_template(uuid_or_name)[source]¶

Get a row template. It needs to be present on disk on the MISP instance you’re connected to. The response of this method can be passed to MISPObject(<name>, misp_objects_template_custom=<response>)

Return type:: dict[str, Any] | list[dict[str, Any]]

get_server_setting(setting)[source]¶

Get a setting from the MISP instance

Parameters:: setting (str) – server setting name
Return type:: dict[str, Any] | list[dict[str, Any]]

get_sharing_group(sharing_group, pythonify=False)[source]¶

Get a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/getSharingGroupById

Parameters:

sharing_group (MISPSharingGroup | int | str | UUID) – sharing group to find
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_sync_config(pythonify=False)[source]¶

Get the sync server config. WARNING: This method only works if the user calling it is a sync user

Parameters:: pythonify (bool) – Returns a PyMISP Object instead of the plain json output
Return type:: dict[str, Any] | MISPServer

get_tag(tag, pythonify=False)[source]¶

Get a tag by id: https://www.misp-project.org/openapi/#tag/Tags/operation/getTagById

Parameters:

tag (MISPTag | int | str | UUID) – tag to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_taxonomy(taxonomy, pythonify=False)[source]¶

Get a taxonomy by id or namespace from a MISP instance: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/getTaxonomyById

Parameters:

taxonomy (MISPTaxonomy | int | str | UUID) – taxonomy to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPTaxonomy

get_user(user='me', pythonify=False, expanded=False)[source]¶

Get a user by id: https://www.misp-project.org/openapi/#tag/Users/operation/getUsers

Parameters:

user (MISPUser | int | str | UUID) – user to get; me means the owner of the API key doing the query
pythonify (bool) – Returns a PyMISP Object instead of the plain json output
expanded (bool) – Also returns a MISPRole and a MISPUserSetting. Only taken in account if pythonify is True.

Return type:

dict[str, Any] | MISPUser | tuple[MISPUser, MISPRole, list[MISPUserSetting]]

get_user_setting(user_setting, user=None, pythonify=False)[source]¶

Get a user setting: https://www.misp-project.org/openapi/#tag/UserSettings/operation/getUserSettingById

Parameters:

user_setting (str) – name of user setting
user (MISPUser | int | str | UUID | None) – user
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_warninglist(warninglist, pythonify=False)[source]¶

Get a warninglist by id: https://www.misp-project.org/openapi/#tag/Warninglists/operation/getWarninglistById

Parameters:

warninglist (MISPWarninglist | int | str | UUID) – warninglist to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPWarninglist

import_server(server, pythonify=False)[source]¶

Import a sync server config received from get_sync_config

Parameters:

server (MISPServer) – sync server config
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

load_default_feeds()[source]¶

Load all the default feeds.

Return type:: dict[str, Any] | list[dict[str, Any]]

property misp_instance_version: dict[str, Any] | list[dict[str, Any]]¶: Returns the version of the instance.

property misp_instance_version_master: dict[str, Any] | list[dict[str, Any]]¶: Get the most recent version from github

noticelists(pythonify=False)[source]¶

Get all the noticelists: https://www.misp-project.org/openapi/#tag/Noticelists/operation/getNoticelists

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPNoticelist] | list[dict[str, Any]]

object_exists(misp_object)[source]¶

Fast check if object exists.

Parameters:: misp_object (MISPObject | int | str | UUID) – Attribute to check
Return type:: bool

object_templates(pythonify=False)[source]¶

Get all the object templates

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPObjectTemplate] | list[dict[str, Any]]

organisation_blocklists(pythonify=False)[source]¶

Get all the blocklisted organisations

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPOrganisationBlocklist] | list[dict[str, Any]]

organisation_exists(organisation)[source]¶

Fast check if organisation exists.

Parameters:: organisation (MISPOrganisation | int | str | UUID) – Organisation to check
Return type:: bool

organisations(scope='local', search=None, pythonify=False)[source]¶

Get all the organisations: https://www.misp-project.org/openapi/#tag/Organisations/operation/getOrganisations

Parameters:

scope (str) – scope of organizations to get
search (str | None) – The search to make against the list of organisations
pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

dict[str, Any] | list[MISPOrganisation] | list[dict[str, Any]]

publish(event, alert=False)[source]¶

Publish the event with one single HTTP POST: https://www.misp-project.org/openapi/#tag/Events/operation/publishEvent

Parameters:

event (MISPEvent | int | str | UUID) – event to publish
alert (bool) – whether to send an email. The default is to not send a mail as it is assumed this method is called on update.

Return type:

dict[str, Any] | list[dict[str, Any]]

publish_galaxy_cluster(galaxy_cluster)[source]¶

Publishes a galaxy cluster: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/publishGalaxyCluster

Parameters:: galaxy_cluster (MISPGalaxyCluster | int | str | UUID) – The galaxy cluster you wish to publish
Return type:: dict[str, Any] | list[dict[str, Any]]

push_event_to_ZMQ(event)[source]¶

Force push an event by id on ZMQ

Parameters:: event (MISPEvent | int | str | UUID) – the event to push
Return type:: dict[str, Any] | list[dict[str, Any]]

property pymisp_version_main: dict[str, Any] | list[dict[str, Any]]¶: Get the most recent version of PyMISP from github

property pymisp_version_master: dict[str, Any] | list[dict[str, Any]]¶: PyMISP version as defined in the main repository

property recommended_pymisp_version: dict[str, Any] | list[dict[str, Any]]¶: Returns the recommended API version from the server

remote_acl(debug_type='findMissingFunctionNames')[source]¶

This should return an empty list, unless the ACL is outdated.

Parameters:: debug_type (str) – printAllFunctionNames, findMissingFunctionNames, or printRoleAccess
Return type:: dict[str, Any] | list[dict[str, Any]]

remove_org_from_sharing_group(sharing_group, organisation)[source]¶

Remove an organisation from a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/removeOrganisationFromSharingGroup

Parameters:

sharing_group (MISPSharingGroup | int | str | UUID) – Sharing group’s local instance ID, or Sharing group’s global UUID
organisation (MISPOrganisation | int | str | UUID) – Organisation’s local instance ID, or Organisation’s global UUID, or Organisation’s name as known to the curent instance

Return type:

dict[str, Any] | list[dict[str, Any]]

remove_server_from_sharing_group(sharing_group, server)[source]¶

Remove a server from a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/removeServerFromSharingGroup

Parameters:

sharing_group (MISPSharingGroup | int | str | UUID) – Sharing group’s local instance ID, or Sharing group’s global UUID
server (MISPServer | int | str | UUID) – Server’s local instance ID, or URL of the Server, or Server’s name as known to the curent instance

Return type:

dict[str, Any] | list[dict[str, Any]]

request_community_access(community, requestor_email_address=None, requestor_gpg_key=None, requestor_organisation_name=None, requestor_organisation_uuid=None, requestor_organisation_description=None, message=None, sync=False, anonymise_requestor_server=False, mock=False)[source]¶

Request the access to a community

Parameters:

community (MISPCommunity | int | str | UUID) – community to request access
requestor_email_address (str | None) – requestor email
requestor_gpg_key (str | None) – requestor key
requestor_organisation_name (str | None) – requestor org name
requestor_organisation_uuid (str | None) – requestor org ID
requestor_organisation_description (str | None) – requestor org desc
message (str | None) – requestor message
sync (bool) – synchronize flag
anonymise_requestor_server (bool) – anonymise flag
mock (bool) – mock flag

Return type:

dict[str, Any] | list[dict[str, Any]]

restart_workers()[source]¶

Restart all the workers

Return type:: dict[str, Any] | list[dict[str, Any]]

restore_attribute(attribute, pythonify=False)[source]¶

Restore a soft deleted attribute from a MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/restoreAttribute

Parameters:: attribute (MISPAttribute | int | str | UUID) – attribute to restore
Return type:: dict[str, Any] | MISPAttribute

roles(pythonify=False)[source]¶

Get the existing roles

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPRole] | list[dict[str, Any]]

search(controller='events', return_format='json', limit=None, page=None, value=None, type_attribute=None, category=None, org=None, tags=None, event_tags=None, quick_filter=None, quickFilter=None, date_from=None, date_to=None, eventid=None, with_attachments=None, withAttachments=None, metadata=None, uuid=None, publish_timestamp=None, last=None, timestamp=None, published=None, enforce_warninglist=None, enforceWarninglist=None, to_ids=None, deleted=None, include_event_uuid=None, includeEventUuid=None, include_event_tags=None, includeEventTags=None, event_timestamp=None, sg_reference_only=None, eventinfo=None, searchall=None, requested_attributes=None, include_context=None, includeContext=None, headerless=None, include_sightings=None, includeSightings=None, include_correlations=None, includeCorrelations=None, include_decay_score=None, includeDecayScore=None, object_name=None, exclude_decayed=None, sharinggroup=None, pythonify=False, **kwargs)[source]¶

Search in the MISP instance

Parameters:

controller (str) –
Controller to search on, it can be events, objects, attributes. The response will either be a list of events, objects, or attributes. Reference documentation for each controller:
- events: https://www.misp-project.org/openapi/#tag/Events/operation/restSearchEvents
- attributes: https://www.misp-project.org/openapi/#tag/Attributes/operation/restSearchAttributes
- objects: N/A
return_format (str) – Set the return format of the search (Currently supported: json, xml, openioc, suricata, snort - more formats are being moved to restSearch with the goal being that all searches happen through this API). Can be passed as the first parameter after restSearch or via the JSON payload.
limit (int | None) – Limit the number of results returned, depending on the scope (for example 10 attributes or 10 full events).
page (int | None) – If a limit is set, sets the page to be returned. page 3, limit 100 will return records 201->300).
value (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – Search for the given value in the attributes’ value field.
type_attribute (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – The attribute type, any valid MISP attribute type is accepted.
category (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – The attribute category, any valid MISP attribute category is accepted.
org (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – Search by the creator organisation by supplying the organisation identifier.
tags (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – Tags to search or to exclude. You can pass a list, or the output of build_complex_query
event_tags (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – Tags to search or to exclude at the event level. You can pass a list, or the output of build_complex_query
quick_filter (str | None) – The string passed to this field will ignore all of the other arguments. MISP will return an xml / json (depending on the header sent) of all events that have a sub-string match on value in the event info, event orgc, or any of the attribute value1 / value2 fields, or in the attribute comment.
date_from (datetime | date | int | str | float | None) – Events with the date set to a date after the one specified. This filter will use the date of the event.
date_to (datetime | date | int | str | float | None) – Events with the date set to a date before the one specified. This filter will use the date of the event.
eventid (Optional[TypeVar(SearchType, str, int)]) – The events that should be included / excluded from the search
with_attachments (bool | None) – If set, encodes the attachments / zipped malware samples as base64 in the data field within each attribute
metadata (bool | None) – Only the metadata (event, tags, relations) is returned, attributes and proposals are omitted.
uuid (str | None) – Restrict the results by uuid.
publish_timestamp (None | datetime | date | int | str | float | tuple[datetime | date | int | str | float | None, datetime | date | int | str | float | None]) – Restrict the results by the last publish timestamp (newer than).
timestamp (None | datetime | date | int | str | float | tuple[datetime | date | int | str | float | None, datetime | date | int | str | float | None]) – Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute’s timestamp will be used for the lookup. The input can be a timestamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example [“14d”, “7d”]).
published (bool | None) – Set whether published or unpublished events should be returned. Do not set the parameter if you want both.
enforce_warninglist (bool | None) – Remove any attributes from the result that would cause a hit on a warninglist entry.
to_ids (Union[TypeVar(ToIDSType, str, int, bool), list[TypeVar(ToIDSType, str, int, bool)], None]) – By default all attributes are returned that match the other filter parameters, regardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. 0 for the ones with to_ids set to False.
deleted (str | None) – If this parameter is set to 1, it will only return soft-deleted attributes. [“0”, “1”] will return the active ones as well as the soft-deleted ones.
include_event_uuid (bool | None) – Instead of just including the event ID, also include the event UUID in each of the attributes.
include_event_tags (bool | None) – Include the event level tags in each of the attributes.
event_timestamp (datetime | date | int | str | float | None) – Only return attributes from events that have received a modification after the given timestamp.
sg_reference_only (bool | None) – If this flag is set, sharing group objects will not be included, instead only the sharing group ID is set.
eventinfo (str | None) – Filter on the event’s info field.
searchall (bool | None) – Search for a full or a substring (delimited by % for substrings) in the event info, event tags, attribute tags, attribute values or attribute comment fields.
requested_attributes (str | None) – [CSV only] Select the fields that you wish to include in the CSV export. By setting event level fields additionally, includeContext is not required to get event metadata.
include_context (bool | None) – [Attribute only] Include the event data with each attribute. [CSV output] Add event level metadata in every line of the CSV.
headerless (bool | None) – [CSV Only] The CSV created when this setting is set to true will not contain the header row.
include_sightings (bool | None) – [JSON Only - Attribute] Include the sightings of the matching attributes.
include_decay_score (bool | None) – Include the decay score at attribute level.
include_correlations (bool | None) – [JSON Only - attribute] Include the correlations of the matching attributes.
object_name (str | None) – [objects controller only] Search for objects with that name
exclude_decayed (bool | None) – [attributes controller only] Exclude the decayed attributes from the response
sharinggroup (int | list[int] | None) – Filter by sharing group ID(s)
pythonify (bool | None) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

Deprecated:

Parameters:

quickFilter (str | None) – synonym for quick_filter
withAttachments (bool | None) – synonym for with_attachments
last (None | datetime | date | int | str | float | tuple[datetime | date | int | str | float | None, datetime | date | int | str | float | None]) – synonym for publish_timestamp
enforceWarninglist (bool | None) – synonym for enforce_warninglist
includeEventUuid (bool | None) – synonym for include_event_uuid
includeEventTags (bool | None) – synonym for include_event_tags
includeContext (bool | None) – synonym for include_context

search_feeds(value=None, pythonify=False)[source]¶

Search in the feeds cached on the servers

Return type:: dict[str, Any] | list[MISPFeed] | list[dict[str, Any]]

search_galaxy(value, withCluster=False, pythonify=False)[source]¶

Text search to find a matching galaxy name, namespace, description, or uuid.

Return type:: dict[str, Any] | list[MISPGalaxy] | list[dict[str, Any]]

search_galaxy_clusters(galaxy, context='all', searchall=None, pythonify=False)[source]¶

Searches the galaxy clusters within a specific galaxy: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/getGalaxyClusters and https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/getGalaxyClusterById

Parameters:

galaxy (MISPGalaxy | int | str | UUID) – The MISPGalaxy you wish to search in
context (str) – The context of how you want to search within the galaxy_
searchall (str | None) – The search you want to make against the galaxy and context
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | list[MISPGalaxyCluster] | list[dict[str, Any]]

search_index(all=None, attribute=None, email=None, published=None, hasproposal=None, eventid=None, tags=None, date_from=None, date_to=None, eventinfo=None, threatlevel=None, distribution=None, analysis=None, org=None, timestamp=None, publish_timestamp=None, sharinggroup=None, minimal=None, sort=None, desc=None, limit=None, page=None, pythonify=None)[source]¶

Search event metadata shown on the event index page. Using ! in front of a value means NOT, except for parameters date_from, date_to and timestamp which cannot be negated. Criteria are AND-ed together; values in lists are OR-ed together. Return matching events with metadata but no attributes or objects; also see minimal parameter.

Parameters:

all (str | None) – Search for a full or a substring (delimited by % for substrings) in the event info, event tags, attribute tags, attribute values or attribute comment fields.
attribute (str | None) – Filter on attribute’s value.
email (str | None) – Filter on user’s email.
published (bool | None) – Set whether published or unpublished events should be returned. Do not set the parameter if you want both.
hasproposal (bool | None) – Filter for events containing proposal(s).
eventid (Optional[TypeVar(SearchType, str, int)]) – The events that should be included / excluded from the search
tags (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – Tags to search or to exclude. You can pass a list, or the output of build_complex_query
date_from (datetime | date | int | str | float | None) – Events with the date set to a date after the one specified. This filter will use the date of the event.
date_to (datetime | date | int | str | float | None) – Events with the date set to a date before the one specified. This filter will use the date of the event.
eventinfo (str | None) – Filter on the event’s info field.
threatlevel (list[TypeVar(SearchType, str, int)] | None) – Threat level(s) (1,2,3,4) | list
distribution (list[TypeVar(SearchType, str, int)] | None) – Distribution level(s) (0,1,2,3) | list
analysis (list[TypeVar(SearchType, str, int)] | None) – Analysis level(s) (0,1,2) | list
org (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – Search by the creator organisation by supplying the organisation identifier.
timestamp (None | datetime | date | int | str | float | tuple[datetime | date | int | str | float | None, datetime | date | int | str | float | None]) – Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute’s timestamp will be used for the lookup.
publish_timestamp (None | datetime | date | int | str | float | tuple[datetime | date | int | str | float | None, datetime | date | int | str | float | None]) – Filter on event’s publish timestamp.
sharinggroup (list[TypeVar(SearchType, str, int)] | None) – Restrict by a sharing group | list
minimal (bool | None) – Return only event ID, UUID, timestamp, sighting_timestamp and published.
sort (str | None) – The field to sort the events by, such as ‘id’, ‘date’, ‘attribute_count’.
desc (bool | None) – Whether to sort events ascending (default) or descending.
limit (int | None) – Limit the number of events returned
page (int | None) – If a limit is set, sets the page to be returned. page 3, limit 100 will return records 201->300).
pythonify (bool | None) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

dict[str, Any] | list[MISPEvent] | list[dict[str, Any]]

search_logs(limit=None, page=None, log_id=None, title=None, created=None, model=None, action=None, user_id=None, change=None, email=None, org=None, description=None, ip=None, pythonify=False)[source]¶

Search in logs

Note: to run substring queries simply append/prepend/encapsulate the search term with %

Parameters:

limit (int | None) – Limit the number of results returned, depending on the scope (for example 10 attributes or 10 full events).
page (int | None) – If a limit is set, sets the page to be returned. page 3, limit 100 will return records 201->300).
log_id (int | None) – Log ID
title (str | None) – Log Title
created (datetime | date | int | str | float | None) – Creation timestamp
model (str | None) – Model name that generated the log entry
action (str | None) – The thing that was done
user_id (int | None) – ID of the user doing the action
change (str | None) – Change that occured
email (str | None) – Email of the user
org (str | None) – Organisation of the User doing the action
description (str | None) – Description of the action
ip (str | None) – Origination IP of the User doing the action
pythonify (bool | None) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

dict[str, Any] | list[MISPLog] | list[dict[str, Any]]

search_sightings(context=None, context_id=None, type_sighting=None, date_from=None, date_to=None, publish_timestamp=None, last=None, org=None, source=None, include_attribute=None, include_event_meta=None, pythonify=False)[source]¶

Search sightings

Parameters:

context (str | None) – The context of the search. Can be either “attribute”, “event”, or nothing (will then match on events and attributes).
context_id (Optional[TypeVar(SearchType, str, int)]) – Only relevant if context is either “attribute” or “event”. Then it is the relevant ID.
type_sighting (str | None) – Type of sighting
date_from (datetime | date | int | str | float | None) – Events with the date set to a date after the one specified. This filter will use the date of the event.
date_to (datetime | date | int | str | float | None) – Events with the date set to a date before the one specified. This filter will use the date of the event.
publish_timestamp (None | datetime | date | int | str | float | tuple[datetime | date | int | str | float | None, datetime | date | int | str | float | None]) – Restrict the results by the last publish timestamp (newer than).
org (Optional[TypeVar(SearchType, str, int)]) – Search by the creator organisation by supplying the organisation identifier.
source (str | None) – Source of the sighting
include_attribute (bool | None) – Include the attribute.
include_event_meta (bool | None) – Include the meta information of the event.

Return type:

dict[str, Any] | list[dict[str, MISPEvent | MISPAttribute | MISPSighting]]

Deprecated:

Parameters:: last (None | datetime | date | int | str | float | tuple[datetime | date | int | str | float | None, datetime | date | int | str | float | None]) – synonym for publish_timestamp
Example:

>>> misp.search_sightings(publish_timestamp='30d') # search sightings for the last 30 days on the instance
[ ... ]
>>> misp.search_sightings(context='attribute', context_id=6, include_attribute=True) # return list of sighting for attribute 6 along with the attribute itself
[ ... ]
>>> misp.search_sightings(context='event', context_id=17, include_event_meta=True, org=2) # return list of sighting for event 17 filtered with org id 2

search_tags(tagname, strict_tagname=False, pythonify=False)[source]¶

Search for tags by name: https://www.misp-project.org/openapi/#tag/Tags/operation/searchTag

Parameters:

tag_name – Name to search, use % for substrings matches.
strict_tagname (bool) – only return tags matching exactly the tag name (so skipping synonyms and cluster’s value)

Return type:

dict[str, Any] | list[MISPTag] | list[dict[str, Any]]

server_pull(server, event=None)[source]¶

Initialize a pull from a sync server, optionally limited to one event: https://www.misp-project.org/openapi/#tag/Servers/operation/pullServer

Parameters:

server (MISPServer | int | str | UUID) – sync server config
event (MISPEvent | int | str | UUID | None) – event

Return type:

dict[str, Any] | list[dict[str, Any]]

server_push(server, event=None)[source]¶

Initialize a push to a sync server, optionally limited to one event: https://www.misp-project.org/openapi/#tag/Servers/operation/pushServer

Parameters:

server (MISPServer | int | str | UUID) – sync server config
event (MISPEvent | int | str | UUID | None) – event

Return type:

dict[str, Any] | list[dict[str, Any]]

server_settings()[source]¶

Get all the settings from the server

Return type:: dict[str, Any] | list[dict[str, Any]]

servers(pythonify=False)[source]¶

Get the existing servers the MISP instance can synchronise with: https://www.misp-project.org/openapi/#tag/Servers/operation/getServers

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPServer] | list[dict[str, Any]]

set_default_role(role)[source]¶

Set a default role for the new user accounts

Parameters:: role (MISPRole | int | str | UUID) – the default role to set
Return type:: dict[str, Any] | list[dict[str, Any]]

set_server_setting(setting, value, force=False)[source]¶

Set a setting on the MISP instance

Parameters:

setting (str) – server setting name
value (str | int | bool) – value to set
force (bool) – override value test

Return type:

dict[str, Any] | list[dict[str, Any]]

set_user_setting(user_setting, value, user=None, pythonify=False)[source]¶

Set a user setting: https://www.misp-project.org/openapi/#tag/UserSettings/operation/setUserSetting

Parameters:

user_setting (str) – name of user setting
value (str | dict[str, Any]) – value to set
user (MISPUser | int | str | UUID | None) – user
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

sharing_group_exists(sharing_group)[source]¶

Fast check if sharing group exists.

Parameters:: sharing_group (MISPSharingGroup | int | str | UUID) – Sharing group to check
Return type:: bool

sharing_groups(pythonify=False)[source]¶

Get the existing sharing groups: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/getSharingGroup

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPSharingGroup] | list[dict[str, Any]]

sightings(misp_entity=None, org=None, pythonify=False)[source]¶

Get the list of sightings related to a MISPEvent or a MISPAttribute (depending on type of misp_entity): https://www.misp-project.org/openapi/#tag/Sightings/operation/getSightingsByEventId

Parameters:

misp_entity (AbstractMISP | None) – MISP entity
org (MISPOrganisation | int | str | UUID | None) – MISP organization
pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

dict[str, Any] | list[MISPSighting] | list[dict[str, Any]]

tag(misp_entity, tag, local=False, relationship_type=None)[source]¶

Tag an event or an attribute.

Parameters:

misp_entity (AbstractMISP | str | dict[str, Any]) – a MISPEvent, a MISP Attribute, or a UUID
tag (MISPTag | str) – tag to add
local (bool) – whether to tag locally
relationship_type (str | None) – Type of relationship between the tag and the attribute or event

Return type:

dict[str, Any] | list[dict[str, Any]]

tags(pythonify=False, **kw_params)[source]¶

Get the list of existing tags: https://www.misp-project.org/openapi/#tag/Tags/operation/getTags

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPTag]

tags_statistics(percentage=False, name_sort=False)[source]¶

Get tag statistics from the MISP instance

Parameters:

percentage (bool) – get percentages
name_sort (bool) – sort by name

Return type:

dict[str, Any] | list[dict[str, Any]]

taxonomies(pythonify=False)[source]¶

Get all the taxonomies: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/getTaxonomies

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPTaxonomy] | list[dict[str, Any]]

test_server(server)[source]¶

Test if a sync link is working as expected

Parameters:: server (MISPServer | int | str | UUID) – sync server config
Return type:: dict[str, Any] | list[dict[str, Any]]

toggle_global_pythonify()[source]¶

Toggle the pythonify variable for the class

Return type:: None

toggle_warninglist(warninglist_id=None, warninglist_name=None, force_enable=None)[source]¶

Toggle (enable/disable) the status of a warninglist by id: https://www.misp-project.org/openapi/#tag/Warninglists/operation/toggleEnableWarninglist

Parameters:

warninglist_id (str | int | list[int] | None) – ID of the WarningList
warninglist_name (str | list[str] | None) – name of the WarningList
force_enable (bool | None) – Force the warning list in the enabled state (does nothing if already enabled) - None means toggle.

Return type:

dict[str, Any] | list[dict[str, Any]]

unpublish(event)[source]¶

Unpublish the event with one single HTTP POST: https://www.misp-project.org/openapi/#tag/Events/operation/unpublishEvent

Parameters:: event (MISPEvent | int | str | UUID) – event to unpublish
Return type:: dict[str, Any] | list[dict[str, Any]]

untag(misp_entity, tag)[source]¶

Untag an event or an attribute

Parameters:

misp_entity (AbstractMISP | str | dict[str, Any]) – misp_entity can be a UUID
tag (MISPTag | str) – tag to remove

Return type:

dict[str, Any] | list[dict[str, Any]]

update_attribute(attribute, attribute_id=None, pythonify=False)[source]¶

Update an attribute on a MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/editAttribute

Parameters:

attribute (MISPAttribute) – attribute to update
attribute_id (int | None) – attribute ID to update
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPAttribute | MISPShadowAttribute

update_attribute_proposal(initial_attribute, attribute, pythonify=False)[source]¶

Propose a change for an attribute

Parameters:

initial_attribute (MISPAttribute | int | str | UUID) – attribute to change
attribute (MISPAttribute) – attribute to propose
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

update_decaying_models()[source]¶

Update all the Decaying models

Return type:: dict[str, Any] | list[dict[str, Any]]

update_event(event, event_id=None, pythonify=False, metadata=False)[source]¶

Update an event on a MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/editEvent

Parameters:

event (MISPEvent) – event to update
event_id (int | None) – ID of event to update
pythonify (bool) – Returns a PyMISP Object instead of the plain json output
metadata (bool) – Return just event metadata after successful update

Return type:

update_event_blocklist(event_blocklist, event_blocklist_id=None, pythonify=False)[source]¶

Update an event in the blocklist

Parameters:

event_blocklist (MISPEventBlocklist) – event block list
event_blocklist_id (int | str | UUID | None) – event block lisd id
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPEventBlocklist

update_event_report(event_report, event_report_id=None, pythonify=False)[source]¶

Update an event report on a MISP instance

Parameters:

event_report (MISPEventReport) – event report to update
event_report_id (int | None) – event report ID to update
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

update_feed(feed, feed_id=None, pythonify=False)[source]¶

Update a feed on a MISP instance

Parameters:

feed (MISPFeed) – feed to update
feed_id (int | None) – feed id
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

update_galaxies()[source]¶

Update all the galaxies: https://www.misp-project.org/openapi/#tag/Galaxies/operation/updateGalaxies

Return type:: dict[str, Any] | list[dict[str, Any]]

update_galaxy_cluster(galaxy_cluster, pythonify=False)[source]¶

Update a custom galaxy cluster: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/editGalaxyCluster

;param galaxy_cluster: The MISPGalaxyCluster you wish to update :type pythonify: bool :param pythonify: Returns a PyMISP Object instead of the plain json output

Return type:: dict[str, Any] | MISPGalaxyCluster

update_galaxy_cluster_relation(galaxy_cluster_relation)[source]¶

Update a galaxy cluster relation

Parameters:: galaxy_cluster_relation (MISPGalaxyClusterRelation) – The MISPGalaxyClusterRelation to update
Return type:: dict[str, Any] | list[dict[str, Any]]

update_misp()[source]¶

Trigger a server update

Return type:: dict[str, Any] | list[dict[str, Any]]

update_noticelists()[source]¶

Update all the noticelists: https://www.misp-project.org/openapi/#tag/Noticelists/operation/updateNoticelists

Return type:: dict[str, Any] | list[dict[str, Any]]

update_object(misp_object, object_id=None, pythonify=False)[source]¶

Update an object on a MISP instance

Parameters:

misp_object (MISPObject) – object to update
object_id (int | None) – ID of object to update
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

update_object_templates()[source]¶

Trigger an update of the object templates

Return type:: dict[str, Any] | list[dict[str, Any]]

update_organisation(organisation, organisation_id=None, pythonify=False)[source]¶

Update an organisation: https://www.misp-project.org/openapi/#tag/Organisations/operation/editOrganisation

Parameters:

organisation (MISPOrganisation) – organization to update
organisation_id (int | None) – id to update
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

update_organisation_blocklist(organisation_blocklist, organisation_blocklist_id=None, pythonify=False)[source]¶

Update an organisation in the blocklist

Parameters:

organisation_blocklist (MISPOrganisationBlocklist) – organization block list
organisation_blocklist_id (int | str | UUID | None) – organization block lisd id
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPOrganisationBlocklist

update_server(server, server_id=None, pythonify=False)[source]¶

Update a server to synchronise with: https://www.misp-project.org/openapi/#tag/Servers/operation/getServers

Parameters:

server (MISPServer) – sync server config
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

update_sharing_group(sharing_group, sharing_group_id=None, pythonify=False)[source]¶

Update sharing group parameters: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/editSharingGroup :rtype: dict[str, Any] | MISPSharingGroup

Parameters:: sharing_group (MISPSharingGroup | dict[str, Any]) – MISP Sharing Group

:param sharing_group_id Sharing group ID :type pythonify: bool :param pythonify: Returns a PyMISP Object instead of the plain json output

update_tag(tag, tag_id=None, pythonify=False)[source]¶

Edit only the provided parameters of a tag: https://www.misp-project.org/openapi/#tag/Tags/operation/editTag

Parameters:

tag (MISPTag) – tag to update
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Aram tag_id:

tag ID to update

Return type:

update_taxonomies()[source]¶

Update all the taxonomies: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/updateTaxonomies

Return type:: dict[str, Any] | list[dict[str, Any]]

update_user(user, user_id=None, pythonify=False)[source]¶

Update a user on a MISP instance: https://www.misp-project.org/openapi/#tag/Users/operation/editUser

Parameters:

user (MISPUser) – user to update
user_id (int | None) – id to update
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

update_warninglists()[source]¶

Update all the warninglists: https://www.misp-project.org/openapi/#tag/Warninglists/operation/updateWarninglists

Return type:: dict[str, Any] | list[dict[str, Any]]

upload_stix(path=None, data=None, version='2')[source]¶

Upload a STIX file to MISP.

Parameters:

path (str | Path | BytesIO | StringIO | None) – Path to the STIX on the disk (can be a path-like object, or a pseudofile)
data (str | bytes | None) – stix object
version (str) – Can be 1 or 2

Return type:

Response

user_registrations(pythonify=False)[source]¶

Get all the user registrations

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPInbox] | list[dict[str, Any]]

user_settings(pythonify=False)[source]¶

Get all the user settings: https://www.misp-project.org/openapi/#tag/UserSettings/operation/getUserSettings

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPUserSetting] | list[dict[str, Any]]

users(search=None, organisation=None, pythonify=False)[source]¶

Get all the users, or a filtered set of users: https://www.misp-project.org/openapi/#tag/Users/operation/getUsers

Parameters:

search (str | None) – The search to make against the list of users
organisation (int | None) – The ID of an organisation to filter against
pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

dict[str, Any] | list[MISPUser] | list[dict[str, Any]]

users_statistics(context='data')[source]¶

Get user statistics from the MISP instance

Parameters:: context (str) – one of ‘data’, ‘orgs’, ‘users’, ‘tags’, ‘attributehistogram’, ‘sightings’, ‘galaxyMatrix’
Return type:: dict[str, Any] | list[dict[str, Any]]

values_in_warninglist(value)[source]¶

Check if IOC values are in warninglist

Parameters:: value (Iterable[str]) – iterator with values to check
Return type:: dict[str, Any] | list[dict[str, Any]]

property version: dict[str, Any] | list[dict[str, Any]]¶: Returns the version of PyMISP you’re currently using

warninglists(pythonify=False)[source]¶

Get all the warninglists: https://www.misp-project.org/openapi/#tag/Warninglists/operation/getWarninglists

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPWarninglist]

exception pymisp.PyMISPError(message)[source]¶

exception pymisp.PyMISPInvalidFormat(message)[source]¶

class pymisp.ThreatLevel(value, names=None, *values, module=None, qualname=None, type=None, start=1, boundary=None)[source]¶

exception pymisp.UnknownMISPObjectTemplate(message)[source]¶: Exception raised when the template is unknown

pymisp.register_user(misp_url, email, organisation=None, org_id=None, org_name=None, message=None, custom_perms=None, perm_sync=False, perm_publish=False, perm_admin=False, verify=True)[source]¶

Ask for the creation of an account for the user with the given email address

Return type:: dict[str, Any] | list[dict[str, Any]]

PyMISP¶

class pymisp.PyMISP(url, key, ssl=True, debug=False, proxies=None, cert=None, auth=None, tool='', timeout=None, http_headers=None, https_adapter=None, http_auth_header_name='Authorization')[source]¶

Python API for MISP

Parameters:

url (str) – URL of the MISP instance you want to connect to
key (str) – API key of the user you want to use
ssl (bool | str) – can be True or False (to check or to not check the validity of the certificate. Or a CA_BUNDLE in case of self signed or other certificate (the concatenation of all the crt of the chain)
debug (bool) – Write all the debug information to stderr
proxies (Optional[MutableMapping[str, str]]) – Proxy dict, as described here: http://docs.python-requests.org/en/master/user/advanced/#proxies
cert (str | tuple[str, str] | None) – Client certificate, as described here: http://docs.python-requests.org/en/master/user/advanced/#client-side-certificates
auth (AuthBase | None) – The auth parameter is passed directly to requests, as described here: http://docs.python-requests.org/en/master/user/authentication/
tool (str) – The software using PyMISP (string), used to set a unique user-agent
http_headers (dict[str, str] | None) – Arbitrary headers to pass to all the requests.
https_adapter (BaseAdapter | None) – Arbitrary HTTPS adapter for the requests session.
http_auth_header_name (str) – The name of the HTTP header to use for the API key. Can be either “Authorization” or “X-MISP-AUTH”.
timeout (float | tuple[float, float] | None) – Timeout, as described here: https://requests.readthedocs.io/en/master/user/advanced/#timeouts

accept_attribute_proposal(proposal)[source]¶

Accept a proposal. You cannot modify an existing proposal, only accept/discard

Parameters:: proposal (MISPShadowAttribute | int | str | UUID) – attribute proposal to accept
Return type:: dict[str, Any] | list[dict[str, Any]]

accept_event_delegation(delegation, pythonify=False)[source]¶

Accept the delegation of an event

Parameters:

delegation (MISPEventDelegation | int | str) – event delegation to accept
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | list[dict[str, Any]]

accept_user_registration(registration, organisation=None, role=None, perm_sync=False, perm_publish=False, perm_admin=False, unsafe_fallback=False)[source]¶

Accept a user registration

Parameters:

registration (MISPInbox | int | str | UUID) – the registration to accept
organisation (MISPOrganisation | int | str | UUID | None) – user organization
role (MISPRole | int | str | None) – user role
perm_sync (bool) – indicator for sync
perm_publish (bool) – indicator for publish
perm_admin (bool) – indicator for admin
unsafe_fallback (bool) – indicator for unsafe fallback

Return type:

dict[str, Any] | list[dict[str, Any]]

add_attribute(event, attribute, pythonify=False, break_on_duplicate=True)[source]¶

Add an attribute to an existing MISP event: https://www.misp-project.org/openapi/#tag/Attributes/operation/addAttribute

Parameters:

event (MISPEvent | int | str | UUID) – event to extend
attribute (Union[MISPAttribute, Iterable[str]]) – attribute or (MISP version 2.4.113+) list of attributes to add. If a list is passed, the pythonified response is a dict with the following structure: {‘attributes’: [MISPAttribute], ‘errors’: {errors by attributes}}
pythonify (bool) – Returns a PyMISP Object instead of the plain json output
break_on_duplicate (bool) – if False, do not fail if the attribute already exists, updates existing attribute instead (timestamp will be always updated)

Return type:

dict[str, Any] | MISPAttribute | MISPShadowAttribute

add_attribute_proposal(event, attribute, pythonify=False)[source]¶

Propose a new attribute in an event

Parameters:

event (MISPEvent | int | str | UUID) – event to receive new attribute
attribute (MISPAttribute) – attribute to propose
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_correlation_exclusion(correlation_exclusion, pythonify=False)[source]¶

Add a new correlation exclusion

Parameters:

correlation_exclusion (MISPCorrelationExclusion) – correlation exclusion to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_event(event, pythonify=False, metadata=False)[source]¶

Add a new event on a MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/addEvent

Parameters:

event (MISPEvent) – event to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output
metadata (bool) – Return just event metadata after successful creating

Return type:

add_event_blocklist(uuids, comment=None, event_info=None, event_orgc=None)[source]¶

Add a new event in the blocklist

Parameters:

uuids (str | list[str]) – UUIDs
comment (str | None) – comment
event_info (str | None) – event information
event_orgc (str | None) – event organization

Return type:

dict[str, Any] | list[dict[str, Any]]

add_event_report(event, event_report, pythonify=False)[source]¶

Add an event report to an existing MISP event

Parameters:

event (MISPEvent | int | str | UUID) – event to extend
event_report (MISPEventReport) – event report to add.
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_feed(feed, pythonify=False)[source]¶

Add a new feed on a MISP instance: https://www.misp-project.org/openapi/#tag/Feeds/operation/addFeed

Parameters:

feed (MISPFeed) – feed to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_galaxy_cluster(galaxy, galaxy_cluster, pythonify=False)[source]¶

Add a new galaxy cluster to a MISP Galaxy: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/addGalaxyCluster

Parameters:

galaxy (MISPGalaxy | str | UUID) – A MISPGalaxy (or UUID) where you wish to add the galaxy cluster
galaxy_cluster (MISPGalaxyCluster) – A MISPGalaxyCluster you wish to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_galaxy_cluster_relation(galaxy_cluster_relation)[source]¶

Add a galaxy cluster relation, cluster relation must include cluster UUIDs in both directions

Parameters:: galaxy_cluster_relation (MISPGalaxyClusterRelation) – The MISPGalaxyClusterRelation to add
Return type:: dict[str, Any] | list[dict[str, Any]]

add_object(event, misp_object, pythonify=False, break_on_duplicate=False)[source]¶

Add a MISP Object to an existing MISP event: https://www.misp-project.org/openapi/#tag/Objects/operation/addObject

Parameters:

event (MISPEvent | int | str | UUID) – event to extend
misp_object (MISPObject) – object to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output
break_on_duplicate (bool) – if True, check and reject if this object’s attributes match an existing object’s attributes; may require much time

Return type:

add_object_reference(misp_object_reference, pythonify=False)[source]¶

Add a reference to an object

Parameters:

misp_object_reference (MISPObjectReference) – object reference
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPObjectReference

add_org_to_sharing_group(sharing_group, organisation, extend=False)[source]¶

Add an organisation to a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/addOrganisationToSharingGroup

Parameters:

sharing_group (MISPSharingGroup | int | str | UUID) – Sharing group’s local instance ID, or Sharing group’s global UUID
organisation (MISPOrganisation | int | str | UUID) – Organisation’s local instance ID, or Organisation’s global UUID, or Organisation’s name as known to the curent instance
extend (bool) – Allow the organisation to extend the group

Return type:

dict[str, Any] | list[dict[str, Any]]

add_organisation(organisation, pythonify=False)[source]¶

Add an organisation: https://www.misp-project.org/openapi/#tag/Organisations/operation/addOrganisation

Parameters:

organisation (MISPOrganisation) – organization to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_organisation_blocklist(uuids, comment=None, org_name=None)[source]¶

Add a new organisation in the blocklist

Parameters:

uuids (str | list[str]) – UUIDs
comment (str | None) – comment
org_name (str | None) – organization name

Return type:

dict[str, Any] | list[dict[str, Any]]

add_server(server, pythonify=False)[source]¶

Add a server to synchronise with: https://www.misp-project.org/openapi/#tag/Servers/operation/getServers Note: You probably want to use PyMISP.get_sync_config and PyMISP.import_server instead

Parameters:

server (MISPServer) – sync server config
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_server_to_sharing_group(sharing_group, server, all_orgs=False)[source]¶

Add a server to a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/addServerToSharingGroup

Parameters:

sharing_group (MISPSharingGroup | int | str | UUID) – Sharing group’s local instance ID, or Sharing group’s global UUID
server (MISPServer | int | str | UUID) – Server’s local instance ID, or URL of the Server, or Server’s name as known to the curent instance
all_orgs (bool) – Add all the organisations of the server to the group

Return type:

dict[str, Any] | list[dict[str, Any]]

add_sharing_group(sharing_group, pythonify=False)[source]¶

Add a new sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/addSharingGroup

Parameters:

sharing_group (MISPSharingGroup) – sharing group to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_sighting(sighting, attribute=None, pythonify=False)[source]¶

Add a new sighting (globally, or to a specific attribute): https://www.misp-project.org/openapi/#tag/Sightings/operation/addSighting and https://www.misp-project.org/openapi/#tag/Sightings/operation/getSightingsByEventId

Parameters:

sighting (MISPSighting | dict[str, Any]) – sighting to add
attribute (MISPAttribute | int | str | UUID | None) – specific attribute to modify with the sighting
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPSighting

add_tag(tag, pythonify=False)[source]¶

Add a new tag on a MISP instance: https://www.misp-project.org/openapi/#tag/Tags/operation/addTag The user calling this method needs the Tag Editor permission. It doesn’t add a tag to an event, simply creates it on the MISP instance.

Parameters:

tag (MISPTag) – tag to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

add_user(user, pythonify=False)[source]¶

Add a new user: https://www.misp-project.org/openapi/#tag/Users/operation/addUser

Parameters:

user (MISPUser) – user to add
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

attribute_exists(attribute)[source]¶

Fast check if attribute exists.

Parameters:: attribute (MISPAttribute | int | str | UUID) – Attribute to check
Return type:: bool

attribute_proposals(event=None, pythonify=False)[source]¶

Get all the attribute proposals

Parameters:

event (MISPEvent | int | str | UUID | None) – event
pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

dict[str, Any] | list[MISPShadowAttribute] | list[dict[str, Any]]

attributes(pythonify=False)[source]¶

Get all the attributes from the MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/getAttributes

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPAttribute] | list[dict[str, Any]]

attributes_statistics(context='type', percentage=False)[source]¶

Get attribute statistics from the MISP instance

Parameters:

context (str) – “type” or “category”
percentage (bool) – get percentages

Return type:

dict[str, Any] | list[dict[str, Any]]

build_complex_query(or_parameters=None, and_parameters=None, not_parameters=None)[source]¶

Build a complex search query. MISP expects a dictionary with AND, OR and NOT keys.

Return type:: dict[str, list[TypeVar(SearchType, str, int)]]

cache_all_feeds()[source]¶

Cache all the feeds: https://www.misp-project.org/openapi/#tag/Feeds/operation/cacheFeeds

Return type:: dict[str, Any] | list[dict[str, Any]]

cache_feed(feed)[source]¶

Cache a specific feed by id: https://www.misp-project.org/openapi/#tag/Feeds/operation/cacheFeeds

Parameters:: feed (MISPFeed | int | str | UUID) – feed to cache
Return type:: dict[str, Any] | list[dict[str, Any]]

cache_freetext_feeds()[source]¶

Cache all the freetext feeds

Return type:: dict[str, Any] | list[dict[str, Any]]

cache_misp_feeds()[source]¶

Cache all the MISP feeds

Return type:: dict[str, Any] | list[dict[str, Any]]

change_sharing_group_on_entity(misp_entity, sharing_group_id, pythonify=False)[source]¶

Change the sharing group of an event, an attribute, or an object

Parameters:

misp_entity (MISPEvent | MISPAttribute | MISPObject) – entity to change
sharing_group_id (int) – group to change
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPEvent | MISPObject | MISPAttribute | MISPShadowAttribute

change_user_password(new_password)[source]¶

Change the password of the curent user:

Parameters:: new_password (str) – password to set
Return type:: dict[str, Any] | list[dict[str, Any]]

clean_correlation_exclusions()[source]¶

Initiate correlation exclusions cleanup

Return type:: dict[str, Any] | list[dict[str, Any]]

communities(pythonify=False)[source]¶

Get all the communities

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPCommunity] | list[dict[str, Any]]

compare_feeds()[source]¶

Generate the comparison matrix for all the MISP feeds

Return type:: dict[str, Any] | list[dict[str, Any]]

contact_event_reporter(event, message)[source]¶

Send a message to the reporter of an event

Parameters:

event (MISPEvent | int | str | UUID) – event with reporter to contact
message (str) – message to send

Return type:

dict[str, Any] | list[dict[str, Any]]

correlation_exclusions(pythonify=False)[source]¶

Get all the correlation exclusions

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPCorrelationExclusion] | list[dict[str, Any]]

db_schema_diagnostic()[source]¶

Get the schema diagnostic

Return type:: dict[str, Any] | list[dict[str, Any]]

decaying_models(pythonify=False)[source]¶

Get all the decaying models

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output
Return type:: dict[str, Any] | list[MISPDecayingModel] | list[dict[str, Any]]

delegate_event(event=None, organisation=None, event_delegation=None, distribution=-1, message='', pythonify=False)[source]¶

Delegate an event. Either event and organisation OR event_delegation are required

Parameters:

event (MISPEvent | int | str | UUID | None) – event to delegate
organisation (MISPOrganisation | int | str | UUID | None) – organization
event_delegation (MISPEventDelegation | None) – event delegation
distribution (int) – distribution == -1 means recipient decides
message (str) – message
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPEventDelegation

delete_attribute(attribute, hard=False)[source]¶

Delete an attribute from a MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/deleteAttribute

Parameters:

attribute (MISPAttribute | int | str | UUID) – attribute to delete
hard (bool) – flag for hard delete

Return type:

dict[str, Any] | list[dict[str, Any]]

delete_attribute_proposal(attribute)[source]¶

Propose the deletion of an attribute

Parameters:: attribute (MISPAttribute | int | str | UUID) – attribute to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_correlation_exclusion(correlation_exclusion)[source]¶

Delete a correlation exclusion

Parameters:: correlation_exclusion (MISPCorrelationExclusion | int | str | UUID) – The MISPCorrelationExclusion you wish to delete from MISP
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_event(event)[source]¶

Delete an event from a MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/deleteEvent

Parameters:: event (MISPEvent | int | str | UUID) – event to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_event_blocklist(event_blocklist)[source]¶

Delete a blocklisted event by id

Parameters:: event_blocklist (MISPEventBlocklist | str | UUID) – event block list to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_event_report(event_report, hard=False)[source]¶

Delete an event report from a MISP instance

Parameters:

event_report (MISPEventReport | int | str | UUID) – event report to delete
hard (bool) – flag for hard delete

Return type:

dict[str, Any] | list[dict[str, Any]]

delete_feed(feed)[source]¶

Delete a feed from a MISP instance

Parameters:: feed (MISPFeed | int | str | UUID) – feed to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_galaxy_cluster(galaxy_cluster, hard=False)[source]¶

Deletes a galaxy cluster from MISP: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/deleteGalaxyCluster

Parameters:

galaxy_cluster (MISPGalaxyCluster | int | str | UUID) – The MISPGalaxyCluster you wish to delete from MISP
hard (bool) – flag for hard delete

Return type:

dict[str, Any] | list[dict[str, Any]]

delete_galaxy_cluster_relation(galaxy_cluster_relation)[source]¶

Delete a galaxy cluster relation

Parameters:: galaxy_cluster_relation (MISPGalaxyClusterRelation | int | str | UUID) – The MISPGalaxyClusterRelation to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_object(misp_object, hard=False)[source]¶

Delete an object from a MISP instance: https://www.misp-project.org/openapi/#tag/Objects/operation/deleteObject

Parameters:

misp_object (MISPObject | int | str | UUID) – object to delete
hard (bool) – flag for hard delete

Return type:

dict[str, Any] | list[dict[str, Any]]

delete_object_reference(object_reference, hard=False)[source]¶

Delete a reference to an object.

Return type:: dict[str, Any] | list[dict[str, Any]]

delete_organisation(organisation)[source]¶

Delete an organisation by id: https://www.misp-project.org/openapi/#tag/Organisations/operation/deleteOrganisation

Parameters:: organisation (MISPOrganisation | int | str | UUID) – organization to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_organisation_blocklist(organisation_blocklist)[source]¶

Delete a blocklisted organisation by id

Parameters:: organisation_blocklist (MISPOrganisationBlocklist | str | UUID) – organization block list to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_server(server)[source]¶

Delete a sync server: https://www.misp-project.org/openapi/#tag/Servers/operation/getServers

Parameters:: server (MISPServer | int | str | UUID) – sync server config
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_sharing_group(sharing_group)[source]¶

Delete a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/deleteSharingGroup

Parameters:: sharing_group (MISPSharingGroup | int | str | UUID) – sharing group to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_sighting(sighting)[source]¶

Delete a sighting from a MISP instance: https://www.misp-project.org/openapi/#tag/Sightings/operation/deleteSighting

Parameters:: sighting (MISPSighting | int | str | UUID) – sighting to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_tag(tag)[source]¶

Delete a tag from a MISP instance: https://www.misp-project.org/openapi/#tag/Tags/operation/deleteTag

Parameters:: tag (MISPTag | int | str | UUID) – tag to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_user(user)[source]¶

Delete a user by id: https://www.misp-project.org/openapi/#tag/Users/operation/deleteUser

Parameters:: user (MISPUser | int | str | UUID) – user to delete
Return type:: dict[str, Any] | list[dict[str, Any]]

delete_user_setting(user_setting, user=None)[source]¶

Delete a user setting: https://www.misp-project.org/openapi/#tag/UserSettings/operation/deleteUserSettingById

Parameters:

user_setting (str) – name of user setting
user (MISPUser | int | str | UUID | None) – user

Return type:

dict[str, Any] | list[dict[str, Any]]

property describe_types_local: dict[str, Any] | list[dict[str, Any]]¶: Returns the content of describe types from the package

property describe_types_remote: dict[str, Any] | list[dict[str, Any]]¶: Returns the content of describe types from the remote instance

direct_call(url, data=None, params={}, kw_params={})[source]¶

Very lightweight call that posts a data blob (python dictionary or json string) on the URL

Parameters:

url (str) – URL to post to
data (dict[str, Any] | None) – data to post
params (Mapping[str, Any]) – dict with parameters for request
kw_params (Mapping[str, Any]) – dict with keyword parameters for request

Return type:

Any

disable_decaying_model(decaying_model)[source]¶

Disable a decaying Model

Return type:: dict[str, Any] | list[dict[str, Any]]

disable_feed(feed, pythonify=False)[source]¶

Disable a feed: https://www.misp-project.org/openapi/#tag/Feeds/operation/disableFeed

Parameters:

feed (MISPFeed | int | str | UUID) – feed to disable
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

disable_feed_cache(feed, pythonify=False)[source]¶

Disable the caching of a feed

Parameters:

feed (MISPFeed | int | str | UUID) – feed to disable caching
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

disable_noticelist(noticelist)[source]¶

Disable a noticelist by id

Parameters:: noticelist (MISPNoticelist | int | str | UUID) – Noticelist to disable
Return type:: dict[str, Any] | list[dict[str, Any]]

disable_tag(tag, pythonify=False)[source]¶

Disable a tag

Parameters:

tag (MISPTag) – tag to disable
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

disable_taxonomy(taxonomy)[source]¶

Disable a taxonomy: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/disableTaxonomy

Parameters:: taxonomy (MISPTaxonomy | int | str | UUID) – taxonomy to disable
Return type:: dict[str, Any] | list[dict[str, Any]]

disable_taxonomy_tags(taxonomy)[source]¶

Disable all the tags of a taxonomy

Parameters:: taxonomy (MISPTaxonomy | int | str | UUID) – taxonomy with tags to disable
Return type:: dict[str, Any] | list[dict[str, Any]]

disable_warninglist(warninglist)[source]¶

Disable a warninglist

Parameters:: warninglist (MISPWarninglist | int | str | UUID) – warninglist to disable
Return type:: dict[str, Any] | list[dict[str, Any]]

discard_attribute_proposal(proposal)[source]¶

Discard a proposal. You cannot modify an existing proposal, only accept/discard

Parameters:: proposal (MISPShadowAttribute | int | str | UUID) – attribute proposal to discard
Return type:: dict[str, Any] | list[dict[str, Any]]

discard_event_delegation(delegation, pythonify=False)[source]¶

Discard the delegation of an event

Parameters:

delegation (MISPEventDelegation | int | str) – event delegation to discard
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | list[dict[str, Any]]

discard_user_registration(registration)[source]¶

Discard a user registration

Parameters:: registration (MISPInbox | int | str | UUID) – the registration to discard
Return type:: dict[str, Any] | list[dict[str, Any]]

enable_decaying_model(decaying_model)[source]¶

Enable a decaying Model

Return type:: dict[str, Any] | list[dict[str, Any]]

enable_feed(feed, pythonify=False)[source]¶

Enable a feed; fetching it will create event(s): https://www.misp-project.org/openapi/#tag/Feeds/operation/enableFeed

Parameters:

feed (MISPFeed | int | str | UUID) – feed to enable
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

enable_feed_cache(feed, pythonify=False)[source]¶

Enable the caching of a feed

Parameters:

feed (MISPFeed | int | str | UUID) – feed to enable caching
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

enable_noticelist(noticelist)[source]¶

Enable a noticelist by id: https://www.misp-project.org/openapi/#tag/Noticelists/operation/toggleEnableNoticelist

Parameters:: noticelist (MISPNoticelist | int | str | UUID) – Noticelist to enable
Return type:: dict[str, Any] | list[dict[str, Any]]

enable_tag(tag, pythonify=False)[source]¶

Enable a tag

Parameters:

tag (MISPTag) – tag to enable
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

enable_taxonomy(taxonomy)[source]¶

Enable a taxonomy: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/enableTaxonomy

Parameters:: taxonomy (MISPTaxonomy | int | str | UUID) – taxonomy to enable
Return type:: dict[str, Any] | list[dict[str, Any]]

enable_taxonomy_tags(taxonomy)[source]¶

Enable all the tags of a taxonomy. NOTE: this is automatically done when you call enable_taxonomy

Parameters:: taxonomy (MISPTaxonomy | int | str | UUID) – taxonomy with tags to enable
Return type:: dict[str, Any] | list[dict[str, Any]]

enable_warninglist(warninglist)[source]¶

Enable a warninglist

Parameters:: warninglist (MISPWarninglist | int | str | UUID) – warninglist to enable
Return type:: dict[str, Any] | list[dict[str, Any]]

event_blocklists(pythonify=False)[source]¶

Get all the blocklisted events

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPEventBlocklist] | list[dict[str, Any]]

event_delegations(pythonify=False)[source]¶

Get all the event delegations

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPEventDelegation] | list[dict[str, Any]]

event_exists(event)[source]¶

Fast check if event exists.

Parameters:: event (MISPEvent | int | str | UUID) – Event to check
Return type:: bool

events(pythonify=False)[source]¶

Get all the events from the MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/getEvents

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPEvent] | list[dict[str, Any]]

feeds(pythonify=False)[source]¶

Get the list of existing feeds: https://www.misp-project.org/openapi/#tag/Feeds/operation/getFeeds

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPFeed] | list[dict[str, Any]]

fetch_feed(feed)[source]¶

Fetch one single feed by id: https://www.misp-project.org/openapi/#tag/Feeds/operation/fetchFromFeed

Parameters:: feed (MISPFeed | int | str | UUID) – feed to fetch
Return type:: dict[str, Any] | list[dict[str, Any]]

fork_galaxy_cluster(galaxy, galaxy_cluster, pythonify=False)[source]¶

Forks an existing galaxy cluster, creating a new one with matching attributes

Parameters:

galaxy (MISPGalaxy | int | str | UUID) – The galaxy (or galaxy ID) where the cluster you want to fork resides
galaxy_cluster (MISPGalaxyCluster) – The galaxy cluster you wish to fork
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

freetext(event, string, adhereToWarninglists=False, distribution=None, returnMetaAttributes=False, pythonify=False, **kwargs)[source]¶

Pass a text to the freetext importer

Parameters:

event (MISPEvent | int | str | UUID) – event
string (str) – query
adhereToWarninglists (bool | str) – flag
distribution (int | None) – distribution == -1 means recipient decides
returnMetaAttributes (bool) – flag
pythonify (bool) – Returns a PyMISP Object instead of the plain json output
kwargs – kwargs passed to prepare_request

Return type:

dict[str, Any] | list[MISPAttribute] | list[dict[str, Any]]

galaxies(withCluster=False, pythonify=False)[source]¶

Get all the galaxies: https://www.misp-project.org/openapi/#tag/Galaxies/operation/getGalaxies

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPGalaxy] | list[dict[str, Any]]

get_all_functions(not_implemented=False)[source]¶

Get all methods available via the API, including ones that are not implemented.

Return type:: list[str]

get_attribute(attribute, pythonify=False)[source]¶

Get an attribute from a MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/getAttributeById

Parameters:

attribute (MISPAttribute | int | str | UUID) – attribute to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPAttribute

get_attribute_proposal(proposal, pythonify=False)[source]¶

Get an attribute proposal

Parameters:

proposal (MISPShadowAttribute | int | str | UUID) – proposal to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_community(community, pythonify=False)[source]¶

Get a community by id from a MISP instance

Parameters:

community (MISPCommunity | int | str | UUID) – community to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPCommunity

get_correlation_exclusion(correlation_exclusion, pythonify=False)[source]¶

Get a correlation exclusion by ID

Parameters:

correlation_exclusion (MISPCorrelationExclusion | int | str | UUID) – Correlation exclusion to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_event(event, deleted=False, extended=False, pythonify=False)[source]¶

Get an event from a MISP instance. Includes collections like Attribute, EventReport, Feed, Galaxy, Object, Tag, etc. so the response size may be large : https://www.misp-project.org/openapi/#tag/Events/operation/getEventById

Parameters:

event (MISPEvent | int | str | UUID) – event to get
deleted (bool | int | list[int]) – whether to include soft-deleted attributes
extended (bool | int) – whether to get extended events
pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

get_event_report(event_report, pythonify=False)[source]¶

Get an event report from a MISP instance

Parameters:

event_report (MISPEventReport | int | str | UUID) – event report to get
pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

get_event_reports(event_id, pythonify=False)[source]¶

Get event report from a MISP instance that are attached to an event ID

Parameters:

event_id (int | str) – event id to get the event reports for
pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output.

Return type:

dict[str, Any] | list[MISPEventReport] | list[dict[str, Any]]

get_feed(feed, pythonify=False)[source]¶

Get a feed by id: https://www.misp-project.org/openapi/#tag/Feeds/operation/getFeedById

Parameters:

feed (MISPFeed | int | str | UUID) – feed to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_galaxy(galaxy, withCluster=False, pythonify=False)[source]¶

Get a galaxy by id: https://www.misp-project.org/openapi/#tag/Galaxies/operation/getGalaxyById

Parameters:

galaxy (MISPGalaxy | int | str | UUID) – galaxy to get
withCluster (bool) – Include the clusters associated with the galaxy
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPGalaxy

get_galaxy_cluster(galaxy_cluster, pythonify=False)[source]¶

Gets a specific galaxy cluster

Parameters:

galaxy_cluster (MISPGalaxyCluster | int | str | UUID) – The MISPGalaxyCluster you want to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_new_authkey(user='me')[source]¶

Get a new authorization key for a specific user, defaults to user doing the call: https://www.misp-project.org/openapi/#tag/AuthKeys/operation/addAuthKey

Parameters:: user (MISPUser | int | str | UUID) – The owner of the key
Return type:: str

get_noticelist(noticelist, pythonify=False)[source]¶

Get a noticelist by id: https://www.misp-project.org/openapi/#tag/Noticelists/operation/getNoticelistById

Parameters:

notistlist – Noticelist to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPNoticelist

get_object(misp_object, pythonify=False)[source]¶

Get an object from the remote MISP instance: https://www.misp-project.org/openapi/#tag/Objects/operation/getObjectById

Parameters:

misp_object (MISPObject | int | str | UUID) – object to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_object_template(object_template, pythonify=False)[source]¶

Gets the full object template

Parameters:

object_template (MISPObjectTemplate | int | str | UUID) – template or ID to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPObjectTemplate

get_organisation(organisation, pythonify=False)[source]¶

Get an organisation by id: https://www.misp-project.org/openapi/#tag/Organisations/operation/getOrganisationById

Parameters:

organisation (MISPOrganisation | int | str | UUID) – organization to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_raw_object_template(uuid_or_name)[source]¶

Get a row template. It needs to be present on disk on the MISP instance you’re connected to. The response of this method can be passed to MISPObject(<name>, misp_objects_template_custom=<response>)

Return type:: dict[str, Any] | list[dict[str, Any]]

get_server_setting(setting)[source]¶

Get a setting from the MISP instance

Parameters:: setting (str) – server setting name
Return type:: dict[str, Any] | list[dict[str, Any]]

get_sharing_group(sharing_group, pythonify=False)[source]¶

Get a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/getSharingGroupById

Parameters:

sharing_group (MISPSharingGroup | int | str | UUID) – sharing group to find
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_sync_config(pythonify=False)[source]¶

Get the sync server config. WARNING: This method only works if the user calling it is a sync user

Parameters:: pythonify (bool) – Returns a PyMISP Object instead of the plain json output
Return type:: dict[str, Any] | MISPServer

get_tag(tag, pythonify=False)[source]¶

Get a tag by id: https://www.misp-project.org/openapi/#tag/Tags/operation/getTagById

Parameters:

tag (MISPTag | int | str | UUID) – tag to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_taxonomy(taxonomy, pythonify=False)[source]¶

Get a taxonomy by id or namespace from a MISP instance: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/getTaxonomyById

Parameters:

taxonomy (MISPTaxonomy | int | str | UUID) – taxonomy to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPTaxonomy

get_user(user='me', pythonify=False, expanded=False)[source]¶

Get a user by id: https://www.misp-project.org/openapi/#tag/Users/operation/getUsers

Parameters:

user (MISPUser | int | str | UUID) – user to get; me means the owner of the API key doing the query
pythonify (bool) – Returns a PyMISP Object instead of the plain json output
expanded (bool) – Also returns a MISPRole and a MISPUserSetting. Only taken in account if pythonify is True.

Return type:

dict[str, Any] | MISPUser | tuple[MISPUser, MISPRole, list[MISPUserSetting]]

get_user_setting(user_setting, user=None, pythonify=False)[source]¶

Get a user setting: https://www.misp-project.org/openapi/#tag/UserSettings/operation/getUserSettingById

Parameters:

user_setting (str) – name of user setting
user (MISPUser | int | str | UUID | None) – user
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

get_warninglist(warninglist, pythonify=False)[source]¶

Get a warninglist by id: https://www.misp-project.org/openapi/#tag/Warninglists/operation/getWarninglistById

Parameters:

warninglist (MISPWarninglist | int | str | UUID) – warninglist to get
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPWarninglist

import_server(server, pythonify=False)[source]¶

Import a sync server config received from get_sync_config

Parameters:

server (MISPServer) – sync server config
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

load_default_feeds()[source]¶

Load all the default feeds.

Return type:: dict[str, Any] | list[dict[str, Any]]

property misp_instance_version: dict[str, Any] | list[dict[str, Any]]¶: Returns the version of the instance.

property misp_instance_version_master: dict[str, Any] | list[dict[str, Any]]¶: Get the most recent version from github

noticelists(pythonify=False)[source]¶

Get all the noticelists: https://www.misp-project.org/openapi/#tag/Noticelists/operation/getNoticelists

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPNoticelist] | list[dict[str, Any]]

object_exists(misp_object)[source]¶

Fast check if object exists.

Parameters:: misp_object (MISPObject | int | str | UUID) – Attribute to check
Return type:: bool

object_templates(pythonify=False)[source]¶

Get all the object templates

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPObjectTemplate] | list[dict[str, Any]]

organisation_blocklists(pythonify=False)[source]¶

Get all the blocklisted organisations

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPOrganisationBlocklist] | list[dict[str, Any]]

organisation_exists(organisation)[source]¶

Fast check if organisation exists.

Parameters:: organisation (MISPOrganisation | int | str | UUID) – Organisation to check
Return type:: bool

organisations(scope='local', search=None, pythonify=False)[source]¶

Get all the organisations: https://www.misp-project.org/openapi/#tag/Organisations/operation/getOrganisations

Parameters:

scope (str) – scope of organizations to get
search (str | None) – The search to make against the list of organisations
pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

dict[str, Any] | list[MISPOrganisation] | list[dict[str, Any]]

publish(event, alert=False)[source]¶

Publish the event with one single HTTP POST: https://www.misp-project.org/openapi/#tag/Events/operation/publishEvent

Parameters:

event (MISPEvent | int | str | UUID) – event to publish
alert (bool) – whether to send an email. The default is to not send a mail as it is assumed this method is called on update.

Return type:

dict[str, Any] | list[dict[str, Any]]

publish_galaxy_cluster(galaxy_cluster)[source]¶

Publishes a galaxy cluster: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/publishGalaxyCluster

Parameters:: galaxy_cluster (MISPGalaxyCluster | int | str | UUID) – The galaxy cluster you wish to publish
Return type:: dict[str, Any] | list[dict[str, Any]]

push_event_to_ZMQ(event)[source]¶

Force push an event by id on ZMQ

Parameters:: event (MISPEvent | int | str | UUID) – the event to push
Return type:: dict[str, Any] | list[dict[str, Any]]

property pymisp_version_main: dict[str, Any] | list[dict[str, Any]]¶: Get the most recent version of PyMISP from github

property pymisp_version_master: dict[str, Any] | list[dict[str, Any]]¶: PyMISP version as defined in the main repository

property recommended_pymisp_version: dict[str, Any] | list[dict[str, Any]]¶: Returns the recommended API version from the server

remote_acl(debug_type='findMissingFunctionNames')[source]¶

This should return an empty list, unless the ACL is outdated.

Parameters:: debug_type (str) – printAllFunctionNames, findMissingFunctionNames, or printRoleAccess
Return type:: dict[str, Any] | list[dict[str, Any]]

remove_org_from_sharing_group(sharing_group, organisation)[source]¶

Remove an organisation from a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/removeOrganisationFromSharingGroup

Parameters:

sharing_group (MISPSharingGroup | int | str | UUID) – Sharing group’s local instance ID, or Sharing group’s global UUID
organisation (MISPOrganisation | int | str | UUID) – Organisation’s local instance ID, or Organisation’s global UUID, or Organisation’s name as known to the curent instance

Return type:

dict[str, Any] | list[dict[str, Any]]

remove_server_from_sharing_group(sharing_group, server)[source]¶

Remove a server from a sharing group: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/removeServerFromSharingGroup

Parameters:

sharing_group (MISPSharingGroup | int | str | UUID) – Sharing group’s local instance ID, or Sharing group’s global UUID
server (MISPServer | int | str | UUID) – Server’s local instance ID, or URL of the Server, or Server’s name as known to the curent instance

Return type:

dict[str, Any] | list[dict[str, Any]]

request_community_access(community, requestor_email_address=None, requestor_gpg_key=None, requestor_organisation_name=None, requestor_organisation_uuid=None, requestor_organisation_description=None, message=None, sync=False, anonymise_requestor_server=False, mock=False)[source]¶

Request the access to a community

Parameters:

community (MISPCommunity | int | str | UUID) – community to request access
requestor_email_address (str | None) – requestor email
requestor_gpg_key (str | None) – requestor key
requestor_organisation_name (str | None) – requestor org name
requestor_organisation_uuid (str | None) – requestor org ID
requestor_organisation_description (str | None) – requestor org desc
message (str | None) – requestor message
sync (bool) – synchronize flag
anonymise_requestor_server (bool) – anonymise flag
mock (bool) – mock flag

Return type:

dict[str, Any] | list[dict[str, Any]]

restart_workers()[source]¶

Restart all the workers

Return type:: dict[str, Any] | list[dict[str, Any]]

restore_attribute(attribute, pythonify=False)[source]¶

Restore a soft deleted attribute from a MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/restoreAttribute

Parameters:: attribute (MISPAttribute | int | str | UUID) – attribute to restore
Return type:: dict[str, Any] | MISPAttribute

roles(pythonify=False)[source]¶

Get the existing roles

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPRole] | list[dict[str, Any]]

search(controller='events', return_format='json', limit=None, page=None, value=None, type_attribute=None, category=None, org=None, tags=None, event_tags=None, quick_filter=None, quickFilter=None, date_from=None, date_to=None, eventid=None, with_attachments=None, withAttachments=None, metadata=None, uuid=None, publish_timestamp=None, last=None, timestamp=None, published=None, enforce_warninglist=None, enforceWarninglist=None, to_ids=None, deleted=None, include_event_uuid=None, includeEventUuid=None, include_event_tags=None, includeEventTags=None, event_timestamp=None, sg_reference_only=None, eventinfo=None, searchall=None, requested_attributes=None, include_context=None, includeContext=None, headerless=None, include_sightings=None, includeSightings=None, include_correlations=None, includeCorrelations=None, include_decay_score=None, includeDecayScore=None, object_name=None, exclude_decayed=None, sharinggroup=None, pythonify=False, **kwargs)[source]¶

Search in the MISP instance

Parameters:

controller (str) –
Controller to search on, it can be events, objects, attributes. The response will either be a list of events, objects, or attributes. Reference documentation for each controller:
- events: https://www.misp-project.org/openapi/#tag/Events/operation/restSearchEvents
- attributes: https://www.misp-project.org/openapi/#tag/Attributes/operation/restSearchAttributes
- objects: N/A
return_format (str) – Set the return format of the search (Currently supported: json, xml, openioc, suricata, snort - more formats are being moved to restSearch with the goal being that all searches happen through this API). Can be passed as the first parameter after restSearch or via the JSON payload.
limit (int | None) – Limit the number of results returned, depending on the scope (for example 10 attributes or 10 full events).
page (int | None) – If a limit is set, sets the page to be returned. page 3, limit 100 will return records 201->300).
value (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – Search for the given value in the attributes’ value field.
type_attribute (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – The attribute type, any valid MISP attribute type is accepted.
category (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – The attribute category, any valid MISP attribute category is accepted.
org (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – Search by the creator organisation by supplying the organisation identifier.
tags (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – Tags to search or to exclude. You can pass a list, or the output of build_complex_query
event_tags (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – Tags to search or to exclude at the event level. You can pass a list, or the output of build_complex_query
quick_filter (str | None) – The string passed to this field will ignore all of the other arguments. MISP will return an xml / json (depending on the header sent) of all events that have a sub-string match on value in the event info, event orgc, or any of the attribute value1 / value2 fields, or in the attribute comment.
date_from (datetime | date | int | str | float | None) – Events with the date set to a date after the one specified. This filter will use the date of the event.
date_to (datetime | date | int | str | float | None) – Events with the date set to a date before the one specified. This filter will use the date of the event.
eventid (Optional[TypeVar(SearchType, str, int)]) – The events that should be included / excluded from the search
with_attachments (bool | None) – If set, encodes the attachments / zipped malware samples as base64 in the data field within each attribute
metadata (bool | None) – Only the metadata (event, tags, relations) is returned, attributes and proposals are omitted.
uuid (str | None) – Restrict the results by uuid.
publish_timestamp (None | datetime | date | int | str | float | tuple[datetime | date | int | str | float | None, datetime | date | int | str | float | None]) – Restrict the results by the last publish timestamp (newer than).
timestamp (None | datetime | date | int | str | float | tuple[datetime | date | int | str | float | None, datetime | date | int | str | float | None]) – Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute’s timestamp will be used for the lookup. The input can be a timestamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example [“14d”, “7d”]).
published (bool | None) – Set whether published or unpublished events should be returned. Do not set the parameter if you want both.
enforce_warninglist (bool | None) – Remove any attributes from the result that would cause a hit on a warninglist entry.
to_ids (Union[TypeVar(ToIDSType, str, int, bool), list[TypeVar(ToIDSType, str, int, bool)], None]) – By default all attributes are returned that match the other filter parameters, regardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. 0 for the ones with to_ids set to False.
deleted (str | None) – If this parameter is set to 1, it will only return soft-deleted attributes. [“0”, “1”] will return the active ones as well as the soft-deleted ones.
include_event_uuid (bool | None) – Instead of just including the event ID, also include the event UUID in each of the attributes.
include_event_tags (bool | None) – Include the event level tags in each of the attributes.
event_timestamp (datetime | date | int | str | float | None) – Only return attributes from events that have received a modification after the given timestamp.
sg_reference_only (bool | None) – If this flag is set, sharing group objects will not be included, instead only the sharing group ID is set.
eventinfo (str | None) – Filter on the event’s info field.
searchall (bool | None) – Search for a full or a substring (delimited by % for substrings) in the event info, event tags, attribute tags, attribute values or attribute comment fields.
requested_attributes (str | None) – [CSV only] Select the fields that you wish to include in the CSV export. By setting event level fields additionally, includeContext is not required to get event metadata.
include_context (bool | None) – [Attribute only] Include the event data with each attribute. [CSV output] Add event level metadata in every line of the CSV.
headerless (bool | None) – [CSV Only] The CSV created when this setting is set to true will not contain the header row.
include_sightings (bool | None) – [JSON Only - Attribute] Include the sightings of the matching attributes.
include_decay_score (bool | None) – Include the decay score at attribute level.
include_correlations (bool | None) – [JSON Only - attribute] Include the correlations of the matching attributes.
object_name (str | None) – [objects controller only] Search for objects with that name
exclude_decayed (bool | None) – [attributes controller only] Exclude the decayed attributes from the response
sharinggroup (int | list[int] | None) – Filter by sharing group ID(s)
pythonify (bool | None) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

Deprecated:

Parameters:

quickFilter (str | None) – synonym for quick_filter
withAttachments (bool | None) – synonym for with_attachments
last (None | datetime | date | int | str | float | tuple[datetime | date | int | str | float | None, datetime | date | int | str | float | None]) – synonym for publish_timestamp
enforceWarninglist (bool | None) – synonym for enforce_warninglist
includeEventUuid (bool | None) – synonym for include_event_uuid
includeEventTags (bool | None) – synonym for include_event_tags
includeContext (bool | None) – synonym for include_context

search_feeds(value=None, pythonify=False)[source]¶

Search in the feeds cached on the servers

Return type:: dict[str, Any] | list[MISPFeed] | list[dict[str, Any]]

search_galaxy(value, withCluster=False, pythonify=False)[source]¶

Text search to find a matching galaxy name, namespace, description, or uuid.

Return type:: dict[str, Any] | list[MISPGalaxy] | list[dict[str, Any]]

search_galaxy_clusters(galaxy, context='all', searchall=None, pythonify=False)[source]¶

Searches the galaxy clusters within a specific galaxy: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/getGalaxyClusters and https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/getGalaxyClusterById

Parameters:

galaxy (MISPGalaxy | int | str | UUID) – The MISPGalaxy you wish to search in
context (str) – The context of how you want to search within the galaxy_
searchall (str | None) – The search you want to make against the galaxy and context
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | list[MISPGalaxyCluster] | list[dict[str, Any]]

search_index(all=None, attribute=None, email=None, published=None, hasproposal=None, eventid=None, tags=None, date_from=None, date_to=None, eventinfo=None, threatlevel=None, distribution=None, analysis=None, org=None, timestamp=None, publish_timestamp=None, sharinggroup=None, minimal=None, sort=None, desc=None, limit=None, page=None, pythonify=None)[source]¶

Search event metadata shown on the event index page. Using ! in front of a value means NOT, except for parameters date_from, date_to and timestamp which cannot be negated. Criteria are AND-ed together; values in lists are OR-ed together. Return matching events with metadata but no attributes or objects; also see minimal parameter.

Parameters:

all (str | None) – Search for a full or a substring (delimited by % for substrings) in the event info, event tags, attribute tags, attribute values or attribute comment fields.
attribute (str | None) – Filter on attribute’s value.
email (str | None) – Filter on user’s email.
published (bool | None) – Set whether published or unpublished events should be returned. Do not set the parameter if you want both.
hasproposal (bool | None) – Filter for events containing proposal(s).
eventid (Optional[TypeVar(SearchType, str, int)]) – The events that should be included / excluded from the search
tags (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – Tags to search or to exclude. You can pass a list, or the output of build_complex_query
date_from (datetime | date | int | str | float | None) – Events with the date set to a date after the one specified. This filter will use the date of the event.
date_to (datetime | date | int | str | float | None) – Events with the date set to a date before the one specified. This filter will use the date of the event.
eventinfo (str | None) – Filter on the event’s info field.
threatlevel (list[TypeVar(SearchType, str, int)] | None) – Threat level(s) (1,2,3,4) | list
distribution (list[TypeVar(SearchType, str, int)] | None) – Distribution level(s) (0,1,2,3) | list
analysis (list[TypeVar(SearchType, str, int)] | None) – Analysis level(s) (0,1,2) | list
org (Optional[TypeVar(SearchParameterTypes, str, List[Union[str, int]], Dict[str, Union[str, int]])]) – Search by the creator organisation by supplying the organisation identifier.
timestamp (None | datetime | date | int | str | float | tuple[datetime | date | int | str | float | None, datetime | date | int | str | float | None]) – Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute’s timestamp will be used for the lookup.
publish_timestamp (None | datetime | date | int | str | float | tuple[datetime | date | int | str | float | None, datetime | date | int | str | float | None]) – Filter on event’s publish timestamp.
sharinggroup (list[TypeVar(SearchType, str, int)] | None) – Restrict by a sharing group | list
minimal (bool | None) – Return only event ID, UUID, timestamp, sighting_timestamp and published.
sort (str | None) – The field to sort the events by, such as ‘id’, ‘date’, ‘attribute_count’.
desc (bool | None) – Whether to sort events ascending (default) or descending.
limit (int | None) – Limit the number of events returned
page (int | None) – If a limit is set, sets the page to be returned. page 3, limit 100 will return records 201->300).
pythonify (bool | None) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

dict[str, Any] | list[MISPEvent] | list[dict[str, Any]]

search_logs(limit=None, page=None, log_id=None, title=None, created=None, model=None, action=None, user_id=None, change=None, email=None, org=None, description=None, ip=None, pythonify=False)[source]¶

Search in logs

Note: to run substring queries simply append/prepend/encapsulate the search term with %

Parameters:

limit (int | None) – Limit the number of results returned, depending on the scope (for example 10 attributes or 10 full events).
page (int | None) – If a limit is set, sets the page to be returned. page 3, limit 100 will return records 201->300).
log_id (int | None) – Log ID
title (str | None) – Log Title
created (datetime | date | int | str | float | None) – Creation timestamp
model (str | None) – Model name that generated the log entry
action (str | None) – The thing that was done
user_id (int | None) – ID of the user doing the action
change (str | None) – Change that occured
email (str | None) – Email of the user
org (str | None) – Organisation of the User doing the action
description (str | None) – Description of the action
ip (str | None) – Origination IP of the User doing the action
pythonify (bool | None) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

dict[str, Any] | list[MISPLog] | list[dict[str, Any]]

search_sightings(context=None, context_id=None, type_sighting=None, date_from=None, date_to=None, publish_timestamp=None, last=None, org=None, source=None, include_attribute=None, include_event_meta=None, pythonify=False)[source]¶

Search sightings

Parameters:

context (str | None) – The context of the search. Can be either “attribute”, “event”, or nothing (will then match on events and attributes).
context_id (Optional[TypeVar(SearchType, str, int)]) – Only relevant if context is either “attribute” or “event”. Then it is the relevant ID.
type_sighting (str | None) – Type of sighting
date_from (datetime | date | int | str | float | None) – Events with the date set to a date after the one specified. This filter will use the date of the event.
date_to (datetime | date | int | str | float | None) – Events with the date set to a date before the one specified. This filter will use the date of the event.
publish_timestamp (None | datetime | date | int | str | float | tuple[datetime | date | int | str | float | None, datetime | date | int | str | float | None]) – Restrict the results by the last publish timestamp (newer than).
org (Optional[TypeVar(SearchType, str, int)]) – Search by the creator organisation by supplying the organisation identifier.
source (str | None) – Source of the sighting
include_attribute (bool | None) – Include the attribute.
include_event_meta (bool | None) – Include the meta information of the event.

Return type:

dict[str, Any] | list[dict[str, MISPEvent | MISPAttribute | MISPSighting]]

Deprecated:

Parameters:: last (None | datetime | date | int | str | float | tuple[datetime | date | int | str | float | None, datetime | date | int | str | float | None]) – synonym for publish_timestamp
Example:

>>> misp.search_sightings(publish_timestamp='30d') # search sightings for the last 30 days on the instance
[ ... ]
>>> misp.search_sightings(context='attribute', context_id=6, include_attribute=True) # return list of sighting for attribute 6 along with the attribute itself
[ ... ]
>>> misp.search_sightings(context='event', context_id=17, include_event_meta=True, org=2) # return list of sighting for event 17 filtered with org id 2

search_tags(tagname, strict_tagname=False, pythonify=False)[source]¶

Search for tags by name: https://www.misp-project.org/openapi/#tag/Tags/operation/searchTag

Parameters:

tag_name – Name to search, use % for substrings matches.
strict_tagname (bool) – only return tags matching exactly the tag name (so skipping synonyms and cluster’s value)

Return type:

dict[str, Any] | list[MISPTag] | list[dict[str, Any]]

server_pull(server, event=None)[source]¶

Initialize a pull from a sync server, optionally limited to one event: https://www.misp-project.org/openapi/#tag/Servers/operation/pullServer

Parameters:

server (MISPServer | int | str | UUID) – sync server config
event (MISPEvent | int | str | UUID | None) – event

Return type:

dict[str, Any] | list[dict[str, Any]]

server_push(server, event=None)[source]¶

Initialize a push to a sync server, optionally limited to one event: https://www.misp-project.org/openapi/#tag/Servers/operation/pushServer

Parameters:

server (MISPServer | int | str | UUID) – sync server config
event (MISPEvent | int | str | UUID | None) – event

Return type:

dict[str, Any] | list[dict[str, Any]]

server_settings()[source]¶

Get all the settings from the server

Return type:: dict[str, Any] | list[dict[str, Any]]

servers(pythonify=False)[source]¶

Get the existing servers the MISP instance can synchronise with: https://www.misp-project.org/openapi/#tag/Servers/operation/getServers

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPServer] | list[dict[str, Any]]

set_default_role(role)[source]¶

Set a default role for the new user accounts

Parameters:: role (MISPRole | int | str | UUID) – the default role to set
Return type:: dict[str, Any] | list[dict[str, Any]]

set_server_setting(setting, value, force=False)[source]¶

Set a setting on the MISP instance

Parameters:

setting (str) – server setting name
value (str | int | bool) – value to set
force (bool) – override value test

Return type:

dict[str, Any] | list[dict[str, Any]]

set_user_setting(user_setting, value, user=None, pythonify=False)[source]¶

Set a user setting: https://www.misp-project.org/openapi/#tag/UserSettings/operation/setUserSetting

Parameters:

user_setting (str) – name of user setting
value (str | dict[str, Any]) – value to set
user (MISPUser | int | str | UUID | None) – user
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

sharing_group_exists(sharing_group)[source]¶

Fast check if sharing group exists.

Parameters:: sharing_group (MISPSharingGroup | int | str | UUID) – Sharing group to check
Return type:: bool

sharing_groups(pythonify=False)[source]¶

Get the existing sharing groups: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/getSharingGroup

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPSharingGroup] | list[dict[str, Any]]

sightings(misp_entity=None, org=None, pythonify=False)[source]¶

Get the list of sightings related to a MISPEvent or a MISPAttribute (depending on type of misp_entity): https://www.misp-project.org/openapi/#tag/Sightings/operation/getSightingsByEventId

Parameters:

misp_entity (AbstractMISP | None) – MISP entity
org (MISPOrganisation | int | str | UUID | None) – MISP organization
pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

dict[str, Any] | list[MISPSighting] | list[dict[str, Any]]

tag(misp_entity, tag, local=False, relationship_type=None)[source]¶

Tag an event or an attribute.

Parameters:

misp_entity (AbstractMISP | str | dict[str, Any]) – a MISPEvent, a MISP Attribute, or a UUID
tag (MISPTag | str) – tag to add
local (bool) – whether to tag locally
relationship_type (str | None) – Type of relationship between the tag and the attribute or event

Return type:

dict[str, Any] | list[dict[str, Any]]

tags(pythonify=False, **kw_params)[source]¶

Get the list of existing tags: https://www.misp-project.org/openapi/#tag/Tags/operation/getTags

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPTag]

tags_statistics(percentage=False, name_sort=False)[source]¶

Get tag statistics from the MISP instance

Parameters:

percentage (bool) – get percentages
name_sort (bool) – sort by name

Return type:

dict[str, Any] | list[dict[str, Any]]

taxonomies(pythonify=False)[source]¶

Get all the taxonomies: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/getTaxonomies

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPTaxonomy] | list[dict[str, Any]]

test_server(server)[source]¶

Test if a sync link is working as expected

Parameters:: server (MISPServer | int | str | UUID) – sync server config
Return type:: dict[str, Any] | list[dict[str, Any]]

toggle_global_pythonify()[source]¶

Toggle the pythonify variable for the class

Return type:: None

toggle_warninglist(warninglist_id=None, warninglist_name=None, force_enable=None)[source]¶

Toggle (enable/disable) the status of a warninglist by id: https://www.misp-project.org/openapi/#tag/Warninglists/operation/toggleEnableWarninglist

Parameters:

warninglist_id (str | int | list[int] | None) – ID of the WarningList
warninglist_name (str | list[str] | None) – name of the WarningList
force_enable (bool | None) – Force the warning list in the enabled state (does nothing if already enabled) - None means toggle.

Return type:

dict[str, Any] | list[dict[str, Any]]

unpublish(event)[source]¶

Unpublish the event with one single HTTP POST: https://www.misp-project.org/openapi/#tag/Events/operation/unpublishEvent

Parameters:: event (MISPEvent | int | str | UUID) – event to unpublish
Return type:: dict[str, Any] | list[dict[str, Any]]

untag(misp_entity, tag)[source]¶

Untag an event or an attribute

Parameters:

misp_entity (AbstractMISP | str | dict[str, Any]) – misp_entity can be a UUID
tag (MISPTag | str) – tag to remove

Return type:

dict[str, Any] | list[dict[str, Any]]

update_attribute(attribute, attribute_id=None, pythonify=False)[source]¶

Update an attribute on a MISP instance: https://www.misp-project.org/openapi/#tag/Attributes/operation/editAttribute

Parameters:

attribute (MISPAttribute) – attribute to update
attribute_id (int | None) – attribute ID to update
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPAttribute | MISPShadowAttribute

update_attribute_proposal(initial_attribute, attribute, pythonify=False)[source]¶

Propose a change for an attribute

Parameters:

initial_attribute (MISPAttribute | int | str | UUID) – attribute to change
attribute (MISPAttribute) – attribute to propose
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

update_decaying_models()[source]¶

Update all the Decaying models

Return type:: dict[str, Any] | list[dict[str, Any]]

update_event(event, event_id=None, pythonify=False, metadata=False)[source]¶

Update an event on a MISP instance: https://www.misp-project.org/openapi/#tag/Events/operation/editEvent

Parameters:

event (MISPEvent) – event to update
event_id (int | None) – ID of event to update
pythonify (bool) – Returns a PyMISP Object instead of the plain json output
metadata (bool) – Return just event metadata after successful update

Return type:

update_event_blocklist(event_blocklist, event_blocklist_id=None, pythonify=False)[source]¶

Update an event in the blocklist

Parameters:

event_blocklist (MISPEventBlocklist) – event block list
event_blocklist_id (int | str | UUID | None) – event block lisd id
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPEventBlocklist

update_event_report(event_report, event_report_id=None, pythonify=False)[source]¶

Update an event report on a MISP instance

Parameters:

event_report (MISPEventReport) – event report to update
event_report_id (int | None) – event report ID to update
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

update_feed(feed, feed_id=None, pythonify=False)[source]¶

Update a feed on a MISP instance

Parameters:

feed (MISPFeed) – feed to update
feed_id (int | None) – feed id
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

update_galaxies()[source]¶

Update all the galaxies: https://www.misp-project.org/openapi/#tag/Galaxies/operation/updateGalaxies

Return type:: dict[str, Any] | list[dict[str, Any]]

update_galaxy_cluster(galaxy_cluster, pythonify=False)[source]¶

Update a custom galaxy cluster: https://www.misp-project.org/openapi/#tag/Galaxy-Clusters/operation/editGalaxyCluster

;param galaxy_cluster: The MISPGalaxyCluster you wish to update :type pythonify: bool :param pythonify: Returns a PyMISP Object instead of the plain json output

Return type:: dict[str, Any] | MISPGalaxyCluster

update_galaxy_cluster_relation(galaxy_cluster_relation)[source]¶

Update a galaxy cluster relation

Parameters:: galaxy_cluster_relation (MISPGalaxyClusterRelation) – The MISPGalaxyClusterRelation to update
Return type:: dict[str, Any] | list[dict[str, Any]]

update_misp()[source]¶

Trigger a server update

Return type:: dict[str, Any] | list[dict[str, Any]]

update_noticelists()[source]¶

Update all the noticelists: https://www.misp-project.org/openapi/#tag/Noticelists/operation/updateNoticelists

Return type:: dict[str, Any] | list[dict[str, Any]]

update_object(misp_object, object_id=None, pythonify=False)[source]¶

Update an object on a MISP instance

Parameters:

misp_object (MISPObject) – object to update
object_id (int | None) – ID of object to update
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

update_object_templates()[source]¶

Trigger an update of the object templates

Return type:: dict[str, Any] | list[dict[str, Any]]

update_organisation(organisation, organisation_id=None, pythonify=False)[source]¶

Update an organisation: https://www.misp-project.org/openapi/#tag/Organisations/operation/editOrganisation

Parameters:

organisation (MISPOrganisation) – organization to update
organisation_id (int | None) – id to update
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

update_organisation_blocklist(organisation_blocklist, organisation_blocklist_id=None, pythonify=False)[source]¶

Update an organisation in the blocklist

Parameters:

organisation_blocklist (MISPOrganisationBlocklist) – organization block list
organisation_blocklist_id (int | str | UUID | None) – organization block lisd id
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

dict[str, Any] | MISPOrganisationBlocklist

update_server(server, server_id=None, pythonify=False)[source]¶

Update a server to synchronise with: https://www.misp-project.org/openapi/#tag/Servers/operation/getServers

Parameters:

server (MISPServer) – sync server config
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

update_sharing_group(sharing_group, sharing_group_id=None, pythonify=False)[source]¶

Update sharing group parameters: https://www.misp-project.org/openapi/#tag/Sharing-Groups/operation/editSharingGroup :rtype: dict[str, Any] | MISPSharingGroup

Parameters:: sharing_group (MISPSharingGroup | dict[str, Any]) – MISP Sharing Group

:param sharing_group_id Sharing group ID :type pythonify: bool :param pythonify: Returns a PyMISP Object instead of the plain json output

update_tag(tag, tag_id=None, pythonify=False)[source]¶

Edit only the provided parameters of a tag: https://www.misp-project.org/openapi/#tag/Tags/operation/editTag

Parameters:

tag (MISPTag) – tag to update
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Aram tag_id:

tag ID to update

Return type:

update_taxonomies()[source]¶

Update all the taxonomies: https://www.misp-project.org/openapi/#tag/Taxonomies/operation/updateTaxonomies

Return type:: dict[str, Any] | list[dict[str, Any]]

update_user(user, user_id=None, pythonify=False)[source]¶

Update a user on a MISP instance: https://www.misp-project.org/openapi/#tag/Users/operation/editUser

Parameters:

user (MISPUser) – user to update
user_id (int | None) – id to update
pythonify (bool) – Returns a PyMISP Object instead of the plain json output

Return type:

update_warninglists()[source]¶

Update all the warninglists: https://www.misp-project.org/openapi/#tag/Warninglists/operation/updateWarninglists

Return type:: dict[str, Any] | list[dict[str, Any]]

upload_stix(path=None, data=None, version='2')[source]¶

Upload a STIX file to MISP.

Parameters:

path (str | Path | BytesIO | StringIO | None) – Path to the STIX on the disk (can be a path-like object, or a pseudofile)
data (str | bytes | None) – stix object
version (str) – Can be 1 or 2

Return type:

Response

user_registrations(pythonify=False)[source]¶

Get all the user registrations

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPInbox] | list[dict[str, Any]]

user_settings(pythonify=False)[source]¶

Get all the user settings: https://www.misp-project.org/openapi/#tag/UserSettings/operation/getUserSettings

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPUserSetting] | list[dict[str, Any]]

users(search=None, organisation=None, pythonify=False)[source]¶

Get all the users, or a filtered set of users: https://www.misp-project.org/openapi/#tag/Users/operation/getUsers

Parameters:

search (str | None) – The search to make against the list of users
organisation (int | None) – The ID of an organisation to filter against
pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM

Return type:

dict[str, Any] | list[MISPUser] | list[dict[str, Any]]

users_statistics(context='data')[source]¶

Get user statistics from the MISP instance

Parameters:: context (str) – one of ‘data’, ‘orgs’, ‘users’, ‘tags’, ‘attributehistogram’, ‘sightings’, ‘galaxyMatrix’
Return type:: dict[str, Any] | list[dict[str, Any]]

values_in_warninglist(value)[source]¶

Check if IOC values are in warninglist

Parameters:: value (Iterable[str]) – iterator with values to check
Return type:: dict[str, Any] | list[dict[str, Any]]

property version: dict[str, Any] | list[dict[str, Any]]¶: Returns the version of PyMISP you’re currently using

warninglists(pythonify=False)[source]¶

Get all the warninglists: https://www.misp-project.org/openapi/#tag/Warninglists/operation/getWarninglists

Parameters:: pythonify (bool) – Returns a list of PyMISP Objects instead of the plain json output. Warning: it might use a lot of RAM
Return type:: dict[str, Any] | list[MISPWarninglist]

MISPAbstract¶

class pymisp.AbstractMISP(**kwargs)[source]¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)[source]¶

Load a JSON string

Return type:: None

jsonable()[source]¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

set_not_jsonable(args)[source]¶

Set __not_jsonable to a new list

Return type:: None

to_dict(json_format=False)[source]¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)[source]¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update_not_jsonable(*args)[source]¶

Add entries to the __not_jsonable list

Return type:: None

MISPEncode¶

class pymisp.MISPEncode(*args, **kwargs)[source]¶

default(obj)[source]¶

Implement this method in a subclass such that it returns a serializable object for o, or calls the base implementation (to raise a TypeError).

For example, to support arbitrary iterators, you could implement default like this:

def default(self, o):
    try:
        iterable = iter(o)
    except TypeError:
        pass
    else:
        return list(iterable)
    # Let the base class default method raise the TypeError
    return JSONEncoder.default(self, o)

Return type:: dict[str, Any] | str

MISPEvent¶

class pymisp.MISPEvent(describe_types=None, strict_validation=False, **kwargs)[source]¶

add_attribute(type, value, **kwargs)[source]¶

Add an attribute. type and value are required but you can pass all other parameters supported by MISPAttribute

Return type:: MISPAttribute | list[MISPAttribute]

add_attribute_tag(tag, attribute_identifier)[source]¶

Add a tag to an existing attribute. Raise an Exception if the attribute doesn’t exist.

Parameters:

tag (MISPTag | str) – Tag name as a string, MISPTag instance, or dictionary
attribute_identifier (str) – can be an ID, UUID, or the value.

Return type:

list[MISPAttribute]

add_event_report(name, content, **kwargs)[source]¶

Add an event report. name and value are requred but you can pass all other parameters supported by MISPEventReport

Return type:: MISPEventReport

add_galaxy(galaxy=None, **kwargs)[source]¶

Add a galaxy and sub-clusters into an event, either by passing a MISPGalaxy or a dictionary. Supports all other parameters supported by MISPGalaxy

Return type:: MISPGalaxy

add_object(obj=None, **kwargs)[source]¶

Add an object to the Event, either by passing a MISPObject, or a dictionary

Return type:: MISPObject

add_proposal(shadow_attribute=None, **kwargs)[source]¶

Alias for add_shadow_attribute

Return type:: MISPShadowAttribute

add_shadow_attribute(shadow_attribute=None, **kwargs)[source]¶

Add a tag to the attribute (by name or a MISPTag object)

Return type:: MISPShadowAttribute

clear() → None. Remove all items from D.¶

delete_attribute(attribute_id)[source]¶

Delete an attribute

Parameters:: attribute_id (str) – ID or UUID
Return type:: None

delete_object(object_id)[source]¶

Delete an object

Parameters:: object_id (str) – ID or UUID
Return type:: None

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

get_attribute_tag(attribute_identifier)[source]¶

Return the tags associated to an attribute or an object attribute.

Parameters:: attribute_identifier (str) – can be an ID, UUID, or the value.
Return type:: list[MISPTag]

get_object_by_id(object_id)[source]¶

Get an object by ID

Parameters:: object_id (str | int) – the ID is the one set by the server when creating the new object
Return type:: MISPObject

get_object_by_uuid(object_uuid)[source]¶

Get an object by UUID

Parameters:: object_uuid (str) – the UUID is set by the server when creating the new object
Return type:: MISPObject

get_objects_by_name(object_name)[source]¶

Get objects by name

Parameters:: object_name (str) – name is set by the server when creating the new object
Return type:: list[MISPObject]

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

load(json_event, validate=False, metadata_only=False)[source]¶

Load a JSON dump from a pseudo file or a JSON string

Return type:: None

load_file(event_path, validate=False, metadata_only=False)[source]¶

Load a JSON dump from a file on the disk

Return type:: None

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

publish()[source]¶

Mark the attribute as published

Return type:: None

set_date(d=None, ignore_invalid=False)[source]¶

Set a date for the event

Parameters:

d (str | int | float | datetime | date | None) – String, datetime, or date object
ignore_invalid (bool) – if True, assigns current date if d is not an expected type

Return type:

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

property tags: list[MISPTag]¶: Returns a list of tags associated to this Event

to_dict(json_format=False)[source]¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_feed(valid_distributions=[0, 1, 2, 3, 4, 5], with_meta=False, with_distribution=False, with_local_tags=True, with_event_reports=True)[source]¶

Generate a json output for MISP Feed.

Parameters:

valid_distributions (list[int]) – only makes sense if the distribution key is set; i.e., the event is exported from a MISP instance.
with_distribution (bool) – exports distribution and Sharing Group info; otherwise all SharingGroup information is discarded (protecting privacy)
with_local_tags (bool) – tag export includes local exportable tags along with global exportable tags
with_event_reports (bool) – include event reports in the returned MISP event

Return type:

dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

unpublish()[source]¶

Mark the attribute as un-published (set publish flag to false)

Return type:: None

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPEventBlocklist¶

class pymisp.MISPEventBlocklist(**kwargs)[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPEventDelegation¶

class pymisp.MISPEventDelegation(**kwargs)[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPAttribute¶

class pymisp.MISPAttribute(describe_types=None, strict=False)[source]¶

add_galaxy(galaxy=None, **kwargs)[source]¶

Add a galaxy to the Attribute, either by passing a MISPGalaxy or a dictionary

Return type:: MISPGalaxy

add_proposal(shadow_attribute=None, **kwargs)[source]¶

Alias for add_shadow_attribute

Return type:: MISPShadowAttribute

add_shadow_attribute(shadow_attribute=None, **kwargs)[source]¶

Add a shadow attribute to the attribute (by name or a MISPShadowAttribute object)

Return type:: MISPShadowAttribute

add_sighting(sighting=None, **kwargs)[source]¶

Add a sighting to the attribute (by name or a MISPSighting object)

Return type:: MISPSighting

clear() → None. Remove all items from D.¶

delete()[source]¶

Mark the attribute as deleted (soft delete)

Return type:: None

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

property galaxies: list[MISPGalaxy]¶: Returns a list of galaxies associated to this Attribute

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

hash_values(algorithm='sha512')[source]¶

Compute the hash of every value for fast lookups

Return type:: list[str]

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

property known_types: list[str]¶: Returns a list of all the known MISP attributes types

property malware_binary: BytesIO | None¶: Returns a BytesIO of the malware, if the attribute has one. Decrypts, unpacks and caches the binary on the first invocation, which may require some time for large attachments (~1s/MB).

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

property tags: list[MISPTag]¶: Returns a list of tags associated to this Attribute

to_dict(json_format=False)[source]¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPObject¶

class pymisp.MISPObject(name, strict=False, standalone=True, default_attributes_parameters={}, **kwargs)[source]¶

add_attribute(object_relation, simple_value=None, **value)[source]¶

Add an attribute. :type object_relation: str :param object_relation: The object relation of the attribute you’re adding to the object :type simple_value: str | int | float | None :param simple_value: The value :type value: :param value: dictionary with all the keys supported by MISPAttribute

Return type:: MISPAttribute | None

Note: as long as PyMISP knows about the object template, only the object_relation and the simple_value are required.: If PyMISP doesn’t know the template, you also must pass a type. All the other options that can be passed along when creating an attribute (comment, IDS flag, …) will be either taked out of the template, or out of the default setting for the type as defined on the MISP instance.

add_attributes(object_relation, *attributes)[source]¶

Add multiple attributes with the same object_relation. Helper for object_relation when multiple is True in the template. It is the same as calling multiple times add_attribute with the same object_relation.

Return type:: list[MISPAttribute | None]

add_reference(referenced_uuid, relationship_type, comment=None, **kwargs)[source]¶

Add a link (uuid) to another object

Return type:: MISPObjectReference

clear() → None. Remove all items from D.¶

delete()[source]¶

Mark the object as deleted (soft delete)

Return type:: None

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

get_attributes_by_relation(object_relation)[source]¶

Returns the list of attributes with the given object relation in the object

Return type:: list[MISPAttribute]

has_attributes_by_relation(list_of_relations)[source]¶

True if all the relations in the list are defined in the object

Return type:: bool

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False, strict=False)[source]¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None, strict=False)[source]¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPObjectAttribute¶

class pymisp.MISPObjectAttribute(definition)[source]¶

add_galaxy(galaxy=None, **kwargs)¶

Add a galaxy to the Attribute, either by passing a MISPGalaxy or a dictionary

Return type:: MISPGalaxy

add_proposal(shadow_attribute=None, **kwargs)¶

Alias for add_shadow_attribute

Return type:: MISPShadowAttribute

add_shadow_attribute(shadow_attribute=None, **kwargs)¶

Add a shadow attribute to the attribute (by name or a MISPShadowAttribute object)

Return type:: MISPShadowAttribute

add_sighting(sighting=None, **kwargs)¶

Add a sighting to the attribute (by name or a MISPSighting object)

Return type:: MISPSighting

clear() → None. Remove all items from D.¶

delete()¶

Mark the attribute as deleted (soft delete)

Return type:: None

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(object_relation, value, **kwargs)[source]¶: Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

from_json(json_string)¶

Load a JSON string

Return type:: None

property galaxies: list[MISPGalaxy]¶: Returns a list of galaxies associated to this Attribute

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

hash_values(algorithm='sha512')¶

Compute the hash of every value for fast lookups

Return type:: list[str]

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

property known_types: list[str]¶: Returns a list of all the known MISP attributes types

property malware_binary: BytesIO | None¶: Returns a BytesIO of the malware, if the attribute has one. Decrypts, unpacks and caches the binary on the first invocation, which may require some time for large attachments (~1s/MB).

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

property tags: list[MISPTag]¶: Returns a list of tags associated to this Attribute

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPObjectReference¶

class pymisp.MISPObjectReference[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPObjectTemplate¶

class pymisp.MISPObjectTemplate(**kwargs)[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPTag¶

class pymisp.MISPTag(**kwargs)[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPUser¶

class pymisp.MISPUser(**kwargs)[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPUserSetting¶

class pymisp.MISPUserSetting(**kwargs)[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPOrganisation¶

class pymisp.MISPOrganisation[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPOrganisationBlocklist¶

class pymisp.MISPOrganisationBlocklist(**kwargs)[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPFeed¶

class pymisp.MISPFeed(**kwargs)[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPInbox¶

class pymisp.MISPInbox(**kwargs)[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPLog¶

class pymisp.MISPLog(**kwargs)[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPNoticelist¶

class pymisp.MISPNoticelist(**kwargs)[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPRole¶

class pymisp.MISPRole(**kwargs)[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPServer¶

class pymisp.MISPServer(**kwargs)[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPShadowAttribute¶

class pymisp.MISPShadowAttribute[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPSharingGroup¶

class pymisp.MISPSharingGroup[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

MISPSighting¶

class pymisp.MISPSighting[source]¶

clear() → None. Remove all items from D.¶

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)[source]¶

Initialize the MISPSighting from a dictionary

Parameters:

value – Value of the attribute the sighting is related too. Pushing this object will update the sighting count of each attribute with this value on the instance.
uuid – UUID of the attribute to update
id – ID of the attriute to update
source – Source of the sighting
type – Type of the sighting
timestamp – Timestamp associated to the sighting

Return type: