pymisp - Tools¶

class pymisp.tools.ASNObject(parameters, strict=True, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.AbstractMISPObjectGenerator(name, strict=False, standalone=True, default_attributes_parameters={}, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.DomainIPObject(parameters, strict=True, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.ELFObject(parsed=None, filepath=None, pseudofile=None, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.ELFSectionObject(section, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.Fail2BanObject(parameters, strict=True, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.FileObject(filepath=None, pseudofile=None, filename=None, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.GenericObjectGenerator(name, strict=False, standalone=True, default_attributes_parameters={}, **kwargs)[source]¶

generate_attributes(attributes)[source]¶

Generates MISPObjectAttributes from a list of dictionaries. Each entry if the list must be in one of the two following formats: * {<object_relation>: <value>} * {<object_relation>: {‘value’=<value>, ‘type’=<type>, <and any other key/value accepted by a MISPAttribute>]}

Return type:: None

Note: Any missing parameter will default to the pre-defined value from the Object template.: If the object template isn’t known by PyMISP, you must pass a type key/value, or it will fail.
Example:: [{‘analysis_submitted_at’: ‘2018-06-15T06:40:27’}, {‘threat_score’: {value=95, to_ids=False}}, {‘permalink’: ‘https://panacea.threatgrid.com/mask/samples/2e445ef5389d8b’}, {‘heuristic_raw_score’: 7.8385159793597}, {‘heuristic_score’: 96}, {‘original_filename’: ‘juice.exe’}, {‘id’: ‘2e445ef5389d8b’}]

class pymisp.tools.GeolocationObject(parameters, strict=True, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.GitVulnFinderObject(parameters, strict=True, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.MachOObject(parsed=None, filepath=None, pseudofile=None, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.MachOSectionObject(section, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.PEObject(parsed=None, filepath=None, pseudofile=None, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.PESectionObject(section, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.SBSignatureObject(software, report, **kwargs)[source]¶

Sandbox Analyzer

generate_attributes()[source]¶

Parse the report for relevant attributes

Return type:: None

class pymisp.tools.SSHAuthorizedKeysObject(authorized_keys_path=None, authorized_keys_pseudofile=None, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.URLObject(url, generate_all=False, **kwargs)[source]¶

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

class pymisp.tools.VTReportObject(apikey, indicator, vt_proxies=None, **kwargs)[source]¶

VirusTotal Report

Apikey:: VirusTotal API key (private works, but only public features are supported right now)
Indicator:: IOC to search VirusTotal for

generate_attributes()[source]¶

Parse the VirusTotal report for relevant attributes

Return type:: None

class pymisp.tools.VehicleObject(country, registration, username, **kwargs)[source]¶

Vehicle object generator out of regcheck.org.uk

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

File Object¶

class pymisp.tools.FileObject(filepath=None, pseudofile=None, filename=None, **kwargs)[source]¶

add_attribute(object_relation, simple_value=None, **value)¶

Add an attribute. :type object_relation: str :param object_relation: The object relation of the attribute you’re adding to the object :type simple_value: str | int | float | None :param simple_value: The value :type value: :param value: dictionary with all the keys supported by MISPAttribute

Return type:: MISPAttribute | None

Note: as long as PyMISP knows about the object template, only the object_relation and the simple_value are required.: If PyMISP doesn’t know the template, you also must pass a type. All the other options that can be passed along when creating an attribute (comment, IDS flag, …) will be either taked out of the template, or out of the default setting for the type as defined on the MISP instance.

add_attributes(object_relation, *attributes)¶

Add multiple attributes with the same object_relation. Helper for object_relation when multiple is True in the template. It is the same as calling multiple times add_attribute with the same object_relation.

Return type:: list[MISPAttribute | None]

add_reference(referenced_uuid, relationship_type, comment=None, **kwargs)¶

Add a link (uuid) to another object

Return type:: MISPObjectReference

clear() → None. Remove all items from D.¶

delete()¶

Mark the object as deleted (soft delete)

Return type:: None

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

get_attributes_by_relation(object_relation)¶

Returns the list of attributes with the given object relation in the object

Return type:: list[MISPAttribute]

has_attributes_by_relation(list_of_relations)¶

True if all the relations in the list are defined in the object

Return type:: bool

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False, strict=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None, strict=False)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

ELF Object¶

class pymisp.tools.ELFObject(parsed=None, filepath=None, pseudofile=None, **kwargs)[source]¶

add_attribute(object_relation, simple_value=None, **value)¶

Add an attribute. :type object_relation: str :param object_relation: The object relation of the attribute you’re adding to the object :type simple_value: str | int | float | None :param simple_value: The value :type value: :param value: dictionary with all the keys supported by MISPAttribute

Return type:: MISPAttribute | None

Note: as long as PyMISP knows about the object template, only the object_relation and the simple_value are required.: If PyMISP doesn’t know the template, you also must pass a type. All the other options that can be passed along when creating an attribute (comment, IDS flag, …) will be either taked out of the template, or out of the default setting for the type as defined on the MISP instance.

add_attributes(object_relation, *attributes)¶

Add multiple attributes with the same object_relation. Helper for object_relation when multiple is True in the template. It is the same as calling multiple times add_attribute with the same object_relation.

Return type:: list[MISPAttribute | None]

add_reference(referenced_uuid, relationship_type, comment=None, **kwargs)¶

Add a link (uuid) to another object

Return type:: MISPObjectReference

clear() → None. Remove all items from D.¶

delete()¶

Mark the object as deleted (soft delete)

Return type:: None

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

get_attributes_by_relation(object_relation)¶

Returns the list of attributes with the given object relation in the object

Return type:: list[MISPAttribute]

has_attributes_by_relation(list_of_relations)¶

True if all the relations in the list are defined in the object

Return type:: bool

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False, strict=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None, strict=False)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

class pymisp.tools.ELFSectionObject(section, **kwargs)[source]¶

add_attribute(object_relation, simple_value=None, **value)¶

Add an attribute. :type object_relation: str :param object_relation: The object relation of the attribute you’re adding to the object :type simple_value: str | int | float | None :param simple_value: The value :type value: :param value: dictionary with all the keys supported by MISPAttribute

Return type:: MISPAttribute | None

Note: as long as PyMISP knows about the object template, only the object_relation and the simple_value are required.: If PyMISP doesn’t know the template, you also must pass a type. All the other options that can be passed along when creating an attribute (comment, IDS flag, …) will be either taked out of the template, or out of the default setting for the type as defined on the MISP instance.

add_attributes(object_relation, *attributes)¶

Add multiple attributes with the same object_relation. Helper for object_relation when multiple is True in the template. It is the same as calling multiple times add_attribute with the same object_relation.

Return type:: list[MISPAttribute | None]

add_reference(referenced_uuid, relationship_type, comment=None, **kwargs)¶

Add a link (uuid) to another object

Return type:: MISPObjectReference

clear() → None. Remove all items from D.¶

delete()¶

Mark the object as deleted (soft delete)

Return type:: None

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

get_attributes_by_relation(object_relation)¶

Returns the list of attributes with the given object relation in the object

Return type:: list[MISPAttribute]

has_attributes_by_relation(list_of_relations)¶

True if all the relations in the list are defined in the object

Return type:: bool

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False, strict=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None, strict=False)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

PE Object¶

class pymisp.tools.PEObject(parsed=None, filepath=None, pseudofile=None, **kwargs)[source]¶

add_attribute(object_relation, simple_value=None, **value)¶

Add an attribute. :type object_relation: str :param object_relation: The object relation of the attribute you’re adding to the object :type simple_value: str | int | float | None :param simple_value: The value :type value: :param value: dictionary with all the keys supported by MISPAttribute

Return type:: MISPAttribute | None

Note: as long as PyMISP knows about the object template, only the object_relation and the simple_value are required.: If PyMISP doesn’t know the template, you also must pass a type. All the other options that can be passed along when creating an attribute (comment, IDS flag, …) will be either taked out of the template, or out of the default setting for the type as defined on the MISP instance.

add_attributes(object_relation, *attributes)¶

Add multiple attributes with the same object_relation. Helper for object_relation when multiple is True in the template. It is the same as calling multiple times add_attribute with the same object_relation.

Return type:: list[MISPAttribute | None]

add_reference(referenced_uuid, relationship_type, comment=None, **kwargs)¶

Add a link (uuid) to another object

Return type:: MISPObjectReference

clear() → None. Remove all items from D.¶

delete()¶

Mark the object as deleted (soft delete)

Return type:: None

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

get_attributes_by_relation(object_relation)¶

Returns the list of attributes with the given object relation in the object

Return type:: list[MISPAttribute]

has_attributes_by_relation(list_of_relations)¶

True if all the relations in the list are defined in the object

Return type:: bool

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False, strict=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None, strict=False)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

class pymisp.tools.PESectionObject(section, **kwargs)[source]¶

add_attribute(object_relation, simple_value=None, **value)¶

Add an attribute. :type object_relation: str :param object_relation: The object relation of the attribute you’re adding to the object :type simple_value: str | int | float | None :param simple_value: The value :type value: :param value: dictionary with all the keys supported by MISPAttribute

Return type:: MISPAttribute | None

Note: as long as PyMISP knows about the object template, only the object_relation and the simple_value are required.: If PyMISP doesn’t know the template, you also must pass a type. All the other options that can be passed along when creating an attribute (comment, IDS flag, …) will be either taked out of the template, or out of the default setting for the type as defined on the MISP instance.

add_attributes(object_relation, *attributes)¶

Add multiple attributes with the same object_relation. Helper for object_relation when multiple is True in the template. It is the same as calling multiple times add_attribute with the same object_relation.

Return type:: list[MISPAttribute | None]

add_reference(referenced_uuid, relationship_type, comment=None, **kwargs)¶

Add a link (uuid) to another object

Return type:: MISPObjectReference

clear() → None. Remove all items from D.¶

delete()¶

Mark the object as deleted (soft delete)

Return type:: None

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

get_attributes_by_relation(object_relation)¶

Returns the list of attributes with the given object relation in the object

Return type:: list[MISPAttribute]

has_attributes_by_relation(list_of_relations)¶

True if all the relations in the list are defined in the object

Return type:: bool

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False, strict=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None, strict=False)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

Mach-O Object¶

class pymisp.tools.MachOObject(parsed=None, filepath=None, pseudofile=None, **kwargs)[source]¶

add_attribute(object_relation, simple_value=None, **value)¶

Add an attribute. :type object_relation: str :param object_relation: The object relation of the attribute you’re adding to the object :type simple_value: str | int | float | None :param simple_value: The value :type value: :param value: dictionary with all the keys supported by MISPAttribute

Return type:: MISPAttribute | None

Note: as long as PyMISP knows about the object template, only the object_relation and the simple_value are required.: If PyMISP doesn’t know the template, you also must pass a type. All the other options that can be passed along when creating an attribute (comment, IDS flag, …) will be either taked out of the template, or out of the default setting for the type as defined on the MISP instance.

add_attributes(object_relation, *attributes)¶

Add multiple attributes with the same object_relation. Helper for object_relation when multiple is True in the template. It is the same as calling multiple times add_attribute with the same object_relation.

Return type:: list[MISPAttribute | None]

add_reference(referenced_uuid, relationship_type, comment=None, **kwargs)¶

Add a link (uuid) to another object

Return type:: MISPObjectReference

clear() → None. Remove all items from D.¶

delete()¶

Mark the object as deleted (soft delete)

Return type:: None

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

get_attributes_by_relation(object_relation)¶

Returns the list of attributes with the given object relation in the object

Return type:: list[MISPAttribute]

has_attributes_by_relation(list_of_relations)¶

True if all the relations in the list are defined in the object

Return type:: bool

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False, strict=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None, strict=False)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

class pymisp.tools.MachOSectionObject(section, **kwargs)[source]¶

add_attribute(object_relation, simple_value=None, **value)¶

Add an attribute. :type object_relation: str :param object_relation: The object relation of the attribute you’re adding to the object :type simple_value: str | int | float | None :param simple_value: The value :type value: :param value: dictionary with all the keys supported by MISPAttribute

Return type:: MISPAttribute | None

Note: as long as PyMISP knows about the object template, only the object_relation and the simple_value are required.: If PyMISP doesn’t know the template, you also must pass a type. All the other options that can be passed along when creating an attribute (comment, IDS flag, …) will be either taked out of the template, or out of the default setting for the type as defined on the MISP instance.

add_attributes(object_relation, *attributes)¶

Add multiple attributes with the same object_relation. Helper for object_relation when multiple is True in the template. It is the same as calling multiple times add_attribute with the same object_relation.

Return type:: list[MISPAttribute | None]

add_reference(referenced_uuid, relationship_type, comment=None, **kwargs)¶

Add a link (uuid) to another object

Return type:: MISPObjectReference

clear() → None. Remove all items from D.¶

delete()¶

Mark the object as deleted (soft delete)

Return type:: None

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

generate_attributes()[source]¶

Contains the logic where all the values of the object are gathered

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

get_attributes_by_relation(object_relation)¶

Returns the list of attributes with the given object relation in the object

Return type:: list[MISPAttribute]

has_attributes_by_relation(list_of_relations)¶

True if all the relations in the list are defined in the object

Return type:: bool

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False, strict=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None, strict=False)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

VT Report Object¶

class pymisp.tools.VTReportObject(apikey, indicator, vt_proxies=None, **kwargs)[source]¶

VirusTotal Report

Apikey:: VirusTotal API key (private works, but only public features are supported right now)
Indicator:: IOC to search VirusTotal for

add_attribute(object_relation, simple_value=None, **value)¶

Add an attribute. :type object_relation: str :param object_relation: The object relation of the attribute you’re adding to the object :type simple_value: str | int | float | None :param simple_value: The value :type value: :param value: dictionary with all the keys supported by MISPAttribute

Return type:: MISPAttribute | None

Note: as long as PyMISP knows about the object template, only the object_relation and the simple_value are required.: If PyMISP doesn’t know the template, you also must pass a type. All the other options that can be passed along when creating an attribute (comment, IDS flag, …) will be either taked out of the template, or out of the default setting for the type as defined on the MISP instance.

add_attributes(object_relation, *attributes)¶

Add multiple attributes with the same object_relation. Helper for object_relation when multiple is True in the template. It is the same as calling multiple times add_attribute with the same object_relation.

Return type:: list[MISPAttribute | None]

add_reference(referenced_uuid, relationship_type, comment=None, **kwargs)¶

Add a link (uuid) to another object

Return type:: MISPObjectReference

clear() → None. Remove all items from D.¶

delete()¶

Mark the object as deleted (soft delete)

Return type:: None

property edited: bool¶: Recursively check if an object has been edited and update the flag accordingly to the parent objects

from_dict(**kwargs)¶

Loading all the parameters as class properties, if they aren’t None. This method aims to be called when all the properties requiring a special treatment are processed. Note: This method is used when you initialize an object with existing data so by default, the class is flaged as not edited.

Return type:: None

from_json(json_string)¶

Load a JSON string

Return type:: None

generate_attributes()[source]¶

Parse the VirusTotal report for relevant attributes

Return type:: None

get(k[, d]) → D[k] if k in D, else d. d defaults to None.¶

get_attributes_by_relation(object_relation)¶

Returns the list of attributes with the given object relation in the object

Return type:: list[MISPAttribute]

has_attributes_by_relation(list_of_relations)¶

True if all the relations in the list are defined in the object

Return type:: bool

items() → a set-like object providing a view on D's items¶

jsonable()¶

This method is used by the JSON encoder

Return type:: dict[str, Any]

keys() → a set-like object providing a view on D's keys¶

pop(k[, d]) → v, remove specified key and return the corresponding value.¶: If key is not found, d is returned if given, otherwise KeyError is raised.

popitem() → (k, v), remove and return some (key, value) pair¶: as a 2-tuple; but raise KeyError if D is empty.

set_not_jsonable(args)¶

Set __not_jsonable to a new list

Return type:: None

setdefault(k[, d]) → D.get(k,d), also set D[k]=d if k not in D¶

to_dict(json_format=False, strict=False)¶

Dump the class to a dictionary. This method automatically removes the timestamp recursively in every object that has been edited is order to let MISP update the event accordingly.

Return type:: dict[str, Any]

to_json(sort_keys=False, indent=None, strict=False)¶

Dump recursively any class of type MISPAbstract to a json string

Return type:: str

update([E, ]**F) → None. Update D from mapping/iterable E and F.¶: If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method, does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v

update_not_jsonable(*args)¶

Add entries to the __not_jsonable list

Return type:: None

values() → an object providing a view on D's values¶

STIX¶

OpenIOC¶

tools.load_openioc()¶

tools.load_openioc_file()¶

pymisp - Tools¶

File Object¶

ELF Object¶

PE Object¶

Mach-O Object¶

VT Report Object¶

STIX¶

OpenIOC¶

PyMISP

Navigation

Related Topics