Notebook trainer cheatsheet: API and CLI

  • Automation page
  • Recovering the API key (Automation page, User page, RestClient)

Important notice

This notebook shows various uses of the MISP REST API.

It should be noted that PyMISP is not required to use the MISP REST API. We use PyMISP only to parse the response and inspect the data, so any HTTP client such as curl could do the job, as described below.

This command:

misp_url = URL + '/events/add'
relative_path = ''

body = {
    "info": "Event"
}

misp = ExpandedPyMISP(misp_url, AUTHKEY, False)
res = misp.direct_call(relative_path, body)
print_result(res)

Will yield the same result as this command:

!curl \
 -d '{"info": "Event"}' \
 -H "Authorization: _YOUR_AUTHENTICATION_KEY_" \
 -H "Accept: application/json" \
 -H "Content-type: application/json" \
 -X POST 127.0.0.1:8080/events/add
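To make that point concrete, here is the same call made with only the Python standard library. This is an added example, not part of the original notebook: the host and key are placeholders, and `cafile` is a parameter this example introduces for instances with a private CA.

```python
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urljoin


def build_misp_request(base_url, authkey, path, body=None):
    """Build the request MISP expects: the API key in Authorization plus the
    two JSON headers the curl command sends. A body makes it a POST, no body
    a GET."""
    headers = {
        "Authorization": authkey,
        "Accept": "application/json",
        "Content-type": "application/json",
    }
    data = json.dumps(body).encode() if body is not None else None
    return urllib.request.Request(urljoin(base_url, path), data=data, headers=headers)


def misp_rest_call(base_url, authkey, path, body=None, cafile=None, timeout=30):
    """Send the call and return (status, decoded JSON body).

    Certificate verification stays enabled; for an instance with a private CA,
    pass its bundle as cafile rather than disabling verification the way the
    notebook does with PyMISP(URL, AUTHKEY, False)."""
    context = ssl.create_default_context(cafile=cafile)
    request = build_misp_request(base_url, authkey, path, body)
    try:
        with urllib.request.urlopen(request, context=context, timeout=timeout) as response:
            return response.status, json.loads(response.read())
    except urllib.error.HTTPError as exc:
        # MISP answers error statuses with a JSON document as well, so hand it
        # back together with the status instead of raising.
        raw = exc.read()
        try:
            return exc.code, json.loads(raw)
        except ValueError:
            return exc.code, {"raw": raw.decode(errors="replace")}


# Usage (placeholder host and key, body from the curl command above):
# status, reply = misp_rest_call("https://misp.example.invalid/",
#                                "_YOUR_AUTHENTICATION_KEY_",
#                                "/events/add", {"info": "Event"})
```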
In [2]:
from pymisp import PyMISP
from pprint import pprint
AUTHKEY = "_YOUR_AUTHENTICATION_KEY_"
URL = "https://training6.misp-community.org/"
import urllib3
urllib3.disable_warnings()
misp = PyMISP(URL, AUTHKEY, False)  # third argument is ssl=False: certificate verification is off for the training instance

def print_result(result):
    """Print a short count line when one can be derived, then the full response."""
    flag_printed = False
    if isinstance(result, list):
        # A list of events (e.g. from restSearch): count them and their attributes
        print("Count: %s" % len(result))
        flag_printed = True
        for i in result:
            if 'Event' in i and 'Attribute' in i['Event']:
                print("  - Attribute count: %s" % len(i['Event']['Attribute']))
    elif isinstance(result, dict):
        if 'Attribute' in result:
            # Note: when the response holds a single attribute dict (e.g. /attributes/add),
            # this counts the keys of that dict, not attributes
            print("Count: %s" % len(result['Attribute']))
            flag_printed = True
        elif 'Event' in result and 'Attribute' in result['Event']:
            print("Attribute count: %s" % len(result['Event']['Attribute']))
            flag_printed = True
    if flag_printed:
        print('----------')
    pprint(result)

Events

Creation and editing

In [3]:
# Creation
endpoint = '/events/add'

body = {
    "info": "Event created via the API as an example",
    "threat_level_id": 1,
    "distribution": 0
}

res = misp.direct_call(endpoint, body)
print_result(res)
Attribute count: 0
----------
{'Event': {'Attribute': [],
           'CryptographicKey': [],
           'EventReport': [],
           'Galaxy': [],
           'Object': [],
           'Org': {'id': '13',
                   'local': True,
                   'name': 'CIRCL',
                   'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'Orgc': {'id': '13',
                    'local': True,
                    'name': 'CIRCL',
                    'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'RelatedEvent': [],
           'ShadowAttribute': [],
           'analysis': '0',
           'attribute_count': '0',
           'date': '2025-01-15',
           'disable_correlation': False,
           'distribution': '0',
           'event_creator_email': 'christian.studer@circl.lu',
           'extends_uuid': '',
           'id': '59',
           'info': 'Event created via the API as an example',
           'locked': False,
           'org_id': '13',
           'orgc_id': '13',
           'proposal_email_lock': False,
           'protected': None,
           'publish_timestamp': '0',
           'published': False,
           'sharing_group_id': '0',
           'threat_level_id': '1',
           'timestamp': '1736934586',
           'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'}}
In [5]:
# Edit 1: change the distribution
endpoint = '/events/edit/'
relative_path = '59'

body = {
    "distribution": 3,
#     "sharing_group_id": 1
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Attribute count: 0
----------
{'Event': {'Attribute': [],
           'CryptographicKey': [],
           'EventReport': [],
           'Galaxy': [],
           'Object': [],
           'Org': {'id': '13',
                   'local': True,
                   'name': 'CIRCL',
                   'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'Orgc': {'id': '13',
                    'local': True,
                    'name': 'CIRCL',
                    'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'RelatedEvent': [],
           'ShadowAttribute': [],
           'analysis': '0',
           'attribute_count': '0',
           'date': '2025-01-15',
           'disable_correlation': False,
           'distribution': '3',
           'event_creator_email': 'christian.studer@circl.lu',
           'extends_uuid': '',
           'id': '59',
           'info': 'Event created via the API as an example',
           'locked': False,
           'org_id': '13',
           'orgc_id': '13',
           'proposal_email_lock': False,
           'protected': None,
           'publish_timestamp': '0',
           'published': False,
           'sharing_group_id': '0',
           'threat_level_id': '1',
           'timestamp': '1736934624',
           'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'}}
In [6]:
# Edit 2: adding an attribute
endpoint = '/events/edit/'

body = {
    "distribution": 0,
    "Attribute": [
        {
            "value": "9.9.9.9",
            "type": "ip-src"
        }
    ]
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Attribute count: 1
----------
{'Event': {'Attribute': [{'Galaxy': [],
                          'ShadowAttribute': [],
                          'category': 'Network activity',
                          'comment': '',
                          'deleted': False,
                          'disable_correlation': False,
                          'distribution': '5',
                          'event_id': '59',
                          'first_seen': None,
                          'id': '203181',
                          'last_seen': None,
                          'object_id': '0',
                          'object_relation': None,
                          'sharing_group_id': '0',
                          'timestamp': '1736934649',
                          'to_ids': True,
                          'type': 'ip-src',
                          'uuid': '08a84483-5796-42b5-aa6b-d4bed7dabb19',
                          'value': '9.9.9.9'}],
           'CryptographicKey': [],
           'EventReport': [],
           'Galaxy': [],
           'Object': [],
           'Org': {'id': '13',
                   'local': True,
                   'name': 'CIRCL',
                   'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'Orgc': {'id': '13',
                    'local': True,
                    'name': 'CIRCL',
                    'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'RelatedEvent': [],
           'ShadowAttribute': [],
           'analysis': '0',
           'attribute_count': '1',
           'date': '2025-01-15',
           'disable_correlation': False,
           'distribution': '0',
           'event_creator_email': 'christian.studer@circl.lu',
           'extends_uuid': '',
           'id': '59',
           'info': 'Event created via the API as an example',
           'locked': False,
           'org_id': '13',
           'orgc_id': '13',
           'proposal_email_lock': False,
           'protected': None,
           'publish_timestamp': '0',
           'published': False,
           'sharing_group_id': '0',
           'threat_level_id': '1',
           'timestamp': '1736934649',
           'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'}}
In [8]:
# Edit 3 (tagging 1): attach a tag to an object by UUID
endpoint = '/tags/attachTagToObject'

body = {
    "uuid": "08a84483-5796-42b5-aa6b-d4bed7dabb19", # UUID of the target: can be an event or an attribute
    "tag": "tlp:red"
}

res = misp.direct_call(endpoint, body)
print_result(res)
{'message': 'Global tag tlp:red(22) successfully attached to '
            'Attribute(203181).',
 'name': 'Global tag tlp:red(22) successfully attached to Attribute(203181).',
 'saved': True,
 'success': True,
 'url': '/tags/attachTagToObject'}

Attributes

Creation and editing

In [9]:
event_id = 59
In [10]:
# Adding
endpoint = '/attributes/add/'
relative_path = str(event_id)

body = {
    "value": "8.8.8.9",
    "type": "ip-dst"
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Count: 19
----------
{'Attribute': {'category': 'Network activity',
               'comment': '',
               'deleted': False,
               'disable_correlation': False,
               'distribution': '5',
               'event_id': '59',
               'first_seen': None,
               'id': '203182',
               'last_seen': None,
               'object_id': '0',
               'object_relation': None,
               'sharing_group_id': '0',
               'timestamp': '1736934817',
               'to_ids': True,
               'type': 'ip-dst',
               'uuid': 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5',
               'value': '8.8.8.9',
               'value1': '8.8.8.9',
               'value2': ''},
 'AttributeTag': []}
In [11]:
# Adding an attribute whose value does not match its type (md5 expects 32 hexadecimal characters)
endpoint = '/attributes/add/'
relative_path = str(event_id)

body = {
    "value": "8.8.8.9",
    "type": "md5"
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Something went wrong (403): {'saved': False, 'name': 'Could not add Attribute', 'message': 'Could not add Attribute', 'url': '/attributes/add', 'errors': {'value': ['Checksum has an invalid length or format (expected: 32 hexadecimal characters). Please double check the value or select type "other".']}}
{'errors': (403,
            {'errors': {'value': ['Checksum has an invalid length or format '
                                  '(expected: 32 hexadecimal characters). '
                                  'Please double check the value or select '
                                  'type "other".']},
             'message': 'Could not add Attribute',
             'name': 'Could not add Attribute',
             'saved': False,
             'url': '/attributes/add'})}
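A local pre-check for the attribute body and a reader for that error shape, as an added example that is not from the notebook: `validate_attribute`, `unpack_direct_call_error` and `add_attribute_checked` are helpers introduced here, `SAMPLE_ERROR` is constructed from the 403 above, and the hash lengths other than md5 are this example's own assumption.

```python
import ipaddress
import re

# Checksum types checked by length; md5 with 32 hex characters is the case the
# server rejected above. The other lengths are this example's assumption.
CHECKSUM_HEX_LENGTH = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
IP_TYPES = {"ip-src", "ip-dst"}


def validate_attribute(attr):
    """Return a list of problems with an attribute body; empty means it passes
    the checks here (the server still has the final say)."""
    problems = []
    atype = attr.get("type")
    value = str(attr.get("value", "")).strip()
    if atype is None:
        problems.append("missing 'type'")
    elif not value:
        problems.append(f"{atype}: empty value")
    elif atype in CHECKSUM_HEX_LENGTH:
        n = CHECKSUM_HEX_LENGTH[atype]
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % n, value):
            problems.append(f"{atype}: expected {n} hexadecimal characters, got {value!r}")
    elif atype in IP_TYPES:
        try:
            ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{atype}: {value!r} is not an IP address")
    return problems


def unpack_direct_call_error(res):
    """direct_call() hands a non-2xx reply back as {'errors': (status, payload)}
    instead of raising. Return (status, message, {field: [messages]}), or None
    when the response is a normal result."""
    if not isinstance(res, dict) or "errors" not in res:
        return None
    status, payload = res["errors"]
    if not isinstance(payload, dict):
        return status, str(payload), {}
    return status, payload.get("message", ""), payload.get("errors", {})


def add_attribute_checked(misp, event_id, attr):
    """Validate locally, then post with direct_call() as the notebook does.
    Return (ok, details)."""
    problems = validate_attribute(attr)
    if problems:
        return False, {"status": None, "message": "rejected locally", "fields": {"value": problems}}
    res = misp.direct_call(f"/attributes/add/{event_id}", attr)
    err = unpack_direct_call_error(res)
    if err:
        status, message, fields = err
        return False, {"status": status, "message": message, "fields": fields}
    return True, res


# Constructed sample mirroring the 403 the notebook got for an md5 of "8.8.8.9".
SAMPLE_ERROR = {"errors": (403, {
    "saved": False, "name": "Could not add Attribute",
    "message": "Could not add Attribute", "url": "/attributes/add",
    "errors": {"value": ["Checksum has an invalid length or format (expected: 32 "
                         "hexadecimal characters). Please double check the value "
                         "or select type \"other\"."]}})}
```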
In [12]:
# Editing
endpoint = '/attributes/edit/' # /attributes/edit/[attribute_id]
relative_path = '203182'

body = {
    "value": "127.0.0.1",
    "to_ids": 0,
    "comment": "Comment added via the API",
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Count: 17
----------
{'Attribute': {'category': 'Network activity',
               'comment': 'Comment added via the API',
               'deleted': False,
               'disable_correlation': False,
               'distribution': '5',
               'event_id': '59',
               'first_seen': None,
               'id': '203182',
               'last_seen': None,
               'object_id': '0',
               'object_relation': None,
               'sharing_group_id': '0',
               'timestamp': '1736934896',
               'to_ids': False,
               'type': 'ip-dst',
               'uuid': 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5',
               'value': '127.0.0.1'}}
In [13]:
# Editing with a full attribute dict copied from a JSON view: the id, uuid and event_id
# below belong to a different attribute and are ignored; the attribute named in the URL is edited.
# <!> (timestamp) contrast this with the behaviour of *PyMISP*
endpoint = '/attributes/edit/'
relative_path = '203182'

body = {
                "id": "56143",
                "type": "ip-dst",
                "category": "Network activity",
                "to_ids": False,
                "uuid": "8153fcad-cd37-45d9-a1d1-a509942116f8",
                "event_id": "126",
                "distribution": "5",
                "comment": "Comment added via the API",
                "sharing_group_id": "0",
                "deleted": False,
                "disable_correlation": False,
                "object_id": "0",
                "object_relation": None,
                "first_seen": None,
                "last_seen": None,
                "value": "127.1.1.1",
                "Galaxy": [],
                "ShadowAttribute": []
            }

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Count: 17
----------
{'Attribute': {'category': 'Network activity',
               'comment': 'Comment added via the API',
               'deleted': False,
               'disable_correlation': False,
               'distribution': '5',
               'event_id': '59',
               'first_seen': None,
               'id': '203182',
               'last_seen': None,
               'object_id': '0',
               'object_relation': None,
               'sharing_group_id': '0',
               'timestamp': '1736934979',
               'to_ids': False,
               'type': 'ip-dst',
               'uuid': 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5',
               'value': '127.1.1.1'}}

Objects

In [14]:
endpoint = '/objects/add/'
relative_path = str(event_id)

body = {
    "name": "microblog",
    "meta-category": "misc",
    "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
    "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
    "template_version": "5",
    "event_id": event_id,
    "timestamp": "1558702173",
    "distribution": "5",
    "sharing_group_id": "0",
    "comment": "",
    "deleted": False,
    "ObjectReference": [],
    "Attribute": [
        {
            "type": "text",
            "category": "Other",
            "to_ids": False,
            "event_id": event_id,
            "distribution": "5",
            "timestamp": "1558702173",
            "comment": "",
            "sharing_group_id": "0",
            "deleted": False,
            "disable_correlation": False,
            "object_relation": "post",
            "value": "post",
            "Galaxy": [],
            "ShadowAttribute": []
        }
    ]
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
{'Object': {'Attribute': [{'category': 'Other',
                           'comment': '',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '5',
                           'event_id': '59',
                           'first_seen': None,
                           'id': '203183',
                           'last_seen': None,
                           'object_id': '26193',
                           'object_relation': 'post',
                           'sharing_group_id': '0',
                           'timestamp': '1558702173',
                           'to_ids': False,
                           'type': 'text',
                           'uuid': 'c057a453-76ec-4406-81d6-b99e789b4c98',
                           'value': 'post',
                           'value1': 'post',
                           'value2': ''}],
            'comment': '',
            'deleted': False,
            'description': 'Microblog post like a Twitter tweet or a post on a '
                           'Facebook wall.',
            'distribution': '5',
            'event_id': '59',
            'first_seen': None,
            'id': '26193',
            'last_seen': None,
            'meta-category': 'misc',
            'name': 'microblog',
            'sharing_group_id': '0',
            'template_uuid': '8ec8c911-ddbe-4f5b-895b-fbff70c42a60',
            'template_version': '5',
            'timestamp': '1558702173',
            'uuid': '7e681dd6-69ab-4573-bdf2-99c4bd5b6af8'}}
In [15]:
# Edit 4 (tagging 2): attach a tag to the event through /events/edit
endpoint = '/events/edit/'
relative_path = str(event_id)

body = {
    "distribution": 0,
    "Tag": [
         {"name":"tlp:green"}
    ]
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Attribute count: 2
----------
{'Event': {'Attribute': [{'Galaxy': [],
                          'ShadowAttribute': [],
                          'Tag': [{'colour': '#FF2B2B',
                                   'exportable': True,
                                   'hide_tag': False,
                                   'id': '22',
                                   'is_custom_galaxy': False,
                                   'is_galaxy': False,
                                   'local': False,
                                   'local_only': False,
                                   'name': 'tlp:red',
                                   'numerical_value': None,
                                   'relationship_type': None,
                                   'user_id': '0'}],
                          'category': 'Network activity',
                          'comment': '',
                          'deleted': False,
                          'disable_correlation': False,
                          'distribution': '5',
                          'event_id': '59',
                          'first_seen': None,
                          'id': '203181',
                          'last_seen': None,
                          'object_id': '0',
                          'object_relation': None,
                          'sharing_group_id': '0',
                          'timestamp': '1736934788',
                          'to_ids': True,
                          'type': 'ip-src',
                          'uuid': '08a84483-5796-42b5-aa6b-d4bed7dabb19',
                          'value': '9.9.9.9'},
                         {'Galaxy': [],
                          'ShadowAttribute': [],
                          'category': 'Network activity',
                          'comment': 'Comment added via the API',
                          'deleted': False,
                          'disable_correlation': False,
                          'distribution': '5',
                          'event_id': '59',
                          'first_seen': None,
                          'id': '203182',
                          'last_seen': None,
                          'object_id': '0',
                          'object_relation': None,
                          'sharing_group_id': '0',
                          'timestamp': '1736934979',
                          'to_ids': False,
                          'type': 'ip-dst',
                          'uuid': 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5',
                          'value': '127.1.1.1'}],
           'CryptographicKey': [],
           'EventReport': [],
           'Galaxy': [],
           'Object': [{'Attribute': [{'Galaxy': [],
                                      'ShadowAttribute': [],
                                      'category': 'Other',
                                      'comment': '',
                                      'deleted': False,
                                      'disable_correlation': False,
                                      'distribution': '5',
                                      'event_id': '59',
                                      'first_seen': None,
                                      'id': '203183',
                                      'last_seen': None,
                                      'object_id': '26193',
                                      'object_relation': 'post',
                                      'sharing_group_id': '0',
                                      'timestamp': '1558702173',
                                      'to_ids': False,
                                      'type': 'text',
                                      'uuid': 'c057a453-76ec-4406-81d6-b99e789b4c98',
                                      'value': 'post'}],
                       'ObjectReference': [],
                       'comment': '',
                       'deleted': False,
                       'description': 'Microblog post like a Twitter tweet or '
                                      'a post on a Facebook wall.',
                       'distribution': '5',
                       'event_id': '59',
                       'first_seen': None,
                       'id': '26193',
                       'last_seen': None,
                       'meta-category': 'misc',
                       'name': 'microblog',
                       'sharing_group_id': '0',
                       'template_uuid': '8ec8c911-ddbe-4f5b-895b-fbff70c42a60',
                       'template_version': '5',
                       'timestamp': '1558702173',
                       'uuid': '7e681dd6-69ab-4573-bdf2-99c4bd5b6af8'}],
           'Org': {'id': '13',
                   'local': True,
                   'name': 'CIRCL',
                   'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'Orgc': {'id': '13',
                    'local': True,
                    'name': 'CIRCL',
                    'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'RelatedEvent': [{'Event': {'Org': {'id': '8',
                                               'name': 'ORG_6',
                                               'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
                                       'Orgc': {'id': '8',
                                                'name': 'ORG_6',
                                                'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
                                       'analysis': '0',
                                       'date': '2024-10-04',
                                       'distribution': '0',
                                       'id': '31',
                                       'info': 'Event created via the API as '
                                               'an example',
                                       'org_id': '8',
                                       'orgc_id': '8',
                                       'published': True,
                                       'threat_level_id': '1',
                                       'timestamp': '1728029364',
                                       'uuid': 'dcb2fde7-d53f-47c8-b71d-6731819593d2'}}],
           'ShadowAttribute': [],
           'Tag': [{'colour': '#33FF00',
                    'exportable': True,
                    'hide_tag': False,
                    'id': '16',
                    'is_custom_galaxy': False,
                    'is_galaxy': False,
                    'local': False,
                    'local_only': False,
                    'name': 'tlp:green',
                    'numerical_value': None,
                    'relationship_type': None,
                    'user_id': '0'}],
           'analysis': '0',
           'attribute_count': '3',
           'date': '2025-01-15',
           'disable_correlation': False,
           'distribution': '0',
           'event_creator_email': 'christian.studer@circl.lu',
           'extends_uuid': '',
           'id': '59',
           'info': 'Event created via the API as an example',
           'locked': False,
           'org_id': '13',
           'orgc_id': '13',
           'proposal_email_lock': False,
           'protected': None,
           'publish_timestamp': '0',
           'published': False,
           'sharing_group_id': '0',
           'threat_level_id': '1',
           'timestamp': '1736935009',
           'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'}}

Event reports

In [16]:
endpoint = '/eventReports/add/'
relative_path = str(event_id)

body = {
    "name": "Report from API",
    "distribution": 5,
    "sharing_group_id": 0,
    "content": "@[attribute](bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5)"
}

res = misp.direct_call(endpoint + relative_path, body)
event_report_id = res['EventReport']['id']

print_result(res)
{'Event': {'Org': {'id': '13', 'name': 'CIRCL'},
           'Orgc': {'id': '13', 'name': 'CIRCL'},
           'date': '2025-01-15',
           'id': '59',
           'info': 'Event created via the API as an example',
           'org_id': '13',
           'orgc_id': '13',
           'user_id': '154'},
 'EventReport': {'content': 'Body',
                 'deleted': False,
                 'distribution': '5',
                 'event_id': '59',
                 'id': '15',
                 'name': 'Report from API',
                 'sharing_group_id': '0',
                 'timestamp': '1736935032',
                 'uuid': 'b07e0eef-137b-4ccc-b41f-41ddf96b36f7'},
 'SharingGroup': {'id': None, 'name': None, 'uuid': None}}
In [17]:
# Download HTML, convert it into markdown then save it as Event Report.
endpoint = '/eventReports/importReportFromUrl/'
relative_path = str(event_id)

body = {
    "url": "https://www.circl.lu/pub/tr-84/"
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
{'Event': {'Org': {'id': '13', 'name': 'CIRCL'},
           'Orgc': {'id': '13', 'name': 'CIRCL'},
           'date': '2025-01-15',
           'id': '59',
           'info': 'Event created via the API as an example',
           'org_id': '13',
           'orgc_id': '13',
           'user_id': '154'},
 'EventReport': {'content': '\n'
                            '# TR-84 - PAN-OS (Palo Alto Networks) OS Command '
                            'Injection Vulnerability in GlobalProtect Gateway '
                            '- CVE-2024-3400\n'
                            '\n'
                            '\n'
                            '\n'
                            '### TR-84 - PAN-OS (Palo Alto Networks) OS '
                            'Command Injection Vulnerability in GlobalProtect '
                            'Gateway - CVE-2024-3400\n'
                            '\n'
                            'â\x86\x91 Back to Publications and Presentations\n'
                            '\n'
                            '1. Fixes\n'
                            '2. Detection\n'
                            '3. Known affected software\n'
                            '4. References\n'
                            '5. Classification of this document\n'
                            '6. Revision\n'
                            '\n'
                            'You can report incidents via our official contact '
                            'including e-mail, phone\n'
                            'or use the Anonymous reporting form.\n'
                            '\n'
                            '\n'
                            'Search\n'
                            '\n'
                            '\n'
                            '\n'
                            '  \n'
                            '\n'
                            '\n'
                            '\n'
                            '\n'
                            '\n'
                            '\n'
                            'A command injection vulnerability in the '
                            'GlobalProtect feature of Palo Alto Networks '
                            'PAN-OS software for specific PAN-OS versions and '
                            'distinct feature configurations may enable an '
                            'unauthenticated attacker to execute arbitrary '
                            'code with root privileges on the firewall. Fixes '
                            'for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are '
                            'in development and are expected to be released by '
                            'April 14, 2024. Cloud NGFW, Panorama appliances, '
                            'and Prisma Access are not impacted by this '
                            'vulnerability. All other versions of PAN-OS are '
                            'also not impacted.\n'
                            '\n'
                            'The vulnerability is currently exploited in the '
                            'wild as mentioned by Volexity and itâ\x80\x99s '
                            'referenced as CVE-2024-3400.\n'
                            '\n'
                            '## Fixes\n'
                            '\n'
                            'This issue is fixed in hotfix releases of PAN-OS '
                            '10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, '
                            'and in all later PAN-OS versions. Hotfixes for '
                            'other commonly deployed maintenance releases will '
                            'also be made available to address this issue. '
                            'Please see details below for ETAs regarding the '
                            'upcoming hotfixes.\n'
                            '\n'
                            '```\n'
                            'PAN-OS 10.2:\n'
                            '- 10.2.9-h1 (Released 4/14/24)\n'
                            '- 10.2.8-h3 (ETA: 4/15/24)\n'
                            '- 10.2.7-h8 (ETA: 4/15/24)\n'
                            '- 10.2.6-h3 (ETA: 4/15/24)\n'
                            '- 10.2.5-h6 (ETA: 4/16/24)\n'
                            '- 10.2.3-h13 (ETA: 4/17/24)\n'
                            '- 10.2.1-h2 (ETA: 4/17/24)\n'
                            '- 10.2.2-h5 (ETA: 4/18/24)\n'
                            '- 10.2.0-h3 (ETA: 4/18/24)\n'
                            '- 10.2.4-h16 (ETA: 4/19/24)\n'
                            '\n'
                            'PAN-OS 11.0:\n'
                            '- 11.0.4-h1 (Released 4/14/24)\n'
                            '- 11.0.3-h10 (ETA: 4/15/24)\n'
                            '- 11.0.2-h4 (ETA: 4/16/24)\n'
                            '- 11.0.1-h4 (ETA: 4/17/24)\n'
                            '- 11.0.0-h3 (ETA: 4/18/24)\n'
                            '\n'
                            'PAN-OS 11.1:\n'
                            '- 11.1.2-h3 (Released 4/14/24)\n'
                            '- 11.1.1-h1 (ETA: 4/16/24)\n'
                            '- 11.1.0-h3 (ETA: 4/17/24)\n'
                            '\n'
                            '```\n'
                            '\n'
                            '**As of April 16th, the previously suggested '
                            'workarounds have been confirmed ineffective. We '
                            'recommend initiating an incident response '
                            'procedure in all cases.** There are also '
                            'workarounds proposed by the vendor to fix the '
                            'vulnerability before the hotfix will be '
                            'released.\n'
                            '\n'
                            '## Detection\n'
                            '\n'
                            '* Indicators shared by Volexity are available in '
                            'a MISP event with UUID '
                            '9802116c-3ec3-4a8e-8b39-5c69b08df5ab, shared in '
                            'the OSINT feed and the MISP private sector '
                            'community.\n'
                            '\n'
                            '## Known affected software\n'
                            '\n'
                            '* PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 used '
                            'as GlobalProtect gateway with device telemetry '
                            'enabled. (other versions are not impacted).\n'
                            '\n'
                            '## References\n'
                            '\n'
                            '* Palo Alto Networks - CVE-2024-3400 PAN-OS: OS '
                            'Command Injection Vulnerability in GlobalProtect '
                            'Gateway.\n'
                            '* Volexity - 0day exploited in the wild..\n'
                            '* Volexity - []Zero-Day Exploitation of '
                            'Unauthenticated Remote Code Execution '
                            'Vulnerability in GlobalProtect '
                            '(CVE-2024-3400)(https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/)\n'
                            '\n'
                            '## Classification of this document\n'
                            '\n'
                            'TLP:CLEAR information may be distributed without '
                            'restriction, subject to copyright controls.\n'
                            '\n'
                            '## Revision\n'
                            '\n'
                            '* Version 1.0 - TLP:CLEAR - First version - 12th '
                            'April 2024\n'
                            '* Version 1.1 - TLP:CLEAR - Second version - 13rd '
                            'April 2024 - IoCs added\n'
                            '* version 1.2 - TLP:CLEAR - Third version - 15th '
                            'April 2024 - fixes added\n'
                            '* Version 1.3 - TLP:CLEAR - Fourth version - 17th '
                            'April 2024 - workarounds are now ineffective\n'
                            '\n'
                            '\n'
                            '\n'
                            '\n'
                            '\n',
                 'deleted': False,
                 'distribution': '5',
                 'event_id': '59',
                 'id': '16',
                 'name': 'Report from - https://www.circl.lu/pub/tr-84/ '
                         '(1736935070)',
                 'sharing_group_id': '0',
                 'timestamp': '1736935070',
                 'uuid': '023df945-8ea4-4719-9fab-a82a57fecf85'},
 'SharingGroup': {'id': None, 'name': None, 'uuid': None}}

Analyst Data¶

Analyst Note¶

In [24]:
analystType = 'Note'
objectUUID = '2a81407b-34a5-4fad-a99e-1641dbd5a411'
# objectType[Enum]: "Attribute" "Event" "EventReport" "GalaxyCluster" "Galaxy"
#                   "Object" "Note" "Opinion" "Relationship" "Organisation" "SharingGroup"
objectType = 'Event'
endpoint = f'/analystData/add/{analystType}/{objectUUID}/{objectType}'

body = {
    "note": "Ceci est une note",
    "language": "fr-BE",
    "authors": "john.doe@admin.test",
    "distribution": 1
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
{'Note': {'Org': {'contacts': None,
                  'created_by': '0',
                  'date_created': '2023-09-28 09:57:34',
                  'date_modified': '2023-09-28 09:57:34',
                  'description': 'CIRCL is the CERT (Computer Emergency '
                                 'Response Team/Computer Security Incident '
                                 'Response Team) for the private sector, '
                                 'communes and non-governmental entities in '
                                 'Luxembourg.',
                  'id': '13',
                  'landingpage': None,
                  'local': True,
                  'name': 'CIRCL',
                  'nationality': '',
                  'restricted_to_domain': [],
                  'sector': '',
                  'type': '',
                  'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
          'Orgc': {'contacts': None,
                   'created_by': '0',
                   'date_created': '2023-09-28 09:57:34',
                   'date_modified': '2023-09-28 09:57:34',
                   'description': 'CIRCL is the CERT (Computer Emergency '
                                  'Response Team/Computer Security Incident '
                                  'Response Team) for the private sector, '
                                  'communes and non-governmental entities in '
                                  'Luxembourg.',
                   'id': '13',
                   'landingpage': None,
                   'local': True,
                   'name': 'CIRCL',
                   'nationality': '',
                   'restricted_to_domain': [],
                   'sector': '',
                   'type': '',
                   'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
          '_canEdit': True,
          'authors': 'john.doe@admin.test',
          'created': '2025-01-15 10:06:25',
          'distribution': '1',
          'id': '11',
          'language': 'fr-BE',
          'locked': False,
          'modified': '2025-01-15 10:06:25',
          'note': 'Ceci est une note',
          'note_type': 0,
          'note_type_name': 'Note',
          'object_type': 'Event15',
          'object_uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411',
          'org_uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f',
          'orgc_uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f',
          'sharing_group_id': None,
          'uuid': 'ce3f2a73-91c0-498f-8b5e-257e158665a3'}}

Analyst Opinion¶

In [25]:
analystType = 'Opinion'
objectUUID = 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5'
# objectType[Enum]: "Attribute" "Event" "EventReport" "GalaxyCluster" "Galaxy"
#                   "Object" "Note" "Opinion" "Relationship" "Organisation" "SharingGroup"
objectType = 'Event'
endpoint = f'/analystData/add/{analystType}/{objectUUID}/{objectType}'

body = {
    "opinion": 75,
    "comment": "This is an opinion",
    "authors": "john.doe@admin.test",
    "distribution": 1
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
{'Opinion': {'Org': {'contacts': None,
                     'created_by': '0',
                     'date_created': '2023-09-28 09:57:34',
                     'date_modified': '2023-09-28 09:57:34',
                     'description': 'CIRCL is the CERT (Computer Emergency '
                                    'Response Team/Computer Security Incident '
                                    'Response Team) for the private sector, '
                                    'communes and non-governmental entities in '
                                    'Luxembourg.',
                     'id': '13',
                     'landingpage': None,
                     'local': True,
                     'name': 'CIRCL',
                     'nationality': '',
                     'restricted_to_domain': [],
                     'sector': '',
                     'type': '',
                     'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
             'Orgc': {'contacts': None,
                      'created_by': '0',
                      'date_created': '2023-09-28 09:57:34',
                      'date_modified': '2023-09-28 09:57:34',
                      'description': 'CIRCL is the CERT (Computer Emergency '
                                     'Response Team/Computer Security Incident '
                                     'Response Team) for the private sector, '
                                     'communes and non-governmental entities '
                                     'in Luxembourg.',
                      'id': '13',
                      'landingpage': None,
                      'local': True,
                      'name': 'CIRCL',
                      'nationality': '',
                      'restricted_to_domain': [],
                      'sector': '',
                      'type': '',
                      'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
             '_canEdit': True,
             'authors': 'john.doe@admin.test',
             'comment': 'This is an opinion',
             'created': '2025-01-15 10:07:11',
             'distribution': '1',
             'id': '5',
             'locked': False,
             'modified': '2025-01-15 10:07:11',
             'note_type': 1,
             'note_type_name': 'Opinion',
             'object_type': 'Event15',
             'object_uuid': 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5',
             'opinion': '75',
             'org_uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f',
             'orgc_uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f',
             'sharing_group_id': None,
             'uuid': '3f7b89b6-ec91-4b85-8d0a-77a524b8db02'}}
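The Note and Opinion cells above differ only in the kind name and the body fields, so a single helper can build both requests and validate them before anything is sent. The block below is an added example, not code from the original notebook or from PyMISP; its function and constant names are its own, the objectType enum is the one listed in the cell comments, and the 0..100 opinion range is an assumption (the notebook sends 75).

```python
# Added example, not code from the original notebook: one helper that builds the
# request for both the Note and the Opinion cells above, validating the inputs
# before anything is sent. Function and constant names are this example's own.
import uuid
from typing import Any, Dict, Tuple

# Target object types accepted by /analystData/add (enum listed in the cells above).
ANALYST_OBJECT_TYPES = {
    "Attribute", "Event", "EventReport", "GalaxyCluster", "Galaxy", "Object",
    "Note", "Opinion", "Relationship", "Organisation", "SharingGroup",
}

# Body fields each analyst-data kind needs, taken from the two request bodies above.
REQUIRED_FIELDS = {
    "Note": ("note",),
    "Opinion": ("opinion", "comment"),
}


def build_analyst_data_request(kind: str, object_uuid: str, object_type: str,
                               authors: str, distribution: int = 1,
                               **fields: Any) -> Tuple[str, Dict[str, Any]]:
    """Return (endpoint, body) ready for misp.direct_call, or raise ValueError.

    Validating locally catches a mistyped objectType or UUID before the API
    call, instead of learning about it from an error (or silence) in the response.
    """
    if kind not in REQUIRED_FIELDS:
        raise ValueError(f"unsupported analyst data kind: {kind!r}")
    if object_type not in ANALYST_OBJECT_TYPES:
        raise ValueError(f"unknown objectType: {object_type!r}")
    # uuid.UUID() raises ValueError for anything that is not a well-formed UUID.
    object_uuid = str(uuid.UUID(object_uuid))
    missing = [f for f in REQUIRED_FIELDS[kind] if f not in fields]
    if missing:
        raise ValueError(f"{kind} body is missing field(s): {missing}")
    if kind == "Opinion":
        # Assumption: an opinion is an integer score from 0 to 100 (the notebook sends 75).
        score = fields["opinion"]
        if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
            raise ValueError("opinion must be an integer between 0 and 100")
    if distribution not in range(0, 5):
        raise ValueError("distribution must be a MISP level 0..4")
    body = {"authors": authors, "distribution": distribution, **fields}
    return f"/analystData/add/{kind}/{object_uuid}/{object_type}", body


def summarize_analyst_response(res: Dict[str, Any]) -> Dict[str, Any]:
    """Extract the fields worth checking from a response shaped like the ones above."""
    kind, payload = next(iter(res.items()))
    return {
        "kind": kind,
        "uuid": payload["uuid"],
        "object_uuid": payload["object_uuid"],
        "note_type_name": payload["note_type_name"],
        "distribution": int(payload["distribution"]),
        "creator_org": payload["Orgc"]["name"],
    }


if __name__ == "__main__":
    endpoint, body = build_analyst_data_request(
        "Opinion", "bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5", "Event",
        "john.doe@admin.test", opinion=75, comment="This is an opinion")
    print(endpoint, body)
    # With the notebook's client: res = misp.direct_call(endpoint, body)
    #                             print(summarize_analyst_response(res))
```

`summarize_analyst_response` reads back the `uuid`, `object_uuid` and `distribution` the server actually stored, which is the quick way to confirm the note landed on the intended object with the intended sharing level.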

Searches¶

In [26]:
# Searching the Event index (Move it to the search topic)
endpoint = '/events/index'
relative_path = ''

body = {
    "eventinfo": "Event created via the API as an example",
#    "publish_timestamp": "2024-04-15",
#    "org": "ORGNAME"
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Count: 3
----------
[{'EventTag': [],
  'Org': {'id': '6',
          'name': 'ORG_4',
          'uuid': '9e913344-3e2d-4cd2-8403-8888dfe0ad1e'},
  'Orgc': {'id': '14',
           'name': 'ORGNAME_7544',
           'uuid': '6e14838a-8e55-400b-a3ef-c552750394c6'},
  'analysis': '0',
  'attribute_count': '0',
  'date': '2024-10-02',
  'disable_correlation': False,
  'distribution': '3',
  'extends_uuid': '',
  'id': '30',
  'info': 'Event created via the API as an example',
  'locked': True,
  'org_id': '6',
  'orgc_id': '14',
  'proposal_email_lock': False,
  'protected': None,
  'publish_timestamp': '1727879371',
  'published': False,
  'sharing_group_id': '0',
  'sighting_timestamp': '0',
  'threat_level_id': '1',
  'timestamp': '1728285332',
  'uuid': '939dae03-21a1-424b-890c-4447ffee28c1'},
 {'EventTag': [{'Tag': {'colour': '#FF2B2B',
                        'id': '22',
                        'is_galaxy': False,
                        'name': 'tlp:red'},
                'event_id': '31',
                'id': '32',
                'local': False,
                'relationship_type': '',
                'tag_id': '22'},
               {'Tag': {'colour': '#33FF00',
                        'id': '16',
                        'is_galaxy': False,
                        'name': 'tlp:green'},
                'event_id': '31',
                'id': '33',
                'local': False,
                'relationship_type': None,
                'tag_id': '16'}],
  'Org': {'id': '8',
          'name': 'ORG_6',
          'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
  'Orgc': {'id': '8',
           'name': 'ORG_6',
           'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
  'analysis': '0',
  'attribute_count': '3',
  'date': '2024-10-04',
  'disable_correlation': False,
  'distribution': '0',
  'extends_uuid': '',
  'id': '31',
  'info': 'Event created via the API as an example',
  'locked': False,
  'org_id': '8',
  'orgc_id': '8',
  'proposal_email_lock': False,
  'protected': None,
  'publish_timestamp': '1736459174',
  'published': True,
  'sharing_group_id': '0',
  'sighting_timestamp': '0',
  'threat_level_id': '1',
  'timestamp': '1728029364',
  'uuid': 'dcb2fde7-d53f-47c8-b71d-6731819593d2'},
 {'EventTag': [{'Tag': {'colour': '#33FF00',
                        'id': '16',
                        'is_galaxy': False,
                        'name': 'tlp:green'},
                'event_id': '59',
                'id': '144',
                'local': False,
                'relationship_type': None,
                'tag_id': '16'}],
  'Org': {'id': '13',
          'name': 'CIRCL',
          'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
  'Orgc': {'id': '13',
           'name': 'CIRCL',
           'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
  'analysis': '0',
  'attribute_count': '3',
  'date': '2025-01-15',
  'disable_correlation': False,
  'distribution': '0',
  'extends_uuid': '',
  'id': '59',
  'info': 'Event created via the API as an example',
  'locked': False,
  'org_id': '13',
  'orgc_id': '13',
  'proposal_email_lock': False,
  'protected': None,
  'publish_timestamp': '0',
  'published': False,
  'sharing_group_id': '0',
  'sighting_timestamp': '0',
  'threat_level_id': '1',
  'timestamp': '1736935399',
  'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'}]
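The index above is worth more than a count: event 31, for instance, carries both `tlp:red` and `tlp:green`. The block below is an added example, not code from the original notebook or from PyMISP, that post-processes a `/events/index` result and flags sharing-policy inconsistencies between TLP tags and the event's distribution level. `SAMPLE_EVENTS` is a constructed, trimmed copy of the three events printed above, and `TLP_MAX_DISTRIBUTION` is an assumed local policy rather than a rule MISP enforces.

```python
# Added example, not code from the original notebook: post-process the list that
# /events/index returns (the three events printed above) and flag sharing-policy
# inconsistencies. SAMPLE_EVENTS is a constructed, trimmed copy of that output;
# TLP_MAX_DISTRIBUTION is an assumed local policy, not a rule enforced by MISP.
import re
from typing import Dict, List

# MISP event distribution levels as they appear in the 'distribution' field.
DISTRIBUTION = {
    "0": "Your organisation only",
    "1": "This community only",
    "2": "Connected communities",
    "3": "All communities",
    "4": "Sharing group",
}

# Assumed local policy: the widest distribution level tolerated per TLP level.
TLP_MAX_DISTRIBUTION = {"red": 0, "amber": 1, "green": 2, "clear": 3, "white": 3}

# Constructed sample: only the fields this check needs, copied from the output above.
SAMPLE_EVENTS = [
    {"id": "30", "distribution": "3", "published": False, "EventTag": []},
    {"id": "31", "distribution": "0", "published": True,
     "EventTag": [{"Tag": {"name": "tlp:red"}}, {"Tag": {"name": "tlp:green"}}]},
    {"id": "59", "distribution": "0", "published": False,
     "EventTag": [{"Tag": {"name": "tlp:green"}}]},
]


def tlp_levels(event: dict) -> List[str]:
    """Return the TLP levels tagged on an event, e.g. 'tlp:amber+strict' -> 'amber'."""
    levels = []
    for event_tag in event.get("EventTag", []):
        match = re.fullmatch(r"tlp:([a-z]+)(\+[a-z]+)?", event_tag["Tag"]["name"].lower())
        if match:
            levels.append(match.group(1))
    return levels


def review_event_index(events: List[dict]) -> Dict[str, List[str]]:
    """Map event id -> findings for events whose TLP tags and distribution disagree."""
    findings: Dict[str, List[str]] = {}
    for event in events:
        issues = []
        levels = set(tlp_levels(event))
        dist = str(event.get("distribution", ""))
        if len(levels) > 1:
            issues.append("conflicting TLP tags: " + ", ".join(sorted(levels)))
        for level in sorted(levels):
            limit = TLP_MAX_DISTRIBUTION.get(level)
            # Distribution 4 (sharing group) is governed by the group itself, so it is skipped.
            if limit is not None and dist in ("0", "1", "2", "3") and int(dist) > limit:
                issues.append(f"tlp:{level} but distribution {dist} ({DISTRIBUTION[dist]})")
        if not levels:
            issues.append("no TLP tag")
        if issues:
            findings[event["id"]] = issues
    return findings


if __name__ == "__main__":
    # With the notebook's client: res = misp.direct_call('/events/index', body)
    # and then review_event_index(res) on the returned list.
    for event_id, issues in review_event_index(SAMPLE_EVENTS).items():
        print(event_id, issues)
```

Run against the sample, event 30 is reported for having no TLP tag at all while being visible to all communities, and event 31 for its contradictory `tlp:red`/`tlp:green` pair; event 59 passes. The same function can be pointed at the real `res` list from the cell above.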
In [27]:
# Searching the Event index, this time filtering on a tag
endpoint = '/events/index'
relative_path = ''

body = {
#     "hasproposal": 1,
    "tag": ["tlp:amber"]
}

res = misp.direct_call(endpoint + relative_path, body)

print('Event number: %s' % len(res))
print_result(res)
Event number: 2
Count: 2
----------
[{'EventTag': [{'Tag': {'colour': '#f00082',
                        'id': '84',
                        'is_galaxy': False,
                        'name': 'workflow:state="draft"'},
                'event_id': '48',
                'id': '103',
                'local': False,
                'relationship_type': '',
                'tag_id': '84'},
               {'Tag': {'colour': '#FFC000',
                        'id': '23',
                        'is_galaxy': False,
                        'name': 'tlp:amber'},
                'event_id': '48',
                'id': '104',
                'local': False,
                'relationship_type': '',
                'tag_id': '23'},
               {'Tag': {'colour': '#ff0000',
                        'id': '85',
                        'is_galaxy': False,
                        'name': 'PAP:RED'},
                'event_id': '48',
                'id': '105',
                'local': False,
                'relationship_type': '',
                'tag_id': '85'},
               {'Tag': {'colour': '#002140',
                        'id': '44',
                        'is_galaxy': False,
                        'name': 'phishing:techniques="email-spoofing"'},
                'event_id': '48',
                'id': '106',
                'local': False,
                'relationship_type': '',
                'tag_id': '44'},
               {'Tag': {'colour': '#003668',
                        'id': '86',
                        'is_galaxy': False,
                        'name': 'phishing:distribution="spear-phishing"'},
                'event_id': '48',
                'id': '107',
                'local': False,
                'relationship_type': '',
                'tag_id': '86'},
               {'Tag': {'colour': '#0fc000',
                        'id': '77',
                        'is_galaxy': False,
                        'name': 'admiralty-scale:information-credibility="2"'},
                'event_id': '48',
                'id': '108',
                'local': False,
                'relationship_type': '',
                'tag_id': '77'},
               {'Tag': {'colour': '#001cad',
                        'id': '2',
                        'is_galaxy': False,
                        'name': 'estimative-language:likelihood-probability="very-likely"'},
                'event_id': '48',
                'id': '109',
                'local': False,
                'relationship_type': '',
                'tag_id': '2'},
               {'Tag': {'colour': '#0088cc',
                        'id': '21',
                        'is_galaxy': True,
                        'name': 'misp-galaxy:country="luxembourg"'},
                'event_id': '48',
                'id': '110',
                'local': False,
                'relationship_type': '',
                'tag_id': '21'},
               {'Tag': {'colour': '#0088cc',
                        'id': '87',
                        'is_galaxy': True,
                        'name': 'misp-galaxy:sector="Telecoms"'},
                'event_id': '48',
                'id': '111',
                'local': False,
                'relationship_type': '',
                'tag_id': '87'},
               {'Tag': {'colour': '#0088cc',
                        'id': '88',
                        'is_galaxy': True,
                        'name': 'misp-galaxy:mitre-attack-pattern="Spearphishing '
                                'Attachment - T1566.001"'},
                'event_id': '48',
                'id': '112',
                'local': False,
                'relationship_type': '',
                'tag_id': '88'},
               {'Tag': {'colour': '#0088cc',
                        'id': '89',
                        'is_galaxy': True,
                        'name': 'misp-galaxy:mitre-attack-pattern="Phishing - '
                                'T1566"'},
                'event_id': '48',
                'id': '113',
                'local': False,
                'relationship_type': '',
                'tag_id': '89'}],
  'GalaxyCluster': [{'Galaxy': {'created': '0000-00-00 00:00:00',
                                'default': True,
                                'description': 'Country meta information based '
                                               'on the database provided by '
                                               'geonames.org.',
                                'distribution': '3',
                                'enabled': True,
                                'icon': 'globe',
                                'id': '14',
                                'local_only': False,
                                'modified': '0000-00-00 00:00:00',
                                'name': 'Country',
                                'namespace': 'misp',
                                'org_id': '0',
                                'orgc_id': '0',
                                'type': 'country',
                                'uuid': '84668357-5a8c-4bdd-9f0f-6b50b2aee4c1',
                                'version': '1'},
                     'authors': ['geonames.org'],
                     'collection_uuid': '84668357-5a8c-4bdd-9f0f-6b50b2aee4c1',
                     'default': True,
                     'deleted': False,
                     'description': 'Luxembourg',
                     'distribution': '3',
                     'extends_uuid': '',
                     'extends_version': '0',
                     'galaxy_id': '14',
                     'id': '11929',
                     'local': False,
                     'locked': False,
                     'meta': {'Capital': ['Luxembourg'],
                              'Continent': ['EU'],
                              'CurrencyCode': ['EUR'],
                              'CurrencyName': ['Euro'],
                              'ISO': ['LU'],
                              'ISO3': ['LUX'],
                              'Languages': ['lb,de-LU,fr-LU'],
                              'Population': ['497538'],
                              'budapest-convention': ['parties'],
                              'tld': ['.lu']},
                     'org_id': '0',
                     'orgc_id': '0',
                     'published': False,
                     'relationship_type': '',
                     'sharing_group_id': None,
                     'source': 'MISP Project',
                     'tag_id': '21',
                     'tag_name': 'misp-galaxy:country="luxembourg"',
                     'type': 'country',
                     'uuid': '84668357-5a8c-4bdd-9f0f-6b50b24c5558',
                     'value': 'luxembourg',
                     'version': '2'},
                    {'Galaxy': {'created': '0000-00-00 00:00:00',
                                'default': True,
                                'description': 'Activity sectors',
                                'distribution': '3',
                                'enabled': True,
                                'icon': 'industry',
                                'id': '51',
                                'local_only': False,
                                'modified': '0000-00-00 00:00:00',
                                'name': 'Sector',
                                'namespace': 'misp',
                                'org_id': '0',
                                'orgc_id': '0',
                                'type': 'sector',
                                'uuid': 'e1bb134c-ae4d-11e7-8aa9-f78a37325439',
                                'version': '2'},
                     'authors': ['Various'],
                     'collection_uuid': '1401c704-7dfb-41f6-a6d3-e751b270843b',
                     'default': True,
                     'deleted': False,
                     'description': '',
                     'distribution': '3',
                     'extends_uuid': '',
                     'extends_version': '0',
                     'galaxy_id': '51',
                     'id': '23338',
                     'local': False,
                     'locked': False,
                     'meta': {'synonyms': ['Telecommunications']},
                     'org_id': '0',
                     'orgc_id': '0',
                     'published': False,
                     'relationship_type': '',
                     'sharing_group_id': None,
                     'source': 'CERT-EU',
                     'tag_id': '87',
                     'tag_name': 'misp-galaxy:sector="Telecoms"',
                     'type': 'sector',
                     'uuid': '0de938bd-4efa-4c7a-9244-71a79317d142',
                     'value': 'Telecoms',
                     'version': '5'},
                    {'Galaxy': {'created': '2025-01-10 08:22:05',
                                'default': True,
                                'description': 'ATT&CK Tactic',
                                'distribution': '3',
                                'enabled': True,
                                'icon': 'map',
                                'id': '22',
                                'kill_chain_order': {'attack-Containers': ['initial-access',
                                                                           'execution',
                                                                           'persistence',
                                                                           'privilege-escalation',
                                                                           'defense-evasion',
                                                                           'credential-access',
                                                                           'discovery',
                                                                           'lateral-movement',
                                                                           'impact'],
                                                     'attack-IaaS': ['initial-access',
                                                                     'execution',
                                                                     'persistence',
                                                                     'privilege-escalation',
                                                                     'defense-evasion',
                                                                     'credential-access',
                                                                     'discovery',
                                                                     'lateral-movement',
                                                                     'collection',
                                                                     'exfiltration',
                                                                     'impact'],
                                                     'attack-Identity-Provider': ['initial-access',
                                                                                  'execution',
                                                                                  'persistence',
                                                                                  'privilege-escalation',
                                                                                  'defense-evasion',
                                                                                  'credential-access',
                                                                                  'discovery',
                                                                                  'lateral-movement'],
                                                     'attack-Linux': ['initial-access',
                                                                      'execution',
                                                                      'persistence',
                                                                      'privilege-escalation',
                                                                      'defense-evasion',
                                                                      'credential-access',
                                                                      'discovery',
                                                                      'lateral-movement',
                                                                      'collection',
                                                                      'command-and-control',
                                                                      'exfiltration',
                                                                      'impact'],
                                                     'attack-Network': ['initial-access',
                                                                        'execution',
                                                                        'persistence',
                                                                        'privilege-escalation',
                                                                        'defense-evasion',
                                                                        'credential-access',
                                                                        'discovery',
                                                                        'lateral-movement',
                                                                        'collection',
                                                                        'command-and-control',
                                                                        'exfiltration',
                                                                        'impact'],
                                                     'attack-Office-365': ['initial-access',
                                                                           'defense-evasion',
                                                                           'lateral-movement'],
                                                     'attack-Office-Suite': ['initial-access',
                                                                             'execution',
                                                                             'persistence',
                                                                             'privilege-escalation',
                                                                             'defense-evasion',
                                                                             'credential-access',
                                                                             'discovery',
                                                                             'lateral-movement',
                                                                             'collection',
                                                                             'exfiltration',
                                                                             'impact'],
                                                     'attack-PRE': ['reconnaissance',
                                                                    'resource-development'],
                                                     'attack-SaaS': ['initial-access',
                                                                     'execution',
                                                                     'persistence',
                                                                     'privilege-escalation',
                                                                     'defense-evasion',
                                                                     'credential-access',
                                                                     'discovery',
                                                                     'lateral-movement',
                                                                     'collection',
                                                                     'exfiltration',
                                                                     'impact'],
                                                     'attack-Windows': ['initial-access',
                                                                        'execution',
                                                                        'persistence',
                                                                        'privilege-escalation',
                                                                        'defense-evasion',
                                                                        'credential-access',
                                                                        'discovery',
                                                                        'lateral-movement',
                                                                        'collection',
                                                                        'command-and-control',
                                                                        'exfiltration',
                                                                        'impact'],
                                                     'attack-macOS': ['initial-access',
                                                                      'execution',
                                                                      'persistence',
                                                                      'privilege-escalation',
                                                                      'defense-evasion',
                                                                      'credential-access',
                                                                      'discovery',
                                                                      'lateral-movement',
                                                                      'collection',
                                                                      'command-and-control',
                                                                      'exfiltration',
                                                                      'impact'],
                                                     'mobile-attack-Android': ['initial-access',
                                                                               'execution',
                                                                               'persistence',
                                                                               'privilege-escalation',
                                                                               'defense-evasion',
                                                                               'credential-access',
                                                                               'discovery',
                                                                               'lateral-movement',
                                                                               'collection',
                                                                               'command-and-control',
                                                                               'exfiltration',
                                                                               'impact',
                                                                               'network-effects',
                                                                               'remote-service-effects'],
                                                     'mobile-attack-iOS': ['initial-access',
                                                                           'execution',
                                                                           'persistence',
                                                                           'privilege-escalation',
                                                                           'defense-evasion',
                                                                           'credential-access',
                                                                           'discovery',
                                                                           'lateral-movement',
                                                                           'collection',
                                                                           'command-and-control',
                                                                           'exfiltration',
                                                                           'impact',
                                                                           'network-effects',
                                                                           'remote-service-effects'],
                                                     'pre-attack': ['priority-definition-planning',
                                                                    'priority-definition-direction',
                                                                    'target-selection',
                                                                    'technical-information-gathering',
                                                                    'people-information-gathering',
                                                                    'organizational-information-gathering',
                                                                    'technical-weakness-identification',
                                                                    'people-weakness-identification',
                                                                    'organizational-weakness-identification',
                                                                    'adversary-opsec',
                                                                    'establish-&-maintain-infrastructure',
                                                                    'persona-development',
                                                                    'build-capabilities',
                                                                    'test-capabilities',
                                                                    'stage-capabilities',
                                                                    'launch',
                                                                    'compromise']},
                                'local_only': False,
                                'modified': '2025-01-10 08:22:05',
                                'name': 'Attack Pattern',
                                'namespace': 'mitre-attack',
                                'org_id': '0',
                                'orgc_id': '0',
                                'type': 'mitre-attack-pattern',
                                'uuid': 'c4e851fa-775f-11e7-8163-b774922098cd',
                                'version': '11'},
                     'authors': ['MITRE'],
                     'collection_uuid': 'dcb864dc-775f-11e7-9fbb-1f41b4996683',
                     'default': True,
                     'deleted': False,
                     'description': 'Adversaries may send spearphishing emails '
                                    'with a malicious attachment in an attempt '
                                    'to gain access to victim systems. '
                                    'Spearphishing attachment is a specific '
                                    'variant of spearphishing. Spearphishing '
                                    'attachment is different from other forms '
                                    'of spearphishing in that it employs the '
                                    'use of malware attached to an email. All '
                                    'forms of spearphishing are electronically '
                                    'delivered social engineering targeted at '
                                    'a specific individual, company, or '
                                    'industry. In this scenario, adversaries '
                                    'attach a file to the spearphishing email '
                                    'and usually rely upon [User '
                                    'Execution](https://attack.mitre.org/techniques/T1204) '
                                    'to gain execution.(Citation: Unit 42 '
                                    'DarkHydrus July 2018) Spearphishing may '
                                    'also involve social engineering '
                                    'techniques, such as posing as a trusted '
                                    'source.\n'
                                    '\n'
                                    'There are many options for the attachment '
                                    'such as Microsoft Office documents, '
                                    'executables, PDFs, or archived files. '
                                    'Upon opening the attachment (and '
                                    'potentially clicking past protections), '
                                    "the adversary's payload exploits a "
                                    'vulnerability or directly executes on the '
                                    "user's system. The text of the "
                                    'spearphishing email usually tries to give '
                                    'a plausible reason why the file should be '
                                    'opened, and may explain how to bypass '
                                    'system protections in order to do so. The '
                                    'email may also contain instructions on '
                                    'how to decrypt an attachment, such as a '
                                    'zip file password, in order to evade '
                                    'email boundary defenses. Adversaries '
                                    'frequently manipulate file extensions and '
                                    'icons in order to make attached '
                                    'executables appear to be document files, '
                                    'or files exploiting one application '
                                    'appear to be a file for a different one. ',
                     'distribution': '3',
                     'extends_uuid': '',
                     'extends_version': '0',
                     'galaxy_id': '22',
                     'id': '35985',
                     'local': False,
                     'locked': False,
                     'meta': {'external_id': ['T1566.001'],
                              'kill_chain': ['attack-macOS:initial-access',
                                             'attack-Windows:initial-access',
                                             'attack-Linux:initial-access'],
                              'mitre_data_sources': ['Application Log: '
                                                     'Application Log Content',
                                                     'File: File Creation',
                                                     'Network Traffic: Network '
                                                     'Traffic Content',
                                                     'Network Traffic: Network '
                                                     'Traffic Flow'],
                              'mitre_platforms': ['macOS', 'Windows', 'Linux'],
                              'refs': ['https://attack.mitre.org/techniques/T1566/001',
                                       'https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide',
                                       'https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/',
                                       'https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf',
                                       'https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql']},
                     'org_id': '0',
                     'orgc_id': '0',
                     'published': False,
                     'relationship_type': '',
                     'sharing_group_id': None,
                     'source': 'https://github.com/mitre/cti',
                     'tag_id': '88',
                     'tag_name': 'misp-galaxy:mitre-attack-pattern="Spearphishing '
                                 'Attachment - T1566.001"',
                     'type': 'mitre-attack-pattern',
                     'uuid': '2e34237d-8574-43f6-aace-ae2915de8597',
                     'value': 'Spearphishing Attachment - T1566.001',
                     'version': '31'},
                    {'Galaxy': {'created': '2025-01-10 08:22:05',
                                'default': True,
                                'description': 'ATT&CK Tactic',
                                'distribution': '3',
                                'enabled': True,
                                'icon': 'map',
                                'id': '22',
                                'kill_chain_order': {'attack-Containers': ['initial-access',
                                                                           'execution',
                                                                           'persistence',
                                                                           'privilege-escalation',
                                                                           'defense-evasion',
                                                                           'credential-access',
                                                                           'discovery',
                                                                           'lateral-movement',
                                                                           'impact'],
                                                     'attack-IaaS': ['initial-access',
                                                                     'execution',
                                                                     'persistence',
                                                                     'privilege-escalation',
                                                                     'defense-evasion',
                                                                     'credential-access',
                                                                     'discovery',
                                                                     'lateral-movement',
                                                                     'collection',
                                                                     'exfiltration',
                                                                     'impact'],
                                                     'attack-Identity-Provider': ['initial-access',
                                                                                  'execution',
                                                                                  'persistence',
                                                                                  'privilege-escalation',
                                                                                  'defense-evasion',
                                                                                  'credential-access',
                                                                                  'discovery',
                                                                                  'lateral-movement'],
                                                     'attack-Linux': ['initial-access',
                                                                      'execution',
                                                                      'persistence',
                                                                      'privilege-escalation',
                                                                      'defense-evasion',
                                                                      'credential-access',
                                                                      'discovery',
                                                                      'lateral-movement',
                                                                      'collection',
                                                                      'command-and-control',
                                                                      'exfiltration',
                                                                      'impact'],
                                                     'attack-Network': ['initial-access',
                                                                        'execution',
                                                                        'persistence',
                                                                        'privilege-escalation',
                                                                        'defense-evasion',
                                                                        'credential-access',
                                                                        'discovery',
                                                                        'lateral-movement',
                                                                        'collection',
                                                                        'command-and-control',
                                                                        'exfiltration',
                                                                        'impact'],
                                                     'attack-Office-365': ['initial-access',
                                                                           'defense-evasion',
                                                                           'lateral-movement'],
                                                     'attack-Office-Suite': ['initial-access',
                                                                             'execution',
                                                                             'persistence',
                                                                             'privilege-escalation',
                                                                             'defense-evasion',
                                                                             'credential-access',
                                                                             'discovery',
                                                                             'lateral-movement',
                                                                             'collection',
                                                                             'exfiltration',
                                                                             'impact'],
                                                     'attack-PRE': ['reconnaissance',
                                                                    'resource-development'],
                                                     'attack-SaaS': ['initial-access',
                                                                     'execution',
                                                                     'persistence',
                                                                     'privilege-escalation',
                                                                     'defense-evasion',
                                                                     'credential-access',
                                                                     'discovery',
                                                                     'lateral-movement',
                                                                     'collection',
                                                                     'exfiltration',
                                                                     'impact'],
                                                     'attack-Windows': ['initial-access',
                                                                        'execution',
                                                                        'persistence',
                                                                        'privilege-escalation',
                                                                        'defense-evasion',
                                                                        'credential-access',
                                                                        'discovery',
                                                                        'lateral-movement',
                                                                        'collection',
                                                                        'command-and-control',
                                                                        'exfiltration',
                                                                        'impact'],
                                                     'attack-macOS': ['initial-access',
                                                                      'execution',
                                                                      'persistence',
                                                                      'privilege-escalation',
                                                                      'defense-evasion',
                                                                      'credential-access',
                                                                      'discovery',
                                                                      'lateral-movement',
                                                                      'collection',
                                                                      'command-and-control',
                                                                      'exfiltration',
                                                                      'impact'],
                                                     'mobile-attack-Android': ['initial-access',
                                                                               'execution',
                                                                               'persistence',
                                                                               'privilege-escalation',
                                                                               'defense-evasion',
                                                                               'credential-access',
                                                                               'discovery',
                                                                               'lateral-movement',
                                                                               'collection',
                                                                               'command-and-control',
                                                                               'exfiltration',
                                                                               'impact',
                                                                               'network-effects',
                                                                               'remote-service-effects'],
                                                     'mobile-attack-iOS': ['initial-access',
                                                                           'execution',
                                                                           'persistence',
                                                                           'privilege-escalation',
                                                                           'defense-evasion',
                                                                           'credential-access',
                                                                           'discovery',
                                                                           'lateral-movement',
                                                                           'collection',
                                                                           'command-and-control',
                                                                           'exfiltration',
                                                                           'impact',
                                                                           'network-effects',
                                                                           'remote-service-effects'],
                                                     'pre-attack': ['priority-definition-planning',
                                                                    'priority-definition-direction',
                                                                    'target-selection',
                                                                    'technical-information-gathering',
                                                                    'people-information-gathering',
                                                                    'organizational-information-gathering',
                                                                    'technical-weakness-identification',
                                                                    'people-weakness-identification',
                                                                    'organizational-weakness-identification',
                                                                    'adversary-opsec',
                                                                    'establish-&-maintain-infrastructure',
                                                                    'persona-development',
                                                                    'build-capabilities',
                                                                    'test-capabilities',
                                                                    'stage-capabilities',
                                                                    'launch',
                                                                    'compromise']},
                                'local_only': False,
                                'modified': '2025-01-10 08:22:05',
                                'name': 'Attack Pattern',
                                'namespace': 'mitre-attack',
                                'org_id': '0',
                                'orgc_id': '0',
                                'type': 'mitre-attack-pattern',
                                'uuid': 'c4e851fa-775f-11e7-8163-b774922098cd',
                                'version': '11'},
                     'authors': ['MITRE'],
                     'collection_uuid': 'dcb864dc-775f-11e7-9fbb-1f41b4996683',
                     'default': True,
                     'deleted': False,
                     'description': 'Adversaries may send phishing messages to '
                                    'gain access to victim systems. All forms '
                                    'of phishing are electronically delivered '
                                    'social engineering. Phishing can be '
                                    'targeted, known as spearphishing. In '
                                    'spearphishing, a specific individual, '
                                    'company, or industry will be targeted by '
                                    'the adversary. More generally, '
                                    'adversaries can conduct non-targeted '
                                    'phishing, such as in mass malware spam '
                                    'campaigns.\n'
                                    '\n'
                                    'Adversaries may send victims emails '
                                    'containing malicious attachments or '
                                    'links, typically to execute malicious '
                                    'code on victim systems. Phishing may also '
                                    'be conducted via third-party services, '
                                    'like social media platforms. Phishing may '
                                    'also involve social engineering '
                                    'techniques, such as posing as a trusted '
                                    'source, as well as evasive techniques '
                                    'such as removing or manipulating emails '
                                    'or metadata/headers from compromised '
                                    'accounts being abused to send messages '
                                    '(e.g., [Email Hiding '
                                    'Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: '
                                    'Microsoft OAuth Spam 2022)(Citation: Palo '
                                    'Alto Unit 42 VBA Infostealer 2014) '
                                    'Another way to accomplish this is by '
                                    'forging or spoofing(Citation: '
                                    'Proofpoint-spoof) the identity of the '
                                    'sender which can be used to fool both the '
                                    'human recipient as well as automated '
                                    'security tools,(Citation: '
                                    'cyberproof-double-bounce) or by including '
                                    'the intended target as a party to an '
                                    'existing email thread that includes '
                                    'malicious files or links (i.e., "thread '
                                    'hijacking").(Citation: phishing-krebs)\n'
                                    '\n'
                                    'Victims may also receive phishing '
                                    'messages that instruct them to call a '
                                    'phone number where they are directed to '
                                    'visit a malicious URL, download '
                                    'malware,(Citation: sygnia Luna '
                                    'Month)(Citation: CISA Remote Monitoring '
                                    'and Management Software) or install '
                                    'adversary-accessible remote management '
                                    'tools onto their computer (i.e., [User '
                                    'Execution](https://attack.mitre.org/techniques/T1204)).(Citation: '
                                    'Unit42 Luna Moth)',
                     'distribution': '3',
                     'extends_uuid': '',
                     'extends_version': '0',
                     'galaxy_id': '22',
                     'id': '36353',
                     'local': False,
                     'locked': False,
                     'meta': {'external_id': ['T1566'],
                              'kill_chain': ['attack-Linux:initial-access',
                                             'attack-macOS:initial-access',
                                             'attack-Windows:initial-access',
                                             'attack-SaaS:initial-access',
                                             'attack-Identity-Provider:initial-access',
                                             'attack-Office-Suite:initial-access'],
                              'mitre_data_sources': ['Application Log: '
                                                     'Application Log Content',
                                                     'File: File Creation',
                                                     'Network Traffic: Network '
                                                     'Traffic Content',
                                                     'Network Traffic: Network '
                                                     'Traffic Flow'],
                              'mitre_platforms': ['Linux',
                                                  'macOS',
                                                  'Windows',
                                                  'SaaS',
                                                  'Identity Provider',
                                                  'Office Suite'],
                              'refs': ['https://attack.mitre.org/techniques/T1566',
                                       'https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends',
                                       'https://blog.sygnia.co/luna-moth-false-subscription-scams',
                                       'https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide',
                                       'https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/',
                                       'https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/',
                                       'https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/',
                                       'https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf',
                                       'https://www.cisa.gov/uscert/ncas/alerts/aa23-025a',
                                       'https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/',
                                       'https://www.proofpoint.com/us/threat-reference/email-spoofing']},
                     'org_id': '0',
                     'orgc_id': '0',
                     'published': False,
                     'relationship_type': '',
                     'sharing_group_id': None,
                     'source': 'https://github.com/mitre/cti',
                     'tag_id': '89',
                     'tag_name': 'misp-galaxy:mitre-attack-pattern="Phishing - '
                                 'T1566"',
                     'type': 'mitre-attack-pattern',
                     'uuid': 'a62a8db3-f23a-4d8f-afd6-9dbc77e7813b',
                     'value': 'Phishing - T1566',
                     'version': '31'}],
  'Org': {'id': '13',
          'name': 'CIRCL',
          'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
  'Orgc': {'id': '18',
           'name': 'Training',
           'uuid': '5d6d3b30-9db0-44b9-8869-7f56a5e38e14'},
  'analysis': '0',
  'attribute_count': '44',
  'date': '2022-02-23',
  'disable_correlation': False,
  'distribution': '2',
  'extends_uuid': '',
  'id': '48',
  'info': 'Spear-phishing attempt targeting telco sector',
  'locked': True,
  'org_id': '13',
  'orgc_id': '18',
  'proposal_email_lock': False,
  'protected': None,
  'publish_timestamp': '1736459828',
  'published': True,
  'sharing_group_id': '0',
  'sighting_timestamp': '0',
  'threat_level_id': '3',
  'timestamp': '1646822496',
  'uuid': '99ba2641-5093-491b-96c1-1d09de8c390a'},
 {'EventTag': [{'Tag': {'colour': '#FFC000',
                        'id': '23',
                        'is_galaxy': False,
                        'name': 'tlp:amber'},
                'event_id': '56',
                'id': '131',
                'local': False,
                'relationship_type': '',
                'tag_id': '23'},
               {'Tag': {'colour': '#0088cc',
                        'id': '103',
                        'is_galaxy': True,
                        'name': 'misp-galaxy:country="netherlands"'},
                'event_id': '56',
                'id': '134',
                'local': False,
                'relationship_type': 'targets',
                'tag_id': '103'},
               {'Tag': {'colour': '#0088cc',
                        'id': '29',
                        'is_galaxy': True,
                        'name': 'misp-galaxy:country="russia"'},
                'event_id': '56',
                'id': '135',
                'local': False,
                'relationship_type': 'targeted-by',
                'tag_id': '29'}],
  'GalaxyCluster': [{'Galaxy': {'created': '0000-00-00 00:00:00',
                                'default': True,
                                'description': 'Country meta information based '
                                               'on the database provided by '
                                               'geonames.org.',
                                'distribution': '3',
                                'enabled': True,
                                'icon': 'globe',
                                'id': '14',
                                'local_only': False,
                                'modified': '0000-00-00 00:00:00',
                                'name': 'Country',
                                'namespace': 'misp',
                                'org_id': '0',
                                'orgc_id': '0',
                                'type': 'country',
                                'uuid': '84668357-5a8c-4bdd-9f0f-6b50b2aee4c1',
                                'version': '1'},
                     'authors': ['geonames.org'],
                     'collection_uuid': '84668357-5a8c-4bdd-9f0f-6b50b2aee4c1',
                     'default': True,
                     'deleted': False,
                     'description': 'Netherlands',
                     'distribution': '3',
                     'extends_uuid': '',
                     'extends_version': '0',
                     'galaxy_id': '14',
                     'id': '11961',
                     'local': False,
                     'locked': False,
                     'meta': {'Capital': ['Amsterdam'],
                              'Continent': ['EU'],
                              'CurrencyCode': ['EUR'],
                              'CurrencyName': ['Euro'],
                              'ISO': ['NL'],
                              'ISO3': ['NLD'],
                              'Languages': ['nl-NL,fy-NL'],
                              'Population': ['16645000'],
                              'budapest-convention': ['parties'],
                              'tld': ['.nl']},
                     'org_id': '0',
                     'orgc_id': '0',
                     'published': False,
                     'relationship_type': 'targets',
                     'sharing_group_id': None,
                     'source': 'MISP Project',
                     'tag_id': '103',
                     'tag_name': 'misp-galaxy:country="netherlands"',
                     'type': 'country',
                     'uuid': '84668357-5a8c-4bdd-9f0f-6b50b24e4c44',
                     'value': 'netherlands',
                     'version': '2'},
                    {'Galaxy': {'created': '0000-00-00 00:00:00',
                                'default': True,
                                'description': 'Country meta information based '
                                               'on the database provided by '
                                               'geonames.org.',
                                'distribution': '3',
                                'enabled': True,
                                'icon': 'globe',
                                'id': '14',
                                'local_only': False,
                                'modified': '0000-00-00 00:00:00',
                                'name': 'Country',
                                'namespace': 'misp',
                                'org_id': '0',
                                'orgc_id': '0',
                                'type': 'country',
                                'uuid': '84668357-5a8c-4bdd-9f0f-6b50b2aee4c1',
                                'version': '1'},
                     'authors': ['geonames.org'],
                     'collection_uuid': '84668357-5a8c-4bdd-9f0f-6b50b2aee4c1',
                     'default': True,
                     'deleted': False,
                     'description': 'Russia',
                     'distribution': '3',
                     'extends_uuid': '',
                     'extends_version': '0',
                     'galaxy_id': '14',
                     'id': '11986',
                     'local': False,
                     'locked': False,
                     'meta': {'Capital': ['Moscow'],
                              'Continent': ['EU'],
                              'CurrencyCode': ['RUB'],
                              'CurrencyName': ['Ruble'],
                              'ISO': ['RU'],
                              'ISO3': ['RUS'],
                              'Languages': ['ru,tt,xal,cau,ady,kv,ce,tyv,cv,udm,tut,mns,bua,myv,mdf,chm,ba,inh,tut,kbd,krc,av,sah,nog'],
                              'Population': ['140702000'],
                              'tld': ['.ru']},
                     'org_id': '0',
                     'orgc_id': '0',
                     'published': False,
                     'relationship_type': 'targeted-by',
                     'sharing_group_id': None,
                     'source': 'MISP Project',
                     'tag_id': '29',
                     'tag_name': 'misp-galaxy:country="russia"',
                     'type': 'country',
                     'uuid': '84668357-5a8c-4bdd-9f0f-6b50b2525553',
                     'value': 'russia',
                     'version': '2'}],
  'Org': {'id': '8',
          'name': 'ORG_6',
          'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
  'Orgc': {'id': '8',
           'name': 'ORG_6',
           'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
  'analysis': '0',
  'attribute_count': '12',
  'date': '2025-01-11',
  'disable_correlation': False,
  'distribution': '0',
  'extends_uuid': '',
  'id': '56',
  'info': 'GRU close access cyber operation against OPCW',
  'locked': False,
  'org_id': '8',
  'orgc_id': '8',
  'proposal_email_lock': False,
  'protected': None,
  'publish_timestamp': '0',
  'published': False,
  'sharing_group_id': '0',
  'sighting_timestamp': '0',
  'threat_level_id': '4',
  'timestamp': '1736592746',
  'uuid': '1277fe04-f6be-428d-a098-56ccbb3f2dd7'}]

RestSearch¶

The most powerful search tool in MISP: one JSON filter body, several scopes (attributes, events) and several output formats selected with returnFormat.

RestSearch - Attributes¶

In [28]:
endpoint = '/attributes/restSearch/'
relative_path = ''

body = {
    "returnFormat": "json",
    "eventid": event_id
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Count: 3
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'Tag': [{'colour': '#FF2B2B',
                         'id': '22',
                         'is_galaxy': False,
                         'local': False,
                         'name': 'tlp:red',
                         'numerical_value': None}],
                'category': 'Network activity',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203181',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1736934788',
                'to_ids': True,
                'type': 'ip-src',
                'uuid': '08a84483-5796-42b5-aa6b-d4bed7dabb19',
                'value': '9.9.9.9'},
               {'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'category': 'Network activity',
                'comment': 'Comment added via the API',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203182',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1736934979',
                'to_ids': False,
                'type': 'ip-dst',
                'uuid': 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5',
                'value': '127.1.1.1'},
               {'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'Object': {'distribution': '5',
                           'id': '26193',
                           'sharing_group_id': '0'},
                'category': 'Other',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203183',
                'last_seen': None,
                'object_id': '26193',
                'object_relation': 'post',
                'sharing_group_id': '0',
                'timestamp': '1558702173',
                'to_ids': False,
                'type': 'text',
                'uuid': 'c057a453-76ec-4406-81d6-b99e789b4c98',
                'value': 'post'}]}
In [29]:
# Searches on Attribute's data: filter by type
endpoint = '/attributes/restSearch/'
relative_path = ''

body = {
    "returnFormat": "json",
    "eventid": event_id,
    "type": "ip-dst",
#     "value": "127.0.%"   # '%' is a wildcard (SQL LIKE semantics)
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Count: 1
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'category': 'Network activity',
                'comment': 'Comment added via the API',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203182',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1736934979',
                'to_ids': False,
                'type': 'ip-dst',
                'uuid': 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5',
                'value': '127.1.1.1'}]}
In [30]:
# Searches on Attribute's data
endpoint = '/attributes/restSearch/'
relative_path = ''

body = {
    "returnFormat": "json",
    "eventid": event_id,
    "deleted": [0, 1]    # return both soft-deleted AND not deleted attributes
}

# A bare list is shorthand for {"OR": [...]}: match any of the listed values

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Count: 3
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'Tag': [{'colour': '#FF2B2B',
                         'id': '22',
                         'is_galaxy': False,
                         'local': False,
                         'name': 'tlp:red',
                         'numerical_value': None}],
                'category': 'Network activity',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203181',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1736934788',
                'to_ids': True,
                'type': 'ip-src',
                'uuid': '08a84483-5796-42b5-aa6b-d4bed7dabb19',
                'value': '9.9.9.9'},
               {'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'category': 'Network activity',
                'comment': 'Comment added via the API',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203182',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1736934979',
                'to_ids': False,
                'type': 'ip-dst',
                'uuid': 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5',
                'value': '127.1.1.1'},
               {'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'Object': {'distribution': '5',
                           'id': '26193',
                           'sharing_group_id': '0'},
                'category': 'Other',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203183',
                'last_seen': None,
                'object_id': '26193',
                'object_relation': 'post',
                'sharing_group_id': '0',
                'timestamp': '1558702173',
                'to_ids': False,
                'type': 'text',
                'uuid': 'c057a453-76ec-4406-81d6-b99e789b4c98',
                'value': 'post'}]}
In [32]:
# Searches on Attribute's data: filter by tag
endpoint = '/attributes/restSearch/'
relative_path = ''

body = {
    "returnFormat": "json",
    "eventid": event_id,
#    "tags": "tlp:white",                    # single tag
#     "tags": ["tlp:white", "tlp:green"],    # list: any of the tags (OR)
     "tags": ["!tlp:red"]                    # '!' prefix: exclude attributes carrying the tag
#     "tags": "tlp:%",                       # '%' wildcard
#     "includeEventTags": 1                  # also match tags set on the parent event
#     Newer dict form (only supported for "tags"), preferred because it makes
#     the distinction between OR and AND explicit:
#     "tags": {"AND": ["tlp:green", "Malware"], "NOT": ["%ransomware%"]}
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Count: 2
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'category': 'Network activity',
                'comment': 'Comment added via the API',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203182',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1736934979',
                'to_ids': False,
                'type': 'ip-dst',
                'uuid': 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5',
                'value': '127.1.1.1'},
               {'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'Object': {'distribution': '5',
                           'id': '26193',
                           'sharing_group_id': '0'},
                'category': 'Other',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203183',
                'last_seen': None,
                'object_id': '26193',
                'object_relation': 'post',
                'sharing_group_id': '0',
                'timestamp': '1558702173',
                'to_ids': False,
                'type': 'text',
                'uuid': 'c057a453-76ec-4406-81d6-b99e789b4c98',
                'value': 'post'}]}
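The comments in the cell above list the accepted spellings of the tags filter but not what they mean when combined. The following added example (not part of the original notebook, nor MISP's own query code) is a local model of that grammar applied to the three attributes of event 59: a string or list is an OR of the positive entries, a "!" prefix excludes, "%" is a LIKE-style wildcard, and the dict form separates AND, OR and NOT. The sample attributes and the event-level tag tlp:amber are constructed; how MISP inherits event tags and builds its SQL may differ in detail.

```python
import re

# Constructed sample: the three attributes of event 59 shown above, reduced to the
# fields a tag filter looks at. EVENT_TAGS is a hypothetical tag on the parent
# event, used to show what includeEventTags changes.
SAMPLE_ATTRIBUTES = [
    {"id": "203181", "type": "ip-src", "value": "9.9.9.9", "tags": ["tlp:red"]},
    {"id": "203182", "type": "ip-dst", "value": "127.1.1.1", "tags": []},
    {"id": "203183", "type": "text", "value": "post", "tags": []},
]
EVENT_TAGS = ["tlp:amber"]


def like(pattern, name):
    """'%' behaves as the SQL LIKE wildcard; tag comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("%")) + "$"
    return re.match(regex, name, re.IGNORECASE) is not None


def normalise(tags):
    """Reduce the accepted spellings of the "tags" filter to one AND/OR/NOT dict.

    "tlp:red"                     -> {"OR": ["tlp:red"]}
    ["tlp:white", "!tlp:red"]     -> {"OR": ["tlp:white"], "NOT": ["tlp:red"]}
    {"AND": [...], "NOT": [...]}  -> used as given (missing keys default to empty)
    """
    if isinstance(tags, str):
        tags = [tags]
    if isinstance(tags, list):
        spec = {"AND": [], "OR": [], "NOT": []}
        for tag in tags:
            if tag.startswith("!"):
                spec["NOT"].append(tag[1:])
            else:
                spec["OR"].append(tag)
        return spec
    return {key: list(tags.get(key, [])) for key in ("AND", "OR", "NOT")}


def matches(tag_names, tags):
    """True if the tag names carried by one attribute satisfy the filter."""
    spec = normalise(tags)

    def has(pattern):
        return any(like(pattern, name) for name in tag_names)

    if any(has(p) for p in spec["NOT"]):          # any excluded tag present -> out
        return False
    if not all(has(p) for p in spec["AND"]):      # every AND tag must be present
        return False
    if spec["OR"] and not any(has(p) for p in spec["OR"]):   # at least one OR tag
        return False
    return True


def filter_by_tags(attributes, tags, include_event_tags=False, event_tags=()):
    """Return the ids of the attributes the filter keeps, in their original order."""
    kept = []
    for attr in attributes:
        names = list(attr["tags"])
        if include_event_tags:                    # models includeEventTags: 1
            names += list(event_tags)
        if matches(names, tags):
            kept.append(attr["id"])
    return kept


if __name__ == "__main__":
    print(filter_by_tags(SAMPLE_ATTRIBUTES, ["!tlp:red"]))   # ['203182', '203183'], as in the cell above
    print(filter_by_tags(SAMPLE_ATTRIBUTES, "tlp:%"))        # ['203181']
    print(filter_by_tags(SAMPLE_ATTRIBUTES, "tlp:%", True, EVENT_TAGS))  # all three
```

Running it with `["!tlp:red"]` reproduces the two attributes returned above; with `includeEventTags` the untagged attributes inherit the event's tlp:amber and match `tlp:%` too, which is the usual reason a tag search returns more than expected.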
In [34]:
# Paginating
endpoint = '/attributes/restSearch/'

body = {
    "returnFormat": "json",
    "eventid": event_id,
    "page": 0,    # pages are 1-based; page 0 is treated like page 1
    "limit": 1    # results per page
}

res = misp.direct_call(endpoint, body)
print_result(res)
Count: 1
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'Tag': [{'colour': '#FF2B2B',
                         'id': '22',
                         'is_galaxy': False,
                         'local': False,
                         'name': 'tlp:red',
                         'numerical_value': None}],
                'category': 'Network activity',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203181',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1736934788',
                'to_ids': True,
                'type': 'ip-src',
                'uuid': '08a84483-5796-42b5-aa6b-d4bed7dabb19',
                'value': '9.9.9.9'}]}
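The cell above fetches a single page; a script that needs the whole result set has to loop over page until a short page comes back. The following added example (not part of the original notebook) does that walk against any callable with the signature of PyMISP's direct_call. The fake client, the SAMPLE list and the endpoint default are constructed for the example; the real call would be `misp.direct_call`.

```python
def fetch_all_attributes(call, body, limit=500, endpoint="/attributes/restSearch/"):
    """Walk every page of an /attributes/restSearch query and return the attributes.

    `call(endpoint, body)` is anything with the signature of PyMISP's direct_call.
    Pages are 1-based (page 0 behaves like page 1). A page shorter than `limit`
    is the last one, so a result set that is an exact multiple of `limit` costs
    one extra, empty request.
    """
    collected = []
    page = 1
    while True:
        res = call(endpoint, dict(body, page=page, limit=limit))
        if isinstance(res, dict) and "response" in res:   # raw MISP JSON wraps results
            res = res["response"]
        attrs = res.get("Attribute", []) if isinstance(res, dict) else []
        collected.extend(attrs)
        if len(attrs) < limit:
            return collected
        page += 1


def make_fake_client(attributes):
    """Constructed stand-in for misp.direct_call: slices a fixed list the way MISP
    pages it and records every request so the paging behaviour can be inspected."""
    requests = []

    def call(endpoint, body):
        requests.append(dict(body))
        page = max(int(body.get("page", 1)), 1)   # page 0 -> first page
        limit = int(body["limit"])
        start = (page - 1) * limit
        return {"Attribute": attributes[start:start + limit]}

    return call, requests


# Constructed sample: ids of the three attributes of event 59 seen above.
SAMPLE = [{"id": "203181"}, {"id": "203182"}, {"id": "203183"}]

if __name__ == "__main__":
    call, requests = make_fake_client(SAMPLE)
    got = fetch_all_attributes(call, {"returnFormat": "json", "eventid": 59}, limit=1)
    print([a["id"] for a in got], len(requests))   # ['203181', '203182', '203183'] 4
```

With limit=1 the three attributes cost four requests (the fourth page is empty); with limit=2 the second page is short and the loop stops after two. Keep limit large on production instances, and keep the rest of the filter body identical between pages, otherwise the offsets no longer line up.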
In [35]:
# Searches based on time: Absolute
endpoint = '/attributes/restSearch/'

body = {
    "returnFormat": "json",
    "from": "2025/01/15"   # or "2025-01-15": both date formats are accepted
    # from/to filter on the Event's analyst-set 'date' field, not on any timestamp,
    # so they are rarely the right tool for "what changed since X".
}

res = misp.direct_call(endpoint, body)
print_result(res)
Count: 3
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'Tag': [{'colour': '#FF2B2B',
                         'id': '22',
                         'is_galaxy': False,
                         'local': False,
                         'name': 'tlp:red',
                         'numerical_value': None}],
                'category': 'Network activity',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203181',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1736934788',
                'to_ids': True,
                'type': 'ip-src',
                'uuid': '08a84483-5796-42b5-aa6b-d4bed7dabb19',
                'value': '9.9.9.9'},
               {'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'category': 'Network activity',
                'comment': 'Comment added via the API',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203182',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1736934979',
                'to_ids': False,
                'type': 'ip-dst',
                'uuid': 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5',
                'value': '127.1.1.1'},
               {'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'Object': {'distribution': '5',
                           'id': '26193',
                           'sharing_group_id': '0'},
                'category': 'Other',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203183',
                'last_seen': None,
                'object_id': '26193',
                'object_relation': 'post',
                'sharing_group_id': '0',
                'timestamp': '1558702173',
                'to_ids': False,
                'type': 'text',
                'uuid': 'c057a453-76ec-4406-81d6-b99e789b4c98',
                'value': 'post'}]}
In [37]:
# Searches based on time: Relative
endpoint = '/attributes/restSearch/'

# /!\ "last" is evaluated against publish_timestamp, not timestamp -> unpublished
#     data (publish_timestamp 0, as in event 59) never matches, which is confusing.
# Units: days, hours, minutes and seconds (e.g. "1d", "12h", "30m", "45s")
body = {
    "returnFormat": "json",
    "eventid": event_id,
    "to_ids": 1,               # only attributes flagged for IDS export
#    "publish_timestamp": "2024-04-15"   # absolute lower bound on publish_timestamp
}

res = misp.direct_call(endpoint, body)
print_result(res)
Count: 1
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'Tag': [{'colour': '#FF2B2B',
                         'id': '22',
                         'is_galaxy': False,
                         'local': False,
                         'name': 'tlp:red',
                         'numerical_value': None}],
                'category': 'Network activity',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203181',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1736934788',
                'to_ids': True,
                'type': 'ip-src',
                'uuid': '08a84483-5796-42b5-aa6b-d4bed7dabb19',
                'value': '9.9.9.9'}]}

Precision regarding the different timestamps¶

  • publish_timestamp = time at which the event was last published
    • Usage: get data that arrived in my system since x
    • E.g.: new data from a feed
    • Caveat: unpublished events carry publish_timestamp 0 and never match a "last" window
  • timestamp = time of the last modification of the data (the attribute itself in the attribute scope)
    • Usage: data modified in the last x hours
    • E.g.: most recently updated data from a feed
  • event_timestamp: used in the attribute scope to filter on the parent event's timestamp
    • Usage: attributes of events modified in the last x hours
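The difference between the two fields is easiest to see on event 59 itself: it is unpublished, so every "last"-style window on publish_timestamp is empty while the same window on timestamp matches the attributes added a few minutes earlier. The following added example (not part of the original notebook) parses a relative window the way the units above describe and applies it locally to the three attributes returned earlier; the sample records and the fixed reference instant NOW are constructed from values on this page.

```python
import re

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

# Constructed sample: the three attributes of event 59 returned above, reduced to
# the fields the time filters use. Event 59 is unpublished, so publish_timestamp is 0.
SAMPLE_ATTRIBUTES = [
    {"id": "203181", "timestamp": "1736934788", "Event": {"publish_timestamp": "0"}},
    {"id": "203182", "timestamp": "1736934979", "Event": {"publish_timestamp": "0"}},
    {"id": "203183", "timestamp": "1558702173", "Event": {"publish_timestamp": "0"}},
]
NOW = 1736935399   # fixed reference instant (the EventReport timestamp shown later on this page)


def parse_window(spec):
    """Convert a MISP-style relative window ('1d', '12h', '30m', '45s') into seconds."""
    match = re.fullmatch(r"\s*(\d+)\s*([dhms])\s*", spec)
    if not match:
        raise ValueError(f"unsupported relative window: {spec!r}")
    return int(match.group(1)) * UNITS[match.group(2)]


def attribute_instant(attr, field):
    """Pick the epoch value a given filter name is evaluated against."""
    if field == "publish_timestamp":          # what "last" uses
        return int(attr["Event"]["publish_timestamp"])
    if field == "timestamp":                  # last modification of the attribute
        return int(attr["timestamp"])
    raise ValueError(f"unknown time field: {field!r}")


def within_window(attributes, field, window, now=NOW):
    """Ids of the attributes whose chosen field is at or after now - window."""
    cutoff = now - parse_window(window)
    return [a["id"] for a in attributes if attribute_instant(a, field) >= cutoff]


if __name__ == "__main__":
    print(within_window(SAMPLE_ATTRIBUTES, "timestamp", "1d"))          # ['203181', '203182']
    print(within_window(SAMPLE_ATTRIBUTES, "publish_timestamp", "1d"))  # []  (never published)
```

For "what did a feed push since my last run" use publish_timestamp; for "what did analysts touch since my last run" use timestamp; both are what the real filters compare against, and the empty publish_timestamp result is exactly what a "last" query on an unpublished event returns.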
In [ ]:
# Searches with attachments
endpoint = '/attributes/restSearch/'

body = {
    "returnFormat": "json",
    "type": "attachment",
    "withAttachments": 1
}

res = misp.direct_call(endpoint, body)
print_result(res)
In [41]:
# Searches - Others
endpoint = '/attributes/restSearch/'

body = {
    "returnFormat": "json",
    "eventid": event_id,
    "type": ["ip-src", "ip-dst"],
    "enforceWarninglist": 1
}

res = misp.direct_call(endpoint, body)
print_result(res)
Count: 1
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '59',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'},
                'category': 'Network activity',
                'comment': 'Comment added via the API',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '59',
                'first_seen': None,
                'id': '203182',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1736934979',
                'to_ids': False,
                'type': 'ip-dst',
                'uuid': 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5',
                'value': '127.1.1.1'}]}
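With enforceWarninglist set, the search above silently dropped 9.9.9.9 and kept 127.1.1.1: an attribute whose value hits an enabled warninglist is removed from the result (which list matched is not shown in the output; the public DNS resolver lists shipped with misp-warninglists contain 9.9.9.9). The following added example (not part of the original notebook, nor MISP's own warninglist code) applies a CIDR-type list locally so the effect can be checked before trusting a filtered export. The warninglist and the sample attributes are constructed; real warninglists also come in string, substring, hostname and regex types, which are not modelled here.

```python
import ipaddress

# Constructed warninglist in the shape of a misp-warninglists JSON file. The Quad9
# entry reproduces why 9.9.9.9 disappeared from the result above; the other
# entries are hypothetical additions for the example.
WARNINGLIST = {
    "name": "Constructed cidr warninglist",
    "type": "cidr",
    "list": ["9.9.9.9/32", "149.112.112.112/32", "10.0.0.0/8"],
}

# Constructed sample: the attributes of event 59 shown above, reduced to type and value.
SAMPLE_ATTRIBUTES = [
    {"id": "203181", "type": "ip-src", "value": "9.9.9.9"},
    {"id": "203182", "type": "ip-dst", "value": "127.1.1.1"},
    {"id": "203183", "type": "text", "value": "post"},
]

IP_TYPES = {"ip-src", "ip-dst", "ip-src|port", "ip-dst|port"}


def compile_networks(warninglist):
    """Parse every CIDR entry once; strict=False tolerates host bits in the entry."""
    if warninglist["type"] != "cidr":
        raise ValueError("only cidr lists are modelled here")
    return [ipaddress.ip_network(entry, strict=False) for entry in warninglist["list"]]


def ip_part(attr):
    """The address of an ip attribute; composite 'ip|port' values carry it before the '|'."""
    value = attr["value"].split("|", 1)[0]
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def enforce_warninglist(attributes, warninglist):
    """Ids of the attributes that survive the list, mirroring enforceWarninglist=1."""
    networks = compile_networks(warninglist)
    kept = []
    for attr in attributes:
        if attr["type"] in IP_TYPES:
            ip = ip_part(attr)
            if ip is not None and any(ip in net for net in networks):
                continue   # warninglist hit: dropped from the result
        kept.append(attr["id"])
    return kept


if __name__ == "__main__":
    print(enforce_warninglist(SAMPLE_ATTRIBUTES, WARNINGLIST))   # ['203182', '203183']
```

Which attributes disappear depends entirely on which warninglists are enabled on the instance you query, so an export used to feed a blocklist should be reviewed with the instance's enabled lists in mind rather than assumed to be complete.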

RestSearch - Events¶

In [42]:
# Searching using the RestSearch, event scope
endpoint = '/events/restSearch'

body = {
    "returnFormat": "json",
    "eventid": event_id,
}

# Attributes that belong to an Object are returned under Event.Object, not
# Event.Attribute, which is why print_result counts 2 here while the
# attribute-scope search on the same event returned 3.
res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Count: 1
  - Attribute count: 2
----------
[{'Event': {'Attribute': [{'Galaxy': [],
                           'ShadowAttribute': [],
                           'Tag': [{'colour': '#FF2B2B',
                                    'exportable': True,
                                    'hide_tag': False,
                                    'id': '22',
                                    'is_custom_galaxy': False,
                                    'is_galaxy': False,
                                    'local': False,
                                    'local_only': False,
                                    'name': 'tlp:red',
                                    'numerical_value': None,
                                    'relationship_type': None,
                                    'user_id': '0'}],
                           'category': 'Network activity',
                           'comment': '',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '5',
                           'event_id': '59',
                           'first_seen': None,
                           'id': '203181',
                           'last_seen': None,
                           'object_id': '0',
                           'object_relation': None,
                           'sharing_group_id': '0',
                           'timestamp': '1736934788',
                           'to_ids': True,
                           'type': 'ip-src',
                           'uuid': '08a84483-5796-42b5-aa6b-d4bed7dabb19',
                           'value': '9.9.9.9'},
                          {'Galaxy': [],
                           'ShadowAttribute': [],
                           'category': 'Network activity',
                           'comment': 'Comment added via the API',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '5',
                           'event_id': '59',
                           'first_seen': None,
                           'id': '203182',
                           'last_seen': None,
                           'object_id': '0',
                           'object_relation': None,
                           'sharing_group_id': '0',
                           'timestamp': '1736934979',
                           'to_ids': False,
                           'type': 'ip-dst',
                           'uuid': 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5',
                           'value': '127.1.1.1'}],
            'CryptographicKey': [],
            'EventReport': [{'content': '@[attribute](bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5)',
                             'deleted': False,
                             'distribution': '5',
                             'event_id': '59',
                             'id': '15',
                             'name': 'Report from API',
                             'sharing_group_id': '0',
                             'timestamp': '1736935399',
                             'uuid': 'b07e0eef-137b-4ccc-b41f-41ddf96b36f7'},
                            {'content': '\n'
                                        '# TR-84 - PAN-OS (Palo Alto Networks) '
                                        'OS Command Injection Vulnerability in '
                                        'GlobalProtect Gateway - '
                                        'CVE-2024-3400\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '### TR-84 - PAN-OS (Palo Alto '
                                        'Networks) OS Command Injection '
                                        'Vulnerability in GlobalProtect '
                                        'Gateway - CVE-2024-3400\n'
                                        '\n'
'↑ Back to Publications and '
                                        'Presentations\n'
                                        '\n'
                                        '1. Fixes\n'
                                        '2. Detection\n'
                                        '3. Known affected software\n'
                                        '4. References\n'
                                        '5. Classification of this document\n'
                                        '6. Revision\n'
                                        '\n'
                                        'You can report incidents via our '
                                        'official contact including e-mail, '
                                        'phone\n'
                                        'or use the Anonymous reporting form.\n'
                                        '\n'
                                        '\n'
                                        'Search\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '  \n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        'A command injection vulnerability in '
                                        'the GlobalProtect feature of Palo '
                                        'Alto Networks PAN-OS software for '
                                        'specific PAN-OS versions and distinct '
                                        'feature configurations may enable an '
                                        'unauthenticated attacker to execute '
                                        'arbitrary code with root privileges '
                                        'on the firewall. Fixes for PAN-OS '
                                        '10.2, PAN-OS 11.0, and PAN-OS 11.1 '
                                        'are in development and are expected '
                                        'to be released by April 14, 2024. '
                                        'Cloud NGFW, Panorama appliances, and '
                                        'Prisma Access are not impacted by '
                                        'this vulnerability. All other '
                                        'versions of PAN-OS are also not '
                                        'impacted.\n'
                                        '\n'
                                        'The vulnerability is currently '
                                        'exploited in the wild as mentioned by '
                                        'Volexity and it’s referenced '
                                        'as CVE-2024-3400.\n'
                                        '\n'
                                        '## Fixes\n'
                                        '\n'
                                        'This issue is fixed in hotfix '
                                        'releases of PAN-OS 10.2.9-h1, PAN-OS '
                                        '11.0.4-h1, PAN-OS 11.1.2-h3, and in '
                                        'all later PAN-OS versions. Hotfixes '
                                        'for other commonly deployed '
                                        'maintenance releases will also be '
                                        'made available to address this issue. '
                                        'Please see details below for ETAs '
                                        'regarding the upcoming hotfixes.\n'
                                        '\n'
                                        '```\n'
                                        'PAN-OS 10.2:\n'
                                        '- 10.2.9-h1 (Released 4/14/24)\n'
                                        '- 10.2.8-h3 (ETA: 4/15/24)\n'
                                        '- 10.2.7-h8 (ETA: 4/15/24)\n'
                                        '- 10.2.6-h3 (ETA: 4/15/24)\n'
                                        '- 10.2.5-h6 (ETA: 4/16/24)\n'
                                        '- 10.2.3-h13 (ETA: 4/17/24)\n'
                                        '- 10.2.1-h2 (ETA: 4/17/24)\n'
                                        '- 10.2.2-h5 (ETA: 4/18/24)\n'
                                        '- 10.2.0-h3 (ETA: 4/18/24)\n'
                                        '- 10.2.4-h16 (ETA: 4/19/24)\n'
                                        '\n'
                                        'PAN-OS 11.0:\n'
                                        '- 11.0.4-h1 (Released 4/14/24)\n'
                                        '- 11.0.3-h10 (ETA: 4/15/24)\n'
                                        '- 11.0.2-h4 (ETA: 4/16/24)\n'
                                        '- 11.0.1-h4 (ETA: 4/17/24)\n'
                                        '- 11.0.0-h3 (ETA: 4/18/24)\n'
                                        '\n'
                                        'PAN-OS 11.1:\n'
                                        '- 11.1.2-h3 (Released 4/14/24)\n'
                                        '- 11.1.1-h1 (ETA: 4/16/24)\n'
                                        '- 11.1.0-h3 (ETA: 4/17/24)\n'
                                        '\n'
                                        '```\n'
                                        '\n'
                                        '**As of April 16th, the previously '
                                        'suggested workarounds have been '
                                        'confirmed ineffective. We recommend '
                                        'initiating an incident response '
                                        'procedure in all cases.** There are '
                                        'also workarounds proposed by the '
                                        'vendor to fix the vulnerability '
                                        'before the hotfix will be released.\n'
                                        '\n'
                                        '## Detection\n'
                                        '\n'
                                        '* Indicators shared by Volexity are '
                                        'available in a MISP event with UUID '
                                        '9802116c-3ec3-4a8e-8b39-5c69b08df5ab, '
                                        'shared in the OSINT feed and the MISP '
                                        'private sector community.\n'
                                        '\n'
                                        '## Known affected software\n'
                                        '\n'
                                        '* PAN-OS 10.2, PAN-OS 11.0, and '
                                        'PAN-OS 11.1 used as GlobalProtect '
                                        'gateway with device telemetry '
                                        'enabled. (other versions are not '
                                        'impacted).\n'
                                        '\n'
                                        '## References\n'
                                        '\n'
                                        '* Palo Alto Networks - CVE-2024-3400 '
                                        'PAN-OS: OS Command Injection '
                                        'Vulnerability in GlobalProtect '
                                        'Gateway.\n'
                                        '* Volexity - 0day exploited in the '
                                        'wild..\n'
                                        '* Volexity - []Zero-Day Exploitation '
                                        'of Unauthenticated Remote Code '
                                        'Execution Vulnerability in '
                                        'GlobalProtect '
                                        '(CVE-2024-3400)(https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/)\n'
                                        '\n'
                                        '## Classification of this document\n'
                                        '\n'
                                        'TLP:CLEAR information may be '
                                        'distributed without restriction, '
                                        'subject to copyright controls.\n'
                                        '\n'
                                        '## Revision\n'
                                        '\n'
                                        '* Version 1.0 - TLP:CLEAR - First '
                                        'version - 12th April 2024\n'
                                        '* Version 1.1 - TLP:CLEAR - Second '
                                        'version - 13rd April 2024 - IoCs '
                                        'added\n'
                                        '* version 1.2 - TLP:CLEAR - Third '
                                        'version - 15th April 2024 - fixes '
                                        'added\n'
                                        '* Version 1.3 - TLP:CLEAR - Fourth '
                                        'version - 17th April 2024 - '
                                        'workarounds are now ineffective\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n',
                             'deleted': False,
                             'distribution': '5',
                             'event_id': '59',
                             'id': '16',
                             'name': 'Report from - '
                                     'https://www.circl.lu/pub/tr-84/ '
                                     '(1736935070)',
                             'sharing_group_id': '0',
                             'timestamp': '1736935070',
                             'uuid': '023df945-8ea4-4719-9fab-a82a57fecf85'}],
            'Galaxy': [],
            'Object': [{'Attribute': [{'Galaxy': [],
                                       'ShadowAttribute': [],
                                       'category': 'Other',
                                       'comment': '',
                                       'deleted': False,
                                       'disable_correlation': False,
                                       'distribution': '5',
                                       'event_id': '59',
                                       'first_seen': None,
                                       'id': '203183',
                                       'last_seen': None,
                                       'object_id': '26193',
                                       'object_relation': 'post',
                                       'sharing_group_id': '0',
                                       'timestamp': '1558702173',
                                       'to_ids': False,
                                       'type': 'text',
                                       'uuid': 'c057a453-76ec-4406-81d6-b99e789b4c98',
                                       'value': 'post'}],
                        'ObjectReference': [],
                        'comment': '',
                        'deleted': False,
                        'description': 'Microblog post like a Twitter tweet or '
                                       'a post on a Facebook wall.',
                        'distribution': '5',
                        'event_id': '59',
                        'first_seen': None,
                        'id': '26193',
                        'last_seen': None,
                        'meta-category': 'misc',
                        'name': 'microblog',
                        'sharing_group_id': '0',
                        'template_uuid': '8ec8c911-ddbe-4f5b-895b-fbff70c42a60',
                        'template_version': '5',
                        'timestamp': '1558702173',
                        'uuid': '7e681dd6-69ab-4573-bdf2-99c4bd5b6af8'}],
            'Org': {'id': '13',
                    'local': True,
                    'name': 'CIRCL',
                    'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
            'Orgc': {'id': '13',
                     'local': True,
                     'name': 'CIRCL',
                     'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
            'RelatedEvent': [{'Event': {'Org': {'id': '8',
                                                'name': 'ORG_6',
                                                'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
                                        'Orgc': {'id': '8',
                                                 'name': 'ORG_6',
                                                 'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
                                        'analysis': '0',
                                        'date': '2024-10-04',
                                        'distribution': '0',
                                        'id': '31',
                                        'info': 'Event created via the API as '
                                                'an example',
                                        'org_id': '8',
                                        'orgc_id': '8',
                                        'published': True,
                                        'threat_level_id': '1',
                                        'timestamp': '1728029364',
                                        'uuid': 'dcb2fde7-d53f-47c8-b71d-6731819593d2'}}],
            'ShadowAttribute': [],
            'Tag': [{'colour': '#33FF00',
                     'exportable': True,
                     'hide_tag': False,
                     'id': '16',
                     'is_custom_galaxy': False,
                     'is_galaxy': False,
                     'local': False,
                     'local_only': False,
                     'name': 'tlp:green',
                     'numerical_value': None,
                     'relationship_type': None,
                     'user_id': '0'}],
            'analysis': '0',
            'attribute_count': '3',
            'date': '2025-01-15',
            'disable_correlation': False,
            'distribution': '0',
            'event_creator_email': 'christian.studer@circl.lu',
            'extends_uuid': '',
            'id': '59',
            'info': 'Event created via the API as an example',
            'locked': False,
            'org_id': '13',
            'orgc_id': '13',
            'proposal_email_lock': False,
            'protected': None,
            'publish_timestamp': '0',
            'published': False,
            'sharing_group_id': '0',
            'threat_level_id': '1',
            'timestamp': '1736935399',
            'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'}}]
In [60]:
# Searching using the RestSearch - Other return format
# "returnFormat" in the body selects the output format (csv here); the API key
# is read from the notebook variable AUTHKEY instead of being pasted into the
# command, so the key does not end up in the saved notebook.
!curl \
 -d '{"returnFormat":"csv","eventid":59}' \
 -H "Authorization: $AUTHKEY" \
 -H "Accept: application/json" \
 -H "Content-type: application/json" \
 -X POST https://training6.misp-community.org/events/restSearch
uuid,event_id,category,type,value,comment,to_ids,date,object_relation,attribute_tag,object_uuid,object_name,object_meta_category
"08a84483-5796-42b5-aa6b-d4bed7dabb19",59,"Network activity","ip-src","9.9.9.9","",1,1736934788,"","tlp:red","","",""
"bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5",59,"Network activity","ip-dst","127.1.1.1","Comment added via the API",0,1736934979,"","","","",""
"c057a453-76ec-4406-81d6-b99e789b4c98",59,"Other","text","post","",0,1558702173,"post","","7e681dd6-69ab-4573-bdf2-99c4bd5b6af8","microblog","misc"

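The CSV return format above is the one most often fed into detection tooling, and the filtering cell that follows shows how a restSearch body narrows the result set. The following added example (not part of the original notebook or of PyMISP) ties the two together offline: a helper that builds a restSearch body while rejecting filter keys MISP does not know (a mistyped key would otherwise be ignored and return every event the key can read), and a parser for the CSV output that keeps only rows with `to_ids` set, optionally dropping rows whose attribute tag forbids distribution. The function names, the tag policy and the sample CSV (re-typed from the cell output above) are constructed for this example; the assumption that multiple tags in `attribute_tag` are comma-separated is marked in the code.

```python
"""Consume MISP restSearch output offline.

Added example, not code from the original notebook or from PyMISP.
Function names, the tag policy and SAMPLE_CSV are constructed here.
"""
import csv
import io

# Constructed sample: the three-row CSV returned above by
# /events/restSearch with {"returnFormat": "csv", "eventid": 59}.
SAMPLE_CSV = (
    'uuid,event_id,category,type,value,comment,to_ids,date,object_relation,'
    'attribute_tag,object_uuid,object_name,object_meta_category\n'
    '"08a84483-5796-42b5-aa6b-d4bed7dabb19",59,"Network activity","ip-src",'
    '"9.9.9.9","",1,1736934788,"","tlp:red","","",""\n'
    '"bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5",59,"Network activity","ip-dst",'
    '"127.1.1.1","Comment added via the API",0,1736934979,"","","","",""\n'
    '"c057a453-76ec-4406-81d6-b99e789b4c98",59,"Other","text","post","",0,'
    '1558702173,"post","","7e681dd6-69ab-4573-bdf2-99c4bd5b6af8","microblog","misc"\n'
)

# restSearch filter keys this helper accepts (a subset of the documented ones).
RESTSEARCH_FILTERS = {
    "value", "type", "category", "eventid", "tags", "to_ids", "published",
    "timestamp", "last", "enforceWarninglist", "limit", "page",
}


def build_restsearch_body(return_format="json", **filters):
    """Return a dict usable as the body of misp.direct_call('/events/restSearch', body).

    Unknown filter keys raise instead of being passed through: MISP ignores
    keys it does not recognise, so a typo such as 'valeu' would silently
    turn a narrow search into a dump of everything the API key can read.
    """
    unknown = set(filters) - RESTSEARCH_FILTERS
    if unknown:
        raise ValueError(f"unsupported restSearch filter(s): {sorted(unknown)}")
    body = {"returnFormat": return_format}
    body.update(filters)
    return body


def parse_csv_indicators(csv_text, ids_only=True, exclude_tags=()):
    """Parse the CSV return format into a list of dicts.

    With ids_only (the default) only rows whose to_ids flag is 1 are kept,
    which is the flag MISP uses to mark an attribute as a detection
    indicator rather than context. Rows carrying any tag in exclude_tags
    are dropped (constructed policy, e.g. ("tlp:red",) when the consumer
    must not receive red-marked data).
    """
    indicators = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if ids_only and row["to_ids"] != "1":
            continue
        # Assumption: several tags on one attribute are comma-joined in this column.
        tags = [t for t in row["attribute_tag"].split(",") if t]
        if any(t in exclude_tags for t in tags):
            continue
        indicators.append({
            "uuid": row["uuid"],
            "event_id": int(row["event_id"]),
            "type": row["type"],
            "value": row["value"],
            "tags": tags,
        })
    return indicators


if __name__ == "__main__":
    print(build_restsearch_body("csv", eventid=59))
    for ind in parse_csv_indicators(SAMPLE_CSV):
        print(ind["type"], ind["value"], ind["tags"])
```

Against the sample, only `9.9.9.9` survives the default filter: `127.1.1.1` has `to_ids` 0 and the `post` text attribute is object context, not an indicator. Adding `enforceWarninglist=True` to the body makes the server drop values that hit a warninglist (loopback and RFC 1918 ranges, for instance) before they ever reach the parser.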
In [63]:
# Searching using the RestSearch - Filtering
endpoint = '/events/restSearch'
relative_path = ''

body = {
    "returnFormat": "json",
    "value": "9.9.9.9"
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Count: 1
  - Attribute count: 2
----------
[{'Event': {'Attribute': [{'Galaxy': [],
                           'ShadowAttribute': [],
                           'Tag': [{'colour': '#FF2B2B',
                                    'exportable': True,
                                    'hide_tag': False,
                                    'id': '22',
                                    'is_custom_galaxy': False,
                                    'is_galaxy': False,
                                    'local': False,
                                    'local_only': False,
                                    'name': 'tlp:red',
                                    'numerical_value': None,
                                    'relationship_type': None,
                                    'user_id': '0'}],
                           'category': 'Network activity',
                           'comment': '',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '5',
                           'event_id': '59',
                           'first_seen': None,
                           'id': '203181',
                           'last_seen': None,
                           'object_id': '0',
                           'object_relation': None,
                           'sharing_group_id': '0',
                           'timestamp': '1736934788',
                           'to_ids': True,
                           'type': 'ip-src',
                           'uuid': '08a84483-5796-42b5-aa6b-d4bed7dabb19',
                           'value': '9.9.9.9'},
                          {'Galaxy': [],
                           'ShadowAttribute': [],
                           'category': 'Network activity',
                           'comment': 'Comment added via the API',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '5',
                           'event_id': '59',
                           'first_seen': None,
                           'id': '203182',
                           'last_seen': None,
                           'object_id': '0',
                           'object_relation': None,
                           'sharing_group_id': '0',
                           'timestamp': '1736934979',
                           'to_ids': False,
                           'type': 'ip-dst',
                           'uuid': 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5',
                           'value': '127.1.1.1'}],
            'CryptographicKey': [],
            'EventReport': [{'content': '@[attribute](bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5)',
                             'deleted': False,
                             'distribution': '5',
                             'event_id': '59',
                             'id': '15',
                             'name': 'Report from API',
                             'sharing_group_id': '0',
                             'timestamp': '1736935399',
                             'uuid': 'b07e0eef-137b-4ccc-b41f-41ddf96b36f7'},
                            {'content': '\n'
                                        '# TR-84 - PAN-OS (Palo Alto Networks) '
                                        'OS Command Injection Vulnerability in '
                                        'GlobalProtect Gateway - '
                                        'CVE-2024-3400\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '### TR-84 - PAN-OS (Palo Alto '
                                        'Networks) OS Command Injection '
                                        'Vulnerability in GlobalProtect '
                                        'Gateway - CVE-2024-3400\n'
                                        '\n'
                                        '↑ Back to Publications and '
                                        'Presentations\n'
                                        '\n'
                                        '1. Fixes\n'
                                        '2. Detection\n'
                                        '3. Known affected software\n'
                                        '4. References\n'
                                        '5. Classification of this document\n'
                                        '6. Revision\n'
                                        '\n'
                                        'You can report incidents via our '
                                        'official contact including e-mail, '
                                        'phone\n'
                                        'or use the Anonymous reporting form.\n'
                                        '\n'
                                        '\n'
                                        'Search\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '  \n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        'A command injection vulnerability in '
                                        'the GlobalProtect feature of Palo '
                                        'Alto Networks PAN-OS software for '
                                        'specific PAN-OS versions and distinct '
                                        'feature configurations may enable an '
                                        'unauthenticated attacker to execute '
                                        'arbitrary code with root privileges '
                                        'on the firewall. Fixes for PAN-OS '
                                        '10.2, PAN-OS 11.0, and PAN-OS 11.1 '
                                        'are in development and are expected '
                                        'to be released by April 14, 2024. '
                                        'Cloud NGFW, Panorama appliances, and '
                                        'Prisma Access are not impacted by '
                                        'this vulnerability. All other '
                                        'versions of PAN-OS are also not '
                                        'impacted.\n'
                                        '\n'
                                        'The vulnerability is currently '
                                        'exploited in the wild as mentioned by '
                                        'Volexity and it’s referenced '
                                        'as CVE-2024-3400.\n'
                                        '\n'
                                        '## Fixes\n'
                                        '\n'
                                        'This issue is fixed in hotfix '
                                        'releases of PAN-OS 10.2.9-h1, PAN-OS '
                                        '11.0.4-h1, PAN-OS 11.1.2-h3, and in '
                                        'all later PAN-OS versions. Hotfixes '
                                        'for other commonly deployed '
                                        'maintenance releases will also be '
                                        'made available to address this issue. '
                                        'Please see details below for ETAs '
                                        'regarding the upcoming hotfixes.\n'
                                        '\n'
                                        '```\n'
                                        'PAN-OS 10.2:\n'
                                        '- 10.2.9-h1 (Released 4/14/24)\n'
                                        '- 10.2.8-h3 (ETA: 4/15/24)\n'
                                        '- 10.2.7-h8 (ETA: 4/15/24)\n'
                                        '- 10.2.6-h3 (ETA: 4/15/24)\n'
                                        '- 10.2.5-h6 (ETA: 4/16/24)\n'
                                        '- 10.2.3-h13 (ETA: 4/17/24)\n'
                                        '- 10.2.1-h2 (ETA: 4/17/24)\n'
                                        '- 10.2.2-h5 (ETA: 4/18/24)\n'
                                        '- 10.2.0-h3 (ETA: 4/18/24)\n'
                                        '- 10.2.4-h16 (ETA: 4/19/24)\n'
                                        '\n'
                                        'PAN-OS 11.0:\n'
                                        '- 11.0.4-h1 (Released 4/14/24)\n'
                                        '- 11.0.3-h10 (ETA: 4/15/24)\n'
                                        '- 11.0.2-h4 (ETA: 4/16/24)\n'
                                        '- 11.0.1-h4 (ETA: 4/17/24)\n'
                                        '- 11.0.0-h3 (ETA: 4/18/24)\n'
                                        '\n'
                                        'PAN-OS 11.1:\n'
                                        '- 11.1.2-h3 (Released 4/14/24)\n'
                                        '- 11.1.1-h1 (ETA: 4/16/24)\n'
                                        '- 11.1.0-h3 (ETA: 4/17/24)\n'
                                        '\n'
                                        '```\n'
                                        '\n'
                                        '**As of April 16th, the previously '
                                        'suggested workarounds have been '
                                        'confirmed ineffective. We recommend '
                                        'initiating an incident response '
                                        'procedure in all cases.** There are '
                                        'also workarounds proposed by the '
                                        'vendor to fix the vulnerability '
                                        'before the hotfix will be released.\n'
                                        '\n'
                                        '## Detection\n'
                                        '\n'
                                        '* Indicators shared by Volexity are '
                                        'available in a MISP event with UUID '
                                        '9802116c-3ec3-4a8e-8b39-5c69b08df5ab, '
                                        'shared in the OSINT feed and the MISP '
                                        'private sector community.\n'
                                        '\n'
                                        '## Known affected software\n'
                                        '\n'
                                        '* PAN-OS 10.2, PAN-OS 11.0, and '
                                        'PAN-OS 11.1 used as GlobalProtect '
                                        'gateway with device telemetry '
                                        'enabled. (other versions are not '
                                        'impacted).\n'
                                        '\n'
                                        '## References\n'
                                        '\n'
                                        '* Palo Alto Networks - CVE-2024-3400 '
                                        'PAN-OS: OS Command Injection '
                                        'Vulnerability in GlobalProtect '
                                        'Gateway.\n'
                                        '* Volexity - 0day exploited in the '
                                        'wild..\n'
                                        '* Volexity - []Zero-Day Exploitation '
                                        'of Unauthenticated Remote Code '
                                        'Execution Vulnerability in '
                                        'GlobalProtect '
                                        '(CVE-2024-3400)(https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/)\n'
                                        '\n'
                                        '## Classification of this document\n'
                                        '\n'
                                        'TLP:CLEAR information may be '
                                        'distributed without restriction, '
                                        'subject to copyright controls.\n'
                                        '\n'
                                        '## Revision\n'
                                        '\n'
                                        '* Version 1.0 - TLP:CLEAR - First '
                                        'version - 12th April 2024\n'
                                        '* Version 1.1 - TLP:CLEAR - Second '
                                        'version - 13rd April 2024 - IoCs '
                                        'added\n'
                                        '* version 1.2 - TLP:CLEAR - Third '
                                        'version - 15th April 2024 - fixes '
                                        'added\n'
                                        '* Version 1.3 - TLP:CLEAR - Fourth '
                                        'version - 17th April 2024 - '
                                        'workarounds are now ineffective\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n',
                             'deleted': False,
                             'distribution': '5',
                             'event_id': '59',
                             'id': '16',
                             'name': 'Report from - '
                                     'https://www.circl.lu/pub/tr-84/ '
                                     '(1736935070)',
                             'sharing_group_id': '0',
                             'timestamp': '1736935070',
                             'uuid': '023df945-8ea4-4719-9fab-a82a57fecf85'}],
            'Galaxy': [],
            'Object': [{'Attribute': [{'Galaxy': [],
                                       'ShadowAttribute': [],
                                       'category': 'Other',
                                       'comment': '',
                                       'deleted': False,
                                       'disable_correlation': False,
                                       'distribution': '5',
                                       'event_id': '59',
                                       'first_seen': None,
                                       'id': '203183',
                                       'last_seen': None,
                                       'object_id': '26193',
                                       'object_relation': 'post',
                                       'sharing_group_id': '0',
                                       'timestamp': '1558702173',
                                       'to_ids': False,
                                       'type': 'text',
                                       'uuid': 'c057a453-76ec-4406-81d6-b99e789b4c98',
                                       'value': 'post'}],
                        'ObjectReference': [],
                        'comment': '',
                        'deleted': False,
                        'description': 'Microblog post like a Twitter tweet or '
                                       'a post on a Facebook wall.',
                        'distribution': '5',
                        'event_id': '59',
                        'first_seen': None,
                        'id': '26193',
                        'last_seen': None,
                        'meta-category': 'misc',
                        'name': 'microblog',
                        'sharing_group_id': '0',
                        'template_uuid': '8ec8c911-ddbe-4f5b-895b-fbff70c42a60',
                        'template_version': '5',
                        'timestamp': '1558702173',
                        'uuid': '7e681dd6-69ab-4573-bdf2-99c4bd5b6af8'}],
            'Org': {'id': '13',
                    'local': True,
                    'name': 'CIRCL',
                    'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
            'Orgc': {'id': '13',
                     'local': True,
                     'name': 'CIRCL',
                     'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
            'RelatedEvent': [{'Event': {'Org': {'id': '8',
                                                'name': 'ORG_6',
                                                'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
                                        'Orgc': {'id': '8',
                                                 'name': 'ORG_6',
                                                 'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
                                        'analysis': '0',
                                        'date': '2024-10-04',
                                        'distribution': '0',
                                        'id': '31',
                                        'info': 'Event created via the API as '
                                                'an example',
                                        'org_id': '8',
                                        'orgc_id': '8',
                                        'published': True,
                                        'threat_level_id': '1',
                                        'timestamp': '1728029364',
                                        'uuid': 'dcb2fde7-d53f-47c8-b71d-6731819593d2'}}],
            'ShadowAttribute': [],
            'Tag': [{'colour': '#33FF00',
                     'exportable': True,
                     'hide_tag': False,
                     'id': '16',
                     'is_custom_galaxy': False,
                     'is_galaxy': False,
                     'local': False,
                     'local_only': False,
                     'name': 'tlp:green',
                     'numerical_value': None,
                     'relationship_type': None,
                     'user_id': '0'}],
            'analysis': '0',
            'attribute_count': '3',
            'date': '2025-01-15',
            'disable_correlation': False,
            'distribution': '0',
            'event_creator_email': 'christian.studer@circl.lu',
            'extends_uuid': '',
            'id': '59',
            'info': 'Event created via the API as an example',
            'locked': False,
            'org_id': '13',
            'orgc_id': '13',
            'proposal_email_lock': False,
            'protected': None,
            'publish_timestamp': '0',
            'published': False,
            'sharing_group_id': '0',
            'threat_level_id': '1',
            'timestamp': '1736935399',
            'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'}}]
In [64]:
# Searching using the RestSearch: list the events whose creator organisation
# is CIRCL. "metadata": 1 returns only the event headers (no attributes,
# objects or reports), so counting matches stays cheap on a large instance.
endpoint = '/events/restSearch'
relative_path = ''

body = {
    "returnFormat": "json",
    "org": "CIRCL",
    # "id": 33,      # uncomment to restrict the search to a single event
    "metadata": 1
}

res = misp.direct_call(endpoint + relative_path, body)
print(len(res))
print(len(res))
8
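The two restSearch calls in this part of the notebook return either event headers (`metadata`) or full events with their attributes, objects and tags. What a practitioner usually does next is walk the result page by page and keep only the indicators that may actually be pushed to a sensor. The following is an added example, not code from the original notebook or from PyMISP: `restsearch_pages` drives a `/events/restSearch` query through MISP's real `page` and `limit` parameters using any callable with the signature of `misp.direct_call`, and `ids_indicators` filters the returned events on `to_ids`, soft deletion and TLP tags. `SAMPLE_EVENTS`, `offline_call`, event `60`, the `domain-ip` object and the `tlp:red` blocklist policy are constructed for the example; the two event shapes mirror the output printed in this notebook (event 31 carries both `tlp:red` and `tlp:green` at event level, event 59 has `tlp:red` on one attribute only), and no MISP instance is contacted.

```python
# Added example, not from the original notebook: walk an /events/restSearch
# query page by page and reduce the result to indicators that are safe to push
# to a sensor. SAMPLE_EVENTS is constructed to mirror the shape of the
# restSearch output printed in this notebook (events 31 and 59, plus an
# invented event 60); it is not real data and no MISP instance is contacted.
from typing import Callable, Dict, FrozenSet, Iterable, List

ENDPOINT = "/events/restSearch"


def restsearch_pages(call: Callable[[str, dict], list], base_body: dict,
                     limit: int = 100) -> Iterable[dict]:
    """Yield every event matched by base_body, fetching `limit` events per page.

    `call` has the signature of PyMISP.direct_call(endpoint, body), so pass
    misp.direct_call for a live instance. restSearch takes `page` (1-based)
    and `limit`; a short or empty page ends the walk.
    """
    page = 1
    while True:
        body = dict(base_body, returnFormat="json", page=page, limit=limit)
        events = call(ENDPOINT, body)
        if not events:
            return
        yield from events
        if len(events) < limit:
            return
        page += 1


def tag_names(container: dict) -> set:
    """Names of the tags attached to an Event or Attribute dict."""
    return {t["name"] for t in container.get("Tag", [])}


def ids_indicators(events: Iterable[dict],
                   blocked_tags: FrozenSet[str] = frozenset({"tlp:red"})
                   ) -> List[Dict[str, str]]:
    """Keep attributes with to_ids set, not soft-deleted and carrying no blocked tag.

    Attribute tags are merged with the event tags (most restrictive wins), and
    attributes nested in Objects are included because restSearch returns them
    under Event.Object[].Attribute rather than Event.Attribute.
    """
    picked = []
    for wrapper in events:
        ev = wrapper["Event"]
        ev_tags = tag_names(ev)
        attrs = list(ev.get("Attribute", []))
        for obj in ev.get("Object", []):
            attrs.extend(obj.get("Attribute", []))
        for a in attrs:
            if not a.get("to_ids") or a.get("deleted"):
                continue
            tags = ev_tags | tag_names(a)
            if tags & blocked_tags:          # blocked at event or attribute level
                continue
            picked.append({"event_id": ev["id"], "type": a["type"],
                           "value": a["value"], "tags": ",".join(sorted(tags))})
    return picked


def _tag(name: str) -> dict:
    return {"name": name}


# Constructed sample (shape only): event 31 is tagged tlp:red AND tlp:green,
# event 59 has tlp:red on a single attribute, event 60 is invented.
SAMPLE_EVENTS = [
    {"Event": {"id": "31", "info": "Event created via the API as an example",
               "Tag": [_tag("tlp:red"), _tag("tlp:green")],
               "Attribute": [
                   {"type": "ip-dst", "value": "127.1.1.1", "to_ids": False, "deleted": False},
                   {"type": "ip-dst", "value": "8.8.8.9", "to_ids": True, "deleted": False}],
               "Object": []}},
    {"Event": {"id": "59", "info": "Event created via the API as an example",
               "Tag": [_tag("tlp:green")],
               "Attribute": [
                   {"type": "ip-src", "value": "9.9.9.9", "to_ids": True, "deleted": False,
                    "Tag": [_tag("tlp:red")]},
                   {"type": "ip-dst", "value": "127.1.1.1", "to_ids": False, "deleted": False}],
               "Object": []}},
    {"Event": {"id": "60", "info": "Constructed event",
               "Tag": [_tag("tlp:green")],
               "Attribute": [
                   {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True, "deleted": False},
                   {"type": "ip-dst", "value": "203.0.113.8", "to_ids": True, "deleted": True}],
               "Object": [{"name": "domain-ip", "Attribute": [
                   {"type": "domain", "object_relation": "domain",
                    "value": "c2.example.net", "to_ids": True, "deleted": False}]}]}},
]


def offline_call(endpoint: str, body: dict) -> list:
    """Stand-in for misp.direct_call: serves SAMPLE_EVENTS page by page, ignoring filters."""
    assert endpoint == ENDPOINT
    start = (body["page"] - 1) * body["limit"]
    return SAMPLE_EVENTS[start:start + body["limit"]]


if __name__ == "__main__":
    query = {"org": "CIRCL", "eventinfo": "%via the API%"}   # same filters as the notebook
    events = list(restsearch_pages(offline_call, query, limit=2))
    for indicator in ids_indicators(events):
        print(indicator)
```

Against the sample, only the two indicators of the constructed event 60 survive: 8.8.8.9 is dropped because its event carries `tlp:red` even though it also carries `tlp:green`, and 9.9.9.9 is dropped by its attribute-level tag. Replace `offline_call` with `misp.direct_call` to run the same walk against a live instance; `blocked_tags` is the place to encode your own sharing policy.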
In [65]:
# Searching using the RestSearch: filter on the event's info field. The "%"
# characters act as wildcards, so this matches any info containing
# "via the API". Without "metadata", the full events are returned, including
# their attributes, objects, event reports and tags.
endpoint = '/events/restSearch'
relative_path = ''

body = {
    "returnFormat": "json",
    "eventinfo": "%via the API%",
    # "published": 1   # uncomment to keep only published events
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
Count: 3
  - Attribute count: 1
  - Attribute count: 2
  - Attribute count: 2
----------
[{'Event': {'Attribute': [{'Galaxy': [],
                           'ShadowAttribute': [],
                           'category': 'Network activity',
                           'comment': '',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '3',
                           'event_id': '30',
                           'first_seen': None,
                           'id': '199385',
                           'last_seen': None,
                           'object_id': '0',
                           'object_relation': None,
                           'sharing_group_id': '0',
                           'timestamp': '1728285118',
                           'to_ids': False,
                           'type': 'ip-dst',
                           'uuid': '72bb7d16-61b3-4089-8a23-dd6d9d972f62',
                           'value': '3.3.3.3'}],
            'CryptographicKey': [],
            'EventReport': [],
            'Galaxy': [],
            'Object': [],
            'Org': {'id': '6',
                    'local': True,
                    'name': 'ORG_4',
                    'uuid': '9e913344-3e2d-4cd2-8403-8888dfe0ad1e'},
            'Orgc': {'id': '14',
                     'local': False,
                     'name': 'ORGNAME_7544',
                     'uuid': '6e14838a-8e55-400b-a3ef-c552750394c6'},
            'RelatedEvent': [{'Event': {'Org': {'id': '6',
                                                'name': 'ORG_4',
                                                'uuid': '9e913344-3e2d-4cd2-8403-8888dfe0ad1e'},
                                        'Orgc': {'id': '16',
                                                 'name': 'ADMIN_6098',
                                                 'uuid': 'c8ccc07d-5b4a-4182-8b1f-6f21e112cc9e'},
                                        'analysis': '0',
                                        'date': '2024-11-14',
                                        'distribution': '3',
                                        'id': '41',
                                        'info': 'Test',
                                        'org_id': '6',
                                        'orgc_id': '16',
                                        'published': True,
                                        'threat_level_id': '4',
                                        'timestamp': '1736333344',
                                        'uuid': 'e6902564-ed8c-4831-b9b0-9580942367df'}}],
            'ShadowAttribute': [],
            'analysis': '0',
            'attribute_count': '0',
            'date': '2024-10-02',
            'disable_correlation': False,
            'distribution': '3',
            'event_creator_email': 'user1@sync-user.4.test',
            'extends_uuid': '',
            'id': '30',
            'info': 'Event created via the API as an example',
            'locked': True,
            'org_id': '6',
            'orgc_id': '14',
            'proposal_email_lock': False,
            'protected': None,
            'publish_timestamp': '1727879371',
            'published': False,
            'sharing_group_id': '0',
            'threat_level_id': '1',
            'timestamp': '1728285332',
            'uuid': '939dae03-21a1-424b-890c-4447ffee28c1'}},
 {'Event': {'Attribute': [{'Galaxy': [],
                           'ShadowAttribute': [],
                           'Sighting': [{'Organisation': {'id': '8',
                                                          'name': 'ORG_6',
                                                          'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
                                         'attribute_id': '199351',
                                         'attribute_uuid': '0bf65f60-d43f-4fde-8601-2fb45616e153',
                                         'date_sighting': '1728029470',
                                         'event_id': '31',
                                         'id': '3',
                                         'org_id': '8',
                                         'source': '',
                                         'type': '0',
                                         'uuid': '82085137-e5aa-4edf-a95c-f78a5ef9f3cc'}],
                           'category': 'Network activity',
                           'comment': 'Comment added via the API',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '5',
                           'event_id': '31',
                           'first_seen': None,
                           'id': '199351',
                           'last_seen': None,
                           'object_id': '0',
                           'object_relation': None,
                           'sharing_group_id': '0',
                           'timestamp': '1728029326',
                           'to_ids': False,
                           'type': 'ip-dst',
                           'uuid': '0bf65f60-d43f-4fde-8601-2fb45616e153',
                           'value': '127.1.1.1'},
                          {'Galaxy': [],
                           'ShadowAttribute': [],
                           'category': 'Network activity',
                           'comment': '',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '5',
                           'event_id': '31',
                           'first_seen': None,
                           'id': '199352',
                           'last_seen': None,
                           'object_id': '0',
                           'object_relation': None,
                           'sharing_group_id': '0',
                           'timestamp': '1728029303',
                           'to_ids': True,
                           'type': 'ip-dst',
                           'uuid': 'b3eedfc4-8ffa-41a2-875b-6c3d0e4602b8',
                           'value': '8.8.8.9'}],
            'CryptographicKey': [],
            'EventReport': [{'content': 'Body',
                             'deleted': False,
                             'distribution': '5',
                             'event_id': '31',
                             'id': '7',
                             'name': 'Report from API',
                             'sharing_group_id': '0',
                             'timestamp': '1728029364',
                             'uuid': 'f7a83fc7-2100-4601-8bb9-ab13927d1a7c'}],
            'Galaxy': [],
            'Object': [{'Attribute': [{'Galaxy': [],
                                       'ShadowAttribute': [],
                                       'category': 'Other',
                                       'comment': '',
                                       'deleted': False,
                                       'disable_correlation': False,
                                       'distribution': '5',
                                       'event_id': '31',
                                       'first_seen': None,
                                       'id': '199353',
                                       'last_seen': None,
                                       'object_id': '26063',
                                       'object_relation': 'post',
                                       'sharing_group_id': '0',
                                       'timestamp': '1558702173',
                                       'to_ids': False,
                                       'type': 'text',
                                       'uuid': '1d2d14f0-a23e-4452-b049-8c427f18b8b0',
                                       'value': 'post'}],
                        'ObjectReference': [],
                        'comment': '',
                        'deleted': False,
                        'description': 'Microblog post like a Twitter tweet or '
                                       'a post on a Facebook wall.',
                        'distribution': '5',
                        'event_id': '31',
                        'first_seen': None,
                        'id': '26063',
                        'last_seen': None,
                        'meta-category': 'misc',
                        'name': 'microblog',
                        'sharing_group_id': '0',
                        'template_uuid': '8ec8c911-ddbe-4f5b-895b-fbff70c42a60',
                        'template_version': '5',
                        'timestamp': '1558702173',
                        'uuid': '8e25747f-7c62-486a-9495-ed188a957da4'}],
            'Org': {'id': '8',
                    'local': True,
                    'name': 'ORG_6',
                    'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
            'Orgc': {'id': '8',
                     'local': True,
                     'name': 'ORG_6',
                     'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
            'RelatedEvent': [{'Event': {'Org': {'id': '13',
                                                'name': 'CIRCL',
                                                'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
                                        'Orgc': {'id': '13',
                                                 'name': 'CIRCL',
                                                 'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
                                        'analysis': '0',
                                        'date': '2025-01-15',
                                        'distribution': '0',
                                        'id': '59',
                                        'info': 'Event created via the API as '
                                                'an example',
                                        'org_id': '13',
                                        'orgc_id': '13',
                                        'published': False,
                                        'threat_level_id': '1',
                                        'timestamp': '1736935399',
                                        'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'}}],
            'ShadowAttribute': [],
            'Tag': [{'colour': '#FF2B2B',
                     'exportable': True,
                     'hide_tag': False,
                     'id': '22',
                     'is_custom_galaxy': False,
                     'is_galaxy': False,
                     'local': False,
                     'local_only': False,
                     'name': 'tlp:red',
                     'numerical_value': None,
                     'relationship_type': None,
                     'user_id': '0'},
                    {'colour': '#33FF00',
                     'exportable': True,
                     'hide_tag': False,
                     'id': '16',
                     'is_custom_galaxy': False,
                     'is_galaxy': False,
                     'local': False,
                     'local_only': False,
                     'name': 'tlp:green',
                     'numerical_value': None,
                     'relationship_type': None,
                     'user_id': '0'}],
            'analysis': '0',
            'attribute_count': '3',
            'date': '2024-10-04',
            'disable_correlation': False,
            'distribution': '0',
            'event_creator_email': 'user1@org-admin.6.test',
            'extends_uuid': '',
            'id': '31',
            'info': 'Event created via the API as an example',
            'locked': False,
            'org_id': '8',
            'orgc_id': '8',
            'proposal_email_lock': False,
            'protected': None,
            'publish_timestamp': '1736459174',
            'published': True,
            'sharing_group_id': '0',
            'threat_level_id': '1',
            'timestamp': '1728029364',
            'uuid': 'dcb2fde7-d53f-47c8-b71d-6731819593d2'}},
 {'Event': {'Attribute': [{'Galaxy': [],
                           'ShadowAttribute': [],
                           'Tag': [{'colour': '#FF2B2B',
                                    'exportable': True,
                                    'hide_tag': False,
                                    'id': '22',
                                    'is_custom_galaxy': False,
                                    'is_galaxy': False,
                                    'local': False,
                                    'local_only': False,
                                    'name': 'tlp:red',
                                    'numerical_value': None,
                                    'relationship_type': None,
                                    'user_id': '0'}],
                           'category': 'Network activity',
                           'comment': '',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '5',
                           'event_id': '59',
                           'first_seen': None,
                           'id': '203181',
                           'last_seen': None,
                           'object_id': '0',
                           'object_relation': None,
                           'sharing_group_id': '0',
                           'timestamp': '1736934788',
                           'to_ids': True,
                           'type': 'ip-src',
                           'uuid': '08a84483-5796-42b5-aa6b-d4bed7dabb19',
                           'value': '9.9.9.9'},
                          {'Galaxy': [],
                           'ShadowAttribute': [],
                           'category': 'Network activity',
                           'comment': 'Comment added via the API',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '5',
                           'event_id': '59',
                           'first_seen': None,
                           'id': '203182',
                           'last_seen': None,
                           'object_id': '0',
                           'object_relation': None,
                           'sharing_group_id': '0',
                           'timestamp': '1736934979',
                           'to_ids': False,
                           'type': 'ip-dst',
                           'uuid': 'bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5',
                           'value': '127.1.1.1'}],
            'CryptographicKey': [],
            'EventReport': [{'content': '@[attribute](bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5)',
                             'deleted': False,
                             'distribution': '5',
                             'event_id': '59',
                             'id': '15',
                             'name': 'Report from API',
                             'sharing_group_id': '0',
                             'timestamp': '1736935399',
                             'uuid': 'b07e0eef-137b-4ccc-b41f-41ddf96b36f7'},
                            {'content': '\n'
                                        '# TR-84 - PAN-OS (Palo Alto Networks) '
                                        'OS Command Injection Vulnerability in '
                                        'GlobalProtect Gateway - '
                                        'CVE-2024-3400\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '### TR-84 - PAN-OS (Palo Alto '
                                        'Networks) OS Command Injection '
                                        'Vulnerability in GlobalProtect '
                                        'Gateway - CVE-2024-3400\n'
                                        '\n'
                                        '↑ Back to Publications and '
                                        'Presentations\n'
                                        '\n'
                                        '1. Fixes\n'
                                        '2. Detection\n'
                                        '3. Known affected software\n'
                                        '4. References\n'
                                        '5. Classification of this document\n'
                                        '6. Revision\n'
                                        '\n'
                                        'You can report incidents via our '
                                        'official contact including e-mail, '
                                        'phone\n'
                                        'or use the Anonymous reporting form.\n'
                                        '\n'
                                        '\n'
                                        'Search\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '  \n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        'A command injection vulnerability in '
                                        'the GlobalProtect feature of Palo '
                                        'Alto Networks PAN-OS software for '
                                        'specific PAN-OS versions and distinct '
                                        'feature configurations may enable an '
                                        'unauthenticated attacker to execute '
                                        'arbitrary code with root privileges '
                                        'on the firewall. Fixes for PAN-OS '
                                        '10.2, PAN-OS 11.0, and PAN-OS 11.1 '
                                        'are in development and are expected '
                                        'to be released by April 14, 2024. '
                                        'Cloud NGFW, Panorama appliances, and '
                                        'Prisma Access are not impacted by '
                                        'this vulnerability. All other '
                                        'versions of PAN-OS are also not '
                                        'impacted.\n'
                                        '\n'
                                        'The vulnerability is currently '
                                        'exploited in the wild as mentioned by '
                                        'Volexity and it’s referenced '
                                        'as CVE-2024-3400.\n'
                                        '\n'
                                        '## Fixes\n'
                                        '\n'
                                        'This issue is fixed in hotfix '
                                        'releases of PAN-OS 10.2.9-h1, PAN-OS '
                                        '11.0.4-h1, PAN-OS 11.1.2-h3, and in '
                                        'all later PAN-OS versions. Hotfixes '
                                        'for other commonly deployed '
                                        'maintenance releases will also be '
                                        'made available to address this issue. '
                                        'Please see details below for ETAs '
                                        'regarding the upcoming hotfixes.\n'
                                        '\n'
                                        '```\n'
                                        'PAN-OS 10.2:\n'
                                        '- 10.2.9-h1 (Released 4/14/24)\n'
                                        '- 10.2.8-h3 (ETA: 4/15/24)\n'
                                        '- 10.2.7-h8 (ETA: 4/15/24)\n'
                                        '- 10.2.6-h3 (ETA: 4/15/24)\n'
                                        '- 10.2.5-h6 (ETA: 4/16/24)\n'
                                        '- 10.2.3-h13 (ETA: 4/17/24)\n'
                                        '- 10.2.1-h2 (ETA: 4/17/24)\n'
                                        '- 10.2.2-h5 (ETA: 4/18/24)\n'
                                        '- 10.2.0-h3 (ETA: 4/18/24)\n'
                                        '- 10.2.4-h16 (ETA: 4/19/24)\n'
                                        '\n'
                                        'PAN-OS 11.0:\n'
                                        '- 11.0.4-h1 (Released 4/14/24)\n'
                                        '- 11.0.3-h10 (ETA: 4/15/24)\n'
                                        '- 11.0.2-h4 (ETA: 4/16/24)\n'
                                        '- 11.0.1-h4 (ETA: 4/17/24)\n'
                                        '- 11.0.0-h3 (ETA: 4/18/24)\n'
                                        '\n'
                                        'PAN-OS 11.1:\n'
                                        '- 11.1.2-h3 (Released 4/14/24)\n'
                                        '- 11.1.1-h1 (ETA: 4/16/24)\n'
                                        '- 11.1.0-h3 (ETA: 4/17/24)\n'
                                        '\n'
                                        '```\n'
                                        '\n'
                                        '**As of April 16th, the previously '
                                        'suggested workarounds have been '
                                        'confirmed ineffective. We recommend '
                                        'initiating an incident response '
                                        'procedure in all cases.** There are '
                                        'also workarounds proposed by the '
                                        'vendor to fix the vulnerability '
                                        'before the hotfix will be released.\n'
                                        '\n'
                                        '## Detection\n'
                                        '\n'
                                        '* Indicators shared by Volexity are '
                                        'available in a MISP event with UUID '
                                        '9802116c-3ec3-4a8e-8b39-5c69b08df5ab, '
                                        'shared in the OSINT feed and the MISP '
                                        'private sector community.\n'
                                        '\n'
                                        '## Known affected software\n'
                                        '\n'
                                        '* PAN-OS 10.2, PAN-OS 11.0, and '
                                        'PAN-OS 11.1 used as GlobalProtect '
                                        'gateway with device telemetry '
                                        'enabled. (other versions are not '
                                        'impacted).\n'
                                        '\n'
                                        '## References\n'
                                        '\n'
                                        '* Palo Alto Networks - CVE-2024-3400 '
                                        'PAN-OS: OS Command Injection '
                                        'Vulnerability in GlobalProtect '
                                        'Gateway.\n'
                                        '* Volexity - 0day exploited in the '
                                        'wild..\n'
                                        '* Volexity - []Zero-Day Exploitation '
                                        'of Unauthenticated Remote Code '
                                        'Execution Vulnerability in '
                                        'GlobalProtect '
                                        '(CVE-2024-3400)(https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/)\n'
                                        '\n'
                                        '## Classification of this document\n'
                                        '\n'
                                        'TLP:CLEAR information may be '
                                        'distributed without restriction, '
                                        'subject to copyright controls.\n'
                                        '\n'
                                        '## Revision\n'
                                        '\n'
                                        '* Version 1.0 - TLP:CLEAR - First '
                                        'version - 12th April 2024\n'
                                        '* Version 1.1 - TLP:CLEAR - Second '
                                        'version - 13rd April 2024 - IoCs '
                                        'added\n'
                                        '* version 1.2 - TLP:CLEAR - Third '
                                        'version - 15th April 2024 - fixes '
                                        'added\n'
                                        '* Version 1.3 - TLP:CLEAR - Fourth '
                                        'version - 17th April 2024 - '
                                        'workarounds are now ineffective\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n'
                                        '\n',
                             'deleted': False,
                             'distribution': '5',
                             'event_id': '59',
                             'id': '16',
                             'name': 'Report from - '
                                     'https://www.circl.lu/pub/tr-84/ '
                                     '(1736935070)',
                             'sharing_group_id': '0',
                             'timestamp': '1736935070',
                             'uuid': '023df945-8ea4-4719-9fab-a82a57fecf85'}],
            'Galaxy': [],
            'Object': [{'Attribute': [{'Galaxy': [],
                                       'ShadowAttribute': [],
                                       'category': 'Other',
                                       'comment': '',
                                       'deleted': False,
                                       'disable_correlation': False,
                                       'distribution': '5',
                                       'event_id': '59',
                                       'first_seen': None,
                                       'id': '203183',
                                       'last_seen': None,
                                       'object_id': '26193',
                                       'object_relation': 'post',
                                       'sharing_group_id': '0',
                                       'timestamp': '1558702173',
                                       'to_ids': False,
                                       'type': 'text',
                                       'uuid': 'c057a453-76ec-4406-81d6-b99e789b4c98',
                                       'value': 'post'}],
                        'ObjectReference': [],
                        'comment': '',
                        'deleted': False,
                        'description': 'Microblog post like a Twitter tweet or '
                                       'a post on a Facebook wall.',
                        'distribution': '5',
                        'event_id': '59',
                        'first_seen': None,
                        'id': '26193',
                        'last_seen': None,
                        'meta-category': 'misc',
                        'name': 'microblog',
                        'sharing_group_id': '0',
                        'template_uuid': '8ec8c911-ddbe-4f5b-895b-fbff70c42a60',
                        'template_version': '5',
                        'timestamp': '1558702173',
                        'uuid': '7e681dd6-69ab-4573-bdf2-99c4bd5b6af8'}],
            'Org': {'id': '13',
                    'local': True,
                    'name': 'CIRCL',
                    'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
            'Orgc': {'id': '13',
                     'local': True,
                     'name': 'CIRCL',
                     'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
            'RelatedEvent': [{'Event': {'Org': {'id': '8',
                                                'name': 'ORG_6',
                                                'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
                                        'Orgc': {'id': '8',
                                                 'name': 'ORG_6',
                                                 'uuid': '591c3fb6-4abe-4d47-b2ea-22e2299819e9'},
                                        'analysis': '0',
                                        'date': '2024-10-04',
                                        'distribution': '0',
                                        'id': '31',
                                        'info': 'Event created via the API as '
                                                'an example',
                                        'org_id': '8',
                                        'orgc_id': '8',
                                        'published': True,
                                        'threat_level_id': '1',
                                        'timestamp': '1728029364',
                                        'uuid': 'dcb2fde7-d53f-47c8-b71d-6731819593d2'}}],
            'ShadowAttribute': [],
            'Tag': [{'colour': '#33FF00',
                     'exportable': True,
                     'hide_tag': False,
                     'id': '16',
                     'is_custom_galaxy': False,
                     'is_galaxy': False,
                     'local': False,
                     'local_only': False,
                     'name': 'tlp:green',
                     'numerical_value': None,
                     'relationship_type': None,
                     'user_id': '0'}],
            'analysis': '0',
            'attribute_count': '3',
            'date': '2025-01-15',
            'disable_correlation': False,
            'distribution': '0',
            'event_creator_email': 'christian.studer@circl.lu',
            'extends_uuid': '',
            'id': '59',
            'info': 'Event created via the API as an example',
            'locked': False,
            'org_id': '13',
            'orgc_id': '13',
            'proposal_email_lock': False,
            'protected': None,
            'publish_timestamp': '0',
            'published': False,
            'sharing_group_id': '0',
            'threat_level_id': '1',
            'timestamp': '1736935399',
            'uuid': '2a81407b-34a5-4fad-a99e-1641dbd5a411'}}]

Warning lists¶

In [66]:
# Checking values against the warning lists
endpoint = '/warninglists/checkValue'
relative_path = ''

body = ["8.8.8.8", "yolo", "test"]

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
{'8.8.8.8': [{'id': '49',
              'matched': '8.8.8.8/32',
              'name': 'List of known IPv4 public DNS resolvers'}]}
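As an added example (not part of the original notebook), the helper below parses the response shape printed above. The `/warninglists/checkValue` endpoint only reports the values that matched at least one list, so anything absent from the response is clean; partitioning candidate indicators this way before pushing them as `to_ids` attributes keeps known false-positive sources such as public DNS resolvers out of detection feeds. The sample response is constructed to mirror the output above; `check_values` is the live variant that uses the `misp` object created at the top of the notebook.

```python
# Constructed sample response, mirroring the shape printed above for 8.8.8.8.
SAMPLE_RESPONSE = {
    "8.8.8.8": [{"id": "49", "matched": "8.8.8.8/32",
                 "name": "List of known IPv4 public DNS resolvers"}],
}


def partition_by_warninglist(values, response):
    """Split `values` into (flagged, clean).

    `flagged` maps each value that matched at least one warning list to the
    names of the matching lists; `clean` keeps the original order of the
    values that matched nothing. The endpoint omits non-matching values, so
    a value missing from the response counts as clean.
    """
    flagged = {}
    clean = []
    for value in values:
        hits = response.get(value) or []
        if hits:
            flagged[value] = [hit.get("name", "?") for hit in hits]
        else:
            clean.append(value)
    return flagged, clean


def check_values(misp, values):
    """Live variant: POST the bare JSON list the endpoint expects and partition.

    `misp` is a PyMISP instance like the one built at the top of the notebook
    (assumed; this function is not exercised offline).
    """
    response = misp.direct_call('/warninglists/checkValue', list(values))
    return partition_by_warninglist(values, response)


if __name__ == "__main__":
    flagged, clean = partition_by_warninglist(["8.8.8.8", "yolo", "test"],
                                              SAMPLE_RESPONSE)
    print("flagged:", flagged)
    print("clean:", clean)
```

Flagged values are not necessarily wrong; a public resolver can still be relevant context for an event. The point is to review them rather than let them reach blocklists unnoticed.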

Instance management¶

In [65]:
# Creating Organisation
endpoint = '/admin/organisations/add'
relative_path = ''

body = {
    "name": "TEMP_ORG2"
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
{'Organisation': {'contacts': None,
                  'created_by': '626',
                  'date_created': '2024-04-15 04:34:16',
                  'date_modified': '2024-04-15 04:34:16',
                  'description': None,
                  'id': '17',
                  'landingpage': None,
                  'local': True,
                  'name': 'TEMP_ORG2',
                  'nationality': '',
                  'restricted_to_domain': None,
                  'sector': '',
                  'type': '',
                  'uuid': 'c9a0a3d6-2698-4535-9bf3-782667e8779b'}}
In [ ]:
# Creating Users
endpoint = '/admin/users/add'
relative_path = ''

body = {
    "email": "from_api2@admin.test",
    "org_id": 1009,
    "role_id": 3,
    "termsaccepted": 1,
    "change_pw": 0, # set to 1 to force the user to change the password at next login
    "password": "~~UlTrA_SeCuRe_PaSsWoRd~~"
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
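The body above carries a literal password. As an added example (not part of the original notebook), the helper below builds the same `/admin/users/add` body without hard-coding one: the initial password is generated with `secrets`, checked against a simple policy, and `change_pw` is set to 1 so the user must replace it at first login, which keeps the value that transited the API from becoming the long-term credential. The minimum length of 12 is an assumption based on MISP's default password policy length; the regex classes are this example's own approximation, not MISP's exact complexity rule, so adjust both to the instance's settings. `create_user` is the live variant using the `misp` object from the top of the notebook.

```python
import re
import secrets

MIN_PASSWORD_LENGTH = 12  # assumed: MISP's default Security.password_policy_length


def password_meets_policy(password, min_length=MIN_PASSWORD_LENGTH):
    """Length plus upper, lower and digit-or-symbol classes (example policy)."""
    if len(password) < min_length:
        return False
    has_upper = re.search(r"[A-Z]", password) is not None
    has_lower = re.search(r"[a-z]", password) is not None
    has_other = re.search(r"[\d\W_]", password) is not None
    return has_upper and has_lower and has_other


def generate_initial_password(length=20):
    """Random URL-safe password, re-drawn until it satisfies the policy check."""
    while True:
        candidate = secrets.token_urlsafe(length)[:length]
        if password_meets_policy(candidate):
            return candidate


def build_user_body(email, org_id, role_id, password=None):
    """Return the JSON body for POST /admin/users/add.

    The password is returned to the caller for out-of-band delivery rather
    than written into the notebook.
    """
    if password is None:
        password = generate_initial_password()
    elif not password_meets_policy(password):
        raise ValueError("password does not meet the policy")
    return {
        "email": email,
        "org_id": org_id,
        "role_id": role_id,
        "termsaccepted": 1,
        "change_pw": 1,  # force a password change at next login
        "password": password,
    }


def create_user(misp, email, org_id, role_id):
    """Live variant (assumed PyMISP instance; not exercised offline)."""
    body = build_user_body(email, org_id, role_id)
    res = misp.direct_call('/admin/users/add', body)
    return res, body["password"]
```

Because the response echoes the created user, avoid printing it with `print_result` in a shared notebook when the body contained a password; log the user id and e-mail instead.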
In [ ]:
# Creating Sharing Groups
endpoint = '/sharing_groups/add'
relative_path = ''

body = {
    "name": "TEMP_SG2",
    "releasability": "To nobody",
    "SharingGroupOrg": [
        {
            "name": "ORGNAME",
            "extend": 1
        },
        {
            "name": "CIRCL",
            "extend": 1
        }
    ]
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
In [ ]:
# Server
endpoint = '/servers/add'
relative_path = ''

body = {
    "url": "http://127.0.0.1:80/",
    "name": "Myself",
    "remote_org_id": "2",
    "authkey": "UHwmZCH4QdSKqPVunxTzfSes8n7ibBhUlsd0dmx9"
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
In [ ]:
# Server settings
endpoint = '/servers/serverSettings'
relative_path = ''

body = {}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
In [99]:
# Statistics
endpoint = '/users/statistics'
relative_path = ''

body = {}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)
{'stats': {'attribute_count': 51848,
           'attribute_count_month': 11,
           'attributes_per_event': 701,
           'average_user_per_org': 2.6,
           'contributing_org_count': 6,
           'correlation_count': 63,
           'event_count': 74,
           'event_count_month': 7,
           'local_org_count': 7,
           'org_count': 16,
           'post_count': 14,
           'post_count_month': 0,
           'proposal_count': 1,
           'thread_count': 2,
           'thread_count_month': 0,
           'user_count': 18,
           'user_count_pgp': 0}}

Not Available:

  • misp-module