from urllib.parse import quote

import requests
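def get_misp_ips(misp_server, misp_auth_key, event_id, ioc_type, page=1, limit=100,
                 *, verify=True, timeout=30):
    """Return the attribute values of one page of a MISP event.

    POSTs a ``restSearch`` query to ``https://<misp_server>/attributes/restSearch``
    for attributes of type *ioc_type* inside event *event_id* and returns their
    ``value`` fields. Despite the name, nothing here is IP-specific: whatever
    *ioc_type* selects (``ip-dst``, ``domain``, ``md5`` ...) is returned.

    Args:
        misp_server: Host (and optional port) of the MISP instance. The scheme
            is always ``https``.
        misp_auth_key: MISP API key; sent verbatim in the ``Authorization``
            header, so never log the headers dict.
        event_id: MISP event id to search in.
        ioc_type: MISP attribute type to return.
        page: 1-based result page. Only this page is fetched; callers wanting
            everything must iterate until an empty list comes back.
        limit: Maximum number of attributes per page.
        verify: TLS certificate verification, passed straight to ``requests``:
            ``True`` (default) uses the system CA store, a path selects a CA
            bundle. The previous version hard-coded ``verify=False``, which let
            any on-path attacker impersonate the MISP server and capture the
            API key; pass ``False`` only against a throwaway lab instance.
        timeout: Connect/read timeout in seconds (``None`` blocks forever).

    Returns:
        List of attribute values in the order MISP returned them; empty when
        the page holds no attributes.

    Raises:
        requests.HTTPError: Non-2xx response (e.g. 403 for a bad key).
        ValueError: Response body is not JSON.
        KeyError: Response JSON lacks the ``response.Attribute`` structure.
    """
    misp_url = f"https://{misp_server}/attributes/restSearch"
    headers = {
        'Authorization': misp_auth_key,
        'Cache-Control': 'no-cache',
        'Accept': 'application/json',
        'Content-type': 'application/json',
    }
    # restSearch wraps the filter in a top-level "request" object.
    payload = {
        "request": {
            "eventid": event_id,
            "type": ioc_type,
            "page": page,
            "limit": limit,
        }
    }
    response = requests.post(misp_url, headers=headers, json=payload,
                             verify=verify, timeout=timeout)
    response.raise_for_status()
    attributes = response.json()["response"]["Attribute"]
    return [attribute["value"] for attribute in attributes]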
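def check_ref_set(qradar_server, qradar_auth_key, qradar_ref_set,
                  *, verify=True, timeout=30):
    """Return whether the QRadar reference set *qradar_ref_set* exists.

    Sends ``GET /api/reference_data/sets/<name>``. A 200 means the set
    exists and a 404 means it does not. Any other status (401/403 for a bad
    or under-privileged token, 5xx, ...) is raised via ``raise_for_status``
    rather than reported as "missing"; the previous version treated every
    non-200 as "does not exist", which made a revoked token look like a
    missing set and sent callers off to create one.

    Args:
        qradar_server: Host (and optional port) of the QRadar console.
        qradar_auth_key: QRadar authorized-service token, sent in the ``SEC``
            header.
        qradar_ref_set: Reference set name; URL-encoded before being placed
            in the path so names with spaces or slashes cannot escape it.
        verify: TLS certificate verification passed to ``requests``
            (``True`` = system CA store, or a CA-bundle path). The previous
            version disabled it with ``verify=False``.
        timeout: Connect/read timeout in seconds.

    Returns:
        ``True`` on 200, ``False`` on 404.

    Raises:
        requests.HTTPError: Any status other than 200 or 404.
    """
    # NOTE: this endpoint is pinned to API version 13.0 while create_ref_set
    # uses 19.0; the two calls may therefore see different response shapes.
    check_ref_set_url = (
        f"https://{qradar_server}/api/reference_data/sets/"
        f"{quote(qradar_ref_set, safe='')}"
    )
    headers = {
        'SEC': qradar_auth_key,
        'Accept': 'application/json',
        'Version': '13.0',
    }
    response = requests.get(check_ref_set_url, headers=headers,
                            verify=verify, timeout=timeout)
    if response.status_code == 404:
        return False
    response.raise_for_status()
    return response.status_code == 200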
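def create_ref_set(qradar_server, qradar_auth_key, qradar_ref_set,
                   *, verify=True, timeout=30):
    """Create a QRadar reference set and return the API's description of it.

    POSTs to ``/api/reference_data/sets`` with ``element_type=ALNIC``
    (alphanumeric, case-insensitive), which is what ``post_iocs_to_qradar``
    later bulk-loads into. The name goes in the query string, so ``requests``
    URL-encodes it.

    Args:
        qradar_server: Host (and optional port) of the QRadar console.
        qradar_auth_key: QRadar authorized-service token, sent in the ``SEC``
            header.
        qradar_ref_set: Name of the set to create.
        verify: TLS certificate verification passed to ``requests``
            (``True`` = system CA store, or a CA-bundle path). The previous
            version disabled it with ``verify=False``.
        timeout: Connect/read timeout in seconds.

    Returns:
        The decoded JSON body QRadar returns for the new set.

    Raises:
        requests.HTTPError: Non-2xx response, e.g. 409 if the set already
            exists; call ``check_ref_set`` first to avoid that.
        ValueError: Response body is not JSON.
    """
    url = f"https://{qradar_server}/api/reference_data/sets"
    params = {"element_type": "ALNIC", "name": qradar_ref_set}
    headers = {
        "Version": "19.0",
        "Accept": "application/json",
        "SEC": qradar_auth_key,
    }
    response = requests.post(url, headers=headers, params=params,
                             verify=verify, timeout=timeout)
    response.raise_for_status()
    return response.json()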
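def post_iocs_to_qradar(qradar_server, qradar_auth_key, qradar_ref_set, ioc_list,
                        *, verify=True, timeout=30):
    """Bulk-load *ioc_list* into the QRadar reference set *qradar_ref_set*.

    POSTs the values as a JSON array to
    ``/api/reference_data/sets/bulk_load/<name>``. An empty *ioc_list* is a
    no-op: no request is sent.

    Args:
        qradar_server: Host (and optional port) of the QRadar console.
        qradar_auth_key: QRadar authorized-service token, sent in the ``SEC``
            header.
        qradar_ref_set: Target reference set name; URL-encoded before being
            placed in the path so it cannot alter the route.
        ioc_list: Iterable of values to add (e.g. the output of
            ``get_misp_ips``). It is materialised into a list for the JSON
            body.
        verify: TLS certificate verification passed to ``requests``
            (``True`` = system CA store, or a CA-bundle path). The previous
            version disabled it with ``verify=False``.
        timeout: Connect/read timeout in seconds.

    Raises:
        requests.HTTPError: Non-2xx response (404 if the set does not exist).
    """
    values = list(ioc_list)
    if not values:
        # Nothing to load; skip the round trip rather than POST an empty body.
        return
    post_url = (
        f"https://{qradar_server}/api/reference_data/sets/bulk_load/"
        f"{quote(qradar_ref_set, safe='')}"
    )
    headers = {
        'SEC': qradar_auth_key,
        'content-type': "application/json",
        'Version': '13.0',
    }
    response = requests.post(post_url, json=values, headers=headers,
                             verify=verify, timeout=timeout)
    response.raise_for_status()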