# Introduction

## Koen Van Impe

- **Freelancer**, work in incident response, threat intelligence and security operations
- **Open source** contribtions (MISP, DFIR automation tools, ...) [github.com/cudeso](https://github.com/cudeso)
- OSINT **threat feed** [botvrij.eu](https://botvrij.eu)
- [www.cudeso.be](https://www.cudeso.be) and [vanimpe.eu](https://www.vanimpe.eu)
- [@cudeso](https://twitter.com/cudeso)

# MISP playbooks

MISP playbooks address common use-cases encountered by **SOCs, CSIRTs or CTI teams**, specifically when working with information or intelligence received by **MISP**.

## Building blocks 

### Jupyter notebooks

The MISP playbooks are built with **Jupyter notebooks** which are used to *glue* together **documentation** (why? where? when? who? - *IR procedures / CTI investigation guidelines*) with **commands and services** (what? - *queries, use of correlation/enrichment services*) to solve a use case.

The playbooks (or the *output* of the notebook) can be kept for **reporting** purposes but also to **update MISP** (threat events created or modified,...), sent a notification to Mattermost (inform your colleagues of your work) or create an alert in TheHive or any other case handling platform.

### MISP

A open source **threat intelligence and sharing platform** ([www.misp-project.org](https://www.misp-project.org/) and [github.com/MISP/MISP](https://github.com/MISP/MISP)) used by a large number of SOCs, CSIRTs and CTI teams.

![MISP](helpers/jupyterthon-misp.png)

### PyMISP

[PyMISP](https://github.com/MISP/PyMISP) is a Python library that interacts with MISP via its REST API to add, modify or query data in a MISP instance. Important to know is that everything you do in the MISP web interface, is also available via its REST API. This makes PyMISP a very powerful tool to build automation or setup integrations.

### MISP modules

The [MISP modules](https://github.com/MISP/misp-modules) are modules to extend MISP with new (*external*) services, such as querying data from [Hashlookup](https://www.circl.lu/services/hashlookup/) or VirusTotal, submit malware samples to a sandbox or lookup network information. It allows you to add functionality to MISP (**correlation**, **enrichment**), without having to change the core code of the platform.

## MISP playbooks

### GitHub

MISP playbooks are published on GitHub [github.com/MISP/misp-playbooks](https://github.com/MISP/misp-playbooks). Since the start of the project there have been **35 commits**, resulting in **16 MISP playbooks**. There is also **guidance** and **technical** documentation on how to setup an environment for MISP playbooks.

![Commits](helpers/jupyterthon-commits.png)

### Playbooks for MISP users

- Deal with **malware investigations**
  - **Malware** triage with MISP with **static** malware analysis ([2](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_malware_triage-with_output.ipynb))
      - *MISP, Mattermost, VirusTotal, Hashlookup, MalwareBazaar, MWDB*
  - **Malware** triage with MISP with **dynamic** malware analysis ([3](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_malware_triage_upload_sample-with_output.ipynb))
      - *MISP, Mattermost, VMRay, Hybrid-Analysis, VirusTotal*
  - Query for **hash** information ([15](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_query_hash_information-with_output.ipynb))
      - *MISP, Mattermost, VirusTotal, Hashlookup, MalwareBazaar*
- Do **OSINT investigations**
  - Query for **CVE** information ([25](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_query_cve_information.ipynb))
      - *MISP, Mattermost, TheHive, cvesearch, vulners, XForceExchange, exploitdb*
  - Query for **IP** reputation ([12](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_query_ip_reputation-with_output.ipynb))
      - *MISP, Mattermost, TheHive, abuse_finder, DNS, MMDB, Shodan, Greynoise, VirusTotal, AbuseIPDB*
  - Query for **domain** reputation ([13](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_query_domain_reputation-with_output.ipynb))
      - *MISP, Mattermost, TheHive, URLscan, abuse_finder, DNS, URLhaus, Shodan, VirusTotal*
- Use the playbooks to deal with **phishing** incidents
  - Create or update a MISP event with information from a phishing incident with a link ([1](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_create_or_update_a_MISP_event_with_information_from_a_phishing_incident_with_a_link-with_output.ipynb))
      - *MISP, Mattermost, TheHive, URLscan, Lookyloo, TheHive, Google Safe Browsing, Microsoft Security Intelligence, Phishtank*
- Use MISP for **CTI work**
  - **Curate** threat events ([21](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_curate_misp_events.ipynb))
      - *MISP, Mattermost, Hashlookup, MMDB*
  - Query for **inconsistencies** in MISP events ([22](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_query_for_inconsistencies_misp_events.ipynb))
  - **Threat actor** profiling ([26](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_threat_actor_profiling-with_output.ipynb))
      - *MISP, Mattermost, MITRE*
  - Do a retroscan with a MISP **warninglist** (*check for false positives and alike in your platform*) ([8](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_retroscan_with_MISP_warninglist-with_output.ipynb))
- Become better acquainted with the **MISP features**
  - Create MISP **objects** and relationships ([11](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_create_MISP_objects_and_relationship-with_output.ipynb))
  - Work with the different MISP **timestamps** ([42](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_using_timestamps_in_MISP-with_output.ipynb))
  - Create a custom MISP warninglist ([7](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_create_custom_MISP_warninglist-with_output.ipynb))
      - *MISP, Mattermost, TheHive, VirusTotal, Shodan*
  
### Playbooks for MISP administrators

- Provision **users** and **organisations** ([43](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_provision_users_organisations-with_output.ipynb))
    - *MISP, Mattermost*
- Do bulk **deletes** of MISP events ([29](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_bulk_delete_events-with_output.ipynb))
    - *MISP, Mattermost*
    
### Documentation

The technical documentation explains you how to get started and setup your own environment, includes guidelines on the playbook structure and tips on how to develop the playbooks. There's also a guide to quickly set it up on a [Kali VM](https://github.com/MISP/misp-playbooks/blob/main/documentation/MISP%20playbook%20on%20Kali.md) (or any Linux VM). There is [technical documentation](https://github.com/MISP/misp-playbooks/blob/main/documentation/MISP%20playbook%20technical%20documentation.md) with step-by-step guide on how to setup your environment, a [configuration](https://github.com/MISP/misp-playbooks/blob/main/config/misp-playbook-jupyter.py) file for JupyterLab, a [systemd](https://github.com/MISP/misp-playbooks/blob/main/config/misp-playbook-jupyter.service) startup script and an [NGINX](https://github.com/MISP/misp-playbooks/blob/main/config/nginx-notebook.conf) configuration file to put notebooks behind a reverse proxy.

The GitHub repository also includes a [skeleton](https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_skeleton.ipynb) playbook that is used to start a new playbook, with the basic elements for its structure included.

# Getting started

## What do you need?

![what do you need](helpers/jupyterthon-whatdoyouneed.png)

- Web browser
- **Jupyter notebook** environment
    - Have **PyMISP** and other Python libraries installed
- A connection to a **MISP server**
    - Use your own MISP server, or connect to a MISP server run by a community ([https://www.misp-project.org/communities/](https://www.misp-project.org/communities/))
    - A **MISP api key**
    - MISP modules (need to be accessible by the notebook)
- Accounts at other external services if you do enrichment or correlation
    - VirusTotal, URLscan.io, ...

## Structure of playbooks

- Introduction
    - Describe what the playbook is about
    - Intended audience
- Playbook
    - Initialise environment
    - Steps of the playbook
- Closure
    - External resources
    - Technical details

[MISP playbook structure](https://github.com/MISP/misp-playbooks/blob/main/documentation/assets/playbook-structure-playbook-structure.drawio.png)

![Structure](helpers/jupyterthon-structure.png) 

# Demo MISP playbook

## Playbooks published on GitHub

The MISP playbooks on GitHub are available in a version that you can run (*clean*) and a version with **output** (named *playbook-with_output.ipynb*). The latter allows you to 
- Review the general flow
- Have an idea how the output should look like

## Introduction

- UUID: **4de35561-23df-4f4b-95f9-11910ed30b91**
- Started from [issue 51](https://github.com/MISP/misp-playbooks/issues/51)
- State: **Published**
- Purpose: A playbook to demonstrate MISP playbooks at Jupyterthon 2024
- Tags: [ "demo", "jupyterthon"]
- External resources: **Hashlookup** **Mattermost**
- Target audience: **Jupyterthon 2024**

## Preparation

### PR:1 Initialise environment

This section **initialises the playbook environment** and loads the required Python libraries. 

The credentials for MISP (**API key**) and other services are loaded from the file `keys.py` in the directory **vault**. A [PyMISP](https://github.com/MISP/PyMISP) object is created to interact with MISP and the active MISP server is displayed. By printing out the server name you know that it's possible to connect to MISP. In case of a problem PyMISP will indicate the error with `PyMISPError: Unable to connect to MISP`.

In [None]:
# Initialise Python environment
import sys
import json
import uuid
from datetime import date
from prettytable import PrettyTable, MARKDOWN
import requests
from IPython.display import Image, display, display_markdown, HTML

# Load the credentials
sys.path.insert(0, "../vault/")
from keys import *
if misp_verifycert is False:
    import urllib3
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
print("The \033[92mPython libraries\033[90m are loaded and the \033[92mcredentials\033[90m are read from the keys file.")

# Create the PyMISP object
from pymisp import *
misp = PyMISP(misp_url, misp_key, misp_verifycert)
print("I will use the MISP server \033[92m{}\033[90m for this playbook.".format(misp_url))

### PR:2 Verify MISP modules

This playbook uses the MISP modules to obtain additional correlation or enrichment information. [MISP modules](https://github.com/MISP/misp-modules) are autonomous modules that can be used to extend MISP for new services such as expansion, import and export. The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration.

In the next cell we check if we have access to the **MISP module** server and if the required modules are enabled.

In [None]:
# Where can we find the local MISP Module server? You can leave this to the default setting in most cases.
misp_modules_url = "http://127.0.0.1:6666"

# Which modules are we using in this playbook?
misp_modules_in_use = ["hashlookup"]



# How long do we wait between queries when using the MISP modules (API rate limiting of external service such as VirusTotal)
misp_modules_wait = 3

# Initiliasation
misp_modules = {}
misp_modules_headers = {"Content-Type": "application/json", "Accept": "application/json"}

# Code block to query the MISP module server and check if our modules are enabled
res = requests.get("{}/modules".format(misp_modules_url), headers=misp_modules_headers)
for module in res.json():
    for module_requested in misp_modules_in_use:
        if module.get("name", False) == module_requested:
            misp_modules[module_requested] = {"enabled": True, "input": module.get("mispattributes").get("input")}
            print("Found the \033[92m{}\033[90m MISP module (Accepted input: {}).".format(module_requested, misp_modules[module_requested]["input"]))
print("\n")

### PR:3 Load helper functions

The next cell contains **helper functions** that are used in this playbook. 

Instead of distributing helper functions as separate Python files this playbook includes all the required code as one code cell. This makes portability of playbooks between instances easier. The downside is that functions defined in this playbook need to be defined again in other playbooks, which is not optimal for code re-use. For this iteration of playbooks it is chosen to include the code in the playbook (more portability), but you can easily create one "helper" file that contains all the helper code and then import that file in each playbook (for example by adding to the previous cell `from helpers import *`).

In [None]:
def __includeFlattenedAttributes(attributes, objects):
    # Function to merge attributes from 'single' attributes and objects into one set
    object_attributes = []
    for misp_object in objects:
        for object_attribute in misp_object.Attribute:
            object_attributes.append(object_attribute)
    event_attributes = object_attributes + attributes
    return event_attributes

### PR:4 Set helper variables

This cell contains **helper variables** that are used in this playbook.

In [None]:
event_details = {"header": "", "context": "", "attributes": "", "links": ""}
ir_findings = {}
indicator_match = ""
related_events = ""

## Run the playbook

### RP:1 Query for indicators in MISP

Once the preparation is done, the *core* steps of the playbook are executed.

A typical *use case* is where your organisation identifies certain indicators that are part of unusual behaviour. How can you quickly get to know what your MISP **community** knows about these indicators?

The guidelines of the MISP playbook recommends to define **playbook variables ('input')** outside code blocks. This makes the playbook more accessible for users without coding skills. In this section, the **indicators** are defined in the variable `indicators`.

In [None]:
# Search for indicators
#    IP: 94.131.98.14
#    Filenames: "compcheckresult.cgi", "Nwsapagent.sys"
indicators=["94.131.98.14", "%compcheckresult.cgi"]

Some additional options that are available when querying MISP:
- `to_ids`: Is the indicator *actionable* (useful for detection/alerting purposes) or primarily for *informationable* purposes?
- `published`: Only include Published (*shared with others*) events
- `pythonify`: Return as Python objects

In [None]:
# MISP search
search_results = misp.search("attributes", value=indicators, to_ids=None, published=None, pythonify=True)

print("Found {} results".format(len(search_results)))
if len(search_results) > 0:
    table = PrettyTable()
    table.field_names = ["Indicator", "Event ID", "Event Title", "Organisation"]
    table._max_width = {"Event Title": 30}
    table.align["Indicator"] = "l"
    table.align["Event Title"] = "l"
    table.align["Organisation"] = "l"
    for hit in search_results:
        table.add_row([hit.value, hit.Event.id, hit.Event.info, misp.get_organisation(hit.Event.orgc_id, pythonify=True).name])
    print(table.get_string(sortby="Indicator"))
    indicator_match = table

### RP:2 Get indicators for a specific MISP threat event

One of the results in the previous query looks interesting to us. Get all indicators for the threat event **Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa**.

In [None]:
# Specify the MISP event ID as a filter
eventid = "3345"

Use the `get_event` function from PyMISP to get all information available on this threat event. You can specify a MISP event ID, but also a unique UUID.

In [None]:
# Get all information related to a specific MISP event
misp_event = misp.get_event(eventid, pythonify=True)

if not "errors" in misp_event:
    # The metadata of an event
    event_details["header"] = """### Event: {}
- Organisation: **{}**
- ID/UUID: {} / {}
- Date: {}
- Distribution: **{}**
- Analysis: **{}**
- Threat level: **{}**
""".format(misp_event.info, misp_event.Orgc.name, misp_event.id, misp_event.uuid, misp_event.date, 
           Distribution(misp_event.distribution), Analysis(misp_event.analysis), ThreatLevel(misp_event.threat_level_id))
    
    # Display the contextual elements
    event_details["context"] = "#### Context\n"
    for tag in misp_event.Tag:
        event_details["context"] = "{}- {}\n".format(event_details["context"], tag.name)
        
        
    # External links that can be useful to consult
    event_details["links"] = "#### Useful reading material\n"    
    attributes = __includeFlattenedAttributes(misp_event.Attribute, misp_event.Object)
    
    
    # The indicators/attributes in this event
    table = PrettyTable()
    table.field_names = ["Indicator", "In feeds", "Type", "Category"]
    table.align["Indicator"] = "l"
    table.align["Type"] = "l"
    table.align["Category"] = "l"
    for attribute in attributes:
        if attribute.type == "link":
            event_details["links"] = "{}- {}\n".format(event_details["links"], attribute.value)
        if attribute.to_ids:
            if hasattr(attribute, 'Feed'):
                table.add_row([attribute.value, "*", attribute.type, attribute.category])
            else:
                table.add_row([attribute.value, " ", attribute.type, attribute.category])
    table.set_style(MARKDOWN)
    event_details["attributes"] = "#### Attributes\n{}".format(table.get_string())
              
# Print out everything in MarkDown, we will also send this to Mattermost
display_markdown(event_details["header"], raw=True)
display_markdown(event_details["context"], raw=True)
display_markdown(event_details["attributes"], raw=True)
display_markdown(event_details["links"], raw=True)

### RP:3 Get all events related to a specific intrusion set

MISP has an extensive list of elements that provide contextual information to threat events. It's called MISP [Galaxy Clusters](https://www.misp-project.org/galaxy.html) and, among other elements, includes the information from MITRE, such as the Intrusion Sets (or *threat actors*). 

In this example we want to know more about the threat actor **MuddyWater**, identified with **G0069**.

In [None]:
# Specify the filter for the threat actor
context_filter = "MuddyWater - G0069"

In [None]:
tag_filter = "misp-galaxy:mitre-intrusion-set=\"{}\"".format(context_filter)

# Search for events that are tagged with the "tag_filter"
search_results = misp.search("events", tags=tag_filter, pythonify=True)
print("Found {} results".format(len(search_results)))
if len(search_results) > 0:
    
    # Print out the results in an easy to read table
    table = PrettyTable()
    table.field_names = ["Event ID", "Event Title", "Date", "Organisation"]
    table._max_width = {"Event Title": 30}
    table.align["Event ID"] = "l"
    table.align["Event Title"] = "l"
    table.align["Organisation"] = "l"    
    for hit in search_results:
        table.add_row([hit.id, hit.info, hit.date, hit.Orgc.name])
    print(table.get_string(sortby="Date"))
    related_events = table

### RP:4 Send a summary to Mattermost

So far we have
- Queried MISP for **indicators**
- Identified **actionable** indicators for a threat event related to our investigation
- Searched for events related to a **threat actor** we're interested in.

We can notify our colleagus of these findings via Mattermost.

In [None]:
summary = event_details["header"] + "\n" + event_details["context"] + "\n" + event_details["attributes"] + "\n" + event_details["links"]
message = {"username": mattermost_playbook_user, "text": summary}
r = requests.post(mattermost_hook, data=json.dumps(message))
r.raise_for_status()
if r.status_code == 200:
    print("Summary is \033[92msent to Mattermost.\n")
else:
    print("\033[91mFailed to sent summary\033[90m to Mattermost.\n")

## Create a MISP threat event

### CR:1 Set the event details

Put the event details in variables that can be easily edited.

In [None]:
event_title = "MISP playbook demo event"
event_threat_level_id = ThreatLevel.low
event_analysis = Analysis.ongoing
event_distribution = Distribution.your_organisation_only
event_date = date.today()       

### CR:2 Create the event

Adding threat events to MISP is easy with [PyMISP](https://github.com/MISP/PyMISP).

- First, **create a MISP event**,
- Add context elements, such as TLP and TTPs.

In [None]:
# Link the previously set variables with MISPEvent()
event = MISPEvent()
event.info = event_title
event.distribution = event_distribution
event.threat_level_id = event_threat_level_id
event.analysis = event_analysis
event.set_date(event_date)

# Create the MISP event on the server side
ir_findings["event"] = misp.add_event(event, pythonify=True)
ir_findings["attributes"] = {}
ir_findings["misp_attributes"] = {}
print("Result: Event ID: {} UUID: {}".format(ir_findings["event"].id, ir_findings["event"].uuid))
      
# Add context to our event
global_tags = ["tlp:amber", 
               "misp-galaxy:mitre-intrusion-set=\"MuddyWater - G0069\"",
               "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
               "misp-galaxy:malpedia=\"MuddyC2Go\""]
local_tags = ["workflow:todo=\"preserve-evidence\"", "workflow:state=\"incomplete\""]
for tag in global_tags:
    misp.tag(ir_findings["event"].uuid, tag)
for tag in local_tags:
    misp.tag(ir_findings["event"].uuid, tag, True)

### CR:3 Add attributes to MISP

We add attributes defined in `ir_findings["indicators"]` to the newly created event.

In [None]:
ir_findings["indicators"] = [
    {"value": "1.2.3.4", "type": "ip-src", "category": "Network activity", "to_ids": 1, "comment": "IR findings"},
    {"value": "5.6.7.8", "type": "ip-src", "category": "Network activity", "to_ids": 1, "comment": "IR findings"},
    {"value": "94.131.98.14", "type": "ip-src", "category": "Network activity", "to_ids": 1, "comment": "IR findings",
        "tags": ["course-of-action:active=\"deceive\""]},
    {"value": "5da8c98136d98dfec4716edd79c7145f", "type": "md5", "category": "Payload delivery", "to_ids": 1, "comment": "IR findings"},
    {"value": "2ec505088b942c234f39a37188e80d7a", "type": "md5", "category": "Payload delivery", "to_ids": 1, "comment": "IR findings"},
    {"value": "compcheckresult.cgi", "type": "filename", "category": "Payload delivery", "to_ids": 0, "comment": "IR findings",
        "tags": ["probably-not-related"]},
]

In [None]:
for indicator in ir_findings["indicators"]:
    misp_attribute = misp.add_attribute(ir_findings["event"].uuid, indicator, pythonify=True)
    ir_findings["misp_attributes"][indicator["value"]] = misp_attribute
    print("Add {} - {}".format(indicator["value"], misp_attribute.uuid))

### CR:4 Lookup hashes in Hashlookup - Disable to_ids for known legitimate file hashes

We added one hash to our threat event. In order to avoid working with a false lead it's good to check first if this hash is linked to a "known good" software. To accomplish this we use one of the MISP modules, the [CIRCL Hashlookup](https://www.circl.lu/services/hashlookup/) service.

In [None]:
for indicator in ir_findings["indicators"]:
    if indicator["type"] in ["sha1", "md5", "sha256"]:
        indicator_type = indicator["type"]
        indicator_value = indicator["value"]
        data = {"attribute": {"type": f"{indicator_type}", "uuid": str(uuid.uuid4()), "value": f"{indicator_value}"},
                "module": "hashlookup", "config": {"custom_API": False}
                }
        result = requests.post("{}/query".format(misp_modules_url), headers=misp_modules_headers, json=data)
        if "results" in result.json() and len(result.json()["results"]) > 0:
            result_json = result.json()["results"]
            for misp_object in result_json.get("Object", []):
                filename = "Unknown"
                created_object = misp.add_object(ir_findings["event"].uuid, misp_object, pythonify=True)
                for misp_object_attribute in misp_object["Attribute"]:
                    if misp_object_attribute["object_relation"] == "FileName":
                        filename = misp_object_attribute["value"]
                if not "errors" in created_object:
                    print(" Got \033[92m{}\033[90m ".format(misp_object["name"]))
                    misp.add_object_reference(created_object.add_reference(ir_findings["misp_attributes"][indicator_value].uuid, "related-to"))
                    misp.tag(ir_findings["misp_attributes"][indicator_value].uuid, "cudeso.be:curated=\"disable_ids_circl_hashlookup\"", True)
                    misp.update_attribute({"uuid": ir_findings["misp_attributes"][indicator_value].uuid, "to_ids": 0})
                    print(" Disabled to_ids for \033[92m{}\033[90m - filename: {}".format(indicator_value, filename))

### CR:4 Get related threat events

A good practice before diving into all the indicators you explored during IR is to sketch a picture of what's already known about them. The MISP **related events** is a good start for this.

We first query MISP for our newly created event, it will then return all the identifiers for the related evens and feeds.

In [None]:
misp_event = misp.get_event(ir_findings["event"].uuid, pythonify=True)
print("Related events:")
for event_related in misp_event.RelatedEvent:
    print(event_related)
print("\nOverlap with MISP feeds:")
for event_overlap in misp_event.Feed:
    print(event_overlap)

### CR:5 Add a MISP report

A report in MISP allows to combine documentation (in Markdown) with attributes/indicators. In this case we just add our previously created summary as a MISP report.

In [None]:
event_title = "Information related to our incident response investigation"
print("Creating MISP report \033[92m{}\033[90m".format(event_title))
chunk_size = 61500
for i in range(0, len(summary), chunk_size):
    chunk = summary[i:i + chunk_size]
    event_report = MISPEventReport()
    event_title_edit = event_title
    if i > 0:
        event_title_edit = "{} ({} > {})".format(event_title, i, i + chunk_size)
    event_report.name = event_title_edit
    event_report.content = chunk
    result = misp.add_event_report(ir_findings["event"].id, event_report)
    if "EventReport" in result:
        print(" Report ID: \033[92m{}\033[90m".format(result.get("EventReport", []).get("id", 0)))
    else:
        print("Failed to create report for \033[91m{}\033[90m.".format(event_title))

### CR:6 Publish the MISP event

And finally, the last step is to remove the incomplete workflow tag and **publish** the event. This makes it available to our community.

In [None]:
misp.untag(ir_findings["event"].uuid, "workflow:state=\"incomplete\"")
misp.untag(ir_findings["event"].uuid, "workflow:todo=\"preserve-evidence\"")
misp.tag(ir_findings["event"].uuid, "workflow:state=\"complete\"", True)
print(misp.publish(ir_findings["event"].uuid))
print("Event \033[92mpublished\033[90m")

## Closure

### External references

- [MISP playbooks](https://github.com/MISP/misp-playbooks)
- [MISP](https://www.misp-project.org/)
- [PyMISP](https://github.com/MISP/PyMISP)
- [MISP modules](https://github.com/MISP/misp-modules)
- [Hashlookup](https://www.circl.lu/services/hashlookup/)