# MISP

In [None]:
%pip install pymisp > /dev/null

In [None]:
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

In [None]:
from dotenv import dotenv_values

In [None]:
from surianalytics.connectors import getGitRoot, check_str_bool

In [None]:
import os
import shutil

In [None]:
config = dotenv_values(os.path.join(getGitRoot(), ".env") if shutil.which("git") is not None else os.path.join(os.path.expanduser("~"), ".env"))

In [None]:
from pymisp import PyMISP

In [None]:
misp = PyMISP(config["MISP_HOST"],
              config["MISP_TOKEN"],
              check_str_bool(config["MISP_TLS_VERIFY"]),
              debug=False)

In [None]:
result = misp.search(controller='attributes', timestamp="1d", type_attribute="domain", category="Network activity", pythonify=False)

In [None]:
import pandas as pd

In [None]:
DF_ATTR = pd.json_normalize(result["Attribute"])
len(DF_ATTR)

In [None]:
DF_ATTR.groupby("type").agg({"value": "nunique",
                             "event_id": "nunique"})

In [None]:
DF_ATTR.groupby(["Event.info", "event_id", "type"]).agg({"value": ["unique", "nunique"]})

# Scan for IoC values via scirius

In [None]:
from surianalytics.connectors import RESTSciriusConnector

In [None]:
c = RESTSciriusConnector()

In [None]:
DAYS = 7

In [None]:
c.set_query_delta(hours=24 * DAYS)

In [None]:
c.set_page_size(10000)

In [None]:
DF_EVENTS = c.retrosearch(domains=list(DF_ATTR.value.unique()))
len(DF_EVENTS)

# Report domain matches

## Group by value

In [None]:
(
    DF_EVENTS
    .groupby(["ioc.value.match"])
    .agg({
        "timestamp": ["min", "max"],
        "src_ip": ["unique", "nunique"],
        "dest_ip": ["unique", "nunique"],
        "tls.ja3.hash": ["unique"],
        "tls.ja3s.hash": ["unique"],
        "http.status": ["unique"],
        "http.url": ["unique"]
    })
)

## Group by time

In [None]:
BIN_SIZE = "1h"

In [None]:
(
    DF_EVENTS
    .groupby([pd.Grouper(key="timestamp", freq=BIN_SIZE)])
    .agg({
        "timestamp": ["min", "max"],
        "ioc.value.match": ["unique", "nunique", "count"],
        "src_ip": ["unique", "nunique"],
        "dest_ip": ["unique", "nunique"],
        "tls.ja3.hash": ["unique"],
        "tls.ja3s.hash": ["unique"],
        "http.status": ["unique"],
        "http.url": ["unique"],
    })
)

# Plot results

## By event type

In [None]:
import hvplot.pandas

In [None]:
DF_AGG_TIME_PLOT = (
    DF_EVENTS
    .groupby([pd.Grouper(key="timestamp", freq=BIN_SIZE), "event_type"])
    .agg({
        "ioc.value.match": ["count"],
    })
    .reset_index()
)

In [None]:
DF_AGG_TIME_PLOT.columns = ["timestamp", "event_type", "count"]

In [None]:
(
    DF_AGG_TIME_PLOT
    .pivot(index="timestamp", columns=["event_type"], values="count")
    .hvplot
    .line(width=900, height=400)
)

## By Domain

In [None]:
DF_AGG_TIME_PLOT_CPX = (
    DF_EVENTS
    .groupby([pd.Grouper(key="timestamp", freq=BIN_SIZE), "ioc.value.match"])
    .agg({
        "ioc.value.match": ["count"]
    })
    .reset_index()
)

In [None]:
DF_AGG_TIME_PLOT_CPX

In [None]:
DF_AGG_TIME_PLOT_CPX.columns = ["timestamp", "domain", "count"]

In [None]:
(
    DF_AGG_TIME_PLOT_CPX
    .pivot(index="timestamp", columns="domain", values="count")
    .hvplot
    .scatter(width=900, height=400)
)