# Access a MISP instance using pymisp

Before running this, you'll need:

* `pip install pymisp`
* An access token (API key) for a MISP instance

More help at
* https://pypi.org/project/pymisp/
* Pymisp notebooks: https://github.com/MISP/PyMISP/tree/master/docs/tutorial 

In [50]:
from pymisp import ExpandedPyMISP


# Get MISP creds: the file holds a single line of the form "<url>,<api key>"
with open('/Users/sara/cscmisp.txt', 'r') as cscsecret:
    (cscurl, csckey) = [x.strip() for x in cscsecret.readline().split(',')]
# Third argument is ssl: False disables certificate verification, so outside of testing
# pass True (or the path to a CA bundle for a self-signed instance) instead
misp = ExpandedPyMISP(cscurl, csckey, False)



In [51]:
help(misp)

Help on ExpandedPyMISP in module pymisp.aping object:

class ExpandedPyMISP(pymisp.api.PyMISP)
 |  ExpandedPyMISP(url: str, key: str, ssl=True, debug: bool = False, proxies: dict = {}, cert: Tuple[str, tuple] = None, auth: requests.auth.AuthBase = None, tool: str = '')
 |  
 |  Python API for MISP
 |  
 |  :param url: URL of the MISP instance you want to connect to
 |  :param key: API key of the user you want to use
 |  :param ssl: can be True or False (to check ot not the validity of the certificate. Or a CA_BUNDLE in case of self signed certificate (the concatenation of all the *.crt of the chain)
 |  :param debug: Write all the debug information to stderr
 |  :param proxies: Proxy dict as describes here: http://docs.python-requests.org/en/master/user/advanced/#proxies
 |  :param cert: Client certificate, as described there: http://docs.python-requests.org/en/master/user/advanced/#client-side-certificates
 |  :param auth: The auth parameter is passed directly to requests, as describe

# Read in an incident and its details

What we'd like to do is 1) see all the MISP events that we have for our group
* Get a list of events for our group - or all connected groups
* Filter that list by topics of interest (e.g. COVID-19 tags)
* See the event ids that correspond to the incident names we use in our other systems

We'd like to read data on a specific event, so we can use it in analysis
* Get data for a named incident

We'd also like to know about the data that's connected to a specific event, so we can analyse that too
* Get objects connected to a named incident

In [52]:
# Look at the Covid19 results we have in the MISP
results = misp.search("events", tags="COVID-19")
[(result['Event']['id'], result['Event']['info']) for result in results]



[('31', 'US Piracy'), ('8090', 'Covid5G')]

In [48]:
results[1]['Event']

{'id': '8090',
 'orgc_id': '1',
 'org_id': '1',
 'date': '2020-04-29',
 'threat_level_id': '4',
 'info': 'Covid5G',
 'published': False,
 'uuid': '5ea8ded8-c790-457e-ba18-04e8ac150006',
 'attribute_count': '5',
 'analysis': '0',
 'timestamp': '1588126766',
 'distribution': '2',
 'proposal_email_lock': False,
 'locked': False,
 'publish_timestamp': '0',
 'sharing_group_id': '0',
 'disable_correlation': False,
 'extends_uuid': '',
 'event_creator_email': 'sarajterp@gmail.com',
 'Org': {'id': '1',
  'name': 'CogSec Collab',
  'uuid': '5e2dd31a-3bcc-45e8-ba7e-2ab890d945c8',
  'local': True},
 'Orgc': {'id': '1',
  'name': 'CogSec Collab',
  'uuid': '5e2dd31a-3bcc-45e8-ba7e-2ab890d945c8',
  'local': True},
 'Attribute': [],
 'ShadowAttribute': [],
 'RelatedEvent': [],
 'Galaxy': [{'id': '21',
   'uuid': '4d381145-9a5e-4778-918c-fbf23d78544e',
   'name': 'Misinformation Pattern',
   'type': 'amitt-misinformation-pattern',
   'description': 'AM!TT Tactic',
   'version': '4',
   'icon': 'map',

In [45]:
misp.get_event(8090)



{'Event': {'id': '8090',
  'orgc_id': '1',
  'org_id': '1',
  'date': '2020-04-29',
  'threat_level_id': '4',
  'info': 'Covid5G',
  'published': False,
  'uuid': '5ea8ded8-c790-457e-ba18-04e8ac150006',
  'attribute_count': '5',
  'analysis': '0',
  'timestamp': '1588126766',
  'distribution': '2',
  'proposal_email_lock': False,
  'locked': False,
  'publish_timestamp': '0',
  'sharing_group_id': '0',
  'disable_correlation': False,
  'extends_uuid': '',
  'event_creator_email': 'sarajterp@gmail.com',
  'Org': {'id': '1',
   'name': 'CogSec Collab',
   'uuid': '5e2dd31a-3bcc-45e8-ba7e-2ab890d945c8',
   'local': True},
  'Orgc': {'id': '1',
   'name': 'CogSec Collab',
   'uuid': '5e2dd31a-3bcc-45e8-ba7e-2ab890d945c8',
   'local': True},
  'Attribute': [],
  'ShadowAttribute': [],
  'RelatedEvent': [],
  'Galaxy': [{'id': '21',
    'uuid': '4d381145-9a5e-4778-918c-fbf23d78544e',
    'name': 'Misinformation Pattern',
    'type': 'amitt-misinformation-pattern',
    'description': 'AM!TT T

# Create an incident in MISP

What we'd like to do is 1) add a new incident to MISP
* set distribution to "connected communities"
* set threat level to undefined
* set event info to the name of the incident
* set tags to e.g. "Covid-19"
* (maybe) add the misinformation pattern - although that's probably better done by hand
* get the event id for this incident

We'd also like to 2) add mass incident data to this event from a spreadsheet
* Add an object to the event for every microblog (tweet or facebook post)
* Add an object for every facebook group
* Add an object for every URL
* Fill out as many details as we can for each type of object

What we'd also like to do is 3) add incident data to this event from slack, via bot
* as above, but using bot commands
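An added example (not from the notebook) for step 2: building the event payload for a bulk import from a constructed spreadsheet with only the standard library, so it can be checked offline before being loaded into a MISPEvent (pymisp's `MISPEvent` has a `from_dict` method for that) and pushed with `misp.add_event`. The `object_relation` names `url` and `post` follow the misp-objects `microblog` and `url` templates; check them against the templates loaded on your instance.

```python
import csv
import io

# Constructed sample spreadsheet (not from the notebook): one row per item to add.
# The second tweet row is a deliberate duplicate to show de-duplication.
SAMPLE_CSV = """kind,url,text
tweet,https://twitter.com/example_user/status/1,claim that 5G towers spread the virus
facebook,https://www.facebook.com/groups/example/posts/2,lockdown protest call
tweet,https://twitter.com/example_user/status/1,claim that 5G towers spread the virus
url,https://example.invalid/article,
"""

# The settings used for the event in the notebook
DISTRIBUTION_CONNECTED_COMMUNITIES = "2"
THREAT_LEVEL_UNDEFINED = "4"

def microblog_object(row):
    """One 'microblog' object (misp-objects template) for a tweet or facebook post."""
    attrs = [{"object_relation": "url", "type": "url", "value": row["url"]}]
    if row["text"]:
        attrs.append({"object_relation": "post", "type": "text", "value": row["text"]})
    return {"name": "microblog", "Attribute": attrs}

def url_object(row):
    """One 'url' object for a bare link."""
    return {"name": "url",
            "Attribute": [{"object_relation": "url", "type": "url", "value": row["url"]}]}

BUILDERS = {"tweet": microblog_object, "facebook": microblog_object, "url": url_object}

def build_event(name, start_date, tags, csv_text):
    """Build the event dict (same shape as MISPEvent.to_json()) with one object per row."""
    event = {
        "info": name, "date": start_date, "analysis": "0",
        "distribution": DISTRIBUTION_CONNECTED_COMMUNITIES,
        "threat_level_id": THREAT_LEVEL_UNDEFINED,
        "Tag": [{"name": t} for t in tags],
        "Object": [],
    }
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["kind"].strip().lower()
        if kind not in BUILDERS:
            raise ValueError(f"unknown kind {kind!r} for {row['url']}")
        if row["url"] in seen:  # same link listed twice in the sheet: add it once
            continue
        seen.add(row["url"])
        event["Object"].append(BUILDERS[kind](row))
    return event
```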

In [53]:
from datetime import date
from pymisp import MISPEvent

# Fill out these things
incidentstart = '2020-04-14'  # or date.today()
incidentname = 'operationgridlock'
tags = ['tlp:white', 'COVID-19', 'lockdown']

# Create event object
event = MISPEvent()

event.info = incidentname
event.distribution = 2      # connected communities
event.threat_level_id = 4   # undefined
event.analysis = 0          # initial analysis
event.set_date(incidentstart)
for tag in tags:
    event.add_tag(tag)

# Push it to the instance; pythonify=True returns a MISPEvent carrying the server-assigned id
newevent = misp.add_event(event, pythonify=True)

print(event.to_json())

{
  "Tag": [
    {
      "name": "tlp:white"
    },
    {
      "name": "COVID-19"
    },
    {
      "name": "lockdown"
    }
  ],
  "analysis": "0",
  "date": "2020-04-14",
  "distribution": "2",
  "info": "operationgridlock",
  "threat_level_id": "4"
}




# Add an object to a MISP incident

In [54]:
newevent

<MISPEvent(info=operationgridlock)

In [56]:
from pymisp import MISPObject
from microblogobject import MicroblogObject

object_properties = {'url': 'https://twitter.com/josh_emerson/status/1250539109246001152?s=19'}
misp_object = MicroblogObject(parameters=object_properties)
newevent.add_object(misp_object)

ModuleNotFoundError: No module named 'microblogobject'

In [None]:
# The object generator ships with PyMISP under pymisp.tools, not as a top-level module
from pymisp.tools import MicroblogObject

# Build an attribute dictionary containing the properties of the misp object.
object_properties = {'url': 'https://twitter.com/josh_emerson/status/1250539109246001152?s=19'}
# Instantiate the MISP object
misp_object = MicroblogObject(parameters=object_properties)
# Append the object to the MISP Event
newevent.add_object(misp_object)
# Update the event on the server: ExpandedPyMISP.update_event takes the event itself
# (the id is read from newevent), not a hard-coded id
response = misp.update_event(newevent)
