# Initializing your environment

## Setting up a virtual environment
(Optional but recommended)

```bash
virtualenv -p python3 venv
source venv/bin/activate
```
(Use `deactivate` to exit from `source` once you are done)

Alternatively you can also prefix all your `python` and `pip` commands with `./venv/bin/` (e.g: `./venv/bin/pip3 install -U pip`)



## Setting up Jupyter

In order to follow along on your computer:

```bash
pip3 install notebook
jupyter-notebook
```

## Installation of PyMISP

#### Make sure the submodules are up-to-date and cloned

```bash
git submodule update --init --recursive PyMISP/
```

#### Install PyMISP with the developer options

```bash
cd PyMISP
pip3 install -e .
```

# Interacting with your MISP instance

### Recovering your API key

- Go to `Global Actions` then `My profile`
- Alternatively, access the `/users/view/me` URL of your MISP instance

## Initializing the variables

We need to set a few variables:
- The URL of the MISP instance
- Your API key

In [None]:
from pymisp import PyMISP
from pprint import pprint
AUTHKEY = "_YOUR_AUTHENTICATION_KEY_"
URL = "https://training5.misp-community.org/"
import urllib3
urllib3.disable_warnings()
misp = PyMISP(URL, AUTHKEY, False)

def print_result(result):
    flag_printed = False
    if isinstance(result, list):
        print("Count: %s" % len(result))
        flag_printed = True
        for i in result:
            if 'Event' in i and 'Attribute' in i['Event']:
                print("  - Attribute count: %s" % len(i['Event']['Attribute']))
    elif isinstance(result, dict):
        if 'Attribute' in result:
            print("Count: %s" % len(result['Attribute']))
            flag_printed = True
        elif 'Event' in result and 'Attribute' in result['Event']:
            print("Attribute count: %s" % len(result['Event']['Attribute']))
            flag_printed = True
    if flag_printed:
        print('----------')
    pprint(result)

# Events

## Creation and Edition

In [2]:
# Creation
endpoint = '/events/add'

body = {
    "info": "Event created via the API as an example",
    "threat_level_id": 1,
    "distribution": 0
}

res = misp.direct_call(endpoint, body)
print_result(res)
event_id = res['Event']['id']

Attribute count: 0
----------
{'Event': {'Attribute': [],
           'CryptographicKey': [],
           'EventReport': [],
           'Galaxy': [],
           'Object': [],
           'Org': {'id': '13',
                   'local': True,
                   'name': 'CIRCL',
                   'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'Orgc': {'id': '13',
                    'local': True,
                    'name': 'CIRCL',
                    'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'RelatedEvent': [],
           'ShadowAttribute': [],
           'analysis': '0',
           'attribute_count': '0',
           'date': '2025-04-03',
           'disable_correlation': False,
           'distribution': '0',
           'event_creator_email': 'christian.studer@circl.lu',
           'extends_uuid': '',
           'id': '53',
           'info': 'Event created via the API as an example',
           'locked': False,
           'org_id': '13',
           'orgc_

In [3]:
# Edition 1
endpoint = '/events/edit/'

body = {
    "distribution": 3,
#     "sharing_group_id": 1
}

res = misp.direct_call(endpoint + event_id, body)
print_result(res)

Attribute count: 0
----------
{'Event': {'Attribute': [],
           'CryptographicKey': [],
           'EventReport': [],
           'Galaxy': [],
           'Object': [],
           'Org': {'id': '13',
                   'local': True,
                   'name': 'CIRCL',
                   'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'Orgc': {'id': '13',
                    'local': True,
                    'name': 'CIRCL',
                    'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
           'RelatedEvent': [],
           'ShadowAttribute': [],
           'analysis': '0',
           'attribute_count': '0',
           'date': '2025-04-03',
           'disable_correlation': False,
           'distribution': '3',
           'event_creator_email': 'christian.studer@circl.lu',
           'extends_uuid': '',
           'id': '53',
           'info': 'Event created via the API as an example',
           'locked': False,
           'org_id': '13',
           'orgc_

In [4]:
# Edition 2 - Adding Attribute
endpoint = '/events/edit/'

body = {
    "distribution": 0,
    "Attribute": [
        {
            "value": "9.9.9.9",
            "type": "ip-src"
        }
    ]
}

res = misp.direct_call(endpoint + event_id, body)
print_result(res)
event_uuid = res['Event']['uuid']

Attribute count: 1
----------
{'Event': {'Attribute': [{'Galaxy': [],
                          'ShadowAttribute': [],
                          'category': 'Network activity',
                          'comment': '',
                          'deleted': False,
                          'disable_correlation': False,
                          'distribution': '5',
                          'event_id': '53',
                          'first_seen': None,
                          'id': '200027',
                          'last_seen': None,
                          'object_id': '0',
                          'object_relation': None,
                          'sharing_group_id': '0',
                          'timestamp': '1743683879',
                          'to_ids': True,
                          'type': 'ip-src',
                          'uuid': '63e93acf-71da-44e8-a48d-8f949e5ebc66',
                          'value': '9.9.9.9'}],
           'CryptographicKey': [],
           'Even

In [5]:
# Edition 2 - tagging 1
endpoint = '/tags/attachTagToObject'

body = {
    "uuid": event_uuid, # can be anything: event or attribute
    "tag": "tlp:amber"
}

res = misp.direct_call(endpoint, body)
print_result(res)

{'message': 'Global tag tlp:amber(93) successfully attached to Event(53).',
 'name': 'Global tag tlp:amber(93) successfully attached to Event(53).',
 'saved': True,
 'success': True,
 'url': '/tags/attachTagToObject'}


# Attributes

## Creation and edition

In [6]:
# Adding
endpoint = '/attributes/add/'

body = {
    "value": "8.8.8.9",
    "type": "ip-dst"
}

res = misp.direct_call(endpoint + event_id, body)
print_result(res)
attribute_id = res['Attribute']['id']

Count: 19
----------
{'Attribute': {'category': 'Network activity',
               'comment': '',
               'deleted': False,
               'disable_correlation': False,
               'distribution': '5',
               'event_id': '53',
               'first_seen': None,
               'id': '200028',
               'last_seen': None,
               'object_id': '0',
               'object_relation': None,
               'sharing_group_id': '0',
               'timestamp': '1743683890',
               'to_ids': True,
               'type': 'ip-dst',
               'uuid': '7d8625c8-0d42-4bb3-9251-4d670bb3aac6',
               'value': '8.8.8.9',
               'value1': '8.8.8.9',
               'value2': ''},
 'AttributeTag': []}


In [7]:
# Adding invalid attribute type
endpoint = '/attributes/add/'

body = {
    "value": "8.8.8.9",
    "type": "md5"
}

res = misp.direct_call(endpoint + event_id, body)
print_result(res)

Something went wrong (403): {'saved': False, 'name': 'Could not add Attribute', 'message': 'Could not add Attribute', 'url': '/attributes/add', 'errors': {'value': ['Checksum has an invalid length or format (expected: 32 hexadecimal characters). Please double check the value or select type "other".']}}


{'errors': (403,
            {'errors': {'value': ['Checksum has an invalid length or format '
                                  '(expected: 32 hexadecimal characters). '
                                  'Please double check the value or select '
                                  'type "other".']},
             'message': 'Could not add Attribute',
             'name': 'Could not add Attribute',
             'saved': False,
             'url': '/attributes/add'})}


In [8]:
# Editing
endpoint = '/attributes/edit/' # /attributes/edit/[attribute_id]

body = {
    "value": "8.8.8.8",
    "to_ids": 0,
    "comment": "Comment added via the API",
}

res = misp.direct_call(endpoint + attribute_id, body)
print_result(res)

Count: 17
----------
{'Attribute': {'category': 'Network activity',
               'comment': 'Comment added via the API',
               'deleted': False,
               'disable_correlation': False,
               'distribution': '5',
               'event_id': '53',
               'first_seen': None,
               'id': '200028',
               'last_seen': None,
               'object_id': '0',
               'object_relation': None,
               'sharing_group_id': '0',
               'timestamp': '1743683893',
               'to_ids': False,
               'type': 'ip-dst',
               'uuid': '7d8625c8-0d42-4bb3-9251-4d670bb3aac6',
               'value': '8.8.8.8'}}


# Objects

In [9]:
endpoint = '/objects/add/'

body = {
    "name": "microblog",
    "meta-category": "misc",
    "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
    "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
    "template_version": "5",
    "event_id": event_id,
    "timestamp": "1558702173",
    "distribution": "5",
    "sharing_group_id": "0",
    "comment": "",
    "deleted": False,
    "ObjectReference": [],
    "Attribute": [
        {
            "type": "text",
            "category": "Other",
            "to_ids": False,
            "event_id": event_id,
            "distribution": "5",
            "timestamp": "1558702173",
            "comment": "",
            "sharing_group_id": "0",
            "deleted": False,
            "disable_correlation": False,
            "object_relation": "post",
            "value": "post",
            "Galaxy": [],
            "ShadowAttribute": []
        }
    ]
}

res = misp.direct_call(endpoint + event_id, body)
print_result(res)

{'Object': {'Attribute': [{'category': 'Other',
                           'comment': '',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '5',
                           'event_id': '53',
                           'first_seen': None,
                           'id': '200029',
                           'last_seen': None,
                           'object_id': '26182',
                           'object_relation': 'post',
                           'sharing_group_id': '0',
                           'timestamp': '1558702173',
                           'to_ids': False,
                           'type': 'text',
                           'uuid': '1c7d6b68-8d61-4f6e-8880-b51f657f3283',
                           'value': 'post',
                           'value1': 'post',
                           'value2': ''}],
            'comment': '',
            'deleted': False,
            'descri

# Event reports

In [10]:
endpoint = '/eventReports/add/'

body = {
    "name": "Report from API",
    "distribution": 5,
    "sharing_group_id": 0,
    "content": "@[attribute](bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5)"
}

res = misp.direct_call(endpoint + event_id, body)
event_report_id = res['EventReport']['id']

print_result(res)

{'Event': {'Org': {'id': '13', 'name': 'CIRCL'},
           'Orgc': {'id': '13', 'name': 'CIRCL'},
           'date': '2025-04-03',
           'id': '53',
           'info': 'Event created via the API as an example',
           'org_id': '13',
           'orgc_id': '13',
           'user_id': '152'},
 'EventReport': {'content': '@[attribute](bf5ccf85-0270-4d7e-b1a2-4ab636ca8ca5)',
                 'deleted': False,
                 'distribution': '5',
                 'event_id': '53',
                 'id': '19',
                 'name': 'Report from API',
                 'sharing_group_id': '0',
                 'timestamp': '1743683899',
                 'uuid': '52f7aaec-fc10-46cc-b090-d41f1b43a787'},
 'SharingGroup': {'id': None, 'name': None, 'uuid': None}}


In [11]:
# Download HTML, convert it into markdown then save it as Event Report.
endpoint = '/eventReports/importReportFromUrl/'

body = {
    "url": "https://www.circl.lu/pub/tr-84/"
}

res = misp.direct_call(endpoint + event_id, body)
print_result(res)

{'Event': {'Org': {'id': '13', 'name': 'CIRCL'},
           'Orgc': {'id': '13', 'name': 'CIRCL'},
           'date': '2025-04-03',
           'id': '53',
           'info': 'Event created via the API as an example',
           'org_id': '13',
           'orgc_id': '13',
           'user_id': '152'},
 'EventReport': {'content': 'html     # TR-84 - PAN-OS (Palo Alto Networks) OS '
                            'Command Injection Vulnerability in GlobalProtect '
                            'Gateway - CVE-2024-3400\n'
                            '\n'
                            '       ### TR-84 - PAN-OS (Palo Alto Networks) OS '
                            'Command Injection Vulnerability in GlobalProtect '
                            'Gateway - CVE-2024-3400\n'
                            '\n'
                            ' â\x86\x91 Back to Publications and '
                            'Presentations\n'
                            '\n'
                            ' \n'
                  

# Analyst Data

## Analyst Note

In [12]:
analystType = 'Note'
# objectType[Enum]: "Attribute" "Event" "EventReport" "GalaxyCluster" "Galaxy"
#                   "Object" "Note" "Opinion" "Relationship" "Organisation" "SharingGroup"
objectType = 'Event'
endpoint = f'/analystData/add/{analystType}/{event_uuid}/{objectType}'

body = {
    "note": "Ceci est une note",
    "language": "fr-BE",
    "authors": "john.doe@admin.test",
    "distribution": 1
}

res = misp.direct_call(endpoint, body)
print_result(res)

{'Note': {'Org': {'contacts': None,
                  'created_by': '0',
                  'date_created': '2023-09-28 09:56:27',
                  'date_modified': '2023-09-28 09:56:27',
                  'description': 'CIRCL is the CERT (Computer Emergency '
                                 'Response Team/Computer Security Incident '
                                 'Response Team) for the private sector, '
                                 'communes and non-governmental entities in '
                                 'Luxembourg.',
                  'id': '13',
                  'landingpage': None,
                  'local': True,
                  'name': 'CIRCL',
                  'nationality': '',
                  'restricted_to_domain': [],
                  'sector': '',
                  'type': '',
                  'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
          'Orgc': {'contacts': None,
                   'created_by': '0',
                   'date_created': '

## Analyst Opinion

In [13]:
analystType = 'Opinion'
# objectType[Enum]: "Attribute" "Event" "EventReport" "GalaxyCluster" "Galaxy"
#                   "Object" "Note" "Opinion" "Relationship" "Organisation" "SharingGroup"
objectType = 'Event'
endpoint = f'/analystData/add/{analystType}/{event_uuid}/{objectType}'

body = {
    "opinion": 75,
    "comment": "This is an opinion",
    "authors": "john.doe@admin.test",
    "distribution": 1
}

res = misp.direct_call(endpoint, body)
print_result(res)

{'Opinion': {'Org': {'contacts': None,
                     'created_by': '0',
                     'date_created': '2023-09-28 09:56:27',
                     'date_modified': '2023-09-28 09:56:27',
                     'description': 'CIRCL is the CERT (Computer Emergency '
                                    'Response Team/Computer Security Incident '
                                    'Response Team) for the private sector, '
                                    'communes and non-governmental entities in '
                                    'Luxembourg.',
                     'id': '13',
                     'landingpage': None,
                     'local': True,
                     'name': 'CIRCL',
                     'nationality': '',
                     'restricted_to_domain': [],
                     'sector': '',
                     'type': '',
                     'uuid': '55f6ea5e-2c60-40e5-964f-47a8950d210f'},
             'Orgc': {'contacts': None,
                 

# Searches

In [14]:
# Searching the Event index (Move it to the search topic)
endpoint = '/events/index'

body = {
    "eventinfo": "Event created via the API as an example",
#    "publish_timestamp": "2024-04-15",
#    "org": "ORGNAME"
}

res = misp.direct_call(endpoint, body)
print_result(res)

Count: 3
----------
[{'EventTag': [{'Tag': {'colour': '#ffffff',
                        'id': '16',
                        'is_galaxy': False,
                        'name': 'tlp:clear'},
                'event_id': '28',
                'id': '20',
                'local': False,
                'relationship_type': '',
                'tag_id': '16'}],
  'Org': {'id': '5',
          'name': 'ORG_3',
          'uuid': '2b37b76b-b538-4a10-a1ef-9afe0a2a89a6'},
  'Orgc': {'id': '14',
           'name': 'ORGNAME_2141',
           'uuid': '6e14838a-8e55-400b-a3ef-c552750394c6'},
  'analysis': '0',
  'attribute_count': '2',
  'date': '2025-03-19',
  'disable_correlation': False,
  'distribution': '3',
  'extends_uuid': '',
  'id': '28',
  'info': 'Event created via the API as an example',
  'locked': True,
  'org_id': '5',
  'orgc_id': '14',
  'proposal_email_lock': False,
  'protected': None,
  'publish_timestamp': '1742395724',
  'published': True,
  'sharing_group_id': '0',
  'sightin

In [15]:
# Searching the Event index
endpoint = '/events/index'

body = {
    "tags": ["tlp:amber"]
}

res = misp.direct_call(endpoint, body)

print_result(res)

Count: 3
----------
[{'EventTag': [{'Tag': {'colour': '#ec007f',
                        'id': '27',
                        'is_galaxy': False,
                        'name': 'workflow:state="draft"'},
                'event_id': '37',
                'id': '105',
                'local': False,
                'relationship_type': '',
                'tag_id': '27'},
               {'Tag': {'colour': '#FFC000',
                        'id': '93',
                        'is_galaxy': False,
                        'name': 'tlp:amber'},
                'event_id': '37',
                'id': '106',
                'local': False,
                'relationship_type': '',
                'tag_id': '93'},
               {'Tag': {'colour': '#ff2b2b',
                        'id': '24',
                        'is_galaxy': False,
                        'name': 'PAP:RED'},
                'event_id': '37',
                'id': '107',
                'local': False,
                'relati

## RestSearch
**Aka: Most powerful search tool in MISP**

### RestSearch - Attributes

In [16]:
endpoint = '/attributes/restSearch/'

body = {
    "returnFormat": "json",
    "eventid": event_id
}

res = misp.direct_call(endpoint, body)
print_result(res)

Count: 3
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '53',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': 'd6f61a3e-c5e6-4542-a1c4-2fc15b8809df'},
                'category': 'Network activity',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '53',
                'first_seen': None,
                'id': '200027',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1743683879',
                'to_ids': True,
                'type': 'ip-src',
                'uuid': '63e93acf-71da-44e8-a48d

In [17]:
# Searches on Attribute's data
misp_url = '/attributes/restSearch/'

body = {
    "returnFormat": "json",
    "eventid": event_id,
    "type": "ip-dst",
#     "value": "127.0.%"
}

res = misp.direct_call(endpoint, body)
print_result(res)

Count: 1
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '53',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': 'd6f61a3e-c5e6-4542-a1c4-2fc15b8809df'},
                'category': 'Network activity',
                'comment': 'Comment added via the API',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '53',
                'first_seen': None,
                'id': '200028',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1743683893',
                'to_ids': False,
                'type': 'ip-dst',
                'uuid'

In [18]:
# Searches on Attribute's data
endpoint = '/attributes/restSearch/'

body = {
    "returnFormat": "json",
    "eventid": event_id,
    "deleted": [0, 1]    # Consider both deleted AND not deleted
}

# [] == {"OR": []}

res = misp.direct_call(endpoint, body)
print_result(res)

Count: 3
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '53',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': 'd6f61a3e-c5e6-4542-a1c4-2fc15b8809df'},
                'category': 'Network activity',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '53',
                'first_seen': None,
                'id': '200027',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1743683879',
                'to_ids': True,
                'type': 'ip-src',
                'uuid': '63e93acf-71da-44e8-a48d

In [19]:
# Searches on Attribute's data
endpoint = '/attributes/restSearch/'
relative_path = ''

body = {
    "returnFormat": "json",
    "eventid": event_id,
    "tags": ["!tlp:red"]
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)

Count: 3
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '53',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': 'd6f61a3e-c5e6-4542-a1c4-2fc15b8809df'},
                'category': 'Network activity',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '53',
                'first_seen': None,
                'id': '200027',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1743683879',
                'to_ids': True,
                'type': 'ip-src',
                'uuid': '63e93acf-71da-44e8-a48d

In [20]:
# Paginating
endpoint = '/attributes/restSearch/'

body = {
    "returnFormat": "json",
    "eventid": event_id,
    "page": 0,
    "limit": 1
}

res = misp.direct_call(endpoint, body)
print_result(res)

Count: 1
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '53',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': 'd6f61a3e-c5e6-4542-a1c4-2fc15b8809df'},
                'category': 'Network activity',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '53',
                'first_seen': None,
                'id': '200027',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1743683879',
                'to_ids': True,
                'type': 'ip-src',
                'uuid': '63e93acf-71da-44e8-a48d

In [21]:
from datetime import date

# Searches based on time
endpoint = '/attributes/restSearch/'

body = {
    "returnFormat": "json",
    "timestamp": date.today()
}

res = misp.direct_call(endpoint, body)
print_result(res)

Count: 4
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '52',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': '7f340a43-3bc8-43e1-a119-7897597273eb'},
                'category': 'Network activity',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '52',
                'first_seen': None,
                'id': '200024',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1743683075',
                'to_ids': True,
                'type': 'ip-src',
                'uuid': '8f3deed4-d1a8-4f86-a727

## Precision regarding the different timestamps
- ``publish_timestamp`` = Time at which the event was published
    - Usage: get data that arrived in my system since x
    - E.g.: New data from a feed
- ``timestamp`` = Time of the last modification on the data
    - data was modified in the last x hours
    - E.g.: Last updated data from a feed
- ``event_timestamp``: Used in the Attribute scope
    - Event modified in the last x hours

In [22]:
# Searches based on time: Relative
endpoint = '/attributes/restSearch/'

body = {
    "returnFormat": "json",
    "eventid": event_id,
    "from": "1d"
}

res = misp.direct_call(endpoint, body)
print_result(res)

Count: 3
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '53',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': 'd6f61a3e-c5e6-4542-a1c4-2fc15b8809df'},
                'category': 'Network activity',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '53',
                'first_seen': None,
                'id': '200027',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1743683879',
                'to_ids': True,
                'type': 'ip-src',
                'uuid': '63e93acf-71da-44e8-a48d

In [23]:
# Searches with attachments
endpoint = '/attributes/restSearch/'

body = {
    "returnFormat": "json",
    "type": "attachment",
    # "withAttachments": 1
    "withAttachments": 0
}

res = misp.direct_call(endpoint, body)
print_result(res)

Count: 24
----------
{'Attribute': [{'Event': {'distribution': '3',
                          'id': '29',
                          'info': 'CryptoLocker ransomware with Bitcoin ransom '
                                  'on accountant phishing email',
                          'org_id': '5',
                          'orgc_id': '2',
                          'publish_timestamp': '1742471581',
                          'uuid': '4c8e87bb-1a96-4a91-b634-1106f11dcd75'},
                'category': 'Payload installation',
                'comment': 'Screenshot of splash message shown by the '
                           'ransomware, which informs the user where to pay '
                           'ransom',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '29',
                'first_seen': None,
                'id': '199318',
                'last_seen': None,
                'object_id': '0',
 

In [24]:
# Searches - Others
endpoint = '/attributes/restSearch/'

body = {
    "returnFormat": "json",
    "eventid": event_id,
    "type": ["ip-src", "ip-dst"],
    "enforceWarninglist": 1
}

res = misp.direct_call(endpoint, body)
print_result(res)

Count: 2
----------
{'Attribute': [{'Event': {'distribution': '0',
                          'id': '53',
                          'info': 'Event created via the API as an example',
                          'org_id': '13',
                          'orgc_id': '13',
                          'publish_timestamp': '0',
                          'uuid': 'd6f61a3e-c5e6-4542-a1c4-2fc15b8809df'},
                'category': 'Network activity',
                'comment': '',
                'deleted': False,
                'disable_correlation': False,
                'distribution': '5',
                'event_id': '53',
                'first_seen': None,
                'id': '200027',
                'last_seen': None,
                'object_id': '0',
                'object_relation': None,
                'sharing_group_id': '0',
                'timestamp': '1743683879',
                'to_ids': True,
                'type': 'ip-src',
                'uuid': '63e93acf-71da-44e8-a48d

### RestSearch - Events

In [25]:
# Searching using the RestSearch
endpoint = '/events/restSearch'

body = {
    "returnFormat": "json",
    "eventid": event_id,
}

res = misp.direct_call(endpoint, body)
print_result(res)

Count: 1
  - Attribute count: 2
----------
[{'Event': {'Attribute': [{'Galaxy': [],
                           'ShadowAttribute': [],
                           'category': 'Network activity',
                           'comment': '',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '5',
                           'event_id': '53',
                           'first_seen': None,
                           'id': '200027',
                           'last_seen': None,
                           'object_id': '0',
                           'object_relation': None,
                           'sharing_group_id': '0',
                           'timestamp': '1743683879',
                           'to_ids': True,
                           'type': 'ip-src',
                           'uuid': '63e93acf-71da-44e8-a48d-8f949e5ebc66',
                           'value': '9.9.9.9'},
                    

In [None]:
# Searching using the RestSearch - Other return format
!curl \
 -d '{"returnFormat":"csv","eventid":53}' \
 -H "Authorization: _YOUR_AUTOMATION_KEY_" \
 -H "Accept: application/json" \
 -H "Content-type: application/json" \
 -X POST https://training5.misp-community.org/events/restSearch

uuid,event_id,category,type,value,comment,to_ids,date,object_relation,attribute_tag,object_uuid,object_name,object_meta_category
"63e93acf-71da-44e8-a48d-8f949e5ebc66",53,"Network activity","ip-src","9.9.9.9","",1,1743683879,"","","","",""
"7d8625c8-0d42-4bb3-9251-4d670bb3aac6",53,"Network activity","ip-dst","8.8.8.8","Comment added via the API",0,1743683893,"","","","",""
"1c7d6b68-8d61-4f6e-8880-b51f657f3283",53,"Other","text","post","",0,1558702173,"post","","f04a9b17-3763-4906-b467-5d2a9a1aa43f","microblog","misc"



In [27]:
# Searching using the RestSearch - Filtering
endpoint = '/events/restSearch'

body = {
    "returnFormat": "json",
    "value": "9.9.9.9"
}

res = misp.direct_call(endpoint, body)
print_result(res)

Count: 2
  - Attribute count: 2
  - Attribute count: 2
----------
[{'Event': {'Attribute': [{'Galaxy': [],
                           'ShadowAttribute': [],
                           'category': 'Network activity',
                           'comment': '',
                           'deleted': False,
                           'disable_correlation': False,
                           'distribution': '5',
                           'event_id': '52',
                           'first_seen': None,
                           'id': '200024',
                           'last_seen': None,
                           'object_id': '0',
                           'object_relation': None,
                           'sharing_group_id': '0',
                           'timestamp': '1743683075',
                           'to_ids': True,
                           'type': 'ip-src',
                           'uuid': '8f3deed4-d1a8-4f86-a727-a68180fc4519',
                           'value': '9.9.9.9'

In [28]:
# Searching using the RestSearch
endpoint = '/events/restSearch'

body = {
    "returnFormat": "json",
    "org": "CIRCL",
    "metadata": 1
}

res = misp.direct_call(endpoint, body)
print(len(res))

9


In [29]:
# Searching using the RestSearch
endpoint = '/events/restSearch'

body = {
    "returnFormat": "json",
    "eventinfo": "%via the API%",
#    "published": 1
}

res = misp.direct_call(endpoint, body)
print_result(res)

Count: 3
  - Attribute count: 1
  - Attribute count: 2
  - Attribute count: 2
----------
[{'Event': {'Attribute': [{'Galaxy': [],
                           'ShadowAttribute': [],
                           'Tag': [{'colour': '#FF2B2B',
                                    'exportable': True,
                                    'hide_tag': False,
                                    'id': '17',
                                    'is_custom_galaxy': False,
                                    'is_galaxy': False,
                                    'local': False,
                                    'local_only': False,
                                    'name': 'tlp:red',
                                    'numerical_value': None,
                                    'relationship_type': None,
                                    'user_id': '0'}],
                           'category': 'Network activity',
                           'comment': 'Comment added via the API',
                 

# Instance management

In [None]:
# Creating Organisation
endpoint = '/admin/organisations/add'
relative_path = ''

body = {
    "name": "TEMP_ORG2"
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)

In [None]:
# Creating Users
endpoint = '/admin/users/add'
relative_path = ''

body = {
    "email": "from_api2@admin.test",
    "org_id": 1009,
    "role_id": 3,
    "termsaccepted": 1,
    "change_pw": 0, # User prompted to change the psswd once logged in
    "password": "~~UlTrA_SeCuRe_PaSsWoRd~~"
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)

In [None]:
# Creating Sharing Groups
endpoint = '/sharing_groups/add'
relative_path = ''

body = {
    "name": "TEMP_SG2",
    "releasability": "To nobody",
    "SharingGroupOrg": [
        {
            "name": "ORGNAME",
            "extend": 1
        },
        {
            "name": "CIRCL",
            "extend": 1
        }
    ]
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)

In [None]:
# Server
endpoint = '/servers/add'
relative_path = ''

body = {
    "url": "http://127.0.0.1:80/",
    "name": "Myself",
    "remote_org_id": "2",
    "authkey": "UHwmZCH4QdSKqPVunxTzfSes8n7ibBhUlsd0dmx9"
    
}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)

In [None]:
# Server settings
endpoint = '/servers/serverSettings'
relative_path = ''

body = {}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)

In [None]:
# Statistics
endpoint = '/users/statistics'
relative_path = ''

body = {}

res = misp.direct_call(endpoint + relative_path, body)
print_result(res)

Not Available:
- misp-module