Basic New Event Example¶
This sample creates a new event on a MISP server via the MISP Events API. The sample then retrieves the contents of the stored event via a call to the MISP Search API. The sample displays the results of the calls to the Events and Search APIs.
For more information on the MISP Events API, see the PyMISP new_event API and MISP REST Event API documentation.
Prerequisites¶
The samples configuration step has been completed (see Samples Configuration).
The MISP DXL service is running (see MISP DXL Service).
In order to enable the use of the new_event and search APIs, both API names need to be listed in the apiNames setting under the [General] section in the "dxlmispservice.config" file that the service uses:

[General]
apiNames=new_event,search,...

For more information on the configuration, see the MISP DXL Python Service configuration documentation.
Running¶
To run this sample, execute the sample/basic/basic_new_event_example.py script as follows:
python sample/basic/basic_new_event_example.py
The output should appear similar to the following:
Response to the new event request:
{
    "Event": {
        "Attribute": [],
        "Galaxy": [],
        "Object": [],
        "Org": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "5ac3c55a-41a4-4294-adf3-00f8ac110003"
        },
        "Orgc": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "5ac3c55a-41a4-4294-adf3-00f8ac110003"
        },
        "RelatedEvent": [],
        "ShadowAttribute": [],
        "analysis": "1",
        "attribute_count": "0",
        "date": "2018-04-10",
        "disable_correlation": false,
        "distribution": "3",
        "event_creator_email": "admin@admin.test",
        "id": "188",
        "info": "OpenDXL MISP new event example",
        "locked": false,
        "org_id": "1",
        "orgc_id": "1",
        "proposal_email_lock": false,
        "publish_timestamp": "0",
        "published": false,
        "sharing_group_id": "0",
        "threat_level_id": "3",
        "timestamp": "1523377618",
        "uuid": "5acce5d2-2258-41cf-a1e3-0039ac110002"
    }
}
Response to the search request for the new MISP event:
{
    "response": [
        {
            "Event": {
                "Attribute": [],
                "Galaxy": [],
                "Object": [],
                "Org": {
                    "id": "1",
                    "name": "ORGNAME",
                    "uuid": "5ac3c55a-41a4-4294-adf3-00f8ac110003"
                },
                "Orgc": {
                    "id": "1",
                    "name": "ORGNAME",
                    "uuid": "5ac3c55a-41a4-4294-adf3-00f8ac110003"
                },
                "RelatedEvent": [],
                "ShadowAttribute": [],
                "analysis": "1",
                "attribute_count": "0",
                "date": "2018-04-10",
                "disable_correlation": false,
                "distribution": "3",
                "event_creator_email": "admin@admin.test",
                "id": "188",
                "info": "OpenDXL MISP new event example",
                "locked": false,
                "org_id": "1",
                "orgc_id": "1",
                "proposal_email_lock": false,
                "publish_timestamp": "0",
                "published": false,
                "sharing_group_id": "0",
                "threat_level_id": "3",
                "timestamp": "1523377618",
                "uuid": "5acce5d2-2258-41cf-a1e3-0039ac110002"
            }
        }
    ]
}
Details¶
The majority of the sample code is shown below:
import logging

from dxlbootstrap.util import MessageUtils
from dxlclient.client import DxlClient
from dxlclient.client_config import DxlClientConfig
from dxlmispclient.client import MispClient

logger = logging.getLogger(__name__)

# Path of the DXL client configuration file written during the samples
# configuration step (see Samples Configuration); adjust if it lives elsewhere
CONFIG_FILE = "sample/dxlclient.config"

# Create the DXL client configuration from the file
config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE)

# Create the client
with DxlClient(config) as dxl_client:
    # Connect to the fabric
    dxl_client.connect()

    logger.info("Connected to DXL fabric.")

    # Create client wrapper
    client = MispClient(dxl_client)

    # Invoke the new event method
    new_event_response_dict = client.new_event(
        distribution=3,
        info="OpenDXL MISP new event example",
        analysis=1,
        threat_level_id=3
    )

    # Print out the response (convert dictionary to JSON for pretty printing)
    print("Response to the new event request:\n{0}".format(
        MessageUtils.dict_to_json(new_event_response_dict, pretty_print=True)))
Once a connection is established to the DXL fabric, a dxlmispclient.client.MispClient instance is created which will be used to invoke remote commands on the MISP DXL service.
Next, the dxlmispclient.client.MispClient.new_event() method is invoked with some parameters to store for the new MISP event. The numeric values are MISP's own codes: distribution=3 is the "All communities" distribution level, analysis=1 is "Ongoing" and threat_level_id=3 is "Low". As the output above shows, the event is created with published set to false, so the chosen distribution level only takes effect once the event is explicitly published.
The next step is to display the contents of the returned dictionary (dict) which contains the results of the attempt to create the new MISP event.
    # Invoke the search method to get the latest data for the event
    search_response_dict = client.search(
        eventid=new_event_response_dict["Event"]["id"]
    )

    # Print out the response (convert dictionary to JSON for pretty printing)
    print("Response to the search request for the new MISP event:\n{0}".format(
        MessageUtils.dict_to_json(search_response_dict, pretty_print=True)))
To confirm that the event was stored properly, the dxlmispclient.client.MispClient.search() method is invoked to retrieve the information stored for the event. The method is invoked with the eventid of the event to retrieve. Note that the eventid used in the search request is extracted from the response received for the prior "new_event" request.
The final step is to display the contents of the returned dictionary (dict) which contains information for the stored event.
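The sample prints both responses but leaves the comparison to the reader. The following added example (not part of the OpenDXL MISP client or its sample) shows the check a practitioner would put behind "confirm that the event was stored properly": it locates the created event in the search() response by id, verifies that the identifying fields (uuid, info, distribution, analysis, threat level, creator org, timestamp) came back unchanged, reports whether MISP has published the event, and decodes the numeric codes into MISP's labels. The response dictionaries below are constructed from the sample output above so that the check runs offline; on a live fabric they would be the return values of MispClient.new_event() and MispClient.search(). The function and variable names (verify_event_stored, events_from_search, SAMPLE_EVENT) are this example's own.

```python
"""Cross-check a MISP event created via new_event() against a later search().

Added example; not part of the OpenDXL MISP client or its sample scripts.
"""

# MISP's numeric codes for the three parameters the sample passes to new_event()
DISTRIBUTION = {
    "0": "Your organisation only",
    "1": "This community only",
    "2": "Connected communities",
    "3": "All communities",
    "4": "Sharing group",
}
ANALYSIS = {"0": "Initial", "1": "Ongoing", "2": "Completed"}
THREAT_LEVEL = {"1": "High", "2": "Medium", "3": "Low", "4": "Undefined"}

# Fields that must survive the create/search round trip unchanged. uuid is the
# stable cross-instance identifier; id is only meaningful on this MISP instance.
ROUND_TRIP_FIELDS = ("uuid", "info", "distribution", "analysis",
                     "threat_level_id", "orgc_id", "timestamp")


def events_from_search(search_response):
    """Return the Event dicts wrapped in a search() response.

    The search response has the shape {"response": [{"Event": {...}}, ...]}
    (see the sample output); a missing or empty "response" yields [].
    """
    return [item["Event"]
            for item in search_response.get("response", [])
            if isinstance(item, dict) and "Event" in item]


def verify_event_stored(new_event_response, search_response):
    """Compare the event returned by new_event() with what search() stored.

    Returns a dict with:
      found      - True when exactly one event with the created id came back
      mismatches - round-trip fields whose stored value differs
      published  - whether MISP reports the event as published (None if not found)
      labels     - decoded distribution / analysis / threat level (empty if not found)
    Raises ValueError when the new_event response carries no "Event" at all,
    which is what an error reply from the service looks like to this check.
    """
    if "Event" not in new_event_response:
        raise ValueError("new_event response carries no Event: {0!r}".format(
            new_event_response))
    created = new_event_response["Event"]
    matches = [e for e in events_from_search(search_response)
               if e.get("id") == created.get("id")]
    result = {"found": len(matches) == 1, "mismatches": [],
              "published": None, "labels": {}}
    if not result["found"]:
        return result
    stored = matches[0]
    result["mismatches"] = [f for f in ROUND_TRIP_FIELDS
                            if created.get(f) != stored.get(f)]
    result["published"] = bool(stored.get("published"))
    result["labels"] = {
        "distribution": DISTRIBUTION.get(stored.get("distribution"), "unknown"),
        "analysis": ANALYSIS.get(stored.get("analysis"), "unknown"),
        "threat_level": THREAT_LEVEL.get(stored.get("threat_level_id"), "unknown"),
    }
    return result


# Constructed from the sample output above; fields the check does not use are
# omitted. Both responses carry the same Event, as they do in the sample run.
SAMPLE_EVENT = {
    "id": "188",
    "uuid": "5acce5d2-2258-41cf-a1e3-0039ac110002",
    "info": "OpenDXL MISP new event example",
    "distribution": "3",
    "analysis": "1",
    "threat_level_id": "3",
    "orgc_id": "1",
    "timestamp": "1523377618",
    "published": False,
}
NEW_EVENT_RESPONSE = {"Event": dict(SAMPLE_EVENT)}
SEARCH_RESPONSE = {"response": [{"Event": dict(SAMPLE_EVENT)}]}

if __name__ == "__main__":
    # Normal round trip, then a search that returned nothing for the id
    print(verify_event_stored(NEW_EVENT_RESPONSE, SEARCH_RESPONSE))
    print(verify_event_stored(NEW_EVENT_RESPONSE, {"response": []}))
```

In the sample script the call would sit after the search() request, with new_event_response_dict and search_response_dict as the two arguments; a result with found False or a non-empty mismatches list is the point at which to stop rather than treat the event as stored.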