Basic Update Event Example¶
This sample creates a new event on a MISP server via the MISP Events
API.
The sample then performs several updates to the stored event:
- Via a request to the MISP
Attributes
API, adds an internal comment attribute to the event. - Via a request to the MISP
Tag
API, applies a tag to the internal comment attribute. - Via a request to the MISP
Sighting
API, adds a sighting to the internal comment attribute.
The sample then retrieves the contents of the stored event — including the
associated attribute, tag, and sighting — via a call to the MISP
Search
API.
The sample displays the results of the calls made to each of the MISP APIs.
For more information on the MISP APIs used by this sample, see the following links:
- New Event: PyMISP new_event API and MISP REST Event API documentation.
- Attribute: PyMISP add_named_attribute API and MISP REST Attribute API.
- Tag: PyMISP tag API and MISP REST Tag API.
- Sighting: PyMISP sighting API and MISP REST Sighting API.
- Search: PyMISP search API and MISP REST Search API.
Prerequisites¶
The samples configuration step has been completed (see Samples Configuration).
The MISP DXL service is running (see MISP DXL Service).
In order to enable the use of the various APIs that this sample uses, each of the API names need to be listed in the
apiNames
setting under the[General]
section in the "dxlmispservice.config" file that the service uses:[General] apiNames=new_event,add_named_attribute,tag,sighting,search,...
For more information on the configuration, see the MISP DXL Python Service configuration documentation.
Running¶
To run this sample execute the sample/basic/basic_update_event_example.py
script as follows:
python sample/basic/basic_update_event_example.py
The output should appear similar to the following:
Response to the new event request: { "Event": { "Attribute": [], "Galaxy": [], "Object": [], "Org": { "id": "1", "name": "ORGNAME", "uuid": "5ac3c55a-41a4-4294-adf3-00f8ac110003" }, "Orgc": { "id": "1", "name": "ORGNAME", "uuid": "5ac3c55a-41a4-4294-adf3-00f8ac110003" }, "RelatedEvent": [], "ShadowAttribute": [], "analysis": "1", "attribute_count": "0", "date": "2018-04-10", "disable_correlation": false, "distribution": "3", "event_creator_email": "admin@admin.test", "id": "189", "info": "OpenDXL MISP update event example", "locked": false, "org_id": "1", "orgc_id": "1", "proposal_email_lock": false, "publish_timestamp": "0", "published": false, "sharing_group_id": "0", "threat_level_id": "3", "timestamp": "1523377669", "uuid": "5acce605-f338-42d6-9f08-003aac110002" } } Response to the add internal comment request: [ { "Attribute": { "category": "Internal reference", "comment": "This is only a test", "deleted": false, "disable_correlation": false, "distribution": "5", "event_id": "189", "id": "53", "object_id": "0", "object_relation": null, "sharing_group_id": "0", "timestamp": "1523377669", "to_ids": false, "type": "comment", "uuid": "5acce605-dad8-4286-add3-0141ac110002", "value": "Added by the OpenDXL update event example", "value1": "Added by the OpenDXL update event example", "value2": "" } } ] Response to the tag request: { "message": "Tag Tagged by the OpenDXL MISP update event example(1) successfully attached to Attribute(53).", "name": "Tag Tagged by the OpenDXL MISP update event example(1) successfully attached to Attribute(53).", "url": "/tags/attachTagToObject" } Response to the sighting request: { "message": "1 sighting successfuly added.", "name": "1 sighting successfuly added.", "url": "/sightings/add/5acce605-dad8-4286-add3-0141ac110002" } Response to the search request for the new MISP event: { "response": [ { "Event": { "Attribute": [ { "ShadowAttribute": [], "Sighting": [ { "Organisation": { "id": "1", "name": "ORGNAME", "uuid": "5ac3c55a-41a4-4294-adf3-00f8ac110003" }, "attribute_id": "53", "date_sighting": "1523377670", "event_id": "189", "id": "39", "org_id": "1", "source": "Seen by the OpenDXL MISP update event example", "type": "0", "uuid": "5acce606-dfd0-4b77-8f37-0142ac110002" } ], "Tag": [ { "colour": "#75705b", "exportable": true, "hide_tag": false, "id": "1", "name": "Tagged by the OpenDXL MISP update event example", "user_id": false } ], "category": "Internal reference", "comment": "This is only a test", "deleted": false, "disable_correlation": false, "distribution": "5", "event_id": "189", "id": "53", "object_id": "0", "object_relation": null, "sharing_group_id": "0", "timestamp": "1523377669", "to_ids": false, "type": "comment", "uuid": "5acce605-dad8-4286-add3-0141ac110002", "value": "Added by the OpenDXL update event example" } ], "Galaxy": [], "Object": [], "Org": { "id": "1", "name": "ORGNAME", "uuid": "5ac3c55a-41a4-4294-adf3-00f8ac110003" }, "Orgc": { "id": "1", "name": "ORGNAME", "uuid": "5ac3c55a-41a4-4294-adf3-00f8ac110003" }, "RelatedEvent": [], "ShadowAttribute": [], "analysis": "1", "attribute_count": "1", "date": "2018-04-10", "disable_correlation": false, "distribution": "3", "event_creator_email": "admin@admin.test", "id": "189", "info": "OpenDXL MISP update event example", "locked": false, "org_id": "1", "orgc_id": "1", "proposal_email_lock": false, "publish_timestamp": "0", "published": false, "sharing_group_id": "0", "threat_level_id": "3", "timestamp": "1523377669", "uuid": "5acce605-f338-42d6-9f08-003aac110002" } } ] }
Details¶
The majority of the sample code is shown below:
# Create the client with DxlClient(config) as dxl_client: # Connect to the fabric dxl_client.connect() logger.info("Connected to DXL fabric.") # Create client wrapper client = MispClient(dxl_client) # Invoke the new event method new_event_response_dict = client.new_event( distribution=3, info="OpenDXL MISP update event example", analysis=1, threat_level_id=3 ) # Print out the response (convert dictionary to JSON for pretty printing) print("Response to the new event request:\n{0}".format( MessageUtils.dict_to_json(new_event_response_dict, pretty_print=True)))
Once a connection is established to the DXL fabric, a
dxlmispclient.client.MispClient
instance is created
which will be used to invoke remote commands on the MISP DXL service.
Next, the dxlmispclient.client.MispClient.new_event()
method is invoked
with some parameters to store for the new MISP event.
The next step is to display the contents of the returned dictionary (dict
)
which contains the results of the attempt to create the new MISP event.
# Extract the id of the new event from the results of the new event request misp_event_id = new_event_response_dict # Invoke the add named attribute method to add an internal comment to the # event add_internal_comment_response_dict = client.add_named_attribute( event=misp_event_id, type_value="comment", value="Added by the OpenDXL MISP update event example", category="Internal reference", comment="This is only a test" ) # Print out the response (convert dictionary to JSON for pretty printing) print("Response to the add internal comment request:\n{0}".format( MessageUtils.dict_to_json(add_internal_comment_response_dict, pretty_print=True)))
Next, the dxlmispclient.client.MispClient.add_named_attribute()
method is invoked with some parameters to store in a new attribute for the MISP
event. Note that the event
id value is extracted from the response received
for the prior "new_event" request.
The next step is to display the contents of the returned dictionary (dict
)
which contains the results of the attempt to create the new attribute.
# Extract the id of the internal comment from the results of the add # internal comment request internal_comment_attribute_id = \ add_internal_comment_response_dict[0]["Attribute"]["uuid"] # Invoke the tag method to add a tag to the event tag_response_dict = client.tag( uuid=internal_comment_attribute_id, tag="Tagged by the OpenDXL MISP update event example" ) # Print out the response (convert dictionary to JSON for pretty printing) print("Response to the tag request:\n{0}".format( MessageUtils.dict_to_json(tag_response_dict, pretty_print=True)))
Next, the dxlmispclient.client.MispClient.tag()
method is invoked with
some parameters to store in a new tag for the MISP event's attribute. Note that
the uuid
value is extracted from the response received for the prior
"add_named_attribute" request.
The next step is to display the contents of the returned dictionary (dict
)
which contains the results of the attempt to create the new tag.
# Invoke the sighting method to add a sighting to the event sighting_response_dict = client.sighting( uuid=internal_comment_attribute_id, type=0, source="Seen by the OpenDXL MISP update event example" ) # Print out the response (convert dictionary to JSON for pretty printing) print("Response to the sighting request:\n{0}".format( MessageUtils.dict_to_json(sighting_response_dict, pretty_print=True)))
Next, the dxlmispclient.client.MispClient.sighting()
method is invoked
with some parameters to store in a new sighting for the MISP event's attribute.
Note that the uuid
id value is extracted from the response received for the
prior "add_named_attribute" request.
The next step is to display the contents of the returned dictionary (dict
)
which contains the results of the attempt to create the new tag.
# Invoke the search method to get the latest data for the event search_response_dict = client.search( eventid=new_event_response_dict["Event"]["id"] ) # Print out the response (convert dictionary to JSON for pretty printing) print("Response to the search request for the new MISP event:\n{0}".format( MessageUtils.dict_to_json(search_response_dict, pretty_print=True)))
To confirm that the event, add internal comment attribute, tag, and sighting
were all stored properly, the dxlmispclient.client.MispClient.search()
method is invoked to retrieve the information stored for the event.
The final step is to display the contents of the returned dictionary (dict
)
which contains information for the stored event.