Pymisp Documentation: Release Master
Release master
Raphaël Vinot
1 README
3 pymisp
3.1 PyMISP
3.2 PyMISPExpanded (Python 3.6+ only)
3.3 MISPAbstract
3.4 MISPEncode
3.5 MISPEvent
3.6 MISPAttribute
3.7 MISPObject
3.8 MISPObjectAttribute
3.9 MISPObjectReference
3.10 MISPTag
3.11 MISPUser
3.12 MISPOrganisation
4 pymisp - Tools
4.1 File Object
4.2 ELF Object
4.3 PE Object
4.4 Mach-O Object
4.5 VT Report Object
4.6 STIX
4.7 OpenIOC
Index
PyMISP Documentation, Release master
Contents:
IMPORTANT NOTE: This library will require at least Python 3.6 starting the 1st of January 2020. If you have to
use legacy versions of Python, please use PyMISP v2.4.119.1, and consider updating your system(s). Anything released
within the last 2 years will do, starting with Ubuntu 18.04.
CHAPTER
ONE
README
CHAPTER
TWO
PyMISP is a Python library to access MISP platforms via their REST API.
PyMISP allows you to fetch events, add or update events/attributes, add or update samples or search for attributes.
2.2 Install the latest version from the repo for development purposes
If you have a MISP instance to test against, you can also run the live tests:
Note: You need to update the key in tests/testlive_comprehensive.py to the automation key of your
admin account.
cd examples
cp keys.py.sample keys.py
vim keys.py
The API key of MISP is available in the Automation section of the MISP web interface.
To check that your URL and API key are correct, run examples/last.py to fetch the events published in the
last x amount of time (supported time indicators: days (d), hours (h) and minutes (m)).
cd examples
python3 last.py -l 10h # 10 hours
python3 last.py -l 5d # 5 days
python3 last.py -l 45m # 45 minutes
2.4 Debugging
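import logging
logger = logging.getLogger('pymisp')
# Configure the logger as you wish, for example enable DEBUG mode:
logger.setLevel(logging.DEBUG)

# To write the debug output to a file instead of stderr:
import pymisp
import logging
logger = logging.getLogger('pymisp')
logging.basicConfig(level=logging.DEBUG, filename="debug.log", filemode='w', format=pymisp.FORMAT)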
# From poetry
2.6 Documentation
A series of Jupyter notebooks for PyMISP tutorial are available in the repository.
A new MISP object generator should be created from a pre-defined template and inherit from
AbstractMISPObjectGenerator.
Your new MISPObject generator needs to generate attributes and add them as class properties using
add_attribute.
When the object is sent to MISP, all the class properties are included in the JSON export.
CHAPTER
THREE
PYMISP
3.1 PyMISP
add_feed(feed, pythonify=False)
Add a new feed on a MISP instance
Return type Union[dict, MISPFeed]
add_object(event, misp_object, pythonify=False)
Add a MISP Object to an existing MISP event
Return type Union[dict, MISPObject]
add_object_reference(misp_object_reference, pythonify=False)
Add a reference to an object
Return type Union[dict, MISPObjectReference]
add_org_to_sharing_group(sharing_group, organisation, extend=False)
Add an organisation to a sharing group.
• sharing_group – Sharing group’s local instance ID, or Sharing group’s global UUID
• organisation – Organisation’s local instance ID, or Organisation’s global UUID, or Organisation’s name as known to the current instance
• extend – Allow the organisation to extend the group
Return type dict
add_organisation(organisation, pythonify=False)
Add an organisation
Return type Union[dict, MISPOrganisation]
add_server(server, pythonify=False)
Add a server to synchronise with. Note: You probably want to use ExpandedPyMISP.get_sync_config and
ExpandedPyMISP.import_server instead
Return type Union[dict, MISPServer]
add_server_to_sharing_group(sharing_group, server, all_orgs=False)
Add a server to a sharing group.
• sharing_group – Sharing group’s local instance ID, or Sharing group’s global UUID
• server – Server’s local instance ID, or URL of the Server, or Server’s name as known to the current instance
• all_orgs – Add all the organisations of the server to the group
Return type dict
add_sharing_group(sharing_group, pythonify=False)
Add a new sharing group
Return type Union[dict, MISPSharingGroup]
add_sighting(sighting, attribute=None, pythonify=False)
Add a new sighting (globally, or to a specific attribute)
Return type Union[dict, MISPSighting]
add_tag(tag, pythonify=False)
Add a new tag on a MISP instance.
Notes:
• The user calling this method needs the Tag Editor permission
• It doesn’t add a tag to an event, it simply creates the tag on a MISP instance.
add_user(user, pythonify=False)
Add a new user
Return type Union[dict, MISPUser]
attributes_statistics(context='type', percentage=False)
Get attributes statistics from the MISP instance.
Return type dict
build_complex_query(or_parameters=None, and_parameters=None, not_parameters=None)
Build a complex search query. MISP expects a dictionary with AND, OR and NOT keys.
Return type dict
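The AND/OR/NOT dictionary described above, as an added example that is not PyMISP's own code: complex_query builds the same shape of dictionary locally, and matches/select apply it to constructed events so the effect of each key is visible without a MISP instance. The function names, the tag values and the local matching semantics (all AND terms, at least one OR term, no NOT term) are assumptions made for this illustration.

```python
# Added example: stand-alone sketch, no PyMISP import and no network access.
from typing import Dict, Iterable, List, Optional, Set

Query = Dict[str, List[str]]


def complex_query(or_parameters: Optional[Iterable[str]] = None,
                  and_parameters: Optional[Iterable[str]] = None,
                  not_parameters: Optional[Iterable[str]] = None) -> Query:
    """Build a dictionary with AND, OR and NOT keys.

    Empty terms are dropped, and an operator with no terms left is omitted,
    so a blank value coming from a form or config file cannot end up in the query.
    """
    query: Query = {}
    for key, terms in (("AND", and_parameters),
                       ("OR", or_parameters),
                       ("NOT", not_parameters)):
        cleaned = [t for t in (terms or []) if t]
        if cleaned:
            query[key] = cleaned
    return query


def matches(query: Query, tags: Set[str]) -> bool:
    """Assumed local semantics: all AND terms, at least one OR term, no NOT term."""
    if any(term not in tags for term in query.get("AND", [])):
        return False
    if query.get("OR") and not any(term in tags for term in query["OR"]):
        return False
    return not any(term in tags for term in query.get("NOT", []))


def select(events: List[dict], query: Query) -> List[int]:
    """Return the ids of the events selected by the query.

    An empty query would select every event, including restricted ones,
    so it is rejected instead of being treated as "no filter".
    """
    if not query:
        raise ValueError("refusing to run an empty query: it would match everything")
    return [e["id"] for e in events if matches(query, e["tags"])]


# Constructed sample events (ids and tags are made up for the example).
EVENTS = [
    {"id": 1, "tags": {"type:OSINT", "tlp:white"}},
    {"id": 2, "tags": {"type:OSINT", "tlp:red"}},
    {"id": 3, "tags": {"type:OSINT", "tlp:green", "false-positive"}},
    {"id": 4, "tags": {"tlp:white"}},
    {"id": 5, "tags": {"type:OSINT", "tlp:green"}},
]

# Events that may feed a shared blocklist: OSINT, releasable, never
# restricted or flagged as a false positive. The trailing "" is dropped.
EXPORT_QUERY = complex_query(
    or_parameters=["tlp:white", "tlp:green"],
    and_parameters=["type:OSINT"],
    not_parameters=["tlp:red", "false-positive", ""],
)

if __name__ == "__main__":
    print(EXPORT_QUERY)
    print(select(EVENTS, EXPORT_QUERY))
```
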
cache_all_feeds()
Cache all the feeds
Return type dict
cache_feed(feed)
Cache a specific feed
Return type dict
cache_freetext_feeds()
Cache all the freetext feeds
Return type dict
cache_misp_feeds()
Cache all the MISP feeds
Return type dict
change_sharing_group_on_entity(misp_entity, sharing_group_id, pythonify=False)
Change the sharing group of an event, an attribute, or an object
Return type Union[dict, MISPEvent, MISPObject, MISPAttribute,
MISPShadowAttribute]
communities(pythonify=False)
Get all the communities.
Return type Union[dict, List[MISPCommunity]]
compare_feeds()
Generate the comparison matrix for all the MISP feeds
Return type dict
contact_event_reporter(event, message)
Send a message to the reporter of an event
Return type dict
delegate_event(event=None, organisation=None, event_delegation=None, distribution=-1, message='', pythonify=False)
Note: distribution == -1 means recipient decides
Return type Union[dict, MISPEventDelegation]
delete_attribute(attribute, hard=False)
Delete an attribute from a MISP instance
Return type dict
delete_attribute_proposal(attribute)
Propose the deletion of an attribute
Return type dict
delete_event(event)
Delete an event from a MISP instance
Return type dict
delete_feed(feed)
Delete a feed from a MISP instance
Return type dict
delete_object(misp_object)
Delete an object from a MISP instance
Return type dict
delete_object_reference(object_reference)
Delete a reference to an object
Return type dict
delete_organisation(organisation)
Delete an organisation
Return type dict
delete_server(server)
Delete a sync server
Return type dict
delete_sharing_group(sharing_group)
Delete a sharing group
Return type dict
delete_sighting(sighting)
Delete a sighting from a MISP instance
Return type dict
delete_tag(tag)
Delete a tag from a MISP instance
Return type dict
delete_user(user)
Delete a user
Return type dict
delete_user_setting(user_setting, user=None)
Delete a user setting
Return type dict
property describe_types_local
Returns the content of describe types from the package
Return type dict
property describe_types_remote
Returns the content of describe types from the remote instance
Return type dict
direct_call(url, data=None, params={}, kw_params={})
Very lightweight call that posts a data blob (python dictionary or json string) on the URL
enable_taxonomy_tags(taxonomy)
Enable all the tags of a taxonomy. NOTE: this is done automatically when you call enable_taxonomy.
Return type dict
enable_warninglist(warninglist)
Enable a warninglist.
Return type dict
event_delegations(pythonify=False)
Get all the event delegations.
Return type Union[dict, List[MISPEventDelegation]]
feeds(pythonify=False)
Get the list of existing feeds.
Return type Union[dict, List[MISPFeed]]
fetch_feed(feed)
Fetch one single feed
Return type dict
freetext(event, string, adhereToWarninglists=False, distribution=None, returnMetaAttributes=False,
pythonify=False, **kwargs)
Pass a text to the freetext importer
Return type Union[dict, List[MISPAttribute]]
galaxies(pythonify=False)
Get all the galaxies.
Return type Union[dict, List[MISPGalaxy]]
get_attribute(attribute, pythonify=False)
Get an attribute from a MISP instance
Return type Union[dict, MISPAttribute]
get_community(community, pythonify=False)
Get a community from a MISP instance
Return type Union[dict, MISPCommunity]
get_event(event, deleted=False, pythonify=False)
Get an event from a MISP instance
Return type Union[dict, MISPEvent]
get_feed(feed, pythonify=False)
Get a feed by id.
Return type Union[dict, MISPFeed]
get_galaxy(galaxy, pythonify=False)
Get a galaxy by id.
Return type Union[dict, MISPGalaxy]
get_noticelist(noticelist, pythonify=False)
Get a noticelist by id.
Return type Union[dict, MISPNoticelist]
get_object(misp_object, pythonify=False)
Get an object from the remote MISP instance
Return type Union[dict, MISPObject]
get_object_template(object_template, pythonify=False)
Gets the full object template corresponding to the UUID passed as parameter
Return type Union[dict, MISPObjectTemplate]
get_organisation(organisation, pythonify=False)
Get an organisation.
Return type Union[dict, MISPOrganisation]
get_sync_config(pythonify=False)
WARNING: This method only works if the user calling it is a sync user
Return type Union[dict, MISPServer]
get_tag(tag, pythonify=False)
Get a tag by id.
Return type Union[dict, MISPTag]
get_taxonomy(taxonomy, pythonify=False)
Get a taxonomy from a MISP instance.
Return type Union[dict, MISPTaxonomy]
get_user(user='me', pythonify=False, expanded=False)
Get a user. me means the owner of the API key doing the query. expanded also returns a MISPRole and a
MISPUserSetting
Return type Union[dict, MISPUser, Tuple[MISPUser, MISPRole,
List[MISPUserSetting]]]
get_user_setting(user_setting, user=None, pythonify=False)
Get a user setting
Return type Union[dict, MISPUserSetting]
get_warninglist(warninglist, pythonify=False)
Get a warninglist.
Return type Union[dict, MISPWarninglist]
import_server(server, pythonify=False)
Import a sync server config received from get_sync_config
Return type Union[dict, MISPServer]
property misp_instance_version
Returns the version of the instance.
Return type dict
property misp_instance_version_master
Get the most recent version from github
Return type dict
noticelists(pythonify=False)
Get all the noticelists.
Return type Union[dict, List[MISPNoticelist]]
object_templates(pythonify=False)
Get all the object templates.
Return type Union[dict, List[MISPObjectTemplate]]
organisations(scope='local', pythonify=False)
Get all the organisations.
Return type Union[dict, List[MISPOrganisation]]
publish(event, alert=False)
Publish the event with one single HTTP POST. The default is to not send a mail as it is assumed this
method is called on update.
Return type dict
push_event_to_ZMQ(event)
Force push an event on ZMQ
Return type dict
property pymisp_version_master
Get the most recent version of PyMISP from github
Return type dict
property recommended_pymisp_version
Returns the recommended API version from the server
Return type dict
remote_acl(debug_type='findMissingFunctionNames')
This should return an empty list, unless the ACL is outdated. debug_type can only be printAllFunctionNames,
findMissingFunctionNames, or printRoleAccess
Return type dict
remove_org_from_sharing_group(sharing_group, organisation)
Remove an organisation from a sharing group.
• sharing_group – Sharing group’s local instance ID, or Sharing group’s global UUID
• organisation – Organisation’s local instance ID, or Organisation’s global UUID, or Organisation’s name as known to the current instance
Return type dict
remove_server_from_sharing_group(sharing_group, server)
Remove a server from a sharing group.
• sharing_group – Sharing group’s local instance ID, or Sharing group’s global UUID
• server – Server’s local instance ID, or URL of the Server, or Server’s name as known to the current instance
Return type dict
roles(pythonify=False)
Get the existing roles
Return type Union[dict, List[MISPRole]]
will be returned. In case you are dealing with /attributes as scope, the attribute’s timestamp
will be used for the lookup.
• pythonify (Optional[bool]) – Returns a list of PyMISP Objects instead of the plain
JSON output. Warning: it might use a lot of RAM
Return type Union[dict, List[MISPEvent]]
search_logs(limit=None, page=None, log_id=None, title=None, created=None, model=None, action=None,
user_id=None, change=None, email=None, org=None, description=None, ip=None, pythonify=False)
Search in logs
Note: to run substring queries simply append/prepend/encapsulate the search term with %
Parameters
• limit (Optional[int]) – Limit the number of results returned, depending on the
scope (for example 10 attributes or 10 full events).
• page (Optional[int]) – If a limit is set, sets the page to be returned (page 3, limit 100
will return records 201->300).
• log_id (Optional[int]) – Log ID
• title (Optional[str]) – Log Title
• created (Union[date, int, str, float, None]) – Creation timestamp
• model (Optional[str]) – Model name that generated the log entry
• action (Optional[str]) – The thing that was done
• user_id (Optional[int]) – ID of the user doing the action
• change (Optional[str]) – Change that occurred
• email (Optional[str]) – Email of the user
• org (Optional[str]) – Organisation of the User doing the action
• description (Optional[str]) – Description of the action
• ip (Optional[str]) – Origination IP of the User doing the action
• pythonify (Optional[bool]) – Returns a list of PyMISP Objects instead of the plain
JSON output. Warning: it might use a lot of RAM
Return type Union[dict, List[MISPLog]]
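The limit/page arithmetic and the % substring note above, as an added example that is not PyMISP code: fake_search_logs is a local stand-in that takes the limit, page and filter keywords documented for search_logs, and iter_logs drains every page so an audit-log review does not stop at the first batch. The flat record shape, the sample values and the LIKE-style handling of % are assumptions made for this illustration.

```python
# Added example: local stand-in for the log search, no PyMISP import, no network.
from typing import Any, Callable, Dict, Iterator, List, Optional, Set

Record = Dict[str, Any]

# Constructed sample log of 320 records; ids, e-mails and IPs are made up.
SAMPLE_LOGS: List[Record] = [
    {"id": i,
     "model": "User",
     "action": "login" if i % 5 == 0 else "edit",
     "email": f"analyst{i % 3}@example.org",
     "ip": "198.51.100.7" if i % 50 == 0 else "192.0.2.10"}
    for i in range(1, 321)
]


def like(pattern: str, value: str) -> bool:
    """Match a search term with optional leading/trailing % (assumed LIKE-style)."""
    core = pattern.strip("%")
    leading, trailing = pattern.startswith("%"), pattern.endswith("%")
    if leading and trailing and len(pattern) > 1:
        return core in value            # %term%  -> substring
    if leading:
        return value.endswith(core)     # %term   -> suffix
    if trailing:
        return value.startswith(core)   # term%   -> prefix
    return value == pattern             # no %    -> exact match


def fake_search_logs(limit: Optional[int] = None, page: Optional[int] = None,
                     **filters: Any) -> List[Record]:
    """Stand-in for the server side: filter first, then cut out one page."""
    hits = [r for r in SAMPLE_LOGS
            if all(like(str(v), str(r.get(k, "")))
                   for k, v in filters.items() if v is not None)]
    if limit is None:
        return hits
    start = ((page or 1) - 1) * limit   # page 3, limit 100 -> offset 200
    return hits[start:start + limit]


def iter_logs(search: Callable[..., List[Record]], limit: int = 100,
              **filters: Any) -> Iterator[Record]:
    """Yield every matching record, requesting pages until a short one returns."""
    page = 1
    while True:
        batch = search(limit=limit, page=page, **filters)
        yield from batch
        if len(batch) < limit:          # short (or empty) page: nothing left
            return
        page += 1


def logins_outside(search: Callable[..., List[Record]],
                   allowed_ips: Set[str], limit: int = 100) -> List[int]:
    """Ids of login entries whose origin IP is not on the allow-list."""
    return [r["id"] for r in iter_logs(search, limit=limit, action="login")
            if r["ip"] not in allowed_ips]


if __name__ == "__main__":
    third = fake_search_logs(limit=100, page=3)
    print(third[0]["id"], third[-1]["id"])
    print(logins_outside(fake_search_logs, {"192.0.2.10"}))
```
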
search_sightings(context=None, context_id=None, type_sighting=None, date_from=None,
date_to=None, publish_timestamp=None, last=None, org=None, source=None,
include_attribute=None, include_event_meta=None, pythonify=False)
Search sightings
Parameters
• context (Optional[str]) – The context of the search. Can be either “attribute”,
“event”, or nothing (will then match on events and attributes).
• context_id (Optional[~SearchType]) – Only relevant if context is either “attribute”
or “event”. Then it is the relevant ID.
• type_sighting (Optional[str]) – Type of sighting
• date_from (Union[date, int, str, float, None]) – Events with the date set to a
date after the one specified. This filter will use the date of the event.
• date_to (Union[date, int, str, float, None]) – Events with the date set to a date
before the one specified. This filter will use the date of the event.
• publish_timestamp (Union[date, int, str, float, None,
Tuple[Union[date, int, str, float, None], Union[date, int, str, float,
None]]]) – Restrict the results by the last publish timestamp (newer than).
• org (Optional[~SearchType]) – Search by the creator organisation by supplying the
organisation identifier.
• source (Optional[str]) – Source of the sighting
• include_attribute (Optional[bool]) – Include the attribute.
• include_event_meta (Optional[bool]) – Include the meta information of the
event.
Deprecated:
Parameters last (Union[date, int, str, float, None, Tuple[Union[date, int, str, float, None],
Union[date, int, str, float, None]]]) – synonym for publish_timestamp
Example
[ ... ]
>>> misp.search_sightings(context='attribute', context_id=6, include_attribute=True) # return list of sighting for attribute 6 along with the attribute itself
[ ... ]
>>> misp.search_sightings(context='event', context_id=17, include_event_meta=True, org=2) # return list of sighting for event 17 filtered with org id 2
server_pull(server, event=None)
Initialize a pull from a sync server
Return type dict
server_push(server, event=None)
Initialize a push to a sync server
Return type dict
servers(pythonify=False)
Get the existing servers the MISP instance can synchronise with
Return type Union[dict, List[MISPServer]]
set_user_setting(user_setting, value, user=None, pythonify=False)
Set a user setting
Return type Union[dict, MISPUserSetting]
sharing_groups(pythonify=False)
Get the existing sharing groups
Return type Union[dict, List[MISPSharingGroup]]
3.3 MISPAbstract
class pymisp.AbstractMISP(**kwargs)
property edited
Recursively check if an object has been edited and update the flag on the parent objects accordingly
Return type bool
from_dict(**kwargs)
Load all the parameters as class properties, if they aren’t None. This method is meant to be called once all
the properties requiring special treatment have been processed. Note: This method is used when you initialize
an object with existing data, so by default the class is flagged as not edited.
Return type None
from_json(json_string)
Load a JSON string
Return type None
jsonable()
This method is used by the JSON encoder
Return type dict
set_not_jsonable(args)
Set __not_jsonable to a new list
Return type None
to_dict()
Dump the class to a dictionary. This method automatically removes the timestamp recursively in every
object that has been edited, in order to let MISP update the event accordingly.
Return type dict
to_json(sort_keys=False, indent=None)
Dump recursively any class of type MISPAbstract to a json string
update_not_jsonable(*args)
Add entries to the __not_jsonable list
Return type None
3.4 MISPEncode
default(obj)
Implement this method in a subclass such that it returns a serializable object for obj, or calls the base
implementation (to raise a TypeError).
For example, to support arbitrary iterators, you could implement default like this:
3.5 MISPEvent
property edited
Recursively check if an object has been edited and update the flag on the parent objects accordingly
Return type bool
from_dict(**kwargs)
Load all the parameters as class properties, if they aren’t None. This method is meant to be called once all
the properties requiring special treatment have been processed. Note: This method is used when you initialize
an object with existing data, so by default the class is flagged as not edited.
from_json(json_string)
Load a JSON string
Return type None
get(k[, d ]) → D[k] if k in D, else d. d defaults to None.
get_attribute_tag(attribute_identifier)
Return the tags associated to an attribute or an object attribute. attribute_identifier can be an ID, UUID,
or the value.
Return type List[MISPTag]
get_object_by_id(object_id)
Get an object by ID (the ID is the one set by the server when creating the new object)
Return type MISPObject
get_object_by_uuid(object_uuid)
Get an object by UUID (UUID is set by the server when creating the new object)
Return type MISPObject
get_objects_by_name(object_name)
Get objects by name
Return type List[MISPObject]
items() → a set-like object providing a view on D's items
jsonable()
This method is used by the JSON encoder
Return type dict
keys() → a set-like object providing a view on D's keys
load(json_event, validate=False, metadata_only=False)
Load a JSON dump from a pseudo file or a JSON string
load_file(event_path, validate=False, metadata_only=False)
Load a JSON dump from a file on the disk
pop(k[, d ]) → v, remove specified key and return the corresponding value.
If key is not found, d is returned if given, otherwise KeyError is raised.
popitem() → (k, v), remove and return some (key, value) pair
as a 2-tuple; but raise KeyError if D is empty.
publish()
Mark the event as published
set_date(d=None, ignore_invalid=False)
Set a date for the event (string, datetime, or date object)
set_not_jsonable(args)
Set __not_jsonable to a new list
Return type None
setdefault(k[, d ]) → D.get(k,d), also set D[k]=d if k not in D
property tags
Returns a list of tags associated to this Event
Return type List[MISPTag]
to_dict()
Dump the class to a dictionary. This method automatically removes the timestamp recursively in every
object that has been edited, in order to let MISP update the event accordingly.
Return type dict
to_feed(valid_distributions=[0, 1, 2, 3, 4, 5], with_meta=False)
Generate a JSON output for a MISP Feed.
Notes:
• valid_distributions only makes sense if the distribution key is set (i.e. the event is exported from a
MISP instance)
to_json(sort_keys=False, indent=None)
Dump recursively any class of type MISPAbstract to a json string
unpublish()
Mark the event as un-published (set publish flag to false)
update([E ], **F) → None. Update D from mapping/iterable E and F.
If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method,
does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v
update_not_jsonable(*args)
Add entries to the __not_jsonable list
Return type None
values() → an object providing a view on D's values
3.6 MISPAttribute
add_proposal(shadow_attribute=None, **kwargs)
Alias for add_shadow_attribute
Return type MISPShadowAttribute
add_shadow_attribute(shadow_attribute=None, **kwargs)
Add a shadow attribute to the attribute (by name or a MISPShadowAttribute object)
Return type MISPShadowAttribute
add_sighting(sighting=None, **kwargs)
Add a sighting to the attribute (by name or a MISPSighting object)
Return type MISPSighting
to_dict()
Dump the class to a dictionary. This method automatically removes the timestamp recursively in every
object that has been edited, in order to let MISP update the event accordingly.
Return type dict
to_json(sort_keys=False, indent=None)
Dump recursively any class of type MISPAbstract to a json string
update([E ], **F) → None. Update D from mapping/iterable E and F.
If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method,
does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v
update_not_jsonable(*args)
Add entries to the __not_jsonable list
Return type None
values() → an object providing a view on D's values
3.7 MISPObject
get_attributes_by_relation(object_relation)
Returns the list of attributes with the given object relation in the object
Return type List[MISPAttribute]
has_attributes_by_relation(list_of_relations)
True if all the relations in the list are defined in the object
items() → a set-like object providing a view on D's items
jsonable()
This method is used by the JSON encoder
Return type dict
keys() → a set-like object providing a view on D's keys
pop(k[, d ]) → v, remove specified key and return the corresponding value.
If key is not found, d is returned if given, otherwise KeyError is raised.
popitem() → (k, v), remove and return some (key, value) pair
as a 2-tuple; but raise KeyError if D is empty.
set_not_jsonable(args)
Set __not_jsonable to a new list
Return type None
setdefault(k[, d ]) → D.get(k,d), also set D[k]=d if k not in D
to_dict(strict=False)
Dump the class to a dictionary. This method automatically removes the timestamp recursively in every
object that has been edited, in order to let MISP update the event accordingly.
Return type dict
to_json(sort_keys=False, indent=None, strict=False)
Dump recursively any class of type MISPAbstract to a json string
update([E ], **F) → None. Update D from mapping/iterable E and F.
If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method,
does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v
update_not_jsonable(*args)
Add entries to the __not_jsonable list
Return type None
values() → an object providing a view on D's values
3.8 MISPObjectAttribute
class pymisp.MISPObjectAttribute(definition)
add_proposal(shadow_attribute=None, **kwargs)
Alias for add_shadow_attribute
Return type MISPShadowAttribute
add_shadow_attribute(shadow_attribute=None, **kwargs)
Add a shadow attribute to the attribute (by name or a MISPShadowAttribute object)
property tags
Returns a list of tags associated to this Attribute
Return type List[MISPTag]
to_dict()
Dump the class to a dictionary. This method automatically removes the timestamp recursively in every
object that has been edited, in order to let MISP update the event accordingly.
Return type dict
to_json(sort_keys=False, indent=None)
Dump recursively any class of type MISPAbstract to a json string
update([E ], **F) → None. Update D from mapping/iterable E and F.
If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method,
does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v
update_not_jsonable(*args)
Add entries to the __not_jsonable list
Return type None
values() → an object providing a view on D's values
3.9 MISPObjectReference
class pymisp.MISPObjectReference
set_not_jsonable(args)
Set __not_jsonable to a new list
Return type None
setdefault(k[, d ]) → D.get(k,d), also set D[k]=d if k not in D
to_dict()
Dump the class to a dictionary. This method automatically removes the timestamp recursively in every
object that has been edited, in order to let MISP update the event accordingly.
Return type dict
to_json(sort_keys=False, indent=None)
Dump recursively any class of type MISPAbstract to a json string
update([E ], **F) → None. Update D from mapping/iterable E and F.
If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method,
does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v
update_not_jsonable(*args)
Add entries to the __not_jsonable list
Return type None
values() → an object providing a view on D's values
3.10 MISPTag
class pymisp.MISPTag(**kwargs)
popitem() → (k, v), remove and return some (key, value) pair
as a 2-tuple; but raise KeyError if D is empty.
set_not_jsonable(args)
Set __not_jsonable to a new list
Return type None
setdefault(k[, d ]) → D.get(k,d), also set D[k]=d if k not in D
to_dict()
Dump the class to a dictionary. This method automatically removes the timestamp recursively in every
object that has been edited, in order to let MISP update the event accordingly.
Return type dict
to_json(sort_keys=False, indent=None)
Dump recursively any class of type MISPAbstract to a json string
update([E ], **F) → None. Update D from mapping/iterable E and F.
If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method,
does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v
update_not_jsonable(*args)
Add entries to the __not_jsonable list
Return type None
values() → an object providing a view on D's values
3.11 MISPUser
class pymisp.MISPUser(**kwargs)
3.12 MISPOrganisation
class pymisp.MISPOrganisation(**kwargs)
CHAPTER
FOUR
PYMISP - TOOLS
has_attributes_by_relation(list_of_relations)
True if all the relations in the list are defined in the object
items() → a set-like object providing a view on D's items
jsonable()
This method is used by the JSON encoder
Return type dict
keys() → a set-like object providing a view on D's keys
pop(k[, d ]) → v, remove specified key and return the corresponding value.
If key is not found, d is returned if given, otherwise KeyError is raised.
popitem() → (k, v), remove and return some (key, value) pair
as a 2-tuple; but raise KeyError if D is empty.
set_not_jsonable(args)
Set __not_jsonable to a new list
Return type None
setdefault(k[, d ]) → D.get(k,d), also set D[k]=d if k not in D
to_dict(strict=False)
Dump the class to a dictionary. This method automatically removes the timestamp recursively in every
object that has been edited, in order to let MISP update the event accordingly.
Return type dict
to_json(sort_keys=False, indent=None, strict=False)
Dump recursively any class of type MISPAbstract to a json string
update([E ], **F) → None. Update D from mapping/iterable E and F.
If E present and has a .keys() method, does: for k in E: D[k] = E[k] If E present and lacks .keys() method,
does: for (k, v) in E: D[k] = v In either case, this is followed by: for k, v in F.items(): D[k] = v
update_not_jsonable(*args)
Add entries to the __not_jsonable list
Return type None
values() → an object providing a view on D's values
4.3 PE Object
4.6 STIX
4.7 OpenIOC
tools.load_openioc()
tools.load_openioc_file()
FIVE
• genindex
• modindex
• search
41
PyMISP Documentation, Release master
p
pymisp, 9
pymisp.tools, 37
pymisp.tools.stix, 40
43
PyMISP Documentation, Release master