SBM Labs

Cyber Security Collaboration Project

MISP - Threat Sharing Platform. API.
01 Mar 2017

Let's look at the MISP API and its usage.

You can download and use PyMISP (a Python library) in order to access MISP via its REST API. Using PyMISP you can create, edit and delete events and their attributes. For more information, visit the official page on GitHub.

1. Installation.

Use Python 3 and install the pip3 package manager.

$ sudo apt-get install python3-pip

Optionally, install virtualenv and virtualenvwrapper.

$ pip3 install virtualenv
$ pip3 install virtualenvwrapper
$ export WORKON_HOME=~/Envs
$ source /usr/local/bin/virtualenvwrapper.sh
$ mkvirtualenv misp

To work with the created virtual environment, use the commands workon misp / deactivate.

Install PyMISP.

$ pip3 install pymisp

Use matching versions of PyMISP and the MISP instance.

2. PyMISP usage.

Log in to the MISP instance and go to Event Actions -> Automation. There you will find your API key (it can be reset at any time).

Add new event:
PyMISP.new_event(distribution=None, threat_level_id=None, analysis=None, info=None, date=None, published=False, orgc_id=None, org_id=None, sharing_group_id=None)

Add new attribute:
add_ipsrc(event, ipsrc, category='Network activity', to_ids=True, comment=None, distribution=None, proposal=False)

Python script example.

#!/home/cyber_analyst/Envs/misp/bin/python3
# -*- coding: utf-8 -*-

from pymisp import PyMISP

# ssl=False disables certificate verification of the MISP server; acceptable only for a lab instance.
api = PyMISP('https://misp.local', 'iLdZAxJofk4qQ6hiFjvFTqSTfULYV2gqZsNUD2P9', ssl=False, out_type='json')
# Positional arguments: distribution=0 (your organisation only), threat_level_id=1 (high), analysis=0 (initial).
event = api.new_event(0, 1, 0, info="Network Scanning", published=True)
# Attach the scanning source as an ip-src attribute; to_ids=True marks it as usable for IDS export.
event = api.add_ipsrc(event, 'SOME_IP', category='Network activity', to_ids=True, comment='IDS Detection', distribution=None, proposal=False)

We can use this script to add a network scanning event to the MISP instance. For example, the IPS/IDS detects network scanning, the SIEM processes this event and runs the script.

Then we can use the information stored in MISP during log analysis. For example, the sshd service on a Linux host registers a new session from some IP address, the SIEM processes this event and checks the IP address in MISP. As a result, we should receive an alert about a possible host compromise if this IP address appears in MISP events.

Python script example.

#!/home/cyber_analyst/Envs/misp/bin/python3
# -*- coding: utf-8 -*-

from pymisp import PyMISP
import json

# Same lab instance as above; ssl=False disables certificate verification.
api = PyMISP('https://misp.local', 'iLdZAxJofk4qQ6hiFjvFTqSTfULYV2gqZsNUD2P9', ssl=False, out_type='json')
# Free-text search across all events for the value; returns the matching events.
event = api.search_all('SOME_IP')
# Dump the result so the SIEM can parse it and raise an alert if any event matched.
print(json.dumps(event))
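The alerting step described above (sshd session from an IP address that MISP knows as a scanning source) as an added example; this is not the post's own code. It assumes the search result has the usual MISP event structure ({"response": [{"Event": {..., "Attribute": [...]}}]}), uses a constructed sample result and constructed sshd log lines in place of the live API, and confirms the exact attribute value client-side because a free-text search can return broader matches.

```python
import json
import re

# Constructed sample of a MISP event search result (structure assumed as described above).
SAMPLE_MISP_RESULT = {
    "response": [
        {"Event": {"id": "42", "info": "Network Scanning", "Attribute": [
            {"type": "ip-src", "value": "203.0.113.5", "to_ids": True,
             "comment": "IDS Detection"},
            {"type": "ip-src", "value": "203.0.113.50", "to_ids": False,
             "comment": "analyst note only"}]}},
    ]
}

# Constructed sshd log lines in the default syslog format.
SAMPLE_SSHD_LOG = """\
Mar  1 10:02:11 web01 sshd[2211]: Accepted publickey for deploy from 198.51.100.7 port 51522 ssh2
Mar  1 10:05:40 web01 sshd[2290]: Accepted password for root from 203.0.113.5 port 40112 ssh2
Mar  1 10:06:03 web01 sshd[2301]: Failed password for admin from 203.0.113.50 port 40200 ssh2
"""

SSHD_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port")

def accepted_sessions(log_text):
    """Return (user, ip) for every successfully opened sshd session."""
    return [(m.group("user"), m.group("ip"))
            for m in map(SSHD_ACCEPTED.search, log_text.splitlines()) if m]

def misp_hits(misp_result, ip):
    """Events with an ip-src/ip-dst attribute exactly equal to ip and flagged to_ids."""
    hits = []
    for wrapper in misp_result.get("response", []):
        event = wrapper["Event"]
        for attr in event.get("Attribute", []):
            if (attr["type"] in ("ip-src", "ip-dst") and attr["value"] == ip
                    and attr.get("to_ids")):
                hits.append({"event_id": event["id"], "info": event["info"],
                             "comment": attr.get("comment", "")})
    return hits

def alerts_for_log(log_text, lookup):
    """One alert per accepted session whose source IP has a MISP hit; lookup(ip) returns hits."""
    alerts = []
    for user, ip in accepted_sessions(log_text):
        for hit in lookup(ip):
            alerts.append({"user": user, "ip": ip, **hit})
    return alerts

if __name__ == "__main__":
    # With a live instance, lookup would wrap api.search_all; here it reads the constructed sample.
    for alert in alerts_for_log(SAMPLE_SSHD_LOG, lambda ip: misp_hits(SAMPLE_MISP_RESULT, ip)):
        print(json.dumps(alert))
```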

There are many use cases for the MISP API. We reviewed only one of them in order to understand how it works.
