MISP Exercise 4

MISP LAB04: API

1. Introduction

In this Lab you are going to interact with the REST API from your MISP instance. It is important to understand how this works, because many of the tools accessing MISP are doing it through the API. This would also allow you to automate certain steps or workflows in MISP.

The goal is to see what the MISP REST API has to offer and develop some queries.

2. Setup

Start docker image

cd /home/hacker/misp-docker-image
docker-compose up

Login with the following credentials:

LAB URL: http://misp.localhost

User: investigator@misp-lab4.com
Password: compass

3. API Basics

API stands for Application Programming Interface. This interface allows different applications to communicate with each other: they can share data and execute actions over an API. As an example, a monitoring system could fetch the 10 most recent events from MISP via its API and then display this information to the user in the monitoring system.

This is just one example; there are many more. APIs are also often used to automate a workflow that would be tedious to do manually by hand.

The MISP API Documentation can be found here: https://www.misp-project.org/documentation/openapi.html#operation/addEvent

4. Create Authentication key

The API does not let just anyone create events on your MISP instance. As you may have seen in the OpenAPI documentation, you need an AuthKey to confirm that you are indeed permitted to do this call.

Open your profile by clicking Global Actions -> My Profile

We have to generate a new authentication key, because the key that was created on initial install can no longer be viewed by the user. Therefore we will now create a new key.

Click on Auth keys, then Add authentication key and select the user investigator@misp-lab4.com. You can optionally add a comment, allowed IPs and an expiration date. Empty fields also work. Click submit to generate the key.

Authkey: Qn0YLxykel69UDOEFL3bChiQ9vqfRzvpx7Vj4Oie

5. Create Event via API

Paste the following command into your shell:

curl -X POST \
    --header "Authorization: Qn0YLxykel69UDOEFL3bChiQ9vqfRzvpx7Vj4Oie" \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    http://localhost:10000/events/add \
    -d '{ "date": "2022-01-01", "distribution": "0", "threat_level_id": "1", "analysis": "1", "info": "event is created from terminal via API"}'

JSON Output:

The command above created a new Event in our MISP instance:

6. Automation with python

cd /home/hacker/Desktop/
take misp-python
pipenv --python 3 shell
pipenv install pymisp
touch misp-script.py
code .
pip3 install pymisp

Python code:

from pymisp import PyMISP, MISPEvent

# Connection settings for the lab instance. The third argument is the
# certificate check (ssl); it is disabled here because the lab runs over plain HTTP.
misp_url = "http://localhost:10000/"
misp_key = "Qn0YLxykel69UDOEFL3bChiQ9vqfRzvpx7Vj4Oie"
misp_verifycert = False

myMispInstance = PyMISP(misp_url, misp_key, misp_verifycert)

# Build the event locally first; nothing is sent until add_event() is called.
firstEvent = MISPEvent()

firstEvent.info = 'event is created from VSCode via PyMISP'  # Required
firstEvent.distribution = 0  # Optional, defaults to MISP.default_event_distribution in MISP config
firstEvent.threat_level_id = 2  # Optional, defaults to MISP.default_event_threat_level in MISP config
firstEvent.analysis = 1  # Optional, defaults to 0 (initial analysis)

firstEvent.add_tag('tlp:white')

# Show the JSON that will be posted, then create the event on the instance.
print(firstEvent.to_json())

myMispInstance.add_event(firstEvent)
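To make visible what both the curl command in section 5 and the PyMISP script above do on the wire, here is an added example (not part of the lab or of PyMISP) that talks to the same two endpoints with only the Python standard library: it builds the headers MISP expects, builds the /events/add body with the same fields as the curl command, posts it, and then reads the event back with GET /events/view/<id>. It reads the auth key from an environment variable (the variable names MISP_URL and MISP_KEY are this example's assumption) instead of hardcoding it in the script, and the sample response used to demonstrate parsing is constructed, not captured from a real instance.

```python
import json
import os
import urllib.request

# Added example, not the lab's own code. Endpoints are the ones the lab uses:
# POST /events/add and GET /events/view/<id>. Env var names are assumptions.
MISP_URL = os.environ.get("MISP_URL", "http://localhost:10000")
MISP_KEY = os.environ.get("MISP_KEY", "")  # auth key from the environment, not hardcoded

# Constructed sample of what /events/add returns (shape only: {"Event": {...}}).
SAMPLE_RESPONSE = json.dumps({
    "Event": {"id": "7", "info": "event is created from terminal via API",
              "distribution": "0", "threat_level_id": "1", "analysis": "1"}
})


def build_headers(auth_key):
    """Headers MISP expects: the raw key in Authorization, JSON in and out."""
    if not auth_key:
        raise ValueError("MISP auth key is missing; set MISP_KEY")
    return {
        "Authorization": auth_key,
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def build_event_payload(info, date, distribution=0, threat_level_id=1, analysis=1):
    """Minimal /events/add body with the same fields as the lab's curl command."""
    if not info:
        raise ValueError("info is required")
    if distribution not in (0, 1, 2, 3, 4):  # 4 = sharing group, needs sharing_group_id
        raise ValueError("distribution must be between 0 and 4")
    if threat_level_id not in (1, 2, 3, 4):  # 1 high .. 4 undefined
        raise ValueError("threat_level_id must be between 1 and 4")
    return {
        "date": date,
        "distribution": str(distribution),
        "threat_level_id": str(threat_level_id),
        "analysis": str(analysis),
        "info": info,
    }


def parse_event_response(body):
    """Extract id and info from a MISP event response; fail loudly on anything else."""
    data = json.loads(body)
    event = data.get("Event") if isinstance(data, dict) else None
    if event is None:
        raise ValueError("unexpected MISP response: %r" % (data,))
    return {"id": int(event["id"]), "info": event["info"]}


def misp_request(path, auth_key, payload=None, base_url=MISP_URL):
    """POST if a payload is given, otherwise GET; returns the parsed event."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=data,
        headers=build_headers(auth_key),
        method="POST" if payload is not None else "GET",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_event_response(resp.read().decode())


def create_event(info, date, auth_key=MISP_KEY):
    return misp_request("/events/add", auth_key, build_event_payload(info, date))


def get_event(event_id, auth_key=MISP_KEY):
    return misp_request("/events/view/%d" % int(event_id), auth_key)


if __name__ == "__main__":
    # Offline demonstration of the parsing step on the constructed sample.
    print(parse_event_response(SAMPLE_RESPONSE))
    # Against the lab instance: export MISP_KEY=<your key> before running.
    created = create_event("event is created from stdlib script via API", "2022-01-01")
    print("created event", created["id"])
    print(get_event(created["id"]))
```

The key lives in MISP_KEY so the script can be committed or shared without leaking it; the script refuses to send a request at all when the variable is empty, which is preferable to sending an unauthenticated call that MISP will reject anyway.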

Check the newly created MISP Event:
