# MISP Exercise 4

## MISP LAB04: API

### 1. Introduction

In this lab you will interact with the REST API of your MISP instance. It is important to understand how this works, because many of the tools that access MISP do so through the API. It also allows you to automate certain steps or workflows in MISP.

The goal is to see what the MISP REST API has to offer and develop some queries.

### 2. Setup

Start the docker image:

> cd /home/hacker/misp-docker-image\
> docker-compose up

Login with the following credentials:

LAB URL: <http://misp.localhost>

> User: <investigator@misp-lab4.com>\
> Password: compass

<div align="left"><img src="/files/zvbEVT7ArHNglcyXvtHY" alt=""></div>

### 3. API Basics

> API stands for Application Programming Interface. This interface allows different applications to communicate with each other: they can share data and execute actions over an API. As an example, a monitoring system could get the 10 most recent events from MISP via its API and then display this information to the user in the monitoring system.

This is just one example; there are many more. APIs are also often used to automate a workflow that is tedious to do manually by hand.

The MISP API documentation can be found here: <https://www.misp-project.org/documentation/openapi.html#operation/addEvent>

### 4. Create Authentication key

The API does not let just anyone create events on your MISP instance. As you may have seen in the OpenAPI documentation, you need an AuthKey to confirm that you are indeed permitted to make this call.

Open your profile by clicking Global Actions -> My Profile

![](/files/z3iH8es4e2F1P0PgVA1Y)

We have to generate a new authentication key, because the key that was created on initial install can no longer be viewed by the user.

Click on `Auth keys`, then `Add authentication key` and select the user <investigator@misp-lab4.com>. You can optionally add a comment, allowed IPs and an expiration date. Empty fields also work. Click submit to generate the key.

Authkey: `Qn0YLxykel69UDOEFL3bChiQ9vqfRzvpx7Vj4Oie`

<div align="left"><img src="/files/JhKkbGohjOhg26QQ4nbl" alt=""></div>

### 5. Create Event via API

Paste the following command into your shell:

```bash
curl -X POST \
    --header "Authorization: Qn0YLxykel69UDOEFL3bChiQ9vqfRzvpx7Vj4Oie" \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" http://localhost:10000/events/add \
    -d '{ "date": "2022-01-01", "distribution": "0", "threat_level_id": "1", "analysis": "1", "info": "event is created from terminal via API"}'
```

JSON Output:

![](/files/ejjZEpS5YqLpIwx2SQbl)

The command above created a new Event in our MISP instance:

![](/files/qhOLoXFRL20v0adVHsnj)

### 6. Automation with python

> cd /home/hacker/Desktop/\
> take misp-python\
> pipenv --python 3 shell\
> pipenv install pymisp\
> touch misp-script.py\
> code .\
> pip3 install pymisp

Python code:

```python
from pymisp import PyMISP, MISPEvent

misp_url = "http://localhost:10000/"
misp_key = "Qn0YLxykel69UDOEFL3bChiQ9vqfRzvpx7Vj4Oie"
misp_verifycert = False  # passed as the `ssl` argument: skips certificate verification (lab instance only)

myMispInstance = PyMISP(misp_url, misp_key, misp_verifycert)

firstEvent = MISPEvent()

firstEvent.info = 'event is created from VSCode via PyMISP'  # Required
firstEvent.distribution = 0  # Optional, defaults to MISP.default_event_distribution in MISP config
firstEvent.threat_level_id = 2  # Optional, defaults to MISP.default_event_threat_level in MISP config
firstEvent.analysis = 1  # Optional, defaults to 0 (initial analysis)

firstEvent.add_tag('tlp:white')

# Show the JSON body PyMISP will send before the event is created
print(firstEvent.to_json())

myMispInstance.add_event(firstEvent)
```

![](/files/aSq9NO6jdpDJVoExlOVf)

Check the newly created MISP Event:

![](/files/fdEfSS46jLfjdFDFIF8M)
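As an added example that is not part of the lab, the same `/events/add` call as the curl command in section 5, written as a small Python `requests` client: it validates the enumerated event fields (distribution, threat level, analysis) and the date format before anything is sent, and it also fetches the most recent events for the monitoring use case from section 3. The `session` parameter is an assumption so the functions can be exercised offline with a stub, and the `/events/index` filter keys (`limit`, `sort`, `direction`) are assumed from the MISP automation docs rather than taken from this page.

```python
import datetime

MISP_URL = "http://localhost:10000"  # lab instance, as in the curl command
AUTHKEY = "Qn0YLxykel69UDOEFL3bChiQ9vqfRzvpx7Vj4Oie"  # lab key from section 4

# Enumerated event fields MISP accepts; check locally so a typo fails with a clear message.
DISTRIBUTION = {0: "your org only", 1: "this community", 2: "connected communities",
                3: "all communities", 4: "sharing group", 5: "inherit"}
THREAT_LEVEL = {1: "high", 2: "medium", 3: "low", 4: "undefined"}
ANALYSIS = {0: "initial", 1: "ongoing", 2: "complete"}


def api_headers(authkey):
    """The three headers the curl command sends; the key goes in Authorization as-is."""
    return {"Authorization": authkey, "Accept": "application/json",
            "Content-Type": "application/json"}


def build_event(info, date, distribution=0, threat_level_id=1, analysis=1):
    """Build the /events/add body; values are strings, exactly as in the curl payload."""
    if not info or not info.strip():
        raise ValueError("info is required")
    datetime.date.fromisoformat(date)  # raises ValueError unless YYYY-MM-DD
    for name, value, allowed in (("distribution", distribution, DISTRIBUTION),
                                 ("threat_level_id", threat_level_id, THREAT_LEVEL),
                                 ("analysis", analysis, ANALYSIS)):
        if value not in allowed:
            raise ValueError(f"{name}={value!r}; allowed: {sorted(allowed)}")
    return {"date": date, "distribution": str(distribution),
            "threat_level_id": str(threat_level_id), "analysis": str(analysis),
            "info": info}


def _post(path, body, session, base_url, authkey):
    if session is None:  # real HTTP session unless a stub is injected (assumption, for tests)
        import requests
        session = requests.Session()
    resp = session.post(f"{base_url.rstrip('/')}{path}", headers=api_headers(authkey),
                        json=body, timeout=30)
    resp.raise_for_status()
    return resp.json()


def create_event(payload, session=None, base_url=MISP_URL, authkey=AUTHKEY):
    """POST /events/add and return the created event (MISP wraps it under "Event")."""
    return _post("/events/add", payload, session, base_url, authkey)["Event"]


def recent_events(limit=10, session=None, base_url=MISP_URL, authkey=AUTHKEY):
    """Section 3's monitoring case: newest events via POST /events/index
    (filter keys limit/sort/direction assumed from the MISP automation docs)."""
    body = {"limit": limit, "sort": "timestamp", "direction": "desc"}
    return _post("/events/index", body, session, base_url, authkey)
```

Calling `create_event(build_event("event is created via requests", "2022-01-01"))` against the running lab instance performs the same request as the curl command; an invalid value such as `distribution=9` is rejected before any network call.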

