MISP Exercise 4

Last updated 3 years ago

MISP LAB04: API

1. Introduction

In this lab you are going to interact with the REST API of your MISP instance. It is important to understand how this works, because many of the tools that access MISP do so through the API. It also allows you to automate certain steps or workflows in MISP.

The goal is to see what the MISP REST API has to offer and to develop some queries against it.

2. Setup

Start docker image

cd /home/hacker/misp-docker-image
docker-compose up

Login with the following credentials:

LAB URL: http://misp.localhost

User: investigator@misp-lab4.com
Password: compass

3. API Basics

API stands for Application Programming Interface. This interface allows different applications to communicate with each other: they can share data and execute actions over an API. As an example, a monitoring system could fetch the 10 most recent events from MISP via its API and then display this information to the user in the monitoring system.

This is just one example; there are many more. APIs are also often used to automate a workflow that is tedious to do manually by hand.

The MISP API documentation can be found here: https://www.misp-project.org/documentation/openapi.html#operation/addEvent

4. Create Authentication key

The API does not let just anyone create events on your MISP instance. As you may have seen in the OpenAPI documentation, you need an AuthKey to prove that you are indeed permitted to make this call. The key is sent as-is in the Authorization header of every request, so treat it like a password: whoever holds it can act as the user it was issued to.

Open your profile by clicking Global Actions -> My Profile

We have to generate a new authentication key, because the key that was created on initial install can no longer be viewed by the user.

Click on Auth keys, then Add authentication key and select the user investigator@misp-lab4.com. You can optionally add a comment, a list of allowed IPs and an expiration date; empty fields also work, but restricting the key to the hosts that need it and giving it an expiry limits the damage if it leaks. Click Submit to generate the key.

Authkey: Qn0YLxykel69UDOEFL3bChiQ9vqfRzvpx7Vj4Oie

5. Create Event via API

Paste the following command into your shell. The URL below is the API endpoint of the lab's Docker instance; if your instance is reachable under a different host or port, or you generated a different key, adjust the command accordingly:

curl -X POST \
    --header "Authorization: Qn0YLxykel69UDOEFL3bChiQ9vqfRzvpx7Vj4Oie" \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    http://localhost:10000/events/add \
    -d '{ "date": "2022-01-01", "distribution": "0", "threat_level_id": "1", "analysis": "1", "info": "event is created from terminal via API"}'

JSON Output:

The command above created a new Event in our MISP instance:
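The following script is an added example, not part of the lab; it shows in plain Python what the curl command above and the "10 most recent events" query from section 3 actually send and receive. It reuses the lab's URL and AuthKey from step 4, range-checks the numeric fields before posting them (distribution 0-4, threat_level_id 1-4, analysis 0-2, as the OpenAPI spec defines them), and ships with a constructed in-memory stand-in for the MISP instance (`FakeMisp`, an assumption for offline use) so it runs without a server; pass the default `http_transport` instead to talk to the real lab instance.

```python
import json
import urllib.error
import urllib.request
import uuid
from typing import Callable

# Lab values from this page; another instance needs its own URL and key.
MISP_URL = "http://localhost:10000"
MISP_KEY = "Qn0YLxykel69UDOEFL3bChiQ9vqfRzvpx7Vj4Oie"

# Enumerations the MISP REST API expects (numeric values, as in the OpenAPI spec).
DISTRIBUTION = {0: "your organisation only", 1: "this community",
                2: "connected communities", 3: "all communities", 4: "sharing group"}
THREAT_LEVEL = {1: "high", 2: "medium", 3: "low", 4: "undefined"}
ANALYSIS = {0: "initial", 1: "ongoing", 2: "complete"}

# A transport takes (url, headers, json_bytes) and returns the raw response bytes.
Transport = Callable[[str, dict, bytes], bytes]


def auth_headers(key: str) -> dict:
    """The three headers the curl command sends. The key is a bearer secret:
    anyone holding it can act as the user it was issued to."""
    return {"Authorization": key, "Accept": "application/json",
            "Content-Type": "application/json"}


def event_body(info: str, date: str, distribution: int = 0,
               threat_level_id: int = 1, analysis: int = 1) -> dict:
    """Build and range-check the JSON body for POST /events/add."""
    if distribution not in DISTRIBUTION:
        raise ValueError(f"distribution must be one of {sorted(DISTRIBUTION)}")
    if threat_level_id not in THREAT_LEVEL:
        raise ValueError(f"threat_level_id must be one of {sorted(THREAT_LEVEL)}")
    if analysis not in ANALYSIS:
        raise ValueError(f"analysis must be one of {sorted(ANALYSIS)}")
    return {"info": info, "date": date, "distribution": distribution,
            "threat_level_id": threat_level_id, "analysis": analysis}


def http_transport(url: str, headers: dict, data: bytes) -> bytes:
    """Real transport: one POST via urllib. MISP answers failures (e.g. 403 for a
    bad key) with a JSON body as well, so hand that back instead of raising."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()


def post_json(path: str, body: dict, base_url: str = MISP_URL, key: str = MISP_KEY,
              transport: Transport = http_transport) -> dict:
    raw = transport(base_url.rstrip("/") + path, auth_headers(key), json.dumps(body).encode())
    return json.loads(raw)


def add_event(body: dict, **kw) -> dict:
    """Same call as the curl command; returns the Event dict MISP sends back."""
    resp = post_json("/events/add", body, **kw)
    if "Event" not in resp:  # a failure is a JSON object without an "Event" member
        raise RuntimeError(f"MISP rejected the event: {resp}")
    return resp["Event"]


def recent_events(limit: int = 10, **kw) -> list:
    """The 'monitoring system' query from section 3: the last <limit> events via restSearch."""
    body = {"returnFormat": "json", "limit": limit, "page": 1}
    resp = post_json("/events/restSearch", body, **kw)
    return [item["Event"] for item in resp.get("response", [])]


class FakeMisp:
    """Constructed stand-in for the lab instance so this runs offline. It checks the
    key and mimics the response shapes of /events/add and /events/restSearch."""

    def __init__(self, key: str = MISP_KEY):
        self.key, self.events, self.requests = key, [], []

    def __call__(self, url: str, headers: dict, data: bytes) -> bytes:
        self.requests.append((url, headers, data))
        if headers.get("Authorization") != self.key:
            return json.dumps({"name": "Authentication failed.", "url": url}).encode()
        body = json.loads(data)
        if url.endswith("/events/add"):
            ev = dict(body, id=str(len(self.events) + 1), uuid=str(uuid.uuid4()))
            self.events.append(ev)
            return json.dumps({"Event": ev}).encode()
        if url.endswith("/events/restSearch"):
            newest_first = list(reversed(self.events))[: body["limit"]]
            return json.dumps({"response": [{"Event": e} for e in newest_first]}).encode()
        return json.dumps({"name": "Not found", "url": url}).encode()


if __name__ == "__main__":
    fake = FakeMisp()  # drop transport=fake to post to the real lab instance
    created = add_event(event_body("event is created from terminal via API", "2022-01-01"),
                        transport=fake)
    print("created event", created["id"], created["uuid"])
    print([e["info"] for e in recent_events(limit=10, transport=fake)])
```

Note that the client checks for the `Event` member rather than the HTTP status, because MISP returns a JSON object on both success and failure and the message on failure (for example a wrong AuthKey) is what you want in the error.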

6. Automation with python

cd /home/hacker/Desktop/
take misp-python            # oh-my-zsh helper, equivalent to: mkdir misp-python && cd misp-python
pipenv --python 3 shell
pipenv install pymisp
touch misp-script.py
code .
pip3 install pymisp         # only needed if you run the script outside the pipenv shell

Python code:

from pymisp import PyMISP, MISPEvent

misp_url = "http://localhost:10000/"
misp_key = "Qn0YLxykel69UDOEFL3bChiQ9vqfRzvpx7Vj4Oie"  # AuthKey from step 4: a bearer secret, keep it out of version control
misp_verifycert = False  # the lab instance runs over plain HTTP; keep certificate checks on for a real TLS instance

myMispInstance = PyMISP(misp_url, misp_key, ssl=misp_verifycert)

firstEvent = MISPEvent()

firstEvent.info = 'event is created from VSCode via PyMISP'  # Required
firstEvent.distribution = 0  # Optional, defaults to MISP.default_event_distribution in MISP config
firstEvent.threat_level_id = 2  # Optional, defaults to MISP.default_event_threat_level in MISP config
firstEvent.analysis = 1  # Optional, defaults to 0 (initial analysis)

firstEvent.add_tag('tlp:white')

print(firstEvent.to_json())

# pythonify=True returns a MISPEvent on success; on failure PyMISP returns a plain dict with an 'errors' key
result = myMispInstance.add_event(firstEvent, pythonify=True)
if isinstance(result, dict) and 'errors' in result:
    raise SystemExit(f"MISP rejected the event: {result['errors']}")
print(f"Created event id={result.id} uuid={result.uuid}")

Check the newly created MISP Event:
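The lab script above creates one empty event by hand. The following is an added example, not the lab's code, of the kind of automation section 6 is about: it takes a list of raw indicators (a constructed sample, not from the page), classifies each one into the MISP attribute type and category it belongs to, drops duplicates and unrecognised values, and assembles the event as the same JSON structure that `/events/add` accepts and that PyMISP's `MISPEvent.to_json()` produces, including nested `Attribute` and `Tag` lists. The type mapping covers only IPs, domains, URLs and MD5/SHA1/SHA256 hashes; anything else is reported as skipped rather than silently pushed with a wrong type.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample input (not from the page): what a script would read from a
# report or feed before pushing it to MISP.
INDICATORS = [
    "198.51.100.23",
    "malicious.example",
    "http://malicious.example/drop/payload.bin",
    "D41D8CD98F00B204E9800998ECF8427E",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

# MISP attribute types keyed by hex-digest length.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def classify(value: str):
    """Map a raw indicator to (MISP attribute type, category), or None if unknown."""
    value = value.strip()
    if HEX.match(value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)], "Payload delivery"
    try:
        ipaddress.ip_address(value)  # accepts v4 and v6 literals
        return "ip-dst", "Network activity"
    except ValueError:
        pass
    if "://" in value and urlparse(value).netloc:
        return "url", "Network activity"
    if DOMAIN.match(value):
        return "domain", "Network activity"
    return None


def to_attribute(value: str, to_ids: bool = True, comment: str = "") -> dict:
    """One MISP attribute as /events/add expects it inside the event's Attribute list."""
    kind = classify(value)
    if kind is None:
        raise ValueError(f"unrecognised indicator: {value!r}")
    atype, category = kind
    value = value.strip().lower() if atype in HASH_TYPES.values() else value.strip()
    return {"type": atype, "category": category, "value": value,
            "to_ids": to_ids, "comment": comment}


def build_event(info: str, indicators, distribution: int = 0, threat_level_id: int = 2,
                analysis: int = 1, tags=("tlp:white",)):
    """Assemble the event body; returns (event_dict, skipped_values)."""
    seen, attributes, skipped = set(), [], []
    for raw in indicators:
        value = raw.strip()
        if not value or value.lower() in seen:
            continue
        seen.add(value.lower())
        try:
            attributes.append(to_attribute(value))
        except ValueError:
            skipped.append(value)
    event = {
        "info": info,
        "distribution": distribution,
        "threat_level_id": threat_level_id,
        "analysis": analysis,
        "Attribute": attributes,
        "Tag": [{"name": t} for t in tags],
    }
    return event, skipped


if __name__ == "__main__":
    import json
    event, skipped = build_event("indicators pushed from a report via the API", INDICATORS)
    print(json.dumps(event, indent=2))
    print("skipped:", skipped)
```

The returned dict can be posted directly as the body of `POST /events/add` with the same headers as the curl command in section 5, or loaded into a `MISPEvent` with `MISPEvent().from_dict(**event)` and sent with `PyMISP.add_event` as in the lab script; `to_ids=True` marks the values as suitable for export to detection systems, so only set it on indicators you actually want blocked.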