Basic New Event - jbarlow-mcafee/opendxl-misp-service-python GitHub Wiki
This sample creates a new event on a MISP server via the MISP Events API. The sample then retrieves the contents of the stored event via a call to the MISP Search API. The sample displays the results of the calls to the Events and Search APIs.
For more information on the MISP Events API, see the PyMISP new_event API and MISP REST Event API documentation.
Sample Code
The majority of the sample code is shown below:
```python
from dxlbootstrap.util import MessageUtils
from dxlclient.client import DxlClient
from dxlclient.message import Message, Request

# `config` (the DXL client configuration) and `logger` are set up earlier
# in the full sample.

# Create the client
with DxlClient(config) as client:

    # Connect to the fabric
    client.connect()

    logger.info("Connected to DXL fabric.")

    # Create the new event request
    request_topic = "/opendxl-misp/service/misp-api/new_event"
    new_event_request = Request(request_topic)

    # Set the payload for the new event request
    MessageUtils.dict_to_json_payload(new_event_request, {
        "distribution": 3,
        "info": "OpenDXL MISP new event example",
        "analysis": 1,
        "threat_level_id": 3
    })

    # Send the new event request
    new_event_response = client.sync_request(new_event_request, timeout=30)

    if new_event_response.message_type != Message.MESSAGE_TYPE_ERROR:
        # Display results for the new event request
        new_event_response_dict = MessageUtils.json_payload_to_dict(
            new_event_response)
        print("Response to the new event request:\n{}".format(
            MessageUtils.dict_to_json(new_event_response_dict,
                                      pretty_print=True)))
    else:
        print("Error invoking service with topic '{}': {} ({})".format(
            request_topic, new_event_response.error_message,
            new_event_response.error_code))
        exit(1)
```
After connecting to the DXL fabric, a request message is created with a topic that targets the "new_event" method of the MISP API DXL service.
The next step is to set the payload of the request message. The contents of the payload include information to store in the MISP event.
The next step is to perform a synchronous request via the DXL fabric. If the response message is not an error, its contents are displayed.
```python
    # (continues inside the `with DxlClient(config) as client:` block)

    # Create the new search request
    request_topic = "/opendxl-misp/service/misp-api/search"
    search_request = Request(request_topic)

    # Set the payload for the search request
    MessageUtils.dict_to_json_payload(search_request, {
        "eventid": new_event_response_dict["Event"]["id"],
    })

    # Send the search request
    search_response = client.sync_request(search_request, timeout=30)

    if search_response.message_type != Message.MESSAGE_TYPE_ERROR:
        # Display results for the search request
        search_response_dict = MessageUtils.json_payload_to_dict(
            search_response)
        print("Response to the search request for the new MISP event:\n{}".format(
            MessageUtils.dict_to_json(search_response_dict,
                                      pretty_print=True)))
    else:
        print("Error invoking service with topic '{}': {} ({})".format(
            request_topic, search_response.error_message,
            search_response.error_code))
```
Output
The output should appear similar to the following:
```
Response to the new event request:
{
    "Event": {
        "Attribute": [],
        "Galaxy": [],
        "Object": [],
        "Org": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "5ac3c55a-41a4-4294-adf3-00f8ac110003"
        },
        "Orgc": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "5ac3c55a-41a4-4294-adf3-00f8ac110003"
        },
        "RelatedEvent": [],
        "ShadowAttribute": [],
        "analysis": "1",
        "attribute_count": "0",
        "date": "2018-04-09",
        "disable_correlation": false,
        "distribution": "3",
        "event_creator_email": "[email protected]",
        "id": "169",
        "info": "OpenDXL MISP new event example",
        "locked": false,
        "org_id": "1",
        "orgc_id": "1",
        "proposal_email_lock": false,
        "publish_timestamp": "0",
        "published": false,
        "sharing_group_id": "0",
        "threat_level_id": "3",
        "timestamp": "1523287869",
        "uuid": "5acb873d-a914-4f9f-92b9-196cac110002"
    }
}
Response to the search request for the new MISP event:
{
    "response": [
        {
            "Event": {
                "Attribute": [],
                "Galaxy": [],
                "Object": [],
                "Org": {
                    "id": "1",
                    "name": "ORGNAME",
                    "uuid": "5ac3c55a-41a4-4294-adf3-00f8ac110003"
                },
                "Orgc": {
                    "id": "1",
                    "name": "ORGNAME",
                    "uuid": "5ac3c55a-41a4-4294-adf3-00f8ac110003"
                },
                "RelatedEvent": [],
                "ShadowAttribute": [],
                "analysis": "1",
                "attribute_count": "0",
                "date": "2018-04-09",
                "disable_correlation": false,
                "distribution": "3",
                "event_creator_email": "[email protected]",
                "id": "169",
                "info": "OpenDXL MISP new event example",
                "locked": false,
                "org_id": "1",
                "orgc_id": "1",
                "proposal_email_lock": false,
                "publish_timestamp": "0",
                "published": false,
                "sharing_group_id": "0",
                "threat_level_id": "3",
                "timestamp": "1523287869",
                "uuid": "5acb873d-a914-4f9f-92b9-196cac110002"
            }
        }
    ]
}
```
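An added example (not part of the wiki or the opendxl-misp-service project): offline checks a caller could run around the new_event and search exchange. It validates the payload against MISP's value ranges, flags a distribution outside a local policy (the sample's `3` means "All communities"), and confirms the Search result matches what was sent. The function names and the `allowed_distribution` policy are assumptions.

```python
# Added example. Value names follow MISP's documented enumerations.
FIELDS = {
    "distribution": {0: "Your organisation only", 1: "This community only",
                     2: "Connected communities", 3: "All communities",
                     4: "Sharing group"},
    "analysis": {0: "Initial", 1: "Ongoing", 2: "Completed"},
    "threat_level_id": {1: "High", 2: "Medium", 3: "Low", 4: "Undefined"},
}

def check_new_event_payload(payload, allowed_distribution=(0, 1)):
    """Return problems found; allowed_distribution is an assumed local policy."""
    problems = []
    if not str(payload.get("info") or "").strip():
        problems.append("info is empty")
    for key, names in FIELDS.items():
        try:
            value = int(payload[key])
        except (KeyError, TypeError, ValueError):
            problems.append("{} is missing or not an integer".format(key))
            continue
        if value not in names:
            problems.append("{}={} is not a defined MISP value".format(key, value))
        elif key == "distribution" and value not in allowed_distribution:
            problems.append("distribution={} ({}) is outside local policy".format(
                value, names[value]))
    return problems

def verify_round_trip(payload, created, search):
    """Return the fields on which the Search result disagrees with the request."""
    event = created["Event"]
    hits = [r["Event"] for r in search.get("response", [])
            if r["Event"]["id"] == event["id"]]
    if len(hits) != 1:
        return ["expected exactly one search hit for id {}".format(event["id"])]
    mismatches = [] if hits[0]["uuid"] == event["uuid"] else ["uuid"]
    # The responses carry numeric fields as strings ("3"), so compare as strings.
    mismatches += [k for k in payload if str(hits[0].get(k)) != str(payload[k])]
    return mismatches
# Sample data: the page's request payload and a trimmed copy of its output.
PAYLOAD = {"distribution": 3, "info": "OpenDXL MISP new event example",
           "analysis": 1, "threat_level_id": 3}
EVENT = {"id": "169", "uuid": "5acb873d-a914-4f9f-92b9-196cac110002",
         "info": "OpenDXL MISP new event example", "distribution": "3",
         "analysis": "1", "threat_level_id": "3", "published": False}
CREATED = {"Event": EVENT}
SEARCH = {"response": [{"Event": dict(EVENT)}]}
if __name__ == "__main__":
    print(check_new_event_payload(PAYLOAD))
    print(verify_round_trip(PAYLOAD, CREATED, SEARCH))
```

Call `check_new_event_payload` before `client.sync_request` and `verify_round_trip` on the two response dictionaries afterwards.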