PyMISP
PyMISP is a Python library designed to interact with MISP (Malware Information Sharing Platform) instances via their REST API. It provides comprehensive functionalities to fetch, add, update, and search for events, attributes, objects, samples, and more, facilitating automated threat intelligence sharing and analysis. The library is actively maintained with frequent releases, ensuring compatibility with the latest MISP features.
Warnings
- breaking: Version 2.5.33.1 introduced backward-incompatible changes related to `pyfaup-rs` (and implicitly `faup-rs`). If you rely on URL object parsing, review your code and, if issues arise, update `pyfaup-rs` or pin an older PyMISP version.
- gotcha: SSL certificate verification is enabled by default (`misp_verifycert=True`). In development environments or with self-signed certificates, this often leads to `SSLError` exceptions.
- gotcha: PyMISP requires an 'automation key' from your MISP user profile. Regular user API keys may not have sufficient permissions for automated tasks, leading to authorization errors (e.g., 'Not available: you don't have "Auth key access" role').
- breaking: With MISP v2.5.35, the default ordering for `restsearch` (e.g., when searching for attributes or events) has changed due to a transition to cursor-based pagination. If your application relies on a specific default order, search results may come back in a different order.
Install
- `pip install pymisp`
- `pip install 'pymisp[fileobjects,url,email,brotli]'`
Imports
- PyMISP: `from pymisp import PyMISP`
- MISPEvent: `from pymisp import MISPEvent`
- MISPAttribute: `from pymisp import MISPAttribute`
Quickstart
import os
from pymisp import PyMISP

# Configure MISP connection from environment variables
misp_url = os.environ.get('MISP_URL', 'https://your.misp.instance')
misp_key = os.environ.get('MISP_KEY', 'YOUR_MISP_AUTOMATION_KEY')  # Your MISP automation key
misp_verifycert = os.environ.get('MISP_VERIFYCERT', 'True').lower() == 'true'

# Initialize PyMISP object
try:
    misp = PyMISP(misp_url, misp_key, misp_verifycert)
    print(f"Successfully connected to MISP instance at {misp_url}.")
    # Example: Fetch last 5 published events
    last_events = misp.search(limit=5, controller='events', published=True)
    if last_events:
        print(f"Found {len(last_events)} published events:")
        for event in last_events:
            print(f"  Event ID: {event['Event']['id']}, Info: {event['Event']['info']}")
    else:
        print("No published events found in the last search.")
except Exception as e:
    print(f"Error connecting to MISP or fetching events: {e}")
    print("Please ensure MISP_URL, MISP_KEY, and MISP_VERIFYCERT are correctly set.")
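The SSL warning and the `MISP_VERIFYCERT` handling in the quickstart can be combined so that a self-signed instance is trusted through its CA bundle instead of by turning verification off. This is an added example, not code from the PyMISP project; it relies on PyMISP's `ssl` argument accepting `True`, `False`, or a path to a CA bundle. The helper names and the `MISP_ALLOW_INSECURE` variable are assumptions made for illustration.

```python
import os
from pathlib import Path


def resolve_ssl_setting(raw, allow_insecure=False):
    """Turn a MISP_VERIFYCERT-style string into a value for PyMISP's `ssl` argument.

    unset / "true"  -> True   (verify against the system trust store)
    "false"         -> False  (only when the caller explicitly opts in)
    anything else   -> treated as a path to a PEM CA bundle, which must exist
    """
    value = (raw or "true").strip()
    lowered = value.lower()
    if lowered in ("true", "1", "yes"):
        return True
    if lowered in ("false", "0", "no"):
        if not allow_insecure:
            raise ValueError(
                "certificate verification disabled without explicit opt-in; "
                "point MISP_VERIFYCERT at a CA bundle instead"
            )
        return False
    bundle = Path(value).expanduser()
    if not bundle.is_file():
        # Fail closed: a typo in the path must not silently change trust settings.
        raise ValueError(f"CA bundle not found: {bundle}")
    return str(bundle)


def connect_from_env(env=os.environ):
    """Build a PyMISP client from MISP_URL, MISP_KEY and MISP_VERIFYCERT."""
    # Imported here so resolve_ssl_setting() can be used without PyMISP installed.
    from pymisp import PyMISP

    ssl_setting = resolve_ssl_setting(
        env.get("MISP_VERIFYCERT"),
        # MISP_ALLOW_INSECURE is a hypothetical opt-in variable for this example.
        allow_insecure=env.get("MISP_ALLOW_INSECURE") == "1",
    )
    # No default for the URL or key: a missing variable raises KeyError
    # rather than connecting with placeholder credentials.
    return PyMISP(env["MISP_URL"], env["MISP_KEY"], ssl=ssl_setting)
```

With a self-signed instance, set `MISP_VERIFYCERT` to the path of the PEM file containing the instance's certificate chain and call `connect_from_env()`.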