tessl/pypi-pymisp

Python API for MISP threat intelligence platform enabling programmatic access to MISP instances.

Workspace: tessl
Visibility: Public
Describes: pkg:pypi/pymisp@2.5.x

To install, run

npx @tessl/cli install tessl/pypi-pymisp@2.5.0

PyMISP

A comprehensive Python library for programmatic access to MISP (Malware Information Sharing Platform) instances via their REST API. PyMISP enables cybersecurity professionals to automate threat intelligence sharing, manage events and attributes, perform complex searches, and integrate MISP functionality into security workflows.

Package Information

  • Package Name: pymisp
  • Language: Python
  • Installation: pip install pymisp
  • Optional Dependencies: pip install "pymisp[fileobjects,virustotal,email,pdfexport]" (quoted so the shell does not expand the brackets)

Core Imports

from pymisp import PyMISP

For specific components:

from pymisp import (
    PyMISP, MISPEvent, MISPAttribute, MISPObject, 
    MISPUser, MISPOrganisation, MISPTag
)

Basic Usage

from pymisp import PyMISP, MISPEvent, MISPAttribute

# Initialize PyMISP client (ssl=True verifies the server's TLS certificate)
misp = PyMISP('https://your-misp-instance.com', 'your-api-key', ssl=True)

# Get recent events
events = misp.search(timestamp='5d', limit=10)

# Create a new event
event = MISPEvent()
event.info = "Suspicious Activity Detected"
event.distribution = 1  # Community only
event.threat_level_id = 2  # Medium

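# Add event to MISP; pythonify=True returns a MISPEvent carrying the server-assigned id
created_event = misp.add_event(event, pythonify=True)

# Add an attribute
attribute = MISPAttribute()
attribute.type = 'ip-dst'
attribute.value = '192.168.1.100'
attribute.comment = 'Malicious IP address'

# Attach the attribute to the event that was just created
misp.add_attribute(created_event.id, attribute)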

# Search for specific indicators
results = misp.search(value='192.168.1.100', type_attribute='ip-dst')

Architecture

PyMISP provides a multi-layered architecture for MISP interaction:

  • PyMISP Client: Main API interface handling authentication and HTTP communication
  • Data Model Objects: Rich Python objects representing MISP entities (events, attributes, objects, users)
  • Object Generators: Specialized tools for creating structured threat intelligence objects
  • Search & Filter System: Comprehensive querying capabilities across all MISP data types
  • Synchronization Tools: Multi-server data sharing and federation support

This design enables both simple one-off queries and complex automated threat intelligence workflows.

Capabilities

Core API Client

The main PyMISP class providing comprehensive REST API access to MISP instances, including event management, searching, user administration, and server synchronization.

class PyMISP:
    def __init__(self, url: str, key: str, ssl: bool = True, debug: bool = False) -> None: ...
    
    # Properties
    @property
    def version(self) -> str: ...
    @property
    def misp_instance_version(self) -> dict: ...

Event Management

Comprehensive event lifecycle management including creation, modification, publishing, and deletion of MISP events with full attribute and object support.

def events(self, **kwargs) -> list: ...
def get_event(self, event_id: int | str, **kwargs) -> dict: ...
def add_event(self, event: MISPEvent | dict, **kwargs) -> dict: ...
def update_event(self, event: MISPEvent | dict, **kwargs) -> dict: ...
def delete_event(self, event_id: int | str) -> dict: ...
def publish(self, event_id: int | str) -> dict: ...

Attribute Management

Detailed attribute handling for managing indicators and observables within events, including attribute creation, updates, and validation.

def attributes(self, **kwargs) -> list: ...
def get_attribute(self, attribute_id: int | str) -> dict: ...
def add_attribute(self, event_id: int | str, attribute: MISPAttribute | dict, **kwargs) -> dict: ...
def update_attribute(self, attribute: MISPAttribute | dict, **kwargs) -> dict: ...
def delete_attribute(self, attribute_id: int | str) -> dict: ...
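An added example (not from the PyMISP project or the original page) of vetting indicators before they reach add_attribute: it rejects malformed, duplicate, and private or non-routable addresses such as the 192.168.1.100 used in Basic Usage. NON_ROUTABLE, vet_ip_indicators and submit_vetted are hypothetical names; only the add_attribute(event_id, attribute) call and the dict attribute form come from the signatures above.

```python
import ipaddress

# Ranges that should never be shared as network indicators (constructed list;
# extend it with your own internal and partner ranges).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Constructed sample input; 203.0.113.0/24 is a documentation range standing in
# for a public address.
SAMPLE = ["203.0.113.7", "192.168.1.100", " 203.0.113.7 ", "10.1.2.3", "evil.example"]


def vet_ip_indicators(candidates, comment="", attr_type="ip-dst"):
    """Return (accepted, rejected) for a list of candidate IP strings.

    accepted: attribute dicts with the type/value/comment fields used above.
    rejected: (value, reason) tuples for an analyst to review.
    """
    accepted, rejected, seen = [], [], set()
    for raw in candidates:
        value = raw.strip()
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            rejected.append((value, "not an IP address"))
            continue
        if any(ip in net for net in NON_ROUTABLE):
            rejected.append((value, "private or non-routable range"))
        elif str(ip) in seen:
            rejected.append((value, "duplicate"))
        else:
            seen.add(str(ip))
            accepted.append({"type": attr_type, "value": str(ip), "comment": comment})
    return accepted, rejected


def submit_vetted(misp, event_id, candidates, comment=""):
    """Send only vetted attributes through misp.add_attribute(); return rejects."""
    accepted, rejected = vet_ip_indicators(candidates, comment)
    for attribute in accepted:
        misp.add_attribute(event_id, attribute)
    return rejected
```

Pass a connected PyMISP client as `misp`; the returned rejects are worth logging so an analyst can see what was withheld and why.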

Object Management

MISP object handling for structured threat intelligence data including file objects, network objects, and custom object types.

def get_object(self, object_id: int | str) -> dict: ...
def add_object(self, event_id: int | str, misp_object: MISPObject | dict, **kwargs) -> dict: ...
def update_object(self, misp_object: MISPObject | dict, **kwargs) -> dict: ...
def delete_object(self, object_id: int | str) -> dict: ...
def object_templates(self) -> list: ...

Search & Query

Powerful search capabilities across events, attributes, sightings, and other MISP data with complex filtering and correlation support.

def search(self, **kwargs) -> list: ...
def search_index(self, **kwargs) -> list: ...
def search_sightings(self, **kwargs) -> list: ...
def search_logs(self, **kwargs) -> list: ...
def search_tags(self, **kwargs) -> list: ...

Data Model Classes

Rich Python objects representing all MISP entities with validation, serialization, and relationship management capabilities.

class MISPEvent(AbstractMISP): ...
class MISPAttribute(AbstractMISP): ...
class MISPObject(AbstractMISP): ...
class MISPUser(AbstractMISP): ...
class MISPOrganisation(AbstractMISP): ...

User & Organization Management

Complete user account and organization administration including roles, permissions, and settings management.

def users(self, **kwargs) -> list: ...
def get_user(self, user_id: int | str) -> dict: ...
def add_user(self, user: MISPUser | dict, **kwargs) -> dict: ...
def organisations(self, **kwargs) -> list: ...
def get_organisation(self, org_id: int | str) -> dict: ...

Object Generators & Tools

Specialized object creation tools for generating structured threat intelligence objects from various data sources.

class FileObject(AbstractMISPObjectGenerator): ...
class URLObject(AbstractMISPObjectGenerator): ...
class EmailObject(AbstractMISPObjectGenerator): ...
class VTReportObject(AbstractMISPObjectGenerator): ...

Server & Synchronization

Multi-server synchronization and federation capabilities for sharing threat intelligence across MISP instances.

def servers(self, **kwargs) -> list: ...
def add_server(self, server: MISPServer | dict) -> dict: ...
def server_pull(self, server_id: int | str, **kwargs) -> dict: ...
def server_push(self, server_id: int | str, **kwargs) -> dict: ...

Tag & Taxonomy Management

Comprehensive tagging and classification system management including taxonomies, warning lists, and custom tags.

def tags(self, **kwargs) -> list: ...
def add_tag(self, tag: MISPTag | dict, **kwargs) -> dict: ...
def taxonomies(self, **kwargs) -> list: ...
def warninglists(self, **kwargs) -> list: ...
