0
# Data Model Classes
1
2
Rich Python objects representing all MISP entities with validation, serialization, relationship management, and comprehensive attribute handling.
3
4
## Capabilities
5
6
### Core Data Models
7
8
Primary MISP entity classes with full object lifecycle support.
9
10
```python { .api }
11
class MISPEvent(AbstractMISP):
12
"""
13
MISP event representation with attributes, objects, and metadata.
14
15
Key Properties:
16
- info: Event title/description
17
- threat_level_id: Threat level (1-4)
18
- analysis: Analysis status (0-2)
19
- distribution: Sharing distribution level (0-5)
20
- published: Publication status
21
- uuid: Unique event identifier
22
- timestamp: Last modification time
23
- publish_timestamp: Publication time
24
- orgc_id: Creator organization ID
25
- org_id: Owner organization ID
26
"""
27
28
def __init__(self) -> None: ...
29
30
def add_attribute(
31
self,
32
type: str,
33
value: str,
34
category: str = None,
35
**kwargs
36
) -> 'MISPAttribute': ...
37
38
def add_object(self, obj: 'MISPObject') -> None: ...
39
40
def add_tag(self, tag: Union[str, 'MISPTag']) -> None: ...
41
42
def publish(self) -> None: ...
43
44
def unpublish(self) -> None: ...
45
46
class MISPAttribute(AbstractMISP):
47
"""
48
MISP attribute representing indicators and observables.
49
50
Key Properties:
51
- type: Attribute type (ip-dst, domain, md5, etc.)
52
- value: Attribute value
53
- category: Attribute category
54
- to_ids: IDS export flag
55
- distribution: Sharing distribution level
56
- comment: Descriptive comment
57
- uuid: Unique attribute identifier
58
- timestamp: Last modification time
59
- event_id: Parent event ID
60
"""
61
62
def __init__(self) -> None: ...
63
64
def add_tag(self, tag: Union[str, 'MISPTag']) -> None: ...
65
66
def add_sighting(self, sighting: 'MISPSighting') -> None: ...
67
68
class MISPObject(AbstractMISP):
69
"""
70
MISP object for structured threat intelligence data.
71
72
Key Properties:
73
- name: Object template name
74
- meta_category: Object meta category
75
- description: Object description
76
- template_uuid: Template UUID
77
- template_version: Template version
78
- distribution: Sharing distribution level
79
- uuid: Unique object identifier
80
"""
81
82
def __init__(self, name: str, **kwargs) -> None: ...
83
84
def add_attribute(
85
self,
86
object_relation: str,
87
value: str,
88
**kwargs
89
) -> 'MISPObjectAttribute': ...
90
91
def add_reference(
92
self,
93
referenced_uuid: str,
94
relationship_type: str
95
) -> 'MISPObjectReference': ...
96
97
def has_attributes_by_relation(self, object_relation: str) -> bool: ...
98
99
def get_attributes_by_relation(self, object_relation: str) -> List['MISPObjectAttribute']: ...
100
```
101
102
### User & Organization Models
103
104
Models for user management and organizational structure.
105
106
```python { .api }
107
class MISPUser(AbstractMISP):
108
"""
109
MISP user account representation.
110
111
Key Properties:
112
- email: User email address
113
- org_id: Organization ID
114
- role_id: User role ID
115
- authkey: API authentication key
116
- newsread: News read timestamp
117
- termsaccepted: Terms acceptance status
118
- disabled: Account disabled status
119
"""
120
121
def __init__(self) -> None: ...
122
123
class MISPOrganisation(AbstractMISP):
124
"""
125
MISP organization representation.
126
127
Key Properties:
128
- name: Organization name
129
- description: Organization description
130
- type: Organization type
131
- nationality: Organization nationality
132
- sector: Organization sector
133
- created_by: Creator user ID
134
- uuid: Unique organization identifier
135
- local: Local organization flag
136
"""
137
138
def __init__(self) -> None: ...
139
140
class MISPRole(AbstractMISP):
141
"""
142
User role definition with permissions.
143
144
Key Properties:
145
- name: Role name
146
- created: Creation timestamp
147
- modified: Modification timestamp
148
- perm_admin: Admin permissions
149
- perm_site_admin: Site admin permissions
150
- perm_sync: Sync permissions
151
- perm_audit: Audit permissions
152
"""
153
154
def __init__(self) -> None: ...
155
```
156
157
### Threat Intelligence Models
158
159
Specialized models for threat intelligence data and analysis.
160
161
```python { .api }
162
class MISPSighting(AbstractMISP):
163
"""
164
Sighting data for threat intelligence observations.
165
166
Key Properties:
167
- type: Sighting type (0=sighting, 1=false positive, 2=expiration)
168
- date_sighting: Sighting timestamp
169
- organisation_id: Reporting organization
170
- source: Sighting source
171
- uuid: Unique sighting identifier
172
"""
173
174
def __init__(self) -> None: ...
175
176
class MISPGalaxy(AbstractMISP):
177
"""
178
Galaxy threat intelligence knowledge base.
179
180
Key Properties:
181
- name: Galaxy name
182
- type: Galaxy type
183
- description: Galaxy description
184
- version: Galaxy version
185
- uuid: Unique galaxy identifier
186
- namespace: Galaxy namespace
187
"""
188
189
def __init__(self) -> None: ...
190
191
class MISPGalaxyCluster(AbstractMISP):
192
"""
193
Galaxy cluster representing threat patterns.
194
195
Key Properties:
196
- type: Cluster type
197
- value: Cluster value
198
- description: Cluster description
199
- galaxy_id: Parent galaxy ID
200
- source: Information source
201
- authors: Cluster authors
202
- uuid: Unique cluster identifier
203
"""
204
205
def __init__(self) -> None: ...
206
207
class MISPTag(AbstractMISP):
208
"""
209
Tag for classification and labeling.
210
211
Key Properties:
212
- name: Tag name
213
- colour: Tag color (hex code)
214
- exportable: Export flag
215
- hide_tag: Visibility flag
216
- user_id: Creator user ID
217
- numerical_value: Numeric weight
218
"""
219
220
def __init__(self) -> None: ...
221
```
222
223
### Administrative Models
224
225
Models for system administration and configuration.
226
227
```python { .api }
228
class MISPServer(AbstractMISP):
229
"""
230
Remote MISP server configuration.
231
232
Key Properties:
233
- name: Server name
234
- url: Server URL
235
- authkey: Authentication key
236
- org_id: Organization ID
237
- push: Push enabled flag
238
- pull: Pull enabled flag
239
- json_connection: JSON connection flag
240
"""
241
242
def __init__(self) -> None: ...
243
244
class MISPSharingGroup(AbstractMISP):
245
"""
246
Sharing group for access control.
247
248
Key Properties:
249
- name: Sharing group name
250
- description: Group description
251
- releasability: Release information
252
- organisation_id: Owner organization
253
- created_by: Creator user ID
254
- local: Local group flag
255
"""
256
257
def __init__(self) -> None: ...
258
259
class MISPFeed(AbstractMISP):
260
"""
261
External data feed configuration.
262
263
Key Properties:
264
- name: Feed name
265
- provider: Feed provider
266
- url: Feed URL
267
- rules: Processing rules
268
- enabled: Feed enabled status
269
- distribution: Default distribution
270
- sharing_group_id: Default sharing group
271
"""
272
273
def __init__(self) -> None: ...
274
```
275
276
### Analytical Models
277
278
Models for analytical data and expert assessments.
279
280
```python { .api }
281
class MISPNote(AbstractMISP):
282
"""
283
Analyst contextual notes.
284
285
Key Properties:
286
- note: Note content
287
- language: Note language
288
- object_type: Referenced object type
289
- object_uuid: Referenced object UUID
290
- authors: Note authors
291
- distribution: Sharing distribution
292
"""
293
294
def __init__(self) -> None: ...
295
296
class MISPOpinion(AbstractMISP):
297
"""
298
Expert threat assessments.
299
300
Key Properties:
301
- opinion: Opinion value (0-100)
302
- comment: Opinion comment
303
- object_type: Referenced object type
304
- object_uuid: Referenced object UUID
305
- authors: Opinion authors
306
- distribution: Sharing distribution
307
"""
308
309
def __init__(self) -> None: ...
310
311
class MISPRelationship(AbstractMISP):
312
"""
313
Entity relationship definitions.
314
315
Key Properties:
316
- relationship_type: Relationship type
317
- object_uuid: Source object UUID
318
- related_object_uuid: Target object UUID
319
- distribution: Sharing distribution
320
"""
321
322
def __init__(self) -> None: ...
323
```
324
325
### Base Classes & Enumerations
326
327
Foundation classes and enumerated values.
328
329
```python { .api }
330
class AbstractMISP:
331
"""
332
Base class for all MISP objects with common functionality.
333
334
Methods:
335
- from_dict(): Create object from dictionary
336
- to_dict(): Convert object to dictionary
337
- to_json(): Convert object to JSON string
338
- load_file(): Load object from file
339
- save(): Save object to file
340
- jsonable(): Get JSON-serializable representation
341
"""
342
343
def from_dict(self, **kwargs) -> None: ...
344
def to_dict(self) -> Dict: ...
345
def to_json(self) -> str: ...
346
def jsonable(self) -> Dict: ...
347
348
from enum import Enum
349
350
class Distribution(Enum):
351
"""Sharing distribution levels."""
352
your_organisation_only = 0
353
this_community_only = 1
354
connected_communities = 2
355
all_communities = 3
356
sharing_group = 4
357
inherit = 5
358
359
class ThreatLevel(Enum):
360
"""Threat level classifications."""
361
high = 1
362
medium = 2
363
low = 3
364
undefined = 4
365
366
class Analysis(Enum):
367
"""Analysis status levels."""
368
initial = 0
369
ongoing = 1
370
completed = 2
371
```
372
373
## Usage Examples
374
375
### Creating Events & Attributes
376
377
```python
378
from pymisp import MISPEvent, MISPAttribute, Distribution, ThreatLevel
379
380
# Create new event
381
event = MISPEvent()
382
event.info = "Malware Campaign Analysis"
383
event.distribution = Distribution.this_community_only.value
384
event.threat_level_id = ThreatLevel.high.value
385
event.analysis = 1 # Ongoing
386
387
# Add attributes directly
388
ip_attr = event.add_attribute('ip-dst', '192.168.1.100', category='Network activity')
389
ip_attr.comment = 'C2 server IP'
390
391
# Create standalone attribute
392
domain_attr = MISPAttribute()
393
domain_attr.type = 'domain'
394
domain_attr.value = 'malware.example.com'
395
domain_attr.category = 'Network activity'
396
domain_attr.to_ids = True
397
398
# Add to event
399
event.attributes.append(domain_attr)
400
```
401
402
### Working with Objects
403
404
```python
405
from pymisp import MISPObject
406
407
# Create file object
408
file_obj = MISPObject('file')
409
file_obj.add_attribute('filename', 'malware.exe')
410
file_obj.add_attribute('md5', 'd41d8cd98f00b204e9800998ecf8427e')
411
file_obj.add_attribute('sha1', 'da39a3ee5e6b4b0d3255bfef95601890afd80709')
412
file_obj.add_attribute('size-in-bytes', 1024)
413
414
# Add object to event
415
event.add_object(file_obj)
416
417
# Create network connection object
418
conn_obj = MISPObject('network-connection')
419
conn_obj.add_attribute('src-ip', '192.168.1.100')
420
conn_obj.add_attribute('dst-ip', '203.0.113.10')
421
conn_obj.add_attribute('src-port', 8080)
422
conn_obj.add_attribute('dst-port', 443)
423
conn_obj.add_attribute('protocol', 'tcp')
424
425
event.add_object(conn_obj)
426
```
427
428
### Object Serialization
429
430
```python
431
from pymisp import MISPEvent
432
433
# Create and populate event
434
event = MISPEvent()
435
event.info = "Test Event"
436
event.add_attribute('ip-dst', '192.168.1.1')
437
438
# Convert to dictionary
439
event_dict = event.to_dict()
440
441
# Convert to JSON
442
event_json = event.to_json()
443
444
# Create from dictionary
445
new_event = MISPEvent()
446
new_event.from_dict(**event_dict)
447
448
# Save to file
449
event.save('event.json')
450
451
# Load from file
452
loaded_event = MISPEvent()
453
loaded_event.load_file('event.json')
454
```
455
456
### Tags & Classification
457
458
```python
459
from pymisp import MISPTag
460
461
# Create custom tag
462
tag = MISPTag()
463
tag.name = 'custom:campaign-x'
464
tag.colour = '#ff0000'
465
tag.exportable = True
466
467
# Add tags to event
468
event.add_tag('apt')
469
event.add_tag('malware')
470
event.add_tag(tag)
471
472
# Add tags to attributes
473
attribute.add_tag('high-confidence')
474
attribute.add_tag('ioc')
475
```
476
477
### User & Organization Management
478
479
```python
480
from pymisp import MISPUser, MISPOrganisation
481
482
# Create organization
483
org = MISPOrganisation()
484
org.name = "Security Company"
485
org.description = "Cybersecurity organization"
486
org.type = "CSIRT"
487
org.nationality = "US"
488
org.sector = "Security"
489
490
# Create user
491
user = MISPUser()
492
user.email = "analyst@security.com"
493
user.org_id = 1
494
user.role_id = 3 # User role
495
```
496
497
## Types
498
499
```python { .api }
500
from typing import Union, List, Dict, Optional, Any
501
from datetime import datetime
502
from enum import Enum
503
504
MISPEntity = Union[MISPEvent, MISPAttribute, MISPObject, MISPUser, MISPOrganisation]
505
AttributeType = str
506
AttributeValue = Union[str, int, float]
507
UUID = str
508
Timestamp = Union[str, int, datetime]
509
DistributionLevel = int # 0-5
510
ThreatLevelID = int # 1-4
511
AnalysisLevel = int # 0-2
512
```