Workspace: tessl
Visibility: Public
Describes: pypipkg:pypi/pymisp@2.5.x (tile.json)

tessl/pypi-pymisp

tessl install tessl/pypi-pymisp@2.5.0

Python API for MISP threat intelligence platform enabling programmatic access to MISP instances.

Agent Success: 96% (agent success rate when using this tile)

Improvement: 1.25x (agent success rate improvement when using this tile compared to baseline)

Baseline: 77% (agent success rate without this tile)

evals/scenario-6/task.md

IOC Enrichment Tool

Build a command-line tool that enriches threat intelligence events with reputation data from external security services.

Context

Security analysts often need to validate and enrich indicators of compromise (IOCs) like file hashes and URLs by checking them against external threat intelligence services. This tool should automate the enrichment process by fetching reputation data and updating the threat intelligence database accordingly.

Requirements

Your tool should:

  1. Accept input parameters via command-line arguments:
    • Event ID (integer): The threat intelligence event to enrich
    • Service name (string): The external service to query (e.g., "virustotal")
    • API key (string): Authentication credential for the external service
  2. Retrieve the event from the MISP instance and extract all relevant indicators that need enrichment (file hashes and URLs)
  3. Query the external service for each indicator to get reputation scores and detection information
  4. Create enrichment records in the MISP instance that link each indicator to its reputation data, including:
    • Detection ratio (e.g., "45/70" meaning 45 out of 70 security vendors detected the indicator as malicious)
    • Service name
    • Raw response data from the service
  5. Output a summary showing:
    • Total number of indicators processed
    • Number of indicators successfully enriched
    • Any errors encountered

Implementation Notes

  • Use Python 3.8+
  • Handle errors gracefully (invalid event IDs, API failures, missing indicators)
  • The tool should connect to a MISP instance at https://misp.local with API key test-api-key-12345
  • Print clear status messages during processing
  • Exit with status code 0 on success, non-zero on failure
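
The core of the enrichment step described in the requirements and notes above, as an added example that is neither the tile's nor pymisp's own code: it selects the hash and URL attributes from an event dict in the shape PyMISP's get_event() returns, turns a VirusTotal-style stats block into the "45/70" detection ratio, records per-indicator failures instead of aborting, and derives the exit status. The MISP and VirusTotal calls are replaced by a constructed in-memory lookup so it runs offline, and the response field layout (last_analysis_stats) is an assumption.

```python
from typing import Callable

ENRICHABLE = {"md5", "sha1", "sha256", "url"}   # indicator types the task asks to enrich

def select_indicators(event: dict) -> list:
    """Keep file hashes and URLs only. Assumes the dict shape PyMISP's
    get_event() returns (Event -> Attribute list); other types are skipped."""
    attrs = event.get("Event", {}).get("Attribute", [])
    return [a for a in attrs if a.get("type") in ENRICHABLE and a.get("value")]

def detection_ratio(stats: dict) -> str:
    """'45/70' = malicious verdicts over all verdicts, from a VirusTotal-style
    last_analysis_stats block (field layout assumed, data constructed below)."""
    total = sum(stats.values())
    if total == 0:
        raise ValueError("no vendor verdicts in response")
    return f"{stats.get('malicious', 0)}/{total}"

def enrich(event: dict, service: str, lookup: Callable) -> dict:
    """lookup(type, value) stands in for the external query and may raise;
    a bad indicator becomes an entry in summary['errors'], not a crash."""
    s = {"processed": 0, "enriched": 0, "errors": [], "records": []}
    for attr in select_indicators(event):
        s["processed"] += 1
        try:
            raw = lookup(attr["type"], attr["value"])
            ratio = detection_ratio(raw["last_analysis_stats"])
            s["records"].append({"indicator": attr["value"], "detection-ratio": ratio,
                                 "service": service, "raw": raw})
            s["enriched"] += 1
        except (KeyError, ValueError) as exc:
            s["errors"].append(f"{attr['value']}: {exc}")
    return s

def exit_code(s: dict) -> int:
    """0 only when at least one indicator was found and every one was enriched."""
    return 0 if s["processed"] and s["enriched"] == s["processed"] else 1

# Constructed sample event and service responses so the example runs offline.
SAMPLE_EVENT = {"Event": {"id": "123", "Attribute": [
    {"type": "sha256", "value": "a" * 64},
    {"type": "url", "value": "http://example.invalid/sample"},
    {"type": "comment", "value": "not an indicator"},
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"}]}}
FAKE_RESPONSES = {                                      # keyed by indicator value
    "a" * 64: {"last_analysis_stats": {}},              # no verdicts -> recorded error
    "http://example.invalid/sample": {"last_analysis_stats": {"malicious": 45, "undetected": 25}},
    "d41d8cd98f00b204e9800998ecf8427e": {"last_analysis_stats": {"malicious": 0, "harmless": 60}}}

def fake_lookup(_type: str, value: str) -> dict:
    return FAKE_RESPONSES[value]
```

Running enrich(SAMPLE_EVENT, "virustotal", fake_lookup) processes 3 indicators, enriches 2, records one error for the hash with no verdicts, and exit_code() then returns 1; swapping fake_lookup for a real client call is the only change needed for a live run.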

Test Cases

  • Given an event with 3 file hashes, when enriched with VirusTotal data, then all 3 hashes should have associated enrichment records with detection ratios. @test

  • Given an event with 2 URLs, when enriched with VirusTotal data, then both URLs should have enrichment records containing reputation scores. @test

  • Given an invalid event ID, when attempting enrichment, then the tool should print an error message and exit with non-zero status. @test

Implementation

@generates

API

"""
IOC Enrichment Tool

Command-line interface:
    python enrich_iocs.py <event_id> <service_name> <api_key>

Example:
    python enrich_iocs.py 123 virustotal YOUR_VT_API_KEY
"""

Dependencies { .dependencies }

pymisp { .dependency }

Python library for interacting with MISP threat intelligence platform.