'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
tessl/pypi-pymisp
tessl install tessl/pypi-pymisp@2.5.0Python API for MISP threat intelligence platform enabling programmatic access to MISP instances.
Agent Success
Agent success rate when using this tile
96%
Improvement
Agent success rate improvement when using this tile compared to baseline
1.25x
Baseline
Agent success rate without this tile
77%
task.mdevals/scenario-7/
Threat Intelligence Analysis Enhancement System
Build a system that enriches threat intelligence events with analytical context and implements indicator decay tracking.
Context
Security analysts need to collaborate on threat intelligence events by adding their analysis notes, confidence ratings, and observations. Additionally, indicators of compromise (IOCs) lose relevance over time, so implementing decay scoring helps prioritize fresher intelligence.
Requirements
Your system must implement the following capabilities:
-
Add Analyst Notes
- Accept an event identifier and note text
- Attach the note to the specified event
- Each note should be stored as analyst data
-
Record Analyst Opinions
- Accept an event identifier and a confidence rating (0-100 scale)
- Attach the opinion to the specified event
- Higher ratings indicate higher confidence in the threat intelligence
-
Attach Narrative Reports
- Accept an event identifier and report content
- Create a structured report associated with the event
- Reports should contain the narrative text describing the threat analysis
-
Query with Decay Scoring
- Search for attributes with decay scores included
- Filter results to show only non-decayed indicators
- Return the decay score alongside each attribute
Implementation Notes
- All operations require a connection to a threat intelligence platform instance
- Event identifiers are integer IDs
- Notes and report content are plain text strings
- Opinion ratings must be integers between 0 and 100
- Decay scoring requires model configuration on the platform side
Dependencies { .dependencies }
pymisp { .dependency }
Python library for interacting with MISP threat intelligence platform.
Test Cases
Test 1: Add analyst note to event @test
Input:
- event_id: 42
- note_text: "Confirmed C2 server still active as of analysis date"
Expected behavior:
- Note is successfully attached to event 42
- Function returns success status or created note object
Test 2: Record analyst opinion with high confidence @test
Input:
- event_id: 42
- opinion_rating: 85
Expected behavior:
- Opinion with value 85 is attached to event 42
- Function returns success status or created opinion object
Test 3: Create narrative report for event @test
Input:
- event_id: 42
- report_content: "This campaign targets financial institutions using phishing emails with malicious attachments. The threat actor demonstrates intermediate capabilities."
Expected behavior:
- Report is created and associated with event 42
- Function returns success status or created report object
Test 4: Search attributes with decay scoring @test
Input:
- Search parameters indicating decay scores should be included
- Filter for attributes that have not decayed
Expected behavior:
- Results include decay score information for each attribute
- Only non-decayed attributes are returned
- Each result shows the decay score value