Package Documentation
Storm Package: synapse-misp
The following Commands are available from this package. This documentation is generated for version 3.8.0 of the package.
Storm Commands
This package implements the following Storm Commands.
misp.event.add
Add Synapse nodes to a MISP server.
Note: This command may be slow due to the many roundtrip API calls to the MISP server.
The ``--name`` option defaults to "<view name> YYYY-MM-DD". If the current view does not have a name, it will
fall back to the view iden.
The ``--typemap`` option takes a dict that can override the default values in the built-in typemap. Note
that users cannot specify new forms/props using this option. The ``--print-typemap`` option will print the entire
built-in typemap. Users can override single values or the entire map. For reference, object and attribute types
and valid attribute categories can be found at https://www.misp-project.org/datamodels/#misp-objects. Note that it
may not be possible to change the MISP type on some forms due to the way the form is repr()'d. For example,
``inet:client`` and ``inet:server`` are both exported as "url" types because the repr() value is a URI format.
The ``--distribution`` option takes an integer argument with a value from 0 to 4. These values have the following
meaning within MISP:
- 0: Your organization only.
- 1: This community only.
- 2: Connected communities.
- 3: All communities.
- 4: Sharing group.
The ``--include-tags`` option can be used to specify which tags to export to the MISP server. By default, no tags
are exported. To export all tags, specify ``--include-tags **``. Only leaf tags are exported (not the parent tags
in the hierarchy). The argument to ``--include-tags`` may be a glob as a string or a list of globs.
Examples:
// Add nodes tagged with #cno.threat.redtree to a new event on the MISP server named "myserver".
#cno.threat.redtree | misp.event.add myserver
// Add nodes tagged with #cno.threat.redtree to event ID 12345 on the MISP server named "myserver".
#cno.threat.redtree | misp.event.add myserver --eventid 12345
// Override the default typemap for inet:ipv4 forms to use the "ip-dst" attribute type and the "Network
// activity" category.
#cno.threat.redtree | misp.event.add myserver --typemap ({'inet:ipv4': [['attribute', 'ip-dst'], 'Network activity']})
// Add nodes tagged with #cno.threat.redtree, export any cno.threat tags, and name the new event "RedTree 20240105".
#cno.threat.redtree | misp.event.add myserver --name "RedTree 20240105" --include-tags cno.threat.**
Usage: misp.event.add [options] <server>
Options:
--help : Display the command usage.
--print-typemap : Print the default typemap.
--debug : Run the command with more verbose/debug output.
--ssl-noverify : Disable SSL verification of the MISP server (INSECURE!).
--eventid <eventid> : The MISP event ID number or UUID. (default: None)
--name <name> : Specify the MISP event name when creating a new event. (default: None)
--typemap <typemap> : Specify a mapping of Synapse forms to MISP event types. (default: None)
--set-ids-flag : Set the IDS flag on the attributes when adding them to the event.
--distribution <distribution>: Set the distribution value for the event. (default: 0, choices: 0, 1, 2, 3, 4)
--sharing-group-id <sharing_group_id>: Specify the sharing group ID for this event to be shared with. (default: None)
--threat-level-id <threat_level_id>: Specify the threat level ID for this event. (default: 4, choices: 1, 2, 3, 4)
--include-tags <include_tags>: Only include the specified tags when exporting. (default: None)
Arguments:
[server] : The MISP server name to sync the event to. Use misp.setup.server.list to list server names.
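The following Storm query is an added example, not taken from the package documentation, that combines the documented ``misp.event.add`` options in one export run. The server name "myserver", the tag ``#cno.threat.redtree``, the sharing group ID 7 and the event name are constructed placeholders; adjust them to your own deployment.

```storm
// Step 1: print the built-in typemap so you can see which Synapse forms map
// to which MISP attribute/object types before overriding any entry.
misp.event.add myserver --print-typemap

// Step 2: export the tagged nodes to a new event. Distribution 4 ("Sharing
// group") is paired with --sharing-group-id so MISP knows which group may see
// the event; --set-ids-flag marks the attributes for IDS use; threat level 2;
// only leaf tags under cno.threat are exported; inet:ipv4 nodes are written
// as "ip-dst" attributes in the "Network activity" category.
// (server name, tag, group ID and event name are constructed placeholders)
#cno.threat.redtree | misp.event.add myserver
    --name "RedTree 20240105"
    --distribution 4 --sharing-group-id 7
    --threat-level-id 2
    --set-ids-flag
    --include-tags cno.threat.**
    --typemap ({'inet:ipv4': [['attribute', 'ip-dst'], 'Network activity']})
```

Keep ``--distribution`` at the default of 0 (your organization only) when you are unsure of the audience; widening distribution later is easier than recalling an event that has already been shared to connected communities.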
misp.feed.sync
Sync events from a published MISP feed.
Only the "misp" MISP feed format is supported by this command. This format
is generally a directory on a web server with many .json files and a
manifest.json file.
This command creates a ``meta:source`` node with the URL of the feed and
creates ``seen`` edges to all the nodes created from ingesting the feed.
Examples:
// Sync all the events published at the Malware Bazaar MISP feed
misp.feed.sync https://bazaar.abuse.ch/downloads/misp/
// Sync all the events published at the CIRCL OSINT Feed since the last sync
$url="https://www.circl.lu/doc/misp/feed-osint/" inet:url:base^=$url -> meta:source ($min, $max)=.seen | misp.feed.sync $url --since $max
Usage: misp.feed.sync [options] <url>
Options:
--help : Display the command usage.
--debug : Run the command with more verbose/debug output.
--resync : Reload the entire feed contents from the beginning or from the --since time.
--save-raw : Save the potentially LARGE raw MISP event JSON to the node data key misp:event.
--since <since> : Only process events newer than this time. (default: None)
--ssl-noverify : Disable SSL verification of the MISP feed (INSECURE!).
Arguments:
<url> : The URL to the MISP feed.
misp.setup.server.add
Add a MISP server configuration.
Note:
Adding a configuration to the global default server list using
``--global`` requires the ``power-ups.misp.admin`` permission.
Examples:
// Add a server configuration
misp.setup.server.add fooserver https://foo.com fookey
// Add a server configuration to the global default server list
misp.setup.server.add fooserver https://foo.com fookey --global
Usage: misp.setup.server.add [options] <name> <url> <apikey>
Options:
--help : Display the command usage.
--global : Add this server to the list of default MISP servers. Requires the power-ups.misp.admin permission.
--ssl-noverify : Disable SSL verification of the MISP server (INSECURE!).
Arguments:
<name> : A unique name for the MISP server configuration.
<url> : The MISP URL string.
<apikey> : The MISP API key string.
misp.setup.server.del
Delete a MISP server configuration.
Examples:
// Delete the "fooserver" configuration
misp.setup.server.del fooserver
Usage: misp.setup.server.del [options] <name>
Options:
--help : Display the command usage.
Arguments:
<name> : The name of the MISP server configuration.
misp.setup.server.list
Display the list of MISP server configurations you have access to.
Examples:
// List server configurations the current user has access to
misp.setup.server.list
Usage: misp.setup.server.list [options]
Options:
--help : Display the command usage.
misp.setup.server.rename
Rename a MISP server configuration.
Examples:
// Change the name of the "fooserver" server configuration to "barserver"
misp.setup.server.rename fooserver barserver
Usage: misp.setup.server.rename [options] <name> <newname>
Options:
--help : Display the command usage.
Arguments:
<name> : The name of the MISP server configuration.
<newname> : A new name for the MISP server configuration.
misp.setup.server.setglobal
Set whether the MISP server should be included in the default list of servers to sync.
Examples:
// Include "fooserver" in the default list of servers to sync
misp.setup.server.setglobal fooserver $lib.true
Usage: misp.setup.server.setglobal [options] <name> <global>
Options:
--help : Display the command usage.
Arguments:
<name> : The name of the MISP server configuration to modify.
<global> : True to include the MISP server in the default list of servers, False to exclude it.
misp.setup.server.setperm
Set the permission level for a user or role on a MISP server configuration.
Examples:
// Set the permission level for user "myuser" to "admin" on the "fooserver"
// configuration
misp.setup.server.setperm fooserver users myuser $lib.auth.easyperm.level.admin
// Set the permission level for the "all" role to "deny" on the
// "fooserver" configuration
misp.setup.server.setperm fooserver roles all $lib.auth.easyperm.level.deny
Usage: misp.setup.server.setperm [options] <server> <scope> <name> <level>
Options:
--help : Display the command usage.
Arguments:
<server> : The name of the MISP server configuration to modify permissions on.
<scope> : The scope for the permission, either "users" or "roles".
<name> : The user/role name depending on scope.
<level> : The permission level number, or None to remove the permission.
misp.setup.server.update
Update the configuration of a defined MISP server.
Examples:
// Set the permission level for user "myuser" to "admin" on the "fooserver"
// configuration
misp.setup.server.update fooserver --perm users myuser $lib.auth.easyperm.level.admin
// Set the permission level for the "all" role to "deny" on the
// "fooserver" configuration
misp.setup.server.update fooserver --perm roles all $lib.auth.easyperm.level.deny
// Include "fooserver" in the default list of servers to sync
misp.setup.server.update fooserver --global $lib.true
// Do not verify the SSL certificate when connecting to "fooserver"
misp.setup.server.update fooserver --ssl-verify $lib.false
// Change the name of the "fooserver" server configuration to "barserver"
misp.setup.server.update fooserver --name barserver
Usage: misp.setup.server.update [options] <server>
Options:
--help : Display the command usage.
--perm <perm> : Set the permission level for a user or role on this MISP server configuration.
Arguments to this option are ``scope``, ``name``, ``level``:
<scope>: The scope for the permission, either "users" or "roles".
<name>: The user/role name depending on scope.
<level>: The permission level number, or None to remove the permission.
(default: None)
--global <global> : Set whether the MISP server should be included in the default list of servers to sync.
(default: None)
--ssl-verify <ssl_verify> : Set whether to verify the SSL certificate of the MISP server. (default: None)
--name <name> : Rename the MISP server configuration. (default: None)
Arguments:
<server> : The name of the MISP server configuration to modify.
misp.sync
Sync events from MISP servers.
By default, this will sync events from all of the configured global servers
which the user has read permissions for.
Organization names in --include-reporters and --exclude-reporters are case-sensitive.
Only one of these arguments may be specified, and if a string is provided it is
treated as a single organization name.
Examples:
// Sync events published in the last two days from all configured global servers
misp.sync --last 2d
// Include events only published by CIRCL and CUDESO
misp.sync --last 2d --include-reporters (CIRCL, CUDESO)
// Exclude events published by CIRCL and CUDESO
misp.sync --last 2d --exclude-reporters (CIRCL, CUDESO)
// Include events only published by CIRCL
misp.sync --last 2d --include-reporters CIRCL
Usage: misp.sync [options]
Options:
--help : Display the command usage.
--last <last> : Load events published in the last time period (MISP last syntax). (default: 24h)
--debug : Run the command with more verbose/debug output.
--resync : Reload the entire server contents from the beginning.
--ssl-noverify : Disable SSL verification of the MISP server (INSECURE!).
--save-raw : Save the potentially LARGE raw MISP event JSON to the node data key misp:event.
--servers [<servers> ...] : Specify MISP servers to sync events from.
--include-reporters <include_reporters>: Load events only published by a single organization (as a string) or multiple (as a list).
--exclude-reporters <exclude_reporters>: Load events not published by a single organization (as a string) or multiple (as a list).
misp.sync.byid
Sync specified event by ID from the configured MISP server.
Examples:
misp.sync.byid 12345
misp.sync.byid c99506a6-1255-4b71-afa5-7b8ba48c3b1b
Usage: misp.sync.byid [options] <eventid>
Options:
--help : Display the command usage.
--debug : Run the command with more verbose/debug output.
--ssl-noverify : Disable SSL verification of the MISP server (INSECURE!).
--save-raw : Save the potentially LARGE raw MISP event JSON to the node data key misp:event.
--server <server> : Specify MISP server to sync the event from.
Arguments:
<eventid> : The MISP event ID number or UUID.
Storm Modules
This package does not export any Storm APIs.