pymisp 2.5.4__py3-none-any.whl → 2.5.7__py3-none-any.whl

examples/cytomic_orion.py

@@ -0,0 +1,549 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+'''
+Koen Van Impe
+
+Cytomic Automation
+Put this script in crontab to run every /15 or /60
+    */15 *    * * *   mispuser   /usr/bin/python3 /home/mispuser/PyMISP/examples/cytomic_orion.py
+
+
+Fetches the configuration set in the Cytomic Orion enrichment module
+- events : upload events tagged with the 'upload' tag, all the attributes supported by Cytomic Orion
+- upload : upload attributes flagged with the 'upload' tag (only attributes supported by Cytomic Orion)
+- delete : delete attributes flagged with the 'upload' tag (only attributes supported by Cytomic Orion)
+
+'''
+
+from pymisp import ExpandedPyMISP
+from keys import misp_url, misp_key, misp_verifycert
+import argparse
+import os
+import re
+import sys
+import requests
+import json
+import urllib3
+
+
+def get_token(token_url, clientid, clientsecret, scope, grant_type, username, password):
+    '''
+    Get oAuth2 token
+    Configuration settings are fetched first from the MISP module configu
+    '''
+
+    try:
+        if scope and grant_type and username and password:
+            data = {'scope': scope, 'grant_type': grant_type, 'username': username, 'password': password}
+
+            if token_url and clientid and clientsecret:
+                access_token_response = requests.post(token_url, data=data, verify=False, allow_redirects=False, auth=(clientid, clientsecret))
+                tokens = json.loads(access_token_response.text)
+                if 'access_token' in tokens:
+                    access_token = tokens['access_token']
+                    return access_token
+                else:
+                    sys.exit('No token received')
+            else:
+                sys.exit('No token_url, clientid or clientsecret supplied')
+        else:
+            sys.exit('No scope, grant_type, username or password supplied')
+    except Exception:
+        sys.exit('Unable to connect to token_url')
+
+
+def get_config(url, key, misp_verifycert):
+    '''
+    Get the module config and the settings needed to access the API
+    Also contains the settings to do the query
+    '''
+    try:
+        misp_headers = {'Content-Type': 'application/json', 'Accept': 'application/json', 'Authorization': key}
+        req = requests.get(url + 'servers/serverSettings.json', verify=misp_verifycert, headers=misp_headers)
+        if req.status_code == 200:
+            req_json = req.json()
+            if 'finalSettings' in req_json:
+                finalSettings = req_json['finalSettings']
+
+                clientid = clientsecret = scope = username = password = grant_type = api_url = token_url = ''
+                module_enabled = False
+                scope = 'orion.api'
+                grant_type = 'password'
+                limit_upload_events = 50
+                limit_upload_attributes = 50
+                ttlDays = "1"
+                last_attributes = '5d'
+                post_threat_level_id = 2
+                for el in finalSettings:
+                    # Is the module enabled?
+                    if el['setting'] == 'Plugin.Enrichment_cytomic_orion_enabled':
+                        module_enabled = el['value']
+                        if module_enabled is False:
+                            break
+                    elif el['setting'] == 'Plugin.Enrichment_cytomic_orion_clientid':
+                        clientid = el['value']
+                    elif el['setting'] == 'Plugin.Enrichment_cytomic_orion_clientsecret':
+                        clientsecret = el['value']
+                    elif el['setting'] == 'Plugin.Enrichment_cytomic_orion_username':
+                        username = el['value']
+                    elif el['setting'] == 'Plugin.Enrichment_cytomic_orion_password':
+                        password = el['value']
+                    elif el['setting'] == 'Plugin.Enrichment_cytomic_orion_api_url':
+                        api_url = el['value'].replace('\\/', '/')
+                    elif el['setting'] == 'Plugin.Enrichment_cytomic_orion_token_url':
+                        token_url = el['value'].replace('\\/', '/')
+                    elif el['setting'] == 'MISP.baseurl':
+                        misp_baseurl = el['value']
+                    elif el['setting'] == 'Plugin.Enrichment_cytomic_orion_upload_threat_level_id':
+                        if el['value']:
+                            try:
+                                post_threat_level_id = int(el['value'])
+                            except:
+                                continue
+                    elif el['setting'] == 'Plugin.Enrichment_cytomic_orion_upload_ttlDays':
+                        if el['value']:
+                            try:
+                                ttlDays = "{last_days}".format(last_days=int(el['value']))
+                            except:
+                                continue
+                    elif el['setting'] == 'Plugin.Enrichment_cytomic_orion_upload_timeframe':
+                        if el['value']:
+                            try:
+                                last_attributes = "{last_days}d".format(last_days=int(el['value']))
+                            except:
+                                continue
+                    elif el['setting'] == 'Plugin.Enrichment_cytomic_orion_upload_tag':
+                        upload_tag = el['value']
+                    elif el['setting'] == 'Plugin.Enrichment_cytomic_orion_delete_tag':
+                        delete_tag = el['value']
+                    elif el['setting'] == 'Plugin.Enrichment_limit_upload_events':
+                        if el['value']:
+                            try:
+                                limit_upload_events = "{limit_upload_events}".format(limit_upload_events=int(el['value']))
+                            except:
+                                continue
+                    elif el['setting'] == 'Plugin.Enrichment_limit_upload_attributes':
+                        if el['value']:
+                            try:
+                                limit_upload_attributes = "{limit_upload_attributes}".format(limit_upload_attributes=int(el['value']))
+                            except:
+                                continue
+        else:
+            sys.exit('Did not receive a 200 code from MISP')
+
+        if module_enabled and api_url and token_url and clientid and clientsecret and username and password and grant_type:
+
+            return {'cytomic_policy': 'Detect',
+                    'upload_timeframe': last_attributes,
+                    'upload_tag': upload_tag,
+                    'delete_tag': delete_tag,
+                    'upload_ttlDays': ttlDays,
+                    'post_threat_level_id': post_threat_level_id,
+                    'clientid': clientid,
+                    'clientsecret': clientsecret,
+                    'scope': scope,
+                    'username': username,
+                    'password': password,
+                    'grant_type': grant_type,
+                    'api_url': api_url,
+                    'token_url': token_url,
+                    'misp_baseurl': misp_baseurl,
+                    'limit_upload_events': limit_upload_events,
+                    'limit_upload_attributes': limit_upload_attributes}
+        else:
+            sys.exit('Did not receive all the necessary configuration information from MISP')
+
+    except Exception as e:
+        sys.exit('Unable to get module config from MISP')
+
+
+class cytomicobject:
+    misp = None
+    lst_evtid = None
+    lst_attuuid = None
+    lst_attuuid_error = None
+    endpoint_ioc = None
+    api_call_headers = None
+    post_data = None
+    args = None
+    tag = None
+    limit_events = None
+    limit_attributes = None
+    atttype_misp = None
+    atttype_cytomic = None
+    attlabel_cytomic = None
+    att_types = {
+       "ip-dst": {"ip": "ipioc"},
+       "ip-src": {"ip": "ipioc"},
+       "url": {"url": "urlioc"},
+       "md5": {"hash": "filehashioc"},
+       "domain": {"domain": "domainioc"},
+       "hostname": {"domain": "domainioc"},
+       "domain|ip": {"domain": "domainioc"},
+       "hostname|port": {"domain": "domainioc"}
+    }
+    debug = True
+    error = False
+    res = False
+    res_msg = None
+
+
+def collect_events_ids(cytomicobj, moduleconfig):
+    # Get events that contain Cytomic tag.
+    try:
+        evt_result = cytomicobj.misp.search(controller='events', limit=cytomicobj.limit_events, tags=cytomicobj.tag, last=moduleconfig['upload_timeframe'], published=True, deleted=False, pythonify=True)
+        cytomicobj.lst_evtid = ['x', 'y']
+        for evt in evt_result:
+            evt = cytomicobj.misp.get_event(event=evt['id'], pythonify=True)
+            if len(evt.tags) > 0:
+                for tg in evt.tags:
+                    if tg.name == cytomicobj.tag:
+                        if not cytomicobj.lst_evtid:
+                            cytomicobj.lst_evtid = str(evt['id'])
+                        else:
+                            if not evt['id'] in cytomicobj.lst_evtid:
+                                cytomicobj.lst_evtid.append(str(evt['id']))
+                        break
+        cytomicobj.lst_evtid.remove('x')
+        cytomicobj.lst_evtid.remove('y')
+    except Exception:
+        cytomicobj.error = True
+        if cytomicobj.debug:
+            sys.exit('Unable to collect events ids')
+
+
+def find_eventid(cytomicobj, evtid):
+    # Get events that contain Cytomic tag.
+    try:
+        cytomicobj.res = False
+        for id in cytomicobj.lst_evtid:
+            if id == evtid:
+                cytomicobj.res = True
+                break
+    except Exception:
+        cytomicobj.error = True
+        if cytomicobj.debug:
+            sys.exit('Unable to collect events ids')
+
+
+def print_result_events(cytomicobj):
+    try:
+        if cytomicobj.res_msg is not None:
+            for key, msg in cytomicobj.res_msg.items():
+                if msg is not None:
+                    print(key, msg)
+    except Exception:
+        cytomicobj.error = True
+        if cytomicobj.debug:
+            sys.exit('Unable to print result')
+
+
+def set_postdata(cytomicobj, moduleconfig, attribute):
+    # Set JSON to send to the API.
+    try:
+
+        if cytomicobj.args.upload or cytomicobj.args.events:
+            event = attribute['Event']
+            event_title = event['info']
+            event_id = event['id']
+            threat_level_id = int(event['threat_level_id'])
+            if moduleconfig['post_threat_level_id'] <= threat_level_id:
+
+                if cytomicobj.atttype_misp == 'domain|ip' or cytomicobj.atttype_misp == 'hostname|port':
+                    post_value = attribute['value'].split('|')[0]
+                else:
+                    post_value = attribute['value']
+
+                if cytomicobj.atttype_misp == 'url' and 'http' not in post_value:
+                    pass
+                else:
+                    if cytomicobj.post_data is None:
+                        cytomicobj.post_data = [{cytomicobj.attlabel_cytomic: post_value, 'AdditionalData': '{} {}'.format(cytomicobj.atttype_misp, attribute['comment']).strip(), 'Source': 'Uploaded from MISP', 'Policy': moduleconfig['cytomic_policy'], 'Description': '{} - {}'.format(event_id, event_title).strip()}]
+                    else:
+                        if post_value not in str(cytomicobj.post_data):
+                            cytomicobj.post_data.append({cytomicobj.attlabel_cytomic: post_value, 'AdditionalData': '{} {}'.format(cytomicobj.atttype_misp, attribute['comment']).strip(), 'Source': 'Uploaded from MISP', 'Policy': moduleconfig['cytomic_policy'], 'Description': '{} - {}'.format(event_id, event_title).strip()})
+            else:
+                if cytomicobject.debug:
+                    print('Event %s skipped because of lower threat level' % event_id)
+        else:
+            event = attribute['Event']
+            threat_level_id = int(event['threat_level_id'])
+            if moduleconfig['post_threat_level_id'] <= threat_level_id:
+                if cytomicobj.atttype_misp == 'domain|ip' or cytomicobj.atttype_misp == 'hostname|port':
+                    post_value = attribute['value'].split('|')[0]
+                else:
+                    post_value = attribute['value']
+
+                if cytomicobj.atttype_misp == 'url' and 'http' not in post_value:
+                    pass
+                else:
+                    if cytomicobj.post_data is None:
+                        cytomicobj.post_data = [{cytomicobj.attlabel_cytomic: post_value}]
+                    else:
+                        cytomicobj.post_data.append({cytomicobj.attlabel_cytomic: post_value})
+            else:
+                if cytomicobject.debug:
+                    print('Event %s skipped because of lower threat level' % event_id)
+    except Exception:
+        cytomicobj.error = True
+        if cytomicobj.debug:
+            sys.exit('Unable to process post-data')
+
+
+def send_postdata(cytomicobj, evtid=None):
+    # Batch post to upload event attributes.
+    try:
+        if cytomicobj.post_data is not None:
+            if cytomicobj.debug:
+                print('POST: {} {}'.format(cytomicobj.endpoint_ioc, cytomicobj.post_data))
+            result_post_endpoint_ioc = requests.post(cytomicobj.endpoint_ioc, headers=cytomicobj.api_call_headers, json=cytomicobj.post_data, verify=False)
+            json_result_post_endpoint_ioc = json.loads(result_post_endpoint_ioc.text)
+            print(result_post_endpoint_ioc)
+            if 'true' not in (result_post_endpoint_ioc.text):
+                cytomicobj.error = True
+                if evtid is not None:
+                    if cytomicobj.res_msg['Event: ' + str(evtid)] is None:
+                        cytomicobj.res_msg['Event: ' + str(evtid)] = '(Send POST data: errors uploading attributes, event NOT untagged). If the problem persists, please review the format of the value of the attributes is correct.'
+                    else:
+                        cytomicobj.res_msg['Event: ' + str(evtid)] = cytomicobj.res_msg['Event: ' + str(evtid)] + ' (Send POST data -else: errors uploading attributes, event NOT untagged). If the problem persists, please review the format of the value of the attributes is correct.'
+            if cytomicobj.debug:
+                print('RESULT: {}'.format(json_result_post_endpoint_ioc))
+        else:
+            if evtid is None:
+                cytomicobj.error = True
+    except Exception:
+        cytomicobj.error = True
+        if cytomicobj.debug:
+            sys.exit('Unable to post attributes')
+
+
+def process_attributes(cytomicobj, moduleconfig, evtid=None):
+    # Get attributes to process.
+    try:
+        for misptype, cytomictypes in cytomicobject.att_types.items():
+            cytomicobj.atttype_misp = misptype
+            for cytomiclabel, cytomictype in cytomictypes.items():
+                cytomicobj.attlabel_cytomic = cytomiclabel
+                cytomicobj.atttype_cytomic = cytomictype
+                cytomicobj.post_data = None
+                icont = 0
+                if cytomicobj.args.upload or cytomicobj.args.events:
+                    cytomicobj.endpoint_ioc = moduleconfig['api_url'] + '/iocs/' + cytomicobj.atttype_cytomic + '?ttlDays=' + str(moduleconfig['upload_ttlDays'])
+                else:
+                    cytomicobj.endpoint_ioc = moduleconfig['api_url'] + '/iocs/eraser/' + cytomicobj.atttype_cytomic
+
+                # Get attributes to upload/delete and prepare JSON
+                # If evtid is set; we're called from --events
+                if cytomicobject.debug:
+                    print("\nSearching for attributes of type %s" % cytomicobj.atttype_misp)
+
+                if evtid is None:
+                    cytomicobj.error = False
+                    attr_result = cytomicobj.misp.search(controller='attributes', last=moduleconfig['upload_timeframe'], limit=cytomicobj.limit_attributes, type_attribute=cytomicobj.atttype_misp, tag=cytomicobj.tag, published=True, deleted=False, includeProposals=False, include_context=True, to_ids=True)
+                else:
+                    if cytomicobj.error:
+                        break
+                    # We don't search with tags; we have an event for which we want to upload all events
+                    attr_result = cytomicobj.misp.search(controller='attributes', eventid=evtid, last=moduleconfig['upload_timeframe'], limit=cytomicobj.limit_attributes, type_attribute=cytomicobj.atttype_misp, published=True, deleted=False, includeProposals=False, include_context=True, to_ids=True)
+
+                cytomicobj.lst_attuuid = ['x', 'y']
+
+                if len(attr_result['Attribute']) > 0:
+                    for attribute in attr_result['Attribute']:
+                        if evtid is not None:
+                            if cytomicobj.error:
+                                cytomicobj.res_msg['Event: ' + str(evtid)] = cytomicobj.res_msg['Event: ' + str(evtid)] + ' (errors uploading attributes, event NOT untagged). If the problem persists, please review the format of the value of the attributes is correct.'
+                                break
+                        if icont >= cytomicobj.limit_attributes:
+                            if not cytomicobj.error and cytomicobj.post_data is not None:
+                                # Send data to Cytomic
+                                send_postdata(cytomicobj, evtid)
+                            if not cytomicobj.error:
+                                if 'Event: ' + str(evtid) in cytomicobj.res_msg:
+                                    if cytomicobj.res_msg['Event: ' + str(evtid)] is None:
+                                        cytomicobj.res_msg['Event: ' + str(evtid)] = cytomicobj.attlabel_cytomic + 's: ' + str(icont)
+                                    else:
+                                        cytomicobj.res_msg['Event: ' + str(evtid)] += ' | ' + cytomicobj.attlabel_cytomic + 's: ' + str(icont)
+                                else:
+                                    if cytomicobject.debug:
+                                        print('Data sent (' + cytomicobj.attlabel_cytomic + '): ' + str(icont))
+
+                                cytomicobj.post_data = None
+                            if cytomicobj.error:
+                                if evtid is not None:
+                                    cytomicobj.res_msg['Event: ' + str(evtid)] = cytomicobj.res_msg['Event: ' + str(evtid)] + ' (errors uploading attributes, event NOT untagged). If the problem persists, please review the format of the value of the attributes is correct.'
+                                break
+                            icont = 0
+
+                        if evtid is None:
+                            event = attribute['Event']
+                            event_id = event['id']
+                            find_eventid(cytomicobj, str(event_id))
+                            if not cytomicobj.res:
+                                if not cytomicobj.lst_attuuid:
+                                    cytomicobj.lst_attuuid = attribute['uuid']
+                                else:
+                                    if not attribute['uuid'] in cytomicobj.lst_attuuid:
+                                        cytomicobj.lst_attuuid.append(attribute['uuid'])
+                                icont += 1
+                                # Prepare data to send
+                                set_postdata(cytomicobj, moduleconfig, attribute)
+                        else:
+                            icont += 1
+                            # Prepare data to send
+                            set_postdata(cytomicobj, moduleconfig, attribute)
+
+                    if not cytomicobj.error:
+                        # Send data to Cytomic
+                        send_postdata(cytomicobj, evtid)
+
+                    if not cytomicobj.error and cytomicobj.post_data is not None and icont > 0:
+                        # Data sent; process response
+                        if cytomicobj.res_msg is not None and 'Event: ' + str(evtid) in cytomicobj.res_msg:
+                            if cytomicobj.res_msg['Event: ' + str(evtid)] is None:
+                                cytomicobj.res_msg['Event: ' + str(evtid)] = cytomicobj.attlabel_cytomic + 's: ' + str(icont)
+                            else:
+                                cytomicobj.res_msg['Event: ' + str(evtid)] += ' | ' + cytomicobj.attlabel_cytomic + 's: ' + str(icont)
+                        else:
+                            if cytomicobject.debug:
+                                print('Data sent (' + cytomicobj.attlabel_cytomic + '): ' + str(icont))
+
+                    if not cytomicobj.error:
+                        cytomicobj.lst_attuuid.remove('x')
+                        cytomicobj.lst_attuuid.remove('y')
+                        # Untag attributes
+                        untag_attributes(cytomicobj)
+    except Exception:
+        cytomicobj.error = True
+        if cytomicobj.debug:
+            sys.exit('Unable to get attributes')
+
+
+def untag_event(evtid):
+    # Remove tag of the event being processed.
+    try:
+        cytomicobj.records = 0
+        evt = cytomicobj.misp.get_event(event=evtid, pythonify=True)
+        if len(evt.tags) > 0:
+            for tg in evt.tags:
+                if tg.name == cytomicobj.tag:
+                    cytomicobj.misp.untag(evt['uuid'], cytomicobj.tag)
+                    cytomicobj.records += 1
+                    cytomicobj.res_msg['Event: ' + str(evtid)] = cytomicobj.res_msg['Event: ' + str(evtid)] + ' (event untagged)'
+                    break
+    except Exception:
+        cytomicobj.error = True
+        if cytomicobj.debug:
+            sys.exit('Unable to untag events')
+
+
+def process_events(cytomicobj, moduleconfig):
+    # Get events that contain Cytomic tag.
+    try:
+        collect_events_ids(cytomicobj, moduleconfig)
+        total_attributes_sent = 0
+        for evtid in cytomicobj.lst_evtid:
+            cytomicobj.error = False
+            if cytomicobj.res_msg is None:
+                cytomicobj.res_msg = {'Event: ' + str(evtid): None}
+            else:
+                cytomicobj.res_msg['Event: ' + str(evtid)] = None
+            if cytomicobject.debug:
+                print('Event id: ' + str(evtid))
+
+            # get attributes of each known type of the event / prepare data to send / send data to Cytomic
+            process_attributes(cytomicobj, moduleconfig, evtid)
+            if not cytomicobj.error:
+                untag_event(evtid)
+    except Exception:
+        cytomicobj.error = True
+        if cytomicobj.debug:
+            sys.exit('Unable to process events ids')
+
+
+def untag_attributes(cytomicobj):
+    # Remove tag of attributes sent.
+    try:
+        icont = 0
+        if len(cytomicobj.lst_attuuid) > 0:
+            for uuid in cytomicobj.lst_attuuid:
+                attr = cytomicobj.misp.get_attribute(attribute=uuid, pythonify=True)
+                if len(attr.tags) > 0:
+                    for tg in attr.tags:
+                        if tg.name == cytomicobj.tag:
+                            cytomicobj.misp.untag(uuid, cytomicobj.tag)
+                            icont += 1
+                            break
+            print('Attributes untagged (' + str(icont) + ')')
+    except Exception:
+        cytomicobj.error = True
+        if cytomicobj.debug:
+            sys.exit('Unable to untag attributes')
+
+
+def process_attributes_upload(cytomicobj, moduleconfig):
+    # get attributes of each known type / prepare data to send / send data to Cytomic
+    try:
+        collect_events_ids(cytomicobj, moduleconfig)
+        process_attributes(cytomicobj, moduleconfig)
+    except Exception:
+        cytomicobj.error = True
+        if cytomicobj.debug:
+            sys.exit('Unable to upload attributes to Cytomic')
+
+
+def process_attributes_delete(cytomicobj, moduleconfig):
+    # get attributes of each known type / prepare data to send / send data to Cytomic
+    try:
+        collect_events_ids(cytomicobj, moduleconfig)
+        process_attributes(cytomicobj, moduleconfig)
+    except Exception:
+        cytomicobj.error = True
+        if cytomicobj.debug:
+            sys.exit('Unable to delete attributes in Cytomic')
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Upload or delete indicators to Cytomic API')
+    group = parser.add_mutually_exclusive_group()
+    group.add_argument('--events', action='store_true', help='Upload events indicators')
+    group.add_argument('--upload', action='store_true', help='Upload indicators')
+    group.add_argument('--delete', action='store_true', help='Delete indicators')
+    args = parser.parse_args()
+    if not args.upload and not args.delete and not args.events:
+        sys.exit("No valid action for the API")
+
+    if misp_verifycert is False:
+        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+    module_config = get_config(misp_url, misp_key, misp_verifycert)
+    cytomicobj = cytomicobject
+    misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert, debug=cytomicobject.debug)
+
+    cytomicobj.misp = misp
+    cytomicobj.args = args
+
+    access_token = get_token(module_config['token_url'], module_config['clientid'], module_config['clientsecret'], module_config['scope'], module_config['grant_type'], module_config['username'], module_config['password'])
+    cytomicobj.api_call_headers = {'Authorization': 'Bearer ' + access_token}
+    if cytomicobj.debug:
+        print('Received access token')
+
+    if cytomicobj.args.events:
+        cytomicobj.tag = module_config['upload_tag']
+        cytomicobj.limit_events = module_config['limit_upload_events']
+        cytomicobj.limit_attributes = module_config['limit_upload_attributes']
+        process_events(cytomicobj, module_config)
+        print_result_events(cytomicobj)
+
+    elif cytomicobj.args.upload:
+        cytomicobj.tag = module_config['upload_tag']
+        cytomicobj.limit_events = 0
+        cytomicobj.limit_attributes = module_config['limit_upload_attributes']
+        process_attributes_upload(cytomicobj, module_config)
+
+    else:
+        cytomicobj.tag = module_config['delete_tag']
+        cytomicobj.limit_events = 0
+        cytomicobj.limit_attributes = module_config['limit_upload_attributes']
+        process_attributes_delete(cytomicobj, module_config)

examples/del.py

@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from pymisp import ExpandedPyMISP
+from keys import misp_url, misp_key, misp_verifycert
+import argparse
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Delete an event from a MISP instance.')
+    parser.add_argument("-e", "--event", help="Event ID to delete.")
+    parser.add_argument("-a", "--attribute", help="Attribute ID to delete.")
+
+    args = parser.parse_args()
+
+    misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
+
+    if args.event:
+        result = misp.delete_event(args.event)
+    else:
+        result = misp.delete_attribute(args.attribute)
+    print(result)

examples/delete_user.py

@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from pymisp import ExpandedPyMISP
+from keys import misp_url, misp_key, misp_verifycert
+import argparse
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Delete the user with the given id. Keep in mind that disabling users (by setting the disabled flag via an edit) is always preferred to keep user associations to events intact.')
+    parser.add_argument("-i", "--user_id", help="The id of the user you want to delete.")
+    args = parser.parse_args()
+
+    misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
+
+    print(misp.delete_user(args.user_id))

examples/edit_organisation.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from pymisp import ExpandedPyMISP, MISPOrganisation
+from keys import misp_url, misp_key, misp_verifycert
+import argparse
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Edit the email of the organisation designed by the organisation_id.')
+    parser.add_argument("-i", "--organisation_id", required=True, help="The name of the json file describing the organisation you want to modify.")
+    parser.add_argument("-e", "--email", help="Email linked to the organisation.")
+    args = parser.parse_args()
+
+    misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
+
+    org = MISPOrganisation()
+    org.id = args.organisation_id
+    org.email = args.email
+
+    print(misp.update_organisation(org, pythonify=True))

examples/edit_user.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from pymisp import ExpandedPyMISP, MISPUser
+from keys import misp_url, misp_key, misp_verifycert
+import argparse
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Edit the email of the user designed by the user_id.')
+    parser.add_argument("-i", "--user_id", required=True, help="The name of the json file describing the user you want to modify.")
+    parser.add_argument("-e", "--email", help="Email linked to the account.")
+    args = parser.parse_args()
+
+    misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
+    user = MISPUser
+    user.id = args.user_id
+    user.email = args.email
+
+    print(misp.edit_user(user, pythonify=True))