MISP playbook title

  • UUID: 42fdc8d0-eab6-4497-8a42-c051316cc211
  • State: Draft
  • Purpose: This notebook is used to demonstrate the general structure of a MISP playbook.
  • External resources: Hashlookup, CVE
  • Graphical workflow: playbook-structure-graphical-workflow.drawio.png

Playbook

  • IN:1 Initialise environment
  • SR:1 Search for MISP events
  • MP:1 Manipulate MISP events
  • EN:1 Send a report via chat
  • Result
  • External references
  • Technical details

IN:1 Initialise environment

This section initialises our environment and loads the required Python libraries.

In [1]:
import json

SR:1 Search for MISP events

In this start step we search for MISP events. Supply the list of organisations and/or tags that you are interested in. The result is then used in the next execution steps.

In [2]:
required_orgs = [ "MyCSIRT", "MySOC"]
required_tags = [ "workflow:state=\"draft\"", "PAP:GREEN"]
In [3]:
# Do Python things

MP:1 Manipulate MISP events

In this step we take the result of the MISP event search and manipulate the events. We can change the workflow state and publish the event.

In [4]:
# Switches for the manipulation step (assigned, not just annotated)
change_workflow = True
publish_event = True
In [5]:
# Do Python things
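
One way the SR:1 and MP:1 steps could be filled in, as an added example that is not part of the original playbook: the functions call PyMISP's `search`, `untag`, `tag` and `publish` methods on whatever client object is passed in. The target state `workflow:state="complete"`, the `dry_run` switch and the `FakeMISP` stand-in with its sample event are assumptions made for this example.

```python
from types import SimpleNamespace

DRAFT_TAG = 'workflow:state="draft"'
DONE_TAG = 'workflow:state="complete"'  # assumed target state for this example

def search_events(misp, orgs, tags):
    """SR:1 - ask the server for events matching the organisations and tags."""
    return misp.search(controller="events", org=orgs, tags=tags, pythonify=True)

def manipulate_events(misp, events, change_workflow, publish_event, dry_run=True):
    """MP:1 - retag and/or publish; returns one action record per event.
    With dry_run=True nothing is written, only the planned actions are listed."""
    report = []
    for ev in events:
        actions = []
        if change_workflow:
            actions.append(f"retag {DRAFT_TAG} -> {DONE_TAG}")
            if not dry_run:
                misp.untag(ev.uuid, DRAFT_TAG)
                misp.tag(ev.uuid, DONE_TAG)
        if publish_event:
            actions.append("publish")
            if not dry_run:
                misp.publish(ev.uuid)
        report.append({"uuid": ev.uuid, "info": ev.info,
                       "dry_run": dry_run, "actions": actions})
    return report

class FakeMISP:
    """Constructed stand-in for a PyMISP client: records calls, no network."""
    def __init__(self, events):
        self.events, self.calls = events, []
    def search(self, **kwargs):
        self.calls.append(("search", kwargs))
        return self.events
    def untag(self, entity, tag):
        self.calls.append(("untag", entity, tag))
    def tag(self, entity, tag):
        self.calls.append(("tag", entity, tag))
    def publish(self, entity):
        self.calls.append(("publish", entity))

def demo(dry_run):
    """Run SR:1 and MP:1 against one constructed sample event."""
    sample = SimpleNamespace(uuid="00000000-0000-4000-8000-000000000001",
                             info="Constructed sample event")
    misp = FakeMISP([sample])
    found = search_events(misp, ["MyCSIRT", "MySOC"], [DRAFT_TAG, "PAP:GREEN"])
    return manipulate_events(misp, found, True, True, dry_run), misp.calls
```

Against a real server, pass a `PyMISP(url, key, ssl=True)` client instead of `FakeMISP`, and review the dry-run report before setting `dry_run=False`, since the API key has write permissions and publishing releases the event for sharing.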

EN:1 Send a report via chat

In this end step we send the result of our actions to a chat channel.

In [6]:
# Do Python things

Result

In the closure of our playbook we print the result of our actions. This can also just be a "success" / "failure" status.

In [7]:
print("\033[92m Success\033[0m")  # green text, then reset the terminal colour
 Success

External references

  • The MISP Project

Technical details

  • Requires PyMISP
  • Requires network access to your MISP server via HTTPS (tcp/443)
  • Requires a MISP API key with write permissions