API of the month: MISP

MISP is a very well known tool in the infosec community that enables individuals and teams to work and share indicators and other case relevant information.

The MISP API comes for free with every MISP installation of the free and open source software, so if you want to try it out, go for it. There are various install guides for MISP.

Once your MISP instance is up and running, you can head over to the MISP API documentation.

Search

Among all endpoints I did use the Search endpoint the most. This endpoint can be used to search all your MISP data. You can either just pass a string and search everything, or you filter by dedicates types. The query can be as complicated as you want it to be. Be careful with just value searches, depending on your data size, the requests might take a while to complete.

Get events

Another very useful thing after your searched is then pull the events that matched your search. This can be helpful to provide more context to analysts who started the search.

PyMisp

When writing about the MISP API, it is important to mention pyMISP, the Python library to access the MISP REST API. It is maintained by the same people behind MISP, so it is kind of a reference implementation of the API and is very easy to use.

Target audience

The target audience for the MISP API is researchers, students, DFIR professionals and everyone who has a need to store and query structured data around events.

More

Want to find more Security APIs? Go and visit my repository: https://github.com/jaegeral/security-apis

API of the month: api.first.org

Description

The Forum of Incident Response and Security teams (FIRST) offers an API to a subset of their database exposing teams.

„The Teams public information (available at http://www.first.org/members/teams) is available for querying using the method/data model /teams. This is the available endpoint for this data source:“

FIRST API screenshot

Pricing

The API is free and comes at no charge.

Signing up for the

Example 1

As an example, I have a script that can be a subroutine of an abuse handling process where the input is the name of the organisation an IP belongs to (based on Whois) the script is tasked to find a suitable responsible party who can deal with abuse handling.

Example 2

Second example, the input is a country, that might be revealed by using whois data for a particular IP, triaging the source to a specific country. The lookup should return a suitable national incident response team to assist in abuse handling.

Target audience

  • Incident responders who want to automate notification or lookup of peer teams
  • abuse handlers to lookup responsible CERT / CSIRTs or national Incident Response teams