# MISP
## Overview

The MISP connector facilitates interaction with the MISP platform, enabling automated threat intelligence management and event handling.

MISP (Malware Information Sharing Platform & Threat Sharing) is a comprehensive threat intelligence platform that facilitates the sharing of structured threat information among security professionals. The MISP Turbine connector enables users to automate the ingestion, enrichment, and management of threat indicators within Swimlane Turbine. By integrating with MISP, security teams can streamline threat analysis, enhance incident response, and foster collaboration across the security community, leveraging MISP's rich dataset of indicators and events.

## Prerequisites

To effectively utilize the MISP connector with Swimlane Turbine, ensure you have the following prerequisites:

- API Key Authentication
  - URL: the base URL of your MISP instance
  - API Key: your personal access key for the MISP API

## Capabilities

The connector for MISP needs to support the following capabilities:

- Add Attribute
- Add Event
- Add Event Tag
- Add Tag to Attribute
- Delete Attribute
- Delete Event
- Edit Attribute
- Get a Filtered and Paginated List of Attributes
- Get a Filtered and Paginated List of Objects
- Get Attribute
- Get Attribute by ID
- Get Count of Attributes by Category
- Get Event by ID
- Get Events
- Get List of Attribute Types
- and so on

## Configurations

### API Key Authentication

Authenticates using an API key.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Authorization | API key | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Add Attribute

Adds a new attribute to an existing event in MISP using the provided event ID.

**Endpoint URL:** `attributes/add/{{eventId}}`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| eventId | string | required | Unique identifier |
| event_id | string | optional | Unique identifier |
| object_id | string | optional | Unique identifier |
| object_relation | string | optional | Parameter for Add Attribute |
| category | string | optional | Parameter for Add Attribute |
| type | string | optional | Type of the resource |
| value | string | optional | Value for the parameter |
| to_ids | boolean | optional | Flag marking the attribute for IDS export |
| uuid | string | optional | Unique identifier |
| timestamp | string | optional | Parameter for Add Attribute |
| distribution | string | optional | Parameter for Add Attribute |
| sharing_group_id | string | optional | Unique identifier |
| comment | string | optional | Parameter for Add Attribute |
| deleted | boolean | optional | Parameter for Add Attribute |
| disable_correlation | boolean | optional | Parameter for Add Attribute |
| first_seen | string | optional | Parameter for Add Attribute |
| last_seen | string | optional | Parameter for Add Attribute |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Add Attribute |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| Attribute | object | Output field Attribute |
| id | string | Unique identifier |
| event_id | string | Unique identifier |
| object_id | string | Unique identifier |
| object_relation | string | Output field object_relation |
| category | string | Output field category |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| to_ids | boolean | Flag marking the attribute for IDS export |
| uuid | string | Unique identifier |
| timestamp | string | Output field timestamp |
| distribution | string | Output field distribution |
| sharing_group_id | string | Unique identifier |
| comment | string | Output field comment |
| deleted | boolean | Output field deleted |
| disable_correlation | boolean | Output field disable_correlation |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |

#### Example

```json
[
  {
    "Attribute": {
      "id": "12345",
      "event_id": "12345",
      "object_id": "12345",
      "object_relation": "sensor",
      "category": "Internal reference",
      "type": "md5",
      "value": "127.0.0.1",
      "to_ids": true,
      "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
      "timestamp": "1617875568",
      "distribution": "0",
      "sharing_group_id": "1",
      "comment": "logged source ip",
      "deleted": false,
      "disable_correlation": false
    }
  }
]
```
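The following is an added example, not code from the connector or from the MISP project: it maps the API Key Authentication settings above (URL, Authorization, Verify SSL, HTTP Proxy) onto an Add Attribute call and checks the response envelope. The `MispClient` class, the injectable `transport` hook and the `fake_misp_transport` stand-in with its sample values are assumptions made for this example so it runs without a live MISP instance.

```python
import json
import ssl
import urllib.request
from typing import Callable, Optional, Tuple

# transport(method, url, headers, body) -> (status, body_bytes)
Transport = Callable[[str, str, dict, bytes], Tuple[int, bytes]]


class MispClient:
    """Hypothetical minimal client: connector configuration -> MISP REST calls."""

    def __init__(self, url: str, api_key: str, verify_ssl: bool = True,
                 http_proxy: Optional[str] = None,
                 transport: Optional[Transport] = None):
        self.base_url = url.rstrip("/")       # tolerate a trailing slash in "URL"
        self.api_key = api_key
        self.verify_ssl = verify_ssl
        self.http_proxy = http_proxy
        self.transport = transport or self._urllib_transport

    def _urllib_transport(self, method, url, headers, body):
        """Real HTTPS transport honouring the Verify SSL and HTTP Proxy settings."""
        ctx = ssl.create_default_context()
        if not self.verify_ssl:                # "Verify SSL" = false
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        handlers = [urllib.request.HTTPSHandler(context=ctx)]
        if self.http_proxy:                    # "HTTP Proxy" routes both schemes
            handlers.append(urllib.request.ProxyHandler(
                {"http": self.http_proxy, "https": self.http_proxy}))
        opener = urllib.request.build_opener(*handlers)
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with opener.open(req, timeout=30) as resp:
            return resp.status, resp.read()

    def _headers(self) -> dict:
        # MISP expects the raw API key in Authorization plus JSON Accept/Content-Type.
        return {"Authorization": self.api_key,
                "Accept": "application/json",
                "Content-Type": "application/json"}

    def add_attribute(self, event_id: str, attr_type: str, value: str,
                      to_ids: bool, category: Optional[str] = None,
                      comment: str = "") -> dict:
        """POST attributes/add/{eventId}; returns the created Attribute dict."""
        payload = {"type": attr_type, "value": value,
                   "to_ids": to_ids, "comment": comment}
        if category:
            payload["category"] = category
        url = f"{self.base_url}/attributes/add/{event_id}"
        status, raw = self.transport("POST", url, self._headers(),
                                     json.dumps(payload).encode())
        if status != 200:
            raise RuntimeError(f"MISP returned HTTP {status}: {raw[:200]!r}")
        doc = json.loads(raw)
        # Guard the envelope shape so callers never index a missing key.
        if "Attribute" not in doc:
            raise RuntimeError(f"unexpected response body: {doc}")
        return doc["Attribute"]


def fake_misp_transport(method, url, headers, body):
    """Constructed stand-in for a MISP server (sample data, not a real instance):
    rejects a wrong key like MISP does (HTTP 403) and otherwise echoes the
    posted attribute back inside the {"Attribute": {...}} envelope."""
    if headers.get("Authorization") != "EXAMPLE-KEY":
        return 403, b'{"errors": "Authentication failed."}'
    if method != "POST" or "/attributes/add/" not in url:
        return 404, b'{"errors": "not found"}'
    attr = json.loads(body)
    attr.update({"id": "12345", "event_id": url.rsplit("/", 1)[-1],
                 "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b"})
    return 200, json.dumps({"Attribute": attr}).encode()


if __name__ == "__main__":
    client = MispClient("https://misp.example/", "EXAMPLE-KEY",
                        transport=fake_misp_transport)
    created = client.add_attribute("12345", "md5",
                                   "d41d8cd98f00b204e9800998ecf8427e", to_ids=True,
                                   category="Payload delivery", comment="sample")
    print(json.dumps(created, indent=2))
```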
### Add Event

Adds a new event to the MISP platform, utilizing provided headers for authentication and configuration.

**Endpoint URL:** `/events/add`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| org_id | string | optional | Organisation ID. Length of the string must be less than or equal to 10 characters and all the characters of the string must be numbers. |
| distribution | string | optional | Distribution level ID: who will be able to see this event once it becomes published and eventually when it becomes pulled. 0: your organization only, 1: this community only, 2: connected communities, 3: all communities, 4: sharing group, 5: inherit event. |
| info | string | optional | Event info. Length of the string must be less than or equal to 1065535 characters. |
| orgc_id | string | optional | Organisation ID. Length of the string must be less than or equal to 10 characters and all the characters of the string must be numbers. |
| uuid | string | optional | UUID. Length of the string must be less than or equal to 36 characters. |
| date | string | optional | Date value |
| published | boolean | optional | Published flag |
| analysis | string | optional | Analysis level ID; represents the analysis maturity level. 0: initial, 1: ongoing, 2: complete. |
| attribute_count | string | optional | Event attribute count. All the characters of the string must be numbers. |
| timestamp | string | optional | Nullable timestamp. All the characters of the string must be numbers, or a null value. |
| sharing_group_id | string | optional | Sharing group ID. Length of the string must be less than or equal to 10 characters and all the characters of the string must be numbers, or a null value. |
| proposal_email_lock | boolean | optional | Event proposal email lock |
| locked | boolean | optional | Is locked |
| threat_level_id | string | optional | Threat level ID; represents the threat level. 1: high, 2: medium, 3: low, 4: undefined. |
| publish_timestamp | string | optional | Timestamp. All the characters of the string must be numbers. |
| sighting_timestamp | string | optional | Timestamp. All the characters of the string must be numbers. |
| disable_correlation | boolean | optional | Disable correlation flag |
| extends_uuid | string | optional | Extends UUID. Length of the string must be less than or equal to 36 characters, or a null value. |
| event_creator_email | string | optional | Email |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Add Event |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| Event | object | Output field Event |
| id | string | Unique identifier |
| org_id | string | Unique identifier |
| distribution | string | Output field distribution |
| info | string | Output field info |
| orgc_id | string | Unique identifier |
| uuid | string | Unique identifier |
| date | string | Date value |
| published | boolean | Output field published |
| analysis | string | Output field analysis |
| attribute_count | string | Count value |
| timestamp | string | Output field timestamp |
| sharing_group_id | string | Unique identifier |
| proposal_email_lock | boolean | Output field proposal_email_lock |
| locked | boolean | Output field locked |
| threat_level_id | string | Unique identifier |
| publish_timestamp | string | Output field publish_timestamp |
| sighting_timestamp | string | Output field sighting_timestamp |
| disable_correlation | boolean | Output field disable_correlation |
| extends_uuid | string | Unique identifier |
| event_creator_email | string | Output field event_creator_email |
| Feed | object | Output field Feed |
| id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "Event": {}
    }
  }
]
```

### Add Event Tag

Associates a tag with an event in MISP using the event ID, tag ID, and locality parameter.

**Endpoint URL:** `events/addTag/{{eventId}}/{{tagId}}/local:{{local}}`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| eventId | string | required | Unique identifier |
| tagId | string | required | Unique identifier |
| local | number | required | Parameter for Add Event Tag |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Add Event Tag |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| saved | boolean | Output field saved |
| success | string | Whether the operation was successful |
| check_publish | boolean | Output field check_publish |
| errors | string | Error message, if any |

#### Example

```json
[
  {
    "saved": true,
    "success": "Tag added.",
    "check_publish": true,
    "errors": "Tag could not be added."
  }
]
```

### Add Tag to Attribute

Associates a specified tag with an attribute in MISP, requiring the attribute's ID, the tag's ID, and locality.

**Endpoint URL:** `attributes/addTag/{{attributeId}}/{{tagId}}/local:{{local}}`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| attributeId | string | required | Unique identifier |
| tagId | string | required | Unique identifier |
| local | number | required | Parameter for Add Tag to Attribute |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Add Tag to Attribute |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| saved | boolean | Output field saved |
| success | string | Whether the operation was successful |
| check_publish | boolean | Output field check_publish |
| errors | string | Error message, if any |

#### Example

```json
[
  {
    "saved": true,
    "success": "Tag added.",
    "check_publish": true,
    "errors": "Tag could not be added."
  }
]
```

### Delete Attribute

Removes a specified attribute from MISP using the provided attribute ID, requiring path parameters and headers.

**Endpoint URL:** `attributes/delete/{{attributeId}}`

**Method:** DELETE

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| attributeId | string | required | Unique identifier |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Delete Attribute |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| message | string | Response message |

#### Example

```json
[
  {
    "message": "Attribute deleted."
  }
]
```

### Delete Event

Removes a specified event from MISP using the event ID provided in the path parameters, with the necessary headers.

**Endpoint URL:** `events/delete/{{eventId}}`

**Method:** DELETE

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| eventId | string | required | Unique identifier |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Delete Event |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| saved | boolean | Output field saved |
| success | boolean | Whether the operation was successful |
| name | string | Name of the resource |
| message | string | Response message |
| url | string | URL endpoint for the request |
| errors | string | Error message, if any |

#### Example

```json
[
  {
    "saved": true,
    "success": true,
    "name": "Event deleted.",
    "message": "Could not delete Event",
    "url": "/events/delete/1",
    "errors": "Event was not deleted."
  }
]
```

### Edit Attribute

Modifies an existing attribute in MISP using the specified attribute ID and the updated details provided in the request.

**Endpoint URL:** `attributes/edit/{{attributeId}}`

**Method:** PUT

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| attributeId | string | required | Unique identifier |
| id | string | optional | Unique identifier |
| event_id | string | optional | Unique identifier |
| object_id | string | optional | Unique identifier |
| object_relation | string | optional | Parameter for Edit Attribute |
| category | string | optional | Parameter for Edit Attribute |
| type | string | optional | Type of the resource |
| value | string | optional | Value for the parameter |
| to_ids | boolean | optional | Flag marking the attribute for IDS export |
| uuid | string | optional | Unique identifier |
| timestamp | string | optional | Parameter for Edit Attribute |
| distribution | string | optional | Parameter for Edit Attribute |
| sharing_group_id | string | optional | Unique identifier |
| comment | string | optional | Parameter for Edit Attribute |
| deleted | boolean | optional | Parameter for Edit Attribute |
| disable_correlation | boolean | optional | Parameter for Edit Attribute |
| first_seen | string | optional | Parameter for Edit Attribute |
| last_seen | string | optional | Parameter for Edit Attribute |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Edit Attribute |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| Attribute | object | Output field Attribute |
| id | string | Unique identifier |
| event_id | string | Unique identifier |
| object_id | string | Unique identifier |
| object_relation | string | Output field object_relation |
| category | string | Output field category |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| to_ids | boolean | Flag marking the attribute for IDS export |
| uuid | string | Unique identifier |
| timestamp | string | Output field timestamp |
| distribution | string | Output field distribution |
| sharing_group_id | string | Unique identifier |
| comment | string | Output field comment |
| deleted | boolean | Output field deleted |
| disable_correlation | boolean | Output field disable_correlation |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |

#### Example

```json
[
  {
    "Attribute": {
      "id": "12345",
      "event_id": "12345",
      "object_id": "12345",
      "object_relation": "sensor",
      "category": "Internal reference",
      "type": "md5",
      "value": "127.0.0.1",
      "to_ids": true,
      "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
      "timestamp": "1617875568",
      "distribution": "0",
      "sharing_group_id": "1",
      "comment": "logged source ip",
      "deleted": false,
      "disable_correlation": false
    }
  }
]
```

### Get a Filtered and Paginated List of Attributes

Retrieves a filtered and paginated list of attributes from MISP, including the specified request headers.

**Endpoint URL:** `attributes/restSearch`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| page | number | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| limit | number | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| value | string | optional | Value for the parameter |
| value1 | string | optional | Value for the parameter |
| value2 | string | optional | Value for the parameter |
| type | string | optional | Type of the resource |
| category | string | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| org | string | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| tags | array | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| from | string | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| to | string | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| last | number | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| eventid | string | optional | Unique identifier |
| withAttachments | boolean | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| uuid | string | optional | Unique identifier |
| publish_timestamp | string | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| published | boolean | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| timestamp | string | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| attribute_timestamp | string | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| enforceWarninglist | boolean | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| to_ids | boolean | optional | Flag marking the attribute for IDS export |
| deleted | boolean | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| event_timestamp | string | optional | Parameter for Get a Filtered and Paginated List of Attributes |
| threat_level_id | string | optional | Unique identifier |
| eventinfo | string | optional | Parameter for Get a Filtered and Paginated List of Attributes |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| Attribute | array | Output field Attribute |
| id | string | Unique identifier |
| event_id | string | Unique identifier |
| object_id | string | Unique identifier |
| object_relation | string | Output field object_relation |
| category | string | Output field category |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| to_ids | boolean | Flag marking the attribute for IDS export |
| uuid | string | Unique identifier |
| timestamp | string | Output field timestamp |
| distribution | string | Output field distribution |
| sharing_group_id | string | Unique identifier |
| comment | string | Output field comment |
| deleted | boolean | Output field deleted |
| disable_correlation | boolean | Output field disable_correlation |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |
| data | string | Response data |
| Event | object | Output field Event |
| uuid | string | Unique identifier |
| decay_score | array | Score value |
| score | number | Score value |
| base_score | number | Score value |
| decayed | boolean | Output field decayed |

#### Example

```json
[
  {
    "response": {
      "Attribute": []
    }
  }
]
```

### Get a Filtered and Paginated List of Objects

Retrieves a filtered and paginated list of objects from MISP based on the criteria specified in the headers and JSON body.

**Endpoint URL:** `/objects/restSearch`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Get a Filtered and Paginated List of Objects |
| Content-Type | string | required | Type of the resource |
| page | number | optional | Integer or null (PageSearchFilter), >= 1 |
| limit | number | optional | Integer or null (LimitSearchFilter), >= 0 |
| quickFilter | string | optional | Search events by matching any tag names, event descriptions, attribute values or attribute comments (SearchAllRestSearchFilter) |
| searchall | string | optional | Search events by matching any tag names, event descriptions, attribute values or attribute comments (SearchAllRestSearchFilter) |
| timestamp | string | optional | Timestamp; format is `^\d+$` |
| object_name | string | optional | Object name to search for; less than or equal to 131071 characters |
| object_template_uuid | string | optional | Object template UUID to search for |
| object_template_version | string | optional | Object template version to search for; format is `^\d+$` |
| eventid | string | optional | Event ID to search for; format is `^\d+$`, less than or equal to 10 characters |
| eventinfo | string | optional | Less than or equal to 65535 characters |
| ignore | boolean | optional | Default is false. If true, matches both true and false values for to_ids and published. |
| from | string | optional | Value is string or null (DateRestSearchFilter). You can use any of the valid time-related filters (examples are 7d, timestamps, `[14d, 7d]` for ranges, etc.) |
| to | string | optional | Value is string or null (DateRestSearchFilter). You can use any of the valid time-related filters (examples are 7d, timestamps, `[14d, 7d]` for ranges, etc.) |
| date | string | optional | Value is string or null (DateRestSearchFilter). You can use any of the valid time-related filters (examples are 7d, timestamps, `[14d, 7d]` for ranges, etc.) |
| tags | array | optional | Array of strings (TagRestSearchFilter) |
| last | number | optional | Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m), ISO 8601 datetime format or timestamp (LastRestSearchFilter) |
| event_timestamp | string | optional | Event timestamp; format is `^\d+$`; default is '0' |
| publish_timestamp | string | optional | Event timestamp; format is `^\d+$`; default is '0' |
| org | string | optional | Either organisation ID or organisation name. If organisation ID is used, less than or equal to 10 characters; if organisation name is used, less than or equal to 255 characters. |
| uuid | string | optional | UUID to search for |
| value | string | optional | Value to search for; less than or equal to 131071 characters (AttributeValue) |
| type | string | optional | Type to search for; less than or equal to 100 characters (AttributeType) |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response | array | Output field response |
| Object | object | Output field Object |
| id | string | Unique identifier |
| name | string | Name of the resource |
| meta_category | string | Output field meta_category |
| description | string | Output field description |
| template_uuid | string | Unique identifier |
| template_version | string | Output field template_version |
| event_id | string | Unique identifier |
| uuid | string | Unique identifier |
| timestamp | string | Output field timestamp |
| distribution | string | Output field distribution |
| sharing_group_id | string | Unique identifier |
| comment | string | Output field comment |
| deleted | boolean | Output field deleted |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |
| Attribute | array | Output field Attribute |
| id | string | Unique identifier |
| event_id | string | Unique identifier |
| object_id | string | Unique identifier |
| object_relation | string | Output field object_relation |
| category | string | Output field category |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "response": []
    }
  }
]
```

### Get Attribute

Fetches a specific attribute from MISP for threat analysis and intelligence, using the provided headers.

**Endpoint URL:** `attributes`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Get Attribute |
| Content-Type | string | required | Type of the resource |

#### Example

```json
[
  [
    {
      "id": "12345",
      "event_id": "12345",
      "object_id": "12345",
      "object_relation": "sensor",
      "category": "Internal reference",
      "type": "md5",
      "value": "127.0.0.1",
      "to_ids": true,
      "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
      "timestamp": "1617875568",
      "distribution": "0",
      "sharing_group_id": "1",
      "comment": "logged source ip",
      "deleted": false,
      "disable_correlation": false
    }
  ]
]
```

### Get Attribute by ID

Retrieves details for a specific attribute in MISP by providing the unique attribute ID.

**Endpoint URL:** `attributes/view/{{attributeId}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| attributeId | string | required | Unique identifier |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Get Attribute by ID |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| Attribute | object | Output field Attribute |
| id | string | Unique identifier |
| event_id | string | Unique identifier |
| object_id | string | Unique identifier |
| object_relation | string | Output field object_relation |
| category | string | Output field category |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| to_ids | boolean | Flag marking the attribute for IDS export |
| uuid | string | Unique identifier |
| timestamp | string | Output field timestamp |
| distribution | string | Output field distribution |
| sharing_group_id | string | Unique identifier |
| comment | string | Output field comment |
| deleted | boolean | Output field deleted |
| disable_correlation | boolean | Output field disable_correlation |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |

#### Example

```json
[
  {
    "Attribute": {
      "id": "12345",
      "event_id": "12345",
      "object_id": "12345",
      "object_relation": "sensor",
      "category": "Internal reference",
      "type": "md5",
      "value": "127.0.0.1",
      "to_ids": true,
      "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
      "timestamp": "1617875568",
      "distribution": "0",
      "sharing_group_id": "1",
      "comment": "logged source ip",
      "deleted": false,
      "disable_correlation": false
    }
  }
]
```

### Get Count of Attributes by Category

Retrieves the count of MISP attributes by category, using context and percentage as path parameters.

**Endpoint URL:** `attributes/attributeStatistics/{{context}}/{{percentage}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| context | string | required | Parameter for Get Count of Attributes by Category |
| percentage | number | required | Parameter for Get Count of Attributes by Category |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Get Count of Attributes by Category |
| Content-Type | string | required | Type of the resource |

#### Example

```json
[
  [
    {
      "Antivirus detection": "10"
    },
    {
      "Artifacts dropped": "20"
    }
  ]
]
```

### Get Event by ID

Retrieves detailed information for a specific event in MISP by providing the unique event ID.

**Endpoint URL:** `events/view/{{eventId}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| eventId | string | required | Unique identifier |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Get Event by ID |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| Event | object | Output field Event |
| id | string | Unique identifier |
| org_id | string | Unique identifier |
| distribution | string | Output field distribution |
| info | string | Output field info |
| orgc_id | string | Unique identifier |
| uuid | string | Unique identifier |
| date | string | Date value |
| published | boolean | Output field published |
| analysis | string | Output field analysis |
| attribute_count | string | Count value |
| timestamp | string | Output field timestamp |
| sharing_group_id | string | Unique identifier |
| proposal_email_lock | boolean | Output field proposal_email_lock |
| locked | boolean | Output field locked |
| threat_level_id | string | Unique identifier |
| publish_timestamp | string | Output field publish_timestamp |
| sighting_timestamp | string | Output field sighting_timestamp |
| disable_correlation | boolean | Output field disable_correlation |
| extends_uuid | string | Unique identifier |
| event_creator_email | string | Output field event_creator_email |
| Feed | object | Output field Feed |
| id | string | Unique identifier |
| name | string | Name of the resource |
| provider | string | Unique identifier |

#### Example

```json
[
  {
    "Event": {
      "id": "12345",
      "org_id": "12345",
      "distribution": "0",
      "info": "logged source ip",
      "orgc_id": "12345",
      "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
      "date": "1991-01-15",
      "published": false,
      "analysis": "0",
      "attribute_count": "321",
      "timestamp": "1617875568",
      "sharing_group_id": "1",
      "proposal_email_lock": true,
      "locked": true,
      "threat_level_id": "1"
    }
  }
]
```

### Get Events

Retrieves a list of threat intelligence events from MISP using the specified headers, for an informed security overview.

**Endpoint URL:** `events`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Get Events |
| Content-Type | string | required | Type of the resource |

#### Example

```json
[
  [
    {
      "id": "12345",
      "org_id": "12345",
      "distribution": "0",
      "info": "logged source ip",
      "orgc_id": "12345",
      "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
      "date": "1991-01-15",
      "published": false,
      "analysis": "0",
      "attribute_count": "321",
      "timestamp": "1617875568",
      "sharing_group_id": "1",
      "proposal_email_lock": true,
      "locked": true,
      "threat_level_id": "1"
    }
  ]
]
```

### Get List of Attribute Types

Retrieves a list of available attribute types from MISP; authentication headers are required.

**Endpoint URL:** `attributes/describeTypes`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Get List of Attribute Types |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| sane_defaults | object | Output field sane_defaults |
| md5 | object | Output field md5 |
| default_category | string | Output field default_category |
| to_ids | number | Default IDS-export flag for the type |
| pdb | object | Output field pdb |
| default_category | string | Output field default_category |
| to_ids | number | Default IDS-export flag for the type |
| types | array | Type of the resource |
| categories | array | Output field categories |
| category_type_mappings | object | Type of the resource |
| Internal reference | array | Output field Internal reference |
| Antivirus detection | array | Output field Antivirus detection |

#### Example

```json
[
  {
    "sane_defaults": {
      "md5": {},
      "pdb": {}
    },
    "types": [
      "md5"
    ],
    "categories": [
      "Internal reference"
    ],
    "category_type_mappings": {
      "Internal reference": [],
      "Antivirus detection": []
    }
  }
]
```

### Publish Event

Publishes a specified event in MISP using the provided eventId, requiring headers and path parameters.

**Endpoint URL:** `events/publish/{{eventId}}`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| eventId | string | required | Unique identifier |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Publish Event |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| name | string | Name of the resource |
| message | string | Response message |
| url | string | URL endpoint for the request |
| id | string | Unique identifier |

#### Example

```json
[
  {
    "name": "Publish",
    "message": "Job queued",
    "url": "https://misp.local/events/alert/1",
    "id": "string"
  }
]
```

### Remove Event Tag

Removes a specified tag from an event in MISP using the provided event and tag IDs, requiring headers and path parameters.

**Endpoint URL:** `events/removeTag/{{eventId}}/{{tagId}}`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| eventId | string | required | Unique identifier |
| tagId | string | required | Unique identifier |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Remove Event Tag |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| saved | boolean | Output field saved |
| success | string | Whether the operation was successful |
| check_publish | boolean | Output field check_publish |
| errors | string | Error message, if any |

#### Example

```json
[
  {
    "saved": true,
    "success": "Tag removed.",
    "check_publish": true,
    "errors": "Tag could not be added."
  }
]
```

### Remove Tag from Attribute

Removes a specified tag from an attribute in MISP by utilizing the provided attributeId and tagId.

**Endpoint URL:** `attributes/removeTag/{{attributeId}}/{{tagId}}`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| attributeId | string | required | Unique identifier |
| tagId | string | required | Unique identifier |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Remove Tag from Attribute |
| Content-Type | string | required | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| saved | boolean | Output field saved |
| success | string | Whether the operation was successful |
| check_publish | boolean | Output field check_publish |
| errors | string | Error message, if any |

#### Example

```json
[
  {
    "saved": true,
    "success": "Tag removed.",
    "check_publish": true,
    "errors": "Tag could not be added."
  }
]
```

### Search Events

Performs a search for events in MISP using the specified headers, to quickly locate relevant event data.

**Endpoint URL:** `events/index`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| page | number | optional | Parameter for Search Events |
| limit | number | optional | Parameter for Search Events |
| sort | string | optional | Parameter for Search Events |
| direction | string | optional | Parameter for Search Events |
| minimal | boolean | optional | Parameter for Search Events |
| attribute | string | optional | Parameter for Search Events |
| eventid | string | optional | Unique identifier |
| datefrom | string | optional | Parameter for Search Events |
| dateuntil | string | optional | Parameter for Search Events |
| org | string | optional | Parameter for Search Events |
| eventinfo | string | optional | Parameter for Search Events |
| tag | string | optional | Parameter for Search Events |
| tags | array | optional | Parameter for Search Events |
| distribution | string | optional | Parameter for Search Events |
| sharinggroup | string | optional | Parameter for Search Events |
| analysis | string | optional | Parameter for Search Events |
| threatlevel | string | optional | Parameter for Search Events |
| email | string | optional | Parameter for Search Events |
| hasproposal | string | optional | Parameter for Search Events |
| timestamp | string | optional | Parameter for Search Events |
| publish_timestamp | string | optional | Parameter for Search Events |
| searchDatefrom | string | optional | Parameter for Search Events |
| searchDateuntil | string | optional | Parameter for Search Events |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Search Events |

#### Example

```json
[
  [
    {
      "id": "12345",
      "org_id": "12345",
      "distribution": "0",
      "info": "logged source ip",
      "orgc_id": "12345",
      "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
      "date": "1991-01-15",
      "published": false,
      "analysis": "0",
      "attribute_count": "321",
      "timestamp": "1617875568",
      "sharing_group_id": "1",
      "proposal_email_lock": true,
      "locked": true,
      "threat_level_id": "1"
    }
  ]
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |

## Notes

- https://www.misp-project.org/openapi/
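The following is an added example, not code from the connector or from the MISP project: it walks every page of the `attributes/restSearch` action described above using its `page`/`limit` inputs and the `to_ids` and `enforceWarninglist` filters, and stops on the first page shorter than `limit`. The `iter_attributes` function, the `post` hook and the `FakeMisp` stand-in with its sample indicators (documentation-range values) are assumptions made for this example so it runs offline.

```python
from typing import Callable, Dict, Iterator, List

# post(path, json_body) -> decoded JSON response; the caller supplies the
# authenticated transport (Authorization / Accept / Content-Type headers).
Poster = Callable[[str, dict], dict]


def iter_attributes(post: Poster, limit: int = 100, **filters) -> Iterator[Dict]:
    """Yield Attribute dicts from attributes/restSearch page by page.

    MISP pages are 1-based. A page with fewer than `limit` rows is the last
    one, which also covers a result count that is an exact multiple of `limit`
    (the extra request then returns an empty page and we stop).
    """
    page = 1
    while True:
        body = {"page": page, "limit": limit, **filters}
        doc = post("attributes/restSearch", body)
        batch: List[Dict] = doc.get("response", {}).get("Attribute", [])
        yield from batch
        if len(batch) < limit:
            return
        page += 1


def ids_ready_values(post: Poster, limit: int = 100) -> List[str]:
    """Collect values that MISP marks for IDS export and that are not on a
    warninglist, which is the subset a blocklist export should consume."""
    return [a["value"] for a in iter_attributes(
        post, limit=limit, to_ids=True, enforceWarninglist=True)]


class FakeMisp:
    """Constructed stand-in for a MISP instance (sample data, not real
    indicators) that honours page/limit, to_ids and enforceWarninglist."""

    # Stands in for MISP's RFC 5735 CIDR warninglist, which covers loopback.
    WARNINGLISTED = {"127.0.0.1"}

    def __init__(self):
        self.calls = 0
        self.attributes = [
            {"id": "1", "type": "ip-dst", "value": "127.0.0.1", "to_ids": True},
            {"id": "2", "type": "ip-dst", "value": "203.0.113.7", "to_ids": True},
            {"id": "3", "type": "domain", "value": "example.net", "to_ids": False},
            {"id": "4", "type": "md5",
             "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True},
            {"id": "5", "type": "sha256",
             "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
             "to_ids": True},
        ]

    def post(self, path: str, body: dict) -> dict:
        if path != "attributes/restSearch":
            raise ValueError(f"unsupported path in fake: {path}")
        self.calls += 1
        rows = self.attributes
        if "to_ids" in body:
            rows = [a for a in rows if a["to_ids"] == body["to_ids"]]
        if body.get("enforceWarninglist"):
            rows = [a for a in rows if a["value"] not in self.WARNINGLISTED]
        start = (body["page"] - 1) * body["limit"]
        page_rows = rows[start:start + body["limit"]]
        return {"response": {"Attribute": page_rows}}


if __name__ == "__main__":
    misp = FakeMisp()
    for value in ids_ready_values(misp.post, limit=2):
        print(value)
    print(f"{misp.calls} restSearch requests")
```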