# MISP

MISP is an open source threat intelligence platform that facilitates the sharing of structured threat information among organizations.

MISP (Malware Information Sharing Platform & Threat Sharing) is an open source threat intelligence platform designed to improve the sharing of structured threat information. The MISP Turbine connector enables seamless integration with Swimlane Turbine, allowing users to automate the management of threat intelligence data. This integration enhances security operations by enabling automated actions such as adding, editing, and deleting threat attributes and events, enriching threat data, and executing custom scripts for advanced threat analysis.

## Prerequisites

Before you can use the MISP connector for Swimlane, you'll need access to the MISP API. This requires the following:

- An API key authentication using the following parameters:
  - **URL**: the endpoint URL for accessing the MISP API.
  - **API key**: a unique key provided by MISP for authenticating API requests.

## Capabilities

The connector for MISP needs to support the following capabilities:

- Add attribute
- Add event
- Add event tag
- Add tag to attribute
- Delete attribute
- Delete event
- Edit attribute
- Get a filtered and paginated list of attributes
- Get a filtered and paginated list of objects
- Get attribute
- Get attribute by ID
- Get count of attributes by category
- Get event by ID
- Get events
- Get list of attribute types

and so on.

## Notes

- https://www.misp-project.org/openapi/

## Configurations

### API key authentication

Authenticates using an API key.

**Configuration parameters**

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| `url` | A URL to the target host | string | Required |
| `authorization` | API key | string | Required |
| `verify_ssl` | Verify SSL certificate | boolean | Optional |
| `http_proxy` | A proxy to route requests through | string | Optional |

## Actions

### Add attribute

Add a new attribute to an existing event in MISP using the provided event ID, path parameters, and headers.

**Endpoint URL:** `attributes/add/{{eventid}}`

**Method:** POST

**Input argument**
name type required description path parameters eventid string required parameters for the add attribute action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request event id string optional unique identifier object id string optional unique identifier object relation string optional parameter for add attribute category string optional parameter for add attribute type string optional type of the resource value string optional value for the parameter to ids boolean optional unique identifier uuid string optional unique identifier timestamp string optional parameter for add attribute distribution string optional parameter for add attribute sharing group id string optional unique identifier comment string optional parameter for add attribute deleted boolean optional parameter for add attribute disable correlation boolean optional parameter for add attribute first seen string optional parameter for add attribute last seen string optional parameter for add attribute input example {"json body" {"event id" "12345","object id" "12345","object relation" "sensor","category" "internal reference","type" "md5","value" "127 0 0 1","to ids"\ true,"uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","timestamp" "1617875568","distribution" "0","sharing group id" "1","comment" "logged source ip","deleted"\ false,"disable correlation"\ false,"first seen" "1581984000000000","last seen" "1581984000000000"},"path parameters" {"eventid" "string"}} output parameter type description attribute object output field attribute attribute id string unique identifier attribute event id string unique identifier attribute object id string unique identifier attribute object relation string output field attribute object relation attribute category string output field attribute category attribute type string type of the resource attribute value string value for the parameter attribute to 
ids boolean unique identifier attribute uuid string unique identifier attribute timestamp string output field attribute timestamp attribute distribution string output field attribute distribution attribute sharing group id string unique identifier attribute comment string output field attribute comment attribute deleted boolean output field attribute deleted attribute disable correlation boolean output field attribute disable correlation attribute first seen string output field attribute first seen attribute last seen string output field attribute last seen output example {"attribute" {"id" "12345","event id" "12345","object id" "12345","object relation" "sensor","category" "internal reference","type" "md5","value" "127 0 0 1","to ids"\ true,"uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","timestamp" "1617875568","distribution" "0","sharing group id" "1","comment" "logged source ip","deleted"\ false,"disable correlation"\ false}} add domain ip object to event add a domain ip object to a misp event using event id requires at least one of domain, hostname, or ips supports single domain and arrays for ips and ports, with per attribute tags endpoint method get input argument name type required description event id string required the misp event id (or uuid) to add the domain ip object to domain string optional domain name (single value) ips array optional list of ip addresses to add as ip attributes ports array optional list of tcp ports to add as port attributes hostname string optional hostname related to the ip(s) first seen string optional first time the domain ip tuple has been seen (datetime) last seen string optional last time the domain ip tuple has been seen (datetime) registration date string optional registration date of the domain (datetime) text string optional a description of the domain ip tuple attribute tags array optional optional list of { "attribute" " ", "tag" " ", } to add a tag to domain ip object attributes "attribute" is the misp attribute name 
(e g domain, hostname, ip, port, first seen, last seen, registration date, text) "tag" is the tag name (e g tlp \ white ) for domain, ip, or port you can target a specific instance with "value" (e g "1 2 3 4") or "index" (0 based) without value/index, the tag is applied to all attributes of that type attribute tags attribute string optional misp attribute name (e g domain, hostname, ip, port, first seen, last seen, registration date, text) attribute tags tag string optional tag name to add to this attribute attribute tags value string optional for domain/ip/port; tag only the attribute with this value attribute tags index integer optional tag only the attribute at this 0 based index among attributes of the same type input example {"event id" "string","domain" "string","ips" \["string"],"ports" \[],"hostname" "example name","first seen" "string","last seen" "string","registration date" "string","text" "string","attribute tags" \[{"attribute" "string","tag" "string","value" "string","index" 123}]} add email object to event using eml file convert each eml attachment into a misp email object and append it to the specified event using event id and email eml endpoint method get input argument name type required description event id string required the misp event id (or uuid) to add each email object to email eml array required the eml file(s) to convert to email object(s) email eml file string optional parameter for add email object to event using eml file email eml file name string optional name of the resource email eml description string optional parameter for add email object to event using eml file input example {"event id" "string","email eml" \[{"file" "string","file name" "example name","description" "string"}]} add event add a new event to the misp platform using provided headers for authentication and configuration endpoint url /events/add method post input argument name type required description headers object required http headers for the request headers 
accept string required http headers for the request headers content type string required http headers for the request org id string optional organisation id length of the string must be less than or equal to 10 characters and all the characters of the string must be numbers distribution string optional distribution level id who will be able to see this event once it becomes published and eventually when it becomes pulled 0 your organization only, 1 this community only, 2 connected communities, 3 all communities, 4 sharing group, 5 inherit event info string optional event info length of the string must be less than or equal to 1065535 characters orgc id string optional organisation id length of the string must be less than or equal to 10 characters and all the characters of the string must be numbers uuid string optional uuid length of the string must be less than or equal to 36 characters date string optional date value published boolean optional published flag analysis string optional analysis level id represents the analysis maturity level 0 initial, 1 ongoing, 2 complete attribute count string optional event attribute count all the characters of the string must be numbers timestamp string optional nullable timestamp all the characters of the string must be numbers or null value also sharing group id string optional sharing group id length of the string must be less than or equal to 10 characters and all the characters of the string must be numbers or null value also proposal email lock boolean optional event proposal email lock locked boolean optional is locked threat level id string optional threat level id represents the threat level 1 high, 2 medium, 3 low, 4 undefined publish timestamp string optional timestamp all the characters of the string must be numbers sighting timestamp string optional timestamp all the characters of the string must be numbers disable correlation boolean optional disable correlation flag extends uuid string optional extends uuid 
length of the string must be less than or equal to 36 characters or null value also event creator email string optional email input example {"headers" {"accept" "application/json","content type" "application/json"},"org id" "string","distribution" "string","info" "string","orgc id" "string","uuid" "12345678 1234 1234 1234 123456789abc","date" "2024 01 01t00 00 00z","published"\ true,"analysis" "string","attribute count" "string","timestamp" "2024 01 01t00 00 00z","sharing group id" "string","proposal email lock"\ true,"locked"\ true,"threat level id" "string","publish timestamp" "0","sighting timestamp" "0","disable correlation"\ true,"extends uuid" "string","event creator email" "string"} output parameter type description status code number http status code of the response reason string response reason phrase event object output field event event id string unique identifier event org id string unique identifier event distribution string output field event distribution event info string output field event info event orgc id string unique identifier event uuid string unique identifier event date string date value event published boolean output field event published event analysis string output field event analysis event attribute count string count value event timestamp string output field event timestamp event sharing group id string unique identifier event proposal email lock boolean output field event proposal email lock event locked boolean output field event locked event threat level id string unique identifier event publish timestamp string output field event publish timestamp event sighting timestamp string output field event sighting timestamp event disable correlation boolean output field event disable correlation event extends uuid string unique identifier event event creator email string output field event event creator email event feed object output field event feed event feed id string unique identifier output example {"event" {"id" "12345678 1234 1234 
1234 123456789abc","org id" "string","distribution" "string","info" "string","orgc id" "string","uuid" "12345678 1234 1234 1234 123456789abc","date" "2024 01 01t00 00 00z","published"\ true,"analysis" "string","attribute count" "string","timestamp" "2024 01 01t00 00 00z","sharing group id" "string","proposal email lock"\ true,"locked"\ true,"threat level id" "string"}} add event tag associate a tag with an event in misp using the event id, tag id, and locality parameter endpoint url events/addtag/{{eventid}}/{{tagid}}/local {{local}} method post input argument name type required description path parameters eventid string required parameters for the add event tag action path parameters tagid string required parameters for the add event tag action path parameters local number required parameters for the add event tag action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"path parameters" {"eventid" "string","tagid" "string","local" 1}} output parameter type description saved boolean output field saved success string whether the operation was successful check publish boolean output field check publish errors string error message if any output example {"saved"\ true,"success" "tag added ","check publish"\ true,"errors" "tag could not be added "} add file object to event add a misp file object to an event using metadata like full path and hashes no file attachment is required optionally add tags to specific object attributes endpoint method get input argument name type required description event id string required the misp event id (or uuid) to add the file object to full path string optional full path of the file (e g /path/to/file exe) filename string optional file name (e g file exe) if omitted, can be derived from full path path string optional path of the file (complete or partial) md5 string optional md5 hash of the 
file sha1 string optional sha 1 hash of the file sha256 string optional sha 256 hash of the file attribute tags array optional optional list of { "attribute" " ", "tag" " " } to add a tag to specific file object attributes "attribute" is the misp attribute name (e g md5, sha256, filename, fullpath) "tag" is the tag name (e g tlp \ white ) attribute tags attribute string optional misp attribute name (e g md5, sha256, filename) attribute tags tag string optional tag name to add to this attribute input example {"event id" "string","full path" "string","filename" "example name","path" "string","md5" "string","sha1" "string","sha256" "string","attribute tags" \[{"attribute" "string","tag" "string"}]} add process object to event add a misp process object to an event using details like pid, name, image, command line, and parent info requires the event id endpoint method get input argument name type required description event id string required the misp event id (or uuid) to add the process object to name string optional name of the process pid string optional process id of the process parent pid string optional process id of the parent process image string optional path of process image command line string optional command line of the process parent command line string optional command line of the parent process parent image string optional path of parent process image parent process name string optional process name of the parent parent process path string optional parent process path current directory string optional current working directory of the process args string optional arguments of the process creation time string optional local date/time at which the process was created (e g iso 8601) start time string optional local date/time at which the process was started (e g iso 8601) child pid string optional process id(s) of child process(es); comma separated or array guid string optional globally unique identifier assigned by the vendor product parent guid string 
optional globally unique identifier of the parent process pgid string optional identifier of the process group port string optional port(s) owned by the process; comma separated or array process state string optional state of process (e g r=running, s=sleeping, d=uninterruptible sleep) user process string optional user who is running the process at the time of analysis user creator string optional user who created the process integrity level string optional integrity level (e g system, high, medium, low, untrusted) environment variables string optional environment variables associated with the process hidden boolean optional whether the process is hidden (true/false or 1/0) input example {"event id" "string","name" "example name","pid" "string","parent pid" "string","image" "string","command line" "string","parent command line" "string","parent image" "string","parent process name" "example name","parent process path" "string","current directory" "string","args" "string","creation time" "string","start time" "string","child pid" "string","guid" "string","parent guid" "string","pgid" "string","port" "string","process state" "string","user process" "string","user creator" "string","integrity level" "string","environment variables" "string","hidden"\ true,"fake process name"\ true} add tag to attribute associate a specified tag with an attribute in misp using the attribute's id, tag's id, and locality endpoint url attributes/addtag/{{attributeid}}/{{tagid}}/local {{local}} method post input argument name type required description path parameters attributeid string required parameters for the add tag to attribute action path parameters tagid string required parameters for the add tag to attribute action path parameters local number required parameters for the add tag to attribute action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input 
example {"path parameters" {"attributeid" "string","tagid" "string","local" 1}} output parameter type description saved boolean output field saved success string whether the operation was successful check publish boolean output field check publish errors string error message if any output example {"saved"\ true,"success" "tag added ","check publish"\ true,"errors" "tag could not be added "} add url object to event add a url object to a misp event using the event id and url value scheme, host, domain, port, path, query string, fragment, and related fields are derived from the url endpoint method get input argument name type required description event id string required the misp event id (or uuid) to add the url object to url value string required the full url (e g https //example com/path?q=1#section https //example com/path?q=1#section ) all url object attributes are derived from it ip addresses array optional list of ips to add as ip attributes to the url object attribute tags array optional optional list of { "attribute" " ", "tag" " ", } to add a tag to url object attributes "attribute" is the misp attribute name (e g url, host, domain, scheme, port, ip, resource path) "tag" is the tag name (e g tlp \ white ) for ip attributes you can target a specific ip with "value" (e g "1 2 3 4") or "index" (0 based) without value/index, the tag is applied to all attributes of that type attribute tags attribute string optional misp attribute name (e g url, host, domain, scheme, ip) attribute tags tag string optional tag name to add to this attribute attribute tags value string optional for ip; tag only the attribute with this value (e g "1 2 3 4") attribute tags index integer optional tag only the attribute at this 0 based index among attributes of the same type input example {"event id" "string","url value" "string","ip addresses" \["string"],"attribute tags" \[{"attribute" "string","tag" "string","value" "string","index" 123}]} delete attribute remove a specified attribute 
from misp using the provided attribute id, requiring path parameters and headers endpoint url attributes/delete/{{attributeid}} method delete input argument name type required description path parameters attributeid string required parameters for the delete attribute action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"path parameters" {"attributeid" "string"}} output parameter type description message string response message output example {"message" "attribute deleted "} delete event remove a specified event from misp using the provided event id in path parameters, with necessary headers endpoint url events/delete/{{eventid}} method delete input argument name type required description path parameters eventid string required parameters for the delete event action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"path parameters" {"eventid" "string"}} output parameter type description saved boolean output field saved success boolean whether the operation was successful name string name of the resource message string response message url string url endpoint for the request errors string error message if any output example {"saved"\ true,"success"\ true,"name" "event deleted ","message" "could not delete event","url" "/events/delete/1","errors" "event was not deleted "} edit attribute modify an existing attribute in misp using the specified attribute id and updated details provided in the request endpoint url attributes/edit/{{attributeid}} method put input argument name type required description path parameters attributeid string required parameters for the edit attribute action headers object required http headers for the request headers accept string required http headers for 
the request headers content type string required http headers for the request id string optional unique identifier event id string optional unique identifier object id string optional unique identifier object relation string optional parameter for edit attribute category string optional parameter for edit attribute type string optional type of the resource value string optional value for the parameter to ids boolean optional unique identifier uuid string optional unique identifier timestamp string optional parameter for edit attribute distribution string optional parameter for edit attribute sharing group id string optional unique identifier comment string optional parameter for edit attribute deleted boolean optional parameter for edit attribute disable correlation boolean optional parameter for edit attribute first seen string optional parameter for edit attribute last seen string optional parameter for edit attribute input example {"json body" {"id" "12345","event id" "12345","object id" "12345","object relation" "sensor","category" "internal reference","type" "md5","value" "127 0 0 1","to ids"\ true,"uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","timestamp" "1617875568","distribution" "0","sharing group id" "1","comment" "logged source ip","deleted"\ false,"disable correlation"\ false,"first seen" "1581984000000000","last seen" "1581984000000000"},"path parameters" {"attributeid" "string"}} output parameter type description attribute object output field attribute attribute id string unique identifier attribute event id string unique identifier attribute object id string unique identifier attribute object relation string output field attribute object relation attribute category string output field attribute category attribute type string type of the resource attribute value string value for the parameter attribute to ids boolean unique identifier attribute uuid string unique identifier attribute timestamp string output field attribute timestamp attribute 
distribution string output field attribute distribution attribute sharing group id string unique identifier attribute comment string output field attribute comment attribute deleted boolean output field attribute deleted attribute disable correlation boolean output field attribute disable correlation attribute first seen string output field attribute first seen attribute last seen string output field attribute last seen output example {"attribute" {"id" "12345","event id" "12345","object id" "12345","object relation" "sensor","category" "internal reference","type" "md5","value" "127 0 0 1","to ids"\ true,"uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","timestamp" "1617875568","distribution" "0","sharing group id" "1","comment" "logged source ip","deleted"\ false,"disable correlation"\ false}} execute script execute a python script using pymisp and bundled dependencies in misp endpoint method get input argument name type required description script string required multi line python code to run use "action inputs" for input data set "action outputs" to return a value (e g action outputs = {"attachment" , "name" }) dict keys are also exposed at top level for mapping action inputs object optional optional free form object passed into the script as "action inputs" use any keys you need; they are available inside the script input example {"script" "string","action inputs" {}} get a filtered and paginated list of attributes retrieve a filtered and paginated list of attributes from misp, including specified request headers endpoint url attributes/restsearch method post input argument name type required description headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request page number optional parameter for get a filtered and paginated list of attributes limit number optional parameter for get a filtered and paginated list of attributes value string optional 
value for the parameter value1 string optional value for the parameter value2 string optional value for the parameter type string optional type of the resource category string optional parameter for get a filtered and paginated list of attributes org string optional parameter for get a filtered and paginated list of attributes tags array optional parameter for get a filtered and paginated list of attributes from string optional parameter for get a filtered and paginated list of attributes to string optional parameter for get a filtered and paginated list of attributes last number optional parameter for get a filtered and paginated list of attributes eventid string optional unique identifier withattachments boolean optional parameter for get a filtered and paginated list of attributes uuid string optional unique identifier publish timestamp string optional parameter for get a filtered and paginated list of attributes published boolean optional parameter for get a filtered and paginated list of attributes timestamp string optional parameter for get a filtered and paginated list of attributes attribute timestamp string optional parameter for get a filtered and paginated list of attributes enforcewarninglist boolean optional parameter for get a filtered and paginated list of attributes to ids boolean optional unique identifier deleted boolean optional parameter for get a filtered and paginated list of attributes input example {"json body" {"page" 0,"limit" 1,"value" "127 0 0 1","value1" "127 0 0 1","value2" "127 0 0 1","type" "md5","category" "internal reference","org" "12345","tags" \["tlp\ amber"],"from" "string","to" "string","last" 0,"eventid" "12345","withattachments"\ false,"uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","publish timestamp" "1617875568","published"\ false,"timestamp" "1617875568","attribute timestamp" "1617875568","enforcewarninglist"\ true,"to ids"\ true,"deleted"\ false,"event timestamp" "1617875568","threat level id" "1","eventinfo" 
"string","sharinggroup" \["1"],"decayingmodel" "string","score" "string","first seen" "string","last seen" "string","includeeventuuid"\ false,"includeeventtags"\ false,"includeproposals"\ false,"requested attributes" \["id"],"includecontext"\ true,"headerless"\ true,"includewarninglisthits"\ true,"attackgalaxy" "mitre attack","object relation" "filepath","includesightings"\ true,"includecorrelations"\ true,"modeloverrides" {"lifetime" 3,"decay speed" 2 3,"threshold" 30,"default base score" 80,"base score config" {"estimative language\ confidence in analytic judgment" 0 25,"estimative language\ likelihood probability" 0 25,"phishing\ psychological acceptability" 0 25,"phishing\ state" 0 2}},"includedecayscore"\ false,"includefullmodel"\ false,"excludedecayed"\ false,"returnformat" "json"}} output parameter type description response object output field response response attribute array output field response attribute response attribute id string unique identifier response attribute event id string unique identifier response attribute object id string unique identifier response attribute object relation string output field response attribute object relation response attribute category string output field response attribute category response attribute type string type of the resource response attribute value string value for the parameter response attribute to ids boolean unique identifier response attribute uuid string unique identifier response attribute timestamp string output field response attribute timestamp response attribute distribution string output field response attribute distribution response attribute sharing group id string unique identifier response attribute comment string output field response attribute comment response attribute deleted boolean output field response attribute deleted response attribute disable correlation boolean output field response attribute disable correlation response attribute first seen string output field response attribute 
first seen response attribute last seen string output field response attribute last seen response attribute data string response data response attribute event uuid string unique identifier response attribute decay score array score value response attribute decay score score number score value response attribute decay score base score number score value response attribute decay score decayed boolean output field response attribute decay score decayed output example {"response" {"attribute" \[{}]}} get a filtered and paginated list of objects retrieve a filtered and paginated list of objects from misp based on specified criteria in headers and json body endpoint url /objects/restsearch method post input argument name type required description headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request page number optional integer or null (pagesearchfilter) >= 1 limit number optional integer or null (limitsearchfilter) >= 0 quickfilter string optional search events by matching any tag names, event descriptions, attribute values or attribute comments (searchallrestsearchfilter) searchall string optional search events by matching any tag names, event descriptions, attribute values or attribute comments (searchallrestsearchfilter) timestamp string optional timestamp format is in ^\d+$ object name string optional object name to search for less than or equal to 131071 characters object template uuid string optional object template uuid to search for object template version string optional object template version to search for format is in ^\d+$ eventid string optional event id to search for format is in ^\d+$ less than or equal to 10 characters eventinfo string optional less than or equal to 65535 characters ignore boolean optional default is false if true matches both true and false values for to ids and published from string optional value is string or 
null (daterestsearchfilter) you can use any of the valid time related filters (examples are 7d, timestamps, [14d, 7d] for ranges, etc.)

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `to` | string | Optional | Value is string or null (daterestsearchfilter). You can use any of the valid time related filters (examples are 7d, timestamps, [14d, 7d] for ranges, etc.) |
| `date` | string | Optional | Value is string or null (daterestsearchfilter). You can use any of the valid time related filters (examples are 7d, timestamps, [14d, 7d] for ranges, etc.) |
| `tags` | array | Optional | Array of strings (tagrestsearchfilter) |
| `last` | number | Optional | Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m), ISO 8601 datetime format or timestamp (lastrestsearchfilter) |
| `event_timestamp` | string | Optional | Event timestamp format is in `^\d+$`. Default is '0' |
| `publish_timestamp` | string | Optional | Event timestamp format is in `^\d+$`. Default is '0' |
| `org` | string | Optional | Either organisation ID or organisation name. If organisation ID is used, less than or equal to 10 characters. If organisation name is used, less than or equal to 255 characters |
| `uuid` | string | Optional | UUID to search for |
| `value` | string | Optional | Value to search for. Less than or equal to 131071 characters (attributevalue) |
| `type` | string | Optional | Type to search for. Less than or equal to 100 characters (attributetype) |

Input example

```json
{"headers": {"Accept": "application/json", "Content-Type": "application/json"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `response` | array | Output field response |
| `response.object` | object | Output field response object |
| `response.object.id` | string | Unique identifier |
| `response.object.name` | string | Name of the resource |
| `response.object.meta-category` | string | Output field response object meta category |
| `response.object.description` | string | Output field response object description |
| `response.object.template_uuid` | string | Unique identifier |
| `response.object.template_version` | string | Output field response object template version |
| `response.object.event_id` | string | Unique identifier |
| `response.object.uuid` | string | Unique identifier |
| `response.object.timestamp` | string | Output field response object timestamp |
| `response.object.distribution` | string | Output field response object distribution |
| `response.object.sharing_group_id` | string | Unique identifier |
| `response.object.comment` | string | Output field response object comment |
| `response.object.deleted` | boolean | Output field response object deleted |
| `response.object.first_seen` | string | Output field response object first seen |
| `response.object.last_seen` | string | Output field response object last seen |
| `response.object.attribute` | array | Output field response object attribute |
| `response.object.attribute.id` | string | Unique identifier |
| `response.object.attribute.event_id` | string | Unique identifier |
| `response.object.attribute.object_id` | string | Unique identifier |
| `response.object.attribute.object_relation` | string | Output field response object attribute object relation |
| `response.object.attribute.category` | string | Output field response object attribute category |

Output example

```json
{"response": [{"object": {}}]}
```

### Get Attribute

Fetch a specific attribute from MISP for threat analysis and intelligence using provided headers.

Endpoint URL: `attributes`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `headers` | object | Required | HTTP headers for the request |
| `headers.Accept` | string | Required | HTTP headers for the request |
| `headers.Content-Type` | string | Required | HTTP headers for the request |

Input example

```json
{"headers": {"Accept": "application/json", "Content-Type": "application/json"}}
```

Output example

```json
{"id": "12345", "event_id": "12345", "object_id": "12345", "object_relation": "sensor",
 "category": "internal reference", "type": "md5", "value": "127.0.0.1", "to_ids": true,
 "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b", "timestamp": "1617875568",
 "distribution": "0", "sharing_group_id": "1", "comment": "logged source ip",
 "deleted": false, "disable_correlation": false}
```

### Get Attribute by ID

Retrieve details for a specific
attribute in MISP by providing the unique attribute ID. Requires headers and path parameters.

Endpoint URL: `attributes/view/{{attributeid}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `path_parameters.attributeid` | string | Required | Parameters for the get attribute by ID action |
| `headers` | object | Required | HTTP headers for the request |
| `headers.Accept` | string | Required | HTTP headers for the request |
| `headers.Content-Type` | string | Required | HTTP headers for the request |

Input example

```json
{"path_parameters": {"attributeid": "string"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| `attribute` | object | Output field attribute |
| `attribute.id` | string | Unique identifier |
| `attribute.event_id` | string | Unique identifier |
| `attribute.object_id` | string | Unique identifier |
| `attribute.object_relation` | string | Output field attribute object relation |
| `attribute.category` | string | Output field attribute category |
| `attribute.type` | string | Type of the resource |
| `attribute.value` | string | Value for the parameter |
| `attribute.to_ids` | boolean | Unique identifier |
| `attribute.uuid` | string | Unique identifier |
| `attribute.timestamp` | string | Output field attribute timestamp |
| `attribute.distribution` | string | Output field attribute distribution |
| `attribute.sharing_group_id` | string | Unique identifier |
| `attribute.comment` | string | Output field attribute comment |
| `attribute.deleted` | boolean | Output field attribute deleted |
| `attribute.disable_correlation` | boolean | Output field attribute disable correlation |
| `attribute.first_seen` | string | Output field attribute first seen |
| `attribute.last_seen` | string | Output field attribute last seen |

Output example

```json
{"attribute": {"id": "12345", "event_id": "12345", "object_id": "12345",
 "object_relation": "sensor", "category": "internal reference", "type": "md5",
 "value": "127.0.0.1", "to_ids": true, "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
 "timestamp": "1617875568", "distribution": "0", "sharing_group_id": "1",
 "comment": "logged source ip", "deleted": false, "disable_correlation": false}}
```

### Get Count of Attributes by Category

Retrieve the count of MISP attributes by category using context
and percentage as path parameters.

Endpoint URL: `attributes/attributestatistics/{{context}}/{{percentage}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `path_parameters.context` | string | Required | Parameters for the get count of attributes by category action |
| `path_parameters.percentage` | number | Required | Parameters for the get count of attributes by category action |
| `headers` | object | Required | HTTP headers for the request |
| `headers.Accept` | string | Required | HTTP headers for the request |
| `headers.Content-Type` | string | Required | HTTP headers for the request |

Input example

```json
{"path_parameters": {"context": "type", "percentage": 1}}
```

Output example

```json
{"antivirus detection": "10"}
```

### Get Event by ID

Retrieve detailed information for a specific event in MISP by providing the unique event ID as a path parameter and necessary headers.

Endpoint URL: `events/view/{{eventid}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `path_parameters.eventid` | string | Required | Parameters for the get event by ID action |
| `headers` | object | Required | HTTP headers for the request |
| `headers.Accept` | string | Required | HTTP headers for the request |
| `headers.Content-Type` | string | Required | HTTP headers for the request |

Input example

```json
{"path_parameters": {"eventid": "string"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| `event` | object | Output field event |
| `event.id` | string | Unique identifier |
| `event.org_id` | string | Unique identifier |
| `event.distribution` | string | Output field event distribution |
| `event.info` | string | Output field event info |
| `event.orgc_id` | string | Unique identifier |
| `event.uuid` | string | Unique identifier |
| `event.date` | string | Date value |
| `event.published` | boolean | Output field event published |
| `event.analysis` | string | Output field event analysis |
| `event.attribute_count` | string | Count value |
| `event.timestamp` | string | Output field event timestamp |
| `event.sharing_group_id` | string | Unique identifier |
| `event.proposal_email_lock` | boolean | Output field event proposal email lock |
| `event.locked` | boolean | Output field event locked |
| `event.threat_level_id` | string | Unique identifier |
| `event.publish_timestamp` | string | Output field event publish timestamp |
| `event.sighting_timestamp` | string | Output field event sighting timestamp |
| `event.disable_correlation` | boolean | Output field event disable correlation |
| `event.extends_uuid` | string | Unique identifier |
| `event.event_creator_email` | string | Output field event event creator email |
| `event.feed` | object | Output field event feed |
| `event.feed.id` | string | Unique identifier |
| `event.feed.name` | string | Name of the resource |
| `event.feed.provider` | string | Unique identifier |

Output example

```json
{"event": {"id": "12345", "org_id": "12345", "distribution": "0", "info": "logged source ip",
 "orgc_id": "12345", "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b", "date": "1991-01-15",
 "published": false, "analysis": "0", "attribute_count": "321", "timestamp": "1617875568",
 "sharing_group_id": "1", "proposal_email_lock": true, "locked": true, "threat_level_id": "1"}}
```

### Get Events

Retrieves a list of threat intelligence events from MISP using specified headers for an informed security overview.

Endpoint URL: `events`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `headers` | object | Required | HTTP headers for the request |
| `headers.Accept` | string | Required | HTTP headers for the request |
| `headers.Content-Type` | string | Required | HTTP headers for the request |

Input example

```json
{"headers": {"Accept": "application/json", "Content-Type": "application/json"}}
```

Output example

```json
{"id": "12345", "org_id": "12345", "distribution": "0", "info": "logged source ip",
 "orgc_id": "12345", "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b", "date": "1991-01-15",
 "published": false, "analysis": "0", "attribute_count": "321", "timestamp": "1617875568",
 "sharing_group_id": "1", "proposal_email_lock": true, "locked": true, "threat_level_id": "1"}
```

### Get List of Attribute Types

Retrieve a list of available attribute types from MISP. Authentication headers are required.

Endpoint URL: `attributes/describetypes`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `headers` | object | Required | HTTP headers for the request |
| `headers.Accept` | string | Required | HTTP headers for the request |
| `headers.Content-Type` | string | Required | HTTP headers for the request |

Input example

```json
{"headers": {"Accept": "application/json", "Content-Type": "application/json"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| `sane_defaults` | object | Output field sane defaults |
| `sane_defaults.md5` | object | Output field sane defaults md5 |
| `sane_defaults.md5.default_category` | string | Output field sane defaults md5 default category |
| `sane_defaults.md5.to_ids` | number | Unique identifier |
| `sane_defaults.pdb` | object | Output field sane defaults pdb |
| `sane_defaults.pdb.default_category` | string | Output field sane defaults pdb default category |
| `sane_defaults.pdb.to_ids` | number | Unique identifier |
| `types` | array | Type of the resource |
| `categories` | array | Output field categories |
| `category_type_mappings` | object | Type of the resource |
| `category_type_mappings.internal reference` | array | Type of the resource |
| `category_type_mappings.antivirus detection` | array | Type of the resource |

Output example

```json
{"sane_defaults": {"md5": {"default_category": "payload delivery", "to_ids": 1},
                   "pdb": {"default_category": "artifacts dropped", "to_ids": 0}},
 "types": ["md5"], "categories": ["internal reference"],
 "category_type_mappings": {"internal reference": ["text", "link", "comment"],
                            "antivirus detection": ["link", "comment", "text"]}}
```

### Publish Event

Publish a specified event in MISP using the provided eventid, requiring headers and path parameters.

Endpoint URL: `events/publish/{{eventid}}`

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `path_parameters.eventid` | string | Required | Parameters for the publish event action |
| `headers` | object | Required | HTTP headers for the request |
| `headers.Accept` | string | Required | HTTP headers for the request |
| `headers.Content-Type` | string | Required | HTTP headers for the request |

Input example

```json
{"path_parameters": {"eventid": "string"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| `name` | string | Name of the resource |
| `message` | string | Response message |
| `url` | string | URL endpoint for the request |
| `id` | string | Unique identifier |

Output example

```json
{"name": "publish", "message": "job queued", "url": "https://misp.local/events/alert/1", "id": "string"}
```

### Remove Event Tag

Remove a specified tag from an event in MISP using the provided event and tag IDs. Requires headers and path parameters.

Endpoint URL: `events/removetag/{{eventid}}/{{tagid}}`

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `path_parameters.eventid` | string | Required | Parameters for the remove event tag action |
| `path_parameters.tagid` | string | Required | Parameters for the remove event tag action |
| `headers` | object | Required | HTTP headers for the request |
| `headers.Accept` | string | Required | HTTP headers for the request |
| `headers.Content-Type` | string | Required | HTTP headers for the request |

Input example

```json
{"path_parameters": {"eventid": "string", "tagid": "string"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| `saved` | boolean | Output field saved |
| `success` | string | Whether the operation was successful |
| `check_publish` | boolean | Output field check publish |
| `errors` | string | Error message if any |

Output example

```json
{"saved": true, "success": "tag removed.", "check_publish": true, "errors": "tag could not be added."}
```

### Remove Tag from Attribute

Remove a specified tag from an attribute in MISP using the provided attributeid and tagid.

Endpoint URL: `attributes/removetag/{{attributeid}}/{{tagid}}`

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `path_parameters.attributeid` | string | Required | Parameters for the remove tag from attribute action |
| `path_parameters.tagid` | string | Required | Parameters for the remove tag from attribute action |
| `headers` | object | Required | HTTP headers for the request |
| `headers.Accept` | string | Required | HTTP headers for the request |
| `headers.Content-Type` | string | Required | HTTP headers for the request |

Input example

```json
{"path_parameters": {"attributeid": "string", "tagid": "string"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| `saved` | boolean | Output field saved |
| `success` | string | Whether the operation was successful |
| `check_publish` | boolean | Output field check publish |
| `errors` | string | Error message if any |

Output example

```json
{"saved": true, "success": "tag removed.", "check_publish": true, "errors": "tag could not be added."}
```

### Search Events

Perform
a search for events in MISP using specified headers to quickly locate relevant event data.

Endpoint URL: `events/index`

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `headers` | object | Required | HTTP headers for the request |
| `headers.Accept` | string | Required | HTTP headers for the request |
| `headers.Content-Type` | string | Required | HTTP headers for the request |
| `page` | number | Optional | Parameter for search events |
| `limit` | number | Optional | Parameter for search events |
| `sort` | string | Optional | Parameter for search events |
| `direction` | string | Optional | Parameter for search events |
| `minimal` | boolean | Optional | Parameter for search events |
| `attribute` | string | Optional | Parameter for search events |
| `eventid` | string | Optional | Unique identifier |
| `datefrom` | string | Optional | Parameter for search events |
| `dateuntil` | string | Optional | Parameter for search events |
| `org` | string | Optional | Parameter for search events |
| `eventinfo` | string | Optional | Parameter for search events |
| `tag` | string | Optional | Parameter for search events |
| `tags` | array | Optional | Parameter for search events |
| `distribution` | string | Optional | Parameter for search events |
| `sharinggroup` | string | Optional | Parameter for search events |
| `analysis` | string | Optional | Parameter for search events |
| `threatlevel` | string | Optional | Parameter for search events |
| `email` | string | Optional | Parameter for search events |
| `hasproposal` | string | Optional | Parameter for search events |
| `timestamp` | string | Optional | Parameter for search events |
| `publish_timestamp` | string | Optional | Parameter for search events |
| `searchdatefrom` | string | Optional | Parameter for search events |

Input example

```json
{"json_body": {"page": 0, "limit": 1, "sort": "timestamp", "direction": "asc", "minimal": false,
 "attribute": "covert channel", "eventid": "12345", "datefrom": "2021-03-05",
 "dateuntil": "2021-03-05", "org": "circl", "eventinfo": "phishing campaing",
 "tag": "tlp:white", "tags": ["tlp:amber", "cycat:scope=\"exploit\""], "distribution": "0",
 "sharinggroup": "1", "analysis": "0", "threatlevel": "1", "email": "admin@admin.test",
 "hasproposal": "1", "timestamp": "1", "publish_timestamp": "1",
 "searchdatefrom": "2020-01-20", "searchdateuntil": "2020-01-20"}}
```

Output example

```json
{"id": "12345", "org_id": "12345", "distribution": "0", "info": "logged source ip",
 "orgc_id": "12345", "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b", "date": "1991-01-15",
 "published": false, "analysis": "0", "attribute_count": "321", "timestamp": "1617875568",
 "sharing_group_id": "1", "proposal_email_lock": true, "locked": true, "threat_level_id": "1"}
```

Response headers

| Header | Description | Example |
| --- | --- | --- |
| `Content-Type` | The media type of the resource | application/json |
| `Date` | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
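The filter constraints documented above (digits-only timestamps, length limits on `org`, `value` and `type`, the accepted forms of `last`) and the `{{...}}` path parameters in the endpoint URLs can be checked in a playbook step before a request reaches MISP. The following is an added example, not code from the connector or from MISP; it goes beyond the listed constraints by also checking path parameters. The function names `validate_filters` and `fill_endpoint` are hypothetical, and the character set allowed in path parameters is an assumption.

```python
import re
from datetime import datetime

TIMESTAMP = re.compile(r"[0-9]+")            # page: format ^\d+$
RELATIVE = re.compile(r"[0-9]+[dhm]")        # page: 5d, 12h, 30m
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9-]+")  # assumption: numeric ids, UUIDs, keywords
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")
MAX_LEN = {"value": 131071, "type": 100}     # limits stated on the page

def _valid_last(value):
    text = str(value)
    if TIMESTAMP.fullmatch(text) or RELATIVE.fullmatch(text):
        return True
    try:
        datetime.fromisoformat(text)
        return True
    except ValueError:
        return False

def validate_filters(filters):
    """Return constraint violations; an empty list means the filters pass."""
    errors = []
    for key in ("event_timestamp", "publish_timestamp"):
        if key in filters and not TIMESTAMP.fullmatch(str(filters[key])):
            errors.append(f"{key}: digits only")
    for key, limit in MAX_LEN.items():
        if key in filters and len(str(filters[key])) > limit:
            errors.append(f"{key}: longer than {limit} characters")
    if "org" in filters:
        org = str(filters["org"])
        limit = 10 if TIMESTAMP.fullmatch(org) else 255  # numeric means id, else name
        if not org or len(org) > limit:
            errors.append(f"org: must be 1-{limit} characters")
    if "last" in filters and not _valid_last(filters["last"]):
        errors.append("last: expected 5d/12h/30m style, ISO 8601 datetime or timestamp")
    return errors

def fill_endpoint(template, **params):
    """Fill {{name}} placeholders, rejecting values that could change the URL path."""
    def substitute(match):
        value = str(params[match.group(1)])
        if not SAFE_SEGMENT.fullmatch(value):
            raise ValueError(f"unsafe path parameter {match.group(1)}={value!r}")
        return value
    return PLACEHOLDER.sub(substitute, template)

if __name__ == "__main__":
    # Constructed sample values, not taken from a real MISP instance.
    print(validate_filters({"event_timestamp": "16178-5", "org": "circl", "last": "12h"}))
    print(fill_endpoint("events/view/{{eventid}}", eventid="12345"))
```

`fullmatch` is used rather than `^...$` with `match`, because `$` also matches before a trailing newline and would let a value such as `"12345\n"` through.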