MISP

the misp connector facilitates the interaction with the misp platform, enabling automated threat intelligence management and event handling misp (malware information sharing platform & threat sharing) is a comprehensive threat intelligence platform that facilitates the sharing of structured threat information among security professionals the misp turbine connector enables users to automate the ingestion, enrichment, and management of threat indicators within swimlane turbine by integrating with misp, security teams can streamline threat analysis, enhance incident response, and foster collaboration across the security community, leveraging misp's rich dataset of indicators and events prerequisites to effectively utilize the misp connector with swimlane turbine, ensure you have the following prerequisites api key authentication url the base url of your misp instance api key your personal access key for the misp api capabilities the connector for misp needs to support the following capabilities add attribute add event add event tag add tag to attribute delete attribute delete event edit attribute get a filtered and paginated list of attributes get a filtered and paginated list of objects get attribute get attribute by id get count of attributes by category get event by id get events get list of attribute types and so on notes https //www misp project org/openapi/ configurations api key authentication authenticates using an api key configuration parameters parameter description type required url a url to the target host string required authorization api key string required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional actions add attribute adds a new attribute to an existing event in misp using the provided event id endpoint url attributes/add/{{eventid}} method post input argument name type required description path parameters eventid string required parameters for the add attribute action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request event id string optional unique identifier object id string optional unique identifier object relation string optional parameter for add attribute category string optional parameter for add attribute type string optional type of the resource value string optional value for the parameter to ids boolean optional unique identifier uuid string optional unique identifier timestamp string optional parameter for add attribute distribution string optional parameter for add attribute sharing group id string optional unique identifier comment string optional parameter for add attribute deleted boolean optional parameter for add attribute disable correlation boolean optional parameter for add attribute first seen string optional parameter for add attribute last seen string optional parameter for add attribute input example {"json body" {"event id" "12345","object id" "12345","object relation" "sensor","category" "internal reference","type" "md5","value" "127 0 0 1","to ids"\ true,"uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","timestamp" "1617875568","distribution" "0","sharing group id" "1","comment" "logged source ip","deleted"\ false,"disable correlation"\ false,"first seen" "1581984000000000","last seen" "1581984000000000"},"path parameters" {"eventid" "string"}} output parameter type description attribute object output field attribute attribute id string unique identifier attribute event id string unique identifier attribute object id string unique identifier attribute object relation string output field attribute object relation attribute category string output field attribute category attribute type string type of the resource attribute value string value for the parameter attribute to ids boolean unique identifier attribute uuid string unique identifier attribute timestamp string output field attribute timestamp attribute distribution string output field attribute distribution attribute sharing group id string unique identifier attribute comment string output field attribute comment attribute deleted boolean output field attribute deleted attribute disable correlation boolean output field attribute disable correlation attribute first seen string output field attribute first seen attribute last seen string output field attribute last seen output example {"attribute" {"id" "12345","event id" "12345","object id" "12345","object relation" "sensor","category" "internal reference","type" "md5","value" "127 0 0 1","to ids"\ true,"uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","timestamp" "1617875568","distribution" "0","sharing group id" "1","comment" "logged source ip","deleted"\ false,"disable correlation"\ false}} add event adds a new event to the misp platform, utilizing provided headers for authentication and configuration endpoint url /events/add method post input argument name type required description headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request org id string optional organisation id length of the string must be less than or equal to 10 characters and all the characters of the string must be numbers distribution string optional distribution level id who will be able to see this event once it becomes published and eventually when it becomes pulled 0 your organization only, 1 this community only, 2 connected communities, 3 all communities, 4 sharing group, 5 inherit event info string optional event info length of the string must be less than or equal to 1065535 characters orgc id string optional organisation id length of the string must be less than or equal to 10 characters and all the characters of the string must be numbers uuid string optional uuid length of the string must be less than or equal to 36 characters date string optional date value published boolean optional published flag analysis string optional analysis level id represents the analysis maturity level 0 initial, 1 ongoing, 2 complete attribute count string optional event attribute count all the characters of the string must be numbers timestamp string optional nullable timestamp all the characters of the string must be numbers or null value also sharing group id string optional sharing group id length of the string must be less than or equal to 10 characters and all the characters of the string must be numbers or null value also proposal email lock boolean optional event proposal email lock locked boolean optional is locked threat level id string optional threat level id represents the threat level 1 high, 2 medium, 3 low, 4 undefined publish timestamp string optional timestamp all the characters of the string must be numbers sighting timestamp string optional timestamp all the characters of the string must be numbers disable correlation boolean optional disable correlation flag extends uuid string optional extends uuid length of the string must be less than or equal to 36 characters or null value also event creator email string optional email input example {"headers" {"accept" "application/json","content type" "application/json"},"org id" "string","distribution" "string","info" "string","orgc id" "string","uuid" "12345678 1234 1234 1234 123456789abc","date" "2024 01 01t00 00 00z","published"\ true,"analysis" "string","attribute count" "string","timestamp" "2024 01 01t00 00 00z","sharing group id" "string","proposal email lock"\ true,"locked"\ true,"threat level id" "string","publish timestamp" "0","sighting timestamp" "0","disable correlation"\ true,"extends uuid" "string","event creator email" "string"} output parameter type description status code number http status code of the response reason string response reason phrase event object output field event event id string unique identifier event org id string unique identifier event distribution string output field event distribution event info string output field event info event orgc id string unique identifier event uuid string unique identifier event date string date value event published boolean output field event published event analysis string output field event analysis event attribute count string count value event timestamp string output field event timestamp event sharing group id string unique identifier event proposal email lock boolean output field event proposal email lock event locked boolean output field event locked event threat level id string unique identifier event publish timestamp string output field event publish timestamp event sighting timestamp string output field event sighting timestamp event disable correlation boolean output field event disable correlation event extends uuid string unique identifier event event creator email string output field event event creator email event feed object output field event feed event feed id string unique identifier output example {"event" {"id" "12345678 1234 1234 1234 123456789abc","org id" "string","distribution" "string","info" "string","orgc id" "string","uuid" "12345678 1234 1234 1234 123456789abc","date" "2024 01 01t00 00 00z","published"\ true,"analysis" "string","attribute count" "string","timestamp" "2024 01 01t00 00 00z","sharing group id" "string","proposal email lock"\ true,"locked"\ true,"threat level id" "string"}} add event tag associates a tag with an event in misp using the event id, tag id, and locality parameter endpoint url events/addtag/{{eventid}}/{{tagid}}/local {{local}} method post input argument name type required description path parameters eventid string required parameters for the add event tag action path parameters tagid string required parameters for the add event tag action path parameters local number required parameters for the add event tag action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"path parameters" {"eventid" "string","tagid" "string","local" 1}} output parameter type description saved boolean output field saved success string whether the operation was successful check publish boolean output field check publish errors string error message if any output example {"saved"\ true,"success" "tag added ","check publish"\ true,"errors" "tag could not be added "} add tag to attribute associates a specified tag with an attribute in misp, requiring the attribute's id, tag's id, and locality endpoint url attributes/addtag/{{attributeid}}/{{tagid}}/local {{local}} method post input argument name type required description path parameters attributeid string required parameters for the add tag to attribute action path parameters tagid string required parameters for the add tag to attribute action path parameters local number required parameters for the add tag to attribute action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"path parameters" {"attributeid" "string","tagid" "string","local" 1}} output parameter type description saved boolean output field saved success string whether the operation was successful check publish boolean output field check publish errors string error message if any output example {"saved"\ true,"success" "tag added ","check publish"\ true,"errors" "tag could not be added "} delete attribute removes a specified attribute from misp using the provided attribute id, requiring path parameters and headers endpoint url attributes/delete/{{attributeid}} method delete input argument name type required description path parameters attributeid string required parameters for the delete attribute action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"path parameters" {"attributeid" "string"}} output parameter type description message string response message output example {"message" "attribute deleted "} delete event removes a specified event from misp using the event id provided in path parameters, with necessary headers endpoint url events/delete/{{eventid}} method delete input argument name type required description path parameters eventid string required parameters for the delete event action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"path parameters" {"eventid" "string"}} output parameter type description saved boolean output field saved success boolean whether the operation was successful name string name of the resource message string response message url string url endpoint for the request errors string error message if any output example {"saved"\ true,"success"\ true,"name" "event deleted ","message" "could not delete event","url" "/events/delete/1","errors" "event was not deleted "} edit attribute modify an existing attribute in misp using the specified attribute id and updated details provided in the request endpoint url attributes/edit/{{attributeid}} method put input argument name type required description path parameters attributeid string required parameters for the edit attribute action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request id string optional unique identifier event id string optional unique identifier object id string optional unique identifier object relation string optional parameter for edit attribute category string optional parameter for edit attribute type string optional type of the resource value string optional value for the parameter to ids boolean optional unique identifier uuid string optional unique identifier timestamp string optional parameter for edit attribute distribution string optional parameter for edit attribute sharing group id string optional unique identifier comment string optional parameter for edit attribute deleted boolean optional parameter for edit attribute disable correlation boolean optional parameter for edit attribute first seen string optional parameter for edit attribute last seen string optional parameter for edit attribute input example {"json body" {"id" "12345","event id" "12345","object id" "12345","object relation" "sensor","category" "internal reference","type" "md5","value" "127 0 0 1","to ids"\ true,"uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","timestamp" "1617875568","distribution" "0","sharing group id" "1","comment" "logged source ip","deleted"\ false,"disable correlation"\ false,"first seen" "1581984000000000","last seen" "1581984000000000"},"path parameters" {"attributeid" "string"}} output parameter type description attribute object output field attribute attribute id string unique identifier attribute event id string unique identifier attribute object id string unique identifier attribute object relation string output field attribute object relation attribute category string output field attribute category attribute type string type of the resource attribute value string value for the parameter attribute to ids boolean unique identifier attribute uuid string unique identifier attribute timestamp string output field attribute timestamp attribute distribution string output field attribute distribution attribute sharing group id string unique identifier attribute comment string output field attribute comment attribute deleted boolean output field attribute deleted attribute disable correlation boolean output field attribute disable correlation attribute first seen string output field attribute first seen attribute last seen string output field attribute last seen output example {"attribute" {"id" "12345","event id" "12345","object id" "12345","object relation" "sensor","category" "internal reference","type" "md5","value" "127 0 0 1","to ids"\ true,"uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","timestamp" "1617875568","distribution" "0","sharing group id" "1","comment" "logged source ip","deleted"\ false,"disable correlation"\ false}} get a filtered and paginated list of attributes retrieve a filtered and paginated list of attributes from misp, including specified request headers endpoint url attributes/restsearch method post input argument name type required description headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request page number optional parameter for get a filtered and paginated list of attributes limit number optional parameter for get a filtered and paginated list of attributes value string optional value for the parameter value1 string optional value for the parameter value2 string optional value for the parameter type string optional type of the resource category string optional parameter for get a filtered and paginated list of attributes org string optional parameter for get a filtered and paginated list of attributes tags array optional parameter for get a filtered and paginated list of attributes from string optional parameter for get a filtered and paginated list of attributes to string optional parameter for get a filtered and paginated list of attributes last number optional parameter for get a filtered and paginated list of attributes eventid string optional unique identifier withattachments boolean optional parameter for get a filtered and paginated list of attributes uuid string optional unique identifier publish timestamp string optional parameter for get a filtered and paginated list of attributes published boolean optional parameter for get a filtered and paginated list of attributes timestamp string optional parameter for get a filtered and paginated list of attributes attribute timestamp string optional parameter for get a filtered and paginated list of attributes enforcewarninglist boolean optional parameter for get a filtered and paginated list of attributes to ids boolean optional unique identifier deleted boolean optional parameter for get a filtered and paginated list of attributes input example {"json body" {"page" 0,"limit" 1,"value" "127 0 0 1","value1" "127 0 0 1","value2" "127 0 0 1","type" "md5","category" "internal reference","org" "12345","tags" \["tlp\ amber"],"from" "string","to" "string","last" 0,"eventid" "12345","withattachments"\ false,"uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","publish timestamp" "1617875568","published"\ false,"timestamp" "1617875568","attribute timestamp" "1617875568","enforcewarninglist"\ true,"to ids"\ true,"deleted"\ false,"event timestamp" "1617875568","threat level id" "1","eventinfo" "string","sharinggroup" \["1"],"decayingmodel" "string","score" "string","first seen" "string","last seen" "string","includeeventuuid"\ false,"includeeventtags"\ false,"includeproposals"\ false,"requested attributes" \["id"],"includecontext"\ true,"headerless"\ true,"includewarninglisthits"\ true,"attackgalaxy" "mitre attack","object relation" "filepath","includesightings"\ true,"includecorrelations"\ true,"modeloverrides" {"lifetime" 3,"decay speed" 2 3,"threshold" 30,"default base score" 80,"base score config" {"estimative language\ confidence in analytic judgment" 0 25,"estimative language\ likelihood probability" 0 25,"phishing\ psychological acceptability" 0 25,"phishing\ state" 0 2}},"includedecayscore"\ false,"includefullmodel"\ false,"excludedecayed"\ false,"returnformat" "json"}} output parameter type description response object output field response response attribute array output field response attribute response attribute id string unique identifier response attribute event id string unique identifier response attribute object id string unique identifier response attribute object relation string output field response attribute object relation response attribute category string output field response attribute category response attribute type string type of the resource response attribute value string value for the parameter response attribute to ids boolean unique identifier response attribute uuid string unique identifier response attribute timestamp string output field response attribute timestamp response attribute distribution string output field response attribute distribution response attribute sharing group id string unique identifier response attribute comment string output field response attribute comment response attribute deleted boolean output field response attribute deleted response attribute disable correlation boolean output field response attribute disable correlation response attribute first seen string output field response attribute first seen response attribute last seen string output field response attribute last seen response attribute data string response data response attribute event uuid string unique identifier response attribute decay score array score value response attribute decay score score number score value response attribute decay score base score number score value response attribute decay score decayed boolean output field response attribute decay score decayed output example {"response" {"attribute" \[{}]}} get a filtered and paginated list of objects retrieve a filtered and paginated list of objects from misp based on specified criteria in headers and json body endpoint url /objects/restsearch method post input argument name type required description headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request page number optional integer or null (pagesearchfilter) >= 1 limit number optional integer or null (limitsearchfilter) >= 0 quickfilter string optional search events by matching any tag names, event descriptions, attribute values or attribute comments (searchallrestsearchfilter) searchall string optional search events by matching any tag names, event descriptions, attribute values or attribute comments (searchallrestsearchfilter) timestamp string optional timestamp format is in ^\d+$ object name string optional object name to search for less than or equal to 131071 characters object template uuid string optional object template uuid to search for object template version string optional object template version to search for format is in ^\d+$ eventid string optional event id to search for format is in ^\d+$ less than or equal to 10 characters eventinfo string optional less than or equal to 65535 characters ignore boolean optional default is false if true matches both true and false values for to ids and published from string optional value is string or null (daterestsearchfilter) you can use any of the valid time related filters (examples are 7d, timestamps, \[14d, 7d] for ranges, etc ) to string optional value is string or null (daterestsearchfilter) you can use any of the valid time related filters (examples are 7d, timestamps, \[14d, 7d] for ranges, etc ) date string optional value is string or null (daterestsearchfilter) you can use any of the valid time related filters (examples are 7d, timestamps, \[14d, 7d] for ranges, etc ) tags array optional array of strings (tagrestsearchfilter) last number optional events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m), iso 8601 datetime format or timestamp (lastrestsearchfilter) event timestamp string optional event timestamp format is in ^\d+$ default is '0' publish timestamp string optional event timestamp format is in ^\d+$ default is '0' org string optional either organisation id or organisation name if organisation id is used, less than or equal to 10 characters if organisation name is used, less than or equal to 255 characters uuid string optional uuid to search for value string optional value to search for less than or equal to 131071 characters (attributevalue) type string optional type to search for less than or equal to 100 characters (attributetype) input example {"headers" {"accept" "application/json","content type" "application/json"}} output parameter type description status code number http status code of the response reason string response reason phrase response array output field response response object object output field response object response object id string unique identifier response object name string name of the resource response object meta category string output field response object meta category response object description string output field response object description response object template uuid string unique identifier response object template version string output field response object template version response object event id string unique identifier response object uuid string unique identifier response object timestamp string output field response object timestamp response object distribution string output field response object distribution response object sharing group id string unique identifier response object comment string output field response object comment response object deleted boolean output field response object deleted response object first seen string output field response object first seen response object last seen string output field response object last seen response object attribute array output field response object attribute response object attribute id string unique identifier response object attribute event id string unique identifier response object attribute object id string unique identifier response object attribute object relation string output field response object attribute object relation response object attribute category string output field response object attribute category output example {"response" \[{"object" {}}]} get attribute fetches a specific attribute from misp for threat analysis and intelligence, using provided headers endpoint url attributes method get input argument name type required description headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"headers" {"accept" "application/json","content type" "application/json"}} output example {"id" "12345","event id" "12345","object id" "12345","object relation" "sensor","category" "internal reference","type" "md5","value" "127 0 0 1","to ids"\ true,"uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","timestamp" "1617875568","distribution" "0","sharing group id" "1","comment" "logged source ip","deleted"\ false,"disable correlation"\ false} get attribute by id retrieve details for a specific attribute in misp by providing the unique attribute id endpoint url attributes/view/{{attributeid}} method get input argument name type required description path parameters attributeid string required parameters for the get attribute by id action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"path parameters" {"attributeid" "string"}} output parameter type description attribute object output field attribute attribute id string unique identifier attribute event id string unique identifier attribute object id string unique identifier attribute object relation string output field attribute object relation attribute category string output field attribute category attribute type string type of the resource attribute value string value for the parameter attribute to ids boolean unique identifier attribute uuid string unique identifier attribute timestamp string output field attribute timestamp attribute distribution string output field attribute distribution attribute sharing group id string unique identifier attribute comment string output field attribute comment attribute deleted boolean output field attribute deleted attribute disable correlation boolean output field attribute disable correlation attribute first seen string output field attribute first seen attribute last seen string output field attribute last seen output example {"attribute" {"id" "12345","event id" "12345","object id" "12345","object relation" "sensor","category" "internal reference","type" "md5","value" "127 0 0 1","to ids"\ true,"uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","timestamp" "1617875568","distribution" "0","sharing group id" "1","comment" "logged source ip","deleted"\ false,"disable correlation"\ false}} get count of attributes by category retrieve the count of misp attributes by category, using context and percentage as path parameters endpoint url attributes/attributestatistics/{{context}}/{{percentage}} method get input argument name type required description path parameters context string required parameters for the get count of attributes by category action path parameters percentage number required parameters for the get count of attributes by category action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"path parameters" {"context" "type","percentage" 1}} output example {"antivirus detection" "10"} get event by id retrieve detailed information for a specific event in misp by providing the unique event id endpoint url events/view/{{eventid}} method get input argument name type required description path parameters eventid string required parameters for the get event by id action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"path parameters" {"eventid" "string"}} output parameter type description event object output field event event id string unique identifier event org id string unique identifier event distribution string output field event distribution event info string output field event info event orgc id string unique identifier event uuid string unique identifier event date string date value event published boolean output field event published event analysis string output field event analysis event attribute count string count value event timestamp string output field event timestamp event sharing group id string unique identifier event proposal email lock boolean output field event proposal email lock event locked boolean output field event locked event threat level id string unique identifier event publish timestamp string output field event publish timestamp event sighting timestamp string output field event sighting timestamp event disable correlation boolean output field event disable correlation event extends uuid string unique identifier event event creator email string output field event event creator email event feed object output field event feed event feed id string unique identifier event feed name string name of the resource event feed provider string unique identifier output example {"event" {"id" "12345","org id" "12345","distribution" "0","info" "logged source ip","orgc id" "12345","uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","date" "1991 01 15","published"\ false,"analysis" "0","attribute count" "321","timestamp" "1617875568","sharing group id" "1","proposal email lock"\ true,"locked"\ true,"threat level id" "1"}} get events retrieves a list of threat intelligence events from misp using specified headers for an informed security overview endpoint url events method get input argument name type required description headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"headers" {"accept" "application/json","content type" "application/json"}} output example {"id" "12345","org id" "12345","distribution" "0","info" "logged source ip","orgc id" "12345","uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","date" "1991 01 15","published"\ false,"analysis" "0","attribute count" "321","timestamp" "1617875568","sharing group id" "1","proposal email lock"\ true,"locked"\ true,"threat level id" "1"} get list of attribute types retrieves a list of available attribute types from misp, with authentication headers required endpoint url attributes/describetypes method get input argument name type required description headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"headers" {"accept" "application/json","content type" "application/json"}} output parameter type description sane defaults object output field sane defaults sane defaults md5 object output field sane defaults md5 sane defaults md5 default category string output field sane defaults md5 default category sane defaults md5 to ids number unique identifier sane defaults pdb object output field sane defaults pdb sane defaults pdb default category string output field sane defaults pdb default category sane defaults pdb to ids number unique identifier types array type of the resource categories array output field categories category type mappings object type of the resource category type mappings internal reference array type of the resource category type mappings antivirus detection array type of the resource output example {"sane defaults" {"md5" {"default category" "payload delivery","to ids" 1},"pdb" {"default category" "artifacts dropped","to ids" 0}},"types" \["md5"],"categories" \["internal reference"],"category type mappings" {"internal reference" \["text","link","comment"],"antivirus detection" \["link","comment","text"]}} publish event publishes a specified event in misp using the provided eventid, requiring headers and path parameters endpoint url events/publish/{{eventid}} method post input argument name type required description path parameters eventid string required parameters for the publish event action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"path parameters" {"eventid" "string"}} output parameter type description name string name of the resource message string response message url string url endpoint for the request id string unique identifier output example {"name" "publish","message" "job queued","url" "https //misp local/events/alert/1","id" "string"} remove event tag removes a specified tag from an event in misp using the provided event and tag ids, requiring headers and path parameters endpoint url events/removetag/{{eventid}}/{{tagid}} method post input argument name type required description path parameters eventid string required parameters for the remove event tag action path parameters tagid string required parameters for the remove event tag action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"path parameters" {"eventid" "string","tagid" "string"}} output parameter type description saved boolean output field saved success string whether the operation was successful check publish boolean output field check publish errors string error message if any output example {"saved"\ true,"success" "tag removed ","check publish"\ true,"errors" "tag could not be added "} remove tag from attribute removes a specified tag from an attribute in misp by utilizing the provided attributeid and tagid endpoint url attributes/removetag/{{attributeid}}/{{tagid}} method post input argument name type required description path parameters attributeid string required parameters for the remove tag from attribute action path parameters tagid string required parameters for the remove tag from attribute action headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request input example {"path parameters" {"attributeid" "string","tagid" "string"}} output parameter type description saved boolean output field saved success string whether the operation was successful check publish boolean output field check publish errors string error message if any output example {"saved"\ true,"success" "tag removed ","check publish"\ true,"errors" "tag could not be added "} search events performs a search for events in misp using specified headers to quickly locate relevant event data endpoint url events/index method post input argument name type required description headers object required http headers for the request headers accept string required http headers for the request headers content type string required http headers for the request page number optional parameter for search events limit number optional parameter for search events sort string optional parameter for search events direction string optional parameter for search events minimal boolean optional parameter for search events attribute string optional parameter for search events eventid string optional unique identifier datefrom string optional parameter for search events dateuntil string optional parameter for search events org string optional parameter for search events eventinfo string optional parameter for search events tag string optional parameter for search events tags array optional parameter for search events distribution string optional parameter for search events sharinggroup string optional parameter for search events analysis string optional parameter for search events threatlevel string optional parameter for search events email string optional parameter for search events hasproposal string optional parameter for search events timestamp string optional parameter for search events publish timestamp string optional parameter for search events searchdatefrom string optional parameter for search events input example {"json body" {"page" 0,"limit" 1,"sort" "timestamp","direction" "asc","minimal"\ false,"attribute" "covert channel","eventid" "12345","datefrom" "2021 03 05","dateuntil" "2021 03 05","org" "circl","eventinfo" "phishing campaing","tag" "tlp\ white","tags" \["tlp\ amber","cycat\ scope=\\"exploit\\""],"distribution" "0","sharinggroup" "1","analysis" "0","threatlevel" "1","email" "admin\@admin test","hasproposal" "1","timestamp" "1","publish timestamp" "1","searchdatefrom" "2020 01 20","searchdateuntil" "2020 01 20"}} output example {"id" "12345","org id" "12345","distribution" "0","info" "logged source ip","orgc id" "12345","uuid" "c99506a6 1255 4b71 afa5 7b8ba48c3b1b","date" "1991 01 15","published"\ false,"analysis" "0","attribute count" "321","timestamp" "1617875568","sharing group id" "1","proposal email lock"\ true,"locked"\ true,"threat level id" "1"} response headers header description example content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt