Search Events
Description

Performs a search for events in MISP, using the specified headers and the filter fields in the JSON body, to quickly locate relevant event data.

Endpoint

URL: events/index
Method: POST

Inputs

JSON body (object)
- page (number)
- limit (number)
- sort (string)
- direction (string)
- minimal (boolean)
- attribute (string)
- eventid (string)
- datefrom (string)
- dateuntil (string)
- org (string)
- eventinfo (string)
- tag (string)
- tags (array)
- distribution (string)
- sharinggroup (string)
- analysis (string)
- threatlevel (string)
- email (string)
- hasproposal (string)
- timestamp (string)
- publish_timestamp (string)
- searchdatefrom (string)
- searchdateuntil (string)

headers (object) – required
- accept (string) – required
- content-type (string) – required

Output example

```json
[
  [
    {
      "id": "12345",
      "org_id": "12345",
      "distribution": "0",
      "info": "logged source ip",
      "orgc_id": "12345",
      "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
      "date": "1991-01-15",
      "published": false,
      "analysis": "0",
      "attribute_count": "321",
      "timestamp": "1617875568",
      "sharing_group_id": "1",
      "proposal_email_lock": true,
      "locked": true,
      "threat_level_id": "1",
      "publish_timestamp": "1617875568",
      "sighting_timestamp": "1617875568",
      "disable_correlation": false,
      "extends_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
      "event_creator_email": "user@example.com",
      "feed": {
        "id": "3",
        "name": "circl osint feed",
        "provider": "circl",
        "url": "https://www.circl.lu/doc/misp/feed-osint",
        "rules": "{\"tags\":{\"or\":[],\"not\":[]},\"orgs\":{\"or\":[],\"not\":[]},\"url_params\":\"\"}",
        "enabled": true,
        "distribution": "0",
        "sharing_group_id": "1",
        "tag_id": "12345",
        "default": true,
        "source_format": "1",
        "fixed_event": true,
        "delta_merge": true,
        "event_id": "12345",
        "publish": false,
        "override_ids": true,
        "settings": "{\"csv\":{\"value\":\"\",\"delimiter\":\"\"},\"common\":{\"excluderegex\":\"\"},\"disable_correlation\":\"1\"}",
        "input_source": "local",
        "delete_local_file": true,
        "lookup_visible": true,
        "headers": "x-custom-header-a: foo\nx-custom-header-b: bar\n",
        "caching_enabled": true,
        "force_to_ids": true,
        "orgc_id": "12345",
        "cache_timestamp": "1617875568"
      },
      "org": {
        "id": "12345",
        "name": "orgname",
        "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b"
      },
      "orgc": {
        "id": "12345",
        "name": "orgname",
        "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b"
      },
      "attribute": [
        {
          "id": "12345",
          "event_id": "12345",
          "object_id": "12345",
          "object_relation": "sensor",
          "category": "internal reference",
          "type": "md5",
          "value": "127.0.0.1",
          "to_ids": true,
          "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
          "timestamp": "1617875568",
          "distribution": "0",
          "sharing_group_id": "1",
          "comment": "logged source ip",
          "deleted": false,
          "disable_correlation": false,
          "first_seen": "1581984000000000",
          "last_seen": "1581984000000000"
        }
      ],
      "shadowattribute": [
        {
          "id": "12345",
          "event_id": "12345",
          "object_id": "12345",
          "object_relation": "sensor",
          "category": "internal reference",
          "type": "md5",
          "value": "127.0.0.1",
          "to_ids": true,
          "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
          "timestamp": "1617875568",
          "distribution": "0",
          "sharing_group_id": "1",
          "comment": "logged source ip",
          "deleted": false,
          "disable_correlation": false,
          "first_seen": "1581984000000000",
          "last_seen": "1581984000000000"
        }
      ],
      "relatedevent": [
        {}
      ],
      "galaxy": [
        {
          "id": "12345",
          "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
          "name": "ransomware",
          "type": "ransomware",
          "description": "ransomware galaxy based on ",
          "version": "1",
          "icon": "globe",
          "namespace": "misp",
          "kill_chain_order": {
            "fraud-tactics": [
              "initiation",
              "target compromise",
              "perform fraud",
              "obtain fraudulent assets",
              "assets transfer",
              "monetisation"
            ]
          }
        }
      ],
      "object": [
        {
          "id": "12345",
          "name": "ail-leak",
          "meta-category": "string",
          "description": "string",
          "template_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
          "template_version": "1",
          "event_id": "12345",
          "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
          "timestamp": "1617875568",
          "distribution": "0",
          "sharing_group_id": "1",
          "comment": "string",
          "deleted": true,
          "first_seen": "1581984000000000",
          "last_seen": "1581984000000000",
          "attribute": [
            {
              "id": "12345",
              "event_id": "12345",
              "object_id": "12345",
              "object_relation": "sensor",
              "category": "internal reference",
              "type": "md5",
              "value": "127.0.0.1",
              "to_ids": true,
              "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
              "timestamp": "1617875568",
              "distribution": "0",
              "sharing_group_id": "1",
              "comment": "logged source ip",
              "deleted": false,
              "disable_correlation": false,
              "first_seen": "1581984000000000",
              "last_seen": "1581984000000000"
            }
          ]
        }
      ],
      "eventreport": [
        {}
      ],
      "tag": [
        {
          "id": "12345",
          "name": "tlp:white",
          "colour": "#ffffff",
          "exportable": true,
          "org_id": "12345",
          "user_id": "12345",
          "hide_tag": false,
          "numerical_value": "12345",
          "is_galaxy": true,
          "is_custom_galaxy": true,
          "inherited": 1
        }
      ]
    }
  ]
]
```

As the example shows, a result can carry the event creator's email address and a feed's custom request headers, so treat the action output as sensitive and limit where it is logged or forwarded.