To learn more, visit the MISP documentation.

Basic Parameters

ParameterDescription
DeletedWhether to include soft-deleted attributes. If set to True, only deleted attributes will be returned.
Event InfoQuick event description.
PublishedWas the attribute published.
UUIDThe uuid of the attribute.
Value 1Search attribute by value.

Advanced Parameters

ParameterDescription
Attack GalaxyThe attack galaxy.
Attribute TimestampThe timestamp of the attribute.
CategoryThe category of the attribute.
Decaying ModelSpecify the decaying model from which the decaying score should be calculated.
Enforce Warning ListShould the warning list be enforced. Adds blocked field for matching attributes.
Event IDThe unique identifier of an event.
Event TimestampThe timestamp of the event.
Exclude DecayedShould the decayed elements by excluded.
First SeenFirst seen within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m).
FromGet the attributes starting from this time.Note : You can use time related filters.Examples: 7d, timestamps, [14d, 7d](For ranges)
HeaderlessRemoves header in the CSV export.
Include ContextAdds events context fields in the CSV export.
Include CorrelationsIncludes correlations.
Include Decay ScoreInclude all enabled decaying score.
Include Event TagsInclude tags of matching events in the response.
Include Event UUIDInclude matching eventUuids in the response.
Include Full ModelInclude all model information of matching events in the response.
Include ProposalsInclude proposals of matching events in the response.
Include SightingsExtend response with Sightings DB results if the module is enabled.
Include Warninglist HitsIncludes the warning lists hits.
LastEvents published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m), ISO 8601 datetime format or timestamp.
Last SeenLast seen within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m).
LimitLimit the amount of pages shown.
Model OverridesThe model overrides.Example:{ "lifetime": 3, "decay_speed": 2.3, "threshold": 30, "default_base_score": 80, "base_score_config": { "estimative-language:confidence-in-analytic-judgment": 0.25, "estimative-language:likelihood-probability": 0.25, "phishing:psychological-acceptability": 0.25, "phishing:state": 0.2 }}
Object RelationFilter by the attribute object relation value.
Organization IDThe unique identifier of the organization.
PageThe page number.
Publish TimestampThe timestamp of publish.
Requested AttributesList of properties that will be selected in the CSV export.
ScoreAn alias to override on-the-fly the threshold of the decaying model.
Sharing GroupSharing group ID(s), either as single string or list of IDs.
TagsSearch by the tags of the attributes.
Threat Level ID-
TimestampThe timestamp.
ToGet the attributes until this time.Note : You can use time related filters.Examples: 7d, timestamps, [14d, 7d](For ranges)
To IDsTo IDs.
TypeThe type of attribute.Visit https://www.misp-project.org/openapi/#tag/Attributes/operation/restSearchAttributes under the parameter typefor the full list of types.
Value 2Search attribute by value.
Value 3Search attribute by value.
With AttachmentsExtends the response with the base64 representation of the attachment, if there is one.

Example Output

{    "response": {        "Attribute": [            {                "id": "12345",                "event_id": "12345",                "object_id": "12345",                "object_relation": "sensor",                "category": "Internal reference",                "type": "md5",                "value": "127.0.0.1",                "to_ids": true,                "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",                "timestamp": "1617875568",                "distribution": "0",                "sharing_group_id": "1",                "comment": "logged source ip",                "deleted": false,                "disable_correlation": false,                "first_seen": "1581984000000000",                "last_seen": "1581984000000000",                "data": "string",                "event_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",                "decay_score": [                    {                        "score": 10.5,                        "base_score": 80,                        "decayed": true,                        "DecayingModel": {                            "id": "12345",                            "name": "Phishing model"                        }                    }                ],                "Event": {                    "id": "12345",                    "org_id": "12345",                    "distribution": "0",                    "info": "logged source ip",                    "orgc_id": "12345",                    "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",                    "date": "1991-01-15",                    "published": false,                    "analysis": "0",                    "attribute_count": "321",                    "timestamp": "1617875568",                    "sharing_group_id": "1",                    "proposal_email_lock": true,                    "locked": true,                    "threat_level_id": "1",                    "publish_timestamp": "1617875568",                    "sighting_timestamp": "1617875568",                    "disable_correlation": false,                    "extends_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",                    "event_creator_email": "user@example.com"                },                "Object": {                    "id": "12345",                    "name": "ail-leak",                    "meta-category": "string",                    "description": "string",                    "template_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",                    "template_version": "1",                    "event_id": "12345",                    "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",                    "timestamp": "1617875568",                    "distribution": "0",                    "sharing_group_id": "1",                    "comment": "string",                    "deleted": true,                    "first_seen": "1581984000000000",                    "last_seen": "1581984000000000",                    "Attribute": [                        {                            "id": "12345",                            "event_id": "12345",                            "object_id": "12345",                            "object_relation": "sensor",                            "category": "Internal reference",                            "type": "md5",                            "value": "127.0.0.1",                            "to_ids": true,                            "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",                            "timestamp": "1617875568",                            "distribution": "0",                            "sharing_group_id": "1",                            "comment": "logged source ip",                            "deleted": false,                            "disable_correlation": false,                            "first_seen": "1581984000000000",                            "last_seen": "1581984000000000"                        }                    ]                },                "Tag": [                    {                        "id": "12345",                        "name": "tlp:white",                        "colour": "#ffffff",                        "exportable": true,                        "org_id": "12345",                        "user_id": "12345",                        "hide_tag": false,                        "numerical_value": "12345",                        "is_galaxy": true,                        "is_custom_galaxy": true,                        "inherited": 1                    }                ]            }        ]    }}

Workflow Library Example

Search Attributes with Misp and Send Results Via Email

Preview this Workflow on desktop

Was this page helpful?

MISP Custom ActionSearch Events