Search Attributes
Returns a list of attributes.
External Documentation
To learn more, visit the MISP documentation.
Basic Parameters
Parameter | Description |
---|---|
Deleted | Whether to include soft-deleted attributes. If set to True , only deleted attributes will be returned. |
Event Info | Quick event description. |
Published | Was the attribute published. |
UUID | The uuid of the attribute. |
Value 1 | Search attribute by value. |
Advanced Parameters
Parameter | Description |
---|---|
Attack Galaxy | The attack galaxy. |
Attribute Timestamp | The timestamp of the attribute. |
Category | The category of the attribute. |
Decaying Model | Specify the decaying model from which the decaying score should be calculated. |
Enforce Warning List | Should the warning list be enforced. Adds blocked field for matching attributes. |
Event ID | The unique identifier of an event. |
Event Timestamp | The timestamp of the event. |
Exclude Decayed | Should the decayed elements by excluded. |
First Seen | First seen within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). |
From | Get the attributes starting from this time.Note : You can use time related filters.Examples: 7d , timestamps, [14d, 7d] (For ranges) |
Headerless | Removes header in the CSV export. |
Include Context | Adds events context fields in the CSV export. |
Include Correlations | Includes correlations. |
Include Decay Score | Include all enabled decaying score. |
Include Event Tags | Include tags of matching events in the response. |
Include Event UUID | Include matching eventUuids in the response. |
Include Full Model | Include all model information of matching events in the response. |
Include Proposals | Include proposals of matching events in the response. |
Include Sightings | Extend response with Sightings DB results if the module is enabled. |
Include Warninglist Hits | Includes the warning lists hits. |
Last | Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m), ISO 8601 datetime format or timestamp. |
Last Seen | Last seen within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). |
Limit | Limit the amount of pages shown. |
Model Overrides | The model overrides.Example:
|
Object Relation | Filter by the attribute object relation value. |
Organization ID | The unique identifier of the organization. |
Page | The page number. |
Publish Timestamp | The timestamp of publish. |
Requested Attributes | List of properties that will be selected in the CSV export. |
Score | An alias to override on-the-fly the threshold of the decaying model. |
Sharing Group | Sharing group ID(s), either as single string or list of IDs. |
Tags | Search by the tags of the attributes. |
Threat Level ID | - |
Timestamp | The timestamp. |
To | Get the attributes until this time.Note : You can use time related filters.Examples: 7d , timestamps, [14d, 7d] (For ranges) |
To IDs | To IDs. |
Type | The type of attribute.Visit https://www.misp-project.org/openapi/#tag/Attributes/operation/restSearchAttributes under the parameter type for the full list of types. |
Value 2 | Search attribute by value. |
Value 3 | Search attribute by value. |
With Attachments | Extends the response with the base64 representation of the attachment, if there is one. |
Example Output
{
"response": {
"Attribute": [
{
"id": "12345",
"event_id": "12345",
"object_id": "12345",
"object_relation": "sensor",
"category": "Internal reference",
"type": "md5",
"value": "127.0.0.1",
"to_ids": true,
"uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"timestamp": "1617875568",
"distribution": "0",
"sharing_group_id": "1",
"comment": "logged source ip",
"deleted": false,
"disable_correlation": false,
"first_seen": "1581984000000000",
"last_seen": "1581984000000000",
"data": "string",
"event_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"decay_score": [
{
"score": 10.5,
"base_score": 80,
"decayed": true,
"DecayingModel": {
"id": "12345",
"name": "Phishing model"
}
}
],
"Event": {
"id": "12345",
"org_id": "12345",
"distribution": "0",
"info": "logged source ip",
"orgc_id": "12345",
"uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"date": "1991-01-15",
"published": false,
"analysis": "0",
"attribute_count": "321",
"timestamp": "1617875568",
"sharing_group_id": "1",
"proposal_email_lock": true,
"locked": true,
"threat_level_id": "1",
"publish_timestamp": "1617875568",
"sighting_timestamp": "1617875568",
"disable_correlation": false,
"extends_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"event_creator_email": "user@example.com"
},
"Object": {
"id": "12345",
"name": "ail-leak",
"meta-category": "string",
"description": "string",
"template_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"template_version": "1",
"event_id": "12345",
"uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"timestamp": "1617875568",
"distribution": "0",
"sharing_group_id": "1",
"comment": "string",
"deleted": true,
"first_seen": "1581984000000000",
"last_seen": "1581984000000000",
"Attribute": [
{
"id": "12345",
"event_id": "12345",
"object_id": "12345",
"object_relation": "sensor",
"category": "Internal reference",
"type": "md5",
"value": "127.0.0.1",
"to_ids": true,
"uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"timestamp": "1617875568",
"distribution": "0",
"sharing_group_id": "1",
"comment": "logged source ip",
"deleted": false,
"disable_correlation": false,
"first_seen": "1581984000000000",
"last_seen": "1581984000000000"
}
]
},
"Tag": [
{
"id": "12345",
"name": "tlp:white",
"colour": "#ffffff",
"exportable": true,
"org_id": "12345",
"user_id": "12345",
"hide_tag": false,
"numerical_value": "12345",
"is_galaxy": true,
"is_custom_galaxy": true,
"inherited": 1
}
]
}
]
}
}
Workflow Library Example
Search Attributes with Misp and Send Results Via Email
Preview this Workflow on desktop