Search Attributes
Returns a list of attributes.
External Documentation
To learn more, visit the MISP documentation.
Basic Parameters
Parameter | Description |
---|---|
Deleted | Whether to include soft-deleted attributes. If set to True, only deleted attributes will be returned. |
Event Info | Quick event description. |
Published | Whether the attribute was published. |
UUID | The UUID of the attribute. |
Value 1 | Search attribute by value. |
Advanced Parameters
Parameter | Description |
---|---|
Attack Galaxy | The attack galaxy. |
Attribute Timestamp | The timestamp of the attribute. |
Category | The category of the attribute. |
Decaying Model | Specify the decaying model from which the decaying score should be calculated. |
Enforce Warning List | Whether the warning list should be enforced. Adds a blocked field for matching attributes. |
Event ID | The unique identifier of an event. |
Event Timestamp | The timestamp of the event. |
Exclude Decayed | Whether decayed elements should be excluded. |
First Seen | First seen within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). |
From | Get the attributes starting from this time. Note: You can use time-related filters. Examples: 7d, timestamps, [14d, 7d] (for ranges). |
Headerless | Removes header in the CSV export. |
Include Context | Adds events context fields in the CSV export. |
Include Correlations | Includes correlations. |
Include Decay Score | Include all enabled decaying scores. |
Include Event Tags | Include tags of matching events in the response. |
Include Event UUID | Include matching eventUuids in the response. |
Include Full Model | Include all model information of matching events in the response. |
Include Proposals | Include proposals of matching events in the response. |
Include Sightings | Extend response with Sightings DB results if the module is enabled. |
Include Warninglist Hits | Includes the warning list hits. |
Last | Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m), ISO 8601 datetime format or timestamp. |
Last Seen | Last seen within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). |
Limit | Limit the number of pages shown. |
Model Overrides | The model overrides. Example: `{"lifetime": 3, "decay_speed": 2.3, "threshold": 30, "default_base_score": 80, "base_score_config": {"estimative-language:confidence-in-analytic-judgment": 0.25, "estimative-language:likelihood-probability": 0.25, "phishing:psychological-acceptability": 0.25, "phishing:state": 0.2}}` |
Object Relation | Filter by the attribute object relation value. |
Organization ID | The unique identifier of the organization. |
Page | The page number. |
Publish Timestamp | The timestamp of publish. |
Requested Attributes | List of properties that will be selected in the CSV export. |
Score | An alias to override the threshold of the decaying model on the fly. |
Sharing Group | Sharing group ID(s), either as a single string or a list of IDs. |
Tags | Search by the tags of the attributes. |
Threat Level ID | - |
Timestamp | The timestamp. |
To | Get the attributes until this time. Note: You can use time-related filters. Examples: 7d, timestamps, [14d, 7d] (for ranges). |
To IDs | To IDs. |
Type | The type of attribute. Visit https://www.misp-project.org/openapi/#tag/Attributes/operation/restSearchAttributes under the parameter type for the full list of types. |
Value 2 | Search attribute by value. |
Value 3 | Search attribute by value. |
With Attachments | Extends the response with the base64 representation of the attachment, if there is one. |
Example Output
{
  "response": {
    "Attribute": [
      {
        "id": "12345",
        "event_id": "12345",
        "object_id": "12345",
        "object_relation": "sensor",
        "category": "Internal reference",
        "type": "md5",
        "value": "127.0.0.1",
        "to_ids": true,
        "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
        "timestamp": "1617875568",
        "distribution": "0",
        "sharing_group_id": "1",
        "comment": "logged source ip",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": "1581984000000000",
        "last_seen": "1581984000000000",
        "data": "string",
        "event_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
        "decay_score": [
          {
            "score": 10.5,
            "base_score": 80,
            "decayed": true,
            "DecayingModel": {
              "id": "12345",
              "name": "Phishing model"
            }
          }
        ],
        "Event": {
          "id": "12345",
          "org_id": "12345",
          "distribution": "0",
          "info": "logged source ip",
          "orgc_id": "12345",
          "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
          "date": "1991-01-15",
          "published": false,
          "analysis": "0",
          "attribute_count": "321",
          "timestamp": "1617875568",
          "sharing_group_id": "1",
          "proposal_email_lock": true,
          "locked": true,
          "threat_level_id": "1",
          "publish_timestamp": "1617875568",
          "sighting_timestamp": "1617875568",
          "disable_correlation": false,
          "extends_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
          "event_creator_email": "user@example.com"
        },
        "Object": {
          "id": "12345",
          "name": "ail-leak",
          "meta-category": "string",
          "description": "string",
          "template_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
          "template_version": "1",
          "event_id": "12345",
          "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
          "timestamp": "1617875568",
          "distribution": "0",
          "sharing_group_id": "1",
          "comment": "string",
          "deleted": true,
          "first_seen": "1581984000000000",
          "last_seen": "1581984000000000",
          "Attribute": [
            {
              "id": "12345",
              "event_id": "12345",
              "object_id": "12345",
              "object_relation": "sensor",
              "category": "Internal reference",
              "type": "md5",
              "value": "127.0.0.1",
              "to_ids": true,
              "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
              "timestamp": "1617875568",
              "distribution": "0",
              "sharing_group_id": "1",
              "comment": "logged source ip",
              "deleted": false,
              "disable_correlation": false,
              "first_seen": "1581984000000000",
              "last_seen": "1581984000000000"
            }
          ]
        },
        "Tag": [
          {
            "id": "12345",
            "name": "tlp:white",
            "colour": "#ffffff",
            "exportable": true,
            "org_id": "12345",
            "user_id": "12345",
            "hide_tag": false,
            "numerical_value": "12345",
            "is_galaxy": true,
            "is_custom_galaxy": true,
            "inherited": 1
          }
        ]
      }
    ]
  }
}
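Before returned attributes are pushed to detection tooling, a consumer typically filters them on the `deleted`, `to_ids` and `decay_score` fields shown above. The Python below is an added example, not part of the original page or of MISP; it assumes the response shape from the example output, and the triage rules, function names and sample data are constructed for illustration.

```python
import re

# Expected hex-digest lengths for the hash attribute types checked here.
HASH_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

def value_matches_type(attr):
    """False when a hash-typed attribute's value is not a hex digest of the right length."""
    want = HASH_HEX_LEN.get(attr.get("type"))
    if want is None:
        return True  # other types are not validated in this example
    return re.fullmatch(r"[0-9a-fA-F]{%d}" % want, str(attr.get("value", ""))) is not None

def is_decayed(attr):
    """True if any decaying model attached to the attribute marks it as decayed."""
    return any(entry.get("decayed") for entry in attr.get("decay_score") or [])

def triage(result):
    """Split response.Attribute into (actionable, rejected); rejected holds (uuid, reason)."""
    actionable, rejected = [], []
    for attr in result.get("response", {}).get("Attribute", []):
        if attr.get("deleted"):
            reason = "soft-deleted"
        elif not attr.get("to_ids"):
            reason = "to_ids is false"
        elif is_decayed(attr):
            reason = "decayed"
        elif not value_matches_type(attr):
            reason = "value does not match type"
        else:
            actionable.append(attr)
            continue
        rejected.append((attr.get("uuid"), reason))
    return actionable, rejected

# Constructed sample in the shape of the example output (not real data).
SAMPLE = {"response": {"Attribute": [
    {"uuid": "a-1", "type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
     "to_ids": True, "deleted": False},
    {"uuid": "a-2", "type": "md5", "value": "127.0.0.1", "to_ids": True, "deleted": False},
    {"uuid": "a-3", "type": "ip-src", "value": "192.0.2.10", "to_ids": True, "deleted": False,
     "decay_score": [{"score": 10.5, "base_score": 80, "decayed": True}]},
    {"uuid": "a-4", "type": "ip-src", "value": "192.0.2.11", "to_ids": False, "deleted": False},
]}}

if __name__ == "__main__":
    ok, bad = triage(SAMPLE)
    print([a["uuid"] for a in ok], bad)
```

The second sample entry mirrors the placeholder pairing in the example output (type `md5` with value `127.0.0.1`), which the type check rejects.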
Workflow Library Example
Search Attributes with Misp and Send Results Via Email