Skip to main content

Search Events

Search events.

External Documentation

To learn more, visit the MISP documentation.

Basic Parameters

ParameterDescription
AttributeFilter events matching the given string with attributes values.
DirectionDirection of the sort.
EmailFilter events by matching the event creator user email.
Event IDThe ID of the event. Must be equal or under 10 characters.
MinimalReturns a minimal version of the event.Note: only events with attributeCount > 0 will be returned.
OrganisationFilter events by matching the creator organisation name.
SortField to be used to sort the result.
Threat LevelRepresents the threat level.

Advanced Parameters

ParameterDescription
Analysis StateRepresents the threat level.
DistributionWho will be able to see this event once it becomes published and eventually when it becomes pulled.
Event InfoFilter events by matching the event info text.
From DateReturns events that in which creation date is greater or equal.
Has ProposalFilter events by checking if it has attributes with change proposals.
LimitLimit search filter. Must be greater or equal to 0.
PagePage number. Must be greater or equal to 1.
Search Date FromFilter attributes in which creation date is greater or equal.
Search Date Until.Filter attributes that in which creation date is less or equal.
Sharing Group IDThe sharing group of the events. Must be equal or under 10 characters.
Start Publish TimestampEvent publish timestamp greater or equal.
Start TimestampEvent timestamp greater or equal.
TagThe tag of the events. Must be equal or under 255 characters.
TagsFilter events by matching any of the event tags of a given list of tag names.
Until dateReturns events that in which creation date is less or equal.

Example Output

[
{
"id": "12345",
"org_id": "12345",
"distribution": "0",
"info": "logged source ip",
"orgc_id": "12345",
"uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"date": "1991-01-15",
"published": false,
"analysis": "0",
"attribute_count": "321",
"timestamp": "1617875568",
"sharing_group_id": "1",
"proposal_email_lock": true,
"locked": true,
"threat_level_id": "1",
"publish_timestamp": "1617875568",
"sighting_timestamp": "1617875568",
"disable_correlation": false,
"extends_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"event_creator_email": "user@example.com",
"Feed": {
"id": "3",
"name": "CIRCL OSINT Feed",
"provider": "CIRCL",
"url": "https://www.circl.lu/doc/misp/feed-osint",
"rules": "{\"tags\":{\"OR\":[],\"NOT\":[]},\"orgs\":{\"OR\":[],\"NOT\":[]},\"url_params\":\"\"}",
"enabled": true,
"distribution": "0",
"sharing_group_id": "1",
"tag_id": "12345",
"default": true,
"source_format": "1",
"fixed_event": true,
"delta_merge": true,
"event_id": "12345",
"publish": false,
"override_ids": true,
"settings": "{\"csv\":{\"value\":\"\",\"delimiter\":\"\"},\"common\":{\"excluderegex\":\"\"},\"disable_correlation\":\"1\"}",
"input_source": "local",
"delete_local_file": true,
"lookup_visible": true,
"headers": "X-Custom-Header-A: Foo\nX-Custom-Header-B: Bar\n",
"caching_enabled": true,
"force_to_ids": true,
"orgc_id": "12345",
"cache_timestamp": "1617875568"
},
"Org": {
"id": "12345",
"name": "ORGNAME",
"uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b"
},
"Orgc": {
"id": "12345",
"name": "ORGNAME",
"uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b"
},
"Attribute": [
{
"id": "12345",
"event_id": "12345",
"object_id": "12345",
"object_relation": "sensor",
"category": "Internal reference",
"type": "md5",
"value": "127.0.0.1",
"to_ids": true,
"uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"timestamp": "1617875568",
"distribution": "0",
"sharing_group_id": "1",
"comment": "logged source ip",
"deleted": false,
"disable_correlation": false,
"first_seen": "1581984000000000",
"last_seen": "1581984000000000"
}
],
"ShadowAttribute": [
{
"id": "12345",
"event_id": "12345",
"object_id": "12345",
"object_relation": "sensor",
"category": "Internal reference",
"type": "md5",
"value": "127.0.0.1",
"to_ids": true,
"uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"timestamp": "1617875568",
"distribution": "0",
"sharing_group_id": "1",
"comment": "logged source ip",
"deleted": false,
"disable_correlation": false,
"first_seen": "1581984000000000",
"last_seen": "1581984000000000"
}
],
"RelatedEvent": [
{}
],
"Galaxy": [
{
"id": "12345",
"uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"name": "Ransomware",
"type": "ransomware",
"description": "Ransomware galaxy based on ...",
"version": "1",
"icon": "globe",
"namespace": "misp",
"kill_chain_order": {
"fraud-tactics": [
"Initiation",
"Target Compromise",
"Perform Fraud",
"Obtain Fraudulent Assets",
"Assets Transfer",
"Monetisation"
]
}
}
],
"Object": [
{
"id": "12345",
"name": "ail-leak",
"meta-category": "string",
"description": "string",
"template_uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"template_version": "1",
"event_id": "12345",
"uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"timestamp": "1617875568",
"distribution": "0",
"sharing_group_id": "1",
"comment": "string",
"deleted": true,
"first_seen": "1581984000000000",
"last_seen": "1581984000000000",
"Attribute": [
{
"id": "12345",
"event_id": "12345",
"object_id": "12345",
"object_relation": "sensor",
"category": "Internal reference",
"type": "md5",
"value": "127.0.0.1",
"to_ids": true,
"uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"timestamp": "1617875568",
"distribution": "0",
"sharing_group_id": "1",
"comment": "logged source ip",
"deleted": false,
"disable_correlation": false,
"first_seen": "1581984000000000",
"last_seen": "1581984000000000"
}
]
}
],
"EventReport": [
{
"id": "12345",
"uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
"event_id": "12345",
"name": "Report of the incident",
"content": "string",
"distribution": "0",
"sharing_group_id": "1",
"timestamp": "1617875568",
"deleted": false
}
],
"Tag": [
{
"id": "12345",
"name": "tlp:white",
"colour": "#ffffff",
"exportable": true,
"org_id": "12345",
"user_id": "12345",
"hide_tag": false,
"numerical_value": "12345",
"is_galaxy": true,
"is_custom_galaxy": true,
"inherited": 1
}
]
}
]

Workflow Library Example

Search Events with Misp and Send Results Via Email

Workflow LibraryPreview this Workflow on desktop