here.', $baseurl . '/servers/openapi');?>

REST client to test your API queries against your MISP and export the resulting tuned queries as curl or python scripts.');?> here.');?>

%s. You can %s this key.', $me['authkey'], $this->Form->postLink( __('reset'), array('controller' => 'users', 'action' => 'resetauthkey', 'me'), array('div' => false) ) ); } else { echo __( 'You can view and manage your API keys under your profile, found %s', sprintf( '%s', $baseurl, __('here') ) ); } ?> __('Search'), 'description' => array( __('It is possible to search the database for attributes based on a list of criteria.'), __('To return an event or a list of events in a desired format, use the following syntax'), __('Whilst a list of parameters is provided below, it isn\'t necessarily exhaustive, specific export formats could have additional parameters.') ), 'parameters' => array( "returnFormat" => __('Set the return format of the search (Currently supported: json, xml, openioc, suricata, snort - more formats are being moved to restSearch with the goal being that all searches happen through this API). Can be passed as the first parameter after restSearch or via the JSON payload.'), "limit" => __('Limit the number of results returned, depending on the scope (for example 10 attributes or 10 full events).'), "page" => __('If a limit is set, sets the page to be returned. page 3, limit 100 will return records 201->300).'), "value" => __('Search for the given value in the attributes\' value field.'), "type" => __('The attribute type, any valid MISP attribute type is accepted.'), "category" => __('The attribute category, any valid MISP attribute category is accepted.'), "org" => __('Search by the creator organisation by supplying the organisation identifier.'), "tags" => __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.'), "quickfilter" => __('Enabling this (by passing "1" as the argument) will make the search ignore all of the other arguments, except for the auth key and value. MISP will return an xml / json (depending on the header sent) of all events that have a sub-string match on value in the event info, event orgc, or any of the attribute value1 / value2 fields, or in the attribute comment.'), "from" => __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.'), "to" => __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.'), "eventid" => __('The events that should be included / excluded from the search'), "withAttachments" => __('If set, encodes the attachments / zipped malware samples as base64 in the data field within each attribute'), "metadata" => __('Only the metadata (event, tags, relations) is returned, attributes and proposals are omitted.'), "uuid" => __('Restrict the results by uuid.'), "publish_timestamp" => __('Restrict the results by the timestamp of the last publishing of the event. The input can be a timetamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).'), "last" => __('(Deprecated synonym for publish_timestamp) Restrict the results by the timestamp of the last publishing of the event. The input can be a timetamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).'), "timestamp" => __('Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute\'s timestamp will be used for the lookup. The input can be a timetamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).'), "published" => __('Set whether published or unpublished events should be returned. Do not set the parameter if you want both.'), "enforceWarninglist" => __('Remove any attributes from the result that would cause a hit on a warninglist entry.'), "to_ids" => __('By default (0) all attributes are returned that match the other filter parameters, irregardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. You can only use the special "exclude" setting to only return attributes that have the to_ids flag disabled.'), "deleted" => __('If this parameter is set to 1, it will return soft-deleted attributes along with active ones. By using "only" as a parameter it will limit the returned data set to soft-deleted data only.'), "includeEventUuid" => __('Instead of just including the event ID, also include the event UUID in each of the attributes.'), "event_timestamp" => __('Only return attributes from events that have received a modification after the given timestamp. The input can be a timetamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).'), "sgReferenceOnly" => __('If this flag is set, sharing group objects will not be included, instead only the sharing group ID is set.'), "eventinfo" => __("Filter on the event's info field."), "searchall" => __("Search for a full or a substring (delimited by % for substrings) in the event info, event tags, attribute tags, attribute values or attribute comment fields."), "attackGalaxy" => __("Select the ATT&CK matrix like galaxy to use when using returnFormat = attack. Defaults to the Mitre ATT&CK library via mitre-attack-pattern.") ), 'url' => array( $baseurl . '/attributes/restSearch', $baseurl . '/events/restSearch' ) ); echo sprintf('

%s

', $data['title']); echo sprintf('

', implode(" ", $data['description'])); echo sprintf("

%s

", implode("\n", $data['url'])); foreach ($data['parameters'] as $k => $v) { echo sprintf('%s: %s
', $k, $v); } $description = __('To export all attributes of types ip-src and ip-dst that have a TLP marking and are not marked TLP:red, use the syntax below. String searches are by default exact lookups, but you can use mysql style "%" wildcards to do substring searches.'); $url = $baseurl . '/attributes/restSearch'; $headers = array( 'Accept: application/json', 'Content-type: application/json', 'Authorization: ' . $api_key ); $headers = implode("\n", $headers); $body = json_encode( array( 'returnFormat' => 'json', 'type' => array('OR' => array('ip-src', 'ip-dst')), 'tags' => array('NOT' => array('tlp:red'), 'OR' => array('tlp:%')), ), JSON_PRETTY_PRINT); echo sprintf('

URL:

%s

Headers:

%s

Body:

%s

', $description, $url, $headers, $body); ?> __('Galaxy Cluster Search'), 'description' => array( __('It is possible to search the database for galaxy clustesrs based on a list of criteria.'), __('To return an cluster or a list of clusters in the JSON format, use the following syntax'), __('Whilst a list of parameters is provided below, it isn\'t necessarily exhaustive') ), 'parameters' => array( 'limit' => __('Limit the number of results returned, depending on the scope (for example 10 clusters).'), 'page' => __('If a limit is set, sets the page to be returned. page 3, limit 100 will return records 201->300).'), 'id' => __('Specify the exact local ID the be returned'), 'uuid' => __('Specify the exact local UUID the be returned'), 'galaxy_id' => __('Specify the exact local ID of the galaxy containing all the clusters the be returned'), 'galaxy_uuid' => __('Specify the exact local UUID of the galaxy containing all the clusters the be returned'), 'published' => __('Specify the publication state of the clusters to be returned'), 'value' => __('Specify the value of the clusters to be returned'), 'extends_uuid' => __('Specify the UUID of the cluster that was forked by the returned clusters'), 'extends_version' => __('Specify the version of the cluster that was forked by the returned clusters'), 'version' => __('Specify the version to be returned'), 'distribution' => __('Specify the distribution to be returned'), 'org_id' => __('Specify the org_id to get all clusters belonging to this organisation.'), 'orgc_id' => __('Specify the orgc_id to get all clusters that were created by this organisation.'), 'tag_name' => __('Specify the tag name of the cluster to be returned'), 'custom' => __('Specify if custom, default or both clusters should be returned'), 'minimal' => __('Only return the UUID and the version of the returned clusters'), ), 'url' => array( $baseurl . '/galaxy_clusters/restSearch', ) ); echo sprintf('

%s

', $data['title']); echo sprintf('

', implode(" ", $data['description'])); echo sprintf("

%s

", implode("\n", $data['url'])); foreach ($data['parameters'] as $k => $v) { echo sprintf('%s: %s
', $k, $v); } ?>

requested_attributes:
includeContext:
headerless:

' . __('URL parameters') . ''; echo sprintf( '

%s

', __('It is also possible to pass all of the above parameters via URL parameters, however this is HIGHLY discouraged. If you however have no other options, simply pass the parameters in the following fashion:'), $baseurl . '/attributes/restSearch/returnFormat:text/tags:!tlp:red||!tlp:amber||tlp:green||tlp:white/publish_timestamp:14d||7d', __('As you can see above, "||" can be used to add more values to a "list" and all parameters are passed as key:value components to the URL. Keep in mind, certain special characters in URLs can cause issues, your searches may end up being leaked to logs in transit and there are length limitations to take into account. Use this as a last resort.') ); ?>

You can export RPZ zone files for DNS level firewalling by using the RPZ export functionality of MISP. The file generated will include all of the IDS flagged domain, hostname and IP-src/IP-dst attribute values that you have access to.');?>

$v): ?> :

/attributes/rpz/download/[tags]/[eventId]/[from]/[to]/[policy]/[walled_garden]/[ns]/[email]/[serial]/[refresh]/[retry]/[expiry]/[minimum_ttl]/[ttl]

OSINT&&!OUTDATEDLocal-Datamy.stop.page.net5h');?>

{"request": {"tags": ["OSINT", "!OUTDATED"], "policy": "Local-Data", "walled_garden": "my.stop.page.net", "refresh": "5h"}

JSON:

{"request": {"type": "ip", "eventid": ["!51","!62"],"withAttachment": false,"tags": ["APT1","!OSINT"],"from": false,"to": "2015-02-15"}}

XML:

<request><type>ip</type><eventid>!51</eventid><eventid>!62</eventid><withAttachment>false</withAttachment><tags>APT1</tags><tags>!OSINT</tags><from>false</from><to>2015-02-15</to></request>

type: :

 $value) {
            echo '' . h($key) . ': ' . h($value) . PHP_EOL;
        }
    ?>

tags:
event_id:
allowNonIDS:
from:
to:
last:
enforceWarninglist:

', h(implode(', ', $hashTypes)));?>

7c12772809c1c0c3deda6103b10fdfa0113"); ?>

{"request": {"hash": "7c12772809c1c0c3deda6103b10fdfa0", "allSamples": 1, "eventID": 13}}

hash:
allSamples:
eventID:

{"request": {"files": [{"filename": filename1, "data": base64encodedfile1}, {"filename": filename2, "data": base64encodedfile2}], "optional_parameter1", "optional_parameter2", "optional_parameter3"}}

JSON:

{"request":{"files": [{"filename": "test1.txt", "data": "dGVzdA=="}, {"filename": "test2.txt", "data": "dGVzdDI="}], "distribution": 1, "info" : "test", "event_id": 15}}

XML:

test3.txtdGVzdA==test4.txtdGVzdDI=test115");?>

event_id:
distribution:
to_ids:
category:
info:
analysis:
threat_level_id:
comment:

{"event":228, "tag":8}

{"event":228, "tag":"OSINT"}


GET	/shadow_attributes/view/[proposal_id]
GET	/shadow_attributes/index
GET	/shadow_attributes/index/[event_id]
POST	/shadow_attributes/add/[event_id]
POST	/shadow_attributes/edit/[attribute_id]
POST	/shadow_attributes/accept/[proposal_id]
POST	/shadow_attributes/discard/[proposal_id]

JSON

XML

5.5.5.50ip-srcNetwork activity');?>

:
An example for a valid lookup');?>:

URL:
Headers:

Body: {"searcheventinfo":"Locky", "searchpublished":1, "searchdistribution":!0}

searchpublished:
searcheventinfo:
searchtag:
searcheventid:
searchthreatlevel:
searchdistribution:
searchanalysis:
searchattribute:
searchorg:
searchemail:
searchDatefrom:
searchDateuntil:

__('Freetext Import API'), 'description' => array( __('The freetext import tool is also exposed to the API.'), __('Simply POST the contents to be parsed and either directly create attributes out of them or simply return the parsing results.'), __('Use the boolean (0/1) adhere_to_warninglists and return_meta_attributes url parameters to filter out values tripping over a warninglist and to decide whether to save the attributes parsed or simply return them as meta attributes.'), __('The contents of the POST body should be the text to be parsed.') ), 'url' => array( $baseurl . '/[event_id]/[adhere_to_warninglists]/[return_meta_attributes]' ) ); echo sprintf('

%s

', $data['title']); echo sprintf('

', implode(" ", $data['description'])); echo sprintf("

%s

", implode("\n", $data['url'])); $data = array( 'title' => __('Administering the background workers via the API.'), 'description' => array( __('You can start/stop and view the bacground workers via the API.'), sprintf('
%s: %s/servers/%s
', __('Add worker'), $baseurl, 'startWorker/[queue_name]'), sprintf('%s: %s/servers/%s
', __('Stop worker'), $baseurl, 'stopWorker/[worker_pid]'), sprintf('%s: %s/servers/%s
', __('Get worker info'), $baseurl, 'getWorkers') ) ); echo sprintf('

%s

', $data['title']); echo sprintf('

', implode(" ", $data['description'])); foreach ($command_line_functions as $clusterRef => $cluster) { echo sprintf('

%s

', $clusterRef, $cluster['header']); echo sprintf('

%s:
', $cluster['description']); foreach ($cluster['data'] as $commandName => $command) { echo '' . Inflector::humanize($commandName) . ': ' . $command . '
'; } } ?>