Added index filtering for events via the automation

pull/15/head
Iglocska 2016-07-28 23:58:45 +02:00
parent e9ed7179e7
commit 0d3881961c
1 changed files with 40 additions and 0 deletions


@ -652,6 +652,46 @@ sigOnly is an optional flag that will block all attributes from being exported t
https://<misp url>/attributes/returnAttributes/download/25/md5&&sha256&&!filename/true
~~~~
## Filtering event metadata
As described in the REST section, it is possible to retrieve a list of events along with their metadata by sending a GET request to the /events API. However, this API in particular is a bit more versatile. You can pass search parameters along to search among the events on various fields and retrieve a list of matching events (along with their metadata). Use the following URL:
~~~~
https://<misp url>/events/index
~~~~
POST a JSON object with the desired lookup fields and values to receive a JSON back.
An example for a valid lookup:
~~~~
Authorization: <your API key>
Accept: application/json
Content-type: application/json
~~~~
Body:
~~~~json
{"searchinfo":"Locky", "searchpublished":1, "searchdistribution":!0}
~~~~
The list of valid parameters:
<dl>
<dt>searchpublished:</dt>/n<dd>Filters on published or unpulished events [0,1] - negatable</dd>
<dt>searchinfo:</dt><dd>Filters on strings found in the event info - negatable</dd>
<dt>searchtag:</dt><dd>Filters on attached tag names - negatable</dd>
<dt>searcheventid:</dt><dd>Filters on specific event IDs - negatable</dd>
<dt>searchthreatlevel:</dt><dd>Filters on a given event threat level [1,2,3,4] - negatable</dd>
<dt>searchdistribution:</dt><dd>Filters on the distribution level [0,1,2,3] - negatable</dd>
<dt>searchanalysis:</dt><dd>Filters on the given analysis phase of the event [0,1,2,3] - negatable</dd>
<dt>searchattribute:</dt><dd>Filters on a contained attribute value - negatable</dd>
<dt>searchorg:</dt><dd>Filters on the creator organisation - negatable</dd>
<dt>searchemail:</dt><dd>Filters on the creator user's email address (admin only) - negatable</dd>
<dt>searchDatefrom:</dt><dd>Filters on the date, anything newer than the given date in YYYY-MM-DD format is taken - non-negatable</dd>
<dt>searchDateuntil:</dt><dd>Filters on the date, anything older than the given date in YYYY-MM-DD format is taken - non-negatable</dd>
</dl>
## Download attachment or malware sample
If you know the attribute ID of a malware-sample or an attachment, you can download it with the following syntax:
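Review bot: The example request body in this hunk is not valid JSON, and the `searchpublished` entry of the parameter list carries a stray `/n`. In `{"searchinfo":"Locky", "searchpublished":1, "searchdistribution":!0}` the bare `!0` token will be rejected by any JSON parser; if negation is meant to be expressed by a leading `!` on the value, the example should quote it, e.g. `"searchdistribution":"!0"`, and the text should say so explicitly, since "negatable" is used twelve times in the list but the notation for negating a filter is never described. In the `<dl>` block, `<dt>searchpublished:</dt>/n<dd>` looks like an escaped newline that was typed literally; it will render as visible `/n` text, and "unpulished" in the same line should read "unpublished". Two smaller points: `Content-type` is conventionally written `Content-Type`, and `searchDatefrom`/`searchDateuntil` use a different capitalisation from the other `search...` parameters, which is worth confirming against the server-side parameter names (or adding a note that the names are case-sensitive), as readers will otherwise assume it is a typo.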