mirror of https://github.com/MISP/misp-book
Added index filtering for events via the automation
parent
e9ed7179e7
commit
0d3881961c
|
@ -652,6 +652,46 @@ sigOnly is an optional flag that will block all attributes from being exported t
|
||||||
https://<misp url>/attributes/returnAttributes/download/25/md5&&sha256&&!filename/true
|
https://<misp url>/attributes/returnAttributes/download/25/md5&&sha256&&!filename/true
|
||||||
~~~~
|
~~~~
|
||||||
|
|
||||||
|
## Filtering event metadata
|
||||||
|
|
||||||
|
As described in the REST section, it is possible to retrieve a list of events along with their metadata by sending a GET request to the /events API. However, this API in particular is a bit more versatile. You can pass search parameters along to search among the events on various fields and retrieve a list of matching events (along with their metadata). Use the following URL:
|
||||||
|
|
||||||
|
~~~~
|
||||||
|
https://<misp url>/events/index
|
||||||
|
~~~~
|
||||||
|
|
||||||
|
POST a JSON object with the desired lookup fields and values to receive a JSON back.
|
||||||
|
An example for a valid lookup:
|
||||||
|
|
||||||
|
~~~~
|
||||||
|
Authorization: <your API key>
|
||||||
|
Accept: application/json
|
||||||
|
Content-type: application/json
|
||||||
|
~~~~
|
||||||
|
|
||||||
|
Body:
|
||||||
|
|
||||||
|
~~~~json
|
||||||
|
{"searchinfo":"Locky", "searchpublished":1, "searchdistribution":!0}
|
||||||
|
~~~~
|
||||||
|
|
||||||
|
|
||||||
|
The list of valid parameters:
|
||||||
|
<dl>
|
||||||
|
<dt>searchpublished:</dt>/n<dd>Filters on published or unpulished events [0,1] - negatable</dd>
|
||||||
|
<dt>searchinfo:</dt><dd>Filters on strings found in the event info - negatable</dd>
|
||||||
|
<dt>searchtag:</dt><dd>Filters on attached tag names - negatable</dd>
|
||||||
|
<dt>searcheventid:</dt><dd>Filters on specific event IDs - negatable</dd>
|
||||||
|
<dt>searchthreatlevel:</dt><dd>Filters on a given event threat level [1,2,3,4] - negatable</dd>
|
||||||
|
<dt>searchdistribution:</dt><dd>Filters on the distribution level [0,1,2,3] - negatable</dd>
|
||||||
|
<dt>searchanalysis:</dt><dd>Filters on the given analysis phase of the event [0,1,2,3] - negatable</dd>
|
||||||
|
<dt>searchattribute:</dt><dd>Filters on a contained attribute value - negatable</dd>
|
||||||
|
<dt>searchorg:</dt><dd>Filters on the creator organisation - negatable</dd>
|
||||||
|
<dt>searchemail:</dt><dd>Filters on the creator user's email address (admin only) - negatable</dd>
|
||||||
|
<dt>searchDatefrom:</dt><dd>Filters on the date, anything newer than the given date in YYYY-MM-DD format is taken - non-negatable</dd>
|
||||||
|
<dt>searchDateuntil:</dt><dd>Filters on the date, anything older than the given date in YYYY-MM-DD format is taken - non-negatable</dd>
|
||||||
|
</dl>
|
||||||
|
|
||||||
## Download attachment or malware sample
|
## Download attachment or malware sample
|
||||||
|
|
||||||
If you know the attribute ID of a malware-sample or an attachment, you can download it with the following syntax:
|
If you know the attribute ID of a malware-sample or an attachment, you can download it with the following syntax:
|
||||||
|
|
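Review bot: the example request body `{"searchinfo":"Locky", "searchpublished":1, "searchdistribution":!0}` is not valid JSON, because `!0` is a bare token rather than a string or a number, so anyone pasting it will get a parse error from the endpoint; every filter in the list is marked "negatable" but the negation syntax is never stated, so the negated value should be written in a JSON-valid form (presumably a quoted string such as `"searchdistribution":"!0"`, if that is what the endpoint parses) and a sentence under "The list of valid parameters" should explain the `!` prefix. In the same hunk, `<dt>searchpublished:</dt>/n<dd>` carries a stray literal `/n` that will render into the HTML, "unpulished" should read "unpublished", the two date filters (`searchDatefrom`, `searchDateuntil`) break the all-lowercase naming of the other keys and do not say whether the given date itself is included, and the intro says events are retrieved with a GET to `/events` while the next paragraph says to POST to `/events/index`; the HTTP method belongs next to the URL block so the reader does not have to infer it.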