mirror of https://github.com/MISP/misp-book
Automation: STIX section updated
parent
8e35f38dbf
commit
8adf6e26aa
|
@ -334,9 +334,38 @@ https://<misp url>/events/stix/download
|
|||
<request><id>!51</id><id>!62</id><withAttachment>false</withAttachment><tags>APT1</tags><tags>!OSINT</tags><from>false</from><to>2015-02-15</to></request>
|
||||
~~~~
|
||||
|
||||
### Various ways to narrow down the search results of the STIX export
|
||||
|
||||
For example, to retrieve all events tagged "APT1" but excluding events tagged "OSINT" and excluding events #51 and #62 without any attachments:
|
||||
~~~~
|
||||
https://<misp url>/events/stix/download/!51&&!62/false/APT1&&!OSINT/2015-02-15
|
||||
~~~~
|
||||
|
||||
To export the same events using a POST request use:
|
||||
~~~~
|
||||
https://<misp url>/events/stix/download.json
|
||||
~~~~
|
||||
|
||||
Together with this JSON object in the POST message:
|
||||
|
||||
~~~~json
|
||||
{"request": {"id":["!51","!62"],"tags":["APT1","!OSINT"],"from":"2015-02-15"}}
|
||||
~~~~
|
||||
XML is automatically assumed when using the STIX export:
|
||||
|
||||
~~~~
|
||||
https://<misp url>/events/stix/download
|
||||
~~~~
|
||||
|
||||
The same search could be accomplished using the following POSTed XML object (note that ampersands need to be escaped, or alternatively separate id and tag elements can be used):
|
||||
|
||||
~~~~xml
|
||||
<request><id>!51</id><id>!62</id><tags>APT1</tags><tags>!OSINT</tags><from>2015-02-15</from></request>
|
||||
~~~~
|
||||
|
||||
## RPZ export
|
||||
|
||||
You can export RPZ zone files for DNS level firewalling by using the RPZ export functionality of MISP. The file generated will include all of the IDS
|
||||
You can export RPZ zone files for DNS level firewall by using the RPZ export functionality of MISP. The file generated will include all of the IDS
|
||||
flagged domain, hostname and IP-src/IP-dst attribute values that you have access to.
|
||||
|
||||
It is possible to further restrict the exported values using the following filters:
|
||||
|
|
Loading…
Reference in New Issue