From 1c5739f7856823cfcaedab6e8421ccd28e58513d Mon Sep 17 00:00:00 2001 From: splunk-soar-connectors-admin Date: Thu, 21 Jul 2022 22:37:23 -0700 Subject: [PATCH 1/4] 'stop maintaining and delete release_notes.html' --- release_notes/release_notes.html | 35 -------------------------------- 1 file changed, 35 deletions(-) delete mode 100644 release_notes/release_notes.html diff --git a/release_notes/release_notes.html b/release_notes/release_notes.html deleted file mode 100644 index 434c832..0000000 --- a/release_notes/release_notes.html +++ /dev/null @@ -1,35 +0,0 @@ -MISP Release Notes - Published by Splunk April 27, 2022 -

-Version 2.2.0 - Released April 27, 2022 - -Version 2.1.7 - Released February 03, 2022 - -Version 2.1.5 - Released July 12, 2021 - -Version 2.0.4 - Released February 05, 2021 - -Version 1.0.19 - Released January 18, 2019 - -Version 1.0.14 - Released February 07, 2018 - -Version 1.0.12 - Released September 27, 2017 - From 149a85e6f06e7c753b2a04296d9da7d3ef438fdc Mon Sep 17 00:00:00 2001 From: splunk-soar-connectors-admin Date: Mon, 17 Jul 2023 10:11:41 -0700 Subject: [PATCH 2/4] Remove semgrep workflow file --- .github/workflows/semgrep.yml | 28 ---------------------------- 1 file changed, 28 deletions(-) delete mode 100644 .github/workflows/semgrep.yml diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml deleted file mode 100644 index 712cc1b..0000000 --- a/.github/workflows/semgrep.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: Semgrep -on: - pull_request_target: - branches: - - next - - main - push: - branches: - - next - - main -jobs: - semgrep: - runs-on: ubuntu-latest - steps: - - if: github.event_name == 'push' - run: | - echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV - echo "REF=${{ github.REF }}" >> $GITHUB_ENV - - if: github.event_name == 'pull_request_target' - run: | - echo "REPOSITORY=${{ github.event.pull_request.head.repo.full_name }}" >> $GITHUB_ENV - echo "REF=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV - - uses: 'phantomcyber/dev-cicd-tools/github-actions/semgrep@main' - with: - SEMGREP_DEPLOYMENT_ID: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} - SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} - REPOSITORY: ${{ github.repository }} - REF: ${{ github.ref }} From 4f7b5cde661c79bf4f44189b82dbd61346f575fb Mon Sep 17 00:00:00 2001 
From: splunk-soar-connectors-bot <73200433+splunk-soar-connectors-bot@users.noreply.github.com> Date: Tue, 20 Aug 2024 14:41:58 -0700 Subject: [PATCH 3/4] Merging next to main for release 2.2.2 (#13) * PAPP-34531 MISP: Feature - Tags Allowance Added for Event Create and Update (#12) * Bumped up the version of misp from 2.2.1 to 2.2.2 * [maint] update min phantom version (#14) Co-authored-by: grokas-splunk Co-authored-by: splunk-soar-connectors-admin Co-authored-by: root --- README.md | 10 +++++++-- misp.json | 50 +++++++++++++++++++++++++++++++++++++----- misp_connector.py | 26 ++++++++++++++++++++++ release_notes/2.2.2.md | 1 + 4 files changed, 79 insertions(+), 8 deletions(-) create mode 100644 release_notes/2.2.2.md diff --git a/README.md b/README.md index cce4c92..399f778 100644 --- a/README.md +++ b/README.md @@ -2,11 +2,11 @@ # MISP Publisher: Splunk -Connector Version: 2.2.1 +Connector Version: 2.2.2 Product Vendor: MISP Product Name: MISP Product Version Supported (regex): ".\*" -Minimum Product Version: 5.2.0 +Minimum Product Version: 6.2.1 Take action with Malware Information Sharing Platform @@ -156,6 +156,7 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **source_emails** | optional | Source email addresses to be added as attributes | string | `email` **dest_emails** | optional | Destination email addresses to be added as attributes | string | `email` **urls** | optional | URLs to be added as attributes | string | `url` +**tags** | optional | Comma separated list of tags | string | **json** | optional | JSON key value list of attributes | string | #### Action Output 
@@ -175,6 +176,7 @@ action_result.parameter.source_ips | string | `ip` | 122.122.122.122 action_result.parameter.threat_level_id | string | | undefined action_result.parameter.to_ids | boolean | | True False action_result.parameter.urls | string | `url` | https://test.com +action_result.parameter.tags | string | | test_1,test_2 action_result.data.\*.Org.id | string | | 1 action_result.data.\*.Org.local | boolean | | True False action_result.data.\*.Org.name | string | | ORGNAME @@ -236,6 +238,8 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **source_emails** | optional | Source email addresses to be added as attributes | string | `email` **dest_emails** | optional | Destination email addresses to be added as attributes | string | `email` **urls** | optional | URLs to be added as attributes | string | `url` +**tags** | optional | Comma separated list of tags (append to existing tags default) | string | +**replace_tags** | optional | Replace tags with new provided tags | boolean | **json** | optional | JSON key value list of attributes | string | #### Action Output @@ -246,6 +250,8 @@ action_result.parameter.dest_emails | string | `email` | test@test.com action_result.parameter.dest_ips | string | `ip` | 122.122.122.122 action_result.parameter.domains | string | `domain` | www.test.com action_result.parameter.event_id | numeric | `misp event id` | 686 +action_result.parameter.tags | string | | test_1,test2 +action_result.parameter.replace_tags | boolean | | True False action_result.parameter.json | string | | {"comment":["email_1,email11","email_2"], "soufds":"jflkl"} action_result.parameter.source_emails | string | `email` | test@test.com action_result.parameter.source_ips | string | `ip` | 122.122.122.122 diff --git a/misp.json b/misp.json index ac80596..7627009 100644 --- a/misp.json +++ b/misp.json 
@@ -7,12 +7,12 @@ "type": "threat intel", "license": "Copyright (c) 2017-2024 Splunk Inc.", "main_module": "misp_connector.py", - "app_version": "2.2.1", - "utctime_updated": "2022-02-03T21:33:46.000000Z", + "app_version": "2.2.2", + "utctime_updated": "2024-08-19T20:43:28.000000Z", "product_vendor": "MISP", "product_name": "MISP", "product_version_regex": ".*", - "min_phantom_version": "5.2.0", + "min_phantom_version": "6.2.1", "fips_compliant": true, "python_version": "3", "latest_tested_versions": [ @@ -238,10 +238,15 @@ "order": 11, "primary": true }, + "tags": { + "description": "Comma separated list of tags", + "data_type": "string", + "order": 12 + }, "json": { "description": "JSON key value list of attributes", "data_type": "string", - "order": 12 + "order": 13 } }, "render": { @@ -370,6 +375,13 @@ "https://test.com" ] }, + { + "data_path": "action_result.parameter.tags", + "data_type": "string", + "example_values": [ + "test_1,test_2" + ] + }, { "data_path": "action_result.data.*.Org.id", "data_type": "string", @@ -750,10 +762,21 @@ "order": 7, "primary": true }, + "tags": { + "description": "Comma separated list of tags (append to existing tags default)", + "data_type": "string", + "order": 8 + }, + "replace_tags": { + "description": "Replace tags with new provided tags", + "data_type": "boolean", + "default": false, + "order": 9 + }, "json": { "description": "JSON key value list of attributes", "data_type": "string", - "order": 8 + "order": 10 } }, "render": { @@ -811,6 +834,21 @@ 686 ] }, + { + "data_path": "action_result.parameter.tags", + "data_type": "string", + "example_values": [ + "test_1,test2" + ] + }, + { + "data_path": "action_result.parameter.replace_tags", + "data_type": "boolean", + "example_values": [ + true, + false + ] + }, { "data_path": "action_result.parameter.json", "data_type": "string", @@ -2422,4 +2460,4 @@ } ] } -} +} \ No newline at end of file diff --git a/misp_connector.py b/misp_connector.py index 9342ced..eff662e 100644 
--- a/misp_connector.py +++ b/misp_connector.py @@ -296,6 +296,16 @@ def _create_event(self, param): action_result.set_summary({"message": "Event created with id: {0}".format(self._event.id)}) + tags = param.get("tags", "") + tag_list = [tag.strip() for tag in tags.split(",")] if tags else [] + if tag_list: + try: + for tag in tag_list: + self._misp.tag(self._event, tag) + except Exception as e: + error_message = self._get_error_message_from_exception(e) + return action_result.set_status(phantom.APP_ERROR, "Failed to add tags to MISP event:{0}".format(error_message)) + addAttributes = param.get("add_attributes", True) if addAttributes: ret_val = self._perform_adds(param, action_result, add_data=True) @@ -483,6 +493,22 @@ def _add_attributes(self, param): for attribute in attributes: action_result.add_data(attribute) + tags = param.get("tags", "") + replace_tags = param.get("replace_tags", False) + tag_list = [tag.strip() for tag in tags.split(",")] if tags else [] + if tag_list: + try: + if replace_tags: + existing_tags = self._event.tags + for tag in existing_tags: + self._misp.untag(self._event, tag.name) + + for tag in tag_list: + self._misp.tag(self._event, tag) + except Exception as e: + error_message = self._get_error_message_from_exception(e) + return action_result.set_status(phantom.APP_ERROR, "Failed to add tags to MISP event:{0}".format(error_message)) + if hasattr(self._event, "id"): summary = {} summary["message"] = "Attributes added to event: {0}".format(self._event.id) diff --git a/release_notes/2.2.2.md b/release_notes/2.2.2.md new file mode 100644 index 0000000..56aa114 --- /dev/null +++ b/release_notes/2.2.2.md @@ -0,0 +1 @@ +* Tags can now be added during an event create or update [PAPP-34531] \ No newline at end of file From 4e5d7f66d51b9944f20affbe4ff1fc7d8cd527d0 Mon Sep 17 00:00:00 2001 
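Review bot: The comprehension in `_create_event` keeps empty entries, so a value like `malware,,phishing` (constructed example) or one with a trailing comma hands an empty string to `self._misp.tag`; the identical line in the `_add_attributes` hunk has the same gap. Dropping blanks fixes both: `tag_list = [t.strip() for t in tags.split(",") if t.strip()]`. The error return also sits after the event has been created, so a tagging failure reports APP_ERROR for an event that already exists in MISP and skips the attribute step, and a playbook retry would create a second event; naming `self._event.id` in the failure message would let the operator find the half-built event. Only raised exceptions count as failure here, so if `self._misp.tag` reports a rejected tag through its return value (not visible in this hunk) the action would succeed with the tag missing. The body of `_create_event` starts and ends outside the hunk.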
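Review bot: With `replace_tags` set, the block added to `_add_attributes` removes every existing tag before attaching the new ones, so an exception partway through leaves the event with fewer markings than it started with, which matters when those tags carry handling or sharing restrictions. Attaching first and then removing only the tags that are not in the requested list keeps the event labelled at every step, as in the excerpt below, which also drops blank entries and makes the failure message cover the untag path. `replace_tags` is silently ignored when `tags` is empty because the whole block sits under `if tag_list:`; the parameter description should say so. `self._event.tags` is read from the object loaded earlier in the function, which is outside the hunk, so it may not reflect tags changed on the server since then.

```python
tags = param.get("tags", "")
replace_tags = param.get("replace_tags", False)
tag_list = [t.strip() for t in tags.split(",") if t.strip()]
if tag_list:
    try:
        # Attach first so a failure never leaves the event with fewer tags than before.
        for tag in tag_list:
            self._misp.tag(self._event, tag)

        if replace_tags:
            wanted = set(tag_list)
            for existing in list(self._event.tags):
                # Keep tags that were requested again; remove only the rest.
                if existing.name not in wanted:
                    self._misp.untag(self._event, existing.name)
    except Exception as e:
        error_message = self._get_error_message_from_exception(e)
        return action_result.set_status(phantom.APP_ERROR, "Failed to update tags on MISP event:{0}".format(error_message))

# … unchanged: summary construction for the updated event …
```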
From: splunk-soar-connectors-admin Date: Wed, 11 Dec 2024 23:51:43 +0000 Subject: [PATCH 4/4] Update README.md --- README.md | 640 +++++++++++++++++++++++++++--------------------------- 1 file changed, 320 insertions(+), 320 deletions(-) diff --git a/README.md b/README.md index 0eebd6d..ab786f0 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,12 @@ [comment]: # "Auto-generated SOAR connector documentation" # MISP -Publisher: Splunk -Connector Version: 2.2.3 -Product Vendor: MISP -Product Name: MISP -Product Version Supported (regex): ".\*" -Minimum Product Version: 6.3.0 +Publisher: Splunk +Connector Version: 2.2.3 +Product Vendor: MISP +Product Name: MISP +Product Version Supported (regex): ".\*" +Minimum Product Version: 6.3.0 Take action with Malware Information Sharing Platform @@ -42,11 +42,11 @@ Laurent LAPORTE. ## cachetools-4.2.2 This app uses the cachetools module, which is licensed under the MIT License, Copyright (c) -2014-2021 Thomas Kemmer. +2014-2021 Thomas Kemmer. -Misp will return integers which correspond to various values. Here is the complete list: - -For **distribution** : +Misp will return integers which correspond to various values. Here is the complete list: + +For **distribution** : - 0: Your Org Only - 1: This Community Only @@ -55,22 +55,22 @@ For **distribution** : - 4: Sharing Group - 5: Inherit - -For **threat level id** : + +For **threat level id** : - 1: High - 2: Medium - 3: Low - 4: Undefined - -For **analysis** : + +For **analysis** : - 0: Initial - 1: Ongoing - 2: Completed - + **Note:** - There is no validation provided in case of an incorrect value in the 'json' action parameter of 
@@ -114,29 +114,29 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION **verify_server_cert** | optional | boolean | Verify server certificate **api_key** | required | password | API Key found under Event Actions: Automation -### Supported Actions -[test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity -[create event](#action-create-event) - Create a new event in MISP -[update event](#action-update-event) - Add attributes / IOCs to an event in MISP -[run query](#action-run-query) - Run a query to find events or attributes -[get attributes](#action-get-attributes) - Get attributes for a specific event +### Supported Actions +[test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity +[create event](#action-create-event) - Create a new event in MISP +[update event](#action-update-event) - Add attributes / IOCs to an event in MISP +[run query](#action-run-query) - Run a query to find events or attributes +[get attributes](#action-get-attributes) - Get attributes for a specific event ## action: 'test connectivity' Validate the asset configuration for connectivity -Type: **test** +Type: **test** Read only: **True** #### Action Parameters No parameters are required for this action #### Action Output -No Output +No Output ## action: 'create event' Create a new event in MISP -Type: **generic** +Type: **generic** Read only: **False** This action first creates an event, then adds attributes to that event. Parameters urls, domains, source_ips, dest_ips, source_emails, dest_emails accept comma-separated values. 
@@ -144,85 +144,85 @@ This action first creates an event, then adds attributes to that event. Paramete #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**distribution** | required | Distribution level for sharing | string | -**threat_level_id** | required | Threat level id | string | -**analysis** | required | Current stage of analysis for event | string | -**info** | required | Information / Description for Event | string | -**add_attributes** | optional | Add attributes upon event creation | boolean | -**to_ids** | optional | Set 'to_IDS' flag=True in MISP | boolean | -**source_ips** | optional | Source IPs to be added as attributes | string | `ip` -**dest_ips** | optional | Destination IPs to be added as attributes | string | `ip` -**domains** | optional | Domains to be added as attributes | string | `domain` -**source_emails** | optional | Source email addresses to be added as attributes | string | `email` -**dest_emails** | optional | Destination email addresses to be added as attributes | string | `email` -**urls** | optional | URLs to be added as attributes | string | `url` -**tags** | optional | Comma separated list of tags | string | -**json** | optional | JSON key value list of attributes | string | +**distribution** | required | Distribution level for sharing | string | +**threat_level_id** | required | Threat level id | string | +**analysis** | required | Current stage of analysis for event | string | +**info** | required | Information / Description for Event | string | +**add_attributes** | optional | Add attributes upon event creation | boolean | +**to_ids** | optional | Set 'to_IDS' flag=True in MISP | boolean | +**source_ips** | optional | Source IPs to be added as attributes | string | `ip` +**dest_ips** | optional | Destination IPs to be added as attributes | string | `ip` +**domains** | optional | Domains to be added as attributes | string | `domain` 
+**source_emails** | optional | Source email addresses to be added as attributes | string | `email` +**dest_emails** | optional | Destination email addresses to be added as attributes | string | `email` +**urls** | optional | URLs to be added as attributes | string | `url` +**tags** | optional | Comma separated list of tags | string | +**json** | optional | JSON key value list of attributes | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success failed -action_result.parameter.add_attributes | boolean | | True False -action_result.parameter.analysis | string | | Initial -action_result.parameter.dest_emails | string | `email` | test@test.com -action_result.parameter.dest_ips | string | `ip` | 122.122.122.122 -action_result.parameter.distribution | string | | This Community Only -action_result.parameter.domains | string | `domain` | www.test.com -action_result.parameter.info | string | | Event Info Goes Here -action_result.parameter.json | string | | {"ip-src|port":"1.1.1.1:888"} -action_result.parameter.source_emails | string | `email` | test@test.com -action_result.parameter.source_ips | string | `ip` | 122.122.122.122 -action_result.parameter.threat_level_id | string | | undefined -action_result.parameter.to_ids | boolean | | True False -action_result.parameter.urls | string | `url` | https://test.com -action_result.parameter.tags | string | | test_1,test_2 -action_result.data.\*.Org.id | string | | 1 -action_result.data.\*.Org.local | boolean | | True False -action_result.data.\*.Org.name | string | | ORGNAME -action_result.data.\*.Org.uuid | string | | 2af87aa3-a713-4ca5-83f7-03ae949c8459 -action_result.data.\*.Orgc.id | string | | 1 -action_result.data.\*.Orgc.local | boolean | | True False -action_result.data.\*.Orgc.name | string | | ORGNAME -action_result.data.\*.Orgc.uuid | string | | 2af87aa3-a713-4ca5-83f7-03ae949c8459 -action_result.data.\*.analysis 
| string | | 0 -action_result.data.\*.attribute_count | string | | -action_result.data.\*.category | string | | Network activity -action_result.data.\*.comment | string | | -action_result.data.\*.date | string | | 2021-06-09 -action_result.data.\*.deleted | boolean | | True False -action_result.data.\*.disable_correlation | boolean | | True False -action_result.data.\*.distribution | string | | -action_result.data.\*.event_creator_email | string | | test@test.com -action_result.data.\*.event_id | string | `misp event id` | 2052 -action_result.data.\*.extends_uuid | string | | -action_result.data.\*.id | string | | -action_result.data.\*.info | string | | -action_result.data.\*.locked | boolean | | True False -action_result.data.\*.object_id | string | | 0 -action_result.data.\*.org_id | string | | 1 -action_result.data.\*.orgc_id | string | | 1 -action_result.data.\*.proposal_email_lock | boolean | | True False -action_result.data.\*.publish_timestamp | numeric | | 0 -action_result.data.\*.published | boolean | | True False -action_result.data.\*.sharing_group_id | string | | 0 -action_result.data.\*.threat_level_id | string | | -action_result.data.\*.timestamp | string | | 1623206691 -action_result.data.\*.to_ids | boolean | | True False -action_result.data.\*.type | string | | url -action_result.data.\*.uuid | string | | 82c82204-4ebd-42cb-a913-4df726b5d7fe -action_result.data.\*.value | string | `url` `domain` `ip` `email` `hash` `md5` `sha256` `md1` | 8.8.8.8 -action_result.data.0.id | string | `misp event id` | -action_result.summary.errors | string | | 'test' is/are invalid attribute name/names in 'json' action parameter -action_result.summary.message | string | | Event created with id: 2139 -action_result.message | string | | Message: Event created with id: 2139, Errors: 'test' is/are invalid attribute name/names in 'json' action parameter -summary.total_objects | numeric | | 1 -summary.total_objects_successful | numeric | | 1 +action_result.status | string 
| | success failed +action_result.parameter.add_attributes | boolean | | True False +action_result.parameter.analysis | string | | Initial +action_result.parameter.dest_emails | string | `email` | test@test.com +action_result.parameter.dest_ips | string | `ip` | 122.122.122.122 +action_result.parameter.distribution | string | | This Community Only +action_result.parameter.domains | string | `domain` | www.test.com +action_result.parameter.info | string | | Event Info Goes Here +action_result.parameter.json | string | | {"ip-src|port":"1.1.1.1:888"} +action_result.parameter.source_emails | string | `email` | test@test.com +action_result.parameter.source_ips | string | `ip` | 122.122.122.122 +action_result.parameter.threat_level_id | string | | undefined +action_result.parameter.to_ids | boolean | | True False +action_result.parameter.urls | string | `url` | https://test.com +action_result.parameter.tags | string | | test_1,test_2 +action_result.data.\*.Org.id | string | | 1 +action_result.data.\*.Org.local | boolean | | True False +action_result.data.\*.Org.name | string | | ORGNAME +action_result.data.\*.Org.uuid | string | | 2af87aa3-a713-4ca5-83f7-03ae949c8459 +action_result.data.\*.Orgc.id | string | | 1 +action_result.data.\*.Orgc.local | boolean | | True False +action_result.data.\*.Orgc.name | string | | ORGNAME +action_result.data.\*.Orgc.uuid | string | | 2af87aa3-a713-4ca5-83f7-03ae949c8459 +action_result.data.\*.analysis | string | | 0 +action_result.data.\*.attribute_count | string | | +action_result.data.\*.category | string | | Network activity +action_result.data.\*.comment | string | | +action_result.data.\*.date | string | | 2021-06-09 +action_result.data.\*.deleted | boolean | | True False +action_result.data.\*.disable_correlation | boolean | | True False +action_result.data.\*.distribution | string | | +action_result.data.\*.event_creator_email | string | | test@test.com +action_result.data.\*.event_id | string | `misp event id` | 2052 
+action_result.data.\*.extends_uuid | string | | +action_result.data.\*.id | string | | +action_result.data.\*.info | string | | +action_result.data.\*.locked | boolean | | True False +action_result.data.\*.object_id | string | | 0 +action_result.data.\*.org_id | string | | 1 +action_result.data.\*.orgc_id | string | | 1 +action_result.data.\*.proposal_email_lock | boolean | | True False +action_result.data.\*.publish_timestamp | numeric | | 0 +action_result.data.\*.published | boolean | | True False +action_result.data.\*.sharing_group_id | string | | 0 +action_result.data.\*.threat_level_id | string | | +action_result.data.\*.timestamp | string | | 1623206691 +action_result.data.\*.to_ids | boolean | | True False +action_result.data.\*.type | string | | url +action_result.data.\*.uuid | string | | 82c82204-4ebd-42cb-a913-4df726b5d7fe +action_result.data.\*.value | string | `url` `domain` `ip` `email` `hash` `md5` `sha256` `md1` | 8.8.8.8 +action_result.data.0.id | string | `misp event id` | +action_result.summary.errors | string | | 'test' is/are invalid attribute name/names in 'json' action parameter +action_result.summary.message | string | | Event created with id: 2139 +action_result.message | string | | Message: Event created with id: 2139, Errors: 'test' is/are invalid attribute name/names in 'json' action parameter +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'update event' Add attributes / IOCs to an event in MISP -Type: **generic** +Type: **generic** Read only: **False** Parameters urls, domains, source_ips, dest_ips, source_emails, dest_emails accept comma-separated values. 
@@ -230,58 +230,58 @@ Parameters urls, domains, source_ips, dest_ips, source_emails, dest_emails accep #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**event_id** | required | MISP event ID for adding attributes | numeric | `misp event id` -**to_ids** | optional | Set 'to_IDS' flag=True in MISP | boolean | -**source_ips** | optional | Source IPs to be added as attributes | string | `ip` -**dest_ips** | optional | Destination IPs to be added as attributes | string | `ip` -**domains** | optional | Domains to be added as attributes | string | `domain` -**source_emails** | optional | Source email addresses to be added as attributes | string | `email` -**dest_emails** | optional | Destination email addresses to be added as attributes | string | `email` -**urls** | optional | URLs to be added as attributes | string | `url` -**tags** | optional | Comma separated list of tags (append to existing tags default) | string | -**replace_tags** | optional | Replace tags with new provided tags | boolean | -**json** | optional | JSON key value list of attributes | string | +**event_id** | required | MISP event ID for adding attributes | numeric | `misp event id` +**to_ids** | optional | Set 'to_IDS' flag=True in MISP | boolean | +**source_ips** | optional | Source IPs to be added as attributes | string | `ip` +**dest_ips** | optional | Destination IPs to be added as attributes | string | `ip` +**domains** | optional | Domains to be added as attributes | string | `domain` +**source_emails** | optional | Source email addresses to be added as attributes | string | `email` +**dest_emails** | optional | Destination email addresses to be added as attributes | string | `email` +**urls** | optional | URLs to be added as attributes | string | `url` +**tags** | optional | Comma separated list of tags (append to existing tags default) | string | +**replace_tags** | optional | Replace tags with new provided tags 
| boolean | +**json** | optional | JSON key value list of attributes | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success failed -action_result.parameter.dest_emails | string | `email` | test@test.com -action_result.parameter.dest_ips | string | `ip` | 122.122.122.122 -action_result.parameter.domains | string | `domain` | www.test.com -action_result.parameter.event_id | numeric | `misp event id` | 686 -action_result.parameter.tags | string | | test_1,test2 -action_result.parameter.replace_tags | boolean | | True False -action_result.parameter.json | string | | {"comment":["email_1,email11","email_2"], "soufds":"jflkl"} -action_result.parameter.source_emails | string | `email` | test@test.com -action_result.parameter.source_ips | string | `ip` | 122.122.122.122 -action_result.parameter.to_ids | boolean | | True False -action_result.parameter.urls | string | `url` | http://test.com -action_result.data.\*.category | string | | Other -action_result.data.\*.comment | string | | -action_result.data.\*.deleted | boolean | | True False -action_result.data.\*.disable_correlation | boolean | | True False -action_result.data.\*.distribution | string | | 5 -action_result.data.\*.event_id | string | `misp event id` | 2121 -action_result.data.\*.id | string | `misp attribute id` | 5360 -action_result.data.\*.object_id | string | | 0 -action_result.data.\*.sharing_group_id | string | | 0 -action_result.data.\*.timestamp | string | | 1623038555 -action_result.data.\*.to_ids | boolean | | True False -action_result.data.\*.type | string | | port -action_result.data.\*.uuid | string | | 68e219ee-5727-4cb2-a32f-8dc27aa4231f -action_result.data.\*.value | string | `url` `domain` `ip` `email` `hash` `md5` `sha256` `md1` | email1@email.com -action_result.summary | string | | -action_result.summary.errors | string | | 'soufds' is/are invalid attribute name/names in 'json' action 
parameter -action_result.summary.message | string | | Attributes added to event: 2121 -action_result.message | string | | Message: Attributes added to event: 2121, Errors: 'soufds' is/are invalid attribute name/names in 'json' action parameter -summary.total_objects | numeric | | 1 -summary.total_objects_successful | numeric | | 1 +action_result.status | string | | success failed +action_result.parameter.dest_emails | string | `email` | test@test.com +action_result.parameter.dest_ips | string | `ip` | 122.122.122.122 +action_result.parameter.domains | string | `domain` | www.test.com +action_result.parameter.event_id | numeric | `misp event id` | 686 +action_result.parameter.tags | string | | test_1,test2 +action_result.parameter.replace_tags | boolean | | True False +action_result.parameter.json | string | | {"comment":["email_1,email11","email_2"], "soufds":"jflkl"} +action_result.parameter.source_emails | string | `email` | test@test.com +action_result.parameter.source_ips | string | `ip` | 122.122.122.122 +action_result.parameter.to_ids | boolean | | True False +action_result.parameter.urls | string | `url` | http://test.com +action_result.data.\*.category | string | | Other +action_result.data.\*.comment | string | | +action_result.data.\*.deleted | boolean | | True False +action_result.data.\*.disable_correlation | boolean | | True False +action_result.data.\*.distribution | string | | 5 +action_result.data.\*.event_id | string | `misp event id` | 2121 +action_result.data.\*.id | string | `misp attribute id` | 5360 +action_result.data.\*.object_id | string | | 0 +action_result.data.\*.sharing_group_id | string | | 0 +action_result.data.\*.timestamp | string | | 1623038555 +action_result.data.\*.to_ids | boolean | | True False +action_result.data.\*.type | string | | port +action_result.data.\*.uuid | string | | 68e219ee-5727-4cb2-a32f-8dc27aa4231f +action_result.data.\*.value | string | `url` `domain` `ip` `email` `hash` `md5` `sha256` `md1` | 
email1@email.com +action_result.summary | string | | +action_result.summary.errors | string | | 'soufds' is/are invalid attribute name/names in 'json' action parameter +action_result.summary.message | string | | Attributes added to event: 2121 +action_result.message | string | | Message: Attributes added to event: 2121, Errors: 'soufds' is/are invalid attribute name/names in 'json' action parameter +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'run query' Run a query to find events or attributes -Type: **investigate** +Type: **investigate** Read only: **True** By setting max_results to 0, you can get every result. It is recommended you do not do this, as MISP can return a lot of data. The default is 10, and this will be the oldest 10 results.

The other field expects a json string, which can have the key value pairs of any field which the search API supports.

By giving max results as a negative number, n, it will take the last n results from the query. From there, you can take the timestamp from the first object in the resulting list, then pass it in the other field like so: {"timestamp": <timestamp + 1>}. All the results will now be after that specified timestamp.

Also note that when searching for events, events with no attributes will not be returned. 
@@ -289,160 +289,160 @@ By setting max_results to 0, you can get every result. It is recommended you do #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**controller** | required | Search for events or attributes | string | -**max_results** | optional | Max results to return | numeric | -**event_id** | optional | Comma seperated list of Event IDs | string | `misp event id` -**tags** | optional | Comma seperated list of tags | string | -**other** | optional | Other search parameters, as a JSON object | string | +**controller** | required | Search for events or attributes | string | +**max_results** | optional | Max results to return | numeric | +**event_id** | optional | Comma seperated list of Event IDs | string | `misp event id` +**tags** | optional | Comma seperated list of tags | string | +**other** | optional | Other search parameters, as a JSON object | string | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success failed -action_result.parameter.controller | string | | events attributes -action_result.parameter.event_id | string | `misp event id` | 1 -action_result.parameter.max_results | numeric | | 1000 -action_result.parameter.other | string | | -action_result.parameter.tags | string | | test_1 -action_result.data.\*.\*.Event.Attribute.\*.category | string | | Network activity -action_result.data.\*.\*.Event.Attribute.\*.comment | string | | -action_result.data.\*.\*.Event.Attribute.\*.deleted | numeric | | True False -action_result.data.\*.\*.Event.Attribute.\*.disable_correlation | numeric | | True False -action_result.data.\*.\*.Event.Attribute.\*.distribution | string | | 5 -action_result.data.\*.\*.Event.Attribute.\*.event_id | string | | 1 -action_result.data.\*.\*.Event.Attribute.\*.first_seen | string | | -action_result.data.\*.\*.Event.Attribute.\*.id | string | | 4265 
-action_result.data.\*.\*.Event.Attribute.\*.last_seen | string | |
-action_result.data.\*.\*.Event.Attribute.\*.object_id | string | | 0
-action_result.data.\*.\*.Event.Attribute.\*.object_relation | string | |
-action_result.data.\*.\*.Event.Attribute.\*.sharing_group_id | string | | 0
-action_result.data.\*.\*.Event.Attribute.\*.timestamp | string | | 1622191169
-action_result.data.\*.\*.Event.Attribute.\*.to_ids | numeric | | True False
-action_result.data.\*.\*.Event.Attribute.\*.type | string | `url` | email-dst
-action_result.data.\*.\*.Event.Attribute.\*.uuid | string | | 03fa856e-b6f9-4e34-82ac-1e50dd058f37
-action_result.data.\*.\*.Event.Attribute.\*.value | string | `url` `domain` `ip` `email` `hash` `md5` `sha256` `md1` | abc@abc.com
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.category | string | | Payload delivery
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.comment | string | |
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.deleted | numeric | | True False
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.disable_correlation | numeric | | True False
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.distribution | string | | 5
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.event_id | string | | 2020
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.first_seen | string | |
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.id | string | | 4953
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.last_seen | string | |
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.object_id | string | | 10
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.object_relation | string | | filename
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.sharing_group_id | string | | 0
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.timestamp | string | | 1623078296
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.to_ids | numeric | | True False
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.type | string | | filename
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.uuid | string | | 2fd53a9b-44fd-4ebc-af93-0e1605cf3b64
-action_result.data.\*.\*.Event.Object.\*.Attribute.\*.value | string | `url` `domain` `ip` `email` `hash` `md5` `sha256` `md1` | 6.43.3.2
-action_result.data.\*.\*.Event.Object.\*.comment | string | |
-action_result.data.\*.\*.Event.Object.\*.deleted | numeric | | True False
-action_result.data.\*.\*.Event.Object.\*.description | string | | File object describing a file with meta-information
-action_result.data.\*.\*.Event.Object.\*.distribution | string | | 5
-action_result.data.\*.\*.Event.Object.\*.event_id | string | | 2020
-action_result.data.\*.\*.Event.Object.\*.first_seen | string | |
-action_result.data.\*.\*.Event.Object.\*.id | string | | 10
-action_result.data.\*.\*.Event.Object.\*.last_seen | string | |
-action_result.data.\*.\*.Event.Object.\*.meta-category | string | | file
-action_result.data.\*.\*.Event.Object.\*.name | string | | file
-action_result.data.\*.\*.Event.Object.\*.sharing_group_id | string | | 0
-action_result.data.\*.\*.Event.Object.\*.template_uuid | string | | 688c46fb-5edb-40a3-8273-1af7923e2215
-action_result.data.\*.\*.Event.Object.\*.template_version | string | | 24
-action_result.data.\*.\*.Event.Object.\*.timestamp | string | | 1623078296
-action_result.data.\*.\*.Event.Object.\*.uuid | string | | 4b5cb238-9e55-40eb-b60e-b30f71cab6f6
-action_result.data.\*.\*.Event.Org.id | string | | 1
-action_result.data.\*.\*.Event.Org.local | numeric | | True False
-action_result.data.\*.\*.Event.Org.name | string | | ORGNAME
-action_result.data.\*.\*.Event.Org.uuid | string | | 2af87aa3-a713-4ca5-83f7-03ae949c8459
-action_result.data.\*.\*.Event.Orgc.id | string | | 1
-action_result.data.\*.\*.Event.Orgc.local | numeric | | True False
-action_result.data.\*.\*.Event.Orgc.name | string | | ORGNAME
-action_result.data.\*.\*.Event.Orgc.uuid | string | | 2af87aa3-a713-4ca5-83f7-03ae949c8459
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.Org.id | string | | 1
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.Org.name | string | | ORGNAME
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.Org.uuid | string | | 2af87aa3-a713-4ca5-83f7-03ae949c8459
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.Orgc.id | string | | 1
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.Orgc.name | string | | ORGNAME
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.Orgc.uuid | string | | 2af87aa3-a713-4ca5-83f7-03ae949c8459
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.analysis | string | | 0
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.date | string | | 2021-06-14
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.distribution | string | | 1
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.id | string | | 2161
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.info | string | | Event created by test
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.org_id | string | | 1
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.orgc_id | string | | 1
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.published | numeric | | True False
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.threat_level_id | string | | 4
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.timestamp | string | | 1623645286
-action_result.data.\*.\*.Event.RelatedEvent.\*.Event.uuid | string | | f346cd43-ef47-4401-b725-a5f4f45a4ed3
-action_result.data.\*.\*.Event.Tag.\*.colour | string | | #7ab870
-action_result.data.\*.\*.Event.Tag.\*.exportable | numeric | | True False
-action_result.data.\*.\*.Event.Tag.\*.hide_tag | numeric | | True False
-action_result.data.\*.\*.Event.Tag.\*.id | string | | 8
-action_result.data.\*.\*.Event.Tag.\*.is_custom_galaxy | numeric | | True False
-action_result.data.\*.\*.Event.Tag.\*.is_galaxy | numeric | | True False
-action_result.data.\*.\*.Event.Tag.\*.local | numeric | | 1
-action_result.data.\*.\*.Event.Tag.\*.name | string | | test_1
-action_result.data.\*.\*.Event.Tag.\*.numerical_value | string | |
-action_result.data.\*.\*.Event.Tag.\*.user_id | string | | 1
-action_result.data.\*.\*.Event.analysis | string | | 0
-action_result.data.\*.\*.Event.attribute_count | string | | 7
-action_result.data.\*.\*.Event.date | string | | 2021-03-17
-action_result.data.\*.\*.Event.disable_correlation | numeric | | True False
-action_result.data.\*.\*.Event.distribution | string | | 1
-action_result.data.\*.\*.Event.event_creator_email | string | `email` | test@test.com
-action_result.data.\*.\*.Event.extends_uuid | string | |
-action_result.data.\*.\*.Event.id | string | | 1
-action_result.data.\*.\*.Event.info | string | | Event created by test
-action_result.data.\*.\*.Event.locked | numeric | | True False
-action_result.data.\*.\*.Event.org_id | string | | 1
-action_result.data.\*.\*.Event.orgc_id | string | | 1
-action_result.data.\*.\*.Event.proposal_email_lock | numeric | | True False
-action_result.data.\*.\*.Event.publish_timestamp | string | | 0
-action_result.data.\*.\*.Event.published | numeric | | True False
-action_result.data.\*.\*.Event.sharing_group_id | string | | 0
-action_result.data.\*.\*.Event.threat_level_id | string | | 4
-action_result.data.\*.\*.Event.timestamp | string | | 1623657727
-action_result.data.\*.\*.Event.uuid | string | | 15483d56-fc32-4e54-a8b4-e9f56e7818bd
-action_result.data.\*.Attribute.\*.Event.distribution | string | | 1
-action_result.data.\*.Attribute.\*.Event.id | string | | 2020
-action_result.data.\*.Attribute.\*.Event.info | string | | Event created by test
-action_result.data.\*.Attribute.\*.Event.org_id | string | | 1
-action_result.data.\*.Attribute.\*.Event.orgc_id | string | | 1
-action_result.data.\*.Attribute.\*.Event.uuid | string | | 342c12ab-32ad-41d0-aea2-1c3dccc6ce09
-action_result.data.\*.Attribute.\*.Object.distribution | string | | 5
-action_result.data.\*.Attribute.\*.Object.id | string | | 10
-action_result.data.\*.Attribute.\*.Object.sharing_group_id | string | | 0
-action_result.data.\*.Attribute.\*.category | string | | Other Payload delivery
-action_result.data.\*.Attribute.\*.comment | string | |
-action_result.data.\*.Attribute.\*.deleted | numeric | | True False
-action_result.data.\*.Attribute.\*.disable_correlation | numeric | | False True
-action_result.data.\*.Attribute.\*.distribution | string | | 5
-action_result.data.\*.Attribute.\*.event_id | string | `misp event id` | 1
-action_result.data.\*.Attribute.\*.first_seen | string | |
-action_result.data.\*.Attribute.\*.id | string | `misp attribute id` | 164201
-action_result.data.\*.Attribute.\*.last_seen | string | |
-action_result.data.\*.Attribute.\*.object_id | string | | 0 10
-action_result.data.\*.Attribute.\*.object_relation | string | | filename
-action_result.data.\*.Attribute.\*.sharing_group_id | string | | 0
-action_result.data.\*.Attribute.\*.timestamp | string | | 1498505296
-action_result.data.\*.Attribute.\*.to_ids | boolean | | True False
-action_result.data.\*.Attribute.\*.type | string | | comment filename
-action_result.data.\*.Attribute.\*.uuid | string | | 56e96919-ad18-4f68-8aa1-539002de0b81
-action_result.data.\*.Attribute.\*.value | string | `url` `domain` `ip` `email` `hash` `md5` `sha256` `md1` | email1@gmail.com
-action_result.data.\*.attribute_count | string | | 103
-action_result.summary | string | |
-action_result.message | string | | Successfully ran query
-summary.total_objects | numeric | | 1
-summary.total_objects_successful | numeric | | 1
+action_result.status | string | | success failed
+action_result.parameter.controller | string | | events attributes
+action_result.parameter.event_id | string | `misp event id` | 1
+action_result.parameter.max_results | numeric | | 1000
+action_result.parameter.other | string | |
+action_result.parameter.tags | string | | test_1
+action_result.data.\*.\*.Event.Attribute.\*.category | string | | Network activity
+action_result.data.\*.\*.Event.Attribute.\*.comment | string | |
+action_result.data.\*.\*.Event.Attribute.\*.deleted | numeric | | True False
+action_result.data.\*.\*.Event.Attribute.\*.disable_correlation | numeric | | True False
+action_result.data.\*.\*.Event.Attribute.\*.distribution | string | | 5
+action_result.data.\*.\*.Event.Attribute.\*.event_id | string | | 1
+action_result.data.\*.\*.Event.Attribute.\*.first_seen | string | |
+action_result.data.\*.\*.Event.Attribute.\*.id | string | | 4265
+action_result.data.\*.\*.Event.Attribute.\*.last_seen | string | |
+action_result.data.\*.\*.Event.Attribute.\*.object_id | string | | 0
+action_result.data.\*.\*.Event.Attribute.\*.object_relation | string | |
+action_result.data.\*.\*.Event.Attribute.\*.sharing_group_id | string | | 0
+action_result.data.\*.\*.Event.Attribute.\*.timestamp | string | | 1622191169
+action_result.data.\*.\*.Event.Attribute.\*.to_ids | numeric | | True False
+action_result.data.\*.\*.Event.Attribute.\*.type | string | `url` | email-dst
+action_result.data.\*.\*.Event.Attribute.\*.uuid | string | | 03fa856e-b6f9-4e34-82ac-1e50dd058f37
+action_result.data.\*.\*.Event.Attribute.\*.value | string | `url` `domain` `ip` `email` `hash` `md5` `sha256` `md1` | abc@abc.com
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.category | string | | Payload delivery
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.comment | string | |
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.deleted | numeric | | True False
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.disable_correlation | numeric | | True False
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.distribution | string | | 5
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.event_id | string | | 2020
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.first_seen | string | |
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.id | string | | 4953
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.last_seen | string | |
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.object_id | string | | 10
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.object_relation | string | | filename
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.sharing_group_id | string | | 0
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.timestamp | string | | 1623078296
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.to_ids | numeric | | True False
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.type | string | | filename
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.uuid | string | | 2fd53a9b-44fd-4ebc-af93-0e1605cf3b64
+action_result.data.\*.\*.Event.Object.\*.Attribute.\*.value | string | `url` `domain` `ip` `email` `hash` `md5` `sha256` `md1` | 6.43.3.2
+action_result.data.\*.\*.Event.Object.\*.comment | string | |
+action_result.data.\*.\*.Event.Object.\*.deleted | numeric | | True False
+action_result.data.\*.\*.Event.Object.\*.description | string | | File object describing a file with meta-information
+action_result.data.\*.\*.Event.Object.\*.distribution | string | | 5
+action_result.data.\*.\*.Event.Object.\*.event_id | string | | 2020
+action_result.data.\*.\*.Event.Object.\*.first_seen | string | |
+action_result.data.\*.\*.Event.Object.\*.id | string | | 10
+action_result.data.\*.\*.Event.Object.\*.last_seen | string | |
+action_result.data.\*.\*.Event.Object.\*.meta-category | string | | file
+action_result.data.\*.\*.Event.Object.\*.name | string | | file
+action_result.data.\*.\*.Event.Object.\*.sharing_group_id | string | | 0
+action_result.data.\*.\*.Event.Object.\*.template_uuid | string | | 688c46fb-5edb-40a3-8273-1af7923e2215
+action_result.data.\*.\*.Event.Object.\*.template_version | string | | 24
+action_result.data.\*.\*.Event.Object.\*.timestamp | string | | 1623078296
+action_result.data.\*.\*.Event.Object.\*.uuid | string | | 4b5cb238-9e55-40eb-b60e-b30f71cab6f6
+action_result.data.\*.\*.Event.Org.id | string | | 1
+action_result.data.\*.\*.Event.Org.local | numeric | | True False
+action_result.data.\*.\*.Event.Org.name | string | | ORGNAME
+action_result.data.\*.\*.Event.Org.uuid | string | | 2af87aa3-a713-4ca5-83f7-03ae949c8459
+action_result.data.\*.\*.Event.Orgc.id | string | | 1
+action_result.data.\*.\*.Event.Orgc.local | numeric | | True False
+action_result.data.\*.\*.Event.Orgc.name | string | | ORGNAME
+action_result.data.\*.\*.Event.Orgc.uuid | string | | 2af87aa3-a713-4ca5-83f7-03ae949c8459
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.Org.id | string | | 1
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.Org.name | string | | ORGNAME
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.Org.uuid | string | | 2af87aa3-a713-4ca5-83f7-03ae949c8459
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.Orgc.id | string | | 1
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.Orgc.name | string | | ORGNAME
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.Orgc.uuid | string | | 2af87aa3-a713-4ca5-83f7-03ae949c8459
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.analysis | string | | 0
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.date | string | | 2021-06-14
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.distribution | string | | 1
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.id | string | | 2161
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.info | string | | Event created by test
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.org_id | string | | 1
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.orgc_id | string | | 1
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.published | numeric | | True False
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.threat_level_id | string | | 4
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.timestamp | string | | 1623645286
+action_result.data.\*.\*.Event.RelatedEvent.\*.Event.uuid | string | | f346cd43-ef47-4401-b725-a5f4f45a4ed3
+action_result.data.\*.\*.Event.Tag.\*.colour | string | | #7ab870
+action_result.data.\*.\*.Event.Tag.\*.exportable | numeric | | True False
+action_result.data.\*.\*.Event.Tag.\*.hide_tag | numeric | | True False
+action_result.data.\*.\*.Event.Tag.\*.id | string | | 8
+action_result.data.\*.\*.Event.Tag.\*.is_custom_galaxy | numeric | | True False
+action_result.data.\*.\*.Event.Tag.\*.is_galaxy | numeric | | True False
+action_result.data.\*.\*.Event.Tag.\*.local | numeric | | 1
+action_result.data.\*.\*.Event.Tag.\*.name | string | | test_1
+action_result.data.\*.\*.Event.Tag.\*.numerical_value | string | |
+action_result.data.\*.\*.Event.Tag.\*.user_id | string | | 1
+action_result.data.\*.\*.Event.analysis | string | | 0
+action_result.data.\*.\*.Event.attribute_count | string | | 7
+action_result.data.\*.\*.Event.date | string | | 2021-03-17
+action_result.data.\*.\*.Event.disable_correlation | numeric | | True False
+action_result.data.\*.\*.Event.distribution | string | | 1
+action_result.data.\*.\*.Event.event_creator_email | string | `email` | test@test.com
+action_result.data.\*.\*.Event.extends_uuid | string | |
+action_result.data.\*.\*.Event.id | string | | 1
+action_result.data.\*.\*.Event.info | string | | Event created by test
+action_result.data.\*.\*.Event.locked | numeric | | True False
+action_result.data.\*.\*.Event.org_id | string | | 1
+action_result.data.\*.\*.Event.orgc_id | string | | 1
+action_result.data.\*.\*.Event.proposal_email_lock | numeric | | True False
+action_result.data.\*.\*.Event.publish_timestamp | string | | 0
+action_result.data.\*.\*.Event.published | numeric | | True False
+action_result.data.\*.\*.Event.sharing_group_id | string | | 0
+action_result.data.\*.\*.Event.threat_level_id | string | | 4
+action_result.data.\*.\*.Event.timestamp | string | | 1623657727 +action_result.data.\*.\*.Event.uuid | string | | 15483d56-fc32-4e54-a8b4-e9f56e7818bd +action_result.data.\*.Attribute.\*.Event.distribution | string | | 1 +action_result.data.\*.Attribute.\*.Event.id | string | | 2020 +action_result.data.\*.Attribute.\*.Event.info | string | | Event created by test +action_result.data.\*.Attribute.\*.Event.org_id | string | | 1 +action_result.data.\*.Attribute.\*.Event.orgc_id | string | | 1 +action_result.data.\*.Attribute.\*.Event.uuid | string | | 342c12ab-32ad-41d0-aea2-1c3dccc6ce09 +action_result.data.\*.Attribute.\*.Object.distribution | string | | 5 +action_result.data.\*.Attribute.\*.Object.id | string | | 10 +action_result.data.\*.Attribute.\*.Object.sharing_group_id | string | | 0 +action_result.data.\*.Attribute.\*.category | string | | Other Payload delivery +action_result.data.\*.Attribute.\*.comment | string | | +action_result.data.\*.Attribute.\*.deleted | numeric | | True False +action_result.data.\*.Attribute.\*.disable_correlation | numeric | | False True +action_result.data.\*.Attribute.\*.distribution | string | | 5 +action_result.data.\*.Attribute.\*.event_id | string | `misp event id` | 1 +action_result.data.\*.Attribute.\*.first_seen | string | | +action_result.data.\*.Attribute.\*.id | string | `misp attribute id` | 164201 +action_result.data.\*.Attribute.\*.last_seen | string | | +action_result.data.\*.Attribute.\*.object_id | string | | 0 10 +action_result.data.\*.Attribute.\*.object_relation | string | | filename +action_result.data.\*.Attribute.\*.sharing_group_id | string | | 0 +action_result.data.\*.Attribute.\*.timestamp | string | | 1498505296 +action_result.data.\*.Attribute.\*.to_ids | boolean | | True False +action_result.data.\*.Attribute.\*.type | string | | comment filename +action_result.data.\*.Attribute.\*.uuid | string | | 56e96919-ad18-4f68-8aa1-539002de0b81 +action_result.data.\*.Attribute.\*.value | string | `url` 
`domain` `ip` `email` `hash` `md5` `sha256` `md1` | email1@gmail.com +action_result.data.\*.attribute_count | string | | 103 +action_result.summary | string | | +action_result.message | string | | Successfully ran query +summary.total_objects | numeric | | 1 +summary.total_objects_successful | numeric | | 1 ## action: 'get attributes' Get attributes for a specific event -Type: **investigate** +Type: **investigate** Read only: **True** download_samples will only download files which are marked as a 'malware-sample'. 
@@ -450,42 +450,42 @@ Read only: **True** #### Action Parameters PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS --------- | -------- | ----------- | ---- | -------- -**event_id** | required | An Event ID | numeric | `misp event id` -**download_samples** | optional | Download malware samples to vault | boolean | +**event_id** | required | An Event ID | numeric | `misp event id` +**download_samples** | optional | Download malware samples to vault | boolean | #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- -action_result.status | string | | success failed -action_result.parameter.download_samples | boolean | | True False -action_result.parameter.event_id | numeric | `misp event id` | 686 -action_result.data.\*.Attribute.\*.Event.distribution | string | | 1 -action_result.data.\*.Attribute.\*.Event.id | string | `misp event id` | 2028 -action_result.data.\*.Attribute.\*.Event.info | string | | Event created by test -action_result.data.\*.Attribute.\*.Event.org_id | string | | 1 -action_result.data.\*.Attribute.\*.Event.orgc_id | string | | 1 -action_result.data.\*.Attribute.\*.Event.uuid | string | | 552d93e4-fa0d-48cb-810e-a5f56c0af5ea 342c12ab-32ad-41d0-aea2-1c3dccc6ce09 -action_result.data.\*.Attribute.\*.Object.distribution | string | | 5 -action_result.data.\*.Attribute.\*.Object.id | string | | 10 -action_result.data.\*.Attribute.\*.Object.sharing_group_id | string | | 0 -action_result.data.\*.Attribute.\*.category | string | | Network activity -action_result.data.\*.Attribute.\*.comment | string | | -action_result.data.\*.Attribute.\*.deleted | boolean | | False True -action_result.data.\*.Attribute.\*.disable_correlation | boolean | | False True -action_result.data.\*.Attribute.\*.distribution | string | | 5 -action_result.data.\*.Attribute.\*.event_id | string | `misp event id` | 686 -action_result.data.\*.Attribute.\*.first_seen | string | | -action_result.data.\*.Attribute.\*.id | string | 
`misp attribute id` | 164191 -action_result.data.\*.Attribute.\*.last_seen | string | | -action_result.data.\*.Attribute.\*.object_id | string | | 0 10 -action_result.data.\*.Attribute.\*.object_relation | string | | filename -action_result.data.\*.Attribute.\*.sharing_group_id | string | | 0 -action_result.data.\*.Attribute.\*.timestamp | string | | 1498002097 -action_result.data.\*.Attribute.\*.to_ids | boolean | | True False -action_result.data.\*.Attribute.\*.type | string | | ip-src -action_result.data.\*.Attribute.\*.uuid | string | | 5949b2b1-35b4-4152-a633-7e530a10000d -action_result.data.\*.Attribute.\*.value | string | `url` `domain` `ip` `email` `hash` `md5` `sha256` `md1` | 192.162.8.1 -action_result.summary | string | | -action_result.message | string | | Successfully retrieved attributes -summary.total_objects | numeric | | 1 -summary.total_objects_successful | numeric | | 1 +action_result.status | string | | success failed +action_result.parameter.download_samples | boolean | | True False +action_result.parameter.event_id | numeric | `misp event id` | 686 +action_result.data.\*.Attribute.\*.Event.distribution | string | | 1 +action_result.data.\*.Attribute.\*.Event.id | string | `misp event id` | 2028 +action_result.data.\*.Attribute.\*.Event.info | string | | Event created by test +action_result.data.\*.Attribute.\*.Event.org_id | string | | 1 +action_result.data.\*.Attribute.\*.Event.orgc_id | string | | 1 +action_result.data.\*.Attribute.\*.Event.uuid | string | | 552d93e4-fa0d-48cb-810e-a5f56c0af5ea 342c12ab-32ad-41d0-aea2-1c3dccc6ce09 +action_result.data.\*.Attribute.\*.Object.distribution | string | | 5 +action_result.data.\*.Attribute.\*.Object.id | string | | 10 +action_result.data.\*.Attribute.\*.Object.sharing_group_id | string | | 0 +action_result.data.\*.Attribute.\*.category | string | | Network activity +action_result.data.\*.Attribute.\*.comment | string | | +action_result.data.\*.Attribute.\*.deleted | boolean | | False True 
+action_result.data.\*.Attribute.\*.disable_correlation | boolean | | False True
+action_result.data.\*.Attribute.\*.distribution | string | | 5
+action_result.data.\*.Attribute.\*.event_id | string | `misp event id` | 686
+action_result.data.\*.Attribute.\*.first_seen | string | |
+action_result.data.\*.Attribute.\*.id | string | `misp attribute id` | 164191
+action_result.data.\*.Attribute.\*.last_seen | string | |
+action_result.data.\*.Attribute.\*.object_id | string | | 0 10
+action_result.data.\*.Attribute.\*.object_relation | string | | filename
+action_result.data.\*.Attribute.\*.sharing_group_id | string | | 0
+action_result.data.\*.Attribute.\*.timestamp | string | | 1498002097
+action_result.data.\*.Attribute.\*.to_ids | boolean | | True False
+action_result.data.\*.Attribute.\*.type | string | | ip-src
+action_result.data.\*.Attribute.\*.uuid | string | | 5949b2b1-35b4-4152-a633-7e530a10000d
+action_result.data.\*.Attribute.\*.value | string | `url` `domain` `ip` `email` `hash` `md5` `sha256` `md1` | 192.162.8.1
+action_result.summary | string | |
+action_result.message | string | | Successfully retrieved attributes
+summary.total_objects | numeric | | 1
+summary.total_objects_successful | numeric | | 1
\ No newline at end of file