MISP v2

Use the MISP integration to create and manage events, samples, and attributes, and add various object types.

Configure MISP V2 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for MISP V2.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • MISP server URL (e.g., https://192.168.0.1)
    • API Key
    • Use system proxy settings
    • Trust any certificate (not secure)
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Search for events: misp-search
  2. Get the reputation of a file: file
  3. Check if a URL is in MISP events: url
  4. Get the reputation of an IP address: ip
  5. Create a MISP event: misp-create-event
  6. Download a file sample: misp-download-sample
  7. Add an attribute to an event: misp-add-attribute
  8. Upload a file sample: misp-upload-sample
  9. Delete an event: misp-delete-event
  10. Add a tag to an event or attribute: misp-add-tag
  11. Add sighting to an attribute: misp-add-sighting
  12. Add an OSINT feed: misp-add-events-from-feed
  13. Add an email object to an event: misp-add-email-object
  14. Add a domain object to an event: misp-add-domain-object
  15. Add a URL object to an event: misp-add-url-object
  16. Add an object to an event: misp-add-object
  17. Add an IP object to an event: misp-add-ip-object

1. Search for events


Search for events in MISP.

Base Command

misp-search

Input

Argument Name Description Required
type The attribute type. Use any valid MISP attribute. Optional
value Search for the specified value in the attributes' value field. Optional
category The attribute category. Use any valid MISP attribute category. Optional
org Search by creator organization by supplying the organization ID. Optional
tags The tag to include in the results. To exclude a tag, prefix the tag name with "!". Logical operators can be used: "AND", "OR", and "NOT", each followed by ":". To use a list of tags, separate them by ",". To chain logical operators, use ";". For example, "AND:tag1,tag2;OR:tag3". Optional
from Event search start date (2015-02-15) Optional
to Event search end date (2015-02-15) Optional
last Events published within the last "x" amount of time. Valid time values are days, hours, and minutes (for example "5d", "12h", "30m"). This filter uses the published timestamp of the event. Optional
eventid The events to include or exclude from the search. Optional
uuid Return events that include an attribute with the given UUID. Alternatively, the event's UUID must match the value(s) passed, e.g., 59523300-4be8-4fa6-8867-0037ac110002. Optional
to_ids Return only the attributes set with the "to_ids" flag. Optional
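
The "tags" syntax described above can be checked before the expression is handed to misp-search. The following is an added example, not the integration's own code: the function names are hypothetical, and treating bare tags as OR-ed and allowing "!" inside an operator clause are assumptions of this example.

```python
OPERATORS = ("AND", "OR", "NOT")


def parse_tags_filter(expression):
    """Split a misp-search "tags" expression into operator -> tag list.

    Returns a dict such as {"AND": ["tag1", "tag2"], "OR": ["tag3"]}.
    Raises ValueError on empty clauses or contradictory filters.
    """
    result = {op: [] for op in OPERATORS}

    for clause in expression.split(";"):  # ";" chains logical operators
        clause = clause.strip()
        if not clause:
            continue

        # Only an exact AND/OR/NOT prefix is an operator. MISP tag names
        # often contain ":" themselves (for example "tlp:white"), so a
        # blind split on the first ":" would corrupt them.
        head, sep, tail = clause.partition(":")
        if sep and head.strip() in OPERATORS:
            operator, tag_list = head.strip(), tail
        else:
            operator, tag_list = "OR", clause  # assumption: bare tags are OR-ed

        tags = [t.strip() for t in tag_list.split(",") if t.strip()]
        if not tags:
            raise ValueError(f"no tags given in clause {clause!r}")

        for tag in tags:
            target = operator
            if tag.startswith("!"):  # "!" prefix excludes the tag
                target, tag = "NOT", tag[1:].strip()
                if not tag:
                    raise ValueError(f"empty excluded tag in clause {clause!r}")
            if tag not in result[target]:
                result[target].append(tag)

    # A tag that is both included and excluded can never match anything.
    conflicts = set(result["NOT"]) & (set(result["AND"]) | set(result["OR"]))
    if conflicts:
        raise ValueError(f"tags both included and excluded: {sorted(conflicts)}")

    return {op: tags for op, tags in result.items() if tags}


def to_command_argument(parsed):
    """Re-serialise a parsed filter using only the documented operator form."""
    return ";".join(
        f"{op}:{','.join(parsed[op])}" for op in OPERATORS if op in parsed
    )


if __name__ == "__main__":
    for expr in ("AND:tag1,tag2;OR:tag3", "tlp:white,!tlp:red"):
        parsed = parse_tags_filter(expr)
        print(expr, "->", parsed, "->", to_command_argument(parsed))
```
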

Context Output

Path Type Description
MISP.Event.ID number MISP event ID.
MISP.Event.Distribution number MISP event distribution.
MISP.Event.ThreatLevelID number Threat level of the MISP event (1 High, 2 Medium, 3 Low, 4 Undefined).
MISP.Event.PublishTimestamp number Timestamp of the publish time (if published).
MISP.Event.EventCreatorEmail string Email address of the event creator.
MISP.Event.Date date Event creation date.
MISP.Event.Locked boolean Whether the event is locked.
MISP.Event.OwnerOrganisation.ID number Owner organization ID.
MISP.Event.OwnerOrganisation.Name string Owner organization name.
MISP.Event.OwnerOrganisation.UUID string Owner organization UUID.
MISP.Event.RelatedEvent.ID number Event IDs of related events (can be a list).
MISP.Event.ProposalEmailLock boolean Whether email lock was proposed.
MISP.Event.Timestamp number Timestamp of the event.
MISP.Event.Galaxy.Description string Event's galaxy description.
MISP.Event.Galaxy.Name string Galaxy name.
MISP.Event.Galaxy.Type number Galaxy type.
MISP.Event.Published boolean Whether the event is published.
MISP.Event.DisableCorrelation boolean Whether correlation is disabled.
MISP.Event.UUID string Event UUID.
MISP.Event.ShadowAttribute Unknown Event shadow attributes.
MISP.Event.Attribute.Distribution number Attribute distribution.
MISP.Event.Attribute.Value string Attribute value.
MISP.Event.Attribute.EventID number Attribute event ID.
MISP.Event.Attribute.Timestamp number Attribute timestamp.
MISP.Event.Attribute.Deleted boolean Whether the attribute is deleted.
MISP.Event.Attribute.DisableCorrelation boolean Whether attribute correlation is disabled.
MISP.Event.Attribute.Type string Attribute type.
MISP.Event.Attribute.ID number Attribute ID.
MISP.Event.Attribute.UUID string Attribute UUID.
MISP.Event.Attribute.ShadowAttribute Unknown Attribute shadow attribute.
MISP.Event.Attribute.ToIDs boolean Whether the Intrusion Detection System flag is set.
MISP.Event.Attribute.Category string Attribute category.
MISP.Event.Attribute.SharingGroupID number Attribute sharing group ID.
MISP.Event.Attribute.Comment string Attribute comment.
MISP.Event.Analysis number Event analysis (0 Initial, 1 Ongoing, 2 Completed).
MISP.Event.SharingGroupID number Event sharing group ID.
MISP.Event.Tag.Name string All tag names in the event.
MISP.Event.Object.MetaCategory String Object Meta Category.
MISP.Event.Object.Distribution Number Distribution of object.
MISP.Event.Object.Name String Name of the object.
MISP.Event.Object.TemplateVersion Number Template version of the object.
MISP.Event.Object.EventID Number ID of the event in which the object was first created.
MISP.Event.Object.TemplateUUID String UUID of the template.
MISP.Event.Object.Timestamp String Timestamp of object creation.
MISP.Event.Object.Deleted Boolean Whether the object was deleted.
MISP.Event.Object.ID Number ID of object.
MISP.Event.Object.UUID String UUID of object.
MISP.Event.Object.Attribute.Value String Value of attribute.
MISP.Event.Object.Attribute.EventID Number ID of first event that originated from the object.
MISP.Event.Object.Attribute.Timestamp Date Timestamp of object creation.
MISP.Event.Object.Attribute.Deleted Boolean Whether the object was deleted.
MISP.Event.Object.Attribute.ObjectID Number ID of the object.
MISP.Event.Object.Attribute.DisableCorrelation Boolean Whether correlation is disabled.
MISP.Event.Object.Attribute.ID Unknown ID of the attribute.
MISP.Event.Object.Attribute.ObjectRelation String Relation of the object.
MISP.Event.Object.Attribute.Type String Type of object.
MISP.Event.Object.Attribute.UUID String UUID of the attribute.
MISP.Event.Object.Attribute.ToIDs Boolean Whether the ToIDs flag is on.
MISP.Event.Object.Attribute.Category String Category of the attribute.
MISP.Event.Object.Attribute.SharingGroupID Number ID of the sharing group.
MISP.Event.Object.Attribute.Comment String Comment of the attribute.
MISP.Event.Object.Description String Description of the object.

Command Example

!misp-search category="External analysis" type="url"

Context Example

{
    "MISP.Event": [
        {
            "EventCreatorEmail": "admin@admin.test", 
            "SharingGroupID": "0", 
            "Organisation": {
                "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", 
                "ID": "1", 
                "Name": "ORGNAME"
            }, 
            "ShadowAttribute": [], 
            "Distribution": "0", 
            "ProposalEmailLock": false, 
            "Timestamp": "1565012166", 
            "Object": [
                {
                    "Comment": "", 
                    "EventID": "743", 
                    "Timestamp": "1565012146", 
                    "Description": "Url object", 
                    "UUID": "3c90797e-2aba-4ac2-bc4a-73c797425e1f", 
                    "Deleted": false, 
                    "Attribute": [
                        {
                            "Category": "Network activity", 
                            "Comment": "", 
                            "ShadowAttribute": [], 
                            "UUID": "287e1b44-24c1-45b9-9ef9-541d00ae447b", 
                            "ObjectID": "3223", 
                            "Deleted": false, 
                            "Timestamp": "1565012146", 
                            "ToIDs": true, 
                            "Value": "www.google.com", 
                            "ID": "26138", 
                            "SharingGroupID": "0", 
                            "ObjectRelation": "domain", 
                            "EventID": "743", 
                            "DisableCorrelation": false, 
                            "Type": "url", 
                            "Distribution": "5", 
                            "Galaxy": []
                        }
                    ], 
                    "TemplateUUID": "9f8cea74-16fe-4968-a2b4-026676949ac6", 
                    "TemplateVersion": "7", 
                    "SharingGroupID": "0", 
                    "ObjectReference": [], 
                    "MetaCategory": "network", 
                    "Distribution": "5", 
                    "ID": "3223", 
                    "Name": "ip-port"
                }
            ], 
            "ThreatLevelID": "1", 
            "Date": "2019-08-05", 
            "RelatedEvent": [
                {
                    "ID": "753"
                }
            ], 
            "Info": "Example event", 
            "Locked": false, 
            "OwnerOrganisation": {
                "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", 
                "ID": "1", 
                "Name": "ORGNAME"
            }, 
            "Analysis": "0", 
            "Published": false, 
            "DisableCorrelation": false, 
            "ID": "743", 
            "PublishTimestamp": "0", 
            "UUID": "5d48302c-bf84-4671-9080-0728ac110002", 
            "Attribute": [
                {
                    "Category": "External analysis", 
                    "Comment": "Just an example", 
                    "ShadowAttribute": [], 
                    "UUID": "c320c9f6-4619-450a-b150-9c62e341fbfe", 
                    "ObjectID": "0", 
                    "Deleted": false, 
                    "Timestamp": "1565012014", 
                    "ToIDs": false, 
                    "Value": "www.example.com", 
                    "ID": "26128", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": null, 
                    "EventID": "743", 
                    "DisableCorrelation": false, 
                    "Type": "url", 
                    "Distribution": "0", 
                    "Galaxy": []
                }
            ], 
            "Galaxy": []
        }, 
        {
            "EventCreatorEmail": "admin@admin.test", 
            "SharingGroupID": "0", 
            "Organisation": {
                "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", 
                "ID": "1", 
                "Name": "ORGNAME"
            }, 
            "ShadowAttribute": [], 
            "Distribution": "0", 
            "ProposalEmailLock": false, 
            "Timestamp": "1565013591", 
            "Object": [], 
            "ThreatLevelID": "1", 
            "Date": "2019-08-05", 
            "RelatedEvent": [
                {
                    "ID": "743"
                }
            ], 
            "Info": "Example event", 
            "Locked": false, 
            "OwnerOrganisation": {
                "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", 
                "ID": "1", 
                "Name": "ORGNAME"
            }, 
            "Analysis": "0", 
            "Published": false, 
            "DisableCorrelation": false, 
            "ID": "753", 
            "PublishTimestamp": "0", 
            "UUID": "5d483655-ac78-4765-9169-70f7ac110002", 
            "Attribute": [
                {
                    "Category": "External analysis", 
                    "Comment": "Just an example", 
                    "ShadowAttribute": [], 
                    "UUID": "8468ac01-126f-4e73-8cff-7371303014aa", 
                    "ObjectID": "0", 
                    "Deleted": false, 
                    "Timestamp": "1565013591", 
                    "ToIDs": false, 
                    "Value": "www.example.com", 
                    "ID": "26160", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": null, 
                    "EventID": "753", 
                    "DisableCorrelation": false, 
                    "Type": "url", 
                    "Distribution": "0", 
                    "Galaxy": []
                }
            ], 
            "Galaxy": []
        }
    ]
}
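
Attributes reach the context in two places, directly under MISP.Event.Attribute and nested under MISP.Event.Object.Attribute, and the numeric fields arrive as strings. The following added example (not part of the integration) walks both locations and returns the indicators flagged ToIDs, merged per value. The function names are hypothetical, and the sample is constructed: event 743 is trimmed from the outputs on this page, event 900 is invented to show merging and the Deleted flag.

```python
import json
from datetime import datetime, timezone

# Threat level names as documented for MISP.Event.ThreatLevelID.
THREAT_LEVELS = {1: "High", 2: "Medium", 3: "Low", 4: "Undefined"}

# Constructed sample (see lead-in).
SAMPLE_CONTEXT = json.loads("""
{"MISP.Event": [
  {"ID": "743", "ThreatLevelID": "1", "Timestamp": "1565012166",
   "Object": [
     {"ID": "3223", "Name": "ip-port", "Deleted": false, "Attribute": [
       {"Type": "url", "Value": "www.google.com", "ToIDs": true, "Deleted": false}]}],
   "Attribute": [
     {"Type": "url", "Value": "www.example.com", "ToIDs": false, "Deleted": false},
     {"Type": "ip-src", "Value": "8.8.3.3", "ToIDs": true, "Deleted": false}]},
  {"ID": "900", "ThreatLevelID": "3", "Timestamp": "1565099999",
   "Object": [],
   "Attribute": [
     {"Type": "ip-src", "Value": "8.8.3.3", "ToIDs": true, "Deleted": false},
     {"Type": "domain", "Value": "old.example.com", "ToIDs": true, "Deleted": true}]}
]}
""")


def _as_list(value):
    """Tolerate a missing key or a single dict where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iter_attributes(event):
    """Yield (attribute, source) for event-level and object-nested attributes."""
    for attr in _as_list(event.get("Attribute")):
        yield attr, "event"
    for obj in _as_list(event.get("Object")):
        if obj.get("Deleted"):
            continue  # a deleted object takes its attributes with it
        for attr in _as_list(obj.get("Attribute")):
            yield attr, obj.get("Name") or "object"


def collect_ids_indicators(context):
    """Return one row per (type, value) that is ToIDs and not deleted."""
    merged = {}
    for event in _as_list(context.get("MISP.Event")):
        level_id = int(event.get("ThreatLevelID", 4))  # strings in practice
        event_ts = int(event.get("Timestamp", 0))
        for attr, source in iter_attributes(event):
            if not attr.get("ToIDs") or attr.get("Deleted"):
                continue
            row = merged.setdefault((attr["Type"], attr["Value"]), {
                "type": attr["Type"], "value": attr["Value"],
                "event_ids": [], "sources": [], "level_id": 4, "ts": 0,
            })
            if event["ID"] not in row["event_ids"]:
                row["event_ids"].append(event["ID"])
            if source not in row["sources"]:
                row["sources"].append(source)
            row["level_id"] = min(row["level_id"], level_id)  # 1 is most severe
            row["ts"] = max(row["ts"], event_ts)

    rows = []
    for row in merged.values():
        rows.append({
            "type": row["type"],
            "value": row["value"],
            "event_ids": row["event_ids"],
            "sources": row["sources"],
            "threat_level": THREAT_LEVELS.get(row["level_id"], "Undefined"),
            "latest_event_time": datetime.fromtimestamp(
                row["ts"], tz=timezone.utc).isoformat(),
        })
    return rows


if __name__ == "__main__":
    for indicator in collect_ids_indicators(SAMPLE_CONTEXT):
        print(indicator)
```
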

Human Readable Output

Results in MISP for search:

category type type_attribute
External analysis url url
Total of 2 events found

Event ID: 743

Analysis Attributes Event Creator Email Info Related Events Threat Level ID Timestamp
Initial [
{
"ID": "26128",
"Type": "url",
"Category": "External analysis",
"ToIDs": false,
"UUID": "c320c9f6-4619-450a-b150-9c62e341fbfe",
"EventID": "743",
"Distribution": "0",
"Timestamp": "1565012014",
"Comment": "Just an example",
"SharingGroupID": "0",
"Deleted": false,
"DisableCorrelation": false,
"ObjectID": "0",
"ObjectRelation": null,
"Value": "www.example.com",
"Galaxy": [],
"ShadowAttribute": []
},
{
"ID": "26136",
"Type": "ip-src",
"Category": "Payload delivery",
"ToIDs": true,
"UUID": "9fc2d7b1-b784-47fc-ad2d-cdcb5df85144",
"EventID": "743",
"Distribution": "5",
"Timestamp": "1565012133",
"Comment": "Unknown IP",
"SharingGroupID": "0",
"Deleted": false,
"DisableCorrelation": false,
"ObjectID": "0",
"ObjectRelation": null,
"Value": "8.8.3.3",
"Galaxy": [],
"ShadowAttribute": []
}
]
admin@admin.test Example event {'ID': '753'} HIGH 2019-08-05 13:36:06

2. Get the reputation of a file


Checks the file reputation of the given hash.

Base Command

file

Input

Argument Name Description Required
file A CSV list of file hashes to query. Can be MD5, SHA1, or SHA256. Required

Context Output

Path Type Description
File.MD5 Unknown Bad hash found.
File.SHA1 Unknown Bad SHA1 hash.
File.SHA256 Unknown Bad SHA256 hash.
File.Malicious.Vendor Unknown For malicious files, the vendor that made the decision.
File.Malicious.Description Unknown For malicious files, the reason that the vendor made the decision.
DBotScore.Indicator Unknown The indicator that was tested.
DBotScore.Type Unknown Indicator type.
DBotScore.Vendor Unknown The vendor used to calculate the score.
DBotScore.Score Unknown The actual score.

Command Example

!file file="3d74da0a7276735f1afae01951b39ff7a9d92c94"

Context Example

{
    "DBotScore": [
        {
            "Vendor": "MISP.None", 
            "Indicator": "3d74da0a7276735f1afae01951b39ff7a9d92c94", 
            "Score": 3, 
            "Type": "hash"
        }
    ], 
    "File": [
        {
            "Malicious": {
                "Vendor": "MISP.None", 
                "Description": "file hash found in MISP event with ID: 754"
            }, 
            "SHA1": "3d74da0a7276735f1afae01951b39ff7a9d92c94"
        }
    ]
}

Human Readable Output

Results found in MISP for hash: 3d74da0a7276735f1afae01951b39ff7a9d92c94

EventID Organisation Threat Level
754 MISP.None HIGH

3. Check if a URL is in MISP events


Checks if the URL is in MISP events.

Base Command

url

Input

Argument Name Description Required
url URL to check. Required

Context Output

Path Type Description
URL.Data Unknown Bad URLs found.
URL.Malicious.Vendor Unknown For malicious URLs, the vendor that made the decision.
URL.Malicious.Description Unknown For malicious URLs, the reason that the vendor made the decision.
DBotScore.Indicator Unknown The indicator that was tested.
DBotScore.Type Unknown Indicator type.
DBotScore.Vendor Unknown The vendor used to calculate the score.
DBotScore.Score Unknown The actual score.

Command Example

!url url="www.example.com"

Context Example

{
    "URL": [
        {
            "Malicious": {
                "Vendor": "MISP.ORGNAME", 
                "Description": "IP Found in MISP event: 743"
            }, 
            "Data": "www.example.com"
        }, 
        {
            "Malicious": {
                "Vendor": "MISP.ORGNAME", 
                "Description": "IP Found in MISP event: 753"
            }, 
            "Data": "www.example.com"
        }
    ], 
    "DBotScore": [
        {
            "Vendor": "MISP.ORGNAME", 
            "Indicator": "www.example.com", 
            "Score": 3, 
            "Type": "url"
        }, 
        {
            "Vendor": "MISP.ORGNAME", 
            "Indicator": "www.example.com", 
            "Score": 3, 
            "Type": "url"
        }
    ], 
    "MISP.Event": [
        {
            "EventCreatorEmail": "admin@admin.test", 
            "SharingGroupID": "0", 
            "Organisation": {
                "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", 
                "ID": "1", 
                "Name": "ORGNAME"
            }, 
            "ShadowAttribute": [], 
            "Distribution": "0", 
            "ProposalEmailLock": false, 
            "Timestamp": "1565013625", 
            "Object": [],
            "Attribute": [
                {
                    "Category": "External analysis", 
                    "Comment": "Just an example", 
                    "ShadowAttribute": [], 
                    "UUID": "c320c9f6-4619-450a-b150-9c62e341fbfe", 
                    "ObjectID": "0", 
                    "Deleted": false, 
                    "Timestamp": "1565012014", 
                    "ToIDs": false, 
                    "Value": "www.example.com", 
                    "ID": "26128", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": null, 
                    "EventID": "743", 
                    "DisableCorrelation": false, 
                    "Type": "url", 
                    "Distribution": "0", 
                    "Galaxy": []
                }
            ],
            "Galaxy": []
        }
    ]
}

Human Readable Output

MISP Reputation for URL: www.example.com

EventID Organisation Threat Level
743 MISP.ORGNAME HIGH
753 MISP.ORGNAME HIGH

4. Get the reputation of an IP address


Checks the reputation of an IP address.

Base Command

ip

Input

Argument Name Description Required
ip IP address to check. Required

Context Output

Path Type Description
IP.Address Unknown Bad IP address found.
IP.Malicious.Vendor Unknown For malicious IPs, the vendor that made the decision.
IP.Malicious.Description Unknown For malicious IPs, the reason that the vendor made the decision.
DBotScore.Indicator Unknown The indicator that was tested.
DBotScore.Type Unknown Indicator type.
DBotScore.Vendor Unknown The vendor used to calculate the score.
DBotScore.Score Unknown The actual score.

Command Example

!ip ip="8.8.3.3"

Context Example

{
    "IP": [
        {
            "Malicious": {
                "Vendor": "MISP.ORGNAME", 
                "Description": "IP Found in MISP event: 743"
            }, 
            "Address": "8.8.3.3"
        }
    ], 
    "DBotScore": [
        {
            "Vendor": "MISP.ORGNAME", 
            "Indicator": "8.8.3.3", 
            "Score": 3, 
            "Type": "ip"
        }
    ], 
    "MISP.Event": [
        {
            "EventCreatorEmail": "admin@admin.test", 
            "SharingGroupID": "0", 
            "Organisation": {
                "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", 
                "ID": "1", 
                "Name": "ORGNAME"
            }, 
            "ShadowAttribute": [], 
            "Distribution": "0", 
            "ProposalEmailLock": false, 
            "Timestamp": "1565013625", 
            "Object": [
            ],
            "Attribute": [
                {
                    "Category": "External analysis", 
                    "Comment": "Just an example", 
                    "ShadowAttribute": [], 
                    "UUID": "c320c9f6-4619-450a-b150-9c62e341fbfe", 
                    "ObjectID": "0", 
                    "Deleted": false, 
                    "Timestamp": "1565012014", 
                    "ToIDs": false, 
                    "Value": "8.8.3.3", 
                    "ID": "26128", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": null, 
                    "EventID": "743", 
                    "DisableCorrelation": false, 
                    "Type": "url", 
                    "Distribution": "0", 
                    "Galaxy": []
                }
            ],
            "Galaxy": []
        }
    ]
}

Human Readable Output

Results found in MISP for IP: 8.8.3.3

EventID Organisation Threat Level
743 MISP.ORGNAME HIGH

5. Create a MISP event


Creates a new MISP event.

Base Command

misp-create-event

Input

Argument Name Description Required
type Event type of the new event. Optional
category Category of the new event. Optional
to_ids Create the event with the IDS flag. Optional
distribution Where to distribute. Optional
comment Comment for the event. Optional
value Value to add to the event. Required
info Event name. Required
published Publish the event. Optional
threat_level_id MISP Threat level ID. Default is "high". Optional
analysis The analysis level. Default is "initial". Optional

Context Output

Path Type Description
MISP.Event.ID number MISP event ID.
MISP.Event.Distribution number MISP event distribution.
MISP.Event.ThreatLevelID number Threat level of the MISP event (1 High, 2 Medium, 3 Low, 4 Undefined).
MISP.Event.PublishTimestamp number Timestamp of the publish time (if published).
MISP.Event.EventCreatorEmail string Email address of the event creator.
MISP.Event.Date date Event creation date.
MISP.Event.Locked boolean Whether the event is locked.
MISP.Event.OwnerOrganisation.ID number Owner organization ID.
MISP.Event.OwnerOrganisation.Name string Owner organization name.
MISP.Event.OwnerOrganisation.UUID string Owner organization UUID.
MISP.Event.RelatedEvent.ID number Event IDs of related events (can be a list).
MISP.Event.ProposalEmailLock boolean Whether email lock is proposed.
MISP.Event.Timestamp number Timestamp of the event.
MISP.Event.Galaxy.Description string Event's galaxy description.
MISP.Event.Galaxy.Name string Galaxy name.
MISP.Event.Galaxy.Type number Galaxy type.
MISP.Event.Published boolean Whether the event is published.
MISP.Event.DisableCorrelation boolean Whether correlation is disabled.
MISP.Event.UUID string Event UUID.
MISP.Event.ShadowAttribute Unknown Event shadow attributes.
MISP.Event.Attribute.Distribution number Attribute distribution.
MISP.Event.Attribute.Value string Attribute value.
MISP.Event.Attribute.EventID number Attribute event ID.
MISP.Event.Attribute.Timestamp number Attribute timestamp.
MISP.Event.Attribute.Deleted boolean Whether the attribute was deleted.
MISP.Event.Attribute.DisableCorrelation boolean Whether attribute correlation is disabled.
MISP.Event.Attribute.Type string Attribute type.
MISP.Event.Attribute.ID number Attribute ID.
MISP.Event.Attribute.UUID string Attribute UUID.
MISP.Event.Attribute.ShadowAttribute Unknown Attribute shadow attribute.
MISP.Event.Attribute.ToIDs boolean Whether the Intrusion Detection System flag is set.
MISP.Event.Attribute.Category string Attribute category.
MISP.Event.Attribute.SharingGroupID number Attribute sharing group ID.
MISP.Event.Attribute.Comment string Attribute comment.
MISP.Event.Analysis number Event analysis (0 Initial, 1 Ongoing, 2 Completed).
MISP.Event.SharingGroupID number Event sharing group ID.
MISP.Event.Tag.Name string All tag names in the event.

Command Example

!misp-create-event info="Example event" value="www.example.com" category="External analysis" type="url" comment="Just an example"

Context Example

{
    "MISP.Event": [
        {
            "EventCreatorEmail": "admin@admin.test", 
            "SharingGroupID": "0", 
            "Organisation": {
                "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", 
                "ID": "1", 
                "Name": "ORGNAME"
            }, 
            "ShadowAttribute": [], 
            "Distribution": "0", 
            "ProposalEmailLock": false, 
            "Timestamp": "1565013591", 
            "Object": [], 
            "ThreatLevelID": "1", 
            "Date": "2019-08-05", 
            "RelatedEvent": [
                {
                    "ID": "743"
                }
            ], 
            "Info": "Example event", 
            "Locked": false, 
            "OwnerOrganisation": {
                "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", 
                "ID": "1", 
                "Name": "ORGNAME"
            }, 
            "Analysis": "0", 
            "Published": false, 
            "DisableCorrelation": false, 
            "ID": "753", 
            "PublishTimestamp": "0", 
            "UUID": "5d483655-ac78-4765-9169-70f7ac110002", 
            "Attribute": [
                {
                    "Category": "External analysis", 
                    "Comment": "Just an example", 
                    "ShadowAttribute": [], 
                    "UUID": "8468ac01-126f-4e73-8cff-7371303014aa", 
                    "ObjectID": "0", 
                    "Deleted": false, 
                    "Timestamp": "1565013591", 
                    "ToIDs": false, 
                    "Value": "www.example.com", 
                    "ID": "26160", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": null, 
                    "EventID": "753", 
                    "DisableCorrelation": false, 
                    "Type": "url", 
                    "Distribution": "0", 
                    "Galaxy": []
                }
            ], 
            "Galaxy": []
        }
    ]
}

Human Readable Output

MISP create event

New event with ID: 753 has been successfully created.

6. Download a file sample


Downloads a file sample from MISP.

Base Command

misp-download-sample

Input

Argument Name Description Required
hash A hash in MD5 format. If the "allSamples" argument is supplied, this can be any one of the following: md5, sha1, and sha256. Required
eventID If set, it will only fetch data from the given event ID. Optional
allSamples If set, it will return all samples from events that match the hash supplied in the "hash" argument. Optional
unzip Whether to return all files unzipped instead of one zipped file. Default is "false" (one zipped file). Optional

Context Output

There is no context output for this command.

Command Example

!misp-download-sample hash="3d74da0a7276735f1afae01951b39ff7a9d92c94"

Human Readable Output

Couldn't find file with hash 3d74da0a7276735f1afae01951b39ff7a9d92c94

7. Add an attribute to an event


Adds an attribute to an existing MISP event.

Base Command

misp-add-attribute

Input

Argument Name Description Required
id MISP event ID. Required
type Attribute type. Required
category Attribute category. Required
to_ids Return only events set with the "to_ids" flag, default is "true". Optional
distribution Where to distribute. Optional
comment Comment for the event. Required
value Attribute value. Required

Context Output

Path Type Description
MISP.Event.ID number MISP event ID.
MISP.Event.Distribution number MISP event distribution.
MISP.Event.ThreatLevelID number Threat level of the MISP event (1 High, 2 Medium, 3 Low, 4 Undefined).
MISP.Event.PublishTimestamp number Timestamp of the publish time (if published).
MISP.Event.EventCreatorEmail string Email address of the event creator.
MISP.Event.Date date Event creation date.
MISP.Event.Locked boolean Whether the event is locked.
MISP.Event.OwnerOrganisation.ID number Owner organization ID.
MISP.Event.OwnerOrganisation.Name string Owner organization name.
MISP.Event.OwnerOrganisation.UUID string Owner organization UUID.
MISP.Event.RelatedEvent.ID number Event IDs of related events (can be a list).
MISP.Event.ProposalEmailLock boolean Whether email lock is proposed.
MISP.Event.Timestamp number Timestamp of the event.
MISP.Event.Galaxy.Description string Galaxy description.
MISP.Event.Galaxy.Name string Galaxy name.
MISP.Event.Galaxy.Type number Galaxy type.
MISP.Event.Published boolean Whether the event is published.
MISP.Event.DisableCorrelation boolean Whether correlation is disabled.
MISP.Event.UUID string Event UUID.
MISP.Event.ShadowAttribute Unknown Event shadow attributes.
MISP.Event.Attribute.Distribution number Attribute distribution.
MISP.Event.Attribute.Value string Attribute value.
MISP.Event.Attribute.EventID number Attribute event ID.
MISP.Event.Attribute.Timestamp number Attribute timestamp.
MISP.Event.Attribute.Deleted boolean Whether the attribute was deleted.
MISP.Event.Attribute.DisableCorrelation boolean Whether attribute correlation is disabled.
MISP.Event.Attribute.Type string Attribute type.
MISP.Event.Attribute.ID number Attribute ID.
MISP.Event.Attribute.UUID string Attribute UUID.
MISP.Event.Attribute.ShadowAttribute Unknown Attribute shadow attribute.
MISP.Event.Attribute.ToIDs boolean Whether the Intrusion Detection System flag is set.
MISP.Event.Attribute.Category string Attribute category.
MISP.Event.Attribute.SharingGroupID number Attribute sharing group ID.
MISP.Event.Attribute.Comment string Attribute comment.
MISP.Event.Analysis number Event analysis (0 Initial, 1 Ongoing, 2 Completed).
MISP.Event.SharingGroupID number Event sharing group ID.
MISP.Event.Tag.Name string All tag names in the event.

Command Example

!misp-add-attribute id=743 comment="Unknown IP" value="8.8.3.3" category="Payload delivery" type="ip-src"

Context Example

{
    "MISP.Event": [
        {
            "EventCreatorEmail": "admin@admin.test", 
            "SharingGroupID": "0", 
            "Organisation": {
                "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", 
                "ID": "1", 
                "Name": "ORGNAME"
            }, 
            "ShadowAttribute": [], 
            "Distribution": "0", 
            "ProposalEmailLock": false, 
            "Timestamp": "1565013607", 
            "Object": [
                {
                    "Comment": "", 
                    "EventID": "743", 
                    "Timestamp": "1565012146", 
                    "Description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", 
                    "UUID": "3c90797e-2aba-4ac2-bc4a-73c797425e1f", 
                    "Deleted": false, 
                    "Attribute": [
                        {
                            "Category": "Network activity", 
                            "Comment": "", 
                            "ShadowAttribute": [], 
                            "UUID": "e3ada1ae-da37-4efe-9581-73aa95960624", 
                            "ObjectID": "3223", 
                            "Deleted": false, 
                            "Timestamp": "1565012146", 
                            "ToIDs": false, 
                            "Value": "8080", 
                            "ID": "26137", 
                            "SharingGroupID": "0", 
                            "ObjectRelation": "dst-port", 
                            "EventID": "743", 
                            "DisableCorrelation": true, 
                            "Type": "port", 
                            "Distribution": "5", 
                            "Galaxy": []
                        }, 
                        {
                            "Category": "Network activity", 
                            "Comment": "", 
                            "ShadowAttribute": [], 
                            "UUID": "287e1b44-24c1-45b9-9ef9-541d00ae447b", 
                            "ObjectID": "3223", 
                            "Deleted": false, 
                            "Timestamp": "1565012146", 
                            "ToIDs": true, 
                            "Value": "google.com", 
                            "ID": "26138", 
                            "SharingGroupID": "0", 
                            "ObjectRelation": "domain", 
                            "EventID": "743", 
                            "DisableCorrelation": false, 
                            "Type": "domain", 
                            "Distribution": "5", 
                            "Galaxy": []
                        }, 
                        {
                            "Category": "Network activity", 
                            "Comment": "", 
                            "ShadowAttribute": [], 
                            "UUID": "5ef0f03b-f85a-4d8d-97c3-c3f740623a73", 
                            "ObjectID": "3223", 
                            "Deleted": false, 
                            "Timestamp": "1565012146", 
                            "ToIDs": true, 
                            "Value": "8.8.8.8", 
                            "ID": "26139", 
                            "SharingGroupID": "0", 
                            "ObjectRelation": "ip", 
                            "EventID": "743", 
                            "DisableCorrelation": false, 
                            "Type": "ip-dst", 
                            "Distribution": "5", 
                            "Galaxy": []
                        }, 
                        {
                            "Category": "Network activity", 
                            "Comment": "", 
                            "ShadowAttribute": [], 
                            "UUID": "953e3da1-a4b5-4fe2-8d35-7e1afdb72e74", 
                            "ObjectID": "3223", 
                            "Deleted": false, 
                            "Timestamp": "1565012146", 
                            "ToIDs": true, 
                            "Value": "4.4.4.4", 
                            "ID": "26140", 
                            "SharingGroupID": "0", 
                            "ObjectRelation": "ip", 
                            "EventID": "743", 
                            "DisableCorrelation": false, 
                            "Type": "ip-dst", 
                            "Distribution": "5", 
                            "Galaxy": []
                        }, 
                        {
                            "Category": "Other", 
                            "Comment": "", 
                            "ShadowAttribute": [], 
                            "UUID": "f1d3cd7e-ed01-4aba-bb8f-65c0ac119707", 
                            "ObjectID": "3223", 
                            "Deleted": false, 
                            "Timestamp": "1565012146", 
                            "ToIDs": false, 
                            "Value": "2018-05-05", 
                            "ID": "26141", 
                            "SharingGroupID": "0", 
                            "ObjectRelation": "first-seen", 
                            "EventID": "743", 
                            "DisableCorrelation": true, 
                            "Type": "datetime", 
                            "Distribution": "5", 
                            "Galaxy": []
                        }
                    ], 
                    "TemplateUUID": "9f8cea74-16fe-4968-a2b4-026676949ac6", 
                    "TemplateVersion": "7", 
                    "SharingGroupID": "0", 
                    "ObjectReference": [], 
                    "MetaCategory": "network", 
                    "Distribution": "5", 
                    "ID": "3223", 
                    "Name": "ip-port"
                }
            ], 
            "ThreatLevelID": "1", 
            "Date": "2019-08-05", 
            "RelatedEvent": [
                {
                    "ID": "753"
                }
            ], 
            "Info": "Example event", 
            "Locked": false, 
            "OwnerOrganisation": {
                "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", 
                "ID": "1", 
                "Name": "ORGNAME"
            }, 
            "Analysis": "0", 
            "Published": false, 
            "DisableCorrelation": false, 
            "ID": "743", 
            "PublishTimestamp": "0", 
            "UUID": "5d48302c-bf84-4671-9080-0728ac110002", 
            "Attribute": [], 
            "Galaxy": []
        }
    ]
}

Human Readable Output

MISP add attribute

New attribute: 8.8.3.3 was added to event id 743.

8. Upload a file sample


Uploads a file sample to MISP.

Base Command

misp-upload-sample

Input

Argument Name Description Required
fileEntryID Entry ID of the file to upload. Required
event_id The event ID of the event to which to add the uploaded file. Optional
distribution The distribution setting used for the attributes and for the newly created event, if relevant (0-3). Optional
to_ids Whether to mark all attributes created during the transaction as "to_ids". Optional
category The category that will be assigned to the uploaded samples (Payload delivery, Artifacts dropped, Payload Installation, External Analysis). Optional
info Used to populate the event info field if no event ID is supplied. Alternatively, if not supplied, MISP will generate a message showing that it is a malware sample collection generated on the given day. Optional
analysis The analysis level. Default is "initial". Optional
threat_level_id The threat level ID of the newly created event. Default is "high". Optional
comment This will populate the comment field of any attribute created using this API. Optional

Context Output

Path Type Description
MISP.UploadedSample Unknown Object containing {filename: event id} of the uploaded file.

Command Example

!misp-upload-sample fileEntryID=655@6 info="MISP V2 Integration"

Context Example

{
    "MISP.UploadedSample": {
        "MISP_V2_unified.yml": 754
    }
}

Human Readable Output

MISP upload sample

  • message: Success, saved all attributes.
  • event id: 754
  • file name: MISP_V2_unified.yml

9. Delete an event


Deletes an event according to event ID.

Base Command

misp-delete-event

Input

Argument Name Description Required
event_id Event ID to delete. Required

Context Output

There is no context output for this command.

Command Example

!misp-delete-event event_id=735

Human Readable Output

10. Add a tag to an event or attribute


Adds a tag to the given UUID event or attribute.

Base Command

misp-add-tag

Input

Argument Name Description Required
uuid UUID of the attribute/event, for example: "59575300-4be8-4ff6-8767-0037ac110032". Required
tag Tag to add to the attribute or event. Required

Context Output

Path Type Description
MISP.Event.ID number MISP event ID.
MISP.Event.Distribution number MISP event distribution.
MISP.Event.ThreatLevelID number Threat level of the MISP event (1 High, 2 Medium, 3 Low, 4 Undefined).
MISP.Event.PublishTimestamp number Timestamp of the publish time (if published).
MISP.Event.EventCreatorEmail string Email address of the event creator.
MISP.Event.Date date Event creation date.
MISP.Event.Locked boolean Whether the event is locked.
MISP.Event.OwnerOrganisation.ID number Owner organization ID.
MISP.Event.OwnerOrganisation.Name string Owner organization name.
MISP.Event.OwnerOrganisation.UUID string Owner organization UUID.
MISP.Event.RelatedEvent.ID number Event IDs of related events (can be a list).
MISP.Event.ProposalEmailLock boolean Whether email lock is proposed.
MISP.Event.Timestamp number Timestamp of the event.
MISP.Event.Galaxy.Description string Galaxy description.
MISP.Event.Galaxy.Name string Galaxy name.
MISP.Event.Galaxy.Type number Galaxy type
MISP.Event.Published boolean Whether the event is published.
MISP.Event.DisableCorrelation boolean Whether correlation is disabled.
MISP.Event.UUID string Event UUID
MISP.Event.ShadowAttribute Unknown Event shadow attributes
MISP.Event.Attribute.Distribution number Attribute distribution
MISP.Event.Attribute.Value string Attribute value
MISP.Event.Attribute.EventID number Attribute event ID
MISP.Event.Attribute.Timestamp number Attribute timestamp
MISP.Event.Attribute.Deleted boolean Is the attribute deleted
MISP.Event.Attribute.DisableCorrelation boolean Is attribute correlation disabled
MISP.Event.Attribute.Type string Attribute type
MISP.Event.Attribute.ID number Attribute ID
MISP.Event.Attribute.UUID string Attribute UUID
MISP.Event.Attribute.ShadowAttribute Unknown Attribute shadow attribute
MISP.Event.Attribute.ToIDs boolean Is the Intrusion Detection System flag set
MISP.Event.Attribute.Category string Attribute category
MISP.Event.Attribute.SharingGroupID number Attribute sharing group ID
MISP.Event.Attribute.Comment string Attribute comment
MISP.Event.Analysis number Event analysis (0 Initial, 1 Ongoing, 2 Completed)
MISP.Event.SharingGroupID number Event sharing group ID
MISP.Event.Tag.Name string All tag names in the event

Command Example

!misp-add-tag tag="Example tag" uuid=5ce29ac4-3b54-459e-a6ee-00acac110002

Context Example

{
    "MISP.Event": []
}

Human Readable Output

Tag Example tag has been successfully added to event 5ce29ac4-3b54-459e-a6ee-00acac110002

11. Add sighting to an attribute


Adds sighting to an attribute. The id and uuid arguments are optional, but one must be specified in the command.

Base Command

misp-add-sighting

Input

Argument Name Description Required
type Type of sighting to add. Required
id ID of the attribute to which to add a sighting. Required if uuid is empty. Can be retrieved from the misp-search command. Optional
uuid UUID of the attribute to which to add a sighting. Required if id is empty. Can be retrieved from the misp-search command. Optional

Context Output

There is no context output for this command.

Command Example

!misp-add-sighting type=sighting uuid=23513ce2-2060-4bc8-9b44-6bd735e4f740

Human Readable Output

Sighting 'sighting' has been successfully added to attribute 23513ce2-2060-4bc8-9b44-6bd735e4f740

12. Add an OSINT feed


Adds an OSINT feed.

Base Command

misp-add-events-from-feed

Input

Argument Name Description Required
feed URL of the feed to add. Optional
limit Maximum number of files to add. Optional

Context Output

Path Type Description
MISP.Event.ID number IDs of newly created events.

Command Example

!misp-add-events-from-feed limit=14 feed=CIRCL

Human Readable Output

Total of 0 events was added to MISP.

13. Add an email object to an event


Adds an email object to the specified event ID.

Base Command

misp-add-email-object

Input

Argument Name Description Required
entry_id Entry ID of the email. Required
event_id ID of the event to which to add the object. Required

Context Output

Path Type Description
MISP.Event.ID number MISP event ID.
MISP.Event.Object.MetaCategory String Object meta category.
MISP.Event.Object.Distribution Number Distribution of object.
MISP.Event.Object.Name String Name of the object.
MISP.Event.Object.TemplateVersion Number Template version of the object.
MISP.Event.Object.EventID Number ID of the event in which the object was first created.
MISP.Event.Object.TemplateUUID String UUID of the template.
MISP.Event.Object.Timestamp String Timestamp when the object was created.
MISP.Event.Object.Deleted Boolean Whether the object was deleted.
MISP.Event.Object.ID Number ID of the object.
MISP.Event.Object.UUID String UUID of the object.
MISP.Event.Object.Attribute.Value String Value of the attribute.
MISP.Event.Object.Attribute.EventID Number ID of the first event from which the object originated.
MISP.Event.Object.Attribute.Timestamp Date Timestamp when the object was created.
MISP.Event.Object.Attribute.Deleted Boolean Whether the object was deleted.
MISP.Event.Object.Attribute.ObjectID Number ID of the object.
MISP.Event.Object.Attribute.DisableCorrelation Boolean Whether correlation is disabled.
MISP.Event.Object.Attribute.ID Unknown ID of the attribute.
MISP.Event.Object.Attribute.ObjectRelation String Relation of the object.
MISP.Event.Object.Attribute.Type String Object type.
MISP.Event.Object.Attribute.UUID String UUID of the attribute.
MISP.Event.Object.Attribute.ToIDs Boolean Whether the ToIDs flag is on.
MISP.Event.Object.Attribute.Category String Category of the attribute.
MISP.Event.Object.Attribute.SharingGroupID Number ID of the sharing group.
MISP.Event.Object.Attribute.Comment String Comment of the attribute.
MISP.Event.Object.Description String Description of the object.

Command Example

!misp-add-email-object event_id=743 entry_id=678@6

Context Example

{
    "MISP.Event": {
        "Object": {
            "Comment": "", 
            "EventID": "743", 
            "Timestamp": "1565013620", 
            "Description": "Email object describing an email with meta-information", 
            "UUID": "e00e6a2c-682b-48b3-bb01-aee21832ebf0", 
            "Deleted": false, 
            "Attribute": [
                {
                    "Category": "External analysis", 
                    "Comment": "", 
                    "UUID": "52d1d881-a1fb-4a2c-b5bc-047fb0073c2f", 
                    "ObjectID": "3231", 
                    "Deleted": false, 
                    "Timestamp": "1565013620", 
                    "ToIDs": false, 
                    "Value": "Full email.eml", 
                    "ID": "26175", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "eml", 
                    "EventID": "743", 
                    "value1": "Full email.eml", 
                    "DisableCorrelation": true, 
                    "Type": "attachment", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Payload delivery", 
                    "Comment": "", 
                    "UUID": "5ddaae1c-ce54-4191-9d61-907d2c101103", 
                    "ObjectID": "3231", 
                    "Deleted": false, 
                    "Timestamp": "1565013620", 
                    "ToIDs": false, 
                    "Value": "<example.gmail.com>", 
                    "ID": "26177", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "message-id", 
                    "EventID": "743", 
                    "value1": "<example.gmail.com>", 
                    "DisableCorrelation": true, 
                    "Type": "email-message-id", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Network activity", 
                    "Comment": "", 
                    "UUID": "26daac8a-730e-4951-bad1-d8134feba2cb", 
                    "ObjectID": "3231", 
                    "Deleted": false, 
                    "Timestamp": "1565013620", 
                    "ToIDs": true, 
                    "Value": "\"Example Demisto (ca)\" <example@demisto.com>", 
                    "ID": "26178", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "to", 
                    "EventID": "743", 
                    "value1": "\"Example Demisto (ca)\" <example@demisto.com>", 
                    "DisableCorrelation": true, 
                    "Type": "email-dst", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Payload delivery", 
                    "Comment": "", 
                    "UUID": "d6ca6b5f-edba-4d46-9a9f-15fec4f6bd2b", 
                    "ObjectID": "3231", 
                    "Deleted": false, 
                    "Timestamp": "1565013620", 
                    "ToIDs": false, 
                    "Value": "[TEST][DEMISTO] CASO 1 EMAIL DA SISTEMA DEMISTO | ZIP+PASSWORD", 
                    "ID": "26179", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "subject", 
                    "EventID": "743", 
                    "value1": "[TEST][DEMISTO] CASO 1 EMAIL DA SISTEMA DEMISTO | ZIP+PASSWORD", 
                    "DisableCorrelation": false, 
                    "Type": "email-subject", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Payload delivery", 
                    "Comment": "", 
                    "UUID": "983eaba4-a94e-49ab-ae18-40151778a9ba", 
                    "ObjectID": "3231", 
                    "Deleted": false, 
                    "Timestamp": "1565013620", 
                    "ToIDs": true, 
                    "Value": "\"Example Demisto (ca)\" <example@demisto.com>", 
                    "ID": "26180", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "from", 
                    "EventID": "743", 
                    "value1": "\"Example Demisto (ca)\" <example@demisto.com>", 
                    "DisableCorrelation": false, 
                    "Type": "email-src", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Payload delivery", 
                    "Comment": "", 
                    "UUID": "c432d6c7-5d34-4b64-a6b4-5813d1874bd2", 
                    "ObjectID": "3231", 
                    "Deleted": false, 
                    "Timestamp": "1565013620", 
                    "ToIDs": true, 
                    "Value": "example@demisto.com", 
                    "ID": "26181", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "return-path", 
                    "EventID": "743", 
                    "value1": "example@demisto.com", 
                    "DisableCorrelation": false, 
                    "Type": "email-src", 
                    "Distribution": "5", 
                    "value2": ""
                }
            ], 
            "TemplateUUID": "a0c666e0-fc65-4be8-b48f-3423d788b552", 
            "TemplateVersion": "12", 
            "SharingGroupID": "0", 
            "MetaCategory": "network", 
            "Distribution": "5", 
            "ID": "3231", 
            "Name": "email"
        }, 
        "ID": "743"
    }
}

Human Readable Output

Object has been added to MISP event ID 743

14. Add a domain object to an event


Adds a domain object.

Base Command

misp-add-domain-object

Input

Argument Name Description Required
event_id ID of a MISP event. Required
name The domain name, for example: "google.com". Required
dns A list (array) of IP addresses resolved by DNS. Required
creation_date Date that the domain was created. Optional
last_seen Datetime that the domain was last seen, for example: 2019-02-03. Optional
first_seen Datetime that the domain was first seen, for example: 2019-02-03. Optional
text A description of the domain. Optional

Context Output

Path Type Description
MISP.Event.ID number MISP event ID.
MISP.Event.Object.MetaCategory String Object meta category.
MISP.Event.Object.Distribution Number Distribution of the object.
MISP.Event.Object.Name String Name of the object.
MISP.Event.Object.TemplateVersion Number Template version of the object.
MISP.Event.Object.EventID Number ID of the event in which the object was first created.
MISP.Event.Object.TemplateUUID String UUID of the template.
MISP.Event.Object.Timestamp String Timestamp when the object was created.
MISP.Event.Object.Deleted Boolean Whether the object was deleted.
MISP.Event.Object.ID Number ID of the object.
MISP.Event.Object.UUID String UUID of the object.
MISP.Event.Object.Attribute.Value String Value of the attribute.
MISP.Event.Object.Attribute.EventID Number ID of the first event from which the object originated.
MISP.Event.Object.Attribute.Timestamp Date Timestamp of object creation
MISP.Event.Object.Attribute.Deleted Boolean Whether the object was deleted.
MISP.Event.Object.Attribute.ObjectID Number ID of the object.
MISP.Event.Object.Attribute.DisableCorrelation Boolean Whether correlation is disabled.
MISP.Event.Object.Attribute.ID Unknown ID of the attribute.
MISP.Event.Object.Attribute.ObjectRelation String Relation of the object.
MISP.Event.Object.Attribute.Type String Object type.
MISP.Event.Object.Attribute.UUID String UUID of the attribute.
MISP.Event.Object.Attribute.ToIDs Boolean Whether the ToIDs flag is on.
MISP.Event.Object.Attribute.Category String Category of the attribute.
MISP.Event.Object.Attribute.SharingGroupID Number ID of the sharing group.
MISP.Event.Object.Attribute.Comment String Comment of the attribute.
MISP.Event.Object.Description String Description of the object.

Command Example

!misp-add-domain-object event_id=743 dns="8.8.8.8,8.8.4.4" name="google.com" text="Google DNS"

Context Example

{
    "MISP.Event": {
        "Object": {
            "Comment": "", 
            "EventID": "743", 
            "Timestamp": "1565013623", 
            "Description": "A domain and IP address seen as a tuple in a specific time frame.", 
            "UUID": "ee732c55-78d4-4e2a-8616-e1b07c85397b", 
            "Deleted": false, 
            "Attribute": [
                {
                    "Category": "Network activity", 
                    "Comment": "", 
                    "UUID": "c52ec904-30c9-47ce-a7d5-a1aaa9326576", 
                    "ObjectID": "3232", 
                    "Deleted": false, 
                    "Timestamp": "1565013623", 
                    "ToIDs": true, 
                    "Value": "8.8.8.8", 
                    "ID": "26182", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "ip", 
                    "EventID": "743", 
                    "value1": "8.8.8.8", 
                    "DisableCorrelation": false, 
                    "Type": "ip-dst", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Network activity", 
                    "Comment": "", 
                    "UUID": "b48f0132-c90a-4b79-ae12-190476155b47", 
                    "ObjectID": "3232", 
                    "Deleted": false, 
                    "Timestamp": "1565013623", 
                    "ToIDs": true, 
                    "Value": "8.8.4.4", 
                    "ID": "26183", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "ip", 
                    "EventID": "743", 
                    "value1": "8.8.4.4", 
                    "DisableCorrelation": false, 
                    "Type": "ip-dst", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Network activity", 
                    "Comment": "", 
                    "UUID": "8fc80065-07ca-4151-b8e4-df919aa53dbb", 
                    "ObjectID": "3232", 
                    "Deleted": false, 
                    "Timestamp": "1565013623", 
                    "ToIDs": true, 
                    "Value": "google.com", 
                    "ID": "26184", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "domain", 
                    "EventID": "743", 
                    "value1": "google.com", 
                    "DisableCorrelation": false, 
                    "Type": "domain", 
                    "Distribution": "5", 
                    "value2": ""
                }
            ], 
            "TemplateUUID": "43b3b146-77eb-4931-b4cc-b66c60f28734", 
            "TemplateVersion": "6", 
            "SharingGroupID": "0", 
            "MetaCategory": "network", 
            "Distribution": "5", 
            "ID": "3232", 
            "Name": "domain-ip"
        }, 
        "ID": "743"
    }
}

Human Readable Output

Object has been added to MISP event ID 743
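
Added example (not part of the original integration documentation): the object commands return attributes with ToIDs and Deleted flags, and the sample above flags 8.8.8.8, 8.8.4.4 and google.com for IDS export. The sketch below pulls IDS-flagged values out of a context entry and holds back known-benign infrastructure before it reaches a detection or block list. The function names, the allowlist parameters and the 203.0.113.7 / 198.51.100.9 / text attributes in the sample are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample: trimmed from the misp-add-domain-object context example,
# plus three constructed attributes (203.0.113.7, a deleted one, a non-IDS one).
SAMPLE_CONTEXT = json.loads("""
{
  "MISP.Event": {
    "ID": "743",
    "Object": {
      "ID": "3232", "Name": "domain-ip", "Deleted": false,
      "Attribute": [
        {"Type": "ip-dst", "Value": "8.8.8.8", "ToIDs": true, "Deleted": false},
        {"Type": "ip-dst", "Value": "8.8.4.4", "ToIDs": true, "Deleted": false},
        {"Type": "domain", "Value": "google.com", "ToIDs": true, "Deleted": false},
        {"Type": "ip-dst", "Value": "203.0.113.7", "ToIDs": true, "Deleted": false},
        {"Type": "ip-dst", "Value": "198.51.100.9", "ToIDs": true, "Deleted": true},
        {"Type": "text", "Value": "Google DNS", "ToIDs": false, "Deleted": false}
      ]
    }
  }
}
""")


def _as_list(node):
    """Context nodes appear either as one dict or as a list of dicts."""
    if node is None:
        return []
    return node if isinstance(node, list) else [node]


def iter_object_attributes(context):
    """Yield (event_id, object_name, attribute) for every live object attribute."""
    for event in _as_list(context.get("MISP.Event")):
        for obj in _as_list(event.get("Object")):
            if obj.get("Deleted"):
                continue
            for attr in _as_list(obj.get("Attribute")):
                yield event.get("ID"), obj.get("Name"), attr


def _allowlisted(attr_type, value, allow_domains, allow_networks):
    """True if the value is known-benign infrastructure that must not be exported."""
    if attr_type in ("ip-dst", "ip-src"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False  # malformed address: do not treat it as benign
        return any(addr in net for net in allow_networks)
    if attr_type in ("domain", "hostname"):
        host = value.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in allow_domains)
    return False


def ids_indicators(context, allow_domains=(), allow_cidrs=()):
    """Return (export, held_back).

    export    -- {attribute type: sorted unique values} with ToIDs set and not deleted
    held_back -- [(event_id, type, value)] that matched the allowlist, for review
    """
    allow_networks = [ipaddress.ip_network(c) for c in allow_cidrs]
    allow_domains = [d.lower() for d in allow_domains]
    export, held_back = {}, []
    for event_id, _obj_name, attr in iter_object_attributes(context):
        if attr.get("Deleted") or not attr.get("ToIDs"):
            continue
        attr_type, value = attr.get("Type"), attr.get("Value")
        if not attr_type or not value:
            continue
        if _allowlisted(attr_type, value, allow_domains, allow_networks):
            held_back.append((event_id, attr_type, value))
        else:
            export.setdefault(attr_type, set()).add(value)
    return {t: sorted(v) for t, v in export.items()}, held_back


if __name__ == "__main__":
    export, held_back = ids_indicators(
        SAMPLE_CONTEXT,
        allow_domains=["google.com"],
        allow_cidrs=["8.8.8.8/32", "8.8.4.4/32"],
    )
    print("export:", export)
    print("held back for review:", held_back)
```

The same function accepts the list-shaped context returned by misp-add-attribute, where MISP.Event and Object are arrays.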

15. Add a URL object to an event


Adds a URL object to a MISP event.

Base Command

misp-add-url-object

Input

Argument Name Description Required
url Full URL to add to the event. Required
first_seen Date that this URL was first seen, for example: 2019-02-03. Optional
text Description of the URL. Optional
last_seen Date that this URL was last seen, for example: 2019-02-03. Optional
event_id ID of the event. Required

Context Output

Path Type Description
MISP.Event.ID number MISP event ID.
MISP.Event.Object.MetaCategory String Object meta category.
MISP.Event.Object.Distribution Number Distribution of the object.
MISP.Event.Object.Name String Name of the object.
MISP.Event.Object.TemplateVersion Number Template version of the object.
MISP.Event.Object.EventID Number ID of the event in which the object was first created.
MISP.Event.Object.TemplateUUID String UUID of the template.
MISP.Event.Object.Timestamp String Timestamp when the object was created.
MISP.Event.Object.Deleted Boolean Whether the object was deleted.
MISP.Event.Object.ID Number ID of the object.
MISP.Event.Object.UUID String UUID of the object.
MISP.Event.Object.Attribute.Value String Value of the attribute.
MISP.Event.Object.Attribute.EventID Number ID of the first event from which the object originated.
MISP.Event.Object.Attribute.Timestamp Date Timestamp when the object was created.
MISP.Event.Object.Attribute.Deleted Boolean Whether the object was deleted.
MISP.Event.Object.Attribute.ObjectID Number ID of the object.
MISP.Event.Object.Attribute.DisableCorrelation Boolean Whether correlation is disabled.
MISP.Event.Object.Attribute.ID Unknown ID of the attribute.
MISP.Event.Object.Attribute.ObjectRelation String Relation of the object.
MISP.Event.Object.Attribute.Type String Object type.
MISP.Event.Object.Attribute.UUID String UUID of the attribute.
MISP.Event.Object.Attribute.ToIDs Boolean Whether the ToIDs flag is on.
MISP.Event.Object.Attribute.Category String Category of the attribute.
MISP.Event.Object.Attribute.SharingGroupID Number ID of the sharing group.
MISP.Event.Object.Attribute.Comment String Comment of the attribute.
MISP.Event.Object.Description String Description of the object.

Command Example

!misp-add-url-object event_id=743 url=https://github.com/MISP/misp-objects/blob/master/objects/url/definition.json?q=1

Context Example

{
    "MISP.Event": {
        "Object": {
            "Comment": "", 
            "EventID": "743", 
            "Timestamp": "1565013625", 
            "Description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", 
            "UUID": "f2da7f70-0fa9-446d-8c0e-e2b87f348d3d", 
            "Deleted": false, 
            "Attribute": [
                {
                    "Category": "Network activity", 
                    "Comment": "", 
                    "UUID": "9abd47bd-749a-40a1-a79d-1dc8aa9d843f", 
                    "ObjectID": "3233", 
                    "Deleted": false, 
                    "Timestamp": "1565013625", 
                    "ToIDs": true, 
                    "Value": "https://github.com/MISP/misp-objects/blob/master/objects/url/definition.json?q=1", 
                    "ID": "26185", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "url", 
                    "EventID": "743", 
                    "value1": "https://github.com/MISP/misp-objects/blob/master/objects/url/definition.json?q=1", 
                    "DisableCorrelation": false, 
                    "Type": "url", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Other", 
                    "Comment": "", 
                    "UUID": "b8595c60-8eca-4963-8bf9-656adbe86566", 
                    "ObjectID": "3233", 
                    "Deleted": false, 
                    "Timestamp": "1565013625", 
                    "ToIDs": false, 
                    "Value": "https", 
                    "ID": "26186", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "scheme", 
                    "EventID": "743", 
                    "value1": "https", 
                    "DisableCorrelation": true, 
                    "Type": "text", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Other", 
                    "Comment": "", 
                    "UUID": "3f7a901d-07ac-4b65-9cf1-a2470d229a90", 
                    "ObjectID": "3233", 
                    "Deleted": false, 
                    "Timestamp": "1565013625", 
                    "ToIDs": false, 
                    "Value": "/MISP/misp-objects/blob/master/objects/url/definition.json", 
                    "ID": "26187", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "resource_path", 
                    "EventID": "743", 
                    "value1": "/MISP/misp-objects/blob/master/objects/url/definition.json", 
                    "DisableCorrelation": false, 
                    "Type": "text", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Other", 
                    "Comment": "", 
                    "UUID": "8c2c385b-4f75-4aac-a670-15fe9eb08ce5", 
                    "ObjectID": "3233", 
                    "Deleted": false, 
                    "Timestamp": "1565013625", 
                    "ToIDs": false, 
                    "Value": "q=1", 
                    "ID": "26188", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "query_string", 
                    "EventID": "743", 
                    "value1": "q=1", 
                    "DisableCorrelation": false, 
                    "Type": "text", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Network activity", 
                    "Comment": "", 
                    "UUID": "5098cb2c-27d8-483f-b467-b6d5732a2008", 
                    "ObjectID": "3233", 
                    "Deleted": false, 
                    "Timestamp": "1565013625", 
                    "ToIDs": true, 
                    "Value": "github.com", 
                    "ID": "26189", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "domain", 
                    "EventID": "743", 
                    "value1": "github.com", 
                    "DisableCorrelation": false, 
                    "Type": "domain", 
                    "Distribution": "5", 
                    "value2": ""
                }
            ], 
            "TemplateUUID": "60efb77b-40b5-4c46-871b-ed1ed999fce5", 
            "TemplateVersion": "7", 
            "SharingGroupID": "0", 
            "MetaCategory": "network", 
            "Distribution": "5", 
            "ID": "3233", 
            "Name": "url"
        }, 
        "ID": "743"
    }
}

Human Readable Output

Object has been added to MISP event ID 743

16. Add an object to an event


Adds any other object to MISP.

Base Command

misp-add-object

Input

Argument Name Description Required
event_id ID of the event to add the object to. Required
template Template name. For more information, see the MISP documentation. Required
attributes attributes Required

Context Output

Path Type Description
MISP.Event.ID number MISP event ID.
MISP.Event.Object.MetaCategory String Object meta category.
MISP.Event.Object.Distribution Number Distribution of the object.
MISP.Event.Object.Name String Name of the object.
MISP.Event.Object.TemplateVersion Number Template version of the object.
MISP.Event.Object.EventID Number ID of the event in which the object was first created.
MISP.Event.Object.TemplateUUID String UUID of the template.
MISP.Event.Object.Timestamp String Timestamp when the object was created.
MISP.Event.Object.Deleted Boolean Whether the object was deleted.
MISP.Event.Object.ID Number ID of the object.
MISP.Event.Object.UUID String UUID of the object.
MISP.Event.Object.Attribute.Value String Value of the attribute.
MISP.Event.Object.Attribute.EventID Number ID of the first event from which the object originated.
MISP.Event.Object.Attribute.Timestamp Date Timestamp when the object was created.
MISP.Event.Object.Attribute.Deleted Boolean Whether the object was deleted.
MISP.Event.Object.Attribute.ObjectID Number ID of the object.
MISP.Event.Object.Attribute.DisableCorrelation Boolean Whether correlation is disabled.
MISP.Event.Object.Attribute.ID Unknown ID of the attribute.
MISP.Event.Object.Attribute.ObjectRelation String Relation of the object.
MISP.Event.Object.Attribute.Type String Object type.
MISP.Event.Object.Attribute.UUID String UUID of the attribute.
MISP.Event.Object.Attribute.ToIDs Boolean Whether the ToIDs flag is on.
MISP.Event.Object.Attribute.Category String Category of the attribute.
MISP.Event.Object.Attribute.SharingGroupID Number ID of the sharing group.
MISP.Event.Object.Attribute.Comment String Comment of the attribute.
MISP.Event.Object.Description String Description of the object.

Command Example

!misp-add-object event_id="15" template="vehicle" attributes="{'description': 'Manager Ferrari', 'make': 'Ferrari', 'model': '308 GTS'}"
!misp-add-object event_id=15 template="http-request" attributes="{'url': 'https://foaas.com/awesome/Mom', 'method': 'GET', 'basicauth-user': 'username', 'basicauth-password': 'password'}"
!misp-add-object event_id=15 template=device attributes="{'name': 'AndroidPhone', 'device-type': 'Mobile', 'OS': 'Android', 'version': '9 PKQ1'}"

Context Example

{
    "MISP.Event": {
        "Object": {
            "Comment": "", 
            "EventID": "743", 
            "Timestamp": "1565013618", 
            "Description": "Vehicle object template to describe a vehicle information and registration", 
            "UUID": "00b4293d-2c4d-4c7d-83b6-e72b0a199402", 
            "Deleted": false, 
            "Attribute": [
                {
                    "Category": "Other", 
                    "Comment": "", 
                    "UUID": "dc7fa7d8-afb4-4740-8f97-ed10adce735f", 
                    "ObjectID": "3230", 
                    "Deleted": false, 
                    "Timestamp": "1565013618", 
                    "ToIDs": false, 
                    "Value": "Manager Ferrari", 
                    "ID": "26172", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "description", 
                    "EventID": "743", 
                    "value1": "Manager Ferrari", 
                    "DisableCorrelation": true, 
                    "Type": "text", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Other", 
                    "Comment": "", 
                    "UUID": "8eeabab2-627e-4b1f-b4bd-c11b624fdabe", 
                    "ObjectID": "3230", 
                    "Deleted": false, 
                    "Timestamp": "1565013618", 
                    "ToIDs": false, 
                    "Value": "Ferrari", 
                    "ID": "26173", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "make", 
                    "EventID": "743", 
                    "value1": "Ferrari", 
                    "DisableCorrelation": true, 
                    "Type": "text", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Other", 
                    "Comment": "", 
                    "UUID": "bfa5455c-22c2-45b1-9212-eefc59e4b430", 
                    "ObjectID": "3230", 
                    "Deleted": false, 
                    "Timestamp": "1565013618", 
                    "ToIDs": false, 
                    "Value": "308 GTS", 
                    "ID": "26174", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "model", 
                    "EventID": "743", 
                    "value1": "308 GTS", 
                    "DisableCorrelation": true, 
                    "Type": "text", 
                    "Distribution": "5", 
                    "value2": ""
                }
            ], 
            "TemplateUUID": "683c076c-f695-4ff2-8efa-e98a418049f4", 
            "TemplateVersion": "1", 
            "SharingGroupID": "0", 
            "MetaCategory": "misc", 
            "Distribution": "5", 
            "ID": "3230", 
            "Name": "vehicle"
        }, 
        "ID": "743"
    }
}

Human Readable Output

Object has been added to MISP event ID 743

17. Add an IP object to an event


Adds an IP object to a MISP event. The following arguments are optional, but at least one must be supplied for the command to run successfully: "ip", "dst_port", "src_port", "domain", "hostname", "ip_src", and "ip_dst".

Base Command

misp-add-ip-object

Input

Argument Name Description Required
event_id ID of an event. Required
ip IP address. At least one of ip, dst_port, src_port, domain, hostname, ip_src, or ip_dst is required. Optional
dst_port Destination port number. Optional
src_port Source port number. Optional
domain Domain. Optional
hostname Hostname. Optional
ip_src IP source. Optional
ip_dst IP destination. Optional
first_seen Date when the tuple was first seen. Optional
last_seen Date when the tuple was last seen. Optional
comment A description of the object. Optional

Context Output

Path Type Description
MISP.Event.ID number MISP event ID.
MISP.Event.Object.MetaCategory String Object meta category.
MISP.Event.Object.Distribution Number Distribution of the object.
MISP.Event.Object.Name String Name of the object.
MISP.Event.Object.TemplateVersion Number Template version of the object.
MISP.Event.Object.EventID Number ID of the event in which the object was first created.
MISP.Event.Object.TemplateUUID String UUID of the template.
MISP.Event.Object.Timestamp String Timestamp when the object was created.
MISP.Event.Object.Deleted Boolean Whether the object was deleted.
MISP.Event.Object.ID Number ID of the object.
MISP.Event.Object.UUID String UUID of the object.
MISP.Event.Object.Attribute.Value String Value of the attribute.
MISP.Event.Object.Attribute.EventID Number ID of the first event from which the object originated.
MISP.Event.Object.Attribute.Timestamp Date Timestamp when the object was created.
MISP.Event.Object.Attribute.Deleted Boolean Whether the object was deleted.
MISP.Event.Object.Attribute.ObjectID Number ID of the object.
MISP.Event.Object.Attribute.DisableCorrelation Boolean Whether correlation is disabled.
MISP.Event.Object.Attribute.ID Unknown ID of the attribute.
MISP.Event.Object.Attribute.ObjectRelation String Relation of the object.
MISP.Event.Object.Attribute.Type String Object type.
MISP.Event.Object.Attribute.UUID String UUID of the attribute.
MISP.Event.Object.Attribute.ToIDs Boolean Whether the ToIDs flag is on.
MISP.Event.Object.Attribute.Category String Category of the attribute.
MISP.Event.Object.Attribute.SharingGroupID Number ID of the sharing group.
MISP.Event.Object.Attribute.Comment String Comment of the attribute.
MISP.Event.Object.Description String Description of the object.

Command Example

!misp-add-ip-object event_id="743" ip="8.8.8.8,4.4.4.4" dst_port="8080" domain="google.com" first_seen="2018-05-05" text="test dns"
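A pre-flight check for the "at least one of" rule and the argument types listed above, written as an added example; it is not part of the integration's code. It assumes argument values arrive as strings, that event_id is numeric, and that dates use the YYYY-MM-DD form shown in the command example.

```python
import ipaddress
from datetime import date

# Arguments of which the page says at least one must be supplied.
ONE_OF = ("ip", "dst_port", "src_port", "domain", "hostname", "ip_src", "ip_dst")


def check_ip_object_args(args):
    """Return a list of problems found in a misp-add-ip-object argument dict."""
    problems = []
    # Assumption: event IDs are decimal strings, as in the page's examples.
    if not str(args.get("event_id", "")).isdecimal():
        problems.append("event_id is required and must be numeric")
    if not any(args.get(name) for name in ONE_OF):
        problems.append("supply at least one of: " + ", ".join(ONE_OF))
    # The page's example passes several addresses in one comma-separated value.
    for name in ("ip", "ip_src", "ip_dst"):
        for item in filter(None, (p.strip() for p in args.get(name, "").split(","))):
            try:
                ipaddress.ip_address(item)
            except ValueError:
                problems.append(f"{name}: {item!r} is not an IP address")
    for name in ("dst_port", "src_port"):
        value = args.get(name)
        if value and not (value.isdecimal() and 0 < int(value) <= 65535):
            problems.append(f"{name}: {value!r} is not a valid port")
    # Assumption: dates are ISO formatted (YYYY-MM-DD).
    for name in ("first_seen", "last_seen"):
        value = args.get(name)
        if value:
            try:
                date.fromisoformat(value)
            except ValueError:
                problems.append(f"{name}: {value!r} is not an ISO date")
    return problems


# Constructed inputs: GOOD mirrors the documented arguments of the page's example.
GOOD = {"event_id": "743", "ip": "8.8.8.8,4.4.4.4", "dst_port": "8080",
        "domain": "google.com", "first_seen": "2018-05-05"}
BAD = {"event_id": "743", "first_seen": "05/05/2018", "comment": "no indicator"}

if __name__ == "__main__":
    print(check_ip_object_args(GOOD))
    print(check_ip_object_args(BAD))
```

Running the check in an automation before the command keeps malformed or indicator-less objects out of the shared event.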

Context Example

{
    "MISP.Event": {
        "Object": {
            "Comment": "", 
            "EventID": "743", 
            "Timestamp": "1565013616", 
            "Description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", 
            "UUID": "14990bd5-aae0-4ceb-be1a-4fee9f6a0af4", 
            "Deleted": false, 
            "Attribute": [
                {
                    "Category": "Network activity", 
                    "Comment": "", 
                    "UUID": "2136e8a8-33a3-4480-ba3a-54e165ef7a80", 
                    "ObjectID": "3229", 
                    "Deleted": false, 
                    "Timestamp": "1565013616", 
                    "ToIDs": false, 
                    "Value": "8080", 
                    "ID": "26167", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "dst-port", 
                    "EventID": "743", 
                    "value1": "8080", 
                    "DisableCorrelation": true, 
                    "Type": "port", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Network activity", 
                    "Comment": "", 
                    "UUID": "0d5952c5-218c-4a25-8a0c-f361ef37420a", 
                    "ObjectID": "3229", 
                    "Deleted": false, 
                    "Timestamp": "1565013616", 
                    "ToIDs": true, 
                    "Value": "google.com", 
                    "ID": "26168", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "domain", 
                    "EventID": "743", 
                    "value1": "google.com", 
                    "DisableCorrelation": false, 
                    "Type": "domain", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Network activity", 
                    "Comment": "", 
                    "UUID": "ebb067d7-4f5e-4536-a164-2df7eafc3060", 
                    "ObjectID": "3229", 
                    "Deleted": false, 
                    "Timestamp": "1565013616", 
                    "ToIDs": true, 
                    "Value": "8.8.8.8", 
                    "ID": "26169", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "ip", 
                    "EventID": "743", 
                    "value1": "8.8.8.8", 
                    "DisableCorrelation": false, 
                    "Type": "ip-dst", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Network activity", 
                    "Comment": "", 
                    "UUID": "99e0cfe2-8581-4ffd-ad39-b8bee6325203", 
                    "ObjectID": "3229", 
                    "Deleted": false, 
                    "Timestamp": "1565013616", 
                    "ToIDs": true, 
                    "Value": "4.4.4.4", 
                    "ID": "26170", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "ip", 
                    "EventID": "743", 
                    "value1": "4.4.4.4", 
                    "DisableCorrelation": false, 
                    "Type": "ip-dst", 
                    "Distribution": "5", 
                    "value2": ""
                }, 
                {
                    "Category": "Other", 
                    "Comment": "", 
                    "UUID": "a85528af-5b1e-4bb4-99bd-80fa46c4f5ae", 
                    "ObjectID": "3229", 
                    "Deleted": false, 
                    "Timestamp": "1565013616", 
                    "ToIDs": false, 
                    "Value": "2018-05-05", 
                    "ID": "26171", 
                    "SharingGroupID": "0", 
                    "ObjectRelation": "first-seen", 
                    "EventID": "743", 
                    "value1": "2018-05-05", 
                    "DisableCorrelation": true, 
                    "Type": "datetime", 
                    "Distribution": "5", 
                    "value2": ""
                }
            ], 
            "TemplateUUID": "9f8cea74-16fe-4968-a2b4-026676949ac6", 
            "TemplateVersion": "7", 
            "SharingGroupID": "0", 
            "MetaCategory": "network", 
            "Distribution": "5", 
            "ID": "3229", 
            "Name": "ip-port"
        }, 
        "ID": "743"
    }
}

Human Readable Output

Object has been added to MISP event ID 743
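The Context Output paths above can be consumed as follows to pick out the attributes MISP marks for IDS export (ToIDs). This is an added example, not code from the integration; it reads the context in the shape shown in the Context Example, and the `allowlist` parameter is a hypothetical local list of values that should never be exported.

```python
import json

# Constructed sample: the page's Context Example for misp-add-ip-object,
# trimmed to the fields this example reads.
SAMPLE = json.loads("""
{"MISP.Event": {"ID": "743", "Object": {"Name": "ip-port", "ID": "3229",
  "Attribute": [
    {"Type": "port", "Value": "8080", "ToIDs": false, "Deleted": false},
    {"Type": "domain", "Value": "google.com", "ToIDs": true, "Deleted": false},
    {"Type": "ip-dst", "Value": "8.8.8.8", "ToIDs": true, "Deleted": false},
    {"Type": "ip-dst", "Value": "4.4.4.4", "ToIDs": true, "Deleted": false},
    {"Type": "datetime", "Value": "2018-05-05", "ToIDs": false, "Deleted": false}
  ]}}}
""")


def detection_candidates(context, allowlist=()):
    """Group live attributes whose ToIDs flag is on by attribute Type.

    allowlist is a hypothetical local list of values never to export.
    """
    objects = context.get("MISP.Event", {}).get("Object") or []
    if isinstance(objects, dict):  # the page's examples return a single object
        objects = [objects]
    skip = {value.lower() for value in allowlist}
    grouped = {}
    for obj in objects:
        for attr in obj.get("Attribute") or []:
            # Keep only attributes flagged for IDS export and not deleted.
            if attr.get("ToIDs") is not True or attr.get("Deleted"):
                continue
            if attr["Value"].lower() in skip:
                continue
            grouped.setdefault(attr["Type"], []).append(attr["Value"])
    return grouped


if __name__ == "__main__":
    print(detection_candidates(SAMPLE))
    print(detection_candidates(SAMPLE, allowlist=["google.com", "8.8.8.8"]))
```

In the page's example the flag is on for google.com and 8.8.8.8, which is why the filter takes a local allowlist before anything is handed to detection tooling.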