MISP v2 (Deprecated)
This integration is part of the MISP Pack.
Deprecated. Use the MISP v3 integration instead.
Use the MISP integration to create and manage events, samples, and attributes, and to add various object types.
Configure MISP V2 on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for MISP V2.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- MISP server URL (e.g., https://192.168.0.1 )
- API Key
- Use system proxy settings
- Trust any certificate (not secure)
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Search for events: misp-search
- Search for attributes: misp-search-attributes
- Get the reputation of a file: file
- Check if a URL is in MISP events: url
- Get the reputation of an IP address: ip
- Create a MISP event: misp-create-event
- Download a file sample: misp-download-sample
- Add an attribute to an event: misp-add-attribute
- Upload a file sample: misp-upload-sample
- Delete an event: misp-delete-event
- Add a tag to an event or attribute: misp-add-tag
- Add sighting to an attribute: misp-add-sighting
- Add an OSINT feed: misp-add-events-from-feed
- Add an email object to an event: misp-add-email-object
- Add a domain object to an event: misp-add-domain-object
- Add a URL object to an event: misp-add-url-object
- Add an object to an event: misp-add-object
- Add an IP object to an event: misp-add-ip-object
1. Search for events
Search for events in MISP.
Base Command
misp-search
Input
Argument Name | Description | Required |
---|---|---|
type | The attribute type. Use any valid MISP attribute. | Optional |
value | Search for the specified value in the attributes' value field. | Optional |
category | The attribute category. Use any valid MISP attribute category. | Optional |
org | Search by creator organization by supplying the organization ID. | Optional |
tags | A comma-separated list of tags to include in the results. To exclude a tag, prefix its name with "!". Tags can be grouped with the logical operators "AND", "OR", and "NOT", each followed by ":" and a comma-separated tag list; separate groups with ";", for example "AND:tag1,tag2;OR:tag3". | Optional |
from | Event search start date (2015-02-15) | Optional |
to | Event search end date (2015-02-15) | Optional |
last | Events published within the last "x" amount of time. Valid time values are days, hours, and minutes (for example "5d", "12h", "30m"). This filter uses the published timestamp of the event. | Optional |
eventid | The events to include or exclude from the search | Optional |
uuid | Return events that include an attribute with the given UUID. Alternatively the event's UUID must match the value(s) passed, e.g., 59523300-4be8-4fa6-8867-0037ac110002 | Optional |
to_ids | Whether to return only the attributes set with the "to_ids" flag | Optional |
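The tags and last filters in the table above each have a small grammar of their own. The following is an added Python example, not the integration's own code, that parses both exactly as their descriptions define them and applies them to an event shaped like the MISP.Event context output. Treating a tag group that has no operator prefix as AND is an assumption made for this example; the sample event is constructed.

```python
import re
import time
from typing import Dict, List, Optional

# Constructed example for this page: parse the misp-search "tags" and "last"
# arguments as their descriptions define them and apply them to an event dict
# shaped like the page's MISP.Event context. Illustrative code, not the
# integration's own implementation.

OPERATORS = ("AND", "OR", "NOT")
_LAST_RE = re.compile(r"^(\d+)([dhm])$")
_SECONDS = {"d": 86400, "h": 3600, "m": 60}


def parse_tags_argument(tags: str) -> Dict[str, List[str]]:
    """Turn an expression such as "AND:tag1,tag2;OR:tag3" into
    {"AND": [...], "OR": [...], "NOT": [...]}.

    Groups are separated by ";", each group is "<OP>:" followed by a
    comma-separated tag list, and a tag prefixed with "!" is excluded
    (collected under "NOT"). A group with no operator prefix is treated as
    AND (assumption for this example). Tag names that contain ":" themselves
    (e.g. tlp:amber) survive because only the three operator words count as
    a prefix.
    """
    result: Dict[str, List[str]] = {op: [] for op in OPERATORS}
    for group in (g.strip() for g in tags.split(";")):
        if not group:
            continue
        op = "AND"
        prefix, sep, rest = group.partition(":")
        if sep and prefix.strip().upper() in OPERATORS:
            op, group = prefix.strip().upper(), rest
        for tag in (t.strip() for t in group.split(",")):
            if not tag:
                continue
            if tag.startswith("!"):
                result["NOT"].append(tag[1:])
            else:
                result[op].append(tag)
    return result


def event_matches_tags(event: dict, tags: str) -> bool:
    """Evaluate a tags expression against the event's MISP.Event.Tag.Name values."""
    query = parse_tags_argument(tags)
    names = {t.get("Name", "") for t in event.get("Tag", [])}
    if any(t in names for t in query["NOT"]):
        return False
    if query["AND"] and not all(t in names for t in query["AND"]):
        return False
    if query["OR"] and not any(t in names for t in query["OR"]):
        return False
    return True


def parse_last_argument(last: str) -> int:
    """Convert "5d" / "12h" / "30m" into seconds; reject any other form."""
    match = _LAST_RE.match(last.strip().lower())
    if not match:
        raise ValueError(f"invalid 'last' value {last!r}: expected e.g. 5d, 12h or 30m")
    return int(match.group(1)) * _SECONDS[match.group(2)]


def published_within(event: dict, last: str, now_ts: Optional[int] = None) -> bool:
    """Apply the "last" filter against the event's publish timestamp, as the
    description states. Unpublished events carry PublishTimestamp "0" in the
    page's context examples, so they never match."""
    published = int(event.get("PublishTimestamp") or 0)
    if published == 0:
        return False
    now = int(time.time()) if now_ts is None else now_ts
    return published >= now - parse_last_argument(last)


if __name__ == "__main__":
    # Constructed sample event in the shape of the MISP.Event context output.
    sample = {"ID": "743", "PublishTimestamp": "1565012166",
              "Tag": [{"Name": "tlp:amber"}, {"Name": "type:OSINT"}]}
    print(parse_tags_argument("AND:tlp:amber,type:OSINT;OR:malware;!tlp:red"))
    print(event_matches_tags(sample, "AND:tlp:amber;!tlp:red"))
    print(published_within(sample, "1d", now_ts=1565012166 + 3600))
```

Rejecting an unrecognised last value with an exception, rather than silently ignoring it, matters in a playbook: a typo such as "5w" would otherwise widen a search to every event the API key can read.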
Context Output
Path | Type | Description |
---|---|---|
MISP.Event.ID | number | MISP event ID. |
MISP.Event.Distribution | number | MISP event distribution. |
MISP.Event.ThreatLevelID | number | Threat level of the MISP event (1 High, 2 Medium, 3 Low, 4 Undefined). |
MISP.Event.PublishTimestamp | number | Timestamp of the publish time (if published). |
MISP.Event.EventCreatorEmail | string | Email address of the event creator. |
MISP.Event.Date | date | Event creation date. |
MISP.Event.Locked | boolean | Whether the event is locked. |
MISP.Event.OwnerOrganisation.ID | number | Owner organization ID. |
MISP.Event.OwnerOrganisation.Name | string | Owner organization name. |
MISP.Event.OwnerOrganisation.UUID | string | Owner organization UUID. |
MISP.Event.RelatedEvent.ID | number | Event IDs of related events (can be a list). |
MISP.Event.ProposalEmailLock | boolean | If email lock was proposed. |
MISP.Event.Timestamp | number | Timestamp of the event. |
MISP.Event.Galaxy.Description | string | Event's galaxy description. |
MISP.Event.Galaxy.Name | string | Galaxy name. |
MISP.Event.Galaxy.Type | number | Galaxy type. |
MISP.Event.Published | boolean | Whether the event is published. |
MISP.Event.DisableCorrelation | boolean | Whether correlation is disabled. |
MISP.Event.UUID | string | Event UUID. |
MISP.Event.ShadowAttribute | Unknown | Event shadow attributes. |
MISP.Event.Attribute.Distribution | number | Attribute distribution. |
MISP.Event.Attribute.Value | string | Attribute value. |
MISP.Event.Attribute.EventID | number | Attribute event ID. |
MISP.Event.Attribute.Timestamp | number | Attribute timestamp. |
MISP.Event.Attribute.Deleted | boolean | Whether the attribute is deleted. |
MISP.Event.Attribute.DisableCorrelation | boolean | Whether attribute correlation is disabled. |
MISP.Event.Attribute.Type | string | Attribute type. |
MISP.Event.Attribute.ID | number | Attribute ID. |
MISP.Event.Attribute.UUID | string | Attribute UUID. |
MISP.Event.Attribute.ShadowAttribute | Unknown | Attribute shadow attribute. |
MISP.Event.Attribute.ToIDs | boolean | Whether the Intrusion Detection System flag is set. |
MISP.Event.Attribute.Category | string | Attribute category. |
MISP.Event.Attribute.SharingGroupID | number | Attribute sharing group ID. |
MISP.Event.Attribute.Comment | string | Attribute comment. |
MISP.Event.Analysis | number | Event analysis (0 Initial, 1 Ongoing, 2 Completed). |
MISP.Event.SharingGroupID | number | Event sharing group ID. |
MISP.Event.Tag.Name | string | All tag names in the event. |
MISP.Event.Object.MetaCategory | String | Object meta category. |
MISP.Event.Object.Distribution | Number | Distribution of object. |
MISP.Event.Object.Name | String | Name of the object. |
MISP.Event.Object.TemplateVersion | Number | Template version of the object. |
MISP.Event.Object.EventID | Number | ID of the event in which the object was first created. |
MISP.Event.Object.TemplateUUID | String | UUID of the template. |
MISP.Event.Object.Timestamp | String | Timestamp of object creation. |
MISP.Event.Object.Deleted | Boolean | Whether the object was deleted. |
MISP.Event.Object.ID | Number | ID of object. |
MISP.Event.Object.UUID | String | UUID of the object. |
MISP.Event.Object.Attribute.Value | String | Value of attribute. |
MISP.Event.Object.Attribute.EventID | Number | ID of first event that originated from the object. |
MISP.Event.Object.Attribute.Timestamp | Date | Timestamp of object creation. |
MISP.Event.Object.Attribute.Deleted | Boolean | Whether the object was deleted. |
MISP.Event.Object.Attribute.ObjectID | Number | ID of the object. |
MISP.Event.Object.Attribute.DisableCorrelation | Boolean | Whether correlation is disabled. |
MISP.Event.Object.Attribute.ID | Unknown | ID of the attribute. |
MISP.Event.Object.Attribute.ObjectRelation | String | Relation of the object. |
MISP.Event.Object.Attribute.Type | String | Type of object. |
MISP.Event.Object.Attribute.UUID | String | UUID of the attribute. |
MISP.Event.Object.Attribute.ToIDs | Boolean | Whether the to_ids flag is on. |
MISP.Event.Object.Attribute.Category | String | Category of the attribute. |
MISP.Event.Object.Attribute.SharingGroupID | Number | ID of the sharing group. |
MISP.Event.Object.Attribute.Comment | String | Comment of the attribute. |
MISP.Event.Object.Description | String | Description of the object. |
Command Example
!misp-search category="External analysis" type="url"
Context Example
{ "MISP.Event": [ { "EventCreatorEmail": "admin@admin.test", "SharingGroupID": "0", "Organisation": { "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", "ID": "1", "Name": "ORGNAME" }, "ShadowAttribute": [], "Distribution": "0", "ProposalEmailLock": false, "Timestamp": "1565012166", "Object": [ { "Comment": "", "EventID": "743", "Timestamp": "1565012146", "Description": "Url object", "UUID": "3c90797e-2aba-4ac2-bc4a-73c797425e1f", "Deleted": false, "Attribute": [ { "Category": "Network activity", "Comment": "", "ShadowAttribute": [], "UUID": "287e1b44-24c1-45b9-9ef9-541d00ae447b", "ObjectID": "3223", "Deleted": false, "Timestamp": "1565012146", "ToIDs": true, "Value": "www.google.com", "ID": "26138", "SharingGroupID": "0", "ObjectRelation": "domain", "EventID": "743", "DisableCorrelation": false, "Type": "url", "Distribution": "5", "Galaxy": [] } ], "TemplateUUID": "9f8cea74-16fe-4968-a2b4-026676949ac6", "TemplateVersion": "7", "SharingGroupID": "0", "ObjectReference": [], "MetaCategory": "network", "Distribution": "5", "ID": "3223", "Name": "ip-port" } ], "ThreatLevelID": "1", "Date": "2019-08-05", "RelatedEvent": [ { "ID": "753" } ], "Info": "Example event", "Locked": false, "OwnerOrganisation": { "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", "ID": "1", "Name": "ORGNAME" }, "Analysis": "0", "Published": false, "DisableCorrelation": false, "ID": "743", "PublishTimestamp": "0", "UUID": "5d48302c-bf84-4671-9080-0728ac110002", "Attribute": [ { "Category": "External analysis", "Comment": "Just an example", "ShadowAttribute": [], "UUID": "c320c9f6-4619-450a-b150-9c62e341fbfe", "ObjectID": "0", "Deleted": false, "Timestamp": "1565012014", "ToIDs": false, "Value": "www.example.com", "ID": "26128", "SharingGroupID": "0", "ObjectRelation": null, "EventID": "743", "DisableCorrelation": false, "Type": "url", "Distribution": "0", "Galaxy": [] } ], "Galaxy": [] }, { "EventCreatorEmail": "admin@admin.test", "SharingGroupID": "0", "Organisation": { "UUID": 
"5ce29ac4-3b54-459e-a6ee-00acac110002", "ID": "1", "Name": "ORGNAME" }, "ShadowAttribute": [], "Distribution": "0", "ProposalEmailLock": false, "Timestamp": "1565013591", "Object": [], "ThreatLevelID": "1", "Date": "2019-08-05", "RelatedEvent": [ { "ID": "743" } ], "Info": "Example event", "Locked": false, "OwnerOrganisation": { "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", "ID": "1", "Name": "ORGNAME" }, "Analysis": "0", "Published": false, "DisableCorrelation": false, "ID": "753", "PublishTimestamp": "0", "UUID": "5d483655-ac78-4765-9169-70f7ac110002", "Attribute": [ { "Category": "External analysis", "Comment": "Just an example", "ShadowAttribute": [], "UUID": "8468ac01-126f-4e73-8cff-7371303014aa", "ObjectID": "0", "Deleted": false, "Timestamp": "1565013591", "ToIDs": false, "Value": "www.example.com", "ID": "26160", "SharingGroupID": "0", "ObjectRelation": null, "EventID": "753", "DisableCorrelation": false, "Type": "url", "Distribution": "0", "Galaxy": [] } ], "Galaxy": [] } ] }
Human Readable Output
Results in MISP for search:
category | type | type_attribute |
---|---|---|
External analysis | url | url |
Total of 2 events found
Event ID: 743
Analysis | Attributes | Event Creator Email | Info | Related Events | Threat Level ID | Timestamp |
---|---|---|---|---|---|---|
Initial | [ { "ID": "26128", "Type": "url", "Category": "External analysis", "ToIDs": false, "UUID": "c320c9f6-4619-450a-b150-9c62e341fbfe", "EventID": "743", "Distribution": "0", "Timestamp": "1565012014", "Comment": "Just an example", "SharingGroupID": "0", "Deleted": false, "DisableCorrelation": false, "ObjectID": "0", "ObjectRelation": null, "Value": "www.example.com", "Galaxy": [], "ShadowAttribute": [] }, { "ID": "26136", "Type": "ip-src", "Category": "Payload delivery", "ToIDs": true, "UUID": "9fc2d7b1-b784-47fc-ad2d-cdcb5df85144", "EventID": "743", "Distribution": "5", "Timestamp": "1565012133", "Comment": "Unknown IP", "SharingGroupID": "0", "Deleted": false, "DisableCorrelation": false, "ObjectID": "0", "ObjectRelation": null, "Value": "8.8.3.3", "Galaxy": [], "ShadowAttribute": [] } ] | admin@admin.test | Example event | {'ID': '753'} | HIGH | 2019-08-05 13:36:06 |
2. Search for attributes
Search for attributes in MISP.
Base Command
misp-search-attributes
Input
Argument Name | Description | Required |
---|---|---|
type | The attribute type. Use any valid MISP attribute. | Optional |
value | Search for the specified value in the attributes' value field. | Optional |
category | The attribute category. Use any valid MISP attribute category. | Optional |
uuid | Return events that include an attribute with the given UUID. Alternatively the event's UUID must match the value(s) passed, e.g., 59523300-4be8-4fa6-8867-0037ac110002. | Optional |
to_ids | Whether to return only the attributes set with the "to_ids" flag. | Optional |
last | Events published within the last "x" amount of time. Valid time values are days, hours, and minutes (for example "5d", "12h", "30m"). This filter uses the published timestamp of the event. | Optional |
include_decay_score | Include the decay score at attribute level. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MISP.Attribute.Distribution | number | Attribute distribution. |
MISP.Attribute.Value | string | Attribute value. |
MISP.Attribute.EventID | number | Attribute event ID. |
MISP.Attribute.Timestamp | number | Attribute timestamp. |
MISP.Attribute.Deleted | boolean | Whether the attribute is deleted. |
MISP.Attribute.DisableCorrelation | boolean | Whether attribute correlation is disabled. |
MISP.Attribute.Type | string | Attribute type. |
MISP.Attribute.ID | number | Attribute ID. |
MISP.Attribute.UUID | string | Attribute UUID. |
MISP.Attribute.ShadowAttribute | Unknown | Attribute shadow attribute. |
MISP.Attribute.ToIDs | boolean | Whether the Intrusion Detection System flag is set. |
MISP.Attribute.Category | string | Attribute category. |
MISP.Attribute.SharingGroupID | number | Attribute sharing group ID. |
MISP.Attribute.Comment | string | Attribute comment. |
MISP.Attribute.Event.ID | number | MISP event ID. |
MISP.Attribute.Event.Distribution | number | MISP event distribution. |
MISP.Attribute.Event.ThreatLevelID | number | Threat level of the MISP event (1 High, 2 Medium, 3 Low, 4 Undefined). |
MISP.Attribute.Event.PublishTimestamp | number | Timestamp of the publish time (if published). |
MISP.Attribute.Event.EventCreatorEmail | string | Email address of the event creator. |
MISP.Attribute.Event.Date | date | Event creation date. |
MISP.Attribute.Event.Locked | boolean | Whether the event is locked. |
MISP.Attribute.Event.OwnerOrganisation.ID | number | Owner organization ID. |
MISP.Attribute.Event.OwnerOrganisation.Name | string | Owner organization name. |
MISP.Attribute.Event.OwnerOrganisation.UUID | string | Owner organization UUID. |
MISP.Attribute.Event.RelatedEvent.ID | number | Event IDs of related events (can be a list). |
MISP.Attribute.Event.ProposalEmailLock | boolean | If email lock was proposed. |
MISP.Attribute.Event.Timestamp | number | Timestamp of the event. |
MISP.Attribute.Event.Galaxy.Description | string | Event's galaxy description. |
MISP.Attribute.Event.Galaxy.Name | string | Galaxy name. |
MISP.Attribute.Event.Galaxy.Type | number | Galaxy type. |
MISP.Attribute.Event.Published | boolean | Whether the event is published. |
MISP.Attribute.Event.DisableCorrelation | boolean | Whether correlation is disabled. |
MISP.Attribute.Event.UUID | string | Event UUID. |
MISP.Attribute.Event.ShadowAttribute | Unknown | Event shadow attributes. |
MISP.Attribute.Event.Analysis | number | Event analysis (0 Initial, 1 Ongoing, 2 Completed). |
MISP.Attribute.Event.SharingGroupID | number | Event sharing group ID. |
MISP.Attribute.Event.Tag.Name | string | All tag names in the event. |
MISP.Attribute.Object.MetaCategory | String | Object meta category. |
MISP.Attribute.Object.Distribution | Number | Distribution of object. |
MISP.Attribute.Object.Name | String | Name of the object. |
MISP.Attribute.Object.TemplateVersion | Number | Template version of the object. |
MISP.Attribute.Object.EventID | Number | ID of the event in which the object was first created. |
MISP.Attribute.Object.TemplateUUID | String | UUID of the template. |
MISP.Attribute.Object.Timestamp | String | Timestamp of object creation. |
MISP.Attribute.Object.Deleted | Boolean | Whether the object was deleted. |
MISP.Attribute.Object.ID | Number | ID of object. |
MISP.Attribute.Object.UUID | String | UUID of the object. |
MISP.Attribute.Object.Description | String | Description of the object. |
MISP.Attribute.Galaxy.Description | string | Event's galaxy description. |
MISP.Attribute.Galaxy.Name | string | Galaxy name. |
MISP.Attribute.Galaxy.Type | number | Galaxy type. |
MISP.Attribute.Tag.Name | string | All tag names in the event. |
Command Example
!misp-search-attributes category="Other" value="Ferrari"
Context Example
{ "MISP.Attribute": [ { "ID": "215746", "EventID": "12041", "ObjectID": "35655", "ObjectRelation": "make", "Category": "Other", "Type": "text", "ToIDs": false, "UUID": "175c30f8-8bba-44bc-9727-7065da0ed109", "Timestamp": "1619620662", "Distribution": "5", "SharingGroupID": "0", "Comment": "", "Deleted": false, "DisableCorrelation": true, "Value": "Ferrari", "Event": { "OrganisationID": "1", "Distribution": "0", "ID": "12041", "Info": "Testplayboook", "OwnerOrganisation.ID": "1", "UUID": "60897327-db98-4cab-8911-32faac110002" }, "Object": { "ID": "35655", "Distribution": "5", "SharingGroupID": "0" } } ] }
Human Readable Output
MISP attributes-search returned 2 attributes.
Attribute ID: 67899
Category | Comment | Deleted | DisableCorrelation | Distribution | Event | EventID | ID | Object | ObjectID | ObjectRelation | SharingGroupID | Timestamp | ToIDs | Type | UUID | Value |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Other |  | false | true | 5 | OrganisationID: 1, Distribution: 0, ID: 12041, Info: Testplayboook, OwnerOrganisation.ID: 1, UUID: 60897327-db98-4cab-8911-32faac110002 | 12041 | 215746 | ID: 35655, Distribution: 5, SharingGroupID: 0 | 35655 | make | 0 | 1619620662 | false | text | 175c30f8-8bba-44bc-9727-7065da0ed109 | Ferrari |
3. Get the reputation of a file
Checks the file reputation of the given hash.
Base Command
file
Input
Argument Name | Description | Required |
---|---|---|
file | A CSV list of file hashes to query. Can be MD5, SHA1, or SHA256. | Required |
Context Output
Path | Type | Description |
---|---|---|
File.MD5 | Unknown | Bad hash found. |
File.SHA1 | Unknown | Bad SHA1 hash. |
File.SHA256 | Unknown | Bad SHA256 hash. |
File.Malicious.Vendor | Unknown | For malicious files, the vendor that made the decision. |
File.Malicious.Description | Unknown | For malicious files, the reason that the vendor made the decision. |
DBotScore.Indicator | Unknown | The indicator that was tested. |
DBotScore.Type | Unknown | Indicator type. |
DBotScore.Vendor | Unknown | The vendor used to calculate the score. |
DBotScore.Score | Unknown | The actual score. |
Command Example
!file file="3d74da0a7276735f1afae01951b39ff7a9d92c94"
Context Example
{ "DBotScore": [ { "Vendor": "MISP", "Indicator": "3d74da0a7276735f1afae01951b39ff7a9d92c94", "Score": 3, "Type": "hash" } ], "File": [ { "Malicious": { "Vendor": "MISP", "Description": "file hash found in MISP event with ID: 754" }, "SHA1": "3d74da0a7276735f1afae01951b39ff7a9d92c94" } ] }
Human Readable Output
Results found in MISP for hash: 3d74da0a7276735f1afae01951b39ff7a9d92c94
EventID | Organisation | Threat Level |
---|---|---|
754 | MISP | HIGH |
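To show how the file command's input and output fit together, here is an added Python example, not the integration's own code, that validates the CSV hash argument by length and character set, looks each hash up in event data shaped like the MISP.Event context, and builds the File and DBotScore context shown above. The url and ip commands produce the same shape. The sample events and helper names are constructed for this example; the DBotScore value 3 on a hit is the value the page shows.

```python
import re
from typing import Dict, Iterator, List

# Constructed example for this page: validate the "file" argument (a CSV list
# of MD5/SHA1/SHA256 hashes), look the hashes up in MISP events shaped like
# the page's MISP.Event context, and build the File / DBotScore context the
# command's Context Example shows. Illustrative code, not the integration's own.

HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}   # hex length -> hash kind
_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Cortex XSOAR DBotScore values: 0 = unknown, 3 = bad (the page shows 3 on a hit)
SCORE_UNKNOWN = 0
SCORE_BAD = 3


def hash_type(value: str) -> str:
    """Classify a hash by length and character set; reject anything else so a
    malformed argument fails loudly instead of silently matching nothing."""
    kind = HASH_TYPES.get(len(value))
    if kind is None or not _HEX.match(value):
        raise ValueError(f"not an MD5/SHA1/SHA256 hash: {value!r}")
    return kind


def _event_attribute_values(event: dict) -> Iterator[str]:
    """Yield every attribute value in an event, including attributes nested in objects."""
    for attr in event.get("Attribute", []):
        yield str(attr.get("Value", ""))
    for obj in event.get("Object", []):
        for attr in obj.get("Attribute", []):
            yield str(attr.get("Value", ""))


def build_file_reputation(file_arg: str, events: List[dict], vendor: str = "MISP") -> Dict[str, list]:
    """Return {"File": [...], "DBotScore": [...]} for every hash in the CSV argument.

    A hash is marked malicious when any event contains it as an attribute value;
    Malicious.Description names the first matching event, as on the page.
    """
    file_ctx, dbot_ctx = [], []
    for raw in file_arg.split(","):
        h = raw.strip()
        if not h:
            continue
        kind = hash_type(h)
        hits = [e for e in events
                if any(v.lower() == h.lower() for v in _event_attribute_values(e))]
        entry: dict = {kind: h}
        score = SCORE_UNKNOWN
        if hits:
            score = SCORE_BAD
            entry["Malicious"] = {
                "Vendor": vendor,
                "Description": f"file hash found in MISP event with ID: {hits[0]['ID']}",
            }
        file_ctx.append(entry)
        dbot_ctx.append({"Vendor": vendor, "Indicator": h, "Score": score, "Type": "hash"})
    return {"File": file_ctx, "DBotScore": dbot_ctx}


# Constructed sample events; the event ID and SHA1 value come from the page's example.
SAMPLE_EVENTS = [
    {"ID": "754", "ThreatLevelID": "1", "Object": [],
     "Attribute": [{"Type": "sha1", "Category": "Payload delivery",
                    "Value": "3d74da0a7276735f1afae01951b39ff7a9d92c94"}]},
]

if __name__ == "__main__":
    print(build_file_reputation("3d74da0a7276735f1afae01951b39ff7a9d92c94", SAMPLE_EVENTS))
```

A hash that no event contains still gets a DBotScore entry, with Score 0, so a playbook can distinguish "looked up and unknown" from "never looked up"; only hashes that match an event receive the Malicious block.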
4. Check if a URL is in MISP events
Checks if the URL is in MISP events.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
Base Command
url
Input
Argument Name | Description | Required |
---|---|---|
url | URL to check. | Required |
Context Output
Path | Type | Description |
---|---|---|
URL.Data | Unknown | Bad URLs found. |
URL.Malicious.Vendor | Unknown | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | Unknown | For malicious URLs, the reason that the vendor made the decision. |
DBotScore.Indicator | Unknown | The indicator that was tested. |
DBotScore.Type | Unknown | Indicator type. |
DBotScore.Vendor | Unknown | The vendor used to calculate the score. |
DBotScore.Score | Unknown | The actual score. |
Command Example
!url url="www.example.com"
Context Example
{ "URL": [ { "Malicious": { "Vendor": "MISP.ORGNAME", "Description": "IP Found in MISP event: 743" }, "Data": "www.example.com" }, { "Malicious": { "Vendor": "MISP.ORGNAME", "Description": "IP Found in MISP event: 753" }, "Data": "www.example.com" } ], "DBotScore": [ { "Vendor": "MISP.ORGNAME", "Indicator": "www.example.com", "Score": 3, "Type": "url" }, { "Vendor": "MISP.ORGNAME", "Indicator": "www.example.com", "Score": 3, "Type": "url" } ], "MISP.Event": [ { "EventCreatorEmail": "admin@admin.test", "SharingGroupID": "0", "Organisation": { "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", "ID": "1", "Name": "ORGNAME" }, "ShadowAttribute": [], "Distribution": "0", "ProposalEmailLock": false, "Timestamp": "1565013625", "Object": [], "Attribute": [ { "Category": "External analysis", "Comment": "Just an example", "ShadowAttribute": [], "UUID": "c320c9f6-4619-450a-b150-9c62e341fbfe", "ObjectID": "0", "Deleted": false, "Timestamp": "1565012014", "ToIDs": false, "Value": "www.example.com", "ID": "26128", "SharingGroupID": "0", "ObjectRelation": null, "EventID": "743", "DisableCorrelation": false, "Type": "url", "Distribution": "0", "Galaxy": [] } ], "Galaxy": [] } ] }
Human Readable Output
MISP Reputation for URL: www.example.com
EventID | Organisation | Threat Level |
---|---|---|
743 | MISP.ORGNAME | HIGH |
753 | MISP.ORGNAME | HIGH |
5. Get the reputation of an IP address
Checks the reputation of an IP address.
Base Command
ip
Input
Argument Name | Description | Required |
---|---|---|
ip | IP address to check. | Required |
Context Output
Path | Type | Description |
---|---|---|
IP.Address | Unknown | Bad IP address found. |
IP.Malicious.Vendor | Unknown | For malicious IPs, the vendor that made the decision. |
IP.Malicious.Description | Unknown | For malicious IPs, the reason that the vendor made the decision. |
DBotScore.Indicator | Unknown | The indicator that was tested. |
DBotScore.Type | Unknown | Indicator type. |
DBotScore.Vendor | Unknown | The vendor used to calculate the score. |
DBotScore.Score | Unknown | The actual score. |
Command Example
!ip ip="8.8.3.3"
Context Example
{ "IP": [ { "Malicious": { "Vendor": "MISP.ORGNAME", "Description": "IP Found in MISP event: 743" }, "Address": "8.8.3.3" } ], "DBotScore": [ { "Vendor": "MISP.ORGNAME", "Indicator": "8.8.3.3", "Score": 3, "Type": "ip" } ], "MISP.Event": [ { "EventCreatorEmail": "admin@admin.test", "SharingGroupID": "0", "Organisation": { "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", "ID": "1", "Name": "ORGNAME" }, "ShadowAttribute": [], "Distribution": "0", "ProposalEmailLock": false, "Timestamp": "1565013625", "Object": [ ], "Attribute": [ { "Category": "External analysis", "Comment": "Just an example", "ShadowAttribute": [], "UUID": "c320c9f6-4619-450a-b150-9c62e341fbfe", "ObjectID": "0", "Deleted": false, "Timestamp": "1565012014", "ToIDs": false, "Value": "8.8.3.3", "ID": "26128", "SharingGroupID": "0", "ObjectRelation": null, "EventID": "743", "DisableCorrelation": false, "Type": "url", "Distribution": "0", "Galaxy": [] } ], "Galaxy": [] } ] }
Human Readable Output
Results found in MISP for IP: 8.8.3.3
EventID | Organisation | Threat Level |
---|---|---|
743 | MISP.ORGNAME | HIGH |
6. Create a MISP event
Creates a new MISP event.
Base Command
misp-create-event
Input
Argument Name | Description | Required |
---|---|---|
type | Event type of the new event. | Optional |
category | Category of the new event. | Optional |
to_ids | Create the event with the IDS flag. | Optional |
distribution | Where to distribute the attribute. | Optional |
comment | Comment for the event. | Optional |
value | Value to add to the event. | Required |
info | Event name. | Required |
published | Whether to publish the event. | Optional |
threat_level_id | MISP Threat level ID. Default is "high". | Optional |
analysis | The analysis level. Default is "initial". | Optional |
Context Output
Path | Type | Description |
---|---|---|
MISP.Event.ID | number | MISP event ID. |
MISP.Event.Distribution | number | MISP event distribution. |
MISP.Event.ThreatLevelID | number | Threat level of the MISP event (1 High, 2 Medium, 3 Low, 4 Undefined). |
MISP.Event.PublishTimestamp | number | Timestamp of the publish time (if published). |
MISP.Event.EventCreatorEmail | string | Email address of the event creator. |
MISP.Event.Date | date | Event creation date. |
MISP.Event.Locked | boolean | Whether the event is locked. |
MISP.Event.OwnerOrganisation.ID | number | Owner organization ID. |
MISP.Event.OwnerOrganisation.Name | string | Owner organization name. |
MISP.Event.OwnerOrganisation.UUID | string | Owner organization UUID. |
MISP.Event.RelatedEvent.ID | number | Event IDs of related events (can be a list). |
MISP.Event.ProposalEmailLock | boolean | Whether email lock is proposed. |
MISP.Event.Timestamp | number | Timestamp of the event. |
MISP.Event.Galaxy.Description | string | Event's galaxy description. |
MISP.Event.Galaxy.Name | string | Galaxy name. |
MISP.Event.Galaxy.Type | number | Galaxy type. |
MISP.Event.Published | boolean | Whether the event is published. |
MISP.Event.DisableCorrelation | boolean | Whether correlation is disabled. |
MISP.Event.UUID | string | Event UUID. |
MISP.Event.ShadowAttribute | Unknown | Event shadow attributes. |
MISP.Event.Attribute.Distribution | number | Attribute distribution. |
MISP.Event.Attribute.Value | string | Attribute value. |
MISP.Event.Attribute.EventID | number | Attribute event ID. |
MISP.Event.Attribute.Timestamp | number | Attribute timestamp. |
MISP.Event.Attribute.Deleted | boolean | Whether the attribute was deleted. |
MISP.Event.Attribute.DisableCorrelation | boolean | Whether attribute correlation is disabled. |
MISP.Event.Attribute.Type | string | Attribute type. |
MISP.Event.Attribute.ID | number | Attribute ID. |
MISP.Event.Attribute.UUID | string | Attribute UUID. |
MISP.Event.Attribute.ShadowAttribute | Unknown | Attribute shadow attribute. |
MISP.Event.Attribute.ToIDs | boolean | Whether the Intrusion Detection System flag is set. |
MISP.Event.Attribute.Category | string | Attribute category. |
MISP.Event.Attribute.SharingGroupID | number | Attribute sharing group ID. |
MISP.Event.Attribute.Comment | string | Attribute comment. |
MISP.Event.Analysis | number | Event analysis (0 Initial, 1 Ongoing, 2 Completed). |
MISP.Event.SharingGroupID | number | Event sharing group ID. |
MISP.Event.Tag.Name | string | All tag names in the event. |
Command Example
!misp-create-event info="Example event" value="www.example.com" category="External analysis" type="url" comment="Just an example"
Context Example
{ "MISP.Event": [ { "EventCreatorEmail": "admin@admin.test", "SharingGroupID": "0", "Organisation": { "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", "ID": "1", "Name": "ORGNAME" }, "ShadowAttribute": [], "Distribution": "0", "ProposalEmailLock": false, "Timestamp": "1565013591", "Object": [], "ThreatLevelID": "1", "Date": "2019-08-05", "RelatedEvent": [ { "ID": "743" } ], "Info": "Example event", "Locked": false, "OwnerOrganisation": { "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", "ID": "1", "Name": "ORGNAME" }, "Analysis": "0", "Published": false, "DisableCorrelation": false, "ID": "753", "PublishTimestamp": "0", "UUID": "5d483655-ac78-4765-9169-70f7ac110002", "Attribute": [ { "Category": "External analysis", "Comment": "Just an example", "ShadowAttribute": [], "UUID": "8468ac01-126f-4e73-8cff-7371303014aa", "ObjectID": "0", "Deleted": false, "Timestamp": "1565013591", "ToIDs": false, "Value": "www.example.com", "ID": "26160", "SharingGroupID": "0", "ObjectRelation": null, "EventID": "753", "DisableCorrelation": false, "Type": "url", "Distribution": "0", "Galaxy": [] } ], "Galaxy": [] } ] }
Human Readable Output
MISP create event
New event with ID: 753 has been successfully created.
7. Download a file sample
Downloads a file sample from MISP.
Base Command
misp-download-sample
Input
Argument Name | Description | Required |
---|---|---|
hash | A hash in MD5 format. If the "allSamples" argument is supplied, this can be any one of the following: md5, sha1, and sha256. | Required |
eventID | If set, will only fetch data from the given event ID. | Optional |
allSamples | If set, will return all samples from events that match the hash supplied in the "hash" argument. | Optional |
unzip | Return one zipped file, or all files unzipped. Default is "false" (one zipped file). | Optional |
Context Output
There is no context output for this command.
Command Example
!misp-download-sample hash="3d74da0a7276735f1afae01951b39ff7a9d92c94"
Human Readable Output
Couldn't find file with hash 3d74da0a7276735f1afae01951b39ff7a9d92c94
8. Add an attribute to an event
Adds an attribute to an existing MISP event.
Base Command
misp-add-attribute
Input
Argument Name | Description | Required |
---|---|---|
id | MISP event ID. | Required |
type | Attribute type. | Required |
category | Attribute category. | Required |
to_ids | Whether to return only events set with the "to_ids" flag. Default is "true". | Optional |
distribution | Where to distribute the attribute. | Optional |
comment | Comment for the event. | Required |
value | Attribute value. | Required |
Context Output
Path | Type | Description |
---|---|---|
MISP.Event.ID | number | MISP event ID. |
MISP.Event.Distribution | number | MISP event distribution. |
MISP.Event.ThreatLevelID | number | Threat level of the MISP event (1 High, 2 Medium, 3 Low, 4 Undefined). |
MISP.Event.PublishTimestamp | number | Timestamp of the publish time (if published). |
MISP.Event.EventCreatorEmail | string | Email address of the event creator. |
MISP.Event.Date | date | Event creation date. |
MISP.Event.Locked | boolean | Whether the event is locked. |
MISP.Event.OwnerOrganisation.ID | number | Owner organization ID. |
MISP.Event.OwnerOrganisation.Name | string | Owner organization name. |
MISP.Event.OwnerOrganisation.UUID | string | Owner organization UUID. |
MISP.Event.RelatedEvent.ID | number | Event IDs of related events (can be a list). |
MISP.Event.ProposalEmailLock | boolean | Whether email lock is proposed. |
MISP.Event.Timestamp | number | Timestamp of the event. |
MISP.Event.Galaxy.Description | string | Galaxy description. |
MISP.Event.Galaxy.Name | string | Galaxy name. |
MISP.Event.Galaxy.Type | number | Galaxy type. |
MISP.Event.Published | boolean | Whether the event is published. |
MISP.Event.DisableCorrelation | boolean | Whether correlation is disabled. |
MISP.Event.UUID | string | Event UUID. |
MISP.Event.ShadowAttribute | Unknown | Event shadow attributes. |
MISP.Event.Attribute.Distribution | number | Attribute distribution. |
MISP.Event.Attribute.Value | string | Attribute value. |
MISP.Event.Attribute.EventID | number | Attribute event ID. |
MISP.Event.Attribute.Timestamp | number | Attribute timestamp. |
MISP.Event.Attribute.Deleted | boolean | Whether the attribute was deleted. |
MISP.Event.Attribute.DisableCorrelation | boolean | Whether attribute correlation is disabled. |
MISP.Event.Attribute.Type | string | Attribute type. |
MISP.Event.Attribute.ID | number | Attribute ID. |
MISP.Event.Attribute.UUID | string | Attribute UUID. |
MISP.Event.Attribute.ShadowAttribute | Unknown | Attribute shadow attribute. |
MISP.Event.Attribute.ToIDs | boolean | Whether the Intrusion Detection System flag is set. |
MISP.Event.Attribute.Category | string | Attribute category. |
MISP.Event.Attribute.SharingGroupID | number | Attribute sharing group ID. |
MISP.Event.Attribute.Comment | string | Attribute comment. |
MISP.Event.Analysis | number | Event analysis (0 Initial, 1 Ongoing, 2 Completed). |
MISP.Event.SharingGroupID | number | Event sharing group ID. |
MISP.Event.Tag.Name | string | All tag names in the event. |
Command Example
!misp-add-attribute id=743 comment="Unknown IP" value="8.8.3.3" category="Payload delivery" type="ip-src"
Context Example
{ "MISP.Event": [ { "EventCreatorEmail": "admin@admin.test", "SharingGroupID": "0", "Organisation": { "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", "ID": "1", "Name": "ORGNAME" }, "ShadowAttribute": [], "Distribution": "0", "ProposalEmailLock": false, "Timestamp": "1565013607", "Object": [ { "Comment": "", "EventID": "743", "Timestamp": "1565012146", "Description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "UUID": "3c90797e-2aba-4ac2-bc4a-73c797425e1f", "Deleted": false, "Attribute": [ { "Category": "Network activity", "Comment": "", "ShadowAttribute": [], "UUID": "e3ada1ae-da37-4efe-9581-73aa95960624", "ObjectID": "3223", "Deleted": false, "Timestamp": "1565012146", "ToIDs": false, "Value": "8080", "ID": "26137", "SharingGroupID": "0", "ObjectRelation": "dst-port", "EventID": "743", "DisableCorrelation": true, "Type": "port", "Distribution": "5", "Galaxy": [] }, { "Category": "Network activity", "Comment": "", "ShadowAttribute": [], "UUID": "287e1b44-24c1-45b9-9ef9-541d00ae447b", "ObjectID": "3223", "Deleted": false, "Timestamp": "1565012146", "ToIDs": true, "Value": "google.com", "ID": "26138", "SharingGroupID": "0", "ObjectRelation": "domain", "EventID": "743", "DisableCorrelation": false, "Type": "domain", "Distribution": "5", "Galaxy": [] }, { "Category": "Network activity", "Comment": "", "ShadowAttribute": [], "UUID": "5ef0f03b-f85a-4d8d-97c3-c3f740623a73", "ObjectID": "3223", "Deleted": false, "Timestamp": "1565012146", "ToIDs": true, "Value": "8.8.8.8", "ID": "26139", "SharingGroupID": "0", "ObjectRelation": "ip", "EventID": "743", "DisableCorrelation": false, "Type": "ip-dst", "Distribution": "5", "Galaxy": [] }, { "Category": "Network activity", "Comment": "", "ShadowAttribute": [], "UUID": "953e3da1-a4b5-4fe2-8d35-7e1afdb72e74", "ObjectID": "3223", "Deleted": false, "Timestamp": "1565012146", "ToIDs": true, "Value": "4.4.4.4", "ID": "26140", "SharingGroupID": "0", "ObjectRelation": "ip", "EventID": "743", "DisableCorrelation": false, "Type": "ip-dst", "Distribution": "5", "Galaxy": [] }, { "Category": "Other", "Comment": "", "ShadowAttribute": [], "UUID": "f1d3cd7e-ed01-4aba-bb8f-65c0ac119707", "ObjectID": "3223", "Deleted": false, "Timestamp": "1565012146", "ToIDs": false, "Value": "2018-05-05", "ID": "26141", "SharingGroupID": "0", "ObjectRelation": "first-seen", "EventID": "743", "DisableCorrelation": true, "Type": "datetime", "Distribution": "5", "Galaxy": [] } ], "TemplateUUID": "9f8cea74-16fe-4968-a2b4-026676949ac6", "TemplateVersion": "7", "SharingGroupID": "0", "ObjectReference": [], "MetaCategory": "network", "Distribution": "5", "ID": "3223", "Name": "ip-port" } ], "ThreatLevelID": "1", "Date": "2019-08-05", "RelatedEvent": [ { "ID": "753" } ], "Info": "Example event", "Locked": false, "OwnerOrganisation": { "UUID": "5ce29ac4-3b54-459e-a6ee-00acac110002", "ID": "1", "Name": "ORGNAME" }, "Analysis": "0", "Published": false, "DisableCorrelation": false, "ID": "743", "PublishTimestamp": "0", "UUID": "5d48302c-bf84-4671-9080-0728ac110002", "Attribute": [], "Galaxy": [] } ] }
Human Readable Output
MISP add attribute
New attribute: 8.8.3.3 was added to event id 743.
9. Upload a file sample
Uploads a file sample to MISP.
Base Command
misp-upload-sample
Input
Argument Name | Description | Required |
---|---|---|
fileEntryID | Entry ID of the file to upload. | Required |
event_id | The event ID of the event to which to add the uploaded file. | Optional |
distribution | The distribution setting used for the attributes and for the newly created event, if relevant (0-3). | Optional |
to_ids | Flags all attributes created during the transaction to be marked as "to_ids" or not. | Optional |
category | The category that will be assigned to the uploaded samples (Payload delivery, Artifacts dropped, Payload Installation, External Analysis). | Optional |
info | Used to populate the event info field if no event ID is supplied. Alternatively, if not supplied, MISP will generate a message showing that it is a malware sample collection generated on the given day. | Optional |
analysis | The analysis level. Default is "initial". | Optional |
threat_level_id | The threat level ID of the newly created event. Default is "high". | Optional |
comment | This will populate the comment field of any attribute created using this API. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MISP.UploadedSample | Unknown | Object containing {filename: event id} of the uploaded file. |
Command Example
!misp-upload-sample fileEntryID=655@6 info="MISP V2 Integration"
Context Example
{ "MISP.UploadedSample": { "MISP_V2_unified.yml": 754 } }
Human Readable Output
MISP upload sample
- message: Success, saved all attributes.
- event id: 754
- file name: MISP_V2_unified.yml
10. Delete an event
Deletes an event according to event ID.
Base Command
misp-delete-event
Input
Argument Name | Description | Required |
---|---|---|
event_id | Event ID to delete. | Required |
Context Output
There is no context output for this command.
Command Example
!misp-delete-event event_id=735
Human Readable Output
11. Add a tag to an event or attribute
Adds a tag to the event or attribute with the given UUID.
Base Command
misp-add-tag
Input
Argument Name | Description | Required |
---|---|---|
uuid | UUID of the attribute/event, for example: "59575300-4be8-4ff6-8767-0037ac110032". | Required |
tag | Tag to add to the attribute or event. | Required |
Context Output
Path | Type | Description |
---|---|---|
MISP.Event.ID | number | MISP event ID. |
MISP.Event.Distribution | number | MISP event distribution. |
MISP.Event.ThreatLevelID | number | Threat level of the MISP event (1 High, 2 Medium, 3 Low, 4 Undefined). |
MISP.Event.PublishTimestamp | number | Timestamp of the publish time (if published). |
MISP.Event.EventCreatorEmail | string | Email address of the event creator. |
MISP.Event.Date | date | Event creation date. |
MISP.Event.Locked | boolean | Whether the event is locked. |
MISP.Event.OwnerOrganisation.ID | number | Owner organization ID. |
MISP.Event.OwnerOrganisation.Name | string | Owner organization name. |
MISP.Event.OwnerOrganisation.UUID | string | Owner organization UUID. |
MISP.Event.RelatedEvent.ID | number | Event IDs of related events (can be a list). |
MISP.Event.ProposalEmailLock | boolean | Whether email lock is proposed. |
MISP.Event.Timestamp | number | Timestamp of the event. |
MISP.Event.Galaxy.Description | string | Galaxy description. |
MISP.Event.Galaxy.Name | string | Galaxy name. |
MISP.Event.Galaxy.Type | number | Galaxy type. |
MISP.Event.Published | boolean | Whether the event is published. |
MISP.Event.DisableCorrelation | boolean | Whether correlation is disabled. |
MISP.Event.UUID | string | Event UUID. |
MISP.Event.ShadowAttribute | Unknown | Event shadow attributes. |
MISP.Event.Attribute.Distribution | number | Attribute distribution. |
MISP.Event.Attribute.Value | string | Attribute value. |
MISP.Event.Attribute.EventID | number | Attribute event ID. |
MISP.Event.Attribute.Timestamp | number | Attribute timestamp. |
MISP.Event.Attribute.Deleted | boolean | Whether the attribute is deleted. |
MISP.Event.Attribute.DisableCorrelation | boolean | Whether attribute correlation is disabled. |
MISP.Event.Attribute.Type | string | Attribute type. |
MISP.Event.Attribute.ID | number | Attribute ID. |
MISP.Event.Attribute.UUID | string | Attribute UUID. |
MISP.Event.Attribute.ShadowAttribute | Unknown | Attribute shadow attribute. |
MISP.Event.Attribute.ToIDs | boolean | Whether the to_ids (Intrusion Detection System) flag is set. |
MISP.Event.Attribute.Category | string | Attribute category. |
MISP.Event.Attribute.SharingGroupID | number | Attribute sharing group ID. |
MISP.Event.Attribute.Comment | string | Attribute comment. |
MISP.Event.Analysis | number | Event analysis (0 Initial, 1 Ongoing, 2 Completed). |
MISP.Event.SharingGroupID | number | Event sharing group ID. |
MISP.Event.Tag.Name | string | All tag names in the event. |
Command Example
!misp-add-tag tag="Example tag" uuid=5ce29ac4-3b54-459e-a6ee-00acac110002
Context Example
{ "MISP.Event": [] }
Human Readable Output
Tag Example tag has been successfully added to event 5ce29ac4-3b54-459e-a6ee-00acac110002
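The MISP.Event context documented in the table above encodes the event's threat level and analysis state as numeric codes and carries a to_ids flag on every attribute. The following Python is an added example, not code from the integration or from the MISP project: it decodes those codes and selects the indicators a detection pipeline should actually consume (to_ids set, not deleted), walking both the event's top-level attributes and the attributes nested in its objects. The sample event is constructed here to match the context shape shown in this document.

```python
# Added example (not part of the MISP v2 integration): decode a MISP.Event
# context entry and pull out the indicators worth pushing to detection.
from typing import Dict, List, Tuple

# Code tables as documented in the Context Output table of misp-add-tag.
THREAT_LEVELS = {1: "High", 2: "Medium", 3: "Low", 4: "Undefined"}
ANALYSIS_STATES = {0: "Initial", 1: "Ongoing", 2: "Completed"}

# Constructed sample shaped like the MISP.Event context shown in this document:
# the ip-port object from the misp-add-attribute context example plus two
# top-level attributes added here for illustration. Values are strings, as the
# context examples show them, even where the table calls them numbers.
SAMPLE_EVENT = {
    "ID": "743",
    "Info": "Example event",
    "ThreatLevelID": "1",
    "Analysis": "0",
    "Published": False,
    "Attribute": [
        {"Type": "hostname", "Value": "mail.example.test", "Category": "Network activity",
         "ToIDs": True, "Deleted": False},
        {"Type": "comment", "Value": "analyst note", "Category": "Other",
         "ToIDs": False, "Deleted": False},
    ],
    "Object": [
        {"Name": "ip-port", "Attribute": [
            {"Type": "port", "Value": "8080", "ObjectRelation": "dst-port", "ToIDs": False, "Deleted": False},
            {"Type": "domain", "Value": "google.com", "ObjectRelation": "domain", "ToIDs": True, "Deleted": False},
            {"Type": "ip-dst", "Value": "8.8.8.8", "ObjectRelation": "ip", "ToIDs": True, "Deleted": False},
            {"Type": "ip-dst", "Value": "4.4.4.4", "ObjectRelation": "ip", "ToIDs": True, "Deleted": True},
            {"Type": "datetime", "Value": "2018-05-05", "ObjectRelation": "first-seen", "ToIDs": False, "Deleted": False},
        ]},
    ],
}


def _flag(value) -> bool:
    """Booleans arrive as JSON true/false, but some MISP payloads carry '0'/'1' strings."""
    if isinstance(value, str):
        return value.strip().lower() in ("1", "true")
    return bool(value)


def _code(value, table: Dict[int, str]) -> str:
    """Map a numeric code (int or numeric string) to its label, tolerating unknown codes."""
    try:
        return table.get(int(value), f"Unknown({value})")
    except (TypeError, ValueError):
        return f"Unknown({value})"


def ids_indicators(event: dict) -> List[Tuple[str, str]]:
    """Return (type, value) pairs that MISP marks with to_ids and that are not deleted.

    Only these should be forwarded to blocklists or detection rules: an attribute
    with to_ids=false (a port, a first-seen date, a comment) is context, not an
    indicator, and a soft-deleted attribute must not resurface as a detection.
    """
    found: List[Tuple[str, str]] = []
    pools = [event.get("Attribute") or []]
    for obj in event.get("Object") or []:
        pools.append(obj.get("Attribute") or [])
    for attrs in pools:
        for attr in attrs:
            if _flag(attr.get("ToIDs")) and not _flag(attr.get("Deleted")):
                found.append((attr.get("Type", ""), attr.get("Value", "")))
    return found


def event_summary(event: dict) -> dict:
    """Human-readable summary of the event's state, using the documented code tables."""
    indicators = ids_indicators(event)
    return {
        "id": str(event.get("ID", "")),
        "info": event.get("Info", ""),
        "threat_level": _code(event.get("ThreatLevelID"), THREAT_LEVELS),
        "analysis": _code(event.get("Analysis"), ANALYSIS_STATES),
        "published": _flag(event.get("Published")),
        "ids_indicator_count": len(indicators),
    }


if __name__ == "__main__":
    print(event_summary(SAMPLE_EVENT))
    for ioc_type, value in ids_indicators(SAMPLE_EVENT):
        print(f"{ioc_type}\t{value}")
```

In a playbook the same logic would run over each entry of the MISP.Event context list; note that 4.4.4.4 is dropped because its attribute is soft-deleted, and the port and date are dropped because MISP never flagged them for IDS use.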
12. Add sighting to an attribute
Adds a sighting to an attribute. The id and uuid arguments are optional, but one of them must be specified in the command.
Base Command
misp-add-sighting
Input
Argument Name | Description | Required |
---|---|---|
type | Type of sighting to add. | Required |
id | ID of the attribute to which to add a sighting. Required if uuid is empty. Can be retrieved from the misp-search command. | Optional |
uuid | UUID of the attribute to which to add a sighting. Required if id is empty. Can be retrieved from the misp-search command. | Optional |
Context Output
There is no context output for this command.
Command Example
!misp-add-sighting type=sighting uuid=23513ce2-2060-4bc8-9b44-6bd735e4f740
Human Readable Output
Sighting 'sighting' has been successfully added to attribute 23513ce2-2060-4bc8-9b44-6bd735e4f740
13. Add an OSINT feed
Adds events from an OSINT feed to MISP.
Base Command
misp-add-events-from-feed
Input
Argument Name | Description | Required |
---|---|---|
feed | URL of the feed to add. | Optional |
limit | Maximum number of files to add. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MISP.Event.ID | number | IDs of newly created events. |
Command Example
!misp-add-events-from-feed limit=14 feed=CIRCL
Human Readable Output
Total of 0 events was added to MISP.
14. Add an email object to an event
Adds an email object to the specified event ID.
Base Command
misp-add-email-object
Input
Argument Name | Description | Required |
---|---|---|
entry_id | Entry ID of the email. | Required |
event_id | ID of the event to which to add the object. | Required |
Context Output
Path | Type | Description |
---|---|---|
MISP.Event.ID | number | MISP event ID. |
MISP.Event.Object.MetaCategory | String | Object meta category. |
MISP.Event.Object.Distribution | Number | Distribution of the object. |
MISP.Event.Object.Name | String | Name of the object. |
MISP.Event.Object.TemplateVersion | Number | Template version of the object. |
MISP.Event.Object.EventID | Number | ID of the event in which the object was first created. |
MISP.Event.Object.TemplateUUID | String | UUID of the template. |
MISP.Event.Object.Timestamp | String | Timestamp when the object was created. |
MISP.Event.Object.Deleted | Boolean | Whether the object was deleted. |
MISP.Event.Object.ID | Number | ID of the object. |
MISP.Event.Object.UUID | String | UUID of the object. |
MISP.Event.Object.Attribute.Value | String | Value of the attribute. |
MISP.Event.Object.Attribute.EventID | Number | ID of the first event from which the object originated. |
MISP.Event.Object.Attribute.Timestamp | Date | Timestamp when the object was created. |
MISP.Event.Object.Attribute.Deleted | Boolean | Whether the object was deleted. |
MISP.Event.Object.Attribute.ObjectID | Number | ID of the object. |
MISP.Event.Object.Attribute.DisableCorrelation | Boolean | Whether correlation is disabled. |
MISP.Event.Object.Attribute.ID | Unknown | ID of the attribute. |
MISP.Event.Object.Attribute.ObjectRelation | String | Relation of the object. |
MISP.Event.Object.Attribute.Type | String | Object type. |
MISP.Event.Object.Attribute.UUID | String | UUID of the attribute. |
MISP.Event.Object.Attribute.ToIDs | Boolean | Whether the to_ids flag is on. |
MISP.Event.Object.Attribute.Category | String | Category of the attribute. |
MISP.Event.Object.Attribute.SharingGroupID | Number | ID of the sharing group. |
MISP.Event.Object.Attribute.Comment | String | Comment of the attribute. |
MISP.Event.Object.Description | String | Description of the object. |
Command Example
!misp-add-email-object event_id=743 entry_id=678@6
Context Example
{ "MISP.Event": { "Object": { "Comment": "", "EventID": "743", "Timestamp": "1565013620", "Description": "Email object describing an email with meta-information", "UUID": "e00e6a2c-682b-48b3-bb01-aee21832ebf0", "Deleted": false, "Attribute": [ { "Category": "External analysis", "Comment": "", "UUID": "52d1d881-a1fb-4a2c-b5bc-047fb0073c2f", "ObjectID": "3231", "Deleted": false, "Timestamp": "1565013620", "ToIDs": false, "Value": "Full email.eml", "ID": "26175", "SharingGroupID": "0", "ObjectRelation": "eml", "EventID": "743", "value1": "Full email.eml", "DisableCorrelation": true, "Type": "attachment", "Distribution": "5", "value2": "" }, { "Category": "Payload delivery", "Comment": "", "UUID": "5ddaae1c-ce54-4191-9d61-907d2c101103", "ObjectID": "3231", "Deleted": false, "Timestamp": "1565013620", "ToIDs": false, "Value": "<example.gmail.com>", "ID": "26177", "SharingGroupID": "0", "ObjectRelation": "message-id", "EventID": "743", "value1": "<example.gmail.com>", "DisableCorrelation": true, "Type": "email-message-id", "Distribution": "5", "value2": "" }, { "Category": "Network activity", "Comment": "", "UUID": "26daac8a-730e-4951-bad1-d8134feba2cb", "ObjectID": "3231", "Deleted": false, "Timestamp": "1565013620", "ToIDs": true, "Value": "\"Example Demisto (ca)\" <example@demisto.com>", "ID": "26178", "SharingGroupID": "0", "ObjectRelation": "to", "EventID": "743", "value1": "\"Example Demisto (ca)\" <example.>", "DisableCorrelation": true, "Type": "email-dst", "Distribution": "5", "value2": "" }, { "Category": "Payload delivery", "Comment": "", "UUID": "d6ca6b5f-edba-4d46-9a9f-15fec4f6bd2b", "ObjectID": "3231", "Deleted": false, "Timestamp": "1565013620", "ToIDs": false, "Value": "[TEST][DEMISTO] CASO 1 EMAIL DA SISTEMA DEMISTO | ZIP+PASSWORD", "ID": "26179", "SharingGroupID": "0", "ObjectRelation": "subject", "EventID": "743", "value1": "[TEST][DEMISTO] CASO 1 EMAIL DA SISTEMA DEMISTO | ZIP+PASSWORD", "DisableCorrelation": false, "Type": "email-subject", "Distribution": "5", "value2": "" }, { "Category": "Payload delivery", "Comment": "", "UUID": "983eaba4-a94e-49ab-ae18-40151778a9ba", "ObjectID": "3231", "Deleted": false, "Timestamp": "1565013620", "ToIDs": true, "Value": "\"Example Demisto (ca)\" <example@demisto.com>", "ID": "26180", "SharingGroupID": "0", "ObjectRelation": "from", "EventID": "743", "value1": "\"Example Demisto (ca)\" <example@demisto.com>", "DisableCorrelation": false, "Type": "email-src", "Distribution": "5", "value2": "" }, { "Category": "Payload delivery", "Comment": "", "UUID": "c432d6c7-5d34-4b64-a6b4-5813d1874bd2", "ObjectID": "3231", "Deleted": false, "Timestamp": "1565013620", "ToIDs": true, "Value": "example@demisto.com", "ID": "26181", "SharingGroupID": "0", "ObjectRelation": "return-path", "EventID": "743", "value1": "example@demisto.com", "DisableCorrelation": false, "Type": "email-src", "Distribution": "5", "value2": "" } ], "TemplateUUID": "a0c666e0-fc65-4be8-b48f-3423d788b552", "TemplateVersion": "12", "SharingGroupID": "0", "MetaCategory": "network", "Distribution": "5", "ID": "3231", "Name": "email" }, "ID": "743" } }
Human Readable Output
Object has been added to MISP event ID 743
15. Add a domain object to an event
Adds a domain object to a MISP event.
Base Command
misp-add-domain-object
Input
Argument Name | Description | Required |
---|---|---|
event_id | ID of a MISP event. | Required |
name | The domain name, for example: "google.com". | Required |
dns | A list (array) of IP addresses resolved by DNS. | Required |
creation_date | Date that the domain was created. | Optional |
last_seen | Datetime that the domain was last seen, for example: 2019-02-03. | Optional |
first_seen | Datetime that the domain was first seen, for example: 2019-02-03. | Optional |
text | A description of the domain. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MISP.Event.ID | number | MISP event ID. |
MISP.Event.Object.MetaCategory | String | Object meta category. |
MISP.Event.Object.Distribution | Number | Distribution of the object. |
MISP.Event.Object.Name | String | Name of the object. |
MISP.Event.Object.TemplateVersion | Number | Template version of the object. |
MISP.Event.Object.EventID | Number | ID of the event in which the object was first created. |
MISP.Event.Object.TemplateUUID | String | UUID of the template. |
MISP.Event.Object.Timestamp | String | Timestamp when the object was created. |
MISP.Event.Object.Deleted | Boolean | Whether the object was deleted. |
MISP.Event.Object.ID | Number | ID of the object. |
MISP.Event.Object.UUID | String | UUID of the object. |
MISP.Event.Object.Attribute.Value | String | Value of the attribute. |
MISP.Event.Object.Attribute.EventID | Number | ID of the first event from which the object originated. |
MISP.Event.Object.Attribute.Timestamp | Date | Timestamp when the object was created. |
MISP.Event.Object.Attribute.Deleted | Boolean | Whether the object was deleted. |
MISP.Event.Object.Attribute.ObjectID | Number | ID of the object. |
MISP.Event.Object.Attribute.DisableCorrelation | Boolean | Whether correlation is disabled. |
MISP.Event.Object.Attribute.ID | Unknown | ID of the attribute. |
MISP.Event.Object.Attribute.ObjectRelation | String | Relation of the object. |
MISP.Event.Object.Attribute.Type | String | Object type. |
MISP.Event.Object.Attribute.UUID | String | UUID of the attribute. |
MISP.Event.Object.Attribute.ToIDs | Boolean | Whether the to_ids flag is on. |
MISP.Event.Object.Attribute.Category | String | Category of the attribute. |
MISP.Event.Object.Attribute.SharingGroupID | Number | ID of the sharing group. |
MISP.Event.Object.Attribute.Comment | String | Comment of the attribute. |
MISP.Event.Object.Description | String | Description of the object. |
Command Example
!misp-add-domain-object event_id=743 dns="8.8.8.8,8.8.4.4" name="google.com" text="Google DNS"
Context Example
{ "MISP.Event": { "Object": { "Comment": "", "EventID": "743", "Timestamp": "1565013623", "Description": "A domain and IP address seen as a tuple in a specific time frame.", "UUID": "ee732c55-78d4-4e2a-8616-e1b07c85397b", "Deleted": false, "Attribute": [ { "Category": "Network activity", "Comment": "", "UUID": "c52ec904-30c9-47ce-a7d5-a1aaa9326576", "ObjectID": "3232", "Deleted": false, "Timestamp": "1565013623", "ToIDs": true, "Value": "8.8.8.8", "ID": "26182", "SharingGroupID": "0", "ObjectRelation": "ip", "EventID": "743", "value1": "8.8.8.8", "DisableCorrelation": false, "Type": "ip-dst", "Distribution": "5", "value2": "" }, { "Category": "Network activity", "Comment": "", "UUID": "b48f0132-c90a-4b79-ae12-190476155b47", "ObjectID": "3232", "Deleted": false, "Timestamp": "1565013623", "ToIDs": true, "Value": "8.8.4.4", "ID": "26183", "SharingGroupID": "0", "ObjectRelation": "ip", "EventID": "743", "value1": "8.8.4.4", "DisableCorrelation": false, "Type": "ip-dst", "Distribution": "5", "value2": "" }, { "Category": "Network activity", "Comment": "", "UUID": "8fc80065-07ca-4151-b8e4-df919aa53dbb", "ObjectID": "3232", "Deleted": false, "Timestamp": "1565013623", "ToIDs": true, "Value": "google.com", "ID": "26184", "SharingGroupID": "0", "ObjectRelation": "domain", "EventID": "743", "value1": "google.com", "DisableCorrelation": false, "Type": "domain", "Distribution": "5", "value2": "" } ], "TemplateUUID": "43b3b146-77eb-4931-b4cc-b66c60f28734", "TemplateVersion": "6", "SharingGroupID": "0", "MetaCategory": "network", "Distribution": "5", "ID": "3232", "Name": "domain-ip" }, "ID": "743" } }
Human Readable Output
Object has been added to MISP event ID 743
16. Add a URL object to an event
Adds a URL object to a MISP event.
Base Command
misp-add-url-object
Input
Argument Name | Description | Required |
---|---|---|
url | Full URL to add to the event. | Required |
first_seen | Date that this URL was first seen, for example: 2019-02-03. | Optional |
text | Description of the URL. | Optional |
last_seen | Date that this URL was last seen, for example: 2019-02-03. | Optional |
event_id | ID of the event. | Required |
Context Output
Path | Type | Description |
---|---|---|
MISP.Event.ID | number | MISP event ID. |
MISP.Event.Object.MetaCategory | String | Object meta category. |
MISP.Event.Object.Distribution | Number | Distribution of the object. |
MISP.Event.Object.Name | String | Name of the object. |
MISP.Event.Object.TemplateVersion | Number | Template version of the object. |
MISP.Event.Object.EventID | Number | ID of the event in which the object was first created. |
MISP.Event.Object.TemplateUUID | String | UUID of the template. |
MISP.Event.Object.Timestamp | String | Timestamp when the object was created. |
MISP.Event.Object.Deleted | Boolean | Whether the object was deleted. |
MISP.Event.Object.ID | Number | ID of the object. |
MISP.Event.Object.UUID | String | UUID of the object. |
MISP.Event.Object.Attribute.Value | String | Value of the attribute. |
MISP.Event.Object.Attribute.EventID | Number | ID of the first event from which the object originated. |
MISP.Event.Object.Attribute.Timestamp | Date | Timestamp when the object was created. |
MISP.Event.Object.Attribute.Deleted | Boolean | Whether the object was deleted. |
MISP.Event.Object.Attribute.ObjectID | Number | ID of the object. |
MISP.Event.Object.Attribute.DisableCorrelation | Boolean | Whether correlation is disabled. |
MISP.Event.Object.Attribute.ID | Unknown | ID of the attribute. |
MISP.Event.Object.Attribute.ObjectRelation | String | Relation of the object. |
MISP.Event.Object.Attribute.Type | String | Object type. |
MISP.Event.Object.Attribute.UUID | String | UUID of the attribute. |
MISP.Event.Object.Attribute.ToIDs | Boolean | Whether the to_ids flag is on. |
MISP.Event.Object.Attribute.Category | String | Category of the attribute. |
MISP.Event.Object.Attribute.SharingGroupID | Number | ID of the sharing group. |
MISP.Event.Object.Attribute.Comment | String | Comment of the attribute. |
MISP.Event.Object.Description | String | Description of the object. |
Command Example
!misp-add-url-object event_id=743 url=https://github.com/MISP/misp-objects/blob/master/objects/url/definition.json?q=1
Context Example
{ "MISP.Event": { "Object": { "Comment": "", "EventID": "743", "Timestamp": "1565013625", "Description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "UUID": "f2da7f70-0fa9-446d-8c0e-e2b87f348d3d", "Deleted": false, "Attribute": [ { "Category": "Network activity", "Comment": "", "UUID": "9abd47bd-749a-40a1-a79d-1dc8aa9d843f", "ObjectID": "3233", "Deleted": false, "Timestamp": "1565013625", "ToIDs": true, "Value": "https://github.com/MISP/misp-objects/blob/master/objects/url/definition.json?q=1", "ID": "26185", "SharingGroupID": "0", "ObjectRelation": "url", "EventID": "743", "value1": "https://github.com/MISP/misp-objects/blob/master/objects/url/definition.json?q=1", "DisableCorrelation": false, "Type": "url", "Distribution": "5", "value2": "" }, { "Category": "Other", "Comment": "", "UUID": "b8595c60-8eca-4963-8bf9-656adbe86566", "ObjectID": "3233", "Deleted": false, "Timestamp": "1565013625", "ToIDs": false, "Value": "https", "ID": "26186", "SharingGroupID": "0", "ObjectRelation": "scheme", "EventID": "743", "value1": "https", "DisableCorrelation": true, "Type": "text", "Distribution": "5", "value2": "" }, { "Category": "Other", "Comment": "", "UUID": "3f7a901d-07ac-4b65-9cf1-a2470d229a90", "ObjectID": "3233", "Deleted": false, "Timestamp": "1565013625", "ToIDs": false, "Value": "/MISP/misp-objects/blob/master/objects/url/definition.json", "ID": "26187", "SharingGroupID": "0", "ObjectRelation": "resource_path", "EventID": "743", "value1": "/MISP/misp-objects/blob/master/objects/url/definition.json", "DisableCorrelation": false, "Type": "text", "Distribution": "5", "value2": "" }, { "Category": "Other", "Comment": "", "UUID": "8c2c385b-4f75-4aac-a670-15fe9eb08ce5", "ObjectID": "3233", "Deleted": false, "Timestamp": "1565013625", "ToIDs": false, "Value": "q=1", "ID": "26188", "SharingGroupID": "0", "ObjectRelation": "query_string", "EventID": "743", "value1": "q=1", "DisableCorrelation": false, "Type": "text", "Distribution": "5", "value2": "" }, { "Category": "Network activity", "Comment": "", "UUID": "5098cb2c-27d8-483f-b467-b6d5732a2008", "ObjectID": "3233", "Deleted": false, "Timestamp": "1565013625", "ToIDs": true, "Value": "github.com", "ID": "26189", "SharingGroupID": "0", "ObjectRelation": "domain", "EventID": "743", "value1": "github.com", "DisableCorrelation": false, "Type": "domain", "Distribution": "5", "value2": "" } ], "TemplateUUID": "60efb77b-40b5-4c46-871b-ed1ed999fce5", "TemplateVersion": "7", "SharingGroupID": "0", "MetaCategory": "network", "Distribution": "5", "ID": "3233", "Name": "url" }, "ID": "743" } }
Human Readable Output
Object has been added to MISP event ID 743
17. Add an object to an event
Adds an object of any MISP object template to an event.
Base Command
misp-add-object
Input
Argument Name | Description | Required |
---|---|---|
event_id | ID of the event to add the object to. | Required |
template | Template name. For more information, see the MISP documentation. | Required |
attributes | Object attributes as a mapping of object relation to value, as in the command examples below. | Required |
Context Output
Path | Type | Description |
---|---|---|
MISP.Event.ID | number | MISP event ID. |
MISP.Event.Object.MetaCategory | String | Object meta category. |
MISP.Event.Object.Distribution | Number | Distribution of the object. |
MISP.Event.Object.Name | String | Name of the object. |
MISP.Event.Object.TemplateVersion | Number | Template version of the object. |
MISP.Event.Object.EventID | Number | ID of the event in which the object was first created. |
MISP.Event.Object.TemplateUUID | String | UUID of the template. |
MISP.Event.Object.Timestamp | String | Timestamp when the object was created. |
MISP.Event.Object.Deleted | Boolean | Whether the object was deleted. |
MISP.Event.Object.ID | Number | ID of the object. |
MISP.Event.Object.UUID | String | UUID of the object. |
MISP.Event.Object.Attribute.Value | String | Value of the attribute. |
MISP.Event.Object.Attribute.EventID | Number | ID of the first event from which the object originated. |
MISP.Event.Object.Attribute.Timestamp | Date | Timestamp when the object was created. |
MISP.Event.Object.Attribute.Deleted | Boolean | Whether the object was deleted. |
MISP.Event.Object.Attribute.ObjectID | Number | ID of the object. |
MISP.Event.Object.Attribute.DisableCorrelation | Boolean | Whether correlation is disabled. |
MISP.Event.Object.Attribute.ID | Unknown | ID of the attribute. |
MISP.Event.Object.Attribute.ObjectRelation | String | Relation of the object. |
MISP.Event.Object.Attribute.Type | String | Object type. |
MISP.Event.Object.Attribute.UUID | String | UUID of the attribute. |
MISP.Event.Object.Attribute.ToIDs | Boolean | Whether the to_ids flag is on. |
MISP.Event.Object.Attribute.Category | String | Category of the attribute. |
MISP.Event.Object.Attribute.SharingGroupID | Number | ID of the sharing group. |
MISP.Event.Object.Attribute.Comment | String | Comment of the attribute. |
MISP.Event.Object.Description | String | Description of the object. |
Command Example
!misp-add-object event_id="15" template="vehicle" attributes="{'description': 'Manager Ferrari', 'make': 'Ferrari', 'model': '308 GTS'}"
!misp-add-object event_id=15 template="http-request" attributes="{'url': 'https://foaas.com/awesome/Mom', 'method': 'GET', 'basicauth-user': 'username', 'basicauth-password': 'password'}"
!misp-add-object event_id=15 template=device attributes="{'name': 'AndroidPhone', 'device-type': 'Mobile', 'OS': 'Android', 'version': '9 PKQ1'}"
Context Example
{ "MISP.Event": { "Object": { "Comment": "", "EventID": "743", "Timestamp": "1565013618", "Description": "Vehicle object template to describe a vehicle information and registration", "UUID": "00b4293d-2c4d-4c7d-83b6-e72b0a199402", "Deleted": false, "Attribute": [ { "Category": "Other", "Comment": "", "UUID": "dc7fa7d8-afb4-4740-8f97-ed10adce735f", "ObjectID": "3230", "Deleted": false, "Timestamp": "1565013618", "ToIDs": false, "Value": "Manager Ferrari", "ID": "26172", "SharingGroupID": "0", "ObjectRelation": "description", "EventID": "743", "value1": "Manager Ferrari", "DisableCorrelation": true, "Type": "text", "Distribution": "5", "value2": "" }, { "Category": "Other", "Comment": "", "UUID": "8eeabab2-627e-4b1f-b4bd-c11b624fdabe", "ObjectID": "3230", "Deleted": false, "Timestamp": "1565013618", "ToIDs": false, "Value": "Ferrari", "ID": "26173", "SharingGroupID": "0", "ObjectRelation": "make", "EventID": "743", "value1": "Ferrari", "DisableCorrelation": true, "Type": "text", "Distribution": "5", "value2": "" }, { "Category": "Other", "Comment": "", "UUID": "bfa5455c-22c2-45b1-9212-eefc59e4b430", "ObjectID": "3230", "Deleted": false, "Timestamp": "1565013618", "ToIDs": false, "Value": "308 GTS", "ID": "26174", "SharingGroupID": "0", "ObjectRelation": "model", "EventID": "743", "value1": "308 GTS", "DisableCorrelation": true, "Type": "text", "Distribution": "5", "value2": "" } ], "TemplateUUID": "683c076c-f695-4ff2-8efa-e98a418049f4", "TemplateVersion": "1", "SharingGroupID": "0", "MetaCategory": "misc", "Distribution": "5", "ID": "3230", "Name": "vehicle" }, "ID": "743" } }
Human Readable Output
Object has been added to MISP event ID 743
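The attributes argument of misp-add-object is a free-form mapping, and the command examples above pass it as a Python-style dict literal with single quotes. As an added example, not the integration's own parser, the following Python accepts both that form and strict JSON, rejects anything that is not a flat mapping of object relation to scalar value, and flags relations that look like credentials (the http-request example above carries a basicauth-password) so the analyst can set the object's distribution deliberately before the event is shared. The helper names and the credential hint list are this example's own.

```python
# Added example (not the integration's own parser): validate the `attributes`
# argument of misp-add-object before it is turned into a MISP object.
import ast
import json
from typing import Dict, List

# Substrings that mark a relation as likely holding a secret (assumed list).
CREDENTIAL_HINTS = ("password", "passwd", "secret", "token", "api-key", "apikey")


def parse_object_attributes(raw: str) -> List[Dict[str, str]]:
    """Accept the Python-literal dict form used in the command examples
    ({'make': 'Ferrari'}) as well as strict JSON ({"make": "Ferrari"}).

    ast.literal_eval only evaluates literals, so unlike eval() a crafted
    argument cannot execute code inside the automation that calls this.
    """
    try:
        parsed = json.loads(raw)
    except ValueError:
        try:
            parsed = ast.literal_eval(raw)
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"attributes is neither JSON nor a dict literal: {exc}") from None
    if not isinstance(parsed, dict) or not parsed:
        raise ValueError("attributes must be a non-empty mapping of object relation to value")
    result: List[Dict[str, str]] = []
    for relation, value in parsed.items():
        if not isinstance(relation, str) or not relation.strip():
            raise ValueError(f"object relation must be a non-empty string, got {relation!r}")
        if value is None or isinstance(value, (dict, list, tuple, set)):
            raise ValueError(f"{relation}: attribute values must be scalars")
        # MISP stores attribute values as strings; normalise numbers/bools here.
        result.append({"object_relation": relation.strip(), "value": str(value)})
    return result


def credential_relations(attributes: List[Dict[str, str]]) -> List[str]:
    """Relations whose name suggests a secret, so distribution can be reviewed
    before the object leaves the organisation."""
    return [a["object_relation"] for a in attributes
            if any(hint in a["object_relation"].lower() for hint in CREDENTIAL_HINTS)]


if __name__ == "__main__":
    # Constructed input mirroring the vehicle example in this document.
    attrs = parse_object_attributes(
        "{'description': 'Manager Ferrari', 'make': 'Ferrari', 'model': '308 GTS'}")
    for a in attrs:
        print(f'{a["object_relation"]:<12} {a["value"]}')
    print("credential-like relations:", credential_relations(attrs))
```

The same checks apply whichever template is named: the template decides which relations MISP will accept, but a malformed or nested attributes string should be rejected before any request is sent.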
18. Add an IP object to an event
Adds an IP object to the MISP event. The following arguments are optional, but at least one must be supplied for the command to run successfully: "ip", "dst_port", "src_port", "domain", "hostname", "ip_src", and "ip_dst".
Base Command
misp-add-ip-object
Input
Argument Name | Description | Required |
---|---|---|
event_id | ID of an event. | Required |
ip | IP address (at least one of the tuple arguments is required). | Optional |
dst_port | Destination port number. | Optional |
src_port | Source port number. | Optional |
domain | Domain. | Optional |
hostname | Hostname. | Optional |
ip_src | IP source. | Optional |
ip_dst | IP destination. | Optional |
first_seen | Date when the tuple was first seen. | Optional |
last_seen | Date when the tuple was last seen. | Optional |
comment | A description of the object. | Optional |
Context Output
Path | Type | Description |
---|---|---|
MISP.Event.ID | number | MISP event ID. |
MISP.Event.Object.MetaCategory | String | Object meta category. |
MISP.Event.Object.Distribution | Number | Distribution of the object. |
MISP.Event.Object.Name | String | Name of the object. |
MISP.Event.Object.TemplateVersion | Number | Template version of the object. |
MISP.Event.Object.EventID | Number | ID of the event in which the object was first created. |
MISP.Event.Object.TemplateUUID | String | UUID of the template. |
MISP.Event.Object.Timestamp | String | Timestamp when the object was created. |
MISP.Event.Object.Deleted | Boolean | Whether the object was deleted. |
MISP.Event.Object.ID | Number | ID of the object. |
MISP.Event.Object.UUID | String | UUID of the object. |
MISP.Event.Object.Attribute.Value | String | Value of the attribute. |
MISP.Event.Object.Attribute.EventID | Number | ID of the first event from which the object originated. |
MISP.Event.Object.Attribute.Timestamp | Date | Timestamp when the object was created. |
MISP.Event.Object.Attribute.Deleted | Boolean | Whether the object was deleted. |
MISP.Event.Object.Attribute.ObjectID | Number | ID of the object. |
MISP.Event.Object.Attribute.DisableCorrelation | Boolean | Whether correlation is disabled. |
MISP.Event.Object.Attribute.ID | Unknown | ID of the attribute. |
MISP.Event.Object.Attribute.ObjectRelation | String | Relation of the object. |
MISP.Event.Object.Attribute.Type | String | Object type. |
MISP.Event.Object.Attribute.UUID | String | UUID of the attribute. |
MISP.Event.Object.Attribute.ToIDs | Boolean | Whether the to_ids flag is on. |
MISP.Event.Object.Attribute.Category | String | Category of the attribute. |
MISP.Event.Object.Attribute.SharingGroupID | Number | ID of the sharing group. |
MISP.Event.Object.Attribute.Comment | String | Comment of the attribute. |
MISP.Event.Object.Description | String | Description of the object. |
Command Example
!misp-add-ip-object event_id="743" ip="8.8.8.8,4.4.4.4" dst_port="8080" domain="google.com" first_seen="2018-05-05" text="test dns"
Context Example
{ "MISP.Event": { "Object": { "Comment": "", "EventID": "743", "Timestamp": "1565013616", "Description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "UUID": "14990bd5-aae0-4ceb-be1a-4fee9f6a0af4", "Deleted": false, "Attribute": [ { "Category": "Network activity", "Comment": "", "UUID": "2136e8a8-33a3-4480-ba3a-54e165ef7a80", "ObjectID": "3229", "Deleted": false, "Timestamp": "1565013616", "ToIDs": false, "Value": "8080", "ID": "26167", "SharingGroupID": "0", "ObjectRelation": "dst-port", "EventID": "743", "value1": "8080", "DisableCorrelation": true, "Type": "port", "Distribution": "5", "value2": "" }, { "Category": "Network activity", "Comment": "", "UUID": "0d5952c5-218c-4a25-8a0c-f361ef37420a", "ObjectID": "3229", "Deleted": false, "Timestamp": "1565013616", "ToIDs": true, "Value": "google.com", "ID": "26168", "SharingGroupID": "0", "ObjectRelation": "domain", "EventID": "743", "value1": "google.com", "DisableCorrelation": false, "Type": "domain", "Distribution": "5", "value2": "" }, { "Category": "Network activity", "Comment": "", "UUID": "ebb067d7-4f5e-4536-a164-2df7eafc3060", "ObjectID": "3229", "Deleted": false, "Timestamp": "1565013616", "ToIDs": true, "Value": "8.8.8.8", "ID": "26169", "SharingGroupID": "0", "ObjectRelation": "ip", "EventID": "743", "value1": "8.8.8.8", "DisableCorrelation": false, "Type": "ip-dst", "Distribution": "5", "value2": "" }, { "Category": "Network activity", "Comment": "", "UUID": "99e0cfe2-8581-4ffd-ad39-b8bee6325203", "ObjectID": "3229", "Deleted": false, "Timestamp": "1565013616", "ToIDs": true, "Value": "4.4.4.4", "ID": "26170", "SharingGroupID": "0", "ObjectRelation": "ip", "EventID": "743", "value1": "4.4.4.4", "DisableCorrelation": false, "Type": "ip-dst", "Distribution": "5", "value2": "" }, { "Category": "Other", "Comment": "", "UUID": "a85528af-5b1e-4bb4-99bd-80fa46c4f5ae", "ObjectID": "3229", "Deleted": false, "Timestamp": "1565013616", "ToIDs": false, "Value": "2018-05-05", "ID": "26171", "SharingGroupID": "0", "ObjectRelation": "first-seen", "EventID": "743", "value1": "2018-05-05", "DisableCorrelation": true, "Type": "datetime", "Distribution": "5", "value2": "" } ], "TemplateUUID": "9f8cea74-16fe-4968-a2b4-026676949ac6", "TemplateVersion": "7", "SharingGroupID": "0", "MetaCategory": "network", "Distribution": "5", "ID": "3229", "Name": "ip-port" }, "ID": "743" } }
Human Readable Output
Object has been added to MISP event ID 743
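The Context Example for misp-add-ip-object shows how each command argument lands in the resulting ip-port object: ip becomes an attribute with object relation ip and type ip-dst (one attribute per comma-separated address), dst_port becomes dst-port of type port with to_ids off, domain keeps its name, and first_seen becomes first-seen of type datetime. The following Python is an added example, not the integration's own code: it reproduces that mapping, enforces the rule stated in the command description that at least one tuple argument must be present, and validates addresses, ports and dates before anything is sent to the platform. The rows for ip_src, ip_dst, src_port, hostname and last_seen, the ipv4/port checks, and the output shape are this example's assumptions rather than documented behaviour.

```python
# Added example (not the integration's own code): assemble the attribute list of a
# MISP 'ip-port' object from the misp-add-ip-object arguments and enforce the
# "at least one tuple argument" rule described in the command description.
import ipaddress
from datetime import date
from typing import Dict, List, Optional

# argument -> (object relation, MISP attribute type, to_ids). The ip, dst_port,
# domain and first_seen rows are taken from this command's Context Example; the
# rows marked "assumed" follow the same template naming and are not documented here.
IP_PORT_RELATIONS = {
    "ip":         ("ip",         "ip-dst",   True),
    "ip_src":     ("ip-src",     "ip-src",   True),   # assumed
    "ip_dst":     ("ip-dst",     "ip-dst",   True),   # assumed
    "dst_port":   ("dst-port",   "port",     False),
    "src_port":   ("src-port",   "port",     False),  # assumed
    "domain":     ("domain",     "domain",   True),
    "hostname":   ("hostname",   "hostname", True),   # assumed
    "first_seen": ("first-seen", "datetime", False),
    "last_seen":  ("last-seen",  "datetime", False),  # assumed
}
# Arguments of which at least one must be present, per the command description.
TUPLE_ARGS = ("ip", "dst_port", "src_port", "domain", "hostname", "ip_src", "ip_dst")
IP_ARGS = ("ip", "ip_src", "ip_dst")


def _check_value(arg: str, value: str) -> str:
    """Reject malformed values before they reach the CTI platform."""
    value = value.strip()
    if arg in IP_ARGS:
        ipaddress.ip_address(value)          # raises ValueError on garbage
    elif arg in ("dst_port", "src_port"):
        if not value.isdigit() or not 0 <= int(value) <= 65535:
            raise ValueError(f"{arg}: {value!r} is not a valid port")
    elif arg in ("first_seen", "last_seen"):
        date.fromisoformat(value)            # the examples use YYYY-MM-DD
    elif not value:
        raise ValueError(f"{arg}: empty value")
    return value


def build_ip_port_object(event_id: str, comment: str = "", **args: Optional[str]) -> Dict:
    """Translate command arguments into the attribute list of an ip-port object.

    IP arguments may be comma-separated, as in the command example; each address
    becomes its own attribute carrying the same object relation.
    """
    given = {k: v for k, v in args.items() if v not in (None, "")}
    unknown = set(given) - set(IP_PORT_RELATIONS)
    if unknown:
        raise ValueError(f"unknown argument(s): {sorted(unknown)}")
    if not any(k in given for k in TUPLE_ARGS):
        raise ValueError("at least one of " + ", ".join(TUPLE_ARGS) + " is required")

    attributes: List[Dict] = []
    for arg, (relation, attr_type, to_ids) in IP_PORT_RELATIONS.items():
        if arg not in given:
            continue
        raw = str(given[arg])
        values = raw.split(",") if arg in IP_ARGS else [raw]
        for value in values:
            attributes.append({
                "object_relation": relation,
                "type": attr_type,
                "value": _check_value(arg, value),
                "to_ids": to_ids,
            })
    return {"event_id": str(event_id), "name": "ip-port", "comment": comment,
            "Attribute": attributes}


if __name__ == "__main__":
    # Same arguments as the command example in this document.
    obj = build_ip_port_object("743", ip="8.8.8.8,4.4.4.4", dst_port="8080",
                               domain="google.com", first_seen="2018-05-05",
                               comment="test dns")
    for a in obj["Attribute"]:
        print(f'{a["object_relation"]:<11} {a["type"]:<9} to_ids={a["to_ids"]!s:<5} {a["value"]}')
```

The to_ids column is the one to watch: the port and the first-seen date are context and stay off the IDS export, while the addresses and the domain are the values that downstream detection will match on, so a typo in them is costly and is caught here rather than after the object has been shared.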