misp_search_events
Search MISP events by IOC value, attribute type, tags, date range, or organization to find relevant threat intelligence.
Instructions
Search MISP events by IOC value, type, tags, date range, or organization
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| value | No | IOC value to search across all attributes | |
| type | No | Attribute type filter (ip-src, ip-dst, domain, md5, sha256, url, email-src, etc.) | |
| category | No | Category filter (Network activity, Payload delivery, External analysis, etc.) | |
| tags | No | Tag filters (e.g., tlp:white, misp-galaxy:mitre-attack-pattern) | |
| eventId | No | Specific event ID | |
| org | No | Organization filter | |
| dateFrom | No | Start date (YYYY-MM-DD) | |
| dateTo | No | End date (YYYY-MM-DD) | |
| last | No | Relative time (e.g., 1d, 7d, 30d, 6m) | |
| published | No | Only published events | |
| limit | No | Max results (default 50) | |
| page | No | Page number for pagination | |
Implementation Reference
- src/tools/events.ts:24-77 (handler): The handler function for the misp_search_events tool. It receives validated params, calls client.searchEvents(), maps results to a summary (id, info, date, threat_level, analysis, published, org, attribute_count, tags), and returns them as JSON text.

```typescript
async (params) => {
  try {
    const events = await client.searchEvents({
      value: params.value,
      type: params.type,
      category: params.category,
      tags: params.tags,
      eventid: params.eventId,
      org: params.org,
      dateFrom: params.dateFrom,
      dateTo: params.dateTo,
      last: params.last,
      published: params.published,
      limit: params.limit,
      page: params.page,
    });
    if (events.length === 0) {
      return {
        content: [{ type: "text", text: "No events found matching the search criteria." }],
      };
    }
    // MISP encodes threat_level_id as 1=High, 2=Medium, 3=Low, 4=Undefined and
    // analysis as 0=Initial, 1=Ongoing, 2=Complete; both arrive as strings.
    const summary = events.map((e) => ({
      id: e.id,
      info: e.info,
      date: e.date,
      threat_level: ["", "High", "Medium", "Low", "Undefined"][
        parseInt(e.threat_level_id) || 0
      ],
      analysis: ["Initial", "Ongoing", "Complete"][parseInt(e.analysis) || 0],
      published: e.published,
      org: e.Orgc?.name || "Unknown",
      attribute_count: e.attribute_count,
      tags: (e.Tag || []).map((t) => t.name),
    }));
    return {
      content: [
        {
          type: "text",
          text: JSON.stringify(summary, null, 2),
        },
      ],
    };
  } catch (err) {
    return {
      content: [
        {
          type: "text",
          text: `Error searching events: ${err instanceof Error ? err.message : String(err)}`,
        },
      ],
      isError: true,
    };
  }
}
```

- src/tools/events.ts:10-23 (schema): Zod schema definitions for all input parameters of misp_search_events: value, type, category, tags, eventId, org, dateFrom, dateTo, last, published, limit, page.

```typescript
{
  value: z.string().optional().describe("IOC value to search across all attributes"),
  type: z.string().optional().describe("Attribute type filter (ip-src, ip-dst, domain, md5, sha256, url, email-src, etc.)"),
  category: z.string().optional().describe("Category filter (Network activity, Payload delivery, External analysis, etc.)"),
  tags: z.array(z.string()).optional().describe("Tag filters (e.g., tlp:white, misp-galaxy:mitre-attack-pattern)"),
  eventId: z.string().optional().describe("Specific event ID"),
  org: z.string().optional().describe("Organization filter"),
  dateFrom: z.string().optional().describe("Start date (YYYY-MM-DD)"),
  dateTo: z.string().optional().describe("End date (YYYY-MM-DD)"),
  last: z.string().optional().describe("Relative time (e.g., 1d, 7d, 30d, 6m)"),
  published: z.boolean().optional().describe("Only published events"),
  limit: z.number().optional().describe("Max results (default 50)"),
  page: z.number().optional().describe("Page number for pagination"),
},
```

- src/tools/events.ts:7-78 (registration): Registration of the tool via server.tool('misp_search_events', ...) within the registerEventTools function.

```typescript
server.tool(
  "misp_search_events",
  "Search MISP events by IOC value, type, tags, date range, or organization",
  {
    value: z.string().optional().describe("IOC value to search across all attributes"),
    type: z.string().optional().describe("Attribute type filter (ip-src, ip-dst, domain, md5, sha256, url, email-src, etc.)"),
    category: z.string().optional().describe("Category filter (Network activity, Payload delivery, External analysis, etc.)"),
    tags: z.array(z.string()).optional().describe("Tag filters (e.g., tlp:white, misp-galaxy:mitre-attack-pattern)"),
    eventId: z.string().optional().describe("Specific event ID"),
    org: z.string().optional().describe("Organization filter"),
    dateFrom: z.string().optional().describe("Start date (YYYY-MM-DD)"),
    dateTo: z.string().optional().describe("End date (YYYY-MM-DD)"),
    last: z.string().optional().describe("Relative time (e.g., 1d, 7d, 30d, 6m)"),
    published: z.boolean().optional().describe("Only published events"),
    limit: z.number().optional().describe("Max results (default 50)"),
    page: z.number().optional().describe("Page number for pagination"),
  },
  async (params) => {
    try {
      const events = await client.searchEvents({
        value: params.value,
        type: params.type,
        category: params.category,
        tags: params.tags,
        eventid: params.eventId,
        org: params.org,
        dateFrom: params.dateFrom,
        dateTo: params.dateTo,
        last: params.last,
        published: params.published,
        limit: params.limit,
        page: params.page,
      });
      if (events.length === 0) {
        return {
          content: [{ type: "text", text: "No events found matching the search criteria." }],
        };
      }
      const summary = events.map((e) => ({
        id: e.id,
        info: e.info,
        date: e.date,
        threat_level: ["", "High", "Medium", "Low", "Undefined"][
          parseInt(e.threat_level_id) || 0
        ],
        analysis: ["Initial", "Ongoing", "Complete"][parseInt(e.analysis) || 0],
        published: e.published,
        org: e.Orgc?.name || "Unknown",
        attribute_count: e.attribute_count,
        tags: (e.Tag || []).map((t) => t.name),
      }));
      return {
        content: [
          {
            type: "text",
            text: JSON.stringify(summary, null, 2),
          },
        ],
      };
    } catch (err) {
      return {
        content: [
          {
            type: "text",
            text: `Error searching events: ${err instanceof Error ? err.message : String(err)}`,
          },
        ],
        isError: true,
      };
    }
  }
);
```

- src/client.ts:132-169 (helper): The client.searchEvents() helper method that builds the request body and sends a POST to /events/restSearch on the MISP API. Returns the mapped MispEvent[] from the response.

```typescript
async searchEvents(params: {
  value?: string;
  type?: string;
  category?: string;
  tags?: string[];
  eventid?: string;
  org?: string;
  dateFrom?: string;
  dateTo?: string;
  last?: string;
  published?: boolean;
  limit?: number;
  page?: number;
}): Promise<MispEvent[]> {
  const body: Record<string, unknown> = {
    returnFormat: "json",
    limit: params.limit ?? 50,
  };
  // Only set keys the caller supplied; dateFrom/dateTo map onto MISP's
  // restSearch "from"/"to" keys and published is sent as 1/0.
  if (params.value) body.value = params.value;
  if (params.type) body.type = params.type;
  if (params.category) body.category = params.category;
  if (params.tags) body.tags = params.tags;
  if (params.eventid) body.eventid = params.eventid;
  if (params.org) body.org = params.org;
  if (params.dateFrom) body.from = params.dateFrom;
  if (params.dateTo) body.to = params.dateTo;
  if (params.last) body.last = params.last;
  if (params.published !== undefined) body.published = params.published ? 1 : 0;
  if (params.page) body.page = params.page;
  const data = await this.request<EventSearchResponse>(
    "POST",
    "/events/restSearch",
    body
  );
  return (data.response || []).map((r) => r.Event);
}
```

- src/types.ts:202-204 (helper): Type definition for EventSearchResponse used by the helper to type the API response.

```typescript
export interface EventSearchResponse {
  response: Array<{ Event: MispEvent }>;
}
```
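The two steps above, parameter-to-body mapping and response summarisation, as an added stand-alone example that is not the project's own code. It assumes the documented input formats (YYYY-MM-DD dates; relative times of digits plus d, h or m) and checks them before building the body, since the schema only requires strings; it also looks up threat level and analysis by explicit key so an out-of-range id yields "Unknown" instead of an undefined property that JSON.stringify would drop.

```typescript
// Added example (not the project's code): validated restSearch body building
// plus a summary mapping that cannot silently lose fields for unknown ids.
type SearchParams = {
  value?: string; type?: string; tags?: string[]; dateFrom?: string;
  dateTo?: string; last?: string; published?: boolean; limit?: number; page?: number;
};
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/; // YYYY-MM-DD, as the schema documents
const LAST_RE = /^\d+[dhm]$/;          // e.g. 1d, 7d, 30d, 6m (assumed: h also accepted)
// Same key mapping as searchEvents() (dateFrom->from, dateTo->to, published->1/0),
// but malformed dates or relative times are rejected instead of forwarded to MISP.
function buildRestSearchBody(p: SearchParams): Record<string, unknown> {
  if (p.dateFrom && !DATE_RE.test(p.dateFrom)) throw new Error(`bad dateFrom: ${p.dateFrom}`);
  if (p.dateTo && !DATE_RE.test(p.dateTo)) throw new Error(`bad dateTo: ${p.dateTo}`);
  if (p.last && !LAST_RE.test(p.last)) throw new Error(`bad last: ${p.last}`);
  const body: Record<string, unknown> = { returnFormat: "json", limit: p.limit ?? 50 };
  if (p.value) body.value = p.value;
  if (p.type) body.type = p.type;
  if (p.tags?.length) body.tags = p.tags;
  if (p.dateFrom) body.from = p.dateFrom;
  if (p.dateTo) body.to = p.dateTo;
  if (p.last) body.last = p.last;
  if (p.published !== undefined) body.published = p.published ? 1 : 0;
  if (p.page) body.page = p.page;
  return body;
}
// MISP threat_level_id: 1=High, 2=Medium, 3=Low, 4=Undefined; analysis: 0/1/2.
const THREAT_LEVELS: Record<string, string> = { "1": "High", "2": "Medium", "3": "Low", "4": "Undefined" };
const ANALYSIS = ["Initial", "Ongoing", "Complete"];
type RawEvent = { id: string; info: string; threat_level_id: string; analysis: string;
  published: boolean; Orgc?: { name: string }; Tag?: { name: string }[] };
// Unknown ids map to an explicit "Unknown" rather than to undefined, which
// JSON.stringify would silently omit from the summary sent back to the caller.
function summarizeEvents(resp: { response?: { Event: RawEvent }[] }) {
  return (resp.response ?? []).map(({ Event: e }) => ({
    id: e.id, info: e.info,
    threat_level: THREAT_LEVELS[e.threat_level_id] ?? "Unknown",
    analysis: ANALYSIS[parseInt(e.analysis, 10)] ?? "Unknown",
    published: e.published,
    org: e.Orgc?.name || "Unknown",
    tags: (e.Tag ?? []).map((t) => t.name),
  }));
}
// Constructed sample shaped like /events/restSearch JSON output (not real data).
const SAMPLE = { response: [
  { Event: { id: "42", info: "Phishing wave", threat_level_id: "2", analysis: "1",
    published: true, Orgc: { name: "ExampleOrg" }, Tag: [{ name: "tlp:white" }] } },
  { Event: { id: "43", info: "Stub", threat_level_id: "9", analysis: "7", published: false } },
] };
```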