//! Search for attributes using the MISP restSearch API.
//!
//! Demonstrates `SearchBuilder`, `build_complex_query`, relative timestamps,
//! pagination, and different return formats.
//!
//! # Usage
//!
//! ```bash
//! MISP_URL=https://misp.example.com MISP_KEY=your-api-key cargo run --example search_attributes
//! ```
use rustmisp::{
MispClient, MispResult, ReturnFormat, SearchBuilder, SearchController, build_complex_query,
};
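#[tokio::main]
async fn main() -> MispResult<()> {
    // Connection settings come from the environment so the API key never has
    // to appear on the command line (and therefore in shell history or `ps`).
    let url = required_env("MISP_URL");
    let key = required_env("MISP_KEY");
    let ssl_verify = ssl_verify_from_env();

    // `?` hands client-construction failures (e.g. an unparsable URL) back to
    // the runtime as the crate's own error type.
    let client = MispClient::new(&url, &key, ssl_verify)?;

    // ── 1. Simple value search ──────────────────────────────────────────────
    // Find all attributes matching a specific IP address.
    let params = SearchBuilder::new()
        .value("198.51.100.42")
        .type_attribute("ip-dst")
        .limit(10)
        .build();
    let results = client.search(SearchController::Attributes, &params).await?;
    println!("=== Simple IP search ===");
    println!("{results:#}");

    // ── 2. Date-range search ────────────────────────────────────────────────
    // Find attributes added in the last 7 days with the to_ids flag set.
    let params = SearchBuilder::new()
        .last("7d")
        .to_ids(true)
        .enforce_warninglist(true)
        .include_event_tags(true)
        .limit(25)
        .build();
    let results = client.search(SearchController::Attributes, &params).await?;
    println!("\n=== Last 7 days (to_ids=true) ===");
    println!("{results:#}");

    // ── 3. Complex tag query (AND / OR / NOT) ───────────────────────────────
    // Find attributes tagged with (tlp:green OR tlp:white) AND malware,
    // but NOT tlp:red.
    let tag_query = build_complex_query(
        Some(vec!["tlp:green", "tlp:white"]),
        Some(vec!["malware"]),
        Some(vec!["tlp:red"]),
    );
    let params = SearchBuilder::new()
        .tags_query(tag_query)
        .published(true)
        .limit(20)
        .build();
    let results = client.search(SearchController::Attributes, &params).await?;
    println!("\n=== Complex tag query ===");
    println!("{results:#}");

    // ── 4. Multi-type search with pagination ────────────────────────────────
    // Search across several network indicator types, page 1.
    let params = SearchBuilder::new()
        .type_attributes(vec!["ip-src", "ip-dst", "domain", "hostname", "url"])
        .category("Network activity")
        .date_from("2025-01-01")
        .page(1)
        .limit(50)
        .include_event_uuid(true)
        .include_correlations(true)
        .build();
    let results = client.search(SearchController::Attributes, &params).await?;
    println!("\n=== Network indicators (page 1) ===");
    println!("{results:#}");

    // ── 5. CSV export ───────────────────────────────────────────────────────
    // Retrieve attributes as CSV for downstream processing.
    let params = SearchBuilder::new()
        .type_attribute("sha256")
        .to_ids(true)
        .limit(10)
        .return_format(ReturnFormat::Csv)
        .requested_attributes(vec!["uuid", "value", "type", "timestamp"])
        .build();
    let csv = client.search(SearchController::Attributes, &params).await?;
    println!("\n=== SHA-256 hashes (CSV) ===");
    println!("{csv}");

    // ── 6. Event-level search ───────────────────────────────────────────────
    // Search for events containing specific indicators.
    let params = SearchBuilder::new()
        .value("malware.example.com")
        .published(true)
        .limit(5)
        .build();
    let results = client.search(SearchController::Events, &params).await?;
    println!("\n=== Events containing domain ===");
    println!("{results:#}");

    Ok(())
}

/// Reads a required configuration value from the environment.
///
/// A missing or non-Unicode variable is an operator error, not a program bug,
/// so instead of panicking (which prints a backtrace) this writes a one-line
/// message to stderr and exits with status 2.
fn required_env(name: &str) -> String {
    match std::env::var(name) {
        Ok(value) => value,
        Err(_) => {
            eprintln!("error: set the {name} environment variable");
            std::process::exit(2);
        }
    }
}

/// Decides whether the client verifies the MISP server's TLS certificate.
///
/// `MISP_SSL_VERIFY` defaults to `true`; only the literal values `0` and
/// `false` (case-insensitive) turn verification off. An unset or unreadable
/// variable keeps the safe default.
fn ssl_verify_from_env() -> bool {
    let verify = std::env::var("MISP_SSL_VERIFY")
        .map(|v| !(v == "0" || v.eq_ignore_ascii_case("false")))
        .unwrap_or(true);
    if !verify {
        // With certificate checks off, the API key sent in the request headers
        // is exposed to anyone who can interpose on the connection, so make the
        // degraded mode visible on every run rather than silently accepting it.
        eprintln!("warning: MISP_SSL_VERIFY is off; TLS certificate verification is disabled");
    }
    verify
}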