RESTful API - Specify dates

[jdell64]

I am using the api endpoint:

https://<server-name>/events/

and trying to get all the events. The issue I'm having is that this endpoint returns too many events at once. Is there a way to specify start / end in the RESTful api? I saw you could with the /events/xml/download endpoint, but I just want to get the json response rather than a file.

I've tried:

https://<server-name>/events?from=2016-01-01
https://<server-name>/events/null/null/null/2016-01-01

[iglocska]

Sure, have a look here for the available filters and their usage:

https://circl.lu/doc/misp/automation/index.html#filtering-event-metadata

You can also pass them via the url as parameters but it is advised against since special characters in url parameters can be an issue. Though in your case the dates would work.

What you probably want:

searchdatefrom (YYYY-MM-DD - using the date field)
searchdateto (YYYY-MM-DD - using the date field)
searchtimestamp (timestamp - using the event timestamp, sadly not in the documentation yet)
searchpublishtimestamp (timestamp - using the event timestamp, sadly not in the documentation yet)

So if you wanted to use the timestamp (that is the last modification to the event):

POST to:

https://mymisp/events/index

Using the headers:

Authorization: my_api_key
Accept: application/json
Content-type: application/json

Body:

{"searchtimestamp":your_timestamp_threshold}

Or simply use a GET request and fetch:

https://mymisp/events/index/searchtimestamp:my_timestamp

[jdell64]

Oh nice! So, this may be related:

MISP/MISP#1703

sorry for opening so many issues. I did try to do a pull request, but alas, I don't know PHP that well.

Does searchtimestamp specify a start time, or an exact time?

[jdell64]

Additionally, does the code just convert the timestamp to YYYY-MM-DD? Does it end up dropping the hour and minute fields?

[iglocska]

No worries at all, the more the merrier.

They are different fields.

Basically, the event has a user-set field called "date" in YYYY-MM-DD format with the precision only being a date.

There is the publish timestamp, which is a unix timestamp representing when the event was last published and there is also the timestamp field which is simply the timestamp the event was last edited at.

[chriswhite199]

Clarification question related to this - when passing to / from dates in yyyy-MM-dd format, how are time zones dealt with - are all date values assumed to be in the standard UTC, or are they interpreted based upon the timezone of the server you're querying?

If the later if true, then can you affect this by passing an HTTP header or (undocumented?) query param to denote the target timezone of the from / to dates passed?

[jdell64]

Any update on this?

[adulau]

This should have been fixed in MISP/MISP@c60cc78 - could you pull and test it? Thanks a lot.

[jdell64]

I believe this is resolved... I'm not hosting my own instance, but using the ops-trust.net one.