# Build complex MISP search queries with PyMISP

Getting the different **AND**, **OR** or **NOT** conditions right when building a MISP search query can be challenging. But you can get help from **PyMISP**. 

The function [build_complex_query](https://pymisp.readthedocs.io/en/latest/modules.html#pymisp.PyMISP.build_complex_query) allows you to build complex queries. It accepts three variables (all dictionaries):

- or_parameters
- and_parameters
- not_parameters

The function does **not** execute the query; it only returns the search query, which you can then use in a follow-up query. You can use the function to build, for example, a search query for tags or values.

In [1]:
```python
import sys

import urllib3
from pymisp import PyMISP

# Load the MISP URL, API key and certificate setting from a local keys module
sys.path.insert(0, "/home/koenv/cti-operational-procedure/vault/")
from keys import misp_url, misp_key, misp_verifycert

# Only silence the TLS warning when certificate verification is explicitly disabled
if misp_verifycert is False:
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

misp = PyMISP(misp_url, misp_key, misp_verifycert)

print("I will use the server {}".format(misp_url))
```

```
The version of PyMISP recommended by the MISP instance (2.4.162) is newer than the one you're using now (2.4.159). Please upgrade PyMISP.

I will use the server https://misp.demo.cudeso.be/
```

In [2]:
```python
or_parameters = []
# Machine tags carry their value in double quotes, so both quotes must be escaped
and_parameters = ["workflow:state=\"incomplete\"", "workflow:todo=\"review-for-privacy\""]
not_parameters = ["tlp:red"]
```

In [3]:
```python
# Build the query structure only; nothing is sent to the MISP server yet
complex_search_query = misp.build_complex_query(or_parameters=or_parameters,
                                                and_parameters=and_parameters,
                                                not_parameters=not_parameters)
print("You can use this complex search query {}".format(complex_search_query))
```

```
You can use this complex search query {'AND': ['workflow:state="incomplete"', 'workflow:todo="review-for-privacy"'], 'NOT': ['tlp:red']}
```


In [4]:
```python
# Run the search with the prepared tag query and print each event with its tags
search_result = misp.search(tags=complex_search_query, pythonify=True)
for event in search_result:
    print(event.info)
    for tag in event.tags:
        print("  {}".format(tag.name))
```

```
Threat event with PII
  workflow:todo="review-for-privacy"
  workflow:state="incomplete"
  tlp:amber
```
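
A local sanity check for the query dictionary before it is passed to `misp.search`, as an added example that is not part of the original notebook or of PyMISP. The tag pattern, the helper names `malformed_tags` and `matches`, the evaluation semantics (every AND tag, at least one OR tag when given, no NOT tag) and the sample data are assumptions constructed for illustration.

```python
import re

# MISP taxonomy tags: namespace:predicate or namespace:predicate="value".
# (Pattern is an assumption for this example; free-form tags without a
# namespace are deliberately not accepted here.)
MACHINE_TAG = re.compile(r'^[a-z0-9_.-]+:[a-z0-9_.-]+(="[^"\\]+")?$', re.I)


def malformed_tags(query):
    """Return every tag in the query dict that is not a well-formed machine tag."""
    return [tag for tags in query.values() for tag in tags
            if not MACHINE_TAG.match(tag)]


def matches(query, event_tags):
    """Evaluate the AND/OR/NOT query locally against one event's tag names."""
    present = set(event_tags)
    if not all(tag in present for tag in query.get("AND", [])):
        return False
    if query.get("OR") and not any(tag in present for tag in query["OR"]):
        return False
    return not any(tag in present for tag in query.get("NOT", []))


# Constructed sample data in the same shape as the query dictionary and
# event tags used on this page.
good_query = {
    "AND": ['workflow:state="incomplete"', 'workflow:todo="review-for-privacy"'],
    "NOT": ["tlp:red"],
}
# Same query with the opening quote of one value lost to a bad escape.
typo_query = {
    "AND": ['workflow:state=\\incomplete"', 'workflow:todo="review-for-privacy"'],
    "NOT": ["tlp:red"],
}
event_tags = ['workflow:todo="review-for-privacy"',
              'workflow:state="incomplete"', "tlp:amber"]

if __name__ == "__main__":
    for name, query in (("good", good_query), ("typo", typo_query)):
        print(name, "malformed:", malformed_tags(query),
              "matches event:", matches(query, event_tags))
```

Running `malformed_tags` on the query before searching catches quoting mistakes that would otherwise only show up as unexpected search results.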
