Skip to main content
Skip table of contents

Threat intelligence attributes

LIst attributes:

Attributes in MISP can be network indicators (e.g. IP address), system indicators (e.g. a string in memory), or even bank account details. MISP attributes are purely based on usage (what people and organizations use daily).

  • A type (e.g. MD5, url) is how an attribute is described

  • An attribute is always in a category (e.g. Payload delivery) which puts it in a context

    • A category is what describes an attribute

  • An IDS flag on an attribute allows to determine if an attribute can be automatically used for detection

To access the list of attributes, click List Attributes on the left pane, The Attributes page opens, that displays a list of last 60 attributes.

The Events page displays the following information:

  • Event: This is the ID number of the event that the attribute is tied to. If an event belongs to your organization, then this field will be colored red.

  • Org: The organization that has created the event

  • Category: The category of the attribute, showing what the attribute describes (for example the malware's payload)

  • Type: The type of the value contained in the attribute (for example a source IP address)

  • Value: The actual value of the attribute, describing an aspect, defined by the category and type fields of the malware (for example

  • Comment: An optional comment attached to the attribute

  • IDS: Shows whether the attribute has been flagged for NIDS signature generation or not

  • Distribution: Describes who will have access to the event

  • Actions: A set of buttons that allow you to edit or delete the attribute

Search attributes:

Data contained in the value field of an attribute can be searched. You can search for attributes based on contained expression within the value, event ID, submitting organization, category and type. To search for attributes, click Search Attributes on the left pane, The Search Attributes page opens.

  • For the value, event ID and organization, you can enter several search terms by entering each term as a new line.

  • To exclude things from a result, use the NOT operator (!) in front of the term.

  • For string searches (such as searching for an expression or tags) - lookups are simple string matches.

  • If you want a substring match encapsulate the lookup string between "%" characters.

Apart from being able to list all events, it is also possible to search for data contained in the value field of an attribute, by clicking on the "Search Attributes" button.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.