0
# Event Management
1

2
Comprehensive event lifecycle management for creating, retrieving, updating, publishing, and managing MISP events with full support for attributes, objects, and metadata.
3

4
## Capabilities
5

6
### Event Retrieval
7

8
List and retrieve events with filtering and detailed control over included data.
9

10
```python { .api }
11
def events(self, pythonify: bool = False) -> dict[str, Any] | list[MISPEvent] | list[dict[str, Any]]:
12
    """
13
    Get all events from the MISP instance.
14
    
15
    Parameters:
16
    - pythonify: Return MISPEvent objects instead of raw JSON
17
    
18
    Returns:
19
    List of events or error dictionary
20
    """
21

22
def get_event(
23
    self,
24
    event: MISPEvent | int | str | UUID,
25
    deleted: bool | int | list[int] = False,
26
    extended: bool | int = False,
27
    pythonify: bool = False
28
) -> dict[str, Any] | MISPEvent:
29
    """
30
    Get an event from MISP instance with collections like attributes, objects, tags.
31
    
32
    Parameters:
33
    - event: Event ID, UUID, or MISPEvent object
34
    - deleted: Include soft-deleted attributes
35
    - extended: Include extended event information
36
    - pythonify: Return MISPEvent object instead of raw JSON
37
    
38
    Returns:
39
    Event data or MISPEvent object
40
    """
41

42
def event_exists(self, event: MISPEvent | int | str | UUID) -> bool:
43
    """
44
    Check if event exists in MISP.
45
    
46
    Parameters:
47
    - event: Event ID, UUID, or MISPEvent object to check
48
    
49
    Returns:
50
    True if event exists, False otherwise
51
    """
52
```
53

54
### Event Creation & Updates
55

56
Create new events and update existing events with comprehensive validation and metadata management.
57

58
```python { .api }
59
def add_event(self, event: MISPEvent, pythonify: bool = False, metadata: bool = False) -> dict[str, Any] | MISPEvent:
60
    """
61
    Create new event in MISP.
62
    
63
    Parameters:
64
    - event: MISPEvent object to create
65
    - pythonify: Return MISPEvent object instead of raw JSON
66
    - metadata: Include metadata in response
67
    
68
    Returns:
69
    Created event or error dictionary
70
    """
71

72
def update_event(
73
    self,
74
    event: MISPEvent,
75
    event_id: int | None = None,
76
    pythonify: bool = False,
77
    metadata: bool = False
78
) -> dict[str, Any] | MISPEvent:
79
    """
80
    Update existing event in MISP.
81
    
82
    Parameters:
83
    - event: MISPEvent object with updates
84
    - event_id: Specific event ID to update
85
    - pythonify: Return MISPEvent object instead of raw JSON
86
    - metadata: Include metadata in response
87
    
88
    Returns:
89
    Updated event or error dictionary
90
    """
91
```
92

93
### Event Publishing & Distribution
94

95
Publish events for sharing and manage distribution settings.
96

97
```python { .api }
98
def publish(self, event: MISPEvent | int | str | UUID, alert: bool = False) -> dict[str, Any] | list[dict[str, Any]]:
99
    """
100
    Publish event for distribution.
101
    
102
    Parameters:
103
    - event: Event ID, UUID, or MISPEvent object to publish
104
    - alert: Send email alerts to subscribers
105
    
106
    Returns:
107
    Publication result or error dictionary
108
    """
109

110
def unpublish(self, event: MISPEvent | int | str | UUID) -> dict[str, Any] | list[dict[str, Any]]:
111
    """
112
    Unpublish previously published event.
113
    
114
    Parameters:
115
    - event: Event ID, UUID, or MISPEvent object to unpublish
116
    
117
    Returns:
118
    Unpublication result or error dictionary
119
    """
120
```
121

122
### Event Deletion & Management
123

124
Delete events and manage event lifecycle with proper validation.
125

126
```python { .api }
127
def delete_event(self, event: MISPEvent | int | str | UUID) -> dict[str, Any] | list[dict[str, Any]]:
128
    """
129
    Delete event from MISP.
130
    
131
    Parameters:
132
    - event: Event ID, UUID, or MISPEvent object to delete
133
    
134
    Returns:
135
    Deletion result or error dictionary
136
    """
137

138
def contact_event_reporter(self, event: MISPEvent | int | str | UUID, message: str) -> dict[str, Any] | list[dict[str, Any]]:
139
    """
140
    Send message to event reporter/creator.
141
    
142
    Parameters:
143
    - event: Event ID, UUID, or MISPEvent object
144
    - message: Message content to send
145
    
146
    Returns:
147
    Message delivery result
148
    """
149

150
def enrich_event(self, event: MISPEvent | int | str | UUID, enrich_with: str | list[str]) -> dict[str, Any]:
151
    """
152
    Enrich event with data from enrichment modules.
153
    
154
    Parameters:
155
    - event: Event ID, UUID, or MISPEvent object to enrich
156
    - enrich_with: Module name(s) for enrichment
157
    
158
    Returns:
159
    Enrichment results
160
    """
161
```
162

163
### Event Delegation
164

165
Manage event delegation for multi-organization workflows.
166

167
```python { .api }
168
def event_delegations(self, pythonify: bool = False) -> dict[str, Any] | list[MISPEventDelegation] | list[dict[str, Any]]:
169
    """
170
    Get all event delegations.
171
    
172
    Parameters:
173
    - pythonify: Return MISPEventDelegation objects instead of raw JSON
174
    
175
    Returns:
176
    List of event delegations
177
    """
178

179
def accept_event_delegation(self, delegation: MISPEventDelegation | int | str, pythonify: bool = False) -> dict[str, Any] | list[dict[str, Any]]:
180
    """
181
    Accept event delegation request.
182
    
183
    Parameters:
184
    - delegation: Delegation ID or MISPEventDelegation object
185
    - pythonify: Return objects instead of raw JSON
186
    
187
    Returns:
188
    Acceptance result
189
    """
190

191
def discard_event_delegation(self, delegation: MISPEventDelegation | int | str, pythonify: bool = False) -> dict[str, Any] | list[dict[str, Any]]:
192
    """
193
    Discard event delegation request.
194
    
195
    Parameters:
196
    - delegation: Delegation ID or MISPEventDelegation object
197
    - pythonify: Return objects instead of raw JSON
198
    
199
    Returns:
200
    Discard result
201
    """
202

203
def delegate_event(
204
    self,
205
    event: MISPEvent | int | str | UUID | None = None,
206
    organisation: MISPOrganisation | int | str | UUID | None = None,
207
    sharing_group: MISPSharingGroup | int | str | UUID | None = None,
208
    message: str | None = None,
209
    pythonify: bool = False
210
) -> dict[str, Any] | list[dict[str, Any]]:
211
    """
212
    Delegate event to another organization.
213
    
214
    Parameters:
215
    - event: Event to delegate
216
    - organisation: Target organization
217
    - sharing_group: Target sharing group
218
    - message: Delegation message
219
    - pythonify: Return objects instead of raw JSON
220
    
221
    Returns:
222
    Delegation result
223
    """
224
```
225

226
### Event Reports
227

228
Manage event reports and documentation.
229

230
```python { .api }
231
def get_event_report(
232
    self,
233
    event_report: MISPEventReport | int | str | UUID,
234
    pythonify: bool = False
235
) -> dict[str, Any] | MISPEventReport:
236
    """
237
    Get specific event report.
238
    
239
    Parameters:
240
    - event_report: Report ID or MISPEventReport object
241
    - pythonify: Return MISPEventReport object instead of raw JSON
242
    
243
    Returns:
244
    Event report data
245
    """
246

247
def get_event_reports(
248
    self,
249
    event_id: int | str,
250
    pythonify: bool = False
251
) -> dict[str, Any] | list[MISPEventReport] | list[dict[str, Any]]:
252
    """
253
    Get all reports for an event.
254
    
255
    Parameters:
256
    - event_id: Event ID to get reports for
257
    - pythonify: Return MISPEventReport objects instead of raw JSON
258
    
259
    Returns:
260
    List of event reports
261
    """
262

263
def add_event_report(
264
    self,
265
    event: MISPEvent | int | str | UUID,
266
    event_report: MISPEventReport,
267
    pythonify: bool = False
268
) -> dict[str, Any] | MISPEventReport:
269
    """
270
    Add report to event.
271
    
272
    Parameters:
273
    - event: Target event
274
    - event_report: MISPEventReport object to add
275
    - pythonify: Return MISPEventReport object instead of raw JSON
276
    
277
    Returns:
278
    Added event report
279
    """
280

281
def update_event_report(
282
    self,
283
    event_report: MISPEventReport,
284
    event_report_id: int | None = None,
285
    pythonify: bool = False
286
) -> dict[str, Any] | MISPEventReport:
287
    """
288
    Update existing event report.
289
    
290
    Parameters:
291
    - event_report: MISPEventReport object with updates
292
    - event_report_id: Specific report ID to update
293
    - pythonify: Return MISPEventReport object instead of raw JSON
294
    
295
    Returns:
296
    Updated event report
297
    """
298

299
def delete_event_report(
300
    self,
301
    event_report: MISPEventReport | int | str | UUID,
302
    hard: bool = False
303
) -> dict[str, Any] | list[dict[str, Any]]:
304
    """
305
    Delete event report.
306
    
307
    Parameters:
308
    - event_report: Report ID or MISPEventReport object to delete
309
    - hard: Hard delete (permanent) vs soft delete
310
    
311
    Returns:
312
    Deletion result
313
    """
314
```
315

316
## Usage Examples
317

318
### Basic Event Operations
319

320
```python
321
from pymisp import PyMISP, MISPEvent, MISPAttribute
322

323
# Initialize client
324
misp = PyMISP('https://misp.example.com', 'your-api-key')
325

326
# Get all events
327
events = misp.events()
328
print(f"Total events: {len(events)}")
329

330
# Get specific event with full details
331
event = misp.get_event('event-uuid-here', extended=True, pythonify=True)
332
print(f"Event: {event.info}")
333

334
# Check if event exists
335
if misp.event_exists('event-id-here'):
336
    print("Event exists")
337
```
338

339
### Creating and Publishing Events
340

341
```python
342
# Create new event
343
event = MISPEvent()
344
event.info = "Suspicious Activity Detected"
345
event.distribution = 1  # Community only
346
event.threat_level_id = 2  # Medium
347

348
# Add event to MISP
349
response = misp.add_event(event, pythonify=True)
350
event_id = response.id
351

352
# Publish event for sharing
353
misp.publish(event_id, alert=True)
354
print(f"Event {event_id} published")
355

356
# Update event
357
event.analysis = 2  # Complete
358
misp.update_event(event, pythonify=True)
359
```
360

361
### Event Enrichment and Communication
362

363
```python
364
# Enrich event with external data
365
enrichment = misp.enrich_event(event_id, ['virustotal', 'shodan'])
366
print(f"Enrichment results: {enrichment}")
367

368
# Contact event reporter
369
message = "Need additional context about this threat"
370
misp.contact_event_reporter(event_id, message)
371

372
# Delegate event to another organization
373
misp.delegate_event(
374
    event=event_id,
375
    organisation='target-org-id',
376
    message="Please review and provide analysis"
377
)
378
```
379

380
### Event Reports
381

382
```python
383
from pymisp import MISPEventReport
384

385
# Create event report
386
report = MISPEventReport()
387
report.name = "Technical Analysis Report"
388
report.content = "Detailed technical analysis of the incident..."
389

390
# Add report to event
391
misp.add_event_report(event_id, report)
392

393
# Get all reports for event
394
reports = misp.get_event_reports(event_id, pythonify=True)
395
for report in reports:
396
    print(f"Report: {report.name}")
397
```
398

399
## Types
400

401
All event-related methods use the following key types:
402

403
```python { .api }
404
from pymisp import MISPEvent, MISPEventReport, MISPEventDelegation
405
from typing import Any, Union
406
from uuid import UUID
407

408
# Type aliases
409
EventIdentifier = Union[MISPEvent, int, str, UUID]
410
ResponseType = Union[dict[str, Any], list[dict[str, Any]]]
411
```