
Feature Request: Fetch events with ID greater than a provided eventid value #10507

@burrodesancho


Is your feature request related to a problem? Please describe.

I have a situation where there is a main MISP instance that acts as a central sharing point between partners.

Multiple partners share events to a sharing group, and those events are synced to the main MISP instance.

All shared events are then synchronized (via the main MISP) with the local MISP instances of all partners.

The agreement is that shared events, once shared, will not be modified further.

I would like to go through the shared events one by one. If I used parameters like timestamp or publish_timestamp, there’s a possibility of missing some shared events (due to connectivity problems, etc.).

Describe the solution you'd like

My idea is to query only my local MISP instance. Since event IDs are auto-incremented, a filter based on eventid would be ideal. This way, it would be possible to perform a restSearch using the sharing group ID and the ID of the last shared event I have already reviewed. I think that this functionality would also be beneficial because it avoids fetching unnecessary ranges of data.

I’ve forked the MISP code and added an eventid_filter parameter. This solution is just a proof of concept and it does not have to be accepted as is.

For my use case, it would be enough to return events with an ID greater than or equal to a given value (similar to how the timestamp and publish_timestamp parameters work). However, I implemented it so that it supports conditions such as <, >, <=, >=, !=, and =. For example, "eventid_filter": "<50" would return only events with an ID less than 50, and so on.

There is now some overlap with the existing eventid parameter (= and != conditions).

Is there a reason why this functionality hasn’t been implemented yet? Could it be added to the official MISP codebase, or is there some limitation that I might not be aware of?

Describe alternatives you've considered

No response

Additional context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
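The filter semantics proposed above (an operator prefix followed by an event id, fed into a WHERE clause) and the partner-side poller that would consume them, as an added Python example: this is not the author's fork or MISP's own code. The `eventid_filter` key, the `sharinggroup` body key and the in-memory restSearch stand-in are assumptions about the proof of concept, and the sample events are constructed.

```python
import operator
import re
from typing import Callable, List, Tuple

# Operators the proposed filter accepts (allow-list; anything else is rejected).
OPS = {"<": operator.lt, ">": operator.gt, "<=": operator.le,
       ">=": operator.ge, "!=": operator.ne, "=": operator.eq}
FILTER_RE = re.compile(r"(<=|>=|!=|<|>|=)?\s*(\d+)")


def parse_eventid_filter(value: str) -> Tuple[str, int]:
    """Split "<50" / ">=123" / "123" into (operator, id); a bare number means "=".
    fullmatch keeps anything but an allow-listed operator and digits out of the
    query layer, which matters because the value is user-controlled request input."""
    m = FILTER_RE.fullmatch(value.strip())
    if m is None:
        raise ValueError(f"invalid eventid_filter: {value!r}")
    return (m.group(1) or "="), int(m.group(2))


def sql_condition(value: str) -> Tuple[str, List[int]]:
    """Server-side fragment: operator from the allow-list, id passed as a bound parameter."""
    op, event_id = parse_eventid_filter(value)
    return f"Event.id {op} ?", [event_id]


def matches(event_id: int, value: str) -> bool:
    """Client-side equivalent of the filter, useful for sanity-checking server results."""
    op, wanted = parse_eventid_filter(value)
    return OPS[op](event_id, wanted)


# Constructed stand-in for the events a local instance holds (odd ids in group 3, even in 4).
SAMPLE_EVENTS = [{"id": i, "sharing_group_id": 3 if i % 2 else 4} for i in range(1, 11)]


def local_rest_search(body: dict) -> List[dict]:
    """Stand-in (assumption) for POST /events/restSearch honouring sharinggroup + eventid_filter."""
    return sorted((e for e in SAMPLE_EVENTS
                   if e["sharing_group_id"] == body["sharinggroup"]
                   and matches(e["id"], body["eventid_filter"])), key=lambda e: e["id"])


def review_new_events(rest_search: Callable[[dict], List[dict]],
                      sharing_group_id: int, last_reviewed_id: int) -> Tuple[List[int], int]:
    """Fetch only events with an id above the last one already reviewed and return
    their ids plus the new checkpoint (highest id seen, unchanged when nothing is new).
    Because ids are auto-incremented, no event can slip between two polls."""
    events = rest_search({"sharinggroup": sharing_group_id,
                          "eventid_filter": f">{last_reviewed_id}"})
    ids = [e["id"] for e in events]
    return ids, (max(ids) if ids else last_reviewed_id)
```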

Metadata

Assignees

No one assigned

Labels

T: feature request (Type: feature request. This issue is requesting a new feature); needs triage (This issue has been automatically labelled and needs further triage)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
