Many organizations run MISP instances with other cybersecurity tools and OSINT for data-driven investigations. Investigators can integrate both internal and external data to map with MISP data in various ways. This blog details how to look up information directly in the MISP community using MISP Transforms on Maltego Graph, highlighting its seamless integration for efficient and comprehensive investigations.
The JTAN (Joint Threat Analysis Network) Project, co-funded by the European Union’s CEF program, addresses the critical need for efficient and effective threat intelligence sharing among cybersecurity teams. As cyber threats grow in complexity and scale, the ability to quickly exchange and analyze threat data across organizations has become essential for maintaining robust security.
MISP 2.4.194 released with new functionalities and various bugs fixed.
New Features
Bookmark Functionality:
Users can now create bookmarks.
Bookmarks can be shared with all users in the same organization.
Heartbeat Endpoint:
New /users/heartbeat endpoint.
Accessible without authentication; returns a 200 response to indicate the instance is operational.
Designed for quick checks to see if the instance is up and running.
Skip OTP Requirement:
New role permission to exclude certain roles from OTP requirements.
Useful for filtered, local service accounts.
Users API Update:
Added a new boolean field indicating whether TOTP is set up for the user.
Applicable to /users/view, /admin/users/view, /admin/users/index endpoints.
Changes
Various Version Bumps:
Updates for misp-stix, schema, PyMISP, warning-lists, misp-galaxy, and misp-objects.
Bookmark Improvements:
Added title documentation for the exposed_to_org field.
Enhanced quick search support for bookmarks.
ACL and Schema Updates:
Heartbeat added to the ACL component.
Updates to schema and mysql.sql.
Fixes
Default Roles and Permissions:
Added delegation permission for sync user and publisher roles.
Readded default roles.
Fixed issues with PyMISP tests, default roles, and various editor and ingestion bugs.
UI and Functional Fixes:
Corrected event report markdown editor to display tags.
Included user agent in feed ingestion to address issues with specific feeds.
Fixed editing view for galaxycluster blocklist.
Readded missing org logo in the decaying model.
Corrected JSON response handling in the decaying tool.
Fixed object reference links for proper view refocus.
Corrected errors in the server edit view.
Fixed typo in bookmark description.
Adjusted default role settings in mysql.sql.
Updated local flag in EventTags to be boolean.
Corrected filenames in RHEL background worker migration guide.
Improved performance by increasing chunk size for sighting sync.
For a complete list of updates, please refer to the changelog pages. Many thanks to all the diligent contributors that ensure that MISP keeps improving rapidly!
We are excited to announce the release of MISP v2.4.190. This latest version introduces a slew of new features, improvements, and fixes designed to streamline operations and enhance security measures for our users.
Kunai is an open-source security monitoring tool, specifically designed to address the threat-hunting and threat-detection problematic on Linux. It has been inspired by Microsoft Sysmon, to provide a Sysmon alike experience to the end user. However, it comes with some more advanced features such as fine grained event filtering, detection rules and IoC matching. In this blog post, we are going to introduce how to implement real time MISP IoC matching in a very short amount of time.
The MISP Project, renowned for its threat intelligence sharing platform, and Yeti Platform, the Forensics Intelligence platform supporting CTI and DFIR practitioners, are coming together to create a more robust and interconnected open source landscape.
We are pleased to announce the immediate release of MISP 2.4.188, with major performance improvements and many bugs fixed.
New Features
Datasource Improvements:
Updates to some datasources with the ignoreIndexHint parameter (mysqlExtended, mysqlObserverExtended).
Fix for forceIndexHint.
Settings:
Added setting to temporarily disable the loading of sightings via the API (affects restsearch and /events/view endpoints). This helps with performance issues caused by large sighting data sets.
Changes
PyMISP:
Multiple version bumps.
Version and Internal Updates:
General version bump.
Improved error handling and marking BadRequestException as fail log in CI.
Attempt to fix a failing test.
Updated misp-galaxy, misp-object, and warning-lists.
Attribute Search Rework:
Significant performance improvement when using MysqlExtended or MysqlObserverExtended data sources.
Event level lookup moved to subqueries for faster queries.
Ignoring the deleted index to improve speed.
OpenAPI Updates:
Added content for analyst-data and event-reports.
Sighting Policy Support:
Added support of sighting policy in sightings:getLastSighting.
Attribute Search Performance:
Improved performance of includeDecayScore by a factor of 5.
Attribute Fetch Refactor:
Simplified conditions and optimizations.
Fixes
Attribute Search:
Enforced unpublishedprivate directive.
Internal Error Handling:
Error handling improvements in AttachmentScan.
CurlClient HEAD Request:
Added CURLOPT_NOBODY for HEAD requests.
CLI and ECS Updates:
Fix for redisReady in dragonfly.
Change type from Exception to Throwable in ECS.
OIDC:
Default organization handling if not provided by OIDC.
Publishing and Sync Issues:
Fix for publishing and sync errors.
Performance Improvements:
Bulk loading of analyst data to speed up event loading.
UI Update:
Added MISP.email_reply_to to server config.
Other
Multiple merges of branches and updates.
Fixes and changes in misp-stix, attachment scan error handling, OIDC default org handling, alert email titles, shadow attribute handling, and community additions (ICS-CSIRT.io).
Community and Contribution Updates
Additions and changes to the community, including the introduction of the ICS-CSIRT.io community.
Poppy a new Bloom filter format and open source library
Introduction
At CIRCL we use regularly bloom filters for some of our use cases especially in digital forensic. Such as providing a small, fast and shareable caching mechanism for Hashlookup database which can be used by incident responders.
Introducing Standalone Functionality to MISP Modules: A New Era of Flexibility and Efficiency
In the ever-evolving landscape of information security, the need for adaptable and efficient tools has never been greater. The MISP project, known for facilitating the sharing of structured threat information, has taken a significant leap forward. We’re excited to announce a pivotal enhancement to the misp-modules, a collection of modules for MISP, extending their functionality to operate not only as an integral part of MISP but also as a standalone web application.
We are pleased to announce the immediate release of MISP 2.4.186, which includes two major new feature called “Analyst Data” and “Collections” along with an extension to the MISP standard format.
Historically, teams shared indicators of compromise (IOCs) via email in documents that were often difficult to analyze and challenging to automate for processing.
We are happy to announce the immediate availability of MISP 2.4.185. This is mainly a bug fix release resolving several issues as well as tightening the security posture of the org image handling.
MISP 2.4.184 released with performance improvements, security and bugs fixes.
Improvements
Speed up improvements in ssdeep correlation and many other parts of MISP. Thanks to Jakub Onderka for the work on this.
[objects] restsearch first/last seen filters added.
[event:publication] Added new setting to block event publication if the publishing user is the creator.
[events:export] Make setting MISP.disable_cached_exports enabled by default. Since the /events/export has been marked deprecated for a years, we are starting the process to phase it out by first disabling the endpoint by default. The MISP ReST search API is the API to be used in the future if you still have very old scripts relying on export. We recommend to start making plans to rework those scripts.
[organisation:orgMerge] Added missing models for organisation handover
Security fixes
A series of security fixes were done in this release, the vulnerabilities are accessible to authenticated users, especially those with specific privileges like Org admin. We urge users to update to this version especially if you have different organisations having access to your instances.
Bridging the Gap: Introducing MISP Airgap for Secure Environments
In an era where cybersecurity threats are ever-evolving, the need for robust and secure information sharing platforms is paramount. Enter MISP (Threat Intelligence Sharing Platform), a renowned tool in the cybersecurity arsenal. But how do you deploy such a critical tool in the most secure environments, those that are air-gapped from the outside world? This is where the MISP airgap project comes into play.
