HarfangLab Use-Case with MISP
EDR Use-Cases with MISP
Historically, teams shared indicators of compromise (IOCs) via email in documents that were often difficult to analyze and challenging to automate for processing.
MISP 2.4.185 released with sighting performance improvements, security and bugs fixes
We are happy to announce the immediate availability of MISP 2.4.185. This is mainly a bug fix release resolving several issues as well as tightening the security posture of the org image handling.
MISP 2.4.184 released with performance improvements, security and bugs fixes.
MISP 2.4.184 released with performance improvements, security and bugs fixes.
Improvements
- Speed up improvements in ssdeep correlation and many other parts of MISP. Thanks to Jakub Onderka for the work on this.
- [objects] restsearch first/last seen filters added.
- [event:publication] Added new setting to block event publication if the publishing user is the creator.
- [events:export] Make setting
MISP.disable_cached_exportsenabled by default. Since the /events/export has been marked deprecated for a years, we are starting the process to phase it out by first disabling the endpoint by default. The MISP ReST search API is the API to be used in the future if you still have very old scripts relying on export. We recommend to start making plans to rework those scripts. - [organisation:orgMerge] Added missing models for organisation handover
Security fixes
A series of security fixes were done in this release, the vulnerabilities are accessible to authenticated users, especially those with specific privileges like Org admin. We urge users to update to this version especially if you have different organisations having access to your instances.
MISP 2.4.183 released with new ECS log feature, improvements and bugs fixed
MISP 2.4.183 released with a new ECS log feature, improvements and bugs fixed.
- MISP now supports Elastic Common Schema (ECS) security logging. A new option has been added
Security.ecs_logto enable this new functionality. A newSecurity.alert_on_suspicious_loginsto security audit has been added. - The sync configuration in MISP now supports sharing group blueprints for a simple creation of filter rules based on dynamically updated organisation lists.
- Major improvement to STIX import handling and especially the misp-stix library such as Parsing PE binary extensions within File observable objects and many more improvements/fixes.
- API add tag functions updated to also work with uuids, rather than just local IDs.
- [event:view] Added option to mass local cluster tag.
Many bugs fixed and minor improvements. Feel free to read the detailed changelog
MISP 2.4.182 released with new features, improvements bugs fixed and an important security fix.
MISP 2.4.182 released with new features, improvements bugs fixed and an important security fix.
MISP Core
New Features
- [event:view] Added new option
show_server_correlations_for_all_usersallowing non-privileged users to view server correlations. [Sami Mokaddem]
Changes
-
[Version] bump. [iglocska]
MISP 2.4.181 hot fix release to disable by default the alert on suspicious login plus some minor fixes.
MISP 2.4.181 hot fix release to disable by default the alert on suspicious login plus some minor fixes.
Changes
- [tools:misp-delegation] Do not use self-documented expression in f-string anymore. [Sami Mokaddem]
- [version] bump. [iglocska]
- [warning-lists] updated to the latest version. [Alexandre Dulaunoy]
- [misp-galaxy] updated to the latest version. [Alexandre Dulaunoy]
- [tests] search for errors in logs. [Christophe Vandeplas]
- [warning-lists] updated to the latest version. [Alexandre Dulaunoy]
- [misp-galaxy] updated to the latest version. [Alexandre Dulaunoy]
Fix
- [Alert on suspicious logins] disabled by default. [iglocska]
- requires logs table to be better indexed currently to not be a bottleneck (user_id and action fields)
- Will be made default in an upcoming version once the performance issues are resolved
- [tests] fix path in logs_tests.sh. [Christophe Vandeplas]
- [tests] fixes path of logs_tests. [Christophe Vandeplas]
- [userloginprofiles] undefined variable #9424. [Christophe Vandeplas]
- [customauth] missing Class init fixes #9425. [Christophe Vandeplas]
MISP 2.4.180 released with a new security user login profile feature, bugs fixed and many improvements.
MISP 2.4.180 released with a new security user login profile feature, bugs fixed and many improvements.
New
- [api] added X-MISP-AUTH as an alternative header to Authorization, fixes #9418. [iglocska]
Changes
- [VERSION] bump. [iglocska]
- [workflows] restored 7.2 and 7.3. [iglocska]
- [user login profile] old version compatibility. [iglocska]
- [event index] hover over ID will show the info field, generally more useful than the threat level. [iglocska]
Fix
- [login] fixes bad fix and catches first login after update. [Christophe Vandeplas]
- [revert] dumb check. [iglocska]
- [compatibility] make the ancient gods happy. [iglocska]
- [user login profile] skip checks for ancient php versions. [iglocska]
- [Attribute:EditPostProcessing] Make sure the ID is set. [Sami Mokaddem]
- [attribute:editPostProcessing] Fixed typo in condition preventing tags to be detached. [Sami Mokaddem]
- [attributes] type field added to editable fields. [iglocska]
- [RPZ] export custom parameters ingored, fixes #9420. [iglocska]
- [Attribute:editPostProcessing] Fixed sighting capture. [Sami Mokaddem]
- [Attribute:EditPostProcessing] Make sure the ID is set. [Sami Mokaddem]
- [attribute:validation] Typo in function name. [Sami Mokaddem]
- [attribute:editPostProcessing] Fixed typo in condition preventing tags to be detached. [Sami Mokaddem]
Other
-
Merge remote-tracking branch ‘origin/develop’ into 2.4. [Christophe Vandeplas]
MISP 2.4.179 released with a host of improvements a security fix and some new tooling.
MISP 2.4.179 released with a host of improvements a security fix and some new tooling.
First baby steps taken towards LLM integration
We currently included our first attempt at an LLM integration for report summarisation and extraction. The development is an outcome of our work with @aaronkaplan during hack.lu 2024 and relies on stochasticCTIExtractor for the extraction and interfacing with LLMs.
MISP 2.4.178 released with many workflow improvements, enhancement and bugs fixed.
MISP 2.4.178 released with many workflow improvements, enhancement and bugs fixed.
Improvements
- [workflow] Added option to provide a custom JSON in the hashpath picker helper.
- [workflow] New action modules (blocklist, warninglist, counter…) to add event in the blocklist.
- [workflow] New trigger event before save.
- [workflow] Various improvements in the quick hashpath filter.
- [workflow] Improved webhook to support HTTP request method, headers, payload. It also now supports self-signed certificates.
- [workflow] Many improvements in debugging and workflow logging.
- [RestClient/OpenAPI]
totp_deleteadded in query builder and API documentation. - [STIX upload] Improved in the galaxies handling including more detailed option while importing STIX 2 and creating galaxies/clusters.
Changes
- [dashboard-widget:worldmap] Added support of custom scale in widget config.
- [API even:restSearch] Added support of
orgc_idas valid filter. - [Auditing] API access time is now stored once per hour by default.
- [API]
includeGranularCorrelationsis now exposed in the event RestSearch.
Fixes
- [API] Add sharinggroup as an allowed parameter in attribute search.
- [objects:edit] Restored behavior of upgrading object to newer template.
- Many other fixes check the ChangeLog for detailed changes.
Other improvements
MISP Objects
- New objects added such as
cryptocurrency-transactionand many updates to other objects. For detailed changes, MISP objects changelog.
MISP Galaxy
- Many new objects such as
ammunition,firearmsand many updates in threat actor, Sigma and many other. For detailed changes, MISP galaxy changelog
MISP warning-lists
- Warning-lists updated to the latest version. New warning list with known hostname for lookup source IP of the DNS resolver. MISP warning-lists changelog.
Don’t forget to follow us on Mastodon
The MISP projet has its own Mastodon server misp-community.org - don’t forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign-up if they wish to have an account.
MISP 2.4.177 released with various improvements and bugs fixed.
MISP 2.4.177 released with various bugs fixed and improvements.
Improvements
- [dev] added a shell script to generate the restsearch parameters.
- [CLI] add command to expire active AuthKeys that do not have an IP allowlist set.
- [cli] Add command to trigger password change on next login for users with old pw.
- [Users] add last password change timestamp for users.
- [workflowModules:event_distribution_operation] Added action module.
Changes
-
[tests] testing disabling the timestamp greater as old timestamp for password changes.
MISP 2.4.176 released with various improvements and bugs fixed.
MISP 2.4.176 released with various improvements and bugs fixed. This version also includes major improvements in the misp-stix library especially on the storing relationships and the description of relationships in the MISP standard format.
MISP to Microsoft Sentinel integration with Upload Indicators API
MISP to Microsoft Sentinel integration
Introduction
The MISP to Microsoft Sentinel integration allows you to upload indicators from MISP to Microsoft Sentinel. It relies on PyMISP to get indicators from MISP and an Azure App to connect to Sentinel.
MISP 2.4.175 released with various bugs fixed, improvements and security fixes.
MISP 2.4.175 released with various bugs fixed, improvements and security fixes.
Improvements
- Added support of
start_dateandend_dateoptions in the MISP dashboard widgets. - In the user periodic reporting, allow users to set the number of days to include in the reporting (UI).
- In the MISP dashboard org Widget, added support for
first_half_yearandsecond_half_yeartimeframe. - New enrich object functionality added, in order to allow for the enrichment of a complete MISP object. Used by the SigMF module but this can be used with any expansion modules supporting objects.
- New feeds added.
- Improve the diagnostics when an instance does not have internet access or does not use the self-update feature
Bugs fixed
- Update the CA bundle of the CakePHP submodule maintained by the MISP project.
- IndexFilter: correct index page filtering is now fixed for ReST requets.
- Prevent
push_rulesfrom being required in API requests to the/server/editendpoint. - The annoying MISP event import bug from JSON has been fixed, you can now import MISP JSON events without the
Eventkey. - Various fixes in the MISP dashboard interface.
- Fix
Security fixes
- CVE-2023-40224 <= MISP 2.4.174 - allows XSS in app/View/Events/index.ctp. (reported by BeDisruptive OSS Team)
- CVE-2023-41098 <= MISP 2.4.174 - In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard edit.
Thanks to BeDisruptive OSS Team and Centre for Cyber Security Belgium (CCB) for the reporting.
MISP now supports Signal Metadata Format Specification SigMF
As one of the outcomes of GeekWeek8, MISP now supports a new set of features useful for handling radio frequency information in the Signal Metadata Format Specification) (SigMF), commonly used in Software Defined Radio (SDR), digital signal processing and data analysis applications.
MISP to Azure Sentinel integration
MISP to Azure Sentinel integration
Introduction
The MISP to Azure / Sentinel integration allows you to upload indicators from MISP to Microsoft Sentinel. It relies on PyMISP to get indicators from MISP and an Azure App and Threat Intelligence Data Connector in Azure.
MISP and fail2ban
fail2ban - MISP
fail2ban is known to do a great job at giving attackers a hard time when they try to “test” passwords or enumerate users of a service. fail2ban constantly analyses relevant log files and keeps track of IP addresses trying to log into such services. If a configurable threshold is reached, it uses the Linux firewall (Netfilter / iptables) to block the suspected attackers.
MISP web scraper
MISP web scraper
There are a lot of websites that regularly publish reports on new threats, campaigns or actors with useful indicators, references and context information. Unfortunately only a few publish information in an easily accessible and structured format, such as a MISP-feed. As a result, we often find ourself manually scraping these sites, and then copy-pasting this information in new MISP events. These tedious tasks are time-consuming and certainly not the most interesting aspect of CTI-work.
Creating a MISP Object, 101
MISP Objects
MISP objects are containers around contextually linked attributes. They support analysts in grouping related attributes and describing the relations that exist between the data points in a threat event. Combining these objects and relations is something that can then be used to represent the story of what is being told in the threat event.
Create an import script for MISP , step-by-step tutorial
Create an import script for MISP in Python, step-by-step tutorial
Script description
Example add_github_user.py
Here the goal is to push to MISP information gathered on Github. The script add_github_user.py will be used as an example.
MISP service monitoring with Cacti
MISP service monitoring with Cacti
Introduction
A previous post covered how to do MISP service monitoring with OpenNSM. Because having different options is good, this post covers how to achieve similar results with Cacti. For those not familiar with Cacti: it is a network graphing solution designed to harness the power of RRDTool’s data storage and graphing functionality.