MISP 2.4.189 released with bug fixes, performance improvements and a new blocklist feature.

April 12, 2024

We are pleased to announce the immediate release of MISP 2.4.189, released with bug fixes, performance improvements and a new blocklist feature.

MISP - Elastic Stack - Docker Lab

By Luciano Righetti

April 5, 2024

MISP - Elastic Stack - Docker

This lab explains how to connect MISP to the Elastic Stack in order to leverage IOCs from MISP and trigger alerts based on user defined rules.

MISP 2.4.188 released major performance improvements and many bugs fixed.

March 25, 2024

We are pleased to announce the immediate release of MISP 2.4.188, with major performance improvements and many bugs fixed.

New Features

Datasource Improvements:
- Updates to some datasources with the ignoreIndexHint parameter (mysqlExtended, mysqlObserverExtended).
- Fix for forceIndexHint.
Settings:
- Added setting to temporarily disable the loading of sightings via the API (affects restsearch and /events/view endpoints). This helps with performance issues caused by large sighting data sets.

Changes

PyMISP:
- Multiple version bumps.
Version and Internal Updates:
- General version bump.
- Improved error handling and marking BadRequestException as fail log in CI.
- Attempt to fix a failing test.
- Updated misp-galaxy, misp-object, and warning-lists.
Attribute Search Rework:
- Significant performance improvement when using MysqlExtended or MysqlObserverExtended data sources.
- Event level lookup moved to subqueries for faster queries.
- Ignoring the deleted index to improve speed.
OpenAPI Updates:
- Added content for analyst-data and event-reports.
Sighting Policy Support:
- Added support of sighting policy in sightings:getLastSighting.
Attribute Search Performance:
- Improved performance of includeDecayScore by a factor of 5.
Attribute Fetch Refactor:
- Simplified conditions and optimizations.

Fixes

Attribute Search:
- Enforced unpublishedprivate directive.
Internal Error Handling:
- Error handling improvements in AttachmentScan.
CurlClient HEAD Request:
- Added CURLOPT_NOBODY for HEAD requests.
CLI and ECS Updates:
- Fix for redisReady in dragonfly.
- Change type from Exception to Throwable in ECS.
OIDC:
- Default organization handling if not provided by OIDC.
Publishing and Sync Issues:
- Fix for publishing and sync errors.
Performance Improvements:
- Bulk loading of analyst data to speed up event loading.
UI Update:
- Added MISP.email_reply_to to server config.

Other

Multiple merges of branches and updates.
Fixes and changes in misp-stix, attachment scan error handling, OIDC default org handling, alert email titles, shadow attribute handling, and community additions (ICS-CSIRT.io).

Community and Contribution Updates

Additions and changes to the community, including the introduction of the ICS-CSIRT.io community.

Details changes are available in Changelog.

MISP 2.4.187 released with security fixes, new features and bugs fixes.

March 24, 2024

We are pleased to announce the immediate release of MISP 2.4.187, including security fixes, new features and bugs fixes.

New Features

CLI Enhancements:
- Added org list to shell commands.
- New command to change user role.
- Fixes to role management.
OIDC Update:
- New option OidcAuth.update_user_role to disable role changes from OIDC.

Changes

Version and Software Updates:
- Version bump.
- Updates to PyMISP, misp-galaxy, misp-warninglists, misp-objects, and taxonomies.
Internal Updates:
- Added ext-zstd to suggested PHP extensions.
- Fixed non-focusable relationship dropdown search field in analyst data.

Fixes

General Fixes:
- Corrected variable unset in events:restsearch to prevent attribute override.
- Ensured sync pulls continue after an event save failure.
- Database update fixes for older MySQL versions.
- Improved API consistency.
- Fixed pulling from remote servers when analyst data is not supported.
- Logging fix for removeTagFromObject().
- Security improvements for file and logo uploads. (Thanks to Rémi Matasse and Raphael Lob from Synacktiv for the report)
  - CVE-2024-29859 < MISP 2.4.187 - add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.
  - CVE-2024-29858 < MISP 2.4.187 - __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.
- Correct message display when disabling a galaxy.
CLI Updates:
- Added new functionalities including listing roles and creating users.

Details changes are available in Changelog.

Introducing Standalone Functionality to MISP Modules - A New Era of Flexibility and Efficiency

March 12, 2024

Introducing Standalone Functionality to MISP Modules: A New Era of Flexibility and Efficiency

In the ever-evolving landscape of information security, the need for adaptable and efficient tools has never been greater. The MISP project, known for facilitating the sharing of structured threat information, has taken a significant leap forward. We’re excited to announce a pivotal enhancement to the misp-modules, a collection of modules for MISP, extending their functionality to operate not only as an integral part of MISP but also as a standalone web application.

MISP 2.4.186 released with analyst data feature including analyst notes, opinions and relationships.

March 6, 2024

We are pleased to announce the immediate release of MISP 2.4.186, which includes two major new feature called “Analyst Data” and “Collections” along with an extension to the MISP standard format.

MISP 2.4.185 released with sighting performance improvements, security and bugs fixes

February 20, 2024

We are happy to announce the immediate availability of MISP 2.4.185. This is mainly a bug fix release resolving several issues as well as tightening the security posture of the org image handling.

MISP 2.4.184 released with performance improvements, security and bugs fixes.

February 6, 2024

MISP 2.4.184 released with performance improvements, security and bugs fixes.

Improvements

Speed up improvements in ssdeep correlation and many other parts of MISP. Thanks to Jakub Onderka for the work on this.
[objects] restsearch first/last seen filters added.
[event:publication] Added new setting to block event publication if the publishing user is the creator.
[events:export] Make setting MISP.disable_cached_exports enabled by default. Since the /events/export has been marked deprecated for a years, we are starting the process to phase it out by first disabling the endpoint by default. The MISP ReST search API is the API to be used in the future if you still have very old scripts relying on export. We recommend to start making plans to rework those scripts.
[organisation:orgMerge] Added missing models for organisation handover

Security fixes

A series of security fixes were done in this release, the vulnerabilities are accessible to authenticated users, especially those with specific privileges like Org admin. We urge users to update to this version especially if you have different organisations having access to your instances.

MISP 2.4.183 released with new ECS log feature, improvements and bugs fixed

January 9, 2024

MISP 2.4.183 released with a new ECS log feature, improvements and bugs fixed.

MISP now supports Elastic Common Schema (ECS) security logging. A new option has been added Security.ecs_log to enable this new functionality. A new Security.alert_on_suspicious_logins to security audit has been added.
The sync configuration in MISP now supports sharing group blueprints for a simple creation of filter rules based on dynamically updated organisation lists.
Major improvement to STIX import handling and especially the misp-stix library such as Parsing PE binary extensions within File observable objects and many more improvements/fixes.
API add tag functions updated to also work with uuids, rather than just local IDs.
[event:view] Added option to mass local cluster tag.

Many bugs fixed and minor improvements. Feel free to read the detailed changelog

MISP 2.4.182 released with new features, improvements bugs fixed and an important security fix.

December 22, 2023

MISP 2.4.182 released with new features, improvements bugs fixed and an important security fix.

MISP Core

New Features

[event:view] Added new option show_server_correlations_for_all_users allowing non-privileged users to view server correlations. [Sami Mokaddem]

Changes

[Version] bump. [iglocska]

Continue reading

MISP 2.4.181 hot fix release to disable by default the alert on suspicious login plus some minor fixes.

December 21, 2023

Changes

[tools:misp-delegation] Do not use self-documented expression in f-string anymore. [Sami Mokaddem]
[version] bump. [iglocska]
[warning-lists] updated to the latest version. [Alexandre Dulaunoy]
[misp-galaxy] updated to the latest version. [Alexandre Dulaunoy]
[tests] search for errors in logs. [Christophe Vandeplas]
[warning-lists] updated to the latest version. [Alexandre Dulaunoy]
[misp-galaxy] updated to the latest version. [Alexandre Dulaunoy]

Fix

[Alert on suspicious logins] disabled by default. [iglocska]
- requires logs table to be better indexed currently to not be a bottleneck (user_id and action fields)
- Will be made default in an upcoming version once the performance issues are resolved
[tests] fix path in logs_tests.sh. [Christophe Vandeplas]
[tests] fixes path of logs_tests. [Christophe Vandeplas]
[userloginprofiles] undefined variable #9424. [Christophe Vandeplas]
[customauth] missing Class init fixes #9425. [Christophe Vandeplas]

MISP 2.4.180 released with a new security user login profile feature, bugs fixed and many improvements.

December 20, 2023

MISP 2.4.180 released with a new security user login profile feature, bugs fixed and many improvements.

New

[api] added X-MISP-AUTH as an alternative header to Authorization, fixes #9418. [iglocska]

Changes

[VERSION] bump. [iglocska]
[workflows] restored 7.2 and 7.3. [iglocska]
[user login profile] old version compatibility. [iglocska]
[event index] hover over ID will show the info field, generally more useful than the threat level. [iglocska]

Fix

[login] fixes bad fix and catches first login after update. [Christophe Vandeplas]
[revert] dumb check. [iglocska]
[compatibility] make the ancient gods happy. [iglocska]
[user login profile] skip checks for ancient php versions. [iglocska]
[Attribute:EditPostProcessing] Make sure the ID is set. [Sami Mokaddem]
[attribute:editPostProcessing] Fixed typo in condition preventing tags to be detached. [Sami Mokaddem]
[attributes] type field added to editable fields. [iglocska]
[RPZ] export custom parameters ingored, fixes #9420. [iglocska]
[Attribute:editPostProcessing] Fixed sighting capture. [Sami Mokaddem]
[Attribute:EditPostProcessing] Make sure the ID is set. [Sami Mokaddem]
[attribute:validation] Typo in function name. [Sami Mokaddem]
[attribute:editPostProcessing] Fixed typo in condition preventing tags to be detached. [Sami Mokaddem]

Other

Merge remote-tracking branch ‘origin/develop’ into 2.4. [Christophe Vandeplas]

Continue reading

MISP 2.4.179 released with a host of improvements a security fix and some new tooling.

November 26, 2023

MISP 2.4.179 released with a host of improvements a security fix and some new tooling.

First baby steps taken towards LLM integration

We currently included our first attempt at an LLM integration for report summarisation and extraction. The development is an outcome of our work with @aaronkaplan during hack.lu 2024 and relies on stochasticCTIExtractor for the extraction and interfacing with LLMs.

MISP 2.4.178 released with many workflow improvements, enhancement and bugs fixed.

October 30, 2023

MISP 2.4.178 released with many workflow improvements, enhancement and bugs fixed.

Improvements

[workflow] Added option to provide a custom JSON in the hashpath picker helper.
[workflow] New action modules (blocklist, warninglist, counter…) to add event in the blocklist.
[workflow] New trigger event before save.
[workflow] Various improvements in the quick hashpath filter.
[workflow] Improved webhook to support HTTP request method, headers, payload. It also now supports self-signed certificates.
[workflow] Many improvements in debugging and workflow logging.
[RestClient/OpenAPI] totp_delete added in query builder and API documentation.
[STIX upload] Improved in the galaxies handling including more detailed option while importing STIX 2 and creating galaxies/clusters.

Changes

[dashboard-widget:worldmap] Added support of custom scale in widget config.
[API even:restSearch] Added support of orgc_id as valid filter.
[Auditing] API access time is now stored once per hour by default.
[API] includeGranularCorrelations is now exposed in the event RestSearch.

Fixes

[API] Add sharinggroup as an allowed parameter in attribute search.
[objects:edit] Restored behavior of upgrading object to newer template.
Many other fixes check the ChangeLog for detailed changes.

Other improvements

MISP Objects

New objects added such as cryptocurrency-transaction and many updates to other objects. For detailed changes, MISP objects changelog.

MISP Galaxy

Many new objects such as ammunition, firearms and many updates in threat actor, Sigma and many other. For detailed changes, MISP galaxy changelog

MISP warning-lists

Warning-lists updated to the latest version. New warning list with known hostname for lookup source IP of the DNS resolver. MISP warning-lists changelog.

Don’t forget to follow us on Mastodon

The MISP projet has its own Mastodon server misp-community.org - don’t forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign-up if they wish to have an account.

MISP 2.4.177 released with various improvements and bugs fixed.

September 27, 2023

MISP 2.4.177 released with various bugs fixed and improvements.

Improvements

[dev] added a shell script to generate the restsearch parameters.
[CLI] add command to expire active AuthKeys that do not have an IP allowlist set.
[cli] Add command to trigger password change on next login for users with old pw.
[Users] add last password change timestamp for users.
[workflowModules:event_distribution_operation] Added action module.

Changes

[tests] testing disabling the timestamp greater as old timestamp for password changes.

Continue reading

MISP 2.4.176 released with various improvements and bugs fixed.

September 15, 2023

MISP 2.4.176 released with various improvements and bugs fixed. This version also includes major improvements in the misp-stix library especially on the storing relationships and the description of relationships in the MISP standard format.

MISP to Microsoft Sentinel integration with Upload Indicators API

By Koen Van Impe

August 26, 2023

MISP to Microsoft Sentinel integration

Introduction

The MISP to Microsoft Sentinel integration allows you to upload indicators from MISP to Microsoft Sentinel. It relies on PyMISP to get indicators from MISP and an Azure App to connect to Sentinel.

MISP 2.4.175 released with various bugs fixed, improvements and security fixes.

August 24, 2023

MISP 2.4.175 released with various bugs fixed, improvements and security fixes.

Improvements

Added support of start_date and end_date options in the MISP dashboard widgets.
In the user periodic reporting, allow users to set the number of days to include in the reporting (UI).
In the MISP dashboard org Widget, added support for first_half_year and second_half_year timeframe.
New enrich object functionality added, in order to allow for the enrichment of a complete MISP object. Used by the SigMF module but this can be used with any expansion modules supporting objects.
New feeds added.
Improve the diagnostics when an instance does not have internet access or does not use the self-update feature

Bugs fixed

Update the CA bundle of the CakePHP submodule maintained by the MISP project.
IndexFilter: correct index page filtering is now fixed for ReST requets.
Prevent push_rules from being required in API requests to the /server/edit endpoint.
The annoying MISP event import bug from JSON has been fixed, you can now import MISP JSON events without the Event key.
Various fixes in the MISP dashboard interface.
Fix

Security fixes

CVE-2023-40224 <= MISP 2.4.174 - allows XSS in app/View/Events/index.ctp. (reported by BeDisruptive OSS Team)
CVE-2023-41098 <= MISP 2.4.174 - In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard edit.

Thanks to BeDisruptive OSS Team and Centre for Cyber Security Belgium (CCB) for the reporting.

MISP now supports Signal Metadata Format Specification SigMF

August 23, 2023

As one of the outcomes of GeekWeek8, MISP now supports a new set of features useful for handling radio frequency information in the Signal Metadata Format Specification) (SigMF), commonly used in Software Defined Radio (SDR), digital signal processing and data analysis applications.

MISP to Azure Sentinel integration

By Koen Van Impe

April 3, 2023

MISP to Azure Sentinel integration

Introduction

The MISP to Azure / Sentinel integration allows you to upload indicators from MISP to Microsoft Sentinel. It relies on PyMISP to get indicators from MISP and an Azure App and Threat Intelligence Data Connector in Azure.

Documentation

Legal

Reaching us

Who are we?

Threat Intelligence

MISP - Elastic Stack - Docker

New Features

Changes

Fixes

Other

Community and Contribution Updates

New Features

Changes

Fixes

Introducing Standalone Functionality to MISP Modules: A New Era of Flexibility and Efficiency

Improvements

Security fixes

MISP Core

New Features

Changes

MISP 2.4.181 hot fix release to disable by default the alert on suspicious login plus some minor fixes.

Changes

Fix

New

Changes

Fix

Other

First baby steps taken towards LLM integration

Improvements

Changes

Fixes

Other improvements

MISP Objects

MISP Galaxy

MISP warning-lists

Don’t forget to follow us on Mastodon

Improvements

Changes

MISP to Microsoft Sentinel integration

Introduction

Improvements

Bugs fixed

Security fixes

MISP to Azure Sentinel integration

Introduction

Search

Tags