# Recent releases for MISP

Feed: http://open-source-security-software.net/organization/MISP/releases.atom (generated 2024-04-20T02:01:09.154936+00:00 by python-feedgen)

# misp-dashboard v1.0

Published: 2018-02-23T10:46:27+00:00

MISP dashboard version 1.0 released

MISP dashboard v1.0 is the first operational release, which includes:

- Real-time geolocation
- Historical geolocation
- Searching capabilities
- Trends about threats and activity from one or more MISP instances

Even though MISP dashboard is already a working, mature project, there is a lot of room for improvement. As an illustration, subsequent releases will include the following items:

- Optimizing the contribution scoring and model to encourage sharing and contribution enrichment
- Improving the user experience (UX) and layout control (UI) to better fit the needs and requirements of security teams
- Increasing geolocation coverage to provide better support for CSIRTs finding threats in their constituency

## Acknowledgements

This project is partially funded by CEF (Connecting Europe Facility) under CEF-TC-2016-3 - Cyber Security, which has been granted from 1st September 2017 until 31st August 2019 as ***Improving MISP as building blocks for next-generation information sharing***.
![](https://www.misp-project.org/assets/images/en_cef.png)

# misp-dashboard v1.1

Published: 2018-10-01T14:28:37+00:00

MISP dashboard version 1.1 released

- Trending has been improved with a new algorithm
- Support for keeping the historical view in the live dashboard
- Audit - user logging now properly accounts for all users (following the new JSON misp_json_user channel)
- Multiple dashboard views are now fixed and should work properly if you have multiple clients using the dashboard
- The trophy ranking algorithm has been improved and you can view your position in the leader board
- Many bugs were fixed

# misp-dashboard v1.2 (2019-06-24)

Published: 2019-06-24T13:24:30+00:00

Major improvement in the filtering in the main part of the dashboard. Filtering can be done on any field from the MISP ZMQ notification from the log view. Diagnostic tool added and various bugs fixed.

![dash2](https://user-images.githubusercontent.com/3309/60022361-f4a00f00-9693-11e9-8d11-b829a04c5f9d.png)
![dash01](https://user-images.githubusercontent.com/3309/60022362-f4a00f00-9693-11e9-85b4-d645ffaaf955.png)

## New

- [updates] Update script - WiP. [mokaddem]
- Started dev of diagnostic tool - WiP. [mokaddem]
- [dispatcher/livelog] Added support of ObjectAttributes. [mokaddem]
- [platform] Added cheap check to see if we run under a RedHat fla… (#90) [Steve Clement] new: [platform] Added cheap check to see if we run under a RedHat fla…
- [platform] Added cheap check to see if we run under a RedHat flavoured OS. [Steve Clement]
- Added cleaning script. [mokaddem]

## Changes

- [diagnostic] Added support of multiple subscribers - WiP. [mokaddem]
- [diagnostic] Improved config comparison. [mokaddem]
- [diagnostic] Provide suggestion to fix py-redis version. [mokaddem]
- More sane response decoding, done by the ORM. [mokaddem]
- Slightly improved pgrep parsing. [mokaddem]
- Removed debug message. [mokaddem]
- [diagnostic] Added packages check. [mokaddem]
- [updater] More intuitive db numbering. [mokaddem]
- [config] Moved dbVersion in the appropriate section. [mokaddem]
- [updates] Improved database updates. [mokaddem]
- Increased dispatcher pooling rate and improved diagnostic's text feedback. [mokaddem]
- [diagnostic] Added info about elapsed time. [mokaddem]
- [diagnostic] Moved timeoutException into util and bumped requirements. [mokaddem]
- [diagnostic] Added tests for server. [mokaddem]
- Added more processes and subscriber tests. [mokaddem]
- Added more tests in diagnostic tool. [mokaddem]
- Improved diagnostic tool. [mokaddem]
- Removed useless comments. [mokaddem]
- [doc] license has been rectified to the standard format. [Alexandre Dulaunoy]
- [doc] default LICENSE template is not there to be changed. [Alexandre Dulaunoy]
- [dev] Added debug mode to config, False by default. (#100) [Steve Clement] chg: [dev] Added debug mode to config, False by default.
- [dev] Added debug mode to config, False by default. [Steve Clement]
- [perms] Check if permissions fail on the MaxMind db files. chg: [installer] Check if network is present and the first wget worked. chg: [installer] Exit if the virtualenv creation/update fails. [Steve Clement]
- [log] Let the user know which "IP" was not resolved. [Steve Clement]
- [log] Added 3 separate log files: helpers.log / zmq_subscribre.log / zmq_dispatcher.log. fix: [log] Catch permission errors on log files. [Steve Clement]
- [sort] isort on source files. fix: [typo] fix retreive to retrieve. [Steve Clement]
- [users] Added help text if punchcard is empty and updated README. [mokaddem]
- Create zmqs user + sudoer right for www-data. [Jean-Louis Huynen]
- [doc] update doc. [mokaddem]
- [README] updated README with the new clean script. [mokaddem]

## Fix

- [diagnostic] socket subscribing multiple time and improved status message. [mokaddem]
- Mergeconflict and log filename. [mokaddem]
- Force closing the connection before trying to reconnect. [mokaddem]
- [all] Fixed issue with py-redis>2.x and fix failed merge conflict. [mokaddem]
- [contributors] Show the correct datetime. [mokaddem]
- [diagnostic] Catch connectionError exception. [mokaddem]
- [web] Set filename to be `min`. [mokaddem]
- [web] Added missing thirdparty dependencies. [mokaddem]
- [doc] Some typos fixed (#102) [Steve Clement] fix: [doc] Some typos fixed
- [doc] Some typos fixed. fix: [doc] License updated and note added. [Steve Clement]
- Fix: [js] Contributors dates will now look: 2019-04-03@11:03 - Amend … (#101) [Steve Clement] fix: [js] Contributors dates will now look: 2019-04-03@11:03 - Amend …
- Fix: [js] Contributors dates will now look: 2019-04-03@11:03 - Amend if unwanted. [Steve Clement]
- [import] Fixed missing import sys. [Steve Clement]
- [import] import sys was missing for proper error handling. [Steve Clement]
- [error] If the port is used, be graceful (#95) [Steve Clement] fix: [error] If the port is used, be graceful
- [flask] Added favicon.ico. [Steve Clement]
- [geoadd] Catch the following issue: https://github.com/MISP/misp-dashboard/issues/70. [Steve Clement]
- [errorHandling] more try catch error. [Steve Clement]
- [error] If the port is used, be graceful. [Steve Clement]
- [isort] isort source files: https://github.com/timothycrosley/isort/wiki/isort-Plugins. [Steve Clement]
- [start_all] Minor mistake/typo. (#93) [Steve Clement] fix: [start_all] Minor mistake/typo.
- [start_all] Minor mistake/typo. [Steve Clement]
- [scl] Somewhy which scl does not work for user apache... (#92) [Steve Clement] fix: [scl] Somewhy which scl does not work for user apache...
- [scl] Somewhy which scl does not work for user apache... [Steve Clement]
- [scl] Fix for scl based OSs. (#91) [Steve Clement] fix: [scl] Fix for scl based OSs.
- [scl] Fix for scl based OSs. [Steve Clement]
- [dispatcher] EventTags were not processed correctly. [mokaddem]
- [deps] Fixed a dependency issue as per https://github.com/MISP/misp-dashboard/issues/76. new: [deps] Added requirements.txt for easier dependency management. new: [GI] Added gitignore for cleaner dev environment. [Steve Clement]

## Other

- Merge pull request #106 from MISP/subzero. [Sami Mokaddem] Pulling from several 0MQ feeds + screens + diagnostic tool
- Merge branch 'master' of github.com:MISP/misp-dashboard into subzero. [mokaddem]
- Merge pull request #103 from MISP/diagnosticTool. [Sami Mokaddem] Livelog Improvement, Diagnostic tool and Updater
- Merge branch 'master' of github.com:MISP/misp-dashboard into HEAD. [mokaddem]
- Merge remote-tracking branch 'origin/master' into HEAD. [mokaddem]
- New+chg: [livelog] Added basic filtering capabilities and fullscreen mode. Also, improved table, reconnection mechanism and UI. [mokaddem]
- Update README.md. [Sami Mokaddem] Note about restarting the system after updating by pulling.
- Merge pull request #97 from SteveClement/tryCatch. [Steve Clement] chg: [various] Added various try/excepts and split the log files into 3
- Merge branch 'master' into tryCatch. [Steve Clement]
- Merge pull request #94 from cudeso/master. [Sami Mokaddem] No module zmq error documentation
- No module zmq error documentation. [Koen Van Impe]
- Back to localhost binding. [Sascha Rommelfangen]
- Update zmq_subscribers.py. [Sami Mokaddem] Added a test comment
- Put 0MQ subscribers into screens. [Jean-Louis Huynen]
- Updated README. [Sami Mokaddem] Added notice about start_all.sh
- Updated WSGI port number. [Sami Mokaddem]
- Merge branch 'master' of https://github.com/MISP/misp-dashboard. [mokaddem]
- Info on emptying redis database. [Christophe Vandeplas]
- Merge pull request #68 from hellekin/patch-1. [Alexandre Dulaunoy] Fix link to project
- Fix link to project. [I WON'T BE HERE WHEN M$ COMES] The project link misses the TLD. Was this .eu or .org? :)

# misp-dashboard v1.3 (2019-08-30)

Published: 2019-08-30T14:52:39+00:00

## Changes

- [livelog] Scrolling Logs when fullscreen is on - Fix #118. [mokaddem]
- [livelog] Fix z-index and fullscreen log panel z-index. [mokaddem]
- [startup] Wait until redis is ready before starting the zmqs scripts. [mokaddem]
- [start] Added restart capability. [mokaddem]

## Fix

- Catch if country does not have alpha_2 attribute - fix #119. [mokaddem]
- [contrib] Hide broken organisation images - Fix #110. [mokaddem]
- [diagnostic] Corrected copy/paste typo. [mokaddem] Just me being a monkey
- [update] Changed string formatting to `format`. [mokaddem]
- [helpers] Changed string formatting to `format` and slight refact. [mokaddem]
- [diagnostic] Changed string formatting to `format`. [mokaddem]
- [installer] Make it work on RHEL/CentOS. [Steve Clement]
- [logs:helper] Helpers get their own log file. [mokaddem]
- Try another means to forward the country to the client. [mokaddem]
- [geohelper] Prevent crash if country not defined in the geo response. [mokaddem]

## Other

- Merge pull request #121 from mokaddem/fewFixes2. [Sami Mokaddem] Various fixes and improvements
- Merge branch 'master' of github.com:MISP/misp-dashboard. [mokaddem]
- Merge pull request #113 from Kortho/patch-2. [Sami Mokaddem] added net-tools to debian-based install command
- Added net-tools to debian-based install command. [Kortho] needed to run the netstat command
- Merge pull request #112 from Kortho/patch-1. [Sami Mokaddem] removed hard-coded zmq startup
- Added user zmqs back. [Kortho]
- Removed hard-coded zmq startup. [Kortho] It was hard coded to run as a specific user and a hard coded location of script
- Merge pull request #111 from SteveClement/CentOS_RHEL. [Steve Clement] fix: [installer] Make it work on RHEL/CentOS
- Merge pull request #109 from MISP/fixlogs. [Sami Mokaddem] fix: [logs:helper] Helpers get their own log file
- Merge pull request #108 from MISP/fixGeoReader. [Sami Mokaddem] Fix geo reader
- Clarified updated from pulling. [Sami Mokaddem]
- Merge branch 'fixlogs'. [mokaddem]

# MISP v2.3.0

Published: 2014-10-07T21:39:13+00:00

# MISP v2.4.80

Published: 2017-09-28T19:16:58+00:00

A new version of MISP [2.4.80](https://github.com/MISP/MISP/tree/v2.4.80) has been released, including the long-awaited [MISP objects](https://github.com/MISP/misp-objects) feature along with other new features, the security fix [CVE-2017-14337](https://www.circl.lu/advisory/CVE-2017-14337/) and improvements.

## MISP Objects

MISP now includes support for MISP objects. This allows MISP to support complex/combined objects in a flexible way along with their [relationships](http://www.misp-project.org/objects.html#_relationships) to other objects or even attributes. The MISP objects available by default are documented in [HTML](https://www.misp-project.org/objects.html) or [PDF](https://www.misp-project.org/objects.pdf). The object model allows MISP users to add objects to an event in addition to standard attributes. Objects are composed of one or more attributes, which are defined by the object templates.
The [object templates](https://github.com/MISP/misp-objects/tree/master/objects) are public and can easily be contributed to by everyone, allowing analysts, users and security professionals to build their own representation of various objects and share them back to their communities. The default MISP object templates included are: ail-leak, cookie, credit-card, ddos, domain|ip, elf, elf-section, email, file, geolocation, http-request, ip|port, macho, macho-section, passive-dns, pe, pe-section, person, phone, r2graphity, regexp, registry-key, tor-node, url, vulnerability, whois, x509, yabin.

An example which describes a DGA (Domain Generation Algorithm) linked to two domain indicators using the MISP object functionality:

![DGA expressed as MISP object](/assets/images/misp/blog/DGA-in-MISP.png)

Relationships can be described using an existing list of relationship types (e.g. `executed-by`, `impersonates`, `communicates-with`, ...) or using values from your own relationship vocabulary. This allows modelling a fairly large set of cases, from incidents, collected intelligence, attacks or courses of action to malware analysis.

Version 2.4.80 also includes an extended file import for binaries relying on [PyMISP](https://github.com/MISP/PyMISP/blob/master/pymisp/tools/create_misp_object.py) and [LIEF](https://lief.quarkslab.com/) to create parsed file objects for the PE, ELF and Mach-O binary formats. We are expecting to see many creative uses of the new MISP object feature and improvements in the following weeks.

If you upgrade from an existing version of MISP, don't forget to run `git submodule init && git submodule update` (or use the update in the UI) and restart the workers.

This release includes many bug fixes, improvements and new features. The full change log is available [here](https://www.misp.software/Changelog.txt). The [PyMISP change log](https://www.misp.software/PyMISP-Changelog.txt) is also available.
Don't hesitate to [open an issue](https://github.com/MISP/MISP/issues) if you have any feedback, found a bug or want to propose new features.

Don't forget our [MISP summit 0x3](https://2017.hack.lu/misp-summit/) before the [hack.lu](https://2017.hack.lu/) 2017 conference, which will take place from 14:00 to 18:00 on Monday 16 October 2017. The core team of MISP will also join the [hack.lu open source security software hackathon 0x2](https://hackathon.hack.lu/), which will take place on 19-20 October 2017. A new MISP training will take place in Luxembourg on 21 November 2017; [registration is now open](https://www.eventbrite.com/e/misp-training-november-edition-tickets-36347289722).

# MISP v2.4.81

Published: 2017-10-10T16:13:59+00:00

A new version of MISP [2.4.81](https://github.com/MISP/MISP/tree/v2.4.81) has been released, including a significant rework of the graphical visualisation, support for STIX 2.0 export, multiple bug fixes and improvements for misp-objects.

The new correlation graph has been improved and now includes correlation at the galaxy (e.g. threat actors, tools), taxonomy, attribute and the recently introduced object levels. Navigation and expansion within the correlation graph now have a series of shortcut keys (`q` and `e`) to quickly navigate within large graphs. There is also a new contextual information pane to quickly show the currently selected and hovered nodes. This improves navigation over large graphs and quickly expands the information from the selected nodes.

![MISP 2.4.81 new correlation graph](/assets/images/misp/blog/correlation-graph.png)

STIX 2.0 is now supported as an export format in this release. Even though the STIX 2.0 format is still unpublished and at an early stage, we decided to implement a first export tool to see the gaps of the format and to help our users test the export with potential tools that are starting to support version 2.0.
As MISP is committed to supporting as many formats as possible, STIX 1.1 has also been expanded to support MISP objects in this release. Feedback on the current STIX 2.0 export format is welcome.

The attachment uploader has been updated to align to a consistent model between the standard and the advanced sample upload. The API now also supports the advanced upload. Server settings are now accessible via the API.

The MISP XML format is now properly sanitised to provide continued support for users still using the XML format, though we highly recommend using the MISP JSON format instead.

This release also includes many bug fixes (especially for MISP objects) and a minor security fix. A huge thanks to all the contributors who reported bugs or opened pull requests to improve MISP.

The full change log is available [here](https://www.misp.software/Changelog.txt). The [PyMISP change log](https://www.misp.software/PyMISP-Changelog.txt) is also available.

Don't hesitate to [open an issue](https://github.com/MISP/MISP/issues) if you have any feedback, found a bug or want to propose new features.

Don't forget our [MISP summit 0x3](https://2017.hack.lu/misp-summit/) before the [hack.lu](https://2017.hack.lu/) 2017 conference, which will take place from 14:00 to 18:00 on Monday 16 October 2017. The core team of MISP will also join the [hack.lu open source security software hackathon 0x2](https://hackathon.hack.lu/), which will take place on 19-20 October 2017. A new MISP training will take place in Luxembourg on 21 November 2017; [registration is now open](https://www.eventbrite.com/e/misp-training-november-edition-tickets-36347289722).
# MISP v2.4.82

Published: 2017-11-10T11:13:01+00:00

A new version of MISP [2.4.82](https://github.com/MISP/MISP/tree/v2.4.82) has been released, including an improved publish-subscribe ZMQ format, improvements in the feed system, sightings that are now ingested and synchronised among MISP instances, many bug fixes and export improvements.

MISP includes a nifty real-time publish-subscribe system to notify subscribers of any updates on a MISP instance. 2.4.82 introduces new channels and an expanded format to deliver additional information to subscribers. The system can be used to feed stream-processing automation systems (e.g. IntelMQ), real-time SIEM interaction, monitoring or custom applications. As an example, we developed a complete dashboard application called [misp-dashboard](https://www.github.com/MISP/misp-dashboard) which relies solely on the publish-subscribe ZMQ feature to provide a geolocalised view, historical searches of geographical information and a contributor dashboard, which is the first version of the gamification project in MISP to promote information sharing (a separate post will come soon).

(Video: MISP ZMQ dashboard integration, /assets/images/misp/video/misp-zmq-dashboard-integration.mp4)

MISP ZMQ has new channels, especially related to MISP objects, in addition to events and attributes.

CSV export has been improved to allow the selection of the columns to be included in the export. CSV is still the most commonly used export format, and we had feedback from various organisations relying on CSV requesting enhancements to the export format.
The old legacy CSV export will work as before, exporting all attributes:

~~~~
GET https://<misp-instance>/events/csv/download/<event-id>
~~~~

The new export format allows selecting more columns using the following query format:

~~~~
GET https://<misp-instance>/events/csv/download/<event-id>?attributes=timestamp,type,uuid,value
~~~~

The order of the columns will be honoured, including those related to object-level information. To select object-level columns, simply prepend the given object column's name with `object_`, such as:

~~~~
GET https://<misp-instance>/events/csv/download/<event-id>?attributes=timestamp,type,uuid,value&object_attributes=uuid,name
~~~~

The following columns will be returned (all columns related to objects are prefixed with `object_`):

`timestamp,type,uuid,value,object_uuid,object_name`

The `includeContext` option includes the tags of the event on each line.

The STIX 2.0 export has been improved to include custom objects; the Person object is included in the Identity SDO; the tool SDO now includes [exploit-kit from the MISP galaxy](/galaxy.html#_exploit_kit) and all the [galaxies which can be mapped](https://www.misp-project.org/galaxy.html); and the course-of-action SDO has been added. The export code has been improved to cope with the utterly complex STIX patterning standard. The STIX 1.x export now includes the reporter in the STIX incident, the producer in the STIX indicator and the MISP TLP marking as STIX tlpMarking. File objects are now included in the STIX 1.x export.

The MISP feed format has been improved to include objects, attribute tags and object references. The format has also been significantly improved with a quick-hash-list to perform fast lookups and improve the MISP caching mechanisms for large feeds. If you rely on the feed generator in PyMISP, the [feed generator has been updated](https://github.com/MISP/PyMISP/commit/195cd6d7fc305ac6628ed8f2ff762b3f69a9b6ca). The feed preview in MISP has been improved to include objects and support the new feed format.
The full change log is available [here](https://www.misp.software/Changelog.txt). The [PyMISP change log](https://www.misp.software/PyMISP-Changelog.txt) is also available.

MISP [galaxy](/galaxy.pdf), [objects](/objects.pdf) and [taxonomies](/taxonomies.pdf) were notably extended by many contributors. These are also included by default in MISP. Don't forget to run `git submodule update` and update galaxies, objects and taxonomies via the UI.

For the MISP users joining the [Borderless Cyber Conference and Technical Symposium / 6-8 Dec 2017 / Prague](https://eu17.first-oasis-conference.org/en/), we will give a MISP training on 8 December.

# MISP v2.4.83

Published: 2017-12-06T09:49:01+00:00

A new version of MISP [2.4.83](https://github.com/MISP/MISP/tree/v2.4.83) has been released, including attribute-level tag filtering on synchronisation, full audit logging via ZMQ or Syslog, user email domain restriction at the organisation level, many more improvements and bug fixes.

Tag filters have been enhanced, and filtering is on:

- all events containing matching tags at event + attribute level (positive lookup)
- all events not containing matching tags (negative lookup)
- attributes within a matched event, filtering out blocked attributes (negative lookup)

Tag filtering performance is improved for large MISP instances that actively use filtering.

A new functionality has been added to limit the use of certain email domains to an organisation. This extends the granularity of filtering for specific organisations to avoid out-of-scope users within a specific organisation.

Audit logging has been improved to send all audit logs to ZMQ and/or Syslog. Syslog logging now includes all audit log entries and is separated into proper severity levels. ZMQ logging and syslog logging are both optional features.

New types such as mac-address and mac-eui-64 were introduced in MISP to allow sharing indicators related to EUI-48 and EUI-64.
Phone type detection is better, especially in the free-text import, along with the normalisation of the phone attribute type to ensure consistent correlations.

The CSV export has received an overhaul, improving performance and extending the export's flexibility with new filters such as a "value" filter or the inclusion of attribute-level tagging.

The ZMQ channel has been improved to support complex software relying on the ZMQ feed, such as the recently released [misp-dashboard](https://github.com/MISP/misp-dashboard).

The feed preview has been enhanced, especially for the MISP feed format, to allow quick pivoting from individual attributes to the correlating events in a feed.

Many bug fixes and improvements were introduced in this version. The full change log is available [here](https://www.misp.software/Changelog.txt). The [PyMISP change log](https://www.misp.software/PyMISP-Changelog.txt) is also available.

MISP [galaxy](/galaxy.pdf), [objects](/objects.pdf) and [taxonomies](/taxonomies.pdf) were notably extended by many contributors. These are also included by default in MISP. Don't forget to run `git submodule update` and update galaxies, objects and taxonomies via the UI.

New MISP trainings are foreseen on 17/01 and 18/01 in Luxembourg, including a full-day API and extension hands-on session. [For more information and registration](https://www.circl.lu/services/misp-training-materials/).

# MISP v2.4.84

Published: 2017-12-06T19:44:23+00:00

Fixed a critical issue introduced in 2.4.83 that blocked the synchronisation of edits in certain situations: events being edited didn't set the locked = 1 flag on push, as reported by SIEMENS.

# MISP v2.4.85

Published: 2017-12-22T20:41:37+00:00

A new version of MISP [2.4.85](https://github.com/MISP/MISP/tree/v2.4.85) has been released, including improvements to feed ingestion performance, warning-list handling and many bug fixes.
Warning-lists can now be used to filter out imports when using the API via /attributes/add: either pass the URL parameter `/enforceWarninglist:1` or set the `"enforceWarninglist":1` key on the individual attributes to be checked. Warning-list performance is improved, especially on ingestion; warning-lists can now be deleted from the UI; and very large warning-lists are now properly updated even on MySQL instances configured with conservative maximum packet sizes.

Feed quick sync is now part of MISP, allowing attributes to be looked up using the precalculated hashes without having to parse the complete feed. We strongly recommend that feed providers use the [latest feed generator](https://github.com/MISP/PyMISP/commit/195cd6d7fc305ac6628ed8f2ff762b3f69a9b6ca) in PyMISP to benefit from the quick sync.

Tags can now be restricted to a single user (in addition to the existing restrictions per organisation). This can help support analyst workflows where only a certain type of user can tag or classify in an organisation.

Auth keys of users can now be reset from the command line by using `/var/www/MISP/app/Console/cake Authkey [email@of.user]`.

Improvement and cleanup in the event index:

- removed threat level and analysis from the index, as they're eclipsed by the taxonomies for most use cases
- changed the behaviour when users click on org logos (redirect to a filtered index)

Various UI improvements clean up the interface for analysts, including changes such as collapsing attributes with highly correlating events:

![collapse of correlation](/assets/images/misp/blog/collapse.png)

The advanced sighting view on objects is now working properly.
New attribute types were introduced in MISP in order to improve the support of new or improved objects:

- x509-fingerprint-sha256 - to support the updated [x509 object](https://www.misp-project.org/objects.html#_x509)
- x509-fingerprint-md5 - to support the updated [x509 object](https://www.misp-project.org/objects.html#_x509)
- stix2-pattern - to support a new [stix2-pattern object](https://www.misp-project.org/objects.html#_stix2_pattern)
- whois-registrant-org - to support the updated [whois object](https://www.misp-project.org/objects.html#_whois)

The STIX 2.0 export has undergone significant improvements to support the full mapping between the MISP and STIX 2.0 standards. If a mapping is not supported in the STIX 2.0 standard, we also export custom objects to allow organisations to still receive these often crucial pieces of MISP information in the STIX export. The basic logic for STIX 2.0 import has been implemented, and it will make its debut in the next release.

Many bug fixes and improvements were introduced in this version. The full change log is available [here](https://www.misp.software/Changelog.txt). The [PyMISP change log](https://www.misp.software/PyMISP-Changelog.txt) is also available.

PyMISP has also been updated, boasting a more clever approach to timestamp handling while updating MISP JSON files. The PyMISP documentation has been updated ([PDF](https://media.readthedocs.org/pdf/pymisp/latest/pymisp.pdf)).

MISP [galaxy](/galaxy.pdf), [objects](/objects.pdf) and [taxonomies](/taxonomies.pdf) were notably extended by many contributors. These are also included by default in MISP. Don't forget to run `git submodule update` and update galaxies, objects and taxonomies via the UI.

New MISP trainings are foreseen on 17/01 and 18/01 in Luxembourg, including a full-day API and extension hands-on session. [For more information and registration](https://www.circl.lu/services/misp-training-materials/).
We also have many other trainings and events foreseen in 2018; [for more information](/events/).

# MISP v2.4.86

Published: 2018-01-16T13:20:50+00:00

A new version of MISP [2.4.86](https://github.com/MISP/MISP/tree/v2.4.86) has been released, including improvements to the sharing groups and their respective APIs, granular access control of MISP modules at an instance level, along with the usual set of bug fixes.

There are different use cases of MISP, especially when it comes to large information sharing and exchange communities such as those of ISACs (e.g. [X-ISAC](https://www.x-isac.org/)) or similar organisations. Two main new features were introduced to improve the support of such scenarios:

- An optional feature to limit the visibility of organisations has been added, where only site admins and sharing group editors can see the full organisation list. This option is disabled by default but can be enabled on demand if it is required in your use case. Keep in mind that sharing group editors can still see the full list of organisations (this is by design, as it is an inherent requirement to expand and create sharing groups).
- An additional setting in the modules (expansion, import, export) allows limiting the accessibility of specific modules to a single organisation. This is quite useful when specific expansion services are limited to a single organisation, such as services restricted due to API key restrictions or access to specific sensitive services (e.g. ticketing systems, SIEM lookups, ...).

Sharing groups are now manageable via the API, opening up the possibility of creating and managing sharing groups via other applications.

A significant performance improvement (a gain of 50% is quite common) has been incorporated in the latest release when importing large batches of attributes into MISP via the UI or the API.
Performance gains have also been made for the attribute index and attribute search, improving lookup times by a factor of 10, due to some silly MySQL indexing behaviours.

Many bug fixes and improvements were introduced in this version. The full change log is available [here](https://www.misp.software/Changelog.txt). The [PyMISP change log](https://www.misp.software/PyMISP-Changelog.txt) is also available.

In addition, [MISP dashboard](https://github.com/MISP/misp-dashboard) has been significantly improved and can be installed in conjunction with one or several MISP instances.

PyMISP has been refactored and improved. The PyMISP documentation has been updated ([PDF](https://media.readthedocs.org/pdf/pymisp/latest/pymisp.pdf)).

MISP [galaxy](/galaxy.pdf), [objects](/objects.pdf) and [taxonomies](/taxonomies.pdf) were notably extended by many contributors. These are also included by default in MISP. Don't forget to run `git submodule update` and update galaxies, objects and taxonomies via the UI.

MISP trainings are foreseen on 17/01 and 18/01 in Luxembourg, including a full-day API and extension hands-on session. [For more information and registration](https://www.circl.lu/services/misp-training-materials/).

We also have many other trainings (Vienna in February) and events foreseen in 2018; [for more information](/events/).

# MISP v2.4.87

Published: 2018-01-28T19:28:53+00:00

A new version of MISP [2.4.87](https://github.com/MISP/MISP/tree/v2.4.87) has been released, including a massive contribution enabling support for internationalisation and localisation in the MISP UI (a huge thanks to Steve Clement of CIRCL for the tedious work), as well as a host of improvements to the UI, feeds and APIs, including bug fixes and speed improvements.

The feed system now supports adding arbitrary HTTP headers, which can be used to cache and fetch feeds from feed providers with authentication.
A basic authentication widget has been added to easily generate the appropriate authentication header for a feed. Feed providers are more than welcome to contact us if they would like to have their feed metadata added to the default MISP installation.

The MISP ZMQ publish-subscribe channel has been extended with a new specific channel for all activities related to [tags](https://www.misp-project.org/taxonomies.html).

[Warning-lists](https://github.com/MISP/misp-warninglists) can now support regular expressions in addition to the string, substring, hostname and CIDR parsing algorithms. This allows the creation of a new, more versatile type of warning-list, which can be used to filter false positives at the API level (using the `enforcewarninglist` option in the API) and to limit the export of false positives.

The MISP automatic upgrade model has been improved to decouple DB changes from the MISP version number, allowing a more flexible upgrade model.

The free-text import has been improved to support automatic category switching based on the currently selected types, making it more adaptable for corner cases and easing the life of users taking advantage of this functionality in general.

The event history and tag views have been sped up; expect massive speed boosts.

Many bug fixes and improvements were introduced in this version. The full change log is available [here](https://www.misp.software/Changelog.txt). The [PyMISP change log](https://www.misp.software/PyMISP-Changelog.txt) is also available.

PyMISP has been improved with additional tests. The PyMISP documentation has been updated ([PDF](https://media.readthedocs.org/pdf/pymisp/latest/pymisp.pdf)).

MISP [galaxy](/galaxy.pdf), [objects](/objects.pdf) and [taxonomies](/taxonomies.pdf) were notably extended by many contributors. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI.
We have many trainings and events foreseen in the next weeks; feel free to have a look at [our events page](https://www.misp-project.org/events/).

## MISP v2.4.88 (2018-02-21T21:13:46+00:00)

A new version of MISP, [2.4.88](https://github.com/MISP/MISP/tree/v2.4.88), has been released, including fuzzy hashing correlation (ssdeep), STIX 1.1 import functionality, various API improvements and many bug fixes.

Fuzzy hashing (e.g. ssdeep or tlsh) is a commonly used technique to classify malware, binaries or even text. The MISP correlation engine has always supported a simple yet powerful matching algorithm to find similar attributes. After [an insightful session in Austria](https://www.brz.gv.at/BRZ_News/besser_vernetzt_besser_geschuetzt.html) with Manfred Kaiser working at bmlv.gv.at, and based on the previous work of [Brian Wallace](https://github.com/bwall) on ssdeep clustering, MISP 2.4.88 introduces the ability to correlate similar binaries (or just their values) using fuzzy hashing via ssdeep. In addition to the standard and advanced correlation algorithms (e.g. CIDR block matching) in MISP, fuzzy hashing correlation allows the matching of similarities among a set of binaries. The installation of the feature is described in the [README.install](https://github.com/MISP/MISP/blob/2.4/INSTALL/INSTALL.ubuntu1604.txt#L316); don't forget to set the correlation threshold for ssdeep in the MISP server settings (e.g. `MISP.ssdeep_correlation_threshold`).

As of 2.4.88, MISP supports STIX 1.1.1 XML import from the user interface, similarly to how MISP JSON format data is used to create new events. We hope this will help users import existing threat intelligence from other sources and benefit from the MISP standard format functionality. If you have any issues with the import functionality, feel free to [send us sample STIX 1.1.1 files](https://www.misp-project.org/who/#contact).
The workflow for merging organisations has been improved to make it more intuitive for the administrators of the MISP instance.

The freetext import API (the functionality to pass raw text to MISP and automatically detect indicators) has been improved and can now be used to return the raw parsing data instead of creating the attributes.

Keyboard shortcuts have been added application-wide in MISP to allow easier navigation for analysts.

The API to manage sharing groups has been updated and it is now extremely flexible to update sharing groups:

~~~
- added functions to manage the additions/removals of objects from sharing groups
- the following APIs are included:
  - /sharingGroups/addOrg/[sg_id]/[org_id]/[extend]
  - /sharingGroups/removeOrg/[sg_id]/[org_id]
  - /sharingGroups/addServer/[sg_id]/[server_id]/[all_orgs]
  - /sharingGroups/removeServer/[sg_id]/[server_id]
- All parameters are optional and can instead be passed as JSON objects such as:
  {
    "org_uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
    "sg_id": "49",
    "extend": 1
  }
- The API is extremely flexible with how to name objects, the following parameters are allowed:
  - Organisations:
    - org_id (The organisation's local instance ID)
    - org_uuid (The organisation's global UUID)
    - org_name (The organisation's identifier as known to the current instance)
  - Server:
    - server_id (The server's local instance ID)
    - server_url (The URL of the server)
    - server_name (The local name of the server as assigned when adding the server)
- The sharing groups can also be addressed by ID or UUID.
~~~

[MISP modules](https://github.com/MISP/misp-modules) are now accessible from the MISP API, allowing MISP users to use the MISP modules from the API in addition to the user interface.

Multiple bugs were also fixed, notably the security bug [CVE-2018-6926](https://cve.circl.lu/cve/CVE-2018-6926).

We would like to thank all the contributors who helped to fix bugs, contributed new features or supported us in releasing this version.
MISP [galaxy](https://www.misp-project.org/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf) and [taxonomies](https://www.misp-project.org/taxonomies.pdf) were notably extended by many contributors. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI.

MISP trainings are foreseen on 27/03 and 28/03 in Luxembourg, including a full-day API and extension hands-on session. [For more information and registration](https://www.circl.lu/services/misp-training-materials/).

We are also participating in the [Open Source Security Software Hackathon](https://hackathon.hack.lu/), which takes place on 26 March 2018 in Luxembourg.

## MISP v2.4.89 (2018-03-24T08:51:40+00:00)

A new version of MISP, [2.4.89](https://github.com/MISP/MISP/tree/v2.4.89), has been released, including a new MISP event graph viewer/editor, many API improvements and critical bug fixes (including security-related bug fixes).

We introduced a new functionality allowing analysts and MISP users to view objects and attributes via a graphical visualisation. The event graph view supports the ability to edit objects and attributes and to create relationships easily. We have foreseen a host of extensions to the event graph that we will be gradually adding in the future.

- Screencast of the new event graph editor: https://www.misp-project.org/assets/images/misp/video/event-graph.webm

In addition to exporting in the STIX 2.0 format, MISP now supports importing STIX 2.0 data directly from the UI. Significant improvements were made in the parsers for STIX 1.x and STIX 2.0 to support additional types of data. Don't hesitate to send us sample files which don't work as expected to help us improve our mapping. We have also added a warning in the STIX import tool to describe that the STIX format can be lossy compared to the MISP standard format.
The API was significantly improved, including changes such as attribute UUIDs in attribute-level restSearch and a deleteAttributes API that can now mass-delete, along with many other improvements.

Two security bugs were fixed:

- Sanitisation is now properly done on misp-modules output, especially to avoid XSS from potentially malicious expansion modules. [CVE-2018-8948](https://cve.circl.lu/cve/CVE-2018-8948)
- An API integrity bug where an authenticated user could edit and overwrite an attribute without the UUID set. [CVE-2018-8949](https://cve.circl.lu/cve/CVE-2018-8949)

Another important fix was applied to the object handler to remedy a situation where, under specific conditions, objects could be overwritten. A recovery tool has been added in the diagnostics page.

Tons of bug fixes and minor improvements were added. The [Changelog](http://www.misp-project.org/Changelog.txt) contains the complete list of what has changed since version 2.4.88.

We would like to thank all the contributors who have been fixing bugs, contributing new features or supporting us for this release.

MISP [galaxy](/galaxy.pdf), [objects](/objects.pdf) and [taxonomies](/taxonomies.pdf) were notably extended by many contributors. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI.

## MISP v2.4.90 (2018-04-27T14:38:20+00:00)

A new version of MISP, [2.4.90](https://github.com/MISP/MISP/tree/v2.4.90), has been released, including the new extended events feature along with many updates and improvements in the API and the user interface (including many improvements in the graph editor) and many bug fixes.

The extended event feature has been added to MISP to allow users to extend events without modifying the original events.
For more information about the extended event feature, the blog post [Introducing The New Extended Events Feature in MISP](/2018/04/19/Extended-Events-Feature.html) includes many details and use-cases explaining how it can support organisations in their management of threat information.

The graph editor has been significantly improved, including filtering on tag/type of attributes, making the physics engine of the graph configurable, and providing support for extended MISP events directly in the graph tool.

A new functionality has been added to control the server settings directly via the command line:

- `/var/www/MISP/app/Console/cake Admin getSetting [setting]`
  - `setting` is optional; if none is set, "all" is assumed
  - returns all settings or a specific setting's current value and metadata
- `/var/www/MISP/app/Console/cake Admin setSetting [setting] [value]`
  - sets a given server setting by its full setting name
  - for example, the following will enable the import services: `/var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" 1`

Tasks from MISP can be triggered from the command line, and an example cron entry has been added in the UI.

Some improvements to the [Cortex integration](https://github.com/TheHive-Project/Cortex) and its settings allow the configuration of TLS options and ensure Cortex 2 compatibility.

A clarification has been introduced in the UI to clearly separate the caching of feeds from enabling feeds for full import.

User roles have gained a new setting, allowing administrators to set the maximum memory usage and execution time per role (e.g. useful to differentiate between regular roles and API roles that are expected to be more resource intensive).

The STIX 2 export has been refactored and supports more features of the MISP standard format; its performance was improved too.
To ensure data portability for users (GDPR), a new export button has been added to allow users to get their information, in addition to the existing API for user management. Regarding GDPR compliance, the MISP project [released a document about GDPR and information sharing](/compliance/gdpr/), which can help operators and users of MISP communities understand what the exact impacts of the regulation are, along with why information sharing is critical in information security.

The MISP default feeds were updated, including the [URLhaus](http://urlhaus.abuse.ch) feed.

We would like to thank all of the contributors who have been fixing bugs, contributing new features or supporting us for this release.

MISP [galaxy](/galaxy.pdf), [objects](/objects.pdf) and [taxonomies](/taxonomies.pdf) were notably extended by many contributors. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI.

## MISP v2.4.91 (2018-05-16T13:32:44+00:00)

A new version of MISP, [2.4.91](https://github.com/MISP/MISP/tree/v2.4.91), has been released, including new major features, improvements and bug fixes.

### Distribution and sharing visualisation

MISP 2.4.91 has a new visual aid to simply view the distribution and sharing model of all the attributes within an event. As events can become quite large, with long lists of objects and attributes, analysts need to verify whether the proper distributions are applied. The new visualisation allows them to view the items per distribution level, including the associated sharing groups. The visualisation is dynamic and can be used to filter the attributes matching a specific distribution setting within the event.
![Visualisation of a MISP event and how the sharing of attributes will take place](https://www.misp-project.org/assets/images/misp/blog/sharing.png){:class="img-responsive"}

### Galaxy at attribute level

[MISP Galaxy](https://www.misp-project.org/galaxy.html) includes a large number of libraries to assist in classifying events based on threat actors, kill chains or actor techniques, such as those described in the [MITRE ATT&CK](https://attack.mitre.org/wiki/Main_Page) galaxy. Initially, MISP galaxies could only be attached to MISP events. As many users developed new galaxy clusters to map their own models, MISP 2.4.91 is now capable of attaching MISP clusters at the attribute level. In the example below, a vulnerability attribute can be easily linked to the respective MITRE ATT&CK adversary technique, supporting analysts trying to search for and pivot on techniques, but also supporting various more advanced automation scenarios.

![An example of a MISP galaxy such as MITRE ATT&CK attached to a specific attribute in MISP](https://www.misp-project.org/assets/images/misp/blog/exploitation.png){:class="img-responsive"}

### Privacy notice list and GDPR

The MISP Project is actively involved when it comes to questions of compliance, lately with a special focus on [information sharing and legal compliance](https://www.misp-project.org/compliance). In the scope of the CEF-TC-2016-3 - Cyber Security co-funding, we improved the various aspects of compliance while keeping a strong focus on the information sharing aspect. In MISP 2.4.91, we introduced the [MISP notice system](https://github.com/MISP/misp-noticelist) to inform MISP users of the legal, privacy, policy or even technical implications of using specific attributes, categories or objects. The feature was originally designed to support the Directive 95/46/EC (General Data Protection Regulation - GDPR) by notifying the analyst about the potential risks while entering specific information.
The notice feature is a flexible solution to allow for a wide variety of notice systems (expressed in a simple JSON format) to be included in MISP, based on the category or type entered in the system. We expect to see organisations using MISP enable, disable or extend the notice lists to fit their specific policies, legal frameworks or local regulation frameworks.

![GDPR notice about a specific category](https://www.misp-project.org/assets/images/misp/blog/not1.png)

Notice lists are easily configurable:

![Notice lists are configurable](https://www.misp-project.org/assets/images/misp/blog/not2.png)

### API

[Feed](https://www.misp-project.org/feeds) management, in 2.4.91, can also be done via the API, such as adding, editing and deleting feeds. The API documentation is directly accessible via the API if a GET request is performed instead of a POST.

The ZMQ feed has been extended to include base64-encoded attachments in order to improve the integration with the CSP platform (MeliCERTes) and other applications relying on the ZMQ feed (issue 3169 fixed).

### Miscellaneous Improvements

Event enrichment (via misp-modules) can now be easily triggered from the event menu to automatically enrich all the attributes in an event. This enrichment is also globally accessible via the API and exposed via the command line too.

The legacy STIX 1 import has been improved to support CustomObjects, socket address objects, CIQ targets, DNS record objects and many others.

Many bugs were fixed, with special note to issues 3245, 3240, 3202 and 3201.

MISP 2.4.91 has been updated to the latest version of the CakePHP 2.10 series.

The full change log is available [here](https://www.misp.software/Changelog.txt). The [PyMISP change log](https://www.misp.software/PyMISP-Changelog.txt) is also available.

PyMISP has also been updated, boasting a more clever approach to timestamp handling while updating MISP JSON files. The PyMISP documentation has been updated ([PDF](https://media.readthedocs.org/pdf/pymisp/latest/pymisp.pdf)).
MISP [galaxy](https://www.misp-project.org/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf) and [taxonomies](https://www.misp-project.org/taxonomies.pdf) were notably extended by many contributors. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI. To get the MISP notice list, don't forget to perform a `git submodule init; git submodule update` to initialise the new external dependency.

Don't forget that the MISP Threat Intelligence Summit 0x4 will take place on Monday 15th October 2018, before hack.lu 2018. A [Call-for-Papers is open](https://cfp.hack.lu/misp0x4/) for the MISP Threat Intelligence Summit 0x4. We would be glad to see users, contributors or organisations actively using MISP and/or threat intelligence share their experiences and presentations through the CfP.

## MISP v2.4.92 (2018-06-07T20:36:42+00:00)

A new version of MISP, [2.4.92](https://github.com/MISP/MISP/tree/v2.4.92), has been released, including aggressive performance boosts, various improvements and bug fixes.

We received feedback from various users about the negative impact on performance when the [MISP warning-lists](http://www.github.com/MISP/misp-warninglists/) are enabled (a feature allowing the detection and filtering of false-positive attributes in MISP). The performance hit incurred by enabling warning-lists has been reduced to such an extent that enabling them will barely have any impact on performance when viewing or browsing events. We hope this performance gain will increase the overall adoption of the warning-lists.

A benchmarking tool has been added to the AppModel, allowing us to easily spot performance issues across the application. Aggregate execution time, number of iterations and peak memory usage can be easily inspected in order to facilitate rapid and accurate profiling of the performance across the various functionalities of MISP.
The API has been improved to allow objects to be added by template UUID and version in addition to the local ID.

A new role permission to publish to the ZMQ pub-sub channel has been added (as kindly requested by our favourite user, who regularly motivates us by sending decapitated horse heads if we slack). This role allows administrators to enable or disable ZMQ publishing per user.

The flash message system has been rewritten from scratch, providing a cleaner approach that relies on Bootstrap's internal flash messaging look and feel, along with 3 different levels of notifications.

Hard deletion of attributes that were never published is now allowed, in order to avoid the leaking of sensitive information via soft-deleted attributes.

Two security vulnerabilities were fixed: [CVE-2018-11245](https://cve.circl.lu/cve/CVE-2018-11245) and [CVE-2018-11562](https://cve.circl.lu/cve/CVE-2018-11562). Thanks to the reporters Jarek Kozluk from zbp.pl and Dawid Czarnecki. Don't hesitate to contact us for [reporting vulnerabilities](https://github.com/MISP/MISP/blob/2.4/CONTRIBUTING.md#reporting-security-vulnerabilities); we love those contributions.

The STIX 1 and STIX 2 exports and imports were migrated to Python 3 (don't forget to update the dependencies). The STIX 1 export has been improved to include additional objects such as X.509 certificates and MISP objects. The STIX 1 import has been improved for email, whois and artifact objects, along with tags via journal entries. The STIX 2 export has improved regkey object parsing, along with ip|port and custom object export.

The full change log is available [here](https://www.misp.software/Changelog.txt). The [PyMISP change log](https://www.misp.software/PyMISP-Changelog.txt) is also available.
A huge thanks to all the [contributors](https://www.misp-project.org/contributors) who helped us to improve the software and also all the participants in MISP training which always give intere

PyMISP has also been updated, boasting a more clever approach to timestamp handling while updating MISP JSON files. The PyMISP documentation has been updated ([PDF](https://media.readthedocs.org/pdf/pymisp/latest/pymisp.pdf)).

The [MISP standard Internet-Drafts](https://github.com/MISP/misp-rfc) have been updated and published.

MISP [galaxy](https://www.misp-project.org/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf) and [taxonomies](https://www.misp-project.org/taxonomies.pdf) were notably extended by many contributors. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI.

Don't forget that the MISP Threat Intelligence Summit 0x4 will take place on Monday 15th October 2018, before hack.lu 2018. A [Call-for-Papers is open](https://cfp.hack.lu/misp0x4/) for the MISP Threat Intelligence Summit 0x4. We would be glad to see users, contributors or organisations actively using MISP and/or threat intelligence share their experiences and presentations through the CfP.

## MISP v2.4.93 (2018-06-27T16:27:34+00:00)

A new version of MISP, [2.4.93](https://github.com/MISP/MISP/tree/v2.4.93), has been released, including a much improved and tightly integrated [MITRE ATT&CK](https://attack.mitre.org) interface, a new event locking functionality, initial support for a multilingual interface, and various fixes including a security fix ([CVE-2018-12649](https://cve.circl.lu/cve/CVE-2018-12649)).
MITRE ATT&CK offers an excellent, efficient and very complete framework to describe adversarial tactics and techniques, which MISP now directly incorporates as a way to contextualise the information contained within it (at the event and attribute levels) and to share the contextualised data with your partners. We have been supporting the use of the ATT&CK framework via the [misp-galaxy](https://www.misp-project.org/galaxy.html) from the very beginning, but we quickly realised the limitations of using this technique in MISP. So we decided to improve the user interface by having the ATT&CK matrix directly accessible in MISP, in order to more intuitively attach techniques and tactics to MISP data following a method that is more universally linked to ATT&CK. The global statistics were also extended in order to get a quick overview of the techniques used.

- [screencast](https://www.misp-project.org/assets/images/misp/video/attack.webm)

A new functionality called the event lock has been introduced, which shows users if another user is editing the event they're viewing (same organisation only).

STIX 2 export now includes PE binaries and better support for MISP objects. STIX 1 import has been significantly improved in regards to its capabilities when importing AIS/US-CERT STIX files that include specific relationships for malware samples.

A new functionality has been added to allow toggling the UI language of the MISP interface (part of the ongoing [internationalization effort](https://github.com/MISP/misp-book/tree/master/translation)).

[CVE-2018-12649](https://cve.circl.lu/cve/CVE-2018-12649) has been fixed, which allowed attackers to bypass the brute force protection via PUT requests.

Many bug fixes (including some to the install guides) and minor features were added, including impfuzzy validation.

The full change log is available [here](https://www.misp.software/Changelog.txt). The [PyMISP change log](https://www.misp.software/PyMISP-Changelog.txt) is also available.
A huge thanks to all the [contributors](/contributors) who helped us improve the software, and also to all the participants in MISP trainings giving us a bunch of interesting feedback for improvements.

MISP [galaxy](https://www.misp-project.org/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf) and [taxonomies](https://www.misp-project.org/taxonomies.pdf) were notably extended by many contributors. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI.

Don't forget that the MISP Threat Intelligence Summit 0x4 will take place on Monday 15th October 2018, before hack.lu 2018. A [Call-for-Papers is open](https://cfp.hack.lu/misp0x4/) for the MISP Threat Intelligence Summit 0x4. We would be glad to see users, contributors or organisations actively using MISP and/or threat intelligence share their experiences and presentations through the CfP.

## MISP v2.4.94 (2018-08-06T21:38:42+00:00)

A new version of MISP, [2.4.94](https://github.com/MISP/MISP/tree/v2.4.94), has been released, including an improved event graph interface, a new ElasticSearch plugin, various extensions and enhancements to the API, clean-ups and many improvements. Even though it's summertime, we continuously work on the MISP project and a lot of changes were introduced.

Major improvements have been implemented in the MISP event graph, such as:

- Export functionality added in the MISP event graph to export in PNG, JPEG, JSON format and Graphviz dot format.
- Saving functionality to save the state of an event graph. This allows a user of an organisation to keep the state of the event graph and retrieve the history.
![New functionality in the MISP event graph to export the graph and save the state of the graph](https://www.misp-project.org/assets/images/misp/blog/save-graph.png)

The MITRE ATT&CK matrix user interface has been extended to add techniques directly at event level without going through the galaxy interface.

A newly contributed functionality allows users to log all MISP activities in ElasticSearch. It's pretty simple to configure thanks to its settings being part of the standard plugin settings system, so head over there to find the ElasticSearch configuration options.

![Configuring ElasticSearch with MISP](https://www.misp-project.org/assets/images/misp/blog/elasticsearch.png)

The CLI interface has been improved with the ability to get the API key of a given user and to force update the taxonomies, warning lists, notice lists and object templates. All of this serves to improve the automation of deployment of MISP instances without the need to use the UI.

MISP synchronisation has been improved by moving the blacklist event skipping to the negotiation phase, instead of first pulling blacklisted events and discarding them after the fact. Synchronisation has also been improved in situations involving a large number of deletions. The pre-sync negotiation is now based on UUID-based lookups instead of relying on local IDs.

A MISP API has been introduced allowing users to deduce the preferred edit strategy of a given event. This has been introduced to help additional tools decide whether to edit or extend MISP events. One such tool is TheHive project, which recently received a new release utilising the extend event functionality through this edit strategy API.

Various UI views have been improved to ease administration tasks for admins operating large MISP instances, including features such as listing the PGP fingerprints via the verifyGPG interface, a new statistics tab to show how many users/organisations were added over the past months/year, and more.
Many internal changes and clean-ups were performed based on a recent static analysis of the codebase. For a complete overview of all the changes, the full change log is available [here](https://www.misp.software/Changelog.txt). The [PyMISP change log](https://www.misp.software/PyMISP-Changelog.txt) is also available.

New attribute types such as Monero (xmr) were added along with soft validation. The [coin-address object template](https://github.com/MISP/misp-objects/blob/master/objects/coin-address/definition.json) was updated to match the xmr attribute type.

Major changes in the STIX2 export and import were undertaken to improve the scope of the [MISP open standard](https://github.com/MISP/misp-rfc) and its mapping to the STIX2 JSON format.

A huge thanks to all the [contributors](https://www.misp-project.org/contributors) who have tirelessly helped us improve the software, and also to all the participants in MISP trainings giving us a bunch of interesting feedback for improvements.

MISP [galaxy](https://www.misp-project.org/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf) and [taxonomies](https://www.misp-project.org/taxonomies.pdf) were notably extended by many contributors. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI.

Don't forget that the MISP Threat Intelligence Summit 0x4 will take place on Monday 15th October 2018, before hack.lu 2018. Don't hesitate to have a look at our [events page](http://www.misp-project.org/events/) to see our next activities to improve threat intelligence, analytics and automation.

## MISP v2.4.95 (2018-09-06T20:57:39+00:00)

A new version of MISP ([2.4.95](https://github.com/MISP/MISP/tree/v2.4.95)) has been released with the first stage of a complete rework and refactoring of the API exports, allowing for more flexibility, improved search capabilities, performance and extendability.
The search API in MISP has been refactored to streamline and simplify the code's logic and to bring consistency among the various export formats (MISP JSON, MISP XML, OpenIOC, Suricata, Snort and the text export), especially in regards to filtering. The filter system now assumes exact string matches by default and allows users to insert wildcard characters for substring searches across all filters. This provides both performance boosts and more accurate results when substring matching is not needed, along with the flexibility of setting search terms such as "starts with" or "ends with". The API is also backwards compatible with previous versions and existing tools (let us know if you have [any issue](https://www.github/MISP/MISP)).

With the new API, building search queries has become more natural and simpler to do programmatically. For example, exporting all attributes of types ip-src and ip-dst that have a TLP marking and are not marked tlp:red can be achieved with the query below. String searches are by default exact lookups, but you can use SQL-style "%" wildcards to do substring searches.

~~~~
{
  "returnFormat": "json",
  "type": {
    "OR": [
      "ip-src",
      "ip-dst"
    ]
  },
  "tags": {
    "NOT": [
      "tlp:red"
    ],
    "OR": [
      "tlp:%"
    ]
  }
}
~~~~

All old parameter syntaxes are still supported, though passing ordered parameters via the URL has been deprecated. We are also currently in the process of baking all existing export APIs into the standard API search functionality: simply pass your usual standardised list of parameters as described in the API and choose the return format. Make sure you query the correct scope (`/events/restSearch` for all events matching a query and `/attributes/restSearch` for all attributes matching a query).

A complete ReST client has been added to the MISP interface to easily query the API from your MISP. A templating system has been included to assist users in creating their ReST queries against the API.
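To make the filter semantics of the query above concrete, here is an added example (not MISP's own code, and not taken from the release notes) that evaluates the same `type`/`tags` body locally against a constructed set of attributes, following the rules stated above: exact string matches by default, SQL-style `%` wildcards for substring matches, `OR` lists that need at least one hit, and `NOT` lists that exclude. It also prepares, without sending, the POST to the `/attributes/restSearch` scope named above; the `Authorization`/`Accept`/`Content-Type` headers are the ones a MISP API client uses, and the acceptance of a bare string or plain list as shorthand for an `OR` list is an assumption about the old parameter syntaxes, not something the release notes spell out.

```python
"""Offline evaluation of a MISP restSearch filter body (added example).

Not MISP's implementation: a small matcher that applies the documented
restSearch rules to constructed sample attributes, plus a helper that builds
the HTTP request for /attributes/restSearch without sending it.
"""
import json
import re
import urllib.request

# The query from the release notes: ip-src or ip-dst attributes carrying any
# tlp:* tag, excluding those tagged tlp:red.
QUERY = {
    "returnFormat": "json",
    "type": {"OR": ["ip-src", "ip-dst"]},
    "tags": {"NOT": ["tlp:red"], "OR": ["tlp:%"]},
}

# Constructed sample attributes (documentation-range IPs, not real data).
SAMPLE_ATTRIBUTES = [
    {"id": 1, "type": "ip-src", "value": "192.0.2.10", "tags": ["tlp:green"]},
    {"id": 2, "type": "ip-dst", "value": "198.51.100.7", "tags": ["tlp:amber", "osint"]},
    {"id": 3, "type": "ip-dst", "value": "203.0.113.9", "tags": ["tlp:red"]},
    {"id": 4, "type": "domain", "value": "example.com", "tags": ["tlp:white"]},
    {"id": 5, "type": "ip-src", "value": "192.0.2.99", "tags": []},
    {"id": 6, "type": "ip-src", "value": "192.0.2.50", "tags": ["tlp:amber", "tlp:red"]},
]


def pattern_matches(pattern: str, value: str) -> bool:
    """Exact match by default; '%' behaves like the SQL LIKE wildcard."""
    if "%" not in pattern:
        return pattern == value
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value) is not None


def normalise(filter_value):
    """Return (OR patterns, NOT patterns). A bare string or plain list is
    treated as an OR list (assumed shorthand for the older syntaxes)."""
    if isinstance(filter_value, dict):
        return list(filter_value.get("OR", [])), list(filter_value.get("NOT", []))
    if isinstance(filter_value, list):
        return list(filter_value), []
    return [filter_value], []


def field_matches(attr_values, filter_value) -> bool:
    """Pass when no NOT pattern hits any value and, if OR patterns are given,
    at least one of them hits at least one value."""
    positives, negatives = normalise(filter_value)
    if any(pattern_matches(n, v) for n in negatives for v in attr_values):
        return False
    if positives and not any(pattern_matches(p, v) for p in positives for v in attr_values):
        return False
    return True


def attribute_matches(attr: dict, query: dict) -> bool:
    """Apply the type and tags filters of a restSearch body to one attribute."""
    if "type" in query and not field_matches([attr["type"]], query["type"]):
        return False
    if "tags" in query and not field_matches(attr.get("tags", []), query["tags"]):
        return False
    return True


def run_query(attributes, query):
    """Ids of the attributes the query would export, in input order."""
    return [a["id"] for a in attributes if attribute_matches(a, query)]


def build_request(base_url: str, api_key: str, query: dict) -> urllib.request.Request:
    """Prepare (but do not send) the POST to the attribute restSearch scope."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/attributes/restSearch",
        data=json.dumps(query).encode(),
        headers={
            "Authorization": api_key,
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
        method="POST",
    )


if __name__ == "__main__":
    # Only attributes 1 and 2 survive: 3 and 6 carry tlp:red, 4 is not an IP
    # type, and 5 has no TLP tag at all.
    print(run_query(SAMPLE_ATTRIBUTES, QUERY))
```

Attribute 6 is the case worth noticing: it carries a matching `tlp:amber` tag, but the `NOT` on `tlp:red` still removes it, which is the behaviour you want when the goal is to never export red-marked data. Sending the prepared request is a one-liner with `urllib.request.urlopen`, left out here so the example stays offline.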
The ReST client includes the API enumeration documentation based on the API's exposed description. Use this tool to build and test queries that you would like to use via other tools and applications. A debug functionality has been added to any API query to quickly show the SQL queries performed, by appending `/sql:1` to the query via the API (the debugging mode must be set to "debug with SQL dump" - option 2). Many new [MISP modules](https://www.github.com/MISP/misp-modules) were included and we extended MISP to better support enrichment modules with large output (such as the Sigma to search queries converter). In this version, a new on-demand pop-up has been introduced that turns the hover into a sticky window to ease cut-and-paste or selection. ![A sigma export to SIEM rules via the misp-modules export](https://www.misp-project.org/assets/images/misp/blog/sigma.png){:class="img-responsive"} A bro NIDS type has been added to MISP to support the exchange of raw bro NIDS signatures within MISP communities. For a complete overview of all the changes, the full change log is available [here](https://www.misp.software/Changelog.txt). The [PyMISP change log](https://www.misp.software/PyMISP-Changelog.txt) is also available. Enhancements to the STIX2 export and import were undertaken to improve the scope coverage of the [MISP open standard](https://github.com/MISP/misp-rfc) and its mapping to the STIX2 JSON format. Relationships between SDOs have been improved in the export to map the MISP relationships to the fixed relationships described in STIX2. valid_until has been mapped in the STIX2 export based on the expiration date carried by the expiration sightings available in MISP. Several new translations were included in MISP for the user-interface localisation. The Japanese translation has been completed, French, Danish and Italian have been improved drastically and many other translations (such as German, Spanish and Korean) are on the way.
A huge thanks to all the [contributors](https://www.misp-project.org/contributors) who have tirelessly helped us improve the software, and to all the participants in the MISP trainings who gave us plenty of interesting feedback and ideas for improvements. MISP [galaxy](https://www.misp-project.org/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf) and [taxonomies](https://www.misp-project.org/taxonomies.pdf) were notably extended by many contributors. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI. Don't forget that the MISP Threat Intelligence Summit 0x4 will take place on Monday 15 October 2018, before hack.lu 2018. Don't hesitate to have a look at our [events page](http://www.misp-project.org/events/) to see our next activities to improve threat intelligence, analytics and automation. 2018-09-06T20:57:39+00:00 MISP v2.4.96 MISP v2.4.96 2018-10-10T04:41:25+00:00 A new version of MISP ([2.4.96](https://github.com/MISP/MISP/tree/v2.4.96)) has been released with a complete rework, refactoring and simplification of the restSearch API, allowing for more flexibility, improved search capabilities, performance and extendability. All of the MISP export APIs have now been unified into the restSearch APIs with a vastly improved query format. The complete documentation of restSearch is included in the automation page. A pagination system has been added allowing users to easily paginate over search result sets and limit the output. The two new parameters are limit and page, both directly accessible in the MISP query format. The search results in the MISP UI now allow for the direct download of the search results in any of the supported formats available in MISP in a convenient and quick way. The CSV export has been refined to remove inconsistencies in the requested field parameters and the header field names, among other fixes.
The internal fetcher has been rewritten to use an internal pagination and caching mechanism that scales with the amount of memory given to the PHP process, increasing performance and reducing the chance of ever running into memory limit issues. Various other changes (such as resolving some bottlenecks in regards to object references, potential query length issues in certain situations, etc.) improve both the stability and performance of all functions relying on fetching event / attribute data. The freetext import is now delegated to a background process for large imports. It has also received additional tweaks such as support for ASN detection and additional indicator refanging rules. The API for warning-lists has been improved and warning-lists can now be updated by using a substring contained within a warninglist's name. A simple toggle mechanism to disable and enable warning-lists via the API has also been added. The [Cortex integration](https://blog.thehive-project.org/2018/09/27/cortex-2-1-0-the-response-edition/) is now back to nominal and fully functional with this latest version. A host of additional improvements and bug fixes were introduced, including improvements to the user-interface, API, STIX 1/2 import and export, etc. A huge thanks to all the [contributors](https://www.misp-project.org/contributors) who have tirelessly helped us improve the software, and to all the participants in the MISP trainings who gave us plenty of interesting feedback and ideas for improvements. MISP [galaxy](https://www.misp-project.org/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf) and [taxonomies](https://www.misp-project.org/taxonomies.pdf) were notably extended by many contributors. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI. Don't forget that the MISP Threat Intelligence Summit 0x4 will take place on Monday 15 October 2018, before hack.lu 2018.
Don't hesitate to have a look at our [events page](https://www.misp-project.org/events/) to see our next activities to improve threat intelligence, analytics and automation. We also have two MISP trainings foreseen in Luxembourg: Monday 17 December [MISP Training - Threat Intelligence Analyst and Administrators](https://en.xing-events.com/MURFIIQ) and Tuesday 18 December [MISP Training - Developers session - API and Extensions](https://en.xing-events.com/QDBMTBT.html). 2018-10-10T04:41:25+00:00 MISP v2.4.97 MISP v2.4.97 2018-10-30T07:22:39+00:00 A new version of MISP ([2.4.97](https://github.com/MISP/MISP/tree/v2.4.97)) has been released with new features such as related tags, the sighting restSearch API and a new French localisation, along with many improvements to the API and the import/export capabilities, such as improved support for [DHS AIS](https://www.us-cert.gov/ais) STIX 1 files. ![MISP event graph to display an overview of the relationships for a malware infection](https://www.misp-project.org/assets/images/misp/blog/eventgraph.png) The new related tags functionality has been introduced to allow users to view the most commonly used tags for a specific attribute across all events. This can help analysts when deciding to use a specific classification based on previous analyses, reducing the time it takes to contextualise the new information. ![Related tags shown for an attribute in MISP](https://www.misp-project.org/assets/images/misp/blog/related-tags.png) A new API has been introduced, allowing users to search [MISP sightings](https://www.misp.software/2017/02/16/Sighting-The-Next-Level.html) using a set of filter parameters along with a list of data formats (JSON, CSV or XML). The search is available on an event, attribute or instance level. You can easily search by time ranges (from, to or last) using the standard restSearch API syntax.
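The time-range parameters are the part of the sighting search most integrations get wrong, so here is an added example (not MISP code) of how `from`, `to` and `last` resolve to a window over sightings. It assumes the relative notation the restSearch documentation uses for `last` (for example "5d", "12h", "30m"), treats `from`/`to` as YYYY-MM-DD dates on UTC day boundaries (an assumption of this example), and uses constructed sightings whose `date_sighting` is a Unix timestamp and whose `type` follows MISP's 0 = sighting, 1 = false positive, 2 = expiration convention.

```python
"""Time-range filtering (from / to / last) over sightings. Added example, not MISP
code: the 'last' syntax mirrors the restSearch documentation, the day-boundary
handling of from/to is an assumption, and the sightings below are constructed."""
import re
from datetime import datetime, timedelta, timezone

UNITS = {"d": "days", "h": "hours", "m": "minutes"}

# Constructed reference clock and sightings; ids are ordered by insertion, not time.
NOW = datetime(2018, 11, 1, tzinfo=timezone.utc)
SAMPLE_SIGHTINGS = [
    {"id": 1, "attribute_id": 10, "type": 0, "date_sighting": int((NOW - timedelta(hours=1)).timestamp())},
    {"id": 2, "attribute_id": 10, "type": 0, "date_sighting": int((NOW - timedelta(days=3)).timestamp())},
    {"id": 3, "attribute_id": 11, "type": 0, "date_sighting": int((NOW - timedelta(days=10)).timestamp())},
    {"id": 4, "attribute_id": 11, "type": 2, "date_sighting": int((NOW - timedelta(days=2)).timestamp())},
]


def parse_last(spec):
    """'5d' -> timedelta(days=5); anything else is rejected rather than guessed."""
    m = re.fullmatch(r"(\d+)([dhm])", spec.strip())
    if not m:
        raise ValueError(f"unsupported 'last' value: {spec!r}")
    return timedelta(**{UNITS[m.group(2)]: int(m.group(1))})


def parse_day(spec, end=False):
    """YYYY-MM-DD -> epoch of 00:00:00 UTC, or of 23:59:59 UTC when end=True."""
    day = datetime.strptime(spec, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    if end:
        return int((day + timedelta(days=1)).timestamp()) - 1
    return int(day.timestamp())


def resolve_window(filters, now):
    """Return (start, end) epoch bounds; None means unbounded on that side."""
    start = end = None
    if "last" in filters:
        start = int((now - parse_last(filters["last"])).timestamp())
    if "from" in filters:
        start = max(start or 0, parse_day(filters["from"]))
    if "to" in filters:
        end = parse_day(filters["to"], end=True)
    return start, end


def search_sightings(sightings, filters, now=NOW):
    """Apply the time window plus an optional sighting type filter."""
    start, end = resolve_window(filters, now)
    out = []
    for s in sightings:
        ts = int(s["date_sighting"])
        if start is not None and ts < start:
            continue
        if end is not None and ts > end:
            continue
        if "type" in filters and str(s["type"]) != str(filters["type"]):
            continue
        out.append(s)
    return out


if __name__ == "__main__":
    for s in search_sightings(SAMPLE_SIGHTINGS, {"last": "5d", "type": 2}):
        print(s["id"], s["attribute_id"], s["date_sighting"])
```

When `last` and `from` are both given, the later of the two bounds wins; an unsupported unit such as "5w" raises instead of silently matching nothing, which is the failure mode you want in a feed integration.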
At the API level, many changes were introduced, such as:

- The [Galaxy](https://www.misp-project.org/galaxy.html) API is now exposed and can be browsed via the API.
- The event index API can now be exported in CSV format in addition to the standard JSON format.
- Log entries are now exposed via the API. The API is documented via the template system/REST client.
- Warning-list lookups are now exposed via the API. A value can be quickly tested against the warning-lists enabled on a MISP instance without the need to create any persistent data.

Many fixes were introduced to the STIX 1 and 2 import and export, including better support for AIS markings and specific MISP objects. The French localisation of the user-interface is now complete (thanks to all the contributors). French is the second localisation after Japanese to reach full coverage. If you want to contribute and help with the translation project, don't hesitate to [join us on crowdin](https://crowdin.com/project/misp). MISP [galaxy](https://www.misp-project.org/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf) and [taxonomies](https://www.misp-project.org/taxonomies.pdf) were notably extended by many contributors. New object templates were introduced to better support the description of forensic analysis cases and improve their sharing. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI. A detailed and [complete changelog is available](http://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements. Don't hesitate to have a look at our [events page](http://www.misp-project.org/events/) to see our next activities to improve threat intelligence, analytics and automation. We also have two MISP trainings foreseen in Luxembourg: Monday 17 December [MISP Training - Threat Intelligence Analyst and Administrators](https://en.xing-events.com/MURFIIQ) and Tuesday 18 December [MISP Training - Developers session - API and Extensions](https://en.xing-events.com/QDBMTBT.html).
2018-10-30T07:22:39+00:00 MISP v2.4.98 MISP v2.4.98 2018-11-26T13:28:08+00:00 A new version of MISP ([2.4.98](https://github.com/MISP/MISP/tree/v2.4.98)) has been released with new features such as improved UI consistency (for example the attribute search output), improved validation error messages, a new built-in experimental SleuthKit mactime import, new small features and many bug fixes. The user interface has been significantly improved in regards to the reporting of validation errors occurring whilst attempting to save attributes. The user can now view the attributes that were not properly imported and the reason the validation failed. A user can view the failed/succeeded saves resulting from batch imports via the UI. Additionally, a host of small fixes for the flash message system have been implemented. A new experimental import functionality has been included to import SleuthKit mactime timelines directly into MISP. The user can import one or more mactime timelines into MISP, which will be included as mactime objects to describe forensic activities on an analysed file system. The import is a two-step process where the user can cherry-pick the forensic events which took place and select the meaningful activity to be added to a MISP event.
![SleuthKit mactime import in MISP](https://www.misp-project.org/assets/images/misp/blog/mactime1.png) ![SleuthKit mactime imported in MISP as objects](https://www.misp-project.org/assets/images/misp/blog/mactime2.png) The API has been improved with many new features such as:

- The result counts of the restSearch API are now visible via the x-result-count header
- The option includeProposals is now functional in the attribute level restSearch
- The event controller readability has been improved
- Fixed a bug blocking malware samples from being added using /events/add when the encrypt=1 flag was set for raw sample inclusion
- Sighting restSearch API documentation has been fixed
- Better handling when trying to edit an attribute without adequate permissions
- Throw a proper error when trying to edit an event without access to doing so
- Fixed non-exportable tags being included in the attribute level restSearch.

In the CSV export functionality, the ignore flag is restored to the old behaviour:

- If not set, only published events and to_ids-flagged attributes are returned by default
- Setting ignore:0 results in the default behaviour
- Setting ignore:1 also includes unpublished events and attributes without the to_ids flag
- Fixed a bug that broke the CSV API if ignore:0 was passed

Many long-standing bugs were fixed based on the feedback from various users and organisations. In the STIX 1 import, the AIS marking is now imported as a MISP event tag. Many improvements were made to the STIX 1 and STIX 2 import/export; check the changelog for the complete list of changes. MISP [galaxy](https://www.misp-project.org/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf) and [taxonomies](https://www.misp-project.org/taxonomies.pdf) were notably extended by many contributors. New object templates were introduced to improve the support for the description of forensic analysis cases and improve their sharing. These are also included by default in MISP.
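The limit/page parameters introduced in 2.4.96 and the x-result-count header from 2.4.98 are what a feed integration uses to walk a large result set safely. The following is an added example of such a client loop, not PyMISP or MISP code. It assumes the JSON body shape `{"response": {"Attribute": [...]}}` for /attributes/restSearch and treats x-result-count as the number of entries in the response it accompanies, using it as an integrity check on the body; the release notes do not say whether the header reports the page or the whole query, so verify this against your own instance before relying on it as a stop condition. The HTTP transport is injected, so the example runs offline against a constructed fake server.

```python
"""Client-side pagination over restSearch with limit/page, cross-checked against
the x-result-count header. Added example with a constructed fake server; not
MISP or PyMISP code."""
import json


def paginate(post, query, scope="/attributes/restSearch", limit=100):
    """post(path, body) -> (status, headers, body_dict). Yields attributes one by one."""
    base = dict(query)
    base["returnFormat"] = "json"
    page = 1
    while True:
        status, headers, body = post(scope, {**base, "limit": limit, "page": page})
        if status != 200:
            raise RuntimeError(f"restSearch {scope} page {page} failed with HTTP {status}")
        batch = body.get("response", {}).get("Attribute", [])
        # Integrity check: a truncated or mangled body shows up as a count mismatch.
        reported = headers.get("x-result-count")
        if reported is not None and int(reported) != len(batch):
            raise RuntimeError(f"page {page}: header says {reported} results, body has {len(batch)}")
        yield from batch
        if len(batch) < limit:  # a short page means the result set is exhausted
            return
        page += 1


def make_fake_server(attributes):
    """Constructed stand-in for a MISP instance: honours limit/page and sets the header."""
    calls = []

    def post(path, body):
        calls.append(json.loads(json.dumps(body)))  # keep a copy of each request body
        limit, page = body["limit"], body["page"]
        chunk = attributes[(page - 1) * limit: page * limit]
        headers = {"x-result-count": str(len(chunk))}
        return 200, headers, {"response": {"Attribute": chunk}}

    return post, calls


# Constructed sample attributes (not real indicators).
SAMPLE = [{"id": i, "type": "ip-dst", "value": f"198.51.100.{i}"} for i in range(1, 6)]

if __name__ == "__main__":
    post, calls = make_fake_server(SAMPLE)
    got = list(paginate(post, {"type": "ip-dst"}, limit=2))
    print(len(got), "attributes fetched in", len(calls), "requests")
```

To point this at a real instance, replace `post` with a function that sends the body to `<baseurl>/attributes/restSearch` with the `Authorization`, `Accept: application/json` and `Content-Type: application/json` headers and returns the status, response headers and parsed body; the loop itself does not change.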
Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI. A detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements. Don't hesitate to have a look at our [events page](https://www.misp-project.org/events/) to see our next activities to improve threat intelligence, analytics and automation. 2018-11-26T13:28:08+00:00 MISP v2.4.99 MISP v2.4.99 2018-12-06T14:43:25+00:00 A new version of MISP ([2.4.99](https://github.com/MISP/MISP/tree/v2.4.99)) has been released with improvements in the UI, API and STIX import, and a fix for a critical security vulnerability. Thanks to Francois-Xavier Stellamans from NCI Agency Cyber Security who reported a critical vulnerability in the STIX 1 import code. The vulnerability allows a malicious authenticated user to inject commands via an incorrectly escaped variable (the original name of the uploaded STIX file). We strongly urge users to update their MISP instance to the latest version. We also replaced the mechanism for storing the original uploaded files on ingestion with a standardised function that processes the files without passing them to external tools - this reusable system will avoid similar issues in the future if new similar mechanisms are introduced. CVE allocation is pending (the page will be updated when we receive it). This release includes the following changes:

- The attribute types x509-fingerprint-md5 and x509-fingerprint-sha256 were added to the network activity category.
- A new CLI interface to clean up the brute-force protection entries from MISP.
- Some warning message inconsistencies were fixed in the UI.
- Added a warning when a site administrator is trying to edit an event not belonging to the organisation of the site admin.
- [API] Object edit has been fixed to return the object in the correct format.
- When editing an object to add new attributes, correctly set the default distribution if nothing is set.
- Many fixes and improvements in the STIX 1 and STIX 2.0 import.
- The XML MISP export has been fixed.

We would like to thank all the contributors, reporters and users who helped us in the past days to improve MISP. MISP [galaxy](https://www.misp-project.org/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf) and [taxonomies](http://www.misp-project.org/taxonomies.pdf) were extended by many contributors. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI. A detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements. Don't hesitate to have a look at our [events page](https://www.misp-project.org/events/) to see our next activities to improve threat intelligence, analytics and automation. 2018-12-06T14:43:25+00:00 MISP v2.4.100 MISP v2.4.100 2019-01-01T10:52:02+00:00 Happy new year! We are so proud of our community which has supported us for the past year and we hope to do even better in 2019. Thanks a lot. A new version of MISP ([2.4.100](https://github.com/MISP/MISP/tree/v2.4.100)) has been released with improvements to the UI, API, import and export along with the addition of a new query builder. ![](https://www.misp-project.org/assets/images/misp/blog/restsearchbuilder.png) Considering how critical it is to accurately define how we query MISP instances in order to feed and integrate with network security devices, endpoint security devices or monitoring tools, we have tried to improve the life of the users tasked with the above duties via a new query builder, available through the REST client interface (REST client below the Event Actions).
The query builder provides a simple interface to create the JSON queries used to get the information you are truly interested in back for ingestion into your devices and tools. Instead of going through the sometimes headache-inducing task of trying to manually craft JSON objects, you can now construct complex queries via a series of simple clicks. The query builder is intelligent in the sense that it attempts to offer the exact values that are supported as options and provides you with dynamic contextual information for each of the query filters. You can subsequently test your queries and grab the code generated from your filter choices in Python or curl format to support your integration. UI usability has been improved with the following fixes (based on various feedback received during the MISP trainings):

- Quickedit (double-click on value) in the event view has been replaced by a more obvious edit icon, to ease cutting and pasting values from the attribute list. This change was also made for the category, type and IDS fields.
- Hover functionality has been improved to avoid glitchy popovers, a scrollbar was added and multiple bugs were fixed.
- The old hide tag functionality was clarified to reflect its intended effect (making the tag non-selectable via the interface on the given instance).

Two new attribute types were introduced in MISP (thanks to the contributors):

- cdhash - Code Signing hash, the canonical hash of the program's CodeDirectory resource on Apple OSes, ref: [Code Signing Guide](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/RequirementLang/RequirementLang.html). Thanks to [Daniel Roethlisberger](https://github.com/droe) for the contribution.
- ja3-fingerprint-md5 - a hash for creating SSL client fingerprints in an easy to produce and shareable way.
A tool to extract ja3 from pcap and generate ja3 objects in MISP, called [ja3toMISP](https://github.com/eCrimeLabs/ja3toMISP), has been developed by [eCrimelabs](https://www.ecrimelabs.com/blog/2018/12/30/ja3-to-misp-tool-released). The types are also part of the [MISP standard core format, which has been updated](https://tools.ietf.org/html/draft-dulaunoy-misp-core-format-06). If you see a missing type or object template in MISP, don't hesitate to report it back to us. Multiple bugs were fixed, such as a synchronisation bug causing certain events not to be synced via a pull due to an overzealous protection mechanism. The MISP submodule for STIX 2.x now relies on our [fork of the STIX 2 library](https://github.com/MISP/cti-python-stix2) to support importing STIX 2.x files (which use time-based UUIDs) produced by some vendors and tools. If you have any issue while updating the submodule, don't forget to run a `git submodule sync` before running `git submodule update` on existing MISP instances. STIX 1 and 2 import/export has been significantly improved based on the numerous sample files received. If you have specific issues with certain STIX files, feel free to send these to us. We would like to thank all the contributors, reporters and users who helped us in the past months to improve MISP and information sharing at large. MISP [galaxy](https://www.misp-project.org/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf) and [taxonomies](https://www.misp-project.org/taxonomies.pdf) were extended by many contributors. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI. A detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.
We also released the [complete source code of the MISP training materials](https://github.com/MISP/misp-training) and we hope to see many improvements such as translations, new materials or ideas derived from the training materials. Don't hesitate to have a look at our [events page](http://www.misp-project.org/events/) to see our next activities to improve threat intelligence, analytics and automation. 2019-01-01T10:52:02+00:00 MISP v2.4.101 MISP v2.4.101 2019-01-20T21:32:26+00:00 A new version of MISP ([2.4.101](https://github.com/MISP/MISP/tree/v2.4.101)) has been released with 3 main new features (tag collections, an improved tag/galaxy selector and MISP instance caching), along with a host of improvements and bug fixes. ## Tag collections ![](https://www.misp-project.org/assets/images/misp/blog/tag-collection-creation.png) Contextualisation in threat intelligence is one of the key activities when performing analysis and when reviewing or processing information from internal or external sources. The task can be rather tedious, but nevertheless it is a critical step in ensuring the quality of the information and its capacity to be used for automatic processing. MISP 2.4.101 introduces a new concept in an attempt to improve the "time-to-contextualise" information for users of the platform. Tag collections, a new feature in 2.4.101, allow users to predefine re-usable structures consisting of a set of tags (from taxonomies) along with attached galaxy information. Analysts can use these named collections to quickly classify information with all of the contextualisation labels declared in the collection. This functionality enables anyone using MISP to significantly lower the time it takes to classify information and to ensure that all the pre-defined context-related information is attached to an event or attribute. This feature is a first step in opening up the sharing of analysis best practices directly via the platform itself.
## Improved tag/galaxy selector ![](https://www.misp-project.org/assets/images/misp/blog/tag-collection.png) The success of MISP taxonomies and galaxies since their inception has been suffering from a minor but annoying drawback. When we originally designed the user-interfaces of the tag and galaxy systems in MISP, our immediate intent was to handle a rather small set of taxonomies. Since then we have come a long way and, thanks to the many excellent contributions we've received from the community, the ugly side-effect of our original design decisions reared its head: adding multiple tags and galaxies had become a tedious chore, especially when trying to contextualise several aspects of the information to be shared using multiple tags and galaxies. In order to solve this issue, a completely new selector system has been added to ease the process of adding multiple tags and galaxies. The design was based on various issues and the feedback we have received from private organisations, CSIRTs and analysts. Let us know what you think about it and don't hesitate to [open an issue for bugs or feedback on the improved selector](https://github.com/MISP/MISP/issues). ## MISP instance caching Synchronisation between MISP instances has always been a core functionality of MISP in order to support the sharing of information. This release includes a new feature allowing administrators to cache a remote MISP instance without the need to synchronise and pull events. The MISP instance caching feature supports the built-in correlation system of MISP along with the overlap matrix of the feed system. This allows users to see cross-instance correlations without the need to ingest the data of other instances directly, and to include remote instances in the feed correlation system to compare how the information of feeds stacks up against that contained on other instances.
This also opens up a host of possible multi-MISP scenarios when it comes to running collection-oriented "junk" MISPs internally and being able to cross-correlate them with the operational instances. Keep in mind that in order to benefit from this system, the instance to be cached also has to be on at least version 2.4.101. ## New attribute type "[HASSH](https://github.com/salesforce/hassh)" is a network fingerprinting standard which can be used to identify specific client and server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint. The hassh-md5 and hasshserver-md5 types are now part of the [MISP standard core format, which has been updated](https://tools.ietf.org/html/draft-dulaunoy-misp-core-format-06). If you see a missing type or object template in MISP, don't hesitate to report it back to us. ## Many improvements

- A new unpublish action has been added to simplify the process in the user-interface.
- Disable correlation is now accessible when creating/modifying an attribute.
- New default feed added (from [mirai.security.gives](https://mirai.security.gives)).
- Many improvements in the STIX2 import and export.
- Various bugs fixed.

We would like to thank all the contributors, reporters and users who helped us in the past months to improve MISP and information sharing at large. MISP [galaxy](https://www.misp-project.org/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf) and [taxonomies](https://www.misp-project.org/taxonomies.pdf) were extended by many contributors. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI. A detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.
Don't hesitate to have a look at our [events page](http://www.misp-project.org/events/) to see our next trainings, talks and activities to improve threat intelligence, analytics and automation. 2019-01-20T21:32:26+00:00 MISP v2.4.102 MISP v2.4.102 2019-02-03T10:34:59+00:00 A new version of MISP ([2.4.102](https://github.com/MISP/MISP/tree/v2.4.102)) has been released with several fixes, various UI improvements, new types and praise for the open source community. ## New types ### Anonymisation Sharing and exchanging information encompasses a lot of different models, communities and practices, with the MISP project being involved in various discussions and projects centered around building sharing and information exchange communities. A complex topic comes up regularly, namely the anonymisation of the information exchanged. Sharing anonymised information often aims to simply share the existence of knowledge about a piece of information. We introduced a new attribute type in MISP called "anonymised", which can be combined with a newly introduced object called [anonymisation](https://www.misp-project.org/objects.html#_anonymisation). ![](https://www.misp-project.org/assets/images/misp/blog/anon-graph.png){:class="img-responsive"} ![](https://www.misp-project.org/assets/images/misp/blog/anon2.png){:class="img-responsive"} ![](https://www.misp-project.org/assets/images/misp/blog/anonymisation.png){:class="img-responsive"} The design is flexible and can be extended with new anonymisation techniques and/or approaches. We are standing on the shoulders of giants, for example open source tools such as [Crypto-PAn](https://www.cc.gatech.edu/computing/Networking/projects/cryptopan/), [ipsumdump](https://github.com/kohler/ipsumdump) or [arx](https://arx.deidentifier.org/). ### Bro -> Zeek The open source NIDS [Bro project was renamed Zeek](https://blog.zeek.org/2018/10/renaming-bro-project_11.html) in late 2018.
Zeek has a growing community, and NIDSs are important in ensuring the detection and enforcement of threat intelligence information shared within various communities at the network level. We added a new MISP type called zeek which can be used in exactly the same fashion as the bro type (which will remain in place to ensure backwards compatibility). As diversity is of utmost importance when it comes to information security, and also to open source NIDS options, the MISP standard core format supports [Suricata](https://suricata-ids.org/), [Snort](https://www.snort.org/) and [Zeek](https://www.zeek.org/). ## Sighting ![](https://www.misp-project.org/assets/images/misp/blog/sighting-UI.png){:class="img-responsive"}

- The MISP UI has been improved to allow sighting at the attribute level or at the global level.
- Various improvements to the sighting hover, such as generic hovering support.
- ReST API for sightings improved.
- ReST API bug fix where sightings were added to every single attribute when addSighting failed.
- Search results now include sighting results too.

## Enhancements

- Server settings have been refactored and streamlined with the UI server settings.
- [Installation documentation](https://misp.github.io/MISP/) has been improved with a generic Debian installer script.
- restSearch APIs improved in regards to better support for URL parameters.
- Feed correlation is no longer visible when attributes have correlation disabled.
- Translations of the UI were improved and new languages were added (updated: Czech 4%, Danish 53%, German 21%, French 95%, Italian 39%, Japanese 95%, Korean 3%, Brazilian Portuguese 6%, Spanish 3%; new: [i18n] Hungarian, Russian, Ukrainian, Simplified Chinese).
- STIX 1 and 2 exports now use the restSearch API instead of the old download interface.
- Major improvements in the handling of malware samples in STIX 1 and 2 format.

Many bugs were fixed and various small improvements were performed.
A significant fix to improve performance for older versions of MySQL was implemented, to avoid incorrect indexes being preferred for some specific queries. MISP [galaxy](https://www.misp-project.org/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf) and [taxonomies](https://www.misp-project.org/taxonomies.pdf) were extended by many contributors. These are also included by default in MISP. Don't forget to do a `git submodule update` and update galaxies, objects and taxonomies via the UI. We would like to thank all the contributors, reporters and users who have helped us in the past months to improve MISP and information sharing at large. As this is the FOSDEM release, we would like to praise all the open source software and their respective authors who have helped us to make the MISP project a reality, including (in no particular order, and in no way meant to be exhaustive) [Redis](https://redis.io/), [PHP](http://php.net/), [Python](https://www.python.org/), [TheHive Project](https://thehive-project.org/), [LIEF - Library to Instrument Executable Formats](https://lief.quarkslab.com/), [MariaDB](https://mariadb.org/), [vis.js](http://visjs.org/index.html), [ZMQ](http://zeromq.org/) ... As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements. Don't hesitate to have a look at our [events page](https://www.misp-project.org/events/) to see our next trainings, talks and activities to improve threat intelligence, analytics and automation. 2019-02-03T10:34:59+00:00 MISP v2.4.103 MISP v2.4.103 2019-03-07T11:57:38+00:00 A new version of MISP ([2.4.103](https://github.com/MISP/MISP/tree/v2.4.103)) has been released with significant UI improvements (including a new flexible attribute filtering tool at the event level), many bug fixes and a fix for a security vulnerability (CVE-2019-9482) which affected sighting visibility.
# New features ## Improved attribute filtering tool A new attribute filtering tool has been added to the event view to replace the previous filtering. Complex filtering rules can be set to easily filter, navigate and paginate over large events with many attributes and objects. ![MISP screenshot - new attribute filtering tool at event level](https://www.misp-project.org/assets/images/misp/blog/filtering.png){:class="img-responsive"} ![MISP screenshot - new attribute filtering tool at event level](https://www.misp-project.org/assets/images/misp/blog/filtering2.png){:class="img-responsive"} ## Improved hover behaviour for expansion services Thanks to [Wesley Agena](https://github.com/wesleya) from DomainTools for the improvement in the hover placement while using [misp-modules](https://github.com/MISP/misp-modules) expansion services in MISP. The hover improvements include:

- add some logic to choose a better hover placement
- make the hover hide on outside click, to allow using the scrollbar to view the full hover
- add an icon in the hover tooltip to turn it into a popup
- move the popup close button to a better position
- group attributes for each module in the hover UI
- prevent duplicate enrichment API queries once the first one is done

# UI rework A major project is ongoing to improve the UI accessibility in MISP; UI elements are progressively updated to an adequate templating system to ease the future extension of the UI. This version already includes reworked tab, index, server settings and server preview UIs, and much more. The rework is handled in a progressive fashion, with the UI being gradually updated to ensure a smooth transition. If you notice any UI specific issues during the transition period, don't hesitate to open an [issue](https://github.com/MISP/MISP/issues) (with a screenshot if possible) to describe the expected behaviour.
## Generic matrix-like galaxies are now supported

With the increased use of MITRE ATT&CK and the need to describe similar matrix-like models, generic matrix-like galaxies are now supported. You can create your own matrix with the associated custom kill chains. A first [new matrix-like galaxy](https://www.misp-project.org/galaxy.html#_election_guidelines) has been added to MISP, called *Universal Development and Security Guidelines as Applicable to Election Technology*, made by the [European Commission](https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf) to model the attack model against election processes and technologies. If you want to create your own matrix-like galaxy, [a slide deck called MISP Galaxy](https://www.misp-project.org/misp-training/3.2-misp-galaxy.pdf), part of the [MISP training materials](https://github.com/MISP/misp-training#misp-training-materials), explains the basics.

# Security fix (CVE-2019-9482)

In MISP 2.4.102, an authenticated user could view sightings that they should not be eligible for. Exploiting this requires access to the event that has received the sighting, in addition to certain conditions aligning: the issue affects instances with restrictive sighting settings (event only / sighting reporter only). This vulnerability has received the designation [CVE-2019-9482](https://cve.circl.lu/cve/CVE-2019-9482). Thanks to Tyler McLellan of CanCyber.org for reporting the vulnerability. We are eager to receive security reports and/or analyses about the MISP project, [don't hesitate to contact us](https://github.com/MISP/MISP/blob/2.4/CONTRIBUTING.md#reporting-security-vulnerabilities).

## Enhancements

- Kerberos authentication has been updated to include ldapEmailField to specify an additional location where email addresses can be found (thanks to [iwitz](https://github.com/iwitz)).
- [API] change_pw is now exposed to the API.
- The event view now includes the number of objects included in an event.
- Additional URL setting to add a complementary baseurl, especially when a MISP is accessible via different means and a URL is required for the sharing groups. The objective is to decouple the baseurl (used to prepend links) from the announce baseurl (for sharing groups / emailing).
- Add CORS setting for external integration (thanks to [Hannah Ward](https://github.com/FloatingGhost)).
- A major rework on the [auto installer script for MISP](https://misp.github.io/MISP/INSTALL.ubuntu1804/) to transform the installation process into a pleasant journey.
- [CLI] DB updates can now be executed via the CLI. This mimics what the automatic update does when logging in for the first time after an update.
- [API] New tag search API to search for tags:
  - simply pass the value you want to search for; use % for wildcards
  - taxonomy and galaxy metadata are returned with the tag
- [API] The log search API now supports time ranges.
- The event view now includes a sparkline to track changes on the event over time.
- Many docs and installer guides have been improved.

A host of bugs were squashed and various small improvements were implemented.

MISP [galaxy](https://www.misp-project.org/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf) and [taxonomies](https://www.misp-project.org/taxonomies.pdf) were extended by many contributors, and are also included by default in MISP. Don't forget to run a `git submodule update` and update galaxies, objects and taxonomies via the UI. [MISP modules](https://github.com/MISP/misp-modules) were also significantly improved, especially the PDF export, which includes a complete export of MISP events as a clean and concise PDF report.

We would like to thank all the contributors, reporters and users who have helped us in the past months to improve MISP and information sharing at large.
As always, a detailed and [complete changelog is available](http://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements. Don't hesitate to have a look at our [events page](http://www.misp-project.org/events/) to see our next trainings, talks and activities to improve threat intelligence, analytics and automation.

MISP v2.4.104 (2019-03-27T15:03:17+00:00)

A new version of MISP ([2.4.104](https://github.com/MISP/MISP/tree/v2.4.104)) has been released with a host of new features, such as a new overlap feed comparator, a new graph visualisation of event and attribute distributions, a history/bookmark system for the REST client and many others.

# New features

## New overlap feed comparator

Cached feeds can now be compared to the entire set or a subset of the other cached feeds, assisting users in their decision-making process for acquiring new feeds, based on whether the contents of the new feed are already covered by their combination of existing ingested feeds.

![Comparing a MISP feed to other feeds and check its coverage](https://www.misp-project.org/assets/images/misp/blog/feed-coverage.png)

## Distribution graph

A new distribution visualisation graph has been introduced to quickly display the potential recipients of the data. This allows users to get an overview of how far events and attributes will be distributed and shows the members of the community who will receive the information shared.

![MISP distribution graph example](https://www.misp-project.org/assets/images/misp/blog/distribution-graph.png)

## Bookmark and history in REST client

The MISP UI REST Client now keeps a history of the 10 most recently performed queries. Additionally, queries can now be recalled and bookmarked for later use, so there's no longer a need to manually keep track of your queries in your notes: they are now in your MISP instance.
![MISP REST Client bookmarks](https://www.misp-project.org/assets/images/misp/blog/rest-bookmarks.png)

## Required taxonomy

It is now possible to restrict the publication of new events via the UI as long as certain tagging conditions aren't met. Administrators can configure "required" taxonomies, thereby enforcing their use in the community (such as TLP for CSIRTs, mandatory classification for military organisations or other required contextualisation requirements for ISACs).

## Kafka publishing

CERN provided an outstanding contribution which includes [Kafka](https://kafka.apache.org/) streaming functionality for MISP, in addition to the existing ZMQ pub-sub channel. This allows the inclusion of a real-time stream of actions (such as new events, updates, new sightings, new tags) from MISP into advanced security processing workflows. For more information, the [CERN presentation](https://indico.cern.ch/event/775579/contributions/3306040/attachments/1808103/2951821/2019-02-20__WLCG_SOC_WG_CERN_SOC_Update.pdf) gives some good insights.

## Improvements

- A new ATT&CK heatmap is now displayed per galaxy cluster, aggregating information from the various events and attributes in MISP where the techniques are linked to the given cluster (for example a threat actor).
- The matrix-heatmap representation of all matrix-type galaxies is now included in the statistics page.
- [API] Pagination is now available for the event index.
- Galaxies can now be deleted from the user interface.
- A new exercise setup script has been introduced to set up MISP instances for training or exercises:
  - assumes a hub MISP and a set of training MISPs for different participating teams
  - the script is to be executed on the hub MISP and, assuming a consecutively incrementing numeric component in the training MISPs' URLs, it will pre-configure them
  - each instance has to have the same API key for the site admin (the idea is to clone training VMs)
  - the configuration creates users, organisations, sync users and sync connections across both the hub and the individual trainee instances

## Bug fixes

- Upgraded to the latest version of CakePHP.
- Bro/Zeek export fixed, including the cached export feature.
- The STIX 2 export received various fixes.
- Some improvements to the RPZ export format to include the serial.
- Multiple bugs fixed in the ZMQ.

A host of bugs were squashed and various small improvements were implemented.

MISP [galaxy](/galaxy.pdf), [objects](https://www.misp-project.org/objects.pdf), [taxonomies](https://www.misp-project.org/taxonomies.pdf) and [warning-lists](https://www.github.com/MISP/misp-warninglists) were extended by many contributors, and are also included by default in MISP. Don't forget to run a `git submodule update` and update galaxies, objects and taxonomies via the UI.

We would like to thank all the contributors, reporters and users who have helped us in the past months to improve MISP and information sharing at large.

As always, a detailed and [complete changelog is available](http://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements. Don't hesitate to have a look at our [events page](http://www.misp-project.org/events/) to see our next trainings, talks and activities to improve threat intelligence, analytics and automation.
MISP v2.4.105 (2019-03-31T10:37:56+00:00)

A new version of MISP ([2.4.105](https://github.com/MISP/MISP/tree/v2.4.105)) has been released to fix a security vulnerability ([CVE-2019-10254](https://cve.circl.lu/cve/CVE-2019-10254)), in addition to some minor improvements and a fix for the STIX 1.1 import, enabling the import of files with additional namespaces (such as [CISCP](https://www.dhs.gov/cisa/cyber-information-sharing-and-collaboration-program-ciscp)).

This release includes a security fix for a reflected XSS vulnerability ([CVE-2019-10254](https://cve.circl.lu/cve/CVE-2019-10254)) in the default layout template, as reported by Tuscany Internet eXchange - Misp Team - TIX CyberSecurity (thanks to them!). We strongly recommend that everyone update their MISPs to the latest version.

The STIX 1.1 import can now import STIX files using additional, non-standard namespaces (such as [CISCP](https://www.dhs.gov/cisa/cyber-information-sharing-and-collaboration-program-ciscp)).

# Improvements

- A new diagnostic to display the status of all the git sub-modules.
- Replaced the old non-cached export page with the improved restSearch.
- Multiple improvements in the UI.
- Russian translation of the UI added.
- STIX 1.1 export fixed to set the adequate TLP marking.

We would like to thank all the contributors, reporters and users who have helped us in the past months to improve MISP and information sharing at large.

As always, a detailed and [complete changelog is available](http://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements. Don't hesitate to have a look at our [events page](http://www.misp-project.org/events/) to see our next trainings, talks and activities to improve threat intelligence, analytics and automation.
MISP v2.4.106 (2019-04-25T13:48:40+00:00)

![](https://www.misp-project.org/assets/images/misp/blog/graph-thumb.png)

A new version of MISP ([2.4.106](https://github.com/MISP/MISP/tree/v2.4.106)) has been released with a host of improvements, including new features such as a feed cache search and CLI tools to manage your MISP instance, along with improved diagnostics.

# New features

- [API] Improved API to update warning-lists, object templates, the galaxy library, taxonomies and notice lists.
- Searching the feed caches is now possible via both the UI and the API. This allows users to rapidly find out whether a provided value exists in any of the cached sources ([feeds](https://www.misp-project.org/feeds/) and MISP servers alike).
- [CLI] Worker management is now exposed via the CLI. The listing, starting, restarting and killing of workers can now be simply accomplished via the CLI.
- [CLI] Reset/set a user's API key via the CLI. Overriding a password is now also possible without the need to force a password reset on login.
- [Auth] [LinOTP](https://www.linotp.org/) authentication module added in MISP.
- A [training deployment script](https://github.com/MISP/MISP/blob/2.4/app/Console/Command/TrainingShell.php) has been added to support the deployment of configurable networked MISP training topologies. The script has been created in order to support the NATO Locked Shields 2019 exercise, especially in regards to the deployment of a large number of connected player-team instances.

# Improvements

- Image resizing of attachments has been improved, including a local thumbnail cache.
- [UI] Thumbnails are now included in the event graph visualisation.
- Exports in all formats are now enabled by default, even for non-published events.
- Refanging of attributes is now done before saving attributes in the UI (the refanging algorithms are the ones from the free-text import).
- [UI] Refactor of the tag picker to improve performance and re-introduce the custom tags.
- [UI] Performance improvements for events with large numbers of attributes and objects.
- [doc] Installation scripts and documentation were significantly improved: [MISP Install Documentation](https://misp.github.io/MISP/).
- [UI/translation] Improvements to the various UI translations, including the Russian translation.
- Improvement of various MySQL queries for outdated and buggy MySQL versions.
- Many new [MISP object templates](https://github.com/MISP/misp-objects/) were included. Don't forget to run a `git submodule update` and update galaxies, objects and taxonomies via the UI.
- Many improvements in the accessibility of the MISP user interface, especially for [Accessible Rich Internet Applications (ARIA)](https://developer.mozilla.org/en-US/docs/Web/Accessibility/ARIA).
- Many reported bugs were fixed.

# MISP modules

Many new [MISP modules](https://github.com/MISP/misp-modules) were added, such as a QR code extractor, an OCR hover module, Cuckoo sandbox submission and Cisco FireSight manager.

We would like to thank all the contributors, reporters and users who have helped us in the past months to improve MISP and information sharing at large.

As always, a detailed and [complete changelog is available](http://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.107 (2019-05-13T21:05:36+00:00)

![MISP 2.4.107](https://www.misp-project.org/assets/images/misp/blog/similar-objects.png)

A new version of MISP ([2.4.107](https://github.com/MISP/MISP/tree/v2.4.107)) has been released with a host of new features, improvements and security fixes. We strongly advise all users to update their MISP installation to this latest version.
# New main features

## Similar objects and an easy to use tool to merge them

MISP objects are now a cornerstone of describing complex data structures, along with other aspects of threat intelligence. We have regularly seen analysts add new objects and end up with similar objects in their analysis. MISP 2.4.107 now shows similar objects (with common attributes) and proposes strategies for merging them into existing objects. The user interface is easy to use and part of the standard project.

## Native yara and yara-json export

For a very long time, MISP has supported the sharing of pre-crafted [YARA](https://virustotal.github.io/yara/) attributes and objects. As of 2.4.107, we've introduced the ability to export YARA rules generated from any existing attributes in MISP, via the yara and yara-json exports. Existing YARA rules will remain intact, as before this release, and will be included together with the native YARA rules stored in MISP. The export depends on the [Python plyara module](https://github.com/plyara/plyara).

## API

- New includeWarninglistHits option for the attribute and event search APIs, enabling users to query any subset of their MISP repositories using the usual search filters to reveal potential false positives or other warnings.
- Added new export format (attack) for restSearch, opening up the usual search filters to the [ATT&CK](https://attack.mitre.org/) integration. The new export format returns the ATT&CK matrix data as HTML via the API and is therefore directly viewable via the REST client. The export was designed during the [EU ATT&CK community](https://www.attack-community.org/) workshop organised at Eurocontrol.

# Various other changes

- New update process included in MISP (to prepare the merge of the "zoidberg" branch and improve the migration process).
- Installer updated and improved (MISP now works on OpenBSD 6.5 and Debian 9.9).
- Module selection improved (sorted, with an improved look and feel).
- STIX export fixed for email attachments.
- RPZ export improved, including new RPZ policy actions (based on the [IETF draft](https://tools.ietf.org/html/draft-vixie-dnsop-dns-rpz-00)).
- New button to quickly extend a MISP event added in the event view.
- Many bugs squashed.

# Security fixes

Thanks to João Lucas Melo Brasio from [Elytron Security S.A.](https://elytronsecurity.com), who reported the following security vulnerabilities, which are now fixed in MISP 2.4.107.

- [CVE-2019-11812](https://cve.circl.lu/cve/CVE-2019-11812) A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link.
- [CVE-2019-11813](https://cve.circl.lu/cve/CVE-2019-11813) An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links.
- [CVE-2019-11814](https://cve.circl.lu/cve/CVE-2019-11814) An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as demonstrated by a screenshot.

# MISP modules

Many new [MISP modules](https://github.com/MISP/misp-modules) were added, such as PDF, PPT, DOCX and XLS importers along with VMRay sandbox analysis import.

We would like to thank all the contributors, reporters and users who have helped us in the past months to improve MISP and information sharing at large.

As always, a detailed and [complete changelog is available](http://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.108 (2019-06-05T15:11:24+00:00)

![](https://www.misp-project.org/assets/images/misp/blog/anothergraph.png)

A new version of MISP ([2.4.108](https://github.com/MISP/MISP/tree/v2.4.108)) has been released with a host of new features, improvements and bug fixes.
We strongly advise all users to update their MISP installations to this latest version.

# New main features

## A copy-paste-and-sync function

A new tool has been added in MISP to create MISP sync configuration objects in JSON format from the user interface. This significantly improves the setup of synchronisation links between MISP instances. The synchronisation can now be set up (in addition to the standard setup) in 2 simple steps:

- Use your sync user account on the remote MISP instance to extract the sync config in one click;
- paste the sync config into your own instance as a site-admin user.

That's it, you have the synchronisation configured.

## Improved "paranoid" logging

During the [enforce](https://securitymadein.lu/news/ceis-securitymadein-lu-enforce-project/) training session in Paris, law enforcement officers mentioned the need for LEAs to have extensive audit mechanisms in regards to information read and user access in general. A new optional paranoid logging functionality has been added to log any queries from the user interface and the API of a MISP instance. The feature has two sub-features, allowing administrators to configure their MISPs to log the POST/PUT bodies, as well as the ability to force paranoid log entries to skip being stored in the database and instead publish the gathered information exclusively via one of the various pub-sub channels (such as ZMQ, Kafka or ElasticSearch) or via syslog.

## API

- New logical 'AND' for tag filters has been added in the restSearch API.
- Added object_relation as a filter for both the event/attribute restSearch functions.
- [restResponse] Added documentation for adding tags on Objects.
- [API] Allow more flexibility on the return content types. [iglocska]

# Various improvements

- [logging] Added verbose logging to the server sync test when throwing an unexpected error.
- [bug] A bug in the event graph displayed broken icons in some specific browsers.
  The bug was fixed by updating font-awesome to 5.8.2 and the loading of font-awesome in visjs.
- [event:view] Correctly display titles that are too large by truncating them (+ ellipsis).
- [diagnostic:view] Improved visibility of the `updateAllJson` update button.
- [object:add] Disable the first select's option when adding a new row.
- [object:add] Added empty option support in select inputs when creating an object.
- [UI] Event lock concatenating quoted empty strings.
- [UI] Double sanitisation of org view fixed, fixes #4704.
- [sync] Further fixes to the deleted flag changes breaking things.
- [authkey] Fixed the authkey variable (Viper should work again) (#4694).
- [sync] Critical bug fixed that blocked attributes from being included in a push, due to the change to the deleted flag that was not reflected in the way we prepare events for the synchronisation.
- [UI] Add the create server sync description menu to the server list.
- [sync] Whitelist fields that can be added via the JSON config.
- [UI] Invalid redirect fixed.
- [organisation:view] Fixed spinner when viewing events from an org.
- [API] Weird responses from JSON objects fixed when the data returned is empty.
- [API] Wrong JSON output when /events/index returns an empty result, fixes #4690.
- [UI] Org index filter fixed.
- [stix2 import] Fixed external domain & x509 patterns import.
- [freetext import] Fixed shadow attribute import.
- [event:view] Correctly support the new `deleted` parameter behavior.
- [UI] Fixed checklocks polluting the top bar.
- [enrichment:popover] Correctly fade out when clicking on the close button.
- [STIX] STIX upload fixed for API use.
- [galaxy:add] Consider both model names when doing a mass cluster addition.
- [installer] Checksum checker has been fixed and improved.
- [stix import] Fixed email attachments parsing.
- [stix import] Supporting multi-attachment attributes for the email object.
# MISP modules

Many new [MISP modules](https://github.com/MISP/misp-modules) were added, such as the Joe Sandbox integration.

# MISP galaxy, object templates and warning-lists updated

[MISP galaxy](https://www.misp-project.org/galaxy.html), [MISP object templates](https://www.misp-project.org/objects.html) and [MISP warning-lists](https://github.com/MISP/misp-warninglists/) have been updated to the latest version. New [default feeds](https://www.misp-project.org/feeds/) were added in MISP. Don't hesitate to contact us if you have any idea for new feeds.

We would like to thank all the contributors, reporters and users who have helped us in the past months to improve MISP and information sharing at large.

As always, a detailed and [complete changelog is available](http://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.109 (2019-06-13T20:18:04+00:00)

A new version of MISP ([2.4.109](https://github.com/MISP/MISP/tree/v2.4.109)) has been released with a host of new features, improvements, bug fixes and a minor security fix. We strongly advise all users to update their MISP installations to this latest version.

# New main features

## Encapsulate existing attributes into an object

![](https://www.misp-project.org/assets/images/misp/blog/attribute-to-object.gif)

When an analyst inserts information into MISP, it's very common to start with a set of unstructured indicators/attributes. At a later stage, common structures emerge and combining attributes into objects starts making more and more sense. However, in prior versions the effort spent on attribute creation would have to be repeated via the object creation interface, something that resulted in analysts deciding to save time and effort and move on, leaving the unstructured data as is.
To reduce the workload needed to bring structure to prior work, we have now introduced a new feature allowing users to easily select a set of attributes and automatically propose suitable object templates depending on the combination of types of the selected attributes. These in turn can be gathered and processed into the desired object.

## Improved ATT&CK and ATT&CK-like matrix support

![](https://www.misp-project.org/assets/images/misp/blog/attack-new.png)

![](https://www.misp-project.org/assets/images/misp/blog/fraud-tactics.png)

We received exhaustive feedback during the FIRST.org CTI conference in London and the [ATT&CK EU community](https://www.attack-community.org/) workshop at Eurocontrol concerning the ATT&CK integration in MISP. The matrix visualisation has been improved by sorting and reorganising the individual techniques based on their aggregate scores. These statistics can now easily be queried based on time ranges, organisations and tags, along with all other restSearch-enabled filters, to generate ATT&CK-like matrix views.

# Security fix - CVE-2019-12794

An issue was discovered in MISP 2.4.108. Organisation admins could reset credentials for site admins (organisation admins have the inherent ability to reset passwords for all of their organisation's users) or impersonate them by reusing their API keys. This could be abused in a situation where the host organisation of an instance decides to use organisation admins to further manage their own users. The potential for abuse is limited to situations where the host organisation of an instance creates lower-privilege organisation admins instead of the usual site admins, so whilst it was indeed in the spirit of what the powers of organisation admins are, we agree that this was a bad design decision. [CVE-2019-12794](https://cve.circl.lu/cve/CVE-2019-12794) Thanks to Raymond Schippers for the report.

## API

- [API] Added new restSearch filter: date.
  - `to` and `from` are deprecated
  - date works similarly to timestamp; accepted syntax options:
    - time ranges in the shorthand format (7d or 24h, etc.)
    - timestamps
    - fallback parsing for other formats (2019-01-01, "fortnight ago", etc.)
    - date ranges using lists ([14d, 7d])

# Bugs fixed

- A long-standing bug has been fixed when adding tags or galaxies whilst using Firefox.
- [permissions] Fixed the default sync/user/publisher permissions to include perm_tagger and perm_tag_editor (sync only).
- And many other [fixes](https://www.misp-project.org/Changelog.txt).

# MISP galaxy, object templates and warning-lists updated

[MISP galaxy](https://www.misp-project.org/galaxy.html), [MISP object templates](https://www.misp-project.org/objects.html) and [MISP warning-lists](https://github.com/MISP/misp-warninglists/) have been updated to the latest version. New [default feeds](https://www.misp-project.org/feeds/) were added in MISP. Don't hesitate to contact us if you have any idea for new feeds.

We would like to thank all the contributors, reporters and users who have helped us in the past months to improve MISP and information sharing at large.

As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

# Warning: Next release 2.4.110

The next version of MISP will include major changes to the data model by introducing new functionalities that support forensic capabilities, with a special focus on improving the time representation of MISP attributes and objects. The next release will update various tables in the database as usual, but the automatic update might take longer than usual (on larger instances between 30 and 45 minutes) depending on the number of attributes stored in the instance. During the update procedure, MISP will be unavailable until the update is complete. We will notify our users in advance so they can prepare their upgrade plan for the next release, 2.4.110.
MISP v2.4.110 (2019-07-08T21:11:25+00:00)

![](https://www.misp-project.org/assets/images/misp/blog/modules-expand.gif)

# MISP 2.4.110 released

A new version of MISP ([2.4.110](https://github.com/MISP/MISP/tree/v2.4.110)) has been released with a host of new features, improvements, many bugs fixed and one security fix. Even under the searing summer sun, the MISP project team is hard at work, whilst enjoying some cocktails (with or without booze).

# New main features

## MISP modules extended to support the full MISP standard format

[misp-modules](https://github.com/MISP/misp-modules) now support MISP objects and relationships. The revamped system is still compatible with the old modules, whilst the new modules bolster up the complete MISP standard format. New modules such as [url-haus](https://github.com/MISP/misp-modules/blob/52dadd2df32b19241fdd978e50b717f1967e264b/misp_modules/modules/expansion/urlhaus.py), [joe sandbox query](https://github.com/MISP/misp-modules/blob/be61613da4f5dc8f082a7c1a9e1ec07fdb872560/misp_modules/modules/expansion/joesandbox_query.py) and many others support the new MISP standard format. This new feature allows module developers to create more advanced modules, generating MISP objects and associated relationships from any type of expansion, import or export module in one click.

![](https://www.misp-project.org//assets/images/misp/blog/misp-modules-new.png)

![](https://www.misp-project.org//assets/images/misp/blog/misp-modules-2.png)

## Local tags introduced

![](https://www.misp-project.org//assets/images/misp/blog/local-tags.png)

The long-awaited "local tags" feature is now finally available. You can create tags locally if you are a member of the given MISP instance's host organisation, enabling "in-place" tagging for synchronisation and export filtering.
MISP events are not modified while using local tags, and local tags are in turn always stripped before being synchronised with other MISP instances and sharing communities. Local tags allow users to avoid violating the ownership model of MISP while still being able to tag any event or attribute for further dissemination and data contextualisation. Local tagging works for tags, tag collections, galaxies and matrix-like galaxies such as ATT&CK.

## New Norwegian translation

Thanks to the contribution from [Kortho](https://github.com/Kortho), the MISP user interface now includes a Norwegian translation, in addition to the previously contributed Japanese and French translations, along with multiple work-in-progress translation efforts getting closer to full coverage, such as Russian, German and Chinese. If you wish to contribute, feel free to join the [crowdin page for MISP](https://crowdin.com/project/misp). It's simple and efficient; translations can easily be done via the web interface.

# Various updates and improvements

- [Following SANS course feedback](https://twitter.com/speshulted/status/1141711388617904128), physics can be enabled/disabled on demand.
- [UI] A filter has been added in the template object index.
- [API] On-demand inclusion of attribute relations via the event view endpoint. Thanks to Siemens for the ideas and feedback.
- [security] Made certain settings modifiable via the CLI only. Some settings are too risky to be exposed, even to site admins, so they were made CLI-accessible only.
- [API] New option excludeLocalTags for events/restSearch.
- [UI] Many improvements in the event view regarding related events. In case of multiple correlations, the related events are now in a scrollable box.
- [Doc] Installation guides and scripts were improved.
- [Bug] Fix an old hard-coded path for the temp directory.
- [API] Simple worker management added.

# Security fix (CVE-2019-12868)

[CVE-2019-12868](https://cve.circl.lu/cve/CVE-2019-12868) has been fixed in MISP 2.4.110.
MISP 2.4.109 allowed remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialisation. This vulnerability can only be triggered by the site admin. Thanks to Dawid Czarnecki for reporting it.

# STIX improvements

- Parsing observable compositions from external STIX files.
- Fixed issues with 'parse' being called on bundles containing custom objects.
- Fixed user account pattern and user account observable extension in STIX 2.0 export.
- Fixed socket extension parsing.
- Fixed registry-key keys and values parsing for patterns.

[MISP galaxy](https://www.misp-project.org/galaxy.html), [MISP object templates](https://www.misp-project.org/objects.html) and [MISP warning-lists](https://github.com/MISP/misp-warninglists/) have been updated to the latest version.

We would like to thank all the contributors, reporters and users who have helped us in the past months to improve MISP and information sharing at large.

As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.111 (published 2019-07-20T13:41:21+00:00)

# MISP 2.4.111 released

A new version of MISP ([2.4.111](https://github.com/MISP/MISP/tree/v2.4.111)) has been released with an improved proposal sync, minor improvements and bugs fixed.

## Proposal synchronisation rework

The proposal synchronisation has undergone a long overdue rewrite and as a result it has been significantly improved compared to the original implementation, which was released several years ago. We strongly invite all users of MISP to upgrade to the latest version to restore the fetching of proposals via the synchronisation. The proposal index has been reworked and proposal pull is now limited to the last 14 days (to avoid trying to pull ancient proposals at each sync).
## New attribute type community-id added

At the MISP project, we are big supporters of new open standards, which can help communities in an effort to reference forensic evidence, especially network forensic evidence. It has always been difficult to track down common network flows as many tools and products rely on different methods to build network flow ids. [Christian Kreibich](https://github.com/ckreibich) from Corelight decided to take a bash at resolving this issue and has been working on creating the [Community ID Flow Hashing](https://github.com/corelight/community-id-spec) format. As the community-id is open to open source implementations which can be reused, various open source projects already support it, such as Zeek (Bro), Suricata, Moloch, HELK, Elastic and now also MISP, as of version 2.4.111.

In 2.4.111, a new attribute type has thus been added, along with the following object templates already including the new attribute field:

- [Netflow](https://www.misp-project.org/objects.html#_netflow)
- [Network connection](https://www.misp-project.org/objects.html#_network_connection)

This feature makes it easy to correlate network forensic flows from different tools or network equipment.

## Improvements and bugs fixed

- [misp-modules enrichment] Fixed index in attribute.
- [API] Deletes broken due to invalid boolean.
- [API] DELETE http method/requests properly accepted by some /delete endpoints.
- [sync] Fixed a bug breaking the synchronisation between MISP instances.
- [stix2] Import of User Account objects is now supported.
- Issues #4864, #4861, #4847 fixed

[MISP galaxy](https://www.misp-project.org/galaxy.html), [MISP object templates](https://www.misp-project.org/objects.html) and [MISP warning-lists](https://github.com/MISP/misp-warninglists/) have been updated to the latest version.

We would like to thank all the contributors, reporters and users who have helped us in the past months to improve MISP and information sharing at large.
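To make the "New attribute type community-id added" section above concrete, here is an added example (not code from the MISP project or from the community-id-spec repository) that computes a Community ID v1 flow hash in Python and uses it to match records that two different sensors logged for the same TCP session, one from each direction. The layout follows the published spec as I read it (seed, source and destination address, protocol number, a zero pad byte, then the port pair for TCP/UDP/SCTP, hashed with SHA-1 and base64-encoded behind a "1:" version prefix); the sensor records and helper names are constructed for the example, and ICMP type/code mapping is left out.

```python
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers whose flow tuple carries a port pair.
PORT_PROTOCOLS = {6: "tcp", 17: "udp", 132: "sctp"}
# Protocol names as sensors usually print them (constructed lookup for this example).
PROTO_BY_NAME = {"tcp": 6, "udp": 17, "sctp": 132, "gre": 47}


def community_id(saddr, daddr, proto, sport=None, dport=None, seed=0):
    """Community ID v1 for a flow tuple.

    Hash input (big-endian): seed(2) | saddr | daddr | proto(1) | pad(1),
    followed by sport(2) | dport(2) for TCP/UDP/SCTP. The two endpoints are
    put in canonical order first so that A->B and B->A hash identically.
    """
    sb = ipaddress.ip_address(saddr).packed
    db = ipaddress.ip_address(daddr).packed
    if proto in PORT_PROTOCOLS:
        if sport is None or dport is None:
            raise ValueError("TCP/UDP/SCTP flows need both ports")
        sp = struct.pack("!H", sport)
        dp = struct.pack("!H", dport)
        # The lower (address, port) pair goes first, compared as packed bytes.
        if not (sb < db or (sb == db and sp < dp)):
            sb, db, sp, dp = db, sb, dp, sp
        data = struct.pack("!H", seed) + sb + db + struct.pack("!BB", proto, 0) + sp + dp
    else:
        # Port-less protocol (e.g. GRE): order by address only, no port bytes.
        if db < sb:
            sb, db = db, sb
        data = struct.pack("!H", seed) + sb + db + struct.pack("!BB", proto, 0)
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


# Constructed records: the same TCP session as seen by a sensor on the client
# side and by a sensor on the server side (addresses are documentation ranges).
SENSOR_A = {"src": "10.1.2.3", "dst": "203.0.113.10", "proto": "tcp", "sport": 50321, "dport": 443}
SENSOR_B = {"src": "203.0.113.10", "dst": "10.1.2.3", "proto": "tcp", "sport": 443, "dport": 50321}


def record_id(rec, seed=0):
    """Community ID for a sensor record keyed by protocol name."""
    return community_id(rec["src"], rec["dst"], PROTO_BY_NAME[rec["proto"]],
                        rec.get("sport"), rec.get("dport"), seed)


def same_flow(rec_a, rec_b, seed=0):
    """True when two records from different tools describe the same flow."""
    return record_id(rec_a, seed) == record_id(rec_b, seed)


if __name__ == "__main__":
    print(record_id(SENSOR_A), same_flow(SENSOR_A, SENSOR_B))
```

Because every tool that implements the spec (Zeek, Suricata and so on) derives the same string from the same tuple, the value returned by `record_id` is what you would store in the new MISP attribute type and then correlate on across sources; if your sensors are configured with a non-zero seed, the same seed must be passed here.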
As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.112 (published 2019-08-02T21:31:12+00:00)

# MISP 2.4.112 released

![](https://www.misp-project.org/assets/images/misp/blog/vuln.png)

A new version of MISP ([2.4.112](https://github.com/MISP/MISP/tree/v2.4.112)) has been released with a host of API fixes, improvements and a security fix.

## Improvements

- [sync] Event index cleaned up, total count of listed events added as X-Result-Count header
- [sync] Previewing a remote instance now passes pagination rules in the request instead of fetching the full data-set and paginating in memory. This also includes a fix to issues with empty preview pages. Massive performance boost when previewing a remote instance. This requires the remote side to be the same version or newer.
- [API] New parameters added to attributes/restSearch to include additional context, fixes #4935, fixes #4940, affects MISP/PyMISP#415.
  - includeSightings: include sightings for all attributes returned
  - includeCorrelations: include the correlations to other attributes (includes a light-weight event object with each attribute)
- [cli] Added cleanCaches command.
- [API] Disable background processing on-demand via URL parameters.
- [API] Disable DB logging completely, fixes #4921.
- [API] IncludeContext now includes the additional event fields in the attributes/restSearch results (in JSON format).
- [data model] New attribute type weakness (CWE) added
- [alerting] Block the alerting of events based on the date field as an alternative to the timestamp, fixes #4937.
- [warning-list] Speedup improvement in the CIDR lookup.
- [UI] Added a quick button to the event attribute toolbar for showing related tags.
- [restClient] Do not override query body if url hasn't changed.
- [feed-metadata] Panels Tracker feed added.
- [eventGraph:search] Usage of chosen instead of bootstrap with non-stripped label.

## Bugs fixed

Many bugs fixed based on the extensive PyMISP test cases in addition to manual reviews. All fixes are documented in the [changelog](https://www.misp-project.org/Changelog.txt).

## CVE-2019-14286 fixed

[CVE-2019-14286](https://cve.circl.lu/cve/CVE-2019-14286) has been fixed. In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event graph view. A malicious MISP event must be crafted in order to trigger the vulnerability. This vulnerability has been fixed in MISP 2.4.112. We strongly encourage everyone to update as soon as possible. Thanks to David Heise who reported the vulnerability.

## misp-modules

[misp-modules](https://misp.github.io/misp-modules/) have been improved with new modules, especially a new advanced CVE module which includes the ability to import CVEs along with their associated weaknesses and attack techniques (as you can see in the screenshot). The documentation has also been improved (thanks to all the contributors who helped us on the documentation).

[MISP galaxies](https://www.misp-project.org/galaxy.html), [MISP object templates](https://www.misp-project.org/objects.html) and [MISP warning-lists](https://github.com/MISP/misp-warninglists/) have been updated to the latest version. MISP galaxy has been updated to include the July edition of the MITRE ATT&CK model.

We would like to thank all the [contributors](https://www.misp-project.org//contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.

As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.
MISP v2.4.113 (published 2019-08-20T10:09:27+00:00)

# MISP 2.4.113 released

A new version of MISP ([2.4.113](https://github.com/MISP/MISP/tree/v2.4.113)) with tons of fixes and small improvements. We strongly recommend updating to this version.

![](https://www.misp-project.org/assets/images/misp/blog/matrix.jpg)

## API and sync

- [API] Get individual server settings via /servers/getSetting/[setting_name], fixes #4964.
- [API] Allow posting freetext data for ingestion via the event UUID instead of ID, fixes #4995.
- [internal / API] New component added to handle repeatable code across all controllers (toolbox controller)
  - added UUID -> ID lookup function and integrated it across several functions
  - fixes #4990
  - fixes #4999
  - fixes #4993
  - fixes #4991
  - fixes #4989
  - fixes #4987
- [sync] Added a protection from receiving empty published events from other instances.
  - a temporary solution to some older, bugged instances emitting them
- [sync] Sync object builder tool fixed.
  - was picking the wrong org as the owner of the remote side
- [sync] Fixed an invalid massaging of object attributes before a sync.
  - on a push, object attributes were not correctly filtered out based on distribution settings
- [API] Attribute add rework. Handle attribute creation in a unified manner via captureAttributes
- Show sharing groups' uuids.
- Delete an object by its uuid, similar syntax to attribute deletion.
- [stix test] Updated STIX1 test files with the updated MISP event files export results.
- [stix test] Updated MISP event test files with the latest objects supported.
- [logging] Truncate description lengths that would be longer than what the DB can store with the default setup.
- [stix export] Change on leveraged ttp at incident level.
  - No longer referencing ttps created out of MISP objects as leveraged ttps at incident level
  - Making sure all ttps, courses of action, threat actors and so on created from MISP galaxies are referenced at incident level
- [stix export] Handling vulnerability attributes the same way as objects.
  - Fixing at the same time some references (with vulnerability objects related to vulnerability attributes) that were lost
- [stix export] Better tags handling.
  - Avoid passing event level tags everywhere
  - Using class variable for the tlp markings
- Modules can now pre-check a checkbox from userConfig.
- [types] email-subject added as a valid type for network activity.
  - used to describe outgoing e-mail subjects for exfiltration. Perhaps consider adding a new category for exfiltration altogether.
- [API] servers/serverSettingsEdit now accepts the force parameter in a posted JSON object.
- [API] Get organisation by uuid for sightings/listSightings, fixes #4992.
- [API] MISP object delete's uuid lookup fixed.
- [API] Removed testing exception.
- [API] Swapped error messages' content from "don't" to "do not" to avoid weird sanitisation artifacts coming from the exception handler.
- [API] Error message.
- [API] Attribute edit fixed.
- [API] /galaxies/view by uuid added, fixes #4993.
- [API] sightings restSearch now accepts uuids as org_id, fixes #4992.
- [API] Delete sightings by UUID, fixes #4987.
- [API] /objects/view should accept UUID as a parameter instead of just ID, fixes #4991.
- [API] Delete organisations by UUID, fixes #4989.
- [API] Access event proposals by uuid via shadow_attributes/index/[uuid], fixes #4988.
- [API] Adding an event without the info field set should never work, fixes #4984.

## UI

- [enrichment] Handling comments at object level correctly.
  - Object level comments were displayed but not handled at the end; they are now displayed, users can modify them as comments at attribute level, and they are then handled with the saved results
- [UI] Handle settings being removed from config.php more gracefully in the UI.
- [UI] Row description added in View Warninglists.
- [UI] Improved the accessibility of the galaxy matrix view for screen readers. The table elements are now focusable, and only a short text is brailled/spoken by default.

## internal

- [session handling] Session handling fixes.
  - changed the cookie name to MISP-[MISP.uuid] to rely on a unique data-point instead of the URL. This solves issues with multiple MISPs running on the same host via port based virtualhosts sharing sessions
  - timeout issues potentially fixed when using the recommended PHP session handler. If garbage collection is configured in php.ini it could previously purge sessions that, based on the session timeout, should still be valid
- [debug] Added an on-demand sync debug to assist some debug sessions.
  - very primitive, simply concatenates events to be pushed into a file
- [internal] Default field list added for attributes.
  - let's try to standardise the things we output instead of doing it manually. It's a first step
- [warning-list] Filter CIDR warning list before eval.
- [internal] Potential fix for a race condition generating orphaned attributes, fixes #4886.
  - This fix will avoid issues where the delay is introduced by the deferred start of the execution via the background workers
  - deleting an event whilst data is being actively added will still not be interrupted
- [internal] Feed lookup by UUID removed as feeds don't actually have UUIDs, fixes #4998.

## misp-modules

[misp-modules](https://misp.github.io/misp-modules/) have been improved with new modules, especially an improved cuckoo import module (thanks to Pierre-Jean Grenier).
The documentation has also been improved (thanks to all the contributors who helped us on the documentation).

[MISP galaxies](https://www.misp-project.org/galaxy.html), [MISP object templates](https://www.misp-project.org/objects.html) and [MISP warning-lists](https://github.com/MISP/misp-warninglists/) have been updated to the latest version. MISP galaxy now includes a target-location galaxy to improve classification.

We would like to thank all the [contributors](/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.

As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.114 (published 2019-08-31T14:27:58+00:00)

A new version of MISP ([2.4.114](https://github.com/MISP/MISP/tree/v2.4.114)) with some new features supporting collaboration and a list of fixes and small improvements. We strongly recommend updating to this version.

![](https://www.misp-project.org/assets/images/misp/blog/community-view.png)

## Letting the world know about your community

One of the most common questions we get from users is whether we can point them to a community that would fit their profile and needs. This is something that often leaves us stumped. Being an open source project, we only really know the part of our user-base that we directly interact with, and even then, the question of whether we should point users in their direction in the first place is often a puzzling one. We've decided to make everyone's life just a tad bit easier. By incorporating an in-application registry of known communities, we not only allow organisations that run an ISAC or other sharing community to let potential new community members know that they exist in the first place, but we also allow anyone with a MISP installation to conveniently send requests to communities for access.
Simply go to sync actions -> communities, browse the communities vetted or at least known by the MISP project and pick the ones that you consider yourself a good fit for. The system allows you to describe who you are and why you feel that you'd be an asset to the given community and send a request directly to the administrators of the instance. The list of communities for now is rather brief; if you would like your community to be listed, get in touch with us at the MISP project, or create a pull request describing your community.

## Keeping an eye on incoming delegation requests

As with all new features in MISP, we often struggle with anticipating the interest a new system would generate, often under-estimating the volume of data that it would generate. When we first implemented the delegation system, we expected it to be more of an edge-case scenario. We were obviously wrong: several communities out there rely quite heavily on being able to pseudo-anonymously publish data. This is especially the case in ISAC/ISAO driven communities, where a central trusted authority ensures both the quality of the data produced as well as protecting the identity of those that wish to remain unknown when disclosing information that could be considered a successful intrusion. We have now added an interface that allows users to search both received and issued delegation requests in a more convenient manner.

## Quality of life improvements for administrators

Added a new diagnostic tool that allows administrators to keep track of the database table sizes in MISP along with the potentially recoverable space by optimising the table.

## Taxonomies improved with the addition of an Industrial control systems and operational technology (ICS/OT) Taxonomy

Industrial control systems and operational technologies (ICS/OT) are often the target of threats, intrusions and attacks.
The [FIRST.org Cyber Threat Intelligence SIG](https://www.first.org/global/sigs/cti/) did tremendous work documenting these in a series of taxonomies. To support and actively test the use of the ICS/OT taxonomy, the [ics taxonomy](https://www.misp-project.org/taxonomies.html#_ics) is now part of the default MISP taxonomy library. We also encourage any ICS/OT operators to contribute back to the [ics taxonomy JSON file](https://github.com/MISP/misp-taxonomies/blob/master/ics/machinetag.json) in order to improve the taxonomy based on their experiences. Being a taxonomy in MISP, it allows all ICS/OT users to directly tag and contextualise information shared within MISP instances and communities to describe their domain specific incidents and reports along with the related industrial threat intelligence.

## Fixes and improvements

- [contact reporter] Various fixes ensuring that the right users can be contacted
- [API] A long list of fixes ensuring consistency and proper responses for the less used endpoints, based on [@rafiot](https://github.com/rafiot/)'s exhaustive test suite
- [API] Fixed output of the attribute histogram. No more STIX-ish barf inducing numeric string keys for dictionaries
- [Feeds and warninglists] A long list of fixes tuning the performance of said subsystems
- [PostgreSQL] A list of fixes, making MISP work on psql
- [Import modules] Ensuring that the new, object supporting import modules can be called via the API
- [other] Various other fixes touching a long range of features, such as UI issues, object merge problems, invalid links and many more

We would like to thank all the [contributors](/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.
Special shout-outs to Jakub Onderka ([@JakubOnderka](https://github.com/JakubOnderka)) for the tireless work around tuning the warninglist systems and fixes all around, to Pierre-Jean Grenier ([@zaphodef](https://github.com/zaphodef)) for the massive list of fixes ensuring that our APIs behave more sanely and to Beckhalo Evgeny ([@4ekin](https://github.com/4ekin)) for taming the beast that is PostgreSQL support.

We would also like to make a special dedication to the funding support of [CIRCL](https://twitter.com/circl_lu) and [INEA](https://twitter.com/inea_eu) under the CEF Telecom [2016-LU-IA-0098 grant](https://ec.europa.eu/inea/sites/inea/files/cef_telecom_supported_actions_november_2018.pdf).

As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.115 (published 2019-09-10T14:56:04+00:00)

# MISP 2.4.115 released

A new version of MISP ([2.4.115](https://github.com/MISP/MISP/tree/v2.4.115)) with a major security fix (CVE-2019-16202) and various small improvements has been released. We strongly recommend all MISP users update to this version.

## Fixed major performance blocker in sync

- fix based on the insights of @RichieB2B, the hero we need, not the one we deserve
- added orgc_uuid to the minimal event index
- added handlers for it on the pull side
- when pulling from old instances the new functionality is skipped, resulting in the behaviour we had pre-patch
- instances on both sides of the sync are encouraged to update, especially if the slow pulls are causing issues

## API and export

- [export] Add a proper filename to the event restSearch API's output to make downloading events a bit more convenient, fixes #4905.
- [stix2 import] Dealing with the case of a named pipe attribute being imported from a custom object.
- [stix2 export] Avoid failures with named pipe export as custom object.
## Many fixes and error handling improvements

Thanks to Jakub Onderka for the tireless review of the code and all the fixes. For a complete overview, check the [complete changelog](https://www.misp-project.org/Changelog.txt).

## CVE-2019-16202 - Vulnerability in MISP version <= 2.4.114

### Conditions to be vulnerable

Any MISP instance version 2.4.114 or below with sync users or organisation administrators allowing incoming synchronisation connections is affected.

### Details

By requesting the /servers/index endpoint via the API, authenticated sync and org admin users have access to all synchronisation servers configured, including the API keys used. The vulnerability was caused by a combination of 3 separate issues:

- The decision to allow sync users and org admins to have access to the server index was flawed; the idea was that they could assist with finding misconfigurations towards their home instance
- The API and the UI code paths handled the query that fetched the server list differently, with the restriction for org admins / sync users missing on the API side
- The API keys were included in the output via the API, not taking into account that users besides site admins could have access to the functionality

This allows these users to pivot to the remote instances and authenticate using the acquired sync user keys.

### Mitigation

If patching immediately is not an option, whitelisting the IPs of incoming sync accounts to their respective MISP instance IPs avoids any abuse with the obtained keys, though for large sharing communities this mitigation is not recommended.

### Fix

Upgrade to a version of MISP that has tightened the access control for the vulnerable endpoint (>= 2.4.115). This remedies any future attempts to abuse the vulnerability. The 2.4.115 release version also introduces tools that ease the purging of the potentially exposed keys, along with logging attempts to access the vulnerable functionality.
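The three root causes listed under "Details" are a general pattern worth seeing side by side: two code paths (UI and API) making their own authorisation decision, and a serialiser that emits secrets regardless of who is asking. The following is an added illustration in Python, not MISP's PHP code, of that pre-fix shape next to a post-fix shape with one shared access decision, secret fields stripped by default at serialisation, and denied attempts logged so exposure can be investigated. The server records, the `authkey` placeholder values, the role names and the exact UI-side restriction (limiting non-site-admins to servers pointing at their own organisation) are my constructions for the example; the advisory says only that such a restriction existed on the UI side.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("servers_index")

SITE_ADMIN, ORG_ADMIN, SYNC_USER, USER = "site_admin", "org_admin", "sync_user", "user"
# Fields that must never leave the model unless explicitly requested.
SECRET_FIELDS = {"authkey"}


@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    role: str


# Constructed sync-server records; authkey values are placeholders, not real keys.
SERVERS = [
    {"id": 1, "name": "upstream-community", "url": "https://misp-a.example",
     "remote_org_id": 2, "authkey": "PLACEHOLDER-KEY-A"},
    {"id": 2, "name": "partner-instance", "url": "https://misp-b.example",
     "remote_org_id": 3, "authkey": "PLACEHOLDER-KEY-B"},
]


def servers_index_pre_fix(user, via_api):
    """Pre-fix shape: the UI path and the API path diverge.

    The UI path restricts org admins / sync users and drops the key (the
    restriction itself is an assumption for this example); the API path
    applies neither restriction nor redaction.
    """
    if user.role not in (SITE_ADMIN, ORG_ADMIN, SYNC_USER):
        raise PermissionError("no access to the server index")
    if via_api:
        # BUG: no per-role restriction and secrets serialised as stored.
        return [dict(s) for s in SERVERS]
    rows = SERVERS if user.role == SITE_ADMIN else [
        s for s in SERVERS if s["remote_org_id"] == user.org_id]
    return [{k: v for k, v in s.items() if k not in SECRET_FIELDS} for s in rows]


def serialise(server, include_secrets=False):
    """Single serialiser: secrets are stripped unless explicitly requested."""
    return {k: v for k, v in server.items() if include_secrets or k not in SECRET_FIELDS}


def servers_index_fixed(user, via_api):
    """Post-fix shape: one authorisation decision for UI and API alike,
    denied attempts logged with the caller and the channel used."""
    if user.role != SITE_ADMIN:
        log.warning("denied /servers/index: user=%s role=%s via_api=%s",
                    user.id, user.role, via_api)
        raise PermissionError("site admin only")
    return [serialise(s, include_secrets=True) for s in SERVERS]


def leaks_secret(rows):
    """True if any returned row still carries a secret field."""
    return any(SECRET_FIELDS & set(row) for row in rows)


def access_allowed(index_fn, user, via_api):
    """Helper for checks: does this index function let the user through?"""
    try:
        index_fn(user, via_api)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    org_admin = User(id=7, org_id=2, role=ORG_ADMIN)
    print("pre-fix API leaks key:", leaks_secret(servers_index_pre_fix(org_admin, True)))
    print("fixed API allows org admin:", access_allowed(servers_index_fixed, org_admin, True))
```

The point the advisory makes with its "issues 2 or 3" remark holds here too: once the access decision is made in one place for both channels, the redaction in `serialise` becomes defence in depth rather than the only line between a sync user and a remote instance's key.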
The fix itself removes the access of all users besides the site admin to the /servers/index end-point and thus removes the necessity to deal with issues 2 or 3 identified in the details. Site administrators are encouraged to reset all org admin / sync user API keys via the new reset functionality found at the top of the /admin/users/index page, by POSTing an empty request to /users/resetAllSyncAuthKeys as a site administrator, or by executing the reset via the CLI command:

`/var/www/MISP/app/Console/cake resetSyncAuthkeys [sync_user_id]`

Administrators are also encouraged to remotely reset their API keys on instances where the above is not executed by the administrators, by navigating to /servers/index on their own instance and issuing a remote reset for their API keys. This will conveniently issue a reset on the remote instance and store the new key in the sync connection.

### Credits

Guenaëlle De Julis and Céline Massompierre from CERT-XLM of Excellium Services.

### Timeline

- 2019-09-06 16:25:47: Vulnerability report received from CERT-XLM
- 2019-09-06 20:25:02 [TLP:amber]: MISP Project confirmed the vulnerability to CERT-XLM along with notifying them of an internal fix being ready for co-ordinated publication, scheduled for 2019-09-09 13:00
- 2019-09-09 13:07:00 [TLP:green]: Co-ordinated limited release, patch released and tagged on GitHub and all known MISP community users notified and encouraged to notify their constituents
- 2019-09-10 [TLP:white]: CVE ID assignment, publication of tagged version, publishing of this advisory, release of blog post describing the vulnerability

# Acknowledgement

We would like to reiterate the importance of continuous security testing and the reporting of findings. Without the diligent work of security professionals in our community, we would have an infinitely harder time squashing potential vulnerabilities. Thanks again to everyone that has helped us make MISP more secure.
If you have found a vulnerability in MISP and would like to get in touch with us, please read our [vulnerability disclosure notice](https://www.misp-project.org/security/).

We would like to thank all the [contributors](/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.

As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.116 (published 2019-09-17T11:20:03+00:00)

# MISP 2.4.116 released

![](https://www.misp-project.org/assets/images/misp/blog/decay.png)

A new version of MISP ([2.4.116](https://github.com/MISP/MISP/tree/v2.4.116)) has been released, including a long awaited major new feature that deals with decaying indicators, in addition to a new ATT&CK sightings export and a new sync priority capability.

## Major new feature - decaying indicators

After several years of gathering requirements, doing [research](https://arxiv.org/abs/1803.11052) and various implementation attempts, MISP 2.4.116 finally includes [a new extensive feature for Decaying Indicators](https://www.misp-project.org/2019/09/12/Decaying-Of-Indicators.html) using an advanced model to expire indicators based on custom and shareable models. The feature allows MISP users to have a simple yet customisable system to automatically (or in some cases semi-manually) mark an Indicator Of Compromise (or more generally, an Attribute) as expired. The expiration system allows for the overlaying of computed scores on all attributes in real-time, based on the configured mappings via a decay model. The feature has been designed not to change the attributes per se, but rather to extend the meta information available about the attributes.
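As an added example of what "overlaying computed scores on attributes via a decay model" means in practice (this is my own illustration in Python, not MISP's implementation), the block below scores attributes with the polynomial decay function that the linked blog post and research paper describe, `score(t) = base_score * (1 - (t / tau) ** (1 / delta))`, where `t` is the time elapsed since the attribute was last seen, `tau` its lifetime in days and `delta` the decay speed. Two assumptions are mine and labelled in the code: the elapsed time is counted from the most recent sighting (falling back to the attribute's own timestamp), and an attribute counts as expired once its score is at or below the model's threshold. The model parameters and the attributes are constructed for the example; the attributes themselves are left untouched and only annotated, mirroring the design described above.

```python
from datetime import datetime


def decay_score(base_score, elapsed_days, lifetime_days, decay_speed):
    """Polynomial decay: base_score * (1 - (t/tau) ** (1/delta)), clamped to [0, base_score].

    decay_speed (delta) of 1 gives a straight line from base_score to 0 over the
    lifetime; below 1 the score holds up longer, above 1 it drops quickly at first.
    """
    if elapsed_days <= 0:
        return float(base_score)
    if elapsed_days >= lifetime_days:
        return 0.0
    return base_score * (1.0 - (elapsed_days / lifetime_days) ** (1.0 / decay_speed))


class DecayModel:
    """A shareable model: lifetime, decay speed and expiry threshold (values constructed)."""

    def __init__(self, name, lifetime_days, decay_speed, threshold, base_score=100):
        self.name = name
        self.lifetime_days = lifetime_days
        self.decay_speed = decay_speed
        self.threshold = threshold
        self.base_score = base_score

    def elapsed_days(self, attribute, now):
        # Assumption: the clock restarts at the most recent sighting; an attribute
        # that was never sighted decays from its own timestamp.
        seen = [datetime.fromisoformat(attribute["timestamp"])]
        seen += [datetime.fromisoformat(s) for s in attribute.get("sightings", [])]
        return (now - max(seen)).total_seconds() / 86400.0

    def score(self, attribute, now):
        return decay_score(self.base_score, self.elapsed_days(attribute, now),
                           self.lifetime_days, self.decay_speed)

    def is_expired(self, attribute, now):
        # Assumption: at or below the threshold counts as expired.
        return self.score(attribute, now) <= self.threshold


# Constructed attributes: one IP refreshed by a sighting, one domain never sighted.
ATTRIBUTES = [
    {"uuid": "example-attr-1", "type": "ip-dst", "value": "203.0.113.7",
     "timestamp": "2019-09-01T00:00:00+00:00",
     "sightings": ["2019-09-10T00:00:00+00:00"]},
    {"uuid": "example-attr-2", "type": "domain", "value": "example.invalid",
     "timestamp": "2019-09-01T00:00:00+00:00"},
]


def evaluate(model, attributes, now_iso):
    """Overlay score and expiry on copies of the attributes without altering them."""
    now = datetime.fromisoformat(now_iso)
    out = []
    for attr in attributes:
        annotated = dict(attr)
        annotated["decay"] = {
            "model": model.name,
            "score": round(model.score(attr, now), 2),
            "expired": model.is_expired(attr, now),
        }
        out.append(annotated)
    return out


if __name__ == "__main__":
    model = DecayModel("linear-30d", lifetime_days=30, decay_speed=1, threshold=30)
    for row in evaluate(model, ATTRIBUTES, "2019-09-25T00:00:00+00:00"):
        print(row["value"], row["decay"])
```

Run against the constructed data at 2019-09-25, the sighted IP (15 days since its sighting) scores 50 and stays live, while the never-sighted domain (24 days old) scores 20 and is flagged expired; querying the same data a few days later moves the IP past the threshold as well, which is the behaviour a restSearch filter on a decay model would expose.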
As with everything in MISP, this new feature is accessible via both the user-interface and the API, in order to allow for the filtering of attributes based on a decay model.

<img src="/assets/images/misp/blog/decaying/dm-event.png" alt="Decay Model index" width="700"/>

The feature is exhaustive and we highly recommend reading the [blog post and watching the video showing all aspects of the new feature](https://www.misp-project.org/2019/09/12/Decaying-Of-Indicators.html) or [the slides from the MISP training](https://www.misp-project.org/misp-training/a.5-decaying-indicators.pdf). As usual, MISP comes with a set of default decay models which can be extended locally or contributed back to the community at large.

## ATT&CK sighting

More and more users and communities are using the ATT&CK framework to contextualise information shared within MISP. The fine team of [ATT&CK recently created a format to share the sightings](https://attack.mitre.org/resources/sightings/) associated with the techniques. MISP 2.4.116 now has a new output format available which allows users to export the sightings in the MITRE ATT&CK sightings format and share it back with the community or with MITRE directly. This allows the sharing of insights about the various techniques and their frequency of usage.

## New sync priority

When having a lot of MISP servers to sync with, you might want to prioritise the sync for specific communities or MISP instances. In 2.4.116, we introduced the ability to order the priority of the sync between MISP instances.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.

As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.
MISP v2.4.117 (published 2019-10-12T15:39:56+00:00)

# MISP 2.4.117 released

A new version of MISP ([2.4.117](https://github.com/MISP/MISP/tree/v2.4.117)) has been released including major performance improvements in MISP and PyMISP, publish filter emails, throttling of restSearch (very useful when you want to limit some users using the API of your MISP instance) and many more improvements.

![](https://2019.hack.lu/images/misp-long.png)

If you haven't registered for [MISP summit 0x5](https://2019.hack.lu/misp-summit/) or one of our [MISP trainings](https://www.misp-project.org/events/), don't hesitate to join us!

## New feature: publish filters

As part of the cyber-exchange programme, one of the participants, Armins Palms, gave us a great idea for an improvement that has been long overdue. Users now have the possibility to create filter rules for the publish alert e-mails. One of the biggest hurdles for efficiently using MISP's alert system was that it could become quite verbose: if you are only interested in certain topics then receiving an alert about anything that gets published can easily cause alert-fatigue. Using the new system you can accurately configure MISP's behaviour when it comes to alerting you based on your own preferences. The system allows alert messages to be restricted by tags and publishing organisation using a nested boolean tree of settings, allowing for complex rule systems.

## New feature: user settings

One of the hurdles that has stopped us from implementing the above feature was the lack of a per-user setting system. All configuration options in MISP have been based on system-wide, organisation-wide or role-based configurations. With the new user setting system, we have a simple but flexible tool to start adding more and more user level configurations.

## IPsum feeds

Another outcome of the cyber-exchange programme: thanks to @stamparm we now have the different level IPsum feeds pre-configured in the default feed list.
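To show what a "nested boolean tree of settings" restricting alerts by tag and publishing organisation looks like when evaluated, here is an added example in Python. It is my own illustration and uses a rule format I constructed for it (leaves `{"tag": ...}` and `{"org": ...}`, branches `and`, `or`, `not`), not MISP's stored user-setting schema; the sample events, organisation names and tags are constructed too. Tag leaves support a trailing `*` wildcard so a whole namespace can be matched, and an empty rule keeps the pre-2.4.117 behaviour of alerting on every publish.

```python
import fnmatch

# Constructed rule format, not MISP's own: a user wants alerts for events
# published by their own sharing community's org or tagged tlp:white/green,
# except while the event is still marked as an incomplete workflow.
RULE = {
    "and": [
        {"or": [{"org": "CIRCL"}, {"tag": "tlp:white"}, {"tag": "tlp:green"}]},
        {"not": {"tag": 'workflow:state="incomplete"'}},
    ]
}

# Constructed published events with the fields the rule tree looks at.
EVENTS = [
    {"id": 1, "info": "phishing wave", "orgc": "CIRCL", "tags": ["tlp:amber"]},
    {"id": 2, "info": "draft report", "orgc": "PartnerOrg",
     "tags": ["tlp:green", 'workflow:state="incomplete"']},
    {"id": 3, "info": "restricted advisory", "orgc": "PartnerOrg", "tags": ["tlp:red"]},
    {"id": 4, "info": "public IOC set", "orgc": "PartnerOrg",
     "tags": ["tlp:white", 'misp-galaxy:mitre-attack-pattern="Phishing - T1566"']},
]


def _leaf(rule, event):
    """Evaluate a single condition; matching is case-insensitive."""
    if "tag" in rule:
        pattern = rule["tag"].lower()
        return any(fnmatch.fnmatchcase(t.lower(), pattern) for t in event.get("tags", []))
    if "org" in rule:
        return event.get("orgc", "").lower() == rule["org"].lower()
    raise ValueError("unknown rule leaf: %r" % (rule,))


def matches(rule, event):
    """Recursively evaluate the boolean tree against one event."""
    if "and" in rule:
        return all(matches(child, event) for child in rule["and"])
    if "or" in rule:
        return any(matches(child, event) for child in rule["or"])
    if "not" in rule:
        return not matches(rule["not"], event)
    return _leaf(rule, event)


def should_alert(user_rule, event):
    """No rule configured means the old behaviour: every publish alerts."""
    if not user_rule:
        return True
    return matches(user_rule, event)


def alert_ids(user_rule, events):
    """Event ids for which the user would receive a publish alert e-mail."""
    return [e["id"] for e in events if should_alert(user_rule, e)]


if __name__ == "__main__":
    print("alerts with rule:", alert_ids(RULE, EVENTS))
    print("alerts without rule:", alert_ids(None, EVENTS))
```

With the constructed rule, events 1 and 4 produce an alert; event 2 is suppressed by the `not` branch although it carries tlp:green, and event 3 matches neither the organisation nor an allowed TLP tag. A rule such as `{"tag": "misp-galaxy:mitre-attack-pattern=*"}` would instead alert only on events carrying any ATT&CK technique.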
## Performance improvements

We have identified and resolved several massive performance blockers in MISP. The issue reared its ugly head once larger, more object-heavy events started being shared, with some bringing even well provisioned servers to their knees. We have seen a rather drastic drop in CPU usage after applying the patch, resulting in our main sharing community's server dropping to about 20% of its previous CPU usage. We highly advise everyone to upgrade their MISP instances ASAP.

## PyMISP performance improvements

Similarly to the above fix, PyMISP was also suffering from performance issues with regard to massive events; these have been addressed in the latest release, which includes a performance-oriented rework of the internals. Not only are we seeing a 50% cut in execution times when interacting with large events, but more importantly, the memory usage has been slashed to as little as ~5% of the usual numbers we've seen before the patch. It is therefore highly advised for anyone using PyMISP to upgrade to this release ASAP.

## Throttling restSearch

If you are running a larger community MISP instance, one of the biggest hurdles for coping with your community's resource requirements is organisations using your heavily used MISP instance as the backend for their internal querying. Not only does this put a potentially unmaintainable level of stress on your instance when it comes to large and active communities, it also encourages bad practices with regard to information disclosure via the executed queries themselves (more information regarding this can be found in our previous blog entry regarding the [benefits of running your own MISP instance](https://misp-project.org/2019/09/25/hostev-vs-own-misp.html)). We have added a set of new options for administrators configuring user roles: it is now possible to enforce rate limits on API users. The setting controls how many heavy search-related queries users can execute within a 15 minute time-frame.
The setting is completely optional per role, and users are notified about their current quotas, reset times and remaining queries via headers returned with each request. The only endpoints affected currently are /events/restSearch and /attributes/restSearch, but we may extend this over time to other endpoints.

## Using custom CA bundles

MISP comes with CakePHP's default included CA bundle, which is based on the Mozilla CA bundle. This can get rather stale, with the currently included bundle being several years old. Thanks to the contribution of @JakubOnderka, it is now possible to override the default bundle with a custom one.

## Redis diagnostics

The diagnostics page of MISP offers a wide range of tools to diagnose misconfigurations and issues that might arise with the instance; however, one aspect that was missing an easy way to diagnose was the Redis configuration. Thanks to @JakubOnderka's new tool this can now be diagnosed directly from the UI.

## Various other improvements

Other improvements include a large list of general bug fixes, affecting UI and API users alike, an internal rework of the authentication workflow thanks to all the work of Andreas Rammhold in preparation for the merge of the LinOTP authentication module, various improvements to the STIX export, a new Netfilter export system and a host of other improvements.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. Special thanks to Jakub Onderka for the continuous stream of excellent improvements, Andreas Rammhold for making the AppController much more sane, and the participants of the cyber-exchange programme for helping us improve MISP in all sorts of different ways. As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.
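The per-role restSearch throttling announced in this release (a quota of heavy search queries per 15 minute window, optional per role, with the quota, remaining count and reset time reported to the client in headers) can be illustrated with a small fixed-window limiter. This is an added example, not MISP's own implementation: the `X-Rate-Limit-*` header names, the `analyst`/`admin` role names and the limit values are assumptions chosen for the demo; only the two endpoints and the 15 minute window come from the release note.

```python
"""Per-role fixed-window quota for heavy search endpoints.

Added example illustrating the restSearch throttling described above; this
is not MISP's own implementation. The header names (X-Rate-Limit-*) and the
"analyst"/"admin" role names are assumptions chosen for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

WINDOW_SECONDS = 15 * 60  # release note: quota counted per 15 minute time-frame

# Only these endpoints are subject to the quota (compared case-insensitively,
# since the page spells the path both as restSearch and restsearch).
HEAVY_ENDPOINTS = frozenset({"/events/restsearch", "/attributes/restsearch"})


@dataclass
class RateLimiter:
    # role name -> maximum heavy queries per window; None means "not throttled"
    role_limits: Dict[str, Optional[int]]
    # user name -> (start of current window, queries used in that window)
    _usage: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def check(self, user: str, role: str, endpoint: str, now: int) -> Tuple[bool, Dict[str, str]]:
        """Return (allowed, headers) for one request.

        Non-heavy endpoints and unthrottled roles pass through with no headers.
        Throttled requests carry the quota, remaining count and reset time, so
        an API client can back off instead of hammering the instance.
        """
        path = endpoint.split("?", 1)[0].rstrip("/").lower()
        limit = self.role_limits.get(role)
        if path not in HEAVY_ENDPOINTS or limit is None:
            return True, {}

        window_start, used = self._usage.get(user, (now, 0))
        if now - window_start >= WINDOW_SECONDS:
            # window expired: start counting afresh from this request
            window_start, used = now, 0
        reset_at = window_start + WINDOW_SECONDS

        if used >= limit:
            # quota exhausted: reject without counting, tell the client when it resets
            self._usage[user] = (window_start, used)
            return False, self._headers(limit, 0, reset_at)

        used += 1
        self._usage[user] = (window_start, used)
        return True, self._headers(limit, limit - used, reset_at)

    @staticmethod
    def _headers(limit: int, remaining: int, reset_at: int) -> Dict[str, str]:
        return {
            "X-Rate-Limit-Limit": str(limit),
            "X-Rate-Limit-Remaining": str(remaining),
            "X-Rate-Limit-Reset": str(reset_at),  # epoch seconds
        }


if __name__ == "__main__":
    # Constructed demo: an "analyst" role limited to 3 heavy queries per window
    rl = RateLimiter(role_limits={"analyst": 3, "admin": None})
    for t in range(1000, 1005):
        ok, hdr = rl.check("alice", "analyst", "/attributes/restSearch", t)
        print(t, "allowed" if ok else "throttled", hdr)
```

A rejected request is not counted against the window, and the `Reset` value lets a well-behaved integration sleep until the window rolls over rather than retrying in a loop.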
Feed entry: MISP v2.4.118, published 2019-11-10T20:34:58+00:00

# MISP 2.4.118 released

A new version of MISP ([2.4.118](https://github.com/MISP/MISP/tree/v2.4.118)) has been released, including a functionality that allows for tag exclusivity within taxonomies, support for external sighting sources via SightingDB and many fixes.

# Exclusive taxonomies

![](https://www.misp-project.org/assets/images/misp/blog/exclusive/exclusive-example-1.png)
![](https://www.misp-project.org/assets/images/misp/blog/exclusive/exclusive-example-2.png)
![](https://www.misp-project.org/assets/images/misp/blog/exclusive/exclusive-example-3.png)
![](https://www.misp-project.org/assets/images/misp/blog/exclusive/exclusive-example-4.png)

Some time ago, we introduced the "exclusive" field in the MISP taxonomy format, in order to define rules of exclusivity within a given taxonomy predicate. As of this release, the MISP user-interface shows and enforces exclusivity between tags assigned at the event and attribute levels, flagging inconsistencies.

# SightingDB support

Over the past years, the MISP Project has worked on improving the sighting capabilities of the platform in various ways, in order to provide contextualised sightings for information sharing. Most of the use-cases driving this type of sighting reporting were based on a need to encode intelligence gathered during incidents, as part of reporting or to encode the time-based aspects of intelligence. Being able to contextualise the sighting with information on the source, tie its release to the ACL rules governing the sighted data and describe the type of sighting were of a higher priority than performance. We then had discussions with users looking for a completely diverging use-case, namely that of bulk, large-scale data/traffic analysis and its correlation with the threat information databases of their MISPs.
Thanks to our friends at Devo, who have developed an open source system tackling these issues, the [SightingDB server](https://github.com/stricaud/sightingdb), we had something to integrate into MISP as an alternate sightings system handling lookups against a large-scale sighting system. Devo also opted for the standardisation of the SightingDB protocol format and we have decided to host it under the [misp-standard.org](https://www.misp-standard.org/) umbrella. The SightingDB support includes the following:

- Added configuration tool
- Added lookups from the event view
- Added includeSightingdb flag for the restSearch searches
- Added SightingDB search tool
- Added SightingDB connection test tool

# Improved meta search in restSearch

restSearch now supports searching by creator organisation and by the meta fields present in the galaxy clusters. Such requests can now be made on any meta field within a galaxy:

~~~~
/attributes/restsearch/
{
    "galaxy.cfr-suspected-victims": ["China", "Japan"],
    "galaxy.cfr-target-category": ["Government"]
}
~~~~

along with the various fields of the creator organisation object itself:

~~~~
/events/restsearch/
{
    "galaxy.synonyms": "APT29",
    "orgc.nationality": ["Hungary", "Belgium"]
}
~~~~

# Update module

The database schema model update has been improved in MISP and you can see the current inconsistencies of any past model change or the ongoing upgrade of the database model. This has been introduced because the next version of MISP will include a major improvement to the data model in order to add time references at several layers of the MISP data model. This update, coming in 2.4.119, includes an update of the attributes table which can take a significant amount of time depending on your MISP installation.
# MISP modules: many new modules with objects support

[Many new modules](http://misp.github.io/misp-modules/) were added, such as the EQL (Event Query Language) query module, the Endgame EQL export module and the OSINT.digitalside.it lookup module, along with many improvements to existing modules such as the CSV import module, the IBM X-Force expansion module and more. Don't forget to update your modules to the latest version.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. Special thanks to Jakub Onderka for the continuous stream of excellent improvements, and to Sebastien Tricaud for the joint effort on the SightingDB support, [standard](https://raw.githubusercontent.com/MISP/misp-rfc/master/sightingdb-format/raw.md.txt) and [first implementation](https://github.com/stricaud/sightingdb). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

Feed entry: MISP v2.4.119, published 2019-12-05T18:27:28+00:00

# MISP 2.4.119 released

![](https://www.misp-project.org/assets/images/misp/blog/119-1.png)

A new version of MISP ([2.4.119](https://github.com/MISP/MISP/tree/v2.4.119)) has been released, including several functionalities that should make the operation of a MISP instance more convenient.

# Vulnerability CVE-2019-19379 has been fixed

In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data. The vulnerability has been fixed in 2.4.119 and assigned [CVE-2019-19379](https://cve.circl.lu/cve/CVE-2019-19379). We strongly recommend updating to this version. Thanks to Christophe Vandeplas for reporting it.
# Database diagnostics

There is a new sub-system in the diagnostics tool that compares the current state of your MISP database to the reference DB schema, highlighting potential issues and divergences. Keep in mind that not all issues are necessarily cause for concern, but generally it is recommended to fix the issues that are deemed critical. If you have doubts about why your DB looks different from what is expected, feel free to open a GitHub issue and we'll try to point you in the right direction. On top of flagging diverging traits of your DB compared to the reference, the system also allows users to generate SQL queries that would rectify the potential issues. Please make sure that you back up your database before running the suggested queries, and keep in mind that altering existing tables with high volumes of data can temporarily double the disk space requirements of the given table along with taking a long time (especially true for large log, correlation and sighting tables).

# Improved timestamp filtering in MISP

The attribute_timestamp flag was added to attributes/restSearch. Four different timestamp filters now exist in MISP and can be used:

- timestamp: filters on attribute AND event timestamp
- event_timestamp: filters on event timestamp
- attribute_timestamp: filters on attribute timestamp
- publish_timestamp: filters on event.publish_timestamp

# API deprecation

The preparations for MISP's large refactor are well underway; this time we've added a new system that will start tracking deprecated endpoints in MISP and warning users of their state.
The new system has the following functionalities:

- an internal list of deprecated endpoints is maintained
- any query against these endpoints increments a counter in Redis
- if the deprecation is a confirmed hard deprecation, the user is warned via response headers (API) or flash messages (UI)
- for soft deprecations, we are collecting the information (locally on the instance only; it is up to the administrators to share the outcome with us on demand, outside of MISP, nothing is sent back automatically) on certain endpoints that we might consider deprecating based on usage. We are monitoring our instances to see if there's an interest to keep these features around; if you would like to submit your community's usage of these endpoints, reach out to us!

To view the results of the collection, just navigate to the diagnostics page.

# Export API refactor

All of the deprecated export APIs (such as /events/hids export, /events/stix or /events/xml) have been refactored and are using restSearch under the hood now. Nothing should change from a user perspective except for a sizeable gain in performance thanks to all of the restSearch optimisations. If you do notice some of your legacy scripts misbehaving, please open a GitHub issue and describe what went wrong.

# Sighting synchronisation

Sightings are now synchronising much more reliably, with a new sighting push setting added to the server connection and a new publish sighting button available for users with sighting rights on the event view.

# misp-modules version 2.4.119

MISP modules have been improved and many new modules were added in [expansion](http://misp.github.io/misp-modules/expansion/), [export](http://misp.github.io/misp-modules/export_mod/) and [import](http://misp.github.io/misp-modules/import_mod/). Don't forget to update the modules to benefit from the improvements and new features.
# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

Feed entry: MISP v2.4.120, published 2020-01-21T12:02:04+00:00

# MISP 2.4.120 released

A new version of MISP ([2.4.120](https://github.com/MISP/MISP/tree/v2.4.120)) has been released, including an extension to the data-model adding the first_seen and last_seen values at the attribute and object levels. The user-interface has been extended with a timeline view/editor per event, allowing users to see all occurrences of attributes and objects based on time. A new quick object edit tool has been added, enabling users to easily add new attributes to already existing objects. A long list of bugs were fixed and various improvements were made in the existing features.

# Update notes

Don't forget to have background workers running before updating; there are some updates to the database which can take time depending on the size of your MISP instance. The progress of the update can be verified via the interface of your MISP instance using the following endpoint: /servers/updateProgress.

# Timeline feature and improved data-model

<video src="https://www.misp-project.org/assets/images/misp/blog/timeline-video.mp4" title="Overview of the MISP timeline feature" width="800" height="450" controls autoplay loop>Video tag is not supported by your browser</video>

The [MISP standard format](https://www.misp-standard.org/) has been extended to support first_seen and last_seen on any attribute or object in a MISP instance. This functionality is fully accessible via the restSearch API and via the user-interface of MISP. first_seen and last_seen can be set at the attribute and/or the object levels.
A complete timeline viewer and editor has been added to allow users to:

- quickly see the overall timeline of attributes and objects;
- zoom in and out on the timeline (alt + mouse wheel);
- edit and change the first_seen and last_seen by moving the attributes/objects directly on the timeline.

![The representation of spear phishing using the timeline function in MISP](https://www.misp-project.org/assets/images/misp/blog/t-misp-overview.png)

In the example above, a spear phishing attack and its respective occurrences are displayed on the timeline. This new feature allows users to describe complex time-based information whilst using existing features such as object relationships.

# New attribute types

- kusto-query attribute type added: Kusto query is the query language for the Kusto services in Microsoft Azure, used to search large datasets. It's used in Windows Defender ATP Hunting-Queries as well as Azure Sentinel (cloud-native SIEM).
- chrome-extension-id attribute type added: this attribute is used by Chrome to uniquely identify extensions. It helps the sharing of information about malicious extensions within a MISP sharing community.

# misp-modules version 2.4.120

MISP modules have been improved and many new modules were added in the following related scopes: [expansion](http://misp.github.io/misp-modules/expansion/), [export](http://misp.github.io/misp-modules/export_mod/) and [import](http://misp.github.io/misp-modules/import_mod/). Don't forget to update the modules to benefit from the improvements and new features.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.
Feed entry: MISP v2.4.121, published 2020-02-12T20:12:23+00:00

# MISP 2.4.121 released

A new version of MISP ([2.4.121](https://github.com/MISP/MISP/tree/v2.4.121)) has been released. This version is a security/bug fix release and users are highly encouraged to update as soon as possible. Besides that, several issues were resolved and some new functionalities were added.

# Security issues

The new version includes fixes to a set of vulnerabilities, kindly reported by Dawid Czarnecki. For details, see the attached CVE information.

- A reflected XSS in the galaxy view [CVE-2020-8893](https://cve.circl.lu/cve/CVE-2020-8893)
- ACL wasn't always correctly adhered to for the discussion threads [CVE-2020-8894](https://cve.circl.lu/cve/CVE-2020-8894)
- Potential time skew between web server and database would cause the brute force protection not to fire. [CVE-2020-8890](https://cve.circl.lu/cve/CVE-2020-8890)

Whilst investigating the above, we have identified and resolved other issues with the brute force protection:

- Missing canonicalisation of the usernames before issuing the brute force entry. [CVE-2020-8891](https://cve.circl.lu/cve/CVE-2020-8891)
- PUT requests for the login were skipping the protection. [CVE-2020-8892](https://cve.circl.lu/cve/CVE-2020-8892)

Whilst the issues identified are not deemed critical, it is highly suggested to update and to inform your peers to follow suit.

# Additional sync pull filters

One of the most annoying side-effects of the synchronisation mechanism was the potential unfiltered flow of massive amounts of aged-out data when first pulling from a newly connected community. We have added a simple filter option when configuring sync connections to pass event index filters along with the sync requests. An example would be to limit the publish age of pulled data to the desired time frame (for example: only fetch data that is at most 2 months old).
# New background worker configuration loading

Background workers were loading the server-wide configuration on startup, meaning that changes to server settings would not be reflected by any background-processed job unless the workers were restarted. A new helper resolves this and loads the configuration on each job execution (thanks to @RichieB2B for reporting the issue).

# Memory envelope improvements

When fetching data from MISP, it tries to cluster the data into smaller chunks and fetch it piece by piece to avoid memory exhaustion and to be able to serve the data anyway. The new release improves on the estimation, avoiding potential memory exhaustion with larger data-sets. Potential issues are also logged from here on.

# SQL schema check improvements

Various improvements to both better inform administrators about potential issues along with remediation scripts.

# A host of other improvements

A massive list of improvements to the usability of MISP, with a special thank you to Jakub Onderka again for his endless stream of improvements.

# MISP object templates

We received a significant number of [new object templates](https://www.misp-project.org/objects.html) to describe specific additional use cases including disinformation, media and also an improved HTTP representation.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

Feed entry: MISP v2.4.122, published 2020-02-28T18:34:04+00:00

# MISP 2.4.122 released

![iot-2](https://user-images.githubusercontent.com/3309/75576961-3c680900-5a61-11ea-9447-1280210c768d.png)

A new version of MISP ([2.4.122](https://github.com/MISP/MISP/tree/v2.4.122)) has been released.
This version includes various fixes, minor new features and improvements.

# Log user IP addresses on login

A new optional logging feature has been added to log user IPs on login. On successful login, the feature logs the associated user ID for a given IP (with a 30 day retention). It also logs the IP for the associated user ID (indefinite retention). Two new command lines were added:

- Get IPs for user ID: `MISP/app/Console/cake Admin UserIP [user_id]`
- Get user ID for user IP: `MISP/app/Console/cake Admin IPUser [ip]`

# New Danish community added

We have a flexible system to announce information sharing communities directly in MISP; in 2.4.122, we have added a Danish MISP user-group community. If you would like to have your community added and announced to all MISP users, don't hesitate to edit the [community JSON file](https://github.com/MISP/MISP/blob/2.4/app/files/community-metadata/defaults.json) and open a pull request.

# Correlation bug fixed

A bug fix solves an issue where attribute edits could purge correlations. The bug was introduced by a merge gone wrong: attribute edits that modify fields that do not affect the correlations (such as to_ids, comment, etc.) would cause correlations to be purged.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.
Feed entry: MISP v2.4.123, published 2020-03-11T15:55:54+00:00

![dashboard](https://user-images.githubusercontent.com/3309/76436961-24757b00-63b9-11ea-9758-8952ad696ec8.png)

# MISP 2.4.123 released

A new version of MISP ([2.4.123](https://github.com/MISP/MISP/tree/v2.4.123)) has been released. This version includes various security related fixes and a new dashboard system.

# Security fixes

Thanks to a pentest conducted on behalf of the Centre for Cyber Security Belgium (CCB), we have received a list of ideas to improve our security posture along with 2 vulnerabilities:

- 2 XSS vulnerabilities (reported and fixed, more info via [CVE-2020-10246](https://www.misp-project.org/security) and [CVE-2020-10247](https://www.misp-project.org/security))
- various improvements to our password policy
- improvements by adding preventative headers
- providing more information to the users by revealing potential foul play

We would hereby like to thank both the contracted party as well as CCB for sharing the results with us. We are always glad to receive pentest results; it's a great way for organisations to improve the security of MISP and we highly encourage everyone to test MISP for potential issues and to [let us know](https://www.misp-project.org/security) - we will do our best to fix any identified issues as soon as possible.

# Dashboard system

As an outcome of the spread of COVID-19, we at the MISP project team have spent a considerable amount of our free time over the past few weeks tracking the spread of the outbreak and informing ourselves about it. As an outcome of quickly setting up a coronavirus-sharing community via MISP for ourselves, in order to share and track information emerging about COVID-19, we have implemented a whole new dashboarding functionality for MISP. The new dashboard is accessible directly in MISP and fully customisable by users.
- The system relies on bundled and custom widgets
- Widgets work similarly to other modular parts of MISP: design your own, drop it in the MISP directory to get started
- For instructions on how to develop a basic widget visit [the training slide repository](https://www.misp-project.org/misp-training/a.a-widget-dev.pdf)
- Under the hood it uses the user settings system, allowing for custom configurations per user
- Dashboard templates can be saved and shared, both via MISP and via JSON configuration files
- Widgets come with a host of support functionalities (ACL, caching, auto-reloading, configuration systems)

We welcome contributions to our ever-growing widget collection from our community; let us know if you want to get involved in the effort! If you are interested in the COVID-19 specific widgets, they are not included in the code-base directly, but are rather available via the new [widget-collection](https://github.com/MISP/widget-collection) library.

# Selecting your home page within MISP

Users can now replace their landing page, from redirecting to the event index to any other page in MISP. We recommend considering switching to the dashboard as the first point of entry. Simply navigate to the page you wish to bookmark and click on the little star icon in the header bar.

# A bug affecting correlations and an interesting bug hunt

Due to a recently introduced bug, we had cases of correlations disappearing after an attribute edit under certain conditions (any edit not touching fields used to decide whether to correlate an attribute). We have resolved the issue, along with a full recorrelation being triggered on update; simply fetch the latest version of MISP and your instance should have the issue resolved once the job finishes.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.
This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

Feed entry: MISP v2.4.124, published 2020-04-06T19:53:57+00:00

# MISP 2.4.124 released

A new version of MISP ([2.4.124](https://github.com/MISP/MISP/tree/v2.4.124)) has been released. This version includes various improvements, including a new multiline widget in the dashboard, auditing improvements and many bugs fixed.

# Dashboard and widget improved

The dashboard has been improved along with a host of bugs fixed. A UI for the multiline widget has been introduced.

<img src="https://www.misp-project.org/assets/images/misp/blog/2.4.124/multiline-demo.gif" alt="Multiline Demo" width="700"/>

The new interface provides users a simple way to manipulate basic graph components. It includes legends, tooltips, auto-resize, clickable labels and full support for the 2 most common x-axis types: linear and time-based. You can query the chart to see the delta between two data-points by selecting the first then the last point. A summary will then be presented.

<img src="https://www.misp-project.org/assets/images/misp/blog/2.4.124/multiline-brush-delta.png" alt="Multiline delta between points" width="700"/>

Finally, the widget styling is largely configurable.
In addition to the `time_format` and the abscissa type, you can define other parameters influencing how the graph should be presented to the users.

<img src="https://www.misp-project.org/assets/images/misp/blog/2.4.124/multiline-config.png" alt="Multiline Configuration sample" width="700"/>

# (Auditing) Individual user monitoring

- Site admins can set the monitoring flag on a user if the feature is enabled on the instance
- Monitored users will have all requests logged along with POST bodies
- Keep in mind this functionality is quite heavy and intrusive, so use it with care. The idea is that this allows us to track potentially malicious users during an investigation

# New community: CogSec Collab disinformation

MISP includes the possibility to advertise your MISP information sharing community; don't hesitate to propose your community to gain some visibility. We added "[The Cognitive Security Collaborative operates as a sharing community dedicated to information operations](https://www.misp-project.org/2020/03/26/cogsec-collab-misp-community.html)".

# COVID-19 MISP

COVID-19 MISP is a MISP instance retrofitted for a COVID-19 information sharing community, focusing on two areas of sharing:

- Medical information
- Cyber threats related to / abusing COVID-19

The information sharing community has a low barrier of entry: everyone can contribute and use the data. By default, the information is classified as TLP:WHITE for broader distribution and usefulness. [For more information and joining the COVID-19 MISP community](https://www.misp-project.org/covid-19-misp/)

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.
This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

Feed entry: MISP v2.4.125, published 2020-05-06T17:26:44+00:00

# MISP 2.4.125 released

![](https://www.misp-project.org/assets/images/misp/blog/timeline-sight.png)

A new version of MISP ([2.4.125](https://github.com/MISP/MISP/tree/v2.4.125)) has been released. This version includes various improvements, including a major refactoring of the feed system, the addition of OTP, a new inbox system to allow for self-registration, sightings in the timeline visualisation and many more improvements.

# New inbox system and self-registration feature

If you operate a large community such as an ISAC, the creation of new users can be a tedious task. The new self-registration feature allows organisations to receive and review registrations before creating the real user in MISP.

- if the feature is enabled, unauthenticated users can send a registration request to MISP
- the request includes information on the desired org and some privileges (sync / org admin / publisher)
- requests land in the inbox, where admins can inspect the registration requests
- they can accept/discard them individually or en masse
- users will be notified of their credentials automatically
- quick user creation if the user asks for an org that doesn't exist yet

# E-mail based OTP

To add a second layer of security, OTP has been made available thanks to the contribution of @Golbark. If you would like to use this feature, please enable it via your security settings. Users will receive tokens via e-mail that they need to provide each time they authenticate and start a new session with MISP.
# Feeds index refactoring and new features

- added the ability to select an orgc ID for CSV/freetext feeds: all events created from this feed will carry the selected orgc_id
- refactored the index fully, using the factories
- better warnings against the dangerous "new feed each pull" setting
- event index search added
- several settings cleaned up / made more clear
- auto reload of default feed configuration disabled (fixes #2542, fixes #5789); added a button / endpoint to handle that instead, to allow the deleted default feeds to stay deleted

# Debugging improvement

- [database] New MySQL data source added for debugging: the MySQLObserver datasource prepends all queries with the requested controller/action and user ID for better debugging

Many improvements were done in this MISP release; for a complete overview, you can have a look at the [complete changelog](https://www.misp-project.org/Changelog.txt).

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

Feed entry: MISP v2.4.126, published 2020-06-04T15:38:47+00:00

# MISP 2.4.126 released

A new version of MISP ([2.4.126](https://github.com/MISP/MISP/tree/v2.4.126)) was released a while ago, though we had forgotten to publish a blog post about it; thanks to @coolacid for the reminder. This version includes a security fix and various quality of life improvements.
# Security fix: fixed XSS

Fixed a persistent XSS that could be triggered by correlating an attribute via the freetext import tool with an attribute that contains a JavaScript payload in the comment field. By hovering over the correlation, the analyst encoding the information would have the exploit triggered. Thanks to @JakubOnderka for reporting it!

# Tool to generate the communities webpage

Being able to find the right communities is key when utilising MISP. Thanks to @cvandeplas for implementing this!

# Experimental CLI-only force pull method added

It allows an administrator to issue a special kind of pull via the API that overwrites the local data with that on the remote, no matter which one is newer. No additional data gets deleted, but modifications will get reverted to the remote's state. This tool is meant as a last resort if things have gone awry with unwanted local modifications.

# A host of quality of life fixes

A long list of improvements, fixes and new functionalities have been added; make sure to check out the changelog for an exhaustive list!

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.
MISP v2.4.127 2020-06-19T07:25:20+00:00

# MISP 2.4.127 released
![](https://www.misp-project.org/assets/images/misp/blog/decay.png)

A new version of MISP ([2.4.127](https://github.com/MISP/MISP/tree/v2.4.127)) has been released with an improved version of attribute decaying, a new set of widgets, many improvements and bugs fixed.

# Improved decaying of attributes (version 2)
In MISP 2.4.116, a decaying functionality was added to allow users and organisations to easily expire information depending on their personalised objectives and targets. Based on the feedback of the organisations relying on the decaying feature, the following improvements were included:
- Added a new user setting, `default_restsearch_parameters`, allowing users to supply restSearch parameters that will be automatically passed to the export mechanism during API query fetches. The main purpose of this new setting is to enable users to inject filters when integrating with third-party tools that do not offer the possibility to control the queries performed against MISP. This, for example, allows setting the default decaying parameters for all restSearch queries performed by the given user.
- Added a new setting, `tag_numerical_value_override`, allowing users to override the `numerical_value` of tags. The main purpose of this new setting is to let users convey their own numerical values for tags. It does not constrain site-admins to the values provided by the official misp-taxonomy repository, and instead allows them to define new values for entries not having a numerical value in the first place.

## Major changes in decay computation
Attributes' `last_seen` will now take precedence over their `timestamp` if the former is set. In the decaying implementation prior to this version, if no sightings were recorded, the simulated last sighting was set to the `timestamp` value. In this new version, the `last_seen` value will be used instead when it is set.
Users will be able to alter attributes (attach tags, modify `last_seen`, ...) without refreshing the decaying score to its maximum value.

# New widgets added to MISP
Additional widgets (contributed by Koen Van Impe) were added in MISP with the following features:
- Widget to display system resources (df, cpu, mem)
- Widget to display the latest sightings
- Widget to display the false positive sightings above a certain threshold

Don't hesitate to contribute your own widgets and take a look at the existing ones.

# Various improvements
- [cli] Command for pulling from all remote servers.
- [UI] Add event ID to page table.
- [events:distributionGraph] Added close button in popover.
- [correlations] Refactored correlation saving.
  - Always show the other correlating value (useful for CIDR correlations)
  - Make correlation saving faster (move more work to the database, do not fetch unnecessary fields)
  - Fix some small bugs

Many other improvements are documented in the [complete changelog](https://www.misp-project.org/Changelog.txt).

# Acknowledgement
We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.128 2020-06-26T12:56:25+00:00

# MISP 2.4.128 released
A new version of MISP ([2.4.128](https://github.com/MISP/MISP/tree/v2.4.128)) has been released with a significant refactoring of the STIX import/export along with many improvements and bugs fixed.
# STIX 2 and 1 major refactoring and improvements
A major refactoring of the STIX (version 1 and version 2) import/export has been performed by Christian Studer. We invite you to read the [Changelog](https://www.misp-project.org/Changelog.txt) for the complete set of changes and improvements. The most significant change is the import of threat-actors, tools and alike. As of this version, the import process automatically maps the data-points to existing galaxies. As an example, if a synonym of a threat-actor is found in the original STIX file, the import process will attach the existing threat-actor from the MISP galaxy library. It also works with tags.

# Security fix
- [CVE-2020-14969](https://cve.circl.lu/cve/CVE-2020-14969) <= MISP 2.4.128 - app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute.

# New features
- [correlations] Enable CIDR correlations for ip-src|port and ip-dst|port types
- [widget] Authentication failure widget added to provide a dashboard from the [D4 project](https://www.d4-project.org/).

Many other improvements are documented in the [complete changelog](https://www.misp-project.org/Changelog.txt).

# Acknowledgement
We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.
MISP v2.4.129 2020-07-28T09:06:08+00:00

# MISP 2.4.129 released
A new version of MISP ([2.4.129](https://github.com/MISP/MISP/tree/v2.4.129)) has been released with an improved merge functionality, a new event block rule system, many security fixes and bugs fixed.

# Merge functionality improved
- handle objects, tags, etc. via @chrisr3d's module result parsing
- handle sharing groups correctly
- using standardised fetchers internally
- API enabled (which will directly merge all contents of the source event into the target event)

# Event block rule system added
- add simple tag filters to block events from being added
- it will not stop a manual creation of an event with subsequent adding of the tag in a later stage
- it will however block synced events

# Many bugs fixed and small improvements
Many other improvements are documented in the [complete changelog](https://www.misp-project.org/Changelog.txt).

# Acknowledgement
We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.130 2020-08-21T13:02:44+00:00

# MISP 2.4.130 released
A new version of MISP ([2.4.130](https://github.com/MISP/MISP/tree/v2.4.130)) has been released with performance improvements, multiple bugs fixed and new features.

# Speed improvements
- [internal] cache tags instead of loading them over and over via the event fetcher, fixes #6201.
  - should speed things up for exports of datasets that have a lot of recurring tags
  - moved the caching of some internals to the appmodel level to make it more generic
- [internal] Update correlations in one query. Before, for every event saving action, four queries for updating correlations were generated.
- [correlations] Faster loading of related attributes.
- [sync] drop the republishing of events when the modification is merely a timestamp bump.
  - due to an already fixed issue still lingering, invalid event edits keep getting synchronised between instances
  - these events still generate publish alerts erroneously
  - this fix compares the previous state of the event to the modification; if there are no material changes (attributes, objects, object relations, event tags added/updated) then the publishing is dropped.

# API improvements
- Allow tag deletion for an event on update
- Allow for attribute tag deletion via Event or Attribute edit. Clean and return the attribute tags in the response when editing an attribute; update code to remove legacy handling.
- [opendata export] Parsing portal url parameter + slight parameter parsing changes.
  - As there is the possibility of specifying the url of the Open data portal to use instead of the default one, we support this parameter here and adapt the way we build the command that will launch the python script
  - Slight changes to replace some isset tests by empty tests to make sure the concerned fields are not only set, but also contain a value

# Improvements
- [UI] Show event preview when merging.
- [attribute] Add support for IDN domains.
- New: [freetext] Convert `[at]` to `@` and `hxtp` and `htxp` to `http`
- [widgets] Additional widgets for sharing statistics and layouts.
- [CLI] Allow fetching a remote event by UUID.
- [stix import] Fixed the port in ip-port objects import losing its src and dst context.
- [stix export] Fixed the slight difference between parsing x509 fingerprint attributes and x509 objects.
- [stix export] Fixed x509 fingerprint attributes export & moved mapping dictionaries to the mapping script
  - Only the x509-fingerprint-sha1 attribute was exported, and as a standard sha1 attribute, which was a loss of context; now the x509 fingerprint attributes (md5, sha1 & sha256) are exported as expected within an x509 observable
  - Also moved the mapping dictionaries with the appropriate indent to the mapping script, where they belong

# Many bugs fixed and small improvements
Many other improvements are documented in the [complete changelog](https://www.misp-project.org/Changelog.txt).

# Acknowledgement
We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.131 2020-09-08T13:57:00+00:00

# MISP 2.4.131 released
A new version of MISP ([2.4.131](https://github.com/MISP/MISP/tree/v2.4.131)) has been released with improvements, bug fixes and a major update to JavaScript libraries.

# Improvements
- New types pgp-public-key/pgp-private-key/email/sha3 added.
  - Export format for Bro, Snort, OpenIOC updated to support the new email type (in addition to the legacy email-src/email-dst attribute types)
  - A new filter "type" added for the internal fetcher which appends email as a type if email-src/email-dst are found.
  - [types] email added as a new type, affects #6281.
- [diagnostic] Check if database index is unique.
- New API export: added "count" returnFormat for the REST API which simply counts the number of attributes/events found (on each respective scope).
- The ACL has been extended to open event blacklisting to host org users. Also added a new special permission for the ACL system, host_org_user, which will evaluate whether the user is in the org configured in the MISP.host_org_id directive.
- Major upgrade to jQuery (bumped jQuery to version 3.5.1) and related dependencies.
- STIX 1: importing test mechanisms from indicators as yara rules (as used by CISA).
- API GET requests on restsearch with no parameters are no longer allowed; warn the user about the use of GET queries with posted JSON bodies.
- STIX 2 import: fixed external pattern types parsing.
- Logging: add the ability to customize the IP header field when logging.
- New widget: feature/achievements widget.
- New MISP-SNMP Monitor script.
- Various fixes for accessibility for users of screen readers, such as ARIA labels.

# Naming convention change to be more inclusive
Thanks to @Golbark, we no longer use the terms blacklists and whitelists across MISP; instead they are now called blocklists and includelists. Please make sure to align any scripts automatically managing these lists to reflect that. Kudos to NATO for championing inclusiveness in open-source projects!

# Many bugs fixed and small improvements
A host of other improvements are documented in the [complete changelog](https://www.misp-project.org/Changelog.txt).

# Acknowledgement
We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html).
As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.132 2020-09-21T08:16:25+00:00

![](https://www.misp-project.org/assets/images/misp/blog/d4_sshd_widget.png)

# MISP 2.4.132 released
A new version of MISP ([2.4.132](https://github.com/MISP/MISP/tree/v2.4.132)) has been released with several bugs fixed, including an important [security](https://www.misp-project.org/security/) fix, [CVE-2020-25766](https://cve.circl.lu/cve/CVE-2020-25766).

# Bugs fixed and updates
- [bootstrap-datepicker] Updated to version 1.9.0
- [tag filters] fixed a bug introduced with the previous filter fix, resulting in multiple OR tags being ignored as a valid filter.
- [internal] Correctly handle positive tag filters for non site admins.
- [sightings] anonymise pushed sightings using the new Sightings_anonymise_as setting.

# CVE-2020-25766
An issue was discovered in MISP before 2.4.132. This could lead to unwanted actions (such as an event deletion) being triggered. Thanks to Michael Kerscher for the report.

It was discovered that under certain situations (resource exhaustion when retrieving session data, for example), a user could incorrectly receive the login page as a response when paginating the event view's attribute list. This in itself should not cause any issues, but due to a bug in the login form's GET/POST exchange, the user actually having a valid session would instead retrieve the event index, on which the first form was submitted (which was an event deletion). In normal situations this is extremely rare and we have only identified a handful of such deletions on our most heavily used community instances. Version 2.4.133 will include a new diagnostic tool that highlights deletions from the time period when the bug was active, along with a recovery functionality.
# Many bugs fixed and small improvements
A host of other improvements are documented in the [complete changelog](https://www.misp-project.org/Changelog.txt).

# Acknowledgement
We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.133 2020-10-16T20:54:15+00:00

# MISP 2.4.133 released with major improvements such as the markdown report feature and many UI improvements

# Unstructured/semi-structured report feature
MISP is widely known as a powerful tool to gather, correlate and share information. As a response to the growing information-sharing maturity of the community, more features have been introduced over the past few years to meet analyst skills and requirements. MISP has evolved to support a richer data structure allowing analysts and operators to describe and visualize complex scenarios. Data stored in MISP can be adjusted and linked in a comprehensive manner, turning it into explorable graphs or timelines representing activity or events. However, in the current threat intelligence scene, information is often explained and shared in the form of articles, and using MISP's raw text comments is far from ergonomic and appealing. Consequently, a crucial piece of data structure was missing and had to be supported: Reports.

In MISP 2.4.133, the report feature has been introduced, including a complete Markdown editor to edit one or more reports attached to an event.
The report feature includes a complete editor allowing an interactive way to add structured information from the MISP event, including attributes, objects, galaxies or tags, into the report.

![Editor hints](https://www.misp-project.org/assets/images/misp/blog/event-reports/cm-hints.gif)
![Editor hints tags](https://www.misp-project.org/assets/images/misp/blog/event-reports/cm-hints-tag.gif)

The report editor provides features such as:
- Markdown syntax shortcuts
- Auto-completion
- Synchronized scrolling between the text editor and the markdown viewer
- Automatic markdown rendering when typing
- Fullscreen and resizable interface
- Time since last edit & quick save

![Event editor full](https://www.misp-project.org/assets/images/misp/blog/event-reports/editor-full.png)

Event reports have all the standard information-sharing properties available in MISP, such as distribution level and sharing communities. As an example, a report can be shared with specific groups while structured information is shared with a wider audience.

*Event reports* also offer a wide range of new possibilities that were not doable efficiently before. For example, counter analysis on cases can be explained, resolution steps and recommendations can be supplied, and complete articles can be included inside an *event*.

For more details, check out our blog post: [Event Report: A convenient mechanism to edit, visualize and share reports](https://www.misp-project.org/2020/10/08/Event-Reports.html).

# New features
## UI
- Add icons for threat levels.
- Show organisation nationality flag.
- Use flag icons from Twemoji.
- Go directly to object reference when the referenced object is on the same page.
- Major improvements in the misp-modules view, especially for the enrichment output.
- Many more improvements. Thanks to Jakub Onderka for his continuous attention to the details.

## Recovery of deleted events
- A new feature has been added to recover deleted events, available in the diagnostics page.
The feature uses the event history.

# New attribute types and changes
- `filename-pattern` to describe a filename based on a pattern (to avoid ambiguity with the filename attribute).
- `cpe` attribute to share and describe [CPE - Common Platform Enumeration](https://nvd.nist.gov/products/cpe), and the associated object [cpe-asset](https://github.com/MISP/misp-objects/blob/main/objects/cpe-asset/definition.json).
- `telfhash` attribute type added and the associated file object updated. For more details, see [telfhash](https://github.com/trendmicro/telfhash).
- Normalize `AS` type to asplain notation.

# Speedup and optimisation
- Speedup sending module results.
- Sighting saving optimisation.
- [warninglist] Use faster method for fetching data from Redis.
- [complextype] Speedup hash parsing from CSVs and freetexts.

# Many bugs fixed and small improvements
A host of other improvements are documented in the [complete changelog](https://www.misp-project.org/Changelog.txt).

# Acknowledgement
We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.134 2020-11-12T17:06:10+00:00

# MISP 2.4.134 released
In the previous version of MISP, the new [Event Report functionality](https://www.misp-project.org/2020/10/08/Event-Reports.html) was introduced to edit, visualise and share reports in Markdown format, which includes the ability to reference elements from within a MISP event.
In the current version, the Event Report has been extended to support the automatic discovery of attributes, galaxies and tags from any captured website.

<video src="https://www.misp-project.org/assets/images/misp/blog/event-report-demo-extraction-from-url2.mp4" title="Overview video of the new MISP event report functionality and discovery of elements" width="800" height="450" controls autoplay loop>Video tag is not supported by your browser</video>

This functionality allows analysts to collect external reports and automatically discover information which can be used in MISP. The Event Report fetching capabilities require the [misp-modules](https://github.com/MISP/misp-modules) to be activated.

# Optional A/V scanning in MISP
A new feature has been added to automatically scan attachments in MISP. The functionality is completely optional and can be enabled in the global configuration.

# ATT&CK sub-techniques
MISP now includes the ATT&CK sub-techniques as a MISP galaxy.

# Example script for direct STIX ingestion into MISP
A new [Ingest STIX](https://github.com/MISP/MISP/tree/2.4/tools/ingest_stix) script is available to show how to easily ingest STIX 1 and 2 files in MISP while using the parsing functionality of MISP core.

# Security fix - CVE-2020-28043
A security vulnerability [CVE-2020-28043](https://cve.circl.lu/cve/CVE-2020-28043) has been fixed. MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL.
- by using the full path parameter in the rest client, users could issue queries to any server
- this becomes especially problematic when the MISP server is able to query other internal servers, as external users could trigger those
- new server setting added that allows enabling the full path option; this is now disabled by default
- new server setting added to add an override baseurl for the rest client, removing the need for the full path option in the first place (for example for the training VM with its port forwarding)
- Thanks to Heitor Gouvêa for reporting this vulnerability

# Many bugs fixed and small improvements
- Tag index has been improved with a simple view that excludes eventtags / attributetags / sightings
- Many UI improvements (thanks to Jakub Onderka for his continuous effort and attention to details)

A host of other improvements are documented in the [complete changelog](https://www.misp-project.org/Changelog.txt).

# Acknowledgement
We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.135 2020-12-23T19:48:24+00:00

# MISP 2.4.135 released
Don't let the minor version number change fool you: this release is a game changer for MISP and information sharing in general. Galaxy 2.0 brings about the ability to customise Galaxy clusters (threat-actors, @MITREattack or any knowledge base element) as well as to extend and share them within your community.
This release also includes many new improvements, such as a new authkey system to better handle your API keys in MISP.

![](https://www.misp-project.org/assets/images/galaxy2.0/1.jpeg)
![](https://www.misp-project.org/assets/images/galaxy2.0/2.jpeg)
![](https://www.misp-project.org/assets/images/galaxy2.0/3.jpeg)
![](https://www.misp-project.org/assets/images/galaxy2.0/4.jpeg)

The galaxy 2.0 feature is large and provides many new capabilities. For a complete overview, the [following slide deck](https://www.misp-project.org/misp-training/a.10-galaxy-2.0.pdf) provides a good introduction to galaxy 2.0.

# New Advanced API authkeys
Advanced authkeys will allow each user to create and manage a set of authkeys for themselves, each with individual expirations and comments. API keys are stored in a hashed state and can no longer be recovered from MISP. Users will be prompted to note down their key when creating a new authkey. You can generate a new set of API keys for all users on demand in the diagnostics page, or by triggering the advanced upgrade. If you upgrade your MISP, you need to enable this new feature in the security configuration (Security.advanced_authkeys).

# JARM fingerprint format added
MISP (and the MISP standard format) now includes support for [JARM](https://github.com/salesforce/jarm), an active Transport Layer Security (TLS) server fingerprinting tool.

# STIX 2 import improvements
- Fixed parsing of objects mapped into galaxies for external STIX.
  - For objects from external STIX content that should be mapped as galaxies (such as malware, threat actor, and so on), we no longer only test for a perfect match with one of the galaxy names in the mapping dictionary; we now also test whether the galaxy name is contained in any of the known galaxy names of the dictionary.

Additionally, a host of other improvements are documented in the [complete changelog](https://www.misp-project.org/Changelog.txt).
# Acknowledgement
We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.136 2021-01-18T10:28:41+00:00

# MISP 2.4.136 released
Though we're rather late with the release notes, we did have some goodies to share for the winter festivities, bundled neatly into the 2.4.136 release. Apart from the usual bug fixes and usability improvements, we've also added some new features to play with.

# First integration with Cerebrate
[Cerebrate](https://github.com/cerebrate-project) is an up-and-coming tool we're developing as part of the [MeliCERTes project](https://ec.europa.eu/digital-single-market/en/news/open-platforms-collaborate-cyber-threats), aiming to ease the management of both larger sharing communities as well as a set of local tools. The tool is self-hosted and can be used to maintain information on organisations and individuals that we interact with, along with sharing group metadata. We also want to use it to harmonise MISP-related organisation metadata (such as UUIDs, public keys, meta-information, etc.) between instances of an organisation or a community. In addition, it will also act as an orchestration platform, easing the interconnections between organisations for both MISP and other tools. In this first iteration, we can use a Cerebrate instance as a lookup repository for organisation metadata in MISP, using the familiar preview/pull mechanism that we're used to in MISP.
We also welcome contributions to that project, especially since the internals are aligned more and more with MISP and will act as the foundation for the next major MISP rework. For more information, visit [Cerebrate on GitHub](https://github.com/cerebrate-project).

# A host of quality of life improvements for the sharing groups
The larger our communities grow, the more important it becomes to be able to quickly and accurately find the information that we're after in our sharing group repositories. Thanks to the tireless work of @JakubOnderka, we can now filter sharing groups, find events associated to a sharing group and more.

# Even though testing is doubting, doubt is the origin of wisdom
A new test suite was added by @JakubOnderka to enrich the CI suite with a set of tests aiming to detect potential security / ACL flaws in the system.

# Installer improvements
The [MISP installer](https://misp.github.io/MISP/INSTALL.ubuntu2004/) has been significantly improved, especially concerning the installation of the misp-modules, with various refactoring to improve the capability of replaying the install process.

# Release management
Finally, a notice on a change we have made to our release management: from here on we will rely on an additional branch for development to ensure that half-baked features don't make their way to the 2.4 branch. Until now the recommendation was to stick to tagged releases for stability and to just track the 2.4 branch for the quickest bug fixes. This led to both options having downsides (should I miss out on a potential bug fix or risk running non-finalised features in my system?). With the current approach, all new development will go on the "develop" branch, which we recommend purely for developers; the 2.4 branch will see the features merged from develop just prior to a release, after the testing and readying of the release is completed. Once that is done, the usual tagging of a new version will occur.
This allows us to still include hotfixes and urgent bugfixes on 2.4 without muddying the water with potentially risky new developments; as such, we encourage all users to track the HEAD of the 2.4 branch from here on.

# Acknowledgement
We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.137 2021-01-21T11:15:15+00:00

We have released 2.4.137, a security and bug fix release including a collection of fixes and improvements collected over the past month. Building tools for the security community sure has its perks - over the past week we have received two independent security test results from two separate organisations, revealing several vulnerabilities. The update to this version is therefore highly recommended. A little note on vulnerabilities - we always welcome organisations helping us secure MISP and our tooling in general, and would hereby like to thank everyone taking part in the process!

# Several vulnerabilities resolved
- [CVE-2021-25324] Stored XSS via the galaxy cluster view - Discovered by Daniel Kubica of ESET, spol. s r.o.
- [CVE-2021-25325] Stored XSS via the galaxy element index - Discovered by Daniel Kubica of ESET, spol. s r.o.
- [CVE-2021-25323] Weak default password change request policy not requiring the entry of the current password - Discovered by Daniel Kubica of ESET, spol. s r.o.
- [CVE-2021-3184] Reflected XSS via the set homepage button - Reported by an anonymous party

# A long list of quality of life improvements

- The synchronisation now compresses the data exchanged, improving transfer rates during the exchange
- Additional metrics and comparison tools for the sync connections
- Better management of API key usage, along with logging
- A new tool that allows the exclusion of certain values from the correlation engine (useful to avoid regularly observed values recurring in a large number of events and generating too much noise)

Along with many other fixes. A special thank you to @JakubOnderka for providing a steady stream of QoL improvements, making MISP more pleasant to use by the day!

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.138 (2021-02-10T17:24:54+00:00)

# MISP 2.4.138 released

We have released 2.4.138, the latest release for MISP, along with an update of the JSON libraries. Besides that, several usability and performance issues have been resolved, along with a host of small improvements, additional API improvements, etc. Make sure that you read the [detailed changelog](https://www.misp-project.org/Changelog.txt) to see all the improvements. Improvements include the use of the threat level for the alert filtering, many bugs fixed in the event graph and many others.
# Nested Galaxy Element generator (CISA.gov/AIS dynamic marking)

We have a new tool that allows you to take nested JSON documents and convert them to galaxy cluster elements using a dot-delimited format. If you ever want to quickly encode existing nested data for your custom galaxies, this should make your life easier. This functionality was integrated to support the [Automated Indicator Sharing (AIS) from DHS/CISA.gov](https://www.cisa.gov/sites/default/files/publications/AIS%20Brokering%20Between%20the%20Non-Federal%20Entities%20Sharing%20Community%20and%20the%20Federal%20Entities%20Sharing%20Community.pdf), which includes dynamic marking. The functionality can be reused for many different use-cases.

![](https://raw.githubusercontent.com/MISP/misp-training/main/a.10-galaxy-2.0/pics/json-view.png)

![](https://raw.githubusercontent.com/MISP/misp-training/main/a.10-galaxy-2.0/pics/tabular-view.png)

# RSIT galaxy added with MITRE ATT&CK

The [Reference Security Incident Taxonomy Working Group](https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force) is a joint initiative for CSIRTs to produce a reference taxonomy for the CSIRT community. A new version of RSIT has been integrated into MISP, along with a complete set of relationships with MITRE ATT&CK, thanks to the [galaxy 2.0 feature](https://www.misp-project.org/2020/12/16/MISP.2.4.135.released.html) in MISP. Thanks to [Koen Van Impe](https://www.cudeso.be/) for this new updated galaxy.

![](https://www.misp-project.org/assets/images/misp/blog/rsit-3.png)

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.
This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.139 (2021-02-16T16:04:21+00:00)

# MISP 2.4.139 released (Quality of life and bugfix release)

![](https://www.misp-project.org/assets/images/misp/blog/dashb.png)

We have released 2.4.139, the latest release for MISP, which squashes a set of pretty annoying bugs whilst also adding some shiny new features to play with, along with the usual update of the JSON libraries. Besides that, several usability and performance issues have been resolved, along with a host of small improvements, additional API improvements, etc. Make sure that you read the detailed changelog to see all the improvements.

# MISP modules are now Event Report aware!

The Event Reports are the hot new feature of the past few weeks, and we are working on ensuring that analyst reports become the standard companions of the classic event format. For anyone who hasn't played with them before, have a look at the [blog post](https://www.misp-project.org/2020/10/08/Event-Reports.html) describing how you can create rich, interlinked reports to accompany your events. The main update to the Event Report system is its inclusion in the module system as of this version, so if you are building integrations with MISP, or simply want a convenient way to incorporate reports from your favourite information sources, this feature will make your life much easier.

# MISP modules can impose options for the event fetcher

Want to restrict which parts of an event your module should receive from MISP? Would you like to include the decay score in your module?
Pass parameters back to the fetcher so it can prepare an event that better fits your module's needs!

# EventStream widget

![](https://www.misp-project.org/assets/images/misp/blog/dashb.png)

The built-in Dashboard system in MISP has been underutilised since its inception, partially due to its initial focus on a non-CTI use-case. We have been working on remedying this over the past few months, including the addition of new widgets to monitor your instance's health as an administrator, to gain high-level insights into your sharing community's sharing practices, etc. Something that has been missing for a while, though, was the ability to monitor ongoing trends based on your own interests, such as new events coming in that relate to a topic you are interested in. The EventStream widget aims to solve that by offering a customisable event index widget. Users can set their interests in terms of organisation sources and applied tags (such as threat actor, tool and other names) to show the most recent additions touching on the given subjects. This widget also brings with it a flexible, reusable UI layer that widget developers can reuse for a host of other use-cases.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.
MISP v2.4.140 (2021-03-10T17:17:24+00:00)

![](https://www.misp-project.org/assets/images/misp/blog/ss7-example.png)

# MISP 2.4.140 released

We have released 2.4.140, the latest release for MISP, introducing a host of new features, including integrations with various authentication systems, various improvements to the handling of objects and CLI improvements, as well as a package of general bug fixes, along with the usual update of the JSON libraries.

# Manage my identity!

MISP already had a host of integration options with various IdPs, but this release gives you some additional options in the shape of [OpenID Connect authentication](https://github.com/MISP/MISP/tree/2.4/app/Plugin/OidcAuth) and [Azure Active Directory authentication](https://github.com/MISP/MISP/tree/2.4/app/Plugin/AadAuth) integrations. Have a look at the various authentication plugins' configuration in the MISP/app/Plugin directory.

# Built-in security report of your MISP instance

As of this release, you can get some guidance on your security posture, on potential security-impacting misconfigurations and on best practices via the new security audit tool, located in the diagnostics section of the server settings. Make sure you go through the tool's findings and make any changes you find appropriate from the suggestions offered. When in doubt, feel free to start a discussion on the [support chat](https://gitter.im/MISP/Support) hosted on gitter. The audit also gives you a sanity check of your CSP posture, used in conjunction with the new settings and tightened security measures. Massive kudos to @JakubOnderka for all this work!
# Cross referencing objects across extended events

Whilst extended events were the most flexible way of creating counter-analyses in MISP, as well as of providing additional information to a report, we were always lacking a crucial component to make this feature truly shine: the ability to build connected graphs of the data points contained in a set of events extending one another. This has now been added to MISP as of 2.4.140.

# CLI improvements

We want to make scripting and using the CLI in general a bit more straightforward. Since the phasing out of the built-in task scheduler, we have seen a massive uptick in the usage of these tools, so expect more improvements in the future. For now, we have added tools to list the connected servers directly from the CLI, to be able to automate the sync process per connected server. Additionally, a new set of CLI tools is being built for developers, to ease our lives when trying to modify MISP. The first tool in this toolkit allows us to massage the direct feed description dumps into the expected format for easier modification.

# New types added in MISP

New full-name, dkim and dkim-signature attribute types were added to MISP. The associated [DKIM objects](https://www.misp-project.org/objects.html#_dkim) were included to support tools such as Farsight Security DNSDB in adding DKIM information to your investigations.

# Security Vulnerability

An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors. Thanks to Jeroen Pinoy for the report. The vulnerability has [CVE-2021-27904](https://cvepremium.circl.lu/cve/CVE-2021-27904) assigned.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.
This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.141 (2021-04-19T05:41:32+00:00)

![](https://www.misp-project.org/assets/images/misp/blog/ss7-example.png)

# MISP 2.4.141 released

MISP 2.4.141 has been released, including many improvements to email notifications, the UI, the API and the installation scripts.

# User-Interface

- [UI] Render galaxy cluster description as markdown.
- [UI] Show threat level icons on event index.
- [eventgraph:viewPicture] Allow access to saved picture from the eventgraph history.
- [eventGraph] Improved object coloring strategy.
- [UI] fix debugon for debug = 1. fix #7131.
- [UI] Show number of items in freetext feed.
- [UI] Make feed event preview nicer.
- [UI] It is 2021! Removed -moz and -webkit specific CSS properties.
- [UI] Make some parts of MISP nicer.
- [UI] Nicer pivots.
- [UI] Simplify keyboard-shortcuts.js.
- [UI] Use Page Visibility API.

And many more updates; check the [changelog for details](https://www.misp-project.org/Changelog.txt).

# Email notification

Email notification has been significantly improved and now supports HTML emails.

- [email] New setting `MISP.event_alert_metadata_only`.
- [email] Command for testing generated alert email.
- [email] Allow to set email subject from template.
- [email] Back-end support for sending HTML emails.

This release includes many updates to the localisation and translation of the user interface. New default feeds were included in MISP, such as the newest [DataPlane.org feeds](dataplane.org).

# Installation scripts and guides

Many improvements to the RHEL 7, 7.9 and CentOS 8 Stream installation scripts and guides. We thank all the users reporting issues with RHEL.
# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.142 (2021-04-28T16:34:37+00:00)

# MISP 2.4.142 released

MISP 2.4.142 has been released, including many new features, a security fix and a long list of quality of life improvements.

![](https://www.misp-project.org/assets/images/misp/blog/new-ransomware-1.png)

# Correlation changes

One of the most annoying bottlenecks in how we currently use MISP is caused by low-quality correlations, both in terms of usability and of having a clear view of the relevant relationships among data points. These very often come from sub-optimal strategies chosen at data creation/ingestion for certain types of attributes, but very often also from edge cases. With the current release we've included two main tools to combat this:

### Correlation exclusions

We can now exclude individual values from ever correlating again, so if you come across typical noisy values (such as empty file hashes, registry values of 000000, or internal IPs recurrently encoded by your sandbox), you can add them to the exclusion list. Once added, you can execute the cleaning of the existing correlations to retroactively apply your exclusion rules. This runs as a background job and, depending on the number of correlations you have, may take quite some time (it took us around 30 minutes on 25M correlations), so just fire it off and check back later whether the job has completed.
You can also comment your reason for removing an entry. In the future we plan on publishing community-maintained default exclusion lists.

![Correlation exclusion in MISP](https://www.misp-project.org/assets/images/misp/blog/correlation-exclusion.png)

### Top correlations

List the most correlating values in your instance: to evaluate which correlations are the most problematic, simply have a look at the noisiest ones. We've had some surprising entries in our communities, so it is the perfect time to do some spring cleaning. Just hit the delete button on a correlation and it will add a rule to your correlation exclusion list; just don't forget to run the historic cleanup from the correlation exclusion index to remove already existing correlations matching your newly added rules.

# Server sync rule management rework

![MISP server sync rule management](https://www.misp-project.org/assets/images/misp/blog/pull-rules.png)

One of the more painful aspects of managing servers has been the historically bad UI used to manage filter rules. This has now been completely revamped, with a new but familiar look and feel as well as some clever new tools to make it more usable. For example, when creating pull filters, your instance will now attempt to contact the remote instance to retrieve a list of available tags, so that you no longer have to manually enter all of the filters when creating pull rules. The JSON rule field allowing custom filters now also uses a handy JSON-parsing text entry, allowing you to avoid potential mistakes.

# New dashboard widgets

Thanks to Jeroen Pinoy, we have some new dashboard widgets meant to give you better oversight of how your instance is being used, showing some usage statistics as well as tools to monitor the growth of the community's user base.
![](https://www.misp-project.org/assets/images/misp/blog/evolution-usercount.png)

# A bunch of other fixes including security fixes

We have also fixed a [security](https://www.misp-project.org/security/) issue (CVE-2021-31780) causing a potential misalignment of sharing groups on synced attributes, so we highly encourage everyone to update their MISP instance. Besides that, we have introduced a long list of quality of life improvements as well as [many fixes](https://www.misp-project.org/Changelog.txt).

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). The MISP galaxy includes a major update to the Ransomware galaxy, which now includes more than 1600 documented ransomware. As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.143 (2021-05-19T09:31:36+00:00)

# MISP 2.4.143 released

MISP 2.4.143 has been released, including a new audit subsystem, various quality of life improvements and bug fixes.

![](https://www.misp-project.org/assets/images/misp/blog/misp-sea.png)

# 10 year anniversary

[MISP has, as of the 15th of May, turned 10.](https://twitter.com/MISPProject/status/1393141380369821697) To celebrate the occasion we have a celebratory MISP logo acting as a temporary replacement of the usual one for the duration of this release. It has been a long road since Christophe Vandeplas released the initial version of CyDefsig (later renamed to MISP) in 2011. We would hereby like to thank all contributors and supporters for making MISP what it is today.
Looking back at how the tooling and the communities evolved over the decade, we can see how threats and threat intelligence have changed over the years, moulding the platform in the process. Here's to at least another 10 years of active sharing and bringing communities together!

# New audit system

Thanks to @JakubOnderka, we now have a whole new audit system, storing relevant audit logs in a more concise yet easily machine-parsable way (all changes are logged as JSON objects). This feature is disabled by default and needs to be enabled in the server settings; keep in mind that it will not convert existing entries. Especially for new instances, we highly recommend switching to the new system!

# Event republish-alert flood protection

As our communities grow and we all build our own internal tooling for processing data in MISP, it becomes more likely to run into some slightly frustrating issues. One such issue we've encountered recently came from a tool that regularly (and frequently!) modified certain events and republished them consecutively. This in itself is not an issue; however, it can generate a lot of noise in terms of alert emails. We have now added a protective measure to counter this: make sure you have a look at the appropriate settings to create lockout timers limiting the alerts that can be issued for a single event.
# Improvements

- Event report hint autocompletion while typing in Markdown has been improved
- Server rules element improved
- MISP module results now point to the original object itself

# MISP Modules

Two new MISP modules were introduced:

- A cof2misp module to allow the import of Passive DNS in [JSON COF format](https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-08.html) into MISP
- An improved [onyphe module](https://github.com/MISP/misp-modules/blob/main/misp_modules/modules/expansion/onyphe.py) to do expansion in MISP with full MISP object support

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.144 (2021-06-09T07:38:55+00:00)

# MISP 2.4.144 released

MISP 2.4.144 has been released, including a massive update to the documentation along with [CyCAT.org](https://www.cycat.org/) integration, improvements and fixes, including security-related fixes.

![](https://www.misp-project.org/assets/images/misp/blog/misp-openapi.png)

# OpenAPI integration

We have a new core team member at MISP Project, Luciano (@righel), who kicked off his tenure with an impressive mapping of all the most important endpoints of MISP to OpenAPI. As of this release, the API documentation is directly available in MISP, along with example payloads and responses. You can also find [this information directly on the misp-project website](https://www.misp-project.org/documentation/openapi.html).
To all integrators and developers wrangling with the API, we highly recommend you take a look at the API menu in MISP, and we wish you happy and headache-free hacking!

# New diagrams and descriptions

Thanks to the thorough investigations of @mokaddem, we now have the entire synchronisation and authentication flows of MISP mapped in easy-to-understand graphs. Both of these are now included directly in your MISP installation, so if you're in doubt about what's going on under the hood but don't feel adventurous enough to replace your night-time reading materials with a hefty chunk of PHP code, have a look at the new graphs!

- [Authentication Diagram](https://github.com/MISP/MISP/tree/2.4/docs/generic/Authentication%20Diagram)
- [Data visibility for Sync-users and MISP synchronisation](https://github.com/MISP/MISP/tree/2.4/docs/generic/Synchronisation)

# CyCAT integration v1

![MISP and CyCAT integration](https://www.misp-project.org/assets/images/misp/blog/cycat-misp.png)

CyCAT is a new initiative built by a group of individuals with the aim of cataloguing all the techniques and libraries around cyber-security, mostly with the selfish desire to make their own confusing lives easier (along with the lives of all those in a similar situation). As of this release, you'll be able to enable a first version of the CyCAT integration in MISP directly, allowing you to see relations to your galaxy clusters via CyCAT's own relationship system, giving you an extra layer of background information on the clusters already in use. If you are interested in CyCAT and what it can do for you, head over to the [CyCAT website](https://cycat.org/). To enable the CyCAT integration, go to the Plugin settings

![](https://www.misp-project.org/assets/images/misp/blog/cycat-enabled.png)

and enable the feature.

# Improvements

- Various quality of life improvements and bug fixes related to synchronisation, sharing groups, event reports and more!
- A security fix for an issue that would, under certain circumstances, result in the attributes of an object being associated with the wrong sharing group after synchronisation. A massive thank you to Jeroen Pinoy for his diligent work in uncovering this issue!

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.145 (2021-07-05T07:38:52+00:00)

# MISP 2.4.145 and 2.4.146 released (Improved warning-lists)

![](https://www.misp-project.org/assets/images/misp/blog/warning-lists.png)

MISP 2.4.145 and 2.4.146 have been released, including a massive update to the MISP warning-lists, various improvements and security fixes.

# MISP warning-lists improvements

The [warning lists](https://github.com/misp/misp-warninglists) system has been significantly improved (thanks to Jakub Onderka).

- Custom warning lists can be created and managed in the MISP user interface
- Warning lists can now be imported via the API
- Warning list changes are exported on the ZMQ channel
- Warning lists include new categories to describe their scope

# New features

## Summary email notification

Email notifications have received a new configuration setting: new event summaries only. This feature publishes the normal alert reports excluding attributes and objects, thereby only describing a summary of the alert. This can be used when encryption cannot be enabled and organisations still require email alerting.
## Documentation

New documentation has been added to describe the [session and cookie handling in MISP](https://raw.githubusercontent.com/MISP/MISP/2.4/docs/generic/Authentication%20Diagram/MISP%20Authentication%20Diagram.png).

## API

- Thanks to a new feature, you can now create read-only authentication keys (don't forget to enable the advanced authentication key feature for this to work).

# Security Fixes

- Various fixes regarding XSS and potential escaping issues, including [CVE-2021-35502](https://cvepremium.circl.lu/cve/CVE-2021-35502). Thanks to the reporters, including Nicolas Vidal from TEHTRIS.

# Various improvements

- [OpenAPI] Missing return formats added to the documentation
- [server caching] Only push data to redis / logs if there's something to push
- [attribute] Validation tightened for empty strings. A value containing only control characters will now be blocked from entry.
- [feeds] Added 3 daily feeds (ssh bruteforce, telnet bruteforce, URLs seen) from the APNIC Community Honeynet Project

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.146 (2021-07-05T07:39:16+00:00)

# MISP 2.4.145 and 2.4.146 released (Improved warning-lists)

![](https://www.misp-project.org/assets/images/misp/blog/warning-lists.png)

MISP 2.4.145 and 2.4.146 have been released, including a massive update to the MISP warning-lists, various improvements and security fixes.

# MISP warning-lists improvements
The [warning lists](https://github.com/misp/misp-warninglists) system has been significantly improved (thanks to Jakub Onderka).

- Custom warning lists can be created and managed in the MISP user interface
- Warning lists can now be imported via the API
- Warning list changes are exported on the ZMQ channel
- Warning lists include new categories to describe their scope

# New features

## Summary email notification

Email notifications have received a new configuration setting: new event summaries only. This feature publishes the normal alert reports excluding attributes and objects, thereby only describing a summary of the alert. This can be used when encryption cannot be enabled and organisations still require email alerting.

## Documentation

New documentation has been added to describe the [session and cookie handling in MISP](https://raw.githubusercontent.com/MISP/MISP/2.4/docs/generic/Authentication%20Diagram/MISP%20Authentication%20Diagram.png).

## API

- Thanks to a new feature, you can now create read-only authentication keys (don't forget to enable the advanced authentication key feature for this to work).

# Security Fixes

- Various fixes regarding XSS and potential escaping issues, including [CVE-2021-35502](https://cvepremium.circl.lu/cve/CVE-2021-35502). Thanks to the reporters, including Nicolas Vidal from TEHTRIS.

# Various improvements

- [OpenAPI] Missing return formats added to the documentation
- [server caching] Only push data to redis / logs if there's something to push
- [attribute] Validation tightened for empty strings. A value containing only control characters will now be blocked from entry.
- [feeds] Added 3 daily feeds (ssh bruteforce, telnet bruteforce, URLs seen) from the APNIC Community Honeynet Project

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.
This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

MISP v2.4.147 (2021-07-27T13:33:56+00:00)

# MISP 2.4.147 released

MISP 2.4.147 has been released, including a massive number of small improvements, bug fixes and security fixes. We strongly recommend that all MISP users upgrade as soon as possible. This release fixes [CVE-2021-37534](https://cvepremium.circl.lu/cve/CVE-2021-37534).

![](https://www.misp-project.org/assets/images/misp/blog/misp-openapi.png)

# Sync improvements

Many improvements were made to the synchronisation, such as:

- When saving sightings, only push the new sightings.
- Filter out existing sightings if the remote server supports that method.
- Check if the event exists before pushing.
- Check event existence before pushing sightings.
- Optimise event filtering.

# API/CLI

Many improvements in the API and CLI. This release also includes refactoring of various forms to support future major improvements in MISP.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.
2021-07-27T13:33:56+00:00 MISP v2.4.148 2021-08-09T10:15:54+00:00

# MISP 2.4.148 released

![](https://www.misp-project.org/assets/images/misp/blog/misp-openapi.png)

MISP 2.4.148 released, including many bug fixes along with security fixes. This release fixes [CVE-2021-37742](https://cvepremium.circl.lu/cve/CVE-2021-37742) and [CVE-2021-37743](https://cvepremium.circl.lu/cve/CVE-2021-37743).

# New features and fixes

- Added an option to block organisation changes at login on ApacheShibbAuth
- Open data export has been refactored
- Fixed the Suricata export concerning sticky buffers
- ZMQ now includes the misp_json_warninglist topic in the pub-sub channels

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.
2021-08-09T10:15:54+00:00 MISP v2.4.149 MISP v2.4.149 2021-10-12T12:44:49+00:00 # MISP 2.4.149 released (Autumn care-package - STIX 2.1 support and Cerebrate integration) ![](https://www.misp-project.org/assets/images/misp-long.png) MISP 2.4.149 released including many bugs fixed along with some new and improved functionalities # New features - First stage of a massive rework of our STIX integration - Various improvements to the integration with Cerebrate # New STIX libraries - The first version of a long ongoing project to rework our entire STIX integration has finally been merged, thanks to the tireless work of @chrisr3d - Our converter libraries have embarked on a path of their own, becoming a standalone repository included by default in MISP, but also serving as a useful tool for anyone looking for a clean way of converting between the [MISP standard format](https://www.misp-standard.org/) and various STIX versions (1.1.1, 1.2, 2.0, 2.1). - The libraries are still work in progress, but continuously improved, follow [misp-stix](https://github.com/MISP/misp-stix) - Included is also a detailed documentation, which also serves as a knowledge base for the mapping between the two formats, available under the [documentation](https://github.com/MISP/misp-stix/tree/main/documentation) sub-directory - From this release on, you have more control over which STIX version is used when exporting STIX data from MISP, by specifying the "stix_version" to be returned (supported versions for STIX 1: 1.1.1 and 1.2. For STIX 2: 2.0 and 2.1) # Cerebrate integration - Allow the fetching of sharing group data from Cerebrate instances, our new open source tool in development aiming to solve a host of issues revolving around community management and orchestration. 
Our first official release of the tool is scheduled for the MISP summit coming up this month.
- To follow the Cerebrate project, head over to its [GitHub page](https://github.com/cerebrate-project/cerebrate)
- For the MISP summit to be held on the 21st of October, don't forget to watch the [misp-summit](https://www.misp-project.org/misp-summit) page. You can still apply for the [Call-for-Presentation](https://cfp.hack.lu/misp-2021/cfp).

# mail2misp release 1.0

First [official release 1.0 of mail2misp](https://github.com/MISP/mail_to_misp/releases/tag/v1.0), a tool that connects your mail infrastructure to MISP and creates events based on the information contained in mails. The solution can also be used to feed a MISP instance from a honeypot that receives emails.

# Various improvements

- A long list of improvements, massive thanks to @JakubOnderka for the continuous stream of improvements and quality-of-life changes
- Thanks to the work of @righel, our [OpenAPI documentation](https://www.misp-project.org/documentation/openapi.html) is becoming more and more complete, now covering a long list of the more exotic endpoints and options

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

2021-10-12T12:44:49+00:00 MISP v2.4.150 2021-11-23T10:01:11+00:00

# MISP 2.4.150 released

MISP 2.4.150 released, including a new CA bundle to combat the issues with the Let's Encrypt root CA expiration.
This is a follow-up release to 2.4.149 and has no other major changes besides pointing to our own repository of the framework that includes the new CA bundle.

# Sync issues due to the expiration of a Let's Encrypt root CA

As described in their [blog post](https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/#:~:text=On%20September%2030%202021%2C%20there,accept%20your%20Let's%20Encrypt%20certificate), Let's Encrypt had to retire an old root CA, meaning that TLS connections made when synchronising MISP with other instances would fail if the remote side used a Let's Encrypt certificate and the local trust store still relied on the retired root. This update includes a new CA bundle that should help you avoid any issues with this.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

2021-11-23T10:01:11+00:00 MISP v2.4.151 2021-11-23T13:47:51+00:00

# MISP 2.4.151 released

![](https://www.misp-project.org/assets/images/misp/blog/graph-syria.png)

MISP 2.4.151 released, including a host of bug fixes and a bunch of new features.

# New features

- New background processor by @righel
- Improvements to the CLI tools
- Bug fixes and improvements

# New background processor

- MISP has been using CakeResque for its background jobs for the better part of a decade.
Whilst it has served us well, the library has been stale for a long time, carries a (for us) unnecessary complexity and is generally the most difficult part of the application to debug.
- Luciano "@righel" Righetti has implemented a completely new, compatible background processing engine using Supervisord.
- Queue and execute jobs the same way as you are used to from before, and monitor worker progress via the tools provided by Supervisord in addition to MISP.
- No scheduling capabilities: these were an unnecessary overhead for us before, as we relied on cron jobs as our preferred scheduling mechanism anyway.
- Expect more improvements to this library over the course of the next months, but feel free to switch to using it already now.
- Currently it is completely optional and the old background processor will still be supported for a while.
- Be aware that manual setup steps are required to get the new processor working; refer to [the upgrade guide](https://gist.github.com/righel/8ebc6c84341f2aea7d0bfa124e535ef8) for the procedure if you decide to start using it already now.

# Various CLI changes

- Jakub Onderka has been doing a fair bit of refactoring and improvement of the CLI libraries.
- Additional administrative tools were added to help monitor and manage your MISP instance (such as Redis memory diagnostics, a MySQL table optimisation tool, etc.).

# Option to move the system settings to the database

- Traditionally all system config settings were stored in the config.php file. With a new configuration option, thanks to Jakub Onderka's implementation, the settings can be moved to the database rather than the file.
- This should help with persistence for containerised installations.

# Various improvements

- The previous version introduced a new STIX library as a replacement for the old one.
This change ended up causing update issues for some installations. The built-in updater is now aware of the change and should allow you to update easily via the UI/API updater, with the new STIX library working as intended.
- A long list of improvements, thanks to all contributors! For a detailed list of changes, head over to the [changelog](https://www.misp-project.org/Changelog.txt).

# MISP Modules

- New [Passive SSH](https://github.com/D4-project/passive-ssh) expansion module.
- Updated [Recorded Future](https://misp.github.io/misp-modules/expansion/#recordedfuture) expansion module to include links and related data.
- New [CIRCL hashlookup expansion](https://circl.lu/services/hashlookup/) module added.

The [MISP modules changelog is available](https://www.misp-project.org/Changelog-misp-modules.txt).

# MISP Taxonomies

- Updated taxonomies for [Interactive Cyber Training setup and environment](https://www.misp-project.org/taxonomies.html#_interactive_cyber_training_audience).
- Updated [fr-classification](https://www.misp-project.org/taxonomies.html#_fr_classif) to match IGI1300.

[MISP Taxonomies changelog](https://www.misp-project.org/Changelog-misp-taxonomies.txt) is available.

# MISP Galaxy

- Updated to MITRE ATT&CK version 10.
- Multiple updates in Malpedia, the threat actor galaxy and Office 365 techniques.

[MISP Galaxy changelog](https://www.misp-project.org/Changelog-misp-galaxy.txt)

# MISP Objects

- New JA3 server object added.
- New security playbook object added.
- New submarine object added.
- New Passive SSH object added.
- Updated device object.
- New hashlookup object added.
- New edr-report object added.

[MISP objects changelog](https://www.misp-project.org/Changelog-misp-objects.txt)

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.
This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements.

2021-11-23T13:47:51+00:00 MISP v2.4.152 2021-12-22T16:38:02+00:00

# MISP 2.4.152 released

![](https://www.misp-project.org/assets/images/misp/blog/timeline-improvement.png)

MISP 2.4.152 released with timeline improvements, optional filtering on sync, LinOTP improvements and more.

The LinOTP authentication module has been improved to include a mixed mode where both OTP and MISP's usual password authentication can be used together.

The timelining has been improved in several ways, such as the inclusion of images from objects, as well as various improvements in the timeline's sighting view. Several bugs that were affecting this feature have also been fixed.

A new optional synchronisation filter has been added to allow the removal of specific attribute or object types when syncing. The functionality is meant to be used by the final recipient organisations of a synchronisation chain, in order to filter out specific types of information due to legal or internal policies. The filtering feature is disabled by default and needs to be enabled in the general configuration. This feature is intended for ISACs or consumer organisations that do not redistribute information to other MISP communities, since a filtered copy would otherwise be propagated onwards as if it were complete.

A new STIX 1 and STIX 2 export for attribute restSearch has been added to complement the existing event export in STIX 1 and 2. The export works just like the event-level STIX export: all you need to do is specify the desired STIX format as the return type when querying the attribute restSearch endpoint.

Many internal improvements and bug fixes.
# MISP Modules

- New [Qintel sentry module](https://misp.github.io/misp-modules/expansion/#qintel_qsentry) added.
- [CIRCL hashlookup expansion](https://circl.lu/services/hashlookup/): SHA-256 support added.

The [MISP modules changelog is available](https://www.misp-project.org/Changelog-misp-modules.txt).

# MISP Taxonomies

- New [political spectrum taxonomy](https://www.misp-project.org/taxonomies.html#_political_spectrum) added.
- Improvements in the exercise taxonomy.
- New [deception taxonomy](https://www.misp-project.org/taxonomies.html#_deception) added.

[MISP Taxonomies changelog](https://www.misp-project.org/Changelog-misp-taxonomies.txt) is available.

# MISP Galaxy

- New matrix [CONCORDIA Mobile Modelling Framework - Attack Pattern](https://www.misp-project.org/galaxy.html#_concordia_mobile_modelling_framework_attack_pattern) added (thanks to the [Concordia H2020 project](https://www.concordia-h2020.eu/)).
- Many updates in the threat actor, RAT and tool galaxies.

[MISP Galaxy changelog](https://www.misp-project.org/Changelog-misp-galaxy.txt)

# MISP Objects

- New Concordia intrusion set object.
- New temporal event object.
- Many improvements in the user, person, postal-address and email objects.
- New relationships added, such as `found-in`, `works-with` and `drives`.

[MISP objects changelog](https://www.misp-project.org/Changelog-misp-objects.txt)

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html).
2021-12-22T16:38:02+00:00 MISP v2.4.153 2022-02-04T16:13:01+00:00

# MISP 2.4.153 released

![](https://www.misp-project.org/img/blog/timeline-improvement.png)

- MISP UI translation in Thai added.
- Improved the debugging of the synchronisation, including more meaningful messages in debug logs.
- Significant improvements in the [misp-stix library](https://github.com/MISP/misp-stix), supporting additional import coverage of files along with improvements to the STIX export.
- Improved debugging of the TLS handshake for synchronisation.
- Additional CLI tests for security.
- Markdown-IT library updated to the latest version (12.3.2), including security fixes.
- Improvements in the various MISP install scripts.

Many internal improvements and bug fixes. As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements in MISP core.

# MISP Modules

- New [VirusTotal collection export](https://misp.github.io/misp-modules/export_mod/#virustotal_collections) module added.
- Improved [Crowdstrike falcon expansion](https://misp.github.io/misp-modules/expansion/#crowdstrike_falcon) module.
- [Censys enrich module](https://misp.github.io/misp-modules/expansion/#censys_enrich) updated for the new Censys API.
- [New MWDB push module](https://misp.github.io/misp-modules/expansion/#mwdb) for malware samples in MISP.
- Various fixes to existing modules.

The [MISP modules changelog is available](https://www.misp-project.org/Changelog-misp-modules.txt).

# MISP Taxonomies

- New [State responsibility taxonomy](https://www.misp-project.org/taxonomies.html#_state_responsibility) added.
- [Workflow taxonomy](https://www.misp-project.org/taxonomies.html#_workflow) improved.
- [runtime-packers](https://www.misp-project.org/taxonomies.html#_runtime_packer) taxonomy improved.
- New [Unified Kill Chain taxonomy](https://www.misp-project.org/taxonomies.html#_unified_kill_chain) added.
[MISP Taxonomies changelog](https://www.misp-project.org/Changelog-misp-taxonomies.txt) is available.

# MISP Galaxy

- New surveillance group added: "Cytrox".
- New [threat actors](https://www.misp-project.org/galaxy.html#_threat_actor) such as SideCopy, AQUATIC PANDA and others.
- Many updates.

[MISP Galaxy changelog](https://www.misp-project.org/Changelog-misp-galaxy.txt)

# MISP Objects

- New social and personal relationships for MISP objects based on [FOAF relationships](https://www.perceive.net/schemas/20020722/relationship/).
- [Probabilistic data structure object](https://www.misp-project.org/objects.html#_probabilistic_data_structure) added, describing a space-efficient data structure such as a Bloom filter or similar structure.
- Many improvements in the GTP, Diameter and SS7 attack template objects.
- New STIX 2.1 objects such as artifact and identity are available as MISP object templates.
- Many improvements to different MISP object templates.

[MISP objects changelog](https://www.misp-project.org/Changelog-misp-objects.txt)

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html).

2022-02-04T16:13:01+00:00 MISP v2.4.154 2022-03-18T11:52:08+00:00

MISP 2.4.154 released with a host of new features and fixes, including some new tools that help us navigate the current geo-political landscape when sharing information.

# Sharing group blueprints

Difficult times often call for radical measures. With the recent world events we've seen more and more communities rapidly reorganising, as well as new large communities being established.
Sharing information with only subsets of communities has become ever more important, and whilst we've had the tools to facilitate this in MISP for a long time, rapidly managing different, often overlapping groups has been difficult.

Sharing group blueprints allow us to programmatically define reusable blueprints for generating sharing groups, based on inheritance and various filters, to automate the task of maintaining the groups. A sharing group blueprint accepts a JSON object from which it generates one sharing group, with various filters driving the decision making. The syntax allows for boolean operators as well as the use of organisation metadata and inheritance from existing sharing groups. This can also be used to create derivative groups with certain members excluded, for example:

```
{
  "AND": {
    "OR": {
      "org_sector": "Financial",
      "sharing_group_id": 127
    },
    "NOT": {
      "org_nationality": [
        "Russia",
        "Russian Federation",
        "Belarus",
        "Republic of Belarus"
      ]
    }
  }
}
```

The above would generate a sharing group out of all organisations present in sharing group 127 and any organisation that has "Financial" as its sector, but excluding organisations from any of the specifically negated countries. This system thrives on well-maintained organisation lists, so make sure that you put in the extra effort of contextualising your organisations!

Once a blueprint is created, you can review the organisations to be included and, if you are satisfied, create the actual sharing group by clicking on (re)generate sharing group.

![sharing-group-blueprint](https://user-images.githubusercontent.com/3668672/158998299-52bfc259-ad7a-43a7-8287-a1f368cc9845.png)

One of the advantages of this system is that the regeneration can be run at any time, for a single sharing group or for all, via the interface or the API.
This means that creating a cron job that regularly updates all sharing groups based on the rules is trivial, ensuring that, for example, organisations inherited via updated child sharing groups are kept current continuously.

# Populate events using MISP JSON elements

There's a new way to populate an individual, existing event: by uploading a JSON file containing MISP elements (such as attributes, objects, tags, galaxies, etc.). One can now easily paste JSON blobs into a form that can be accessed by clicking on "Populate from..." and selecting "Populate using a JSON file containing MISP event content data".

# Improvements to the OIDC authentication

A host of improvements and fixes, including the switch to a new library, developed by Jakub Onderka.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements in MISP core.
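To make the blueprint semantics described above concrete, here is a small evaluator, added as an example for this page and not taken from MISP's own (PHP) implementation. It parses the release note's blueprint verbatim and applies it to a constructed organisation directory. Everything not stated in the note is an assumption: the supported leaf filters (`org_sector`, `org_nationality`, `org_type`, `sharing_group_id`), that sibling keys are ANDed, that `NOT` means "none of the contained filters may match", and that a missing or JSON-null metadata field is treated as an empty string, so that a `NOT` filter cannot wrongly exclude an organisation that simply has no value set (the null-versus-empty-string case that the 2.4.155 follow-up release fixed).

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Org is one organisation record as the blueprint filters see it. A map keeps
// absent or JSON-null fields visible; field maps both to "" (an assumption of
// this example) so a NOT filter cannot exclude an org with no value set.
type Org map[string]interface{}

func (o Org) field(key string) string { s, _ := o[key].(string); return s }
func (o Org) id() int                 { v, _ := o["id"].(float64); return int(v) } // JSON numbers decode as float64

// Evaluator holds the organisation directory and the membership of existing
// sharing groups that a blueprint may inherit from via "sharing_group_id".
type Evaluator struct {
	Orgs          []Org
	SharingGroups map[int][]int // sharing_group_id -> member org ids
}

// eval evaluates a blueprint node against one organisation. With any=false the
// keys of the node are ANDed; with any=true (inside OR or NOT) one matching key
// is enough. NOT is read as "none of these may match" (assumption).
func (e *Evaluator) eval(node map[string]interface{}, org Org, any bool) bool {
	for key, val := range node {
		var ok bool
		switch sub, isNode := val.(map[string]interface{}); {
		case key == "AND" && isNode:
			ok = e.eval(sub, org, false)
		case key == "OR" && isNode:
			ok = e.eval(sub, org, true)
		case key == "NOT" && isNode:
			ok = !e.eval(sub, org, true)
		default:
			ok = e.matchField(key, val, org)
		}
		if ok == any {
			return any
		}
	}
	return !any
}

// matchField handles leaf filters: membership of an existing sharing group, or
// equality on a string metadata field. A list value matches if any entry does;
// unknown filter keys never match.
func (e *Evaluator) matchField(key string, val interface{}, org Org) bool {
	wants, isList := val.([]interface{})
	if !isList {
		wants = []interface{}{val}
	}
	for _, want := range wants {
		switch key {
		case "sharing_group_id":
			if sgid, ok := want.(float64); ok {
				for _, member := range e.SharingGroups[int(sgid)] {
					if member == org.id() {
						return true
					}
				}
			}
		case "org_sector", "org_nationality", "org_type":
			// blueprint keys carry an "org_" prefix that the record fields lack
			if s, ok := want.(string); ok && s == org.field(key[4:]) {
				return true
			}
		}
	}
	return false
}

// Generate parses a blueprint and returns the sorted ids of the organisations
// it selects, i.e. the membership of the sharing group to (re)generate.
func (e *Evaluator) Generate(blueprint string) ([]int, error) {
	var node map[string]interface{}
	if err := json.Unmarshal([]byte(blueprint), &node); err != nil {
		return nil, err
	}
	ids := []int{}
	for _, org := range e.Orgs {
		if e.eval(node, org, false) {
			ids = append(ids, org.id())
		}
	}
	sort.Ints(ids)
	return ids, nil
}

// Constructed sample directory (ids, names and metadata are invented); sharing
// group 127 is assumed to contain orgs 3 and 4. blueprint is the note's example.
const sampleOrgs = `[{"id":1,"name":"Bank A","sector":"Financial","nationality":"Luxembourg"},
 {"id":2,"name":"Bank B","sector":"Financial","nationality":"Russia"},
 {"id":3,"name":"CERT C","sector":"Government","nationality":"Belgium"},
 {"id":4,"name":"Telco D","sector":"Telecom","nationality":null},
 {"id":5,"name":"Vendor E","sector":"Software","nationality":"France"}]`
const blueprint = `{"AND":{"OR":{"org_sector":"Financial","sharing_group_id":127},
 "NOT":{"org_nationality":["Russia","Russian Federation","Belarus","Republic of Belarus"]}}}`

func NewSampleEvaluator() *Evaluator {
	var orgs []Org
	if err := json.Unmarshal([]byte(sampleOrgs), &orgs); err != nil {
		panic(err)
	}
	return &Evaluator{Orgs: orgs, SharingGroups: map[int][]int{127: {3, 4}}}
}

func main() {
	ids, err := NewSampleEvaluator().Generate(blueprint)
	fmt.Println(ids, err) // [1 3 4] <nil>: Bank A by sector, CERT C and Telco D inherited from 127
}
```

Bank B is dropped by the `NOT` clause even though it matches the `OR`, and Telco D (null nationality) is kept, which is the behaviour the 2.4.155 notes restore. Because the evaluator is pure, it can be re-run from a cron job against the current directory and group membership exactly as the note suggests.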
2022-03-18T11:52:08+00:00 MISP v2.4.155 2022-03-18T12:41:30+00:00

This release is a rapid follow-up to v2.4.154, addressing several rather annoying issues.

# Bugfixes

- Various bugfixes to the sharing group blueprint system (especially to it being more restrictive than intended)
- Updated the DB schema to stop the diagnostics complaining
- Fixed an issue with organisation meta fields defaulting to null rather than '' (causing the blueprint issue mentioned above)
- Rework of the DB schema dumper
- Fixes to the Kali Linux installer

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements in MISP core.

2022-03-18T12:41:30+00:00 MISP v2.4.156 2022-03-18T16:22:37+00:00

We are pleased to announce the immediate availability of MISP v2.4.156, a release bringing several new features and fixing two critical vulnerabilities. **We highly encourage everyone to update to this version as soon as possible**.

# Protected mode - cryptographic signing of synchronisation

With the current tensions, information assurance is in many ways becoming more and more important across the different MISP communities. Foul play is often quickly discovered and leads to ejection from a sharing community, which gives the different networks an inherent self-healing mechanism; in some cases, however, the criticality of the information calls for more active measures.
By design, MISP's sharing mechanisms rely on trust relationships between the different interconnected nodes in the various MISP networks. This means that in a mesh network of MISP nodes, information can travel via trusted synchronisation users, the information's veracity being ensured by the various site administrators of the different instances. In some cases this is not enough, especially when exchanging data that is meant to be acted upon blindly in a highly automated fashion: vetted block lists affecting large constituencies, for example, or the automatic blocking of traffic by service providers.

To support this use-case, MISP as of v2.4.156 has a new mechanism that allows event creators to attach a set of PGP instance signing keys to an event, which are used to sign the event on each hop of the synchronisation. This allows recipient MISPs to discard any updates coming from nodes that cannot produce a valid signature with one of the initial signing keys.

## An example

Alice and Bob each have their own MISP instances, with Alice feeding Bob critical information. Bob trusts this information immediately and blindly. Eve, wanting to remove data points from or dilute the information in Alice's stream, is also part of their broader network.

Traditionally, an event shared by Alice to the network would propagate to both Bob's and Eve's instances. Eve could in this case abuse her administrative privileges to modify the event, perhaps injecting disinformation and removing valid data. By synchronising this back to Bob, Bob's instance would see an incoming synchronised edit, which in a mesh network could be legitimate, and as such it would accept the change. Propagating it further back to Alice would be blocked by MISP's protection against remote modifications to data at origin.
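The Alice/Bob/Eve exchange above, together with the per-hop signature check that protected mode adds (described in the next paragraphs), replayed as a self-contained simulation. This is an added example written for this page, not MISP's own synchronisation code: MISP attaches PGP instance keys to the event, whereas the simulation uses Ed25519 from Go's standard library, and the event, instance and sync package structures are simplified stand-ins. One design point the simulation makes explicit, and which the note's description implies, is that a receiving instance verifies later updates against the key list it recorded when the protected event first arrived, not against whatever key list the incoming update claims; otherwise a tampering hop could simply substitute its own key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Event carries the fields protected mode cares about: the creator's payload
// and the instance signing keys attached to it. MISP uses PGP instance keys;
// Ed25519 stands in for them in this example.
type Event struct {
	UUID        string
	Content     string              // stand-in for the attributes and objects
	SigningKeys []ed25519.PublicKey // attached by the creator; empty = unprotected
	Signature   []byte              // produced by the instance that last pushed it
}

// digest is what each hop signs: payload plus the attached key list, so that
// swapping the key list invalidates the signature just like editing data does.
func (e *Event) digest() []byte {
	h := sha256.New()
	h.Write([]byte(e.UUID + "\x00" + e.Content + "\x00"))
	for _, k := range e.SigningKeys {
		h.Write(k)
	}
	return h.Sum(nil)
}

// Instance is one MISP node: its own signing key, its copy of each event and,
// for protected events, the key list recorded when the event first arrived.
type Instance struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	events  map[string]*Event
	trusted map[string][]ed25519.PublicKey
}

func NewInstance(name string) *Instance {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Instance{name, pub, priv, map[string]*Event{}, map[string][]ed25519.PublicKey{}}
}

// Create stores a new local event; keys lists the instances allowed to relay edits.
func (i *Instance) Create(uuid, content string, keys ...ed25519.PublicKey) {
	i.events[uuid] = &Event{UUID: uuid, Content: content, SigningKeys: keys}
}

// Edit changes the local copy, as any site administrator could do in the UI.
func (i *Instance) Edit(uuid, content string) { i.events[uuid].Content = content }

// Push signs the local copy with this instance's key and returns the package.
func (i *Instance) Push(uuid string) Event {
	ev := *i.events[uuid]
	ev.Signature = ed25519.Sign(i.priv, ev.digest())
	return ev
}

// Receive is the sync-side check. Unprotected events are accepted on the usual
// trust in the sync partner. For protected events the signature must verify
// under a key recorded at first receipt; the key list inside a later update is
// ignored, so a tampering hop cannot substitute its own key.
func (i *Instance) Receive(ev Event) error {
	keys, known := i.trusted[ev.UUID]
	if !known {
		keys = ev.SigningKeys // initial exchange: learn the creator's key list
	}
	if len(keys) > 0 {
		valid := false
		for _, k := range keys {
			if ed25519.Verify(k, ev.digest(), ev.Signature) {
				valid = true
			}
		}
		if !valid {
			return errors.New(i.Name + ": rejected " + ev.UUID + ": not signed by an attached instance key")
		}
		i.trusted[ev.UUID] = keys
	}
	stored := ev
	i.events[ev.UUID] = &stored
	return nil
}

func (i *Instance) Content(uuid string) string { return i.events[uuid].Content }

// Scenario replays the note's example: Alice attaches her and Bob's keys, Eve
// receives the event, tampers with it (and swaps in her own key) and pushes it
// to Bob; Alice's own later edit must still reach Bob. Values are constructed.
func Scenario() (eveRejected bool, aliceAccepted bool, bobSees string) {
	alice, bob, eve := NewInstance("Alice"), NewInstance("Bob"), NewInstance("Eve")
	alice.Create("evt-1", "block 192.0.2.10", alice.Pub, bob.Pub)
	pkg := alice.Push("evt-1")
	if bob.Receive(pkg) != nil || eve.Receive(pkg) != nil {
		panic("initial exchange must succeed")
	}
	eve.Edit("evt-1", "block 203.0.113.9")
	eve.events["evt-1"].SigningKeys = []ed25519.PublicKey{eve.Pub}
	eveRejected = bob.Receive(eve.Push("evt-1")) != nil
	alice.Edit("evt-1", "block 192.0.2.10 and 192.0.2.11")
	aliceAccepted = bob.Receive(alice.Push("evt-1")) == nil
	return eveRejected, aliceAccepted, bob.Content("evt-1")
}

func main() {
	fmt.Println(Scenario()) // true true block 192.0.2.10 and 192.0.2.11
}
```

With an empty key list the same `Receive` behaves like the unprotected sync described above and accepts Eve's edit, which is the contrast the note's two diagrams draw. The first-receipt rule is also why the initial exchange of a protected event has to come from a trusted path: whoever delivers it first fixes the key list the recipient will hold it to.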
![unprotected_sync_mode](https://user-images.githubusercontent.com/3668672/159035794-918f9c33-74dc-44e2-84db-34fdb1ba726a.png)

With protected mode enabled, this situation changes drastically. Alice can add her own signing key as well as Bob's to the event, ensuring that the only parties able to relay modifications to the event are Alice and Bob. When leaving Alice's instance, the event is signed with Alice's signing key. Since the event contains both Alice's and Bob's keys, any subsequent modification from Alice is accepted by Bob's instance: incoming edits are signed by Alice's key, and Bob validates the package with the public key he stored locally from the initial exchange. This means that Eve modifying the event and attempting to share it with Bob would get rejected: lacking the private keys of Alice and Bob, Eve can only sign it with her own key, which Bob's instance would immediately flag as suspicious and ultimately reject.

![protected_sync_mode](https://user-images.githubusercontent.com/3668672/159036489-f2d457aa-cb23-42a8-b10b-6d9e9a02e7f9.png)

## Usage

To get started with the feature, simply use the new protected mode field in the event view; you can convert any event into protected mode:

![protected1](https://user-images.githubusercontent.com/3668672/159038886-d82a516b-1281-4649-ac2d-ea456f7468ed.png)

At which point you can start adding individual keys:

![protected2](https://user-images.githubusercontent.com/3668672/159039506-e896ca51-7a96-4f3f-a46b-718df9e0072c.png)

Keep in mind that you can add multiple instance signing keys if you wish, for your trusted partners or for your own instances (for example if you have an internal MISP and a sharing MISP in the DMZ).

![protected3](https://user-images.githubusercontent.com/3668672/159039670-eb1e3b3d-8089-45c0-9511-aaf0ffc80b89.png)

As a caveat, keep in mind that this mechanism can limit the distribution of data inadvertently.
Even if the distribution level would allow it, the synchronisation will be limited to those who can sign the event for further propagation, so use this new functionality only when the use-case really calls for it.

A massive thank you to our good friend [Trey Darley](https://twitter.com/treyka) (@treyka) of Cert.be for the brainstorming session that led to the implementation of this feature!

# Context summary export

A new export format was added that generates an HTML representation of a summary of all context information from a set of filtered data. One could, for example, use restSearch to generate all context from any event that is attributed to a threat actor. The resulting HTML will include the MITRE ATT&CK matrix of all techniques leveraged in the selected events, as well as any other labelling and context.

# Event warning system

The new warning system warns users about potential improvements they could make to an event, such as resolving tagging issues, improving the quality of the event, etc. The system comes with a pluggable module system, making it easy to build and deploy your own warnings.

![warning_system](https://user-images.githubusercontent.com/3668672/159040894-99d951e3-a076-40c7-9bbd-9ff619df2e5c.png)

# Internal reworks

@JakubOnderka continues his massive crusade against ugly spaghetti code with a continuous stream of refactorings, this time massively improving the code-base of the synchronisation mechanism.

# Pentest - Several security issues resolved

We would like to thank Ianis BERNARD of NATO Cyber Security Centre. Based on the findings of their pentest we were able to resolve several security vulnerabilities, and as such we highly encourage everyone to update to v2.4.156 ASAP.

## Security fixes resolved

Four security vulnerabilities were fixed in this release. We strongly recommend everyone to install this version as soon as possible.
- CVE-2022-27245 - [Potential SSRF attacks fixed](https://github.com/MISP/MISP/commit/8dcf414340c5ddedfebbc972601646d38e1d0717) in generateServerSettings(); the interface is now restricted to the CLI only.
- CVE-2022-27243 - [Potential LFI attack fixed](https://github.com/MISP/MISP/commit/8cc93687dcd68e1774b55a5c4e8125c0c8ddc288) via a custom file setting.
- CVE-2022-27246 - [SVG logo upload restricted](https://github.com/MISP/MISP/commit/08a07a38ae81f3b55d81cfcd4501ac1eb1c9c4dc) for organisations by default, and made optional, to limit the potential risk of SVGs with an active payload.
- CVE-2022-27244 - [Stored XSS in the user add/edit forms fixed](https://github.com/MISP/MISP/commit/61d4d3670593b78e4dab7a11eb620b7a372f30e6) in the custom auth name, exploitable by a potentially malicious administrator.

# LinOTP auth improvements

Thanks to the lovely work submitted by @andurin, the LinOTP authentication subsystem now includes several improvements, amongst others the ability to conveniently manage and disable the subsystem directly via the system settings. Originally, the only way to disable the LinOTP authentication was to purge the related settings from the configuration files.

In order not to break the expected functionality for users that already have LinOTP configured, the default behaviour of the new "LinOTP.enable" setting differs a bit from other similar settings: when no value has been assigned by an administrator, the module is enabled by default if the LinOTP configuration keys exist in the configuration file. That means that if you had it configured before, it will be enabled by default; otherwise it will be disabled. Explicitly confirming the setting as either enabled or disabled overrides this behaviour with the selected value.

# A long list of other improvements

We have received a massive list of pull requests for enhancements and fixes.
Make sure you check out the [changelog](https://www.misp-project.org/Changelog.txt) for further details. # Acknowledgement We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements in MISP core. 2022-03-18T16:22:37+00:00 MISP v2.4.157 MISP v2.4.157 2022-03-25T14:21:20+00:00 We are pleased to announce the immediate availability of MISP v2.4.157, following a series of bug fixes as a quick follow up to 2.4.156. As a reminder, MISP v2.4.156 included several critical vulnerability fixes, as such, **we highly encourage everyone to update to this version as soon as possible**. It also brought several new important features that help communities ensure the veracity of their most critical shared data. # Fixes to the authkey handling Manage auth keys of your team as an org admin, until now this feature was broken and org admins had to log in as their automation / sync users in order to generate new keys. This is no longer the case, simply view the user you wish to create a new key for and do it directly from the interface or via the API. Keep in mind that org admins can only create keys for non administrator users. Thank you to @oivindoh for pointing this shortcoming out. # Fix to a breaking bug with event publishing Due to a bug introduced by a regression in 2.4.156, publishing events ended up not pushing events with sharing groups to remote instances. This is now resolved and for this in itself we already highly recommend updating to this version. 
Full instance pushes and pulls were not affected, and neither were events that didn't rely on sharing groups as their distribution model. Thank you to @treyka for finding the bug.

# New setting introduced to disable event lock checks

Sometimes the addition of certain features, whilst well intentioned, ends up being more annoying than useful. In these cases, unless it's something absolutely hindering, we still do not want to modify the default behaviour of MISP overnight. Such is the case with the event lock checks, which show a warning on the event view that another user is also editing the event, a simple hint to users that their view of the event's state may be outdated. This functionality is rather verbose when it comes to logging, gets in the way of debugging and can cause session persistence issues in certain cases. As such we've introduced a new setting to disable the functionality, and unless you or your community are especially attached to it, we recommend heading over to the server settings and disabling it via the `MISP.disable_event_locks` setting. Thanks to @github-germ and @packet-rat for pointing out the annoying nature of this feature.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements in MISP core.

2022-03-25T14:21:20+00:00

MISP v2.4.158 2022-04-20T07:43:37+00:00

We are pleased to announce the immediate availability of MISP v2.4.158.
This release includes a series of security fixes and as such **we highly encourage everyone to update to this version as soon as possible**. Thanks to Dawid Czarnecki of Zigrin Security for the in-depth penetration test and its findings, and to the Luxembourg Army for financing it. This is the follow-up to the Cerebrate penetration test, also conducted by Zigrin Security on behalf of the Luxembourg Army, as described [here](https://www.cerebrate-project.org/2022/01/27/Cerebate-version-1.4-released.html).

# Security fixes

Several security issues have been resolved; head over to [the security page](https://www.misp-project.org/security/) for a detailed break-down of the advisories including the associated CVEs. Whilst most of the listed vulnerabilities require an already compromised high-privilege account to exploit, we nevertheless advise all users to update their instances as soon as possible.

- Phar deserialisation - [Global fix](https://github.com/MISP/MISP/commit/0108f1bde2117ac5c1e28d124128f60c8bb09a8e) - [Individual additional mitigations](https://github.com/MISP/MISP/commit/93821c0de6a7dd32262ce62212773f43136ca66e)
- [XSS in LinOTP login](https://github.com/MISP/MISP/commit/9623de2f5cca011afc581d55cfa5ce87682894fd)
- [XSS in Galaxy clusters](https://github.com/MISP/MISP/commit/107e271d78c255d658ce998285fe6f6c4f291b41)
- [XSS in organisation fetchSGOrgRow](https://github.com/MISP/MISP/commit/ce6bc88e330f5ef50666b149d86c0d94f545f24e)
- [XSS in Event graph via tags](https://github.com/MISP/MISP/commit/bb3b7a7e91862742cae228c43b3091bad476dcc0)
- [XSS in Cerebrate view](https://github.com/MISP/MISP/commit/60c85b80e3ab05c3ef015bca5630e95eddbb1436)
- [Password confirmation bypass](https://github.com/MISP/MISP/commit/01120163a6b4d905029d416e7305575df31df8af)

## Announcement of a silent fix of phar deserialisation RCE in a previous release (v2.4.156)

As of the previous security release (v2.4.156), based on the pentest conducted by Ianis BERNARD of
the NATO Cyber Security Centre, a high-criticality vulnerability was also identified. We opted for a silent fix of the critical vulnerability whilst upgrading the announced criticality of the other security fixes included in the release. This is an extreme measure that we take whenever we want to ensure that the community is aware that they need to update as soon as possible, whilst not drawing attention to the actual critical vulnerability. If you have followed our guidance over the past month to update, you are already safe; if you are running a MISP instance below 2.4.156, **we highly encourage you to update to the latest version as soon as possible**.

- [Phar deserialisation silent fix](https://github.com/MISP/MISP/commit/8eff854fce1fea1521f33fffc2440df5b7e5c410)

# Custom email templates

Added the ability to override some of the standard e-mail templates with custom ones: drop templates mirroring the naming convention of the existing ones in `/var/www/MISP/app/View/Email/text` and `/var/www/MISP/app/View/Email/html` into `/var/www/MISP/app/View/Email/text/Custom/` and `/var/www/MISP/app/View/Email/html/Custom/` respectively. Currently supported templates: alert, password_reset.

# RestSearch improvements

Fixing a baffling oversight on our side, thanks to Tom King we can now search by sharing groups, not just by distribution levels.

# A long list of refactors and bugfixes

Massive thanks to Jakub Onderka for the continuous refactoring, simplifying and cleaning up of the code-base. For a full list of all the improvements that are part of this herculean effort, refer to the [changelog](https://www.misp-project.org/Changelog.txt).

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.
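Two of the fixes announced above concern file paths MISP reads from configuration: the LFI via the custom file setting (2.4.156) and phar deserialisation (2.4.158). In PHP, a path with a `phar://` prefix handed to `file_exists()` or `include` is dispatched to the phar stream wrapper, which unserialises the archive metadata, and `php://filter` and similar wrappers are the classic LFI vehicles. The block below is an added Python illustration, not MISP's code, of the checks a practitioner would put in front of such a setting; the second helper models the `Custom/` template override described in the 2.4.158 notes on top of the same validator. The directory names, the `.ctp` extension and the `demo()` tree are assumptions constructed for the illustration.

```python
"""Added example (not MISP's code): hardening a file path taken from configuration."""
import os
import re
import tempfile
from pathlib import Path

# Anything shaped like a URL scheme / PHP stream wrapper: phar://, php://, data:, file://
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


class UnsafePathError(ValueError):
    """Raised when a configured path must not be opened."""


def resolve_confined(base_dir: str, user_path: str) -> Path:
    """Resolve user_path inside base_dir or raise UnsafePathError.

    Rejects NUL bytes, scheme prefixes (which would select a stream wrapper),
    absolute paths, and any resolution that escapes base_dir once '..' and
    symlinks have been collapsed.
    """
    if "\x00" in user_path:
        raise UnsafePathError("NUL byte in path")
    if _SCHEME_RE.match(user_path):
        raise UnsafePathError("scheme or stream wrapper not allowed: %r" % user_path)
    if os.path.isabs(user_path) or user_path.startswith(("/", "\\")):
        raise UnsafePathError("absolute path not allowed: %r" % user_path)
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise UnsafePathError("path escapes %s: %r" % (base, user_path))
    return candidate


def find_email_template(view_root: str, fmt: str, name: str) -> Path:
    """Locate the e-mail template `name` for `fmt` ('text' or 'html').

    Mirrors the override convention from the 2.4.158 notes: <fmt>/Custom/<name>.ctp
    wins over <fmt>/<name>.ctp (the .ctp extension is an assumption here). The name
    goes through resolve_confined, so a crafted name cannot pull in a file outside
    the template directory.
    """
    if fmt not in ("text", "html"):
        raise ValueError("fmt must be 'text' or 'html'")
    fmt_dir = Path(view_root) / fmt
    for base in (fmt_dir / "Custom", fmt_dir):
        candidate = resolve_confined(str(base), name + ".ctp")
        if candidate.is_file():
            return candidate
    raise FileNotFoundError(name)


def demo() -> dict:
    """Build a throwaway View/Email tree (constructed data) and exercise both helpers."""
    root = tempfile.mkdtemp()
    (Path(root) / "text" / "Custom").mkdir(parents=True)
    (Path(root) / "html").mkdir()
    (Path(root) / "text" / "alert.ctp").write_text("default alert")
    (Path(root) / "text" / "Custom" / "alert.ctp").write_text("custom alert")
    (Path(root) / "text" / "password_reset.ctp").write_text("default reset")
    results = {
        "alert": find_email_template(root, "text", "alert").read_text(),
        "password_reset": find_email_template(root, "text", "password_reset").read_text(),
    }
    # Hostile values of the kind a compromised admin account could place in a setting
    hostile = ("phar://evil.phar/x", "php://filter/resource=alert",
               "../../etc/passwd", "/etc/passwd")
    for path in hostile:
        try:
            resolve_confined(root, path)
            results[path] = "ACCEPTED"
        except UnsafePathError:
            results[path] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-32s %s" % (key, value))
```

The scheme check is what matters for the phar case: a path-traversal filter alone lets `phar://` through because it contains no `..`, and resolving the path on the filesystem never happens when PHP hands it to a wrapper first. In PHP itself the same outcome can be forced globally with `stream_wrapper_unregister('phar')` where phar archives are not needed.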
This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements in MISP core.

2022-04-20T07:43:37+00:00

MISP v2.4.159 2022-05-30T17:05:38+00:00

We are pleased to announce the immediate availability of MISP v2.4.159. This release includes many improvements, bug fixes and performance improvements on large datasets.

![](https://www.misp-project.org/img/blog/graph-syria.png)

# Performance Improvements

- [DB] Add MysqlExtended DboSource to support index query hints.
- [Query] Add a new setting to disable taxonomy checks when browsing data.
- We discovered that some MISP users are still using slow file-based session handling in PHP. The diagnostic page now reports whether sessions are file based; we recommend everyone to use Redis sessions.
- Many additional speed-ups and faster functions in the MISP internals.
- Reduced memory usage when generating all correlations.

# Improvements

- [Feed] Allow disabling correlations for all events coming from a feed. This is useful when correlation needs to be disabled for an imported feed.
- [UI] Allow uploading a MISP event by pasting data into a textarea in addition to the file upload.
- An optional feature `clusters:attachMultipleClusters` is now available to allow mirroring attribute clusters to the event.
- [auditlog] Support for fetching event changes from a specific time.
- [UI] Allow filtering attributes from the Related Events box.
- [UI] Allow filtering attributes from the warninglist box.
- [UI] Many UI improvements to make the interface easier to read.
- [UI] Disable the correlation checkbox for non-correlating types.
- [STIX 2 import] Better galaxy parsing by looking for the ATT&CK technique id.
- [API] Enable the sharing group filter for the Event controller, not just for attributes.

# Fixes

- [STIX] Non-RFC-4122 UUIDs are no longer imported (they are skipped).
- [STIX 1 import] Save process network connections.
- [STIX 1 import] Fixed galaxy tag_names fetching from TTP names.

# Knowledge Bases

## MISP Taxonomies

- [dga] First version of the DGA taxonomy based on https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_plohmann.pdf.
- GrayZone of Active Defense, originally published by Washington University; v2 created and updated by DCG420.
- Various fixes to existing taxonomies.

## MISP Objects Template

- A new PaloAlto Threat Event object template has been added.
- An updated security playbook has been added.
- A new ransom negotiation object has been added.
- An improved Passive SSH template object.
- Various fixes and improvements to different object templates such as email, virustotal-submissions and others.

## MISP Galaxy

- Improved Cryptominers galaxy.
- Improved backdoors galaxy.
- Threat Actor galaxy updated and extended with new threat actors.
- MISP Galaxy updated for MITRE ATT&CK v11.2.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements in MISP core.
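Returning to the STIX import fix above that skips non-RFC-4122 UUIDs: the check is easy to get wrong because `uuid.UUID()` parses any 32 hex digits, including NCS, Microsoft GUID and reserved variants and version 0, so parsing alone proves nothing. The block below is an added example, not misp-stix's or MISP's code, of the two UUID checks an importer wants: reject identifiers that are not RFC 4122 UUIDs, and enforce uniqueness over the survivors (the back-end uniqueness constraint introduced in 2.4.162 is the same idea at the database layer). The sample identifiers are constructed for the illustration.

```python
"""Added example (not misp-stix's or MISP's code): RFC 4122 validation and de-duplication."""
import uuid


def is_rfc4122_uuid(value) -> bool:
    """True only for the RFC 4122 variant with a version in 1..5."""
    try:
        parsed = uuid.UUID(str(value))
    except (ValueError, TypeError):
        return False
    # .version is only defined for the RFC 4122 variant, so check the variant first
    return parsed.variant == uuid.RFC_4122 and 1 <= parsed.version <= 5


def canonical(value) -> str:
    """Lower-case hyphenated form, so '{...}', urn:uuid: and unhyphenated spellings collapse."""
    return str(uuid.UUID(str(value)))


def filter_identifiers(records):
    """records: iterable of (identifier, label).

    Returns (accepted, skipped, duplicates):
      accepted   - dict canonical uuid -> label, first occurrence wins
      skipped    - list of (identifier, reason) for non-RFC-4122 values
      duplicates - list of (canonical uuid, label) for repeats of an accepted id
    """
    accepted, skipped, duplicates = {}, [], []
    for value, label in records:
        if not is_rfc4122_uuid(value):
            skipped.append((value, "not an RFC 4122 UUID"))
            continue
        key = canonical(value)
        if key in accepted:
            duplicates.append((key, label))
            continue
        accepted[key] = label
    return accepted, skipped, duplicates


# Constructed sample: the first hex digit of the fourth group carries the variant bits
# (8..b = RFC 4122, 0..7 = NCS, c..d = Microsoft); the third group starts with the version.
SAMPLE = [
    ("5f3b8c2e-1f5e-4a2b-9c1d-3e7f0a6b9d11", "random (v4)"),
    ("1b4e28ba-2fa1-11d2-883f-0016d3cca427", "time-based (v1)"),
    ("5F3B8C2E1F5E4A2B9C1D3E7F0A6B9D11", "first id again, upper-case, no hyphens"),
    ("00000000-0000-0000-0000-000000000000", "nil uuid (NCS variant bits)"),
    ("5f3b8c2e-1f5e-4a2b-0c1d-3e7f0a6b9d11", "NCS variant"),
    ("5f3b8c2e-1f5e-4a2b-cc1d-3e7f0a6b9d11", "Microsoft GUID variant"),
    ("5f3b8c2e-1f5e-0a2b-9c1d-3e7f0a6b9d11", "version 0"),
    ("not-a-uuid", "garbage"),
]

if __name__ == "__main__":
    acc, skip, dup = filter_identifiers(SAMPLE)
    print("accepted:  ", list(acc))
    print("skipped:   ", [v for v, _ in skip])
    print("duplicates:", dup)
```

Note that the nil UUID fails the variant test, which is usually what you want from an importer: a record carrying an all-zero identifier is almost always a producer bug rather than a real object.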
Additional changelogs are available for [misp galaxy](https://www.misp-project.org/Changelog-misp-galaxy.txt), [misp-taxonomies](https://www.misp-project.org/Changelog-misp-taxonomies.txt), [misp-objects](https://www.misp-project.org/Changelog-misp-objects.txt) and [misp-modules](https://www.misp-project.org/Changelog-misp-modules.txt)

2022-05-30T17:05:38+00:00

MISP v2.4.160 2022-08-08T12:32:32+00:00

We are pleased to announce the immediate availability of MISP v2.4.160. With the August summer-holiday season kicking into high gear, we have a very special release for you all, containing a long list of major new features, improvements and general quality-of-life improvements. Unlike usual, this time around we're preparing separate blog posts for some of those major features, so follow the links below to read in-depth descriptions of each.

# Workflows

Something that has been in the works for quite some time is finally hitting a release version of MISP: as of 2.4.160, the first release of the built-in workflow system is out. It provides an easy-to-use yet extremely powerful graphical interface to modify how MISP handles certain tasks such as event publishing, user enrolment, synchronisation, etc., by adding additional logical steps to their execution, using a module system similar to the one already familiar from the enrichment, export and import subsystems. This is merely the first step (or leap rather) towards customising and sharing custom workflows; stay tuned for new features, improvements, triggers and modules in the near future. Head over to the [README](https://github.com/MISP/misp-workflow-blueprints/blob/main/README.md) as well as a nifty [slide deck](https://www.misp-project.org/misp-training/a.12-misp-workflows.pdf) to find out what this incredibly powerful tool can do for you and your community.
# New correlation engine

One of the biggest pain points recently has been our dated and rather bloated correlation engine, which could easily bring a long-running MISP instance to its knees when certain highly correlated data sources were synchronised. As of 2.4.160, we have 2 brand new correlation engines at your disposal, with the old engine being retired immediately. Please be aware that upgrading to the current version will regenerate your correlations using the new engine, which can take quite a long time (on our largest instance it took a whopping 40 hours!). With that said, we can assure you it's well worth the wait: it should resolve several long-standing performance bottlenecks as well as heavily cut down on the space requirements for your data. For more information on the new engines, their differences, the various new support tools and the benefits you should expect, head over to the [dedicated blog post](https://github.com/MISP/MISP/blob/2.4/docs/correlations.rework.md).

# STIX 2 library reworks

A massive amount of work has gone into the STIX 2.x library rework, bringing us closer and closer to a full mapping of everything expressible. We're collaborating with CISA and MITRE to ensure that MISP can both express and understand STIX to its fullest extent. For more information, head over to the [release notes](https://github.com/MISP/misp-stix/releases/tag/v2.4.160) on the MISP STIX library's repo.

# Mermaid support for Event reports added

Writing custom reports has become more and more popular, but one annoyance has been the lack of a way to depict graphs and flow charts without relying on external tools to create them (and sharing them as images, for example). Using Mermaid, you now have a nifty tool to build graphs out of simple text markup directly in the event report editor.
# Various other improvements

A long list of other improvements affects the performance and stability of the platform, alongside improvements to existing features. Head over to the changelog for a detailed list of changes.

# Acknowledgement

We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in [misp-objects](https://www.misp-project.org/objects.html), [misp-taxonomies](https://www.misp-project.org/taxonomies.html) and [misp-galaxy](https://www.misp-project.org/galaxy.html). As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements in MISP core. Additional changelogs are available for [misp galaxy](https://www.misp-project.org/Changelog-misp-galaxy.txt), [misp-taxonomies](https://www.misp-project.org/Changelog-misp-taxonomies.txt), [misp-objects](https://www.misp-project.org/Changelog-misp-objects.txt) and [misp-modules](https://www.misp-project.org/Changelog-misp-modules.txt)

2022-08-08T12:32:32+00:00

MISP v2.4.161 2022-08-11T15:30:58+00:00

We are pleased to announce the immediate availability of [MISP v2.4.161](https://github.com/MISP/MISP/releases/tag/v2.4.161).

![](https://www.misp-project.org//img/blog/workflow.png)

# Small improvements

- A new option added to log the last API request of an API key.
  (Thanks to Tom King for the contribution)
- Overcorrelation features have some new improvements:
  - A new tool to generate occurrence counts (real numbers this time)
  - A hook to truncate the over-correlating value table on recorrelation
  - We no longer store the partial counts as occurrences when generating correlations
- Performance improvements in event fetching
- Various performance tuning in the new correlation engine, including the full recorrelation

# Bugs fixed

- `tlp:amber+strict` and `tlp:clear` are now valid tags
- [stix2 import] Better `external_references` parsing for attack pattern objects

Thanks to all the contributors and users reporting bugs to make the software better. As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements in MISP core.

2022-08-11T15:30:58+00:00

MISP v2.4.162 2022-09-13T08:42:19+00:00

![](https://www.misp-project.org/img/blog/workflow.png)

We are pleased to announce the immediate availability of [MISP v2.4.162](https://github.com/MISP/MISP/releases/tag/v2.4.162) with a new periodic notification system, workflow updates and many improvements. In addition to the MISP v2.4.162 release, [misp-guard](https://github.com/MISP/misp-guard) has been released: a [mitmproxy](https://mitmproxy.org/) addon that inspects the events MISP is attempting to synchronise with external MISP instances via `PUSH` or `PULL` and applies a set of customisable rules defined in a JSON file. This is a complementary tool to support MISP users having to interconnect MISP instances between highly sensitive networks.

# Periodic notification system

As of version 2.4.162, MISP includes a **periodic summary** feature allowing users to consult a summary, based on a requested time-frame, of the data the user has access to.
Currently, summaries can be generated for 3 different periods, `daily`, `weekly` and `monthly`, and are then sent to all users who subscribed to one of these periods. Besides choosing which period to subscribe to, users can also specify filtering options such as tags or distribution level to be used when generating the summary. The summary can be sent via email in addition to the user-interface view.

![Periodic summary](https://www.misp-project.org/img/blog/periodic-summary/periodic-summary-2.png)
![Periodic summary](https://www.misp-project.org/img/blog/periodic-summary/periodic-summary-3.png)

For more information, check out the [Periodic summaries - Visualize summaries of MISP data](/2022/09/12/2022-09-12_periodic_notifications.html/) blog.

# Workflow improvements

- Added diagnostic support and support for arbitrary URLs in the webhook module.
- New Microsoft Teams module based on the webhook module.
- New email notification module to send email to a list of MISP users, including [Jinja templating](https://jinja.palletsprojects.com/en/3.1.x/).
- Tag names can now be used in workflows.

For more details about MISP Workflow, check out the [training materials](https://www.misp-project.org/misp-training/a.12-misp-workflows.pdf).

# MISP core improvements

- Allow option to delete tags on event sync prior to the soft-delete tag implementation.
- API/[Event:restSearch] Added option `event_tags` to filter on event tags only.
- API/RestSearch - Added support for the `static` parameter to produce static HTML output.
- Syslog/logging: vital information was omitted from certain log entries sent to syslog. If no custom message is specifically set for the log entry, the change field is now included.
- Enforce UUID uniqueness on the MISP data back-end.

# Bugs fixed

- [correlations] save the distribution state of the event before/after saving it, fixes #8528.
- [attribute tags] removal broken, fixes #8567.
- Class 'Folder' not found #8544.
- Create unique SIDs for email attributes in NIDS export.
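The misp-guard paragraph and the periodic summary filtering options above both come down to one predicate over an event: which tags it carries, at what distribution level, from which organisation, and since when. The block below is an added example, not misp-guard's code (misp-guard has its own JSON rule format) and not MISP's summary implementation: `guard_decision()` plays the sync guard deciding whether an event may leave the instance on `PUSH`/`PULL`, and `select_for_summary()` applies a subscriber's filter options to pick events for a summary. Event dicts follow the MISP JSON export layout (`Tag[].name`, `distribution`, `Attribute[].Tag`, `Orgc.name`, `timestamp`); the events, rules, subscription and case-insensitive tag matching are assumptions constructed for the illustration.

```python
"""Added example (not misp-guard's or MISP's code): one event matcher used as a sync
guard and as a periodic-summary filter."""


def event_tags(event: dict) -> set:
    """Every tag name on the event, its attributes and its object attributes, lower-cased."""
    names = [t["name"] for t in event.get("Tag", [])]
    attributes = list(event.get("Attribute", []))
    for obj in event.get("Object", []):
        attributes.extend(obj.get("Attribute", []))
    for attr in attributes:
        names.extend(t["name"] for t in attr.get("Tag", []))
    return {n.lower() for n in names}


def rule_matches(event: dict, rule: dict) -> bool:
    """A rule matches when every condition it carries holds (AND); other keys are ignored.

    Conditions: tags_any (list of tag names, at least one present anywhere in the event),
    distribution_in (list of MISP distribution levels: 0 org only, 1 community,
    2 connected communities, 3 all communities, 4 sharing group), orgc_in (creator org
    names), since (unix timestamp the event must be at or after).
    """
    if "tags_any" in rule:
        if not event_tags(event) & {t.lower() for t in rule["tags_any"]}:
            return False
    if "distribution_in" in rule and int(event["distribution"]) not in rule["distribution_in"]:
        return False
    if "orgc_in" in rule and event.get("Orgc", {}).get("name") not in rule["orgc_in"]:
        return False
    if "since" in rule and int(event.get("timestamp", 0)) < rule["since"]:
        return False
    return True


def guard_decision(event: dict, block_rules: list) -> tuple:
    """('block', rule name) for the first matching block rule, else ('allow', None)."""
    for rule in block_rules:
        if rule_matches(event, rule):
            return "block", rule["name"]
    return "allow", None


def select_for_summary(events, subscription: dict) -> list:
    """IDs of the events a subscriber's filter options select, in input order."""
    return [int(e["id"]) for e in events if rule_matches(e, subscription)]


# Constructed rules: what this instance refuses to push to (or accept from) a peer
OUTBOUND_BLOCK_RULES = [
    {"name": "never push tlp:red or PAP:RED data", "tags_any": ["tlp:red", "PAP:RED"]},
    {"name": "org-only and sharing-group events stay local", "distribution_in": [0, 4]},
    {"name": "partner X material is not re-shared", "orgc_in": ["PARTNER-X"]},
]

# Constructed subscription; in practice `since` is derived from the chosen period
WEEKLY_SUBSCRIPTION = {"period": "weekly", "tags_any": ["tlp:clear", "tlp:green"],
                       "distribution_in": [1, 2, 3], "since": 1_690_000_000}


def _event(eid, distribution, tags, attr_tags=(), orgc="OURORG", timestamp=1_695_000_000):
    """Shorthand for a constructed MISP-style event with one attribute."""
    return {"id": str(eid), "distribution": str(distribution), "timestamp": str(timestamp),
            "Orgc": {"name": orgc},
            "Tag": [{"name": t} for t in tags],
            "Attribute": [{"type": "ip-dst", "value": "198.51.100.%d" % eid,
                           "Tag": [{"name": t} for t in attr_tags]}]}


EVENTS = [
    _event(1, 3, ["tlp:clear"]),
    _event(2, 1, ["tlp:amber"], attr_tags=["PAP:RED"]),   # red tag hidden on an attribute
    _event(3, 0, ["tlp:red"]),
    _event(4, 4, ["tlp:green"]),                           # sharing-group distribution
    _event(5, 2, ["tlp:green"], timestamp=1_680_000_000),  # older than the summary window
    _event(6, 2, ["tlp:green"], orgc="PARTNER-X"),
    _event(7, 2, ["tlp:green"]),
]


def demo():
    decisions = {int(e["id"]): guard_decision(e, OUTBOUND_BLOCK_RULES) for e in EVENTS}
    return decisions, select_for_summary(EVENTS, WEEKLY_SUBSCRIPTION)


if __name__ == "__main__":
    decisions, summary = demo()
    for eid, (verdict, reason) in decisions.items():
        print("event %d: %s%s" % (eid, verdict, " (%s)" % reason if reason else ""))
    print("weekly summary events:", summary)
```

Event 2 is the case that justifies walking attribute tags and not only event tags: the event itself is only `tlp:amber`, but one attribute carries `PAP:RED`, and a guard that looked at `Event.Tag` alone would let it out. The summary selection is deliberately separate from the guard: it expresses what a subscriber asked for, and MISP's own ACL still decides what that user may see.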
Thanks to all the contributors and users reporting bugs to make the software better. As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements in MISP core.

Many improvements in the MISP galaxy and especially the threat-actor galaxy. There is a detailed [changelog](https://www.misp-project.org/Changelog-misp-galaxy.txt). Improvements in the `false-positive` taxonomy and many other taxonomies. There is a detailed [changelog](https://www.misp-project.org/Changelog-misp-taxonomies.txt). Multiple objects were updated and added, for [more details](https://www.misp-project.org/Changelog-misp-objects.txt).

2022-09-13T08:42:19+00:00

MISP v2.4.163 2022-09-26T14:12:21+00:00

![](https://www.misp-project.org/img/blog/periodic-summary/periodic-summary-2.png)

We are pleased to announce the immediate availability of [MISP v2.4.163](https://github.com/MISP/MISP/releases/tag/v2.4.163) with an updated [periodic notification system](https://www.misp-project.org/2022/09/12/2022-09-12_periodic_notifications.html/) and many improvements.

# Updated periodic notification system

- A new option has been added to set the number of days for the trending calculation.
- New correlations are now shown in the periodic notification.
- Only the top 10 MITRE ATT&CK techniques are displayed, sorted by number of occurrences.
- Layout has been improved in the UI and also in the static email rendering.
- Only show data in the chart for tags having changes over time.

For more information, check out the [Periodic summaries - Visualize summaries of MISP data](https://www.misp-project.org/2022/09/12/2022-09-12_periodic_notifications.html/) blog.

# Fixes

- The MISP [OpenAPI description file](https://www.misp-project.org/openapi/) has been improved.
- [community] Clarification concerning the NATO process.
- [ssdeep] Check if the ssdeep hash contains newline characters.
- Many code clean-ups and speed-ups included.
- Improvements and bugs fixed in the correlation engine.
- Many bugs fixed.

Thanks to all the contributors and users reporting bugs to make the software better. As always, a detailed and [complete changelog is available](https://www.misp-project.org/Changelog.txt) with all the fixes, changes and improvements in MISP core.

# misp-stix v2.4.163

misp-stix has been released too and is now in line with the MISP release schedule. The full [changelog is available](https://www.misp-project.org/Changelog-misp-stix.txt).

Many improvements in the MISP galaxy and especially the threat-actor galaxy; [360.net Threat Actors](https://www.misp-project.org/galaxy.html#_360_net_threat_actors) added. There is a detailed [changelog](https://www.misp-project.org/Changelog-misp-galaxy.txt). New `financial` taxonomy and many other taxonomies. There is a detailed [changelog](https://www.misp-project.org/Changelog-misp-taxonomies.txt). Multiple objects were updated and added, for [more details](https://www.misp-project.org/Changelog-misp-objects.txt). Various fixes in [misp-modules](https://misp.github.io/misp-modules/), for more [details](https://www.misp-project.org/Changelog-misp-modules.txt).

2022-09-26T14:12:21+00:00

MISP v2.4.164 2022-10-10T14:45:54+00:00

![](https://www.misp-project.org/img/blog/periodic-summary/periodic-summary-2.png)

We are pleased to announce the immediate availability of [MISP v2.4.164](https://github.com/MISP/MISP/releases/tag/v2.4.164) with a new tag relationship feature, many improvements and a security fix.

# New tag relationship feature

Relationships can now be added to any attribute tag or event tag. This works with tags and galaxy clusters. The new feature is available in the event view. The tag relationship feature is also exposed in the API under the endpoint `/tags/modifyTagRelationship/[scope]/[id]`, where `scope` is the attribute or event scope and `id` is the id of the EventTag / AttributeTag object.
# Improvements and bug fixes

- [periodic_report] Added a security recommendations section showing courses of action related to attack techniques.
- [workflow] Added support for `local` and `relationship` in workflows.
- [API/galaxyCluster/restSearch] Allow multiple filtering conditions to be used at once.
- [EventGraph] Added the entity comment in the graph as a tooltip, and support for comments in searches.
- [UI] Many improvements and optimisations.

# CVE-2022-42724

This release fixes a security vulnerability ([CVE-2022-42724](https://cvepremium.circl.lu/cve/CVE-2022-42724)) which allowed org admins to discover role names that should have been restricted to site admins. We strongly recommend MISP administrators to update to this latest version. For a more detailed changelog, please see the online [Changelog](https://www.misp-project.org/Changelog.txt).

2022-10-10T14:45:54+00:00

MISP v2.4.165 2022-11-22T09:28:31+00:00

![](https://www.misp-project.org/img/blog/workflow.png)

We are pleased to announce the immediate availability of [MISP v2.4.165](https://github.com/MISP/MISP/releases/tag/v2.4.165) with many improvements to the workflow subsystem along with various performance improvements.

# Improvements

- [workflow] Module to toggle/remove the to_ids flag
- [workflow] Added a generic module to support attribute editing
- [workflow] [triggers:event_after_save_new] Added 2 new triggers for new events and new events from pull.
- [workflow:execute_module] Allow ignoring format conversion before executing a module.
- [workflows:triggers] Added filtering capability on the index
- [CLI] Feed management added
- [CLI] Pretty and JSON output added in list and view feeds
- [Auth] OpenID Connect improved
- [freetext] Fetch security vendor domains from the [warninglist](https://github.com/MISP/misp-warninglists)
- [UI] Allow disabling PGP key fetching
- [UI] Show a warning if the user doesn't have permission to use the API
- [tool:eventgraph] Include relationships when using a pivot key
- [UI] Show the servers an event will be pushed to

# Performance improvements

- [feed] Store freetext feeds compressed in cache
- [internal] Store some data in Redis compressed to save memory
- [correlation] Do not correlate over-correlating values again during full correlation
- [internal] Add support for the [simdjson](https://github.com/simdjson/simdjson) extension
- [warninglist] Load warninglists from Redis for TLDs and security vendors

# Bugs fixed

- [tags] not passing name, filter and search all together would lead to the search not working

# Security issues

- [security] Permission checks for tag collections
- [security] Check user permission when attaching clusters

We strongly recommend MISP administrators to update to this latest version. For a more detailed changelog, please see the online [Changelog](https://www.misp-project.org/Changelog.txt).

# New workflow blueprints available

New [workflow blueprints](https://github.com/MISP/misp-workflow-blueprints/) were added to support new use-cases.

- [Attach `tlp:clear` on `tlp:white`](./blueprints/blueprint_attach-tlp_clear-on-tlp_white_1661328256.json) - Attach the `tlp:clear` tag on elements having the `tlp:white` tag.
- [`PAP:RED` and `tlp:red` Blocking](./blueprints/blueprint_pap_red-and-tlp_red-blocking_1661328258.json) - Block actions if any attributes have the `PAP:RED` or `tlp:red` tag.
- [Remove `to_ids` flag if the indicator appears in a known file list](https://github.com/MISP/misp-workflow-blueprints/blob/main/blueprints/blueprint_disable-to_ids-flag-for-existing-hash-in-hashlookup_1667228944.json) - Disable the to_ids flag for hashes present in [hashlookup](https://www.hashlookup.io/).
- [Set tag based on BGP Ranking maliciousness level](https://github.com/MISP/misp-workflow-blueprints/blob/main/blueprints/blueprint_set-tag-based-on-bgp-ranking-maliciousness-level_1668498668.json) - Set a tag based on the [BGP Ranking](https://bgpranking.circl.lu) maliciousness level.

# New MISP modules

- [expansion] Added the extract_url_components module to create an object from a URL attribute.
- [expansion] New [crowdsec](https://www.crowdsec.net/) expansion module added.
- [expansion] New [VARIoT IoT exploits database](https://www.variotdbs.pl/exploits/) expansion module added.
- [expansion] Updates to the hyasinsight expansion module.

# MISP taxonomies

- New misp-workflow taxonomy to have consistent tag messages for the MISP workflow.
- Taxonomy in support of integrating MISP with Sentinel; Sentinel indicator threat types added. For more [details](https://www.misp-project.org/Changelog-misp-taxonomies.txt).

# MISP galaxy

- Many updates to the threat actor database.
- Update of the MITRE ATT&CK framework to version 12.0. For more [details](https://www.misp-project.org/Changelog-misp-galaxy.txt).

# MISP objects

- New object to describe Telegram bots.
- Updated exploit object. For more [details](https://www.misp-project.org/Changelog-misp-objects.txt).

# Social network - Mastodon

The MISP project is now also reachable via Mastodon.
Feel free to follow us at @misp@misp-community.org

2022-11-22T09:28:31+00:00

MISP v2.4.166 2022-11-30T17:21:47+00:00

![Workflow screenshot](https://www.misp-project.org/img/blog/workflow.png)

We are pleased to announce the immediate availability of [MISP v2.4.166](https://github.com/MISP/MISP/releases/tag/v2.4.166) with new features and fixes, including two critical security fixes.

# TAXII 2.1 server push integration

In collaboration with CISA and MITRE, we have included the first version of the [TAXII](https://docs.oasis-open.org/cti/taxii/v2.1/taxii-v2.1.html) integration in MISP, allowing administrators to configure their MISP instances to push content to TAXII 2.1 servers. A dedicated blog post with more information will be published soon. On the server side, the [taxii2-client Python library](https://pypi.org/project/taxii2-client/) must be installed. The conversion is performed by the wonderful and efficient [misp-stix library](https://github.com/MISP/misp-stix).

# Logging rework

MISP's logging has been thoroughly reworked by Jakub Onderka, including a separate access log subsystem as well as multiple improvements and clean-ups to the system at large.

# Security fixes

Two critical vulnerabilities have been patched that allowed tampering with data shared in the community via galaxy clusters and tags. It is **HIGHLY** recommended to update to 2.4.166 as soon as possible to avoid information tampering. We also encourage everyone to consider informing peered MISP instance owners to do the same. CVEs have been requested and are pending for both. Thanks to Jakub Onderka for discovering and fixing the vulnerabilities.

# Allowing for working around the edge cases introduced by TLP v2.0

Even though [TLP 2.0](https://www.first.org/tlp/) has been supported by MISP for a while, in order to cope with both old and new tools as well as older information sources, we often see the need to attach both TLP:WHITE and TLP:CLEAR to data points.
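The rule at play here, as an added Python illustration rather than MISP's own code: an exclusive taxonomy permits one tag per namespace, and the TLP v2.0 exception treats `tlp:white` and `tlp:clear` as the same label. The block also models the two workflow blueprints listed in the 2.4.165 notes above (attach `tlp:clear` wherever `tlp:white` is present; block the action when any attribute carries `PAP:RED` or `tlp:red`). Which taxonomies are exclusive is an instance setting in MISP, so the `EXCLUSIVE_NAMESPACES` set is an assumption, as is the event layout (MISP JSON export) and the sample event, both constructed for the illustration.

```python
"""Added example (not MISP's code): taxonomy exclusivity with the TLP 2.0 exception,
plus the 'attach tlp:clear on tlp:white' and 'PAP:RED / tlp:red blocking' blueprints."""

EXCLUSIVE_NAMESPACES = {"tlp", "pap"}        # assumption: marked exclusive on this instance
TLP_V2_ALIASES = {"tlp:white": "tlp:clear"}  # TLP 2.0 renamed WHITE to CLEAR: one label
RED_TAGS = {"pap:red", "tlp:red"}


def namespace(tag: str) -> str:
    """'tlp:amber+strict' -> 'tlp'; a tag without ':' is its own namespace."""
    return tag.split(":", 1)[0].lower()


def exclusivity_violations(tags) -> list:
    """(namespace, sorted offending tags) for each exclusive namespace carrying more
    than one distinct label. Tags that alias to the same label (white/clear) count once."""
    labels_by_ns = {}
    for tag in tags:
        tag = tag.lower()
        ns = namespace(tag)
        if ns in EXCLUSIVE_NAMESPACES:
            label = TLP_V2_ALIASES.get(tag, tag)
            labels_by_ns.setdefault(ns, {}).setdefault(label, set()).add(tag)
    violations = []
    for ns, labels in sorted(labels_by_ns.items()):
        if len(labels) > 1:
            violations.append((ns, sorted(t for group in labels.values() for t in group)))
    return violations


def attach_tlp_clear_on_white(tags) -> list:
    """Blueprint: add tlp:clear to an element tagged tlp:white (no-op if already present)."""
    lowered = {t.lower() for t in tags}
    if "tlp:white" in lowered and "tlp:clear" not in lowered:
        return list(tags) + ["tlp:clear"]
    return list(tags)


def blocked_by_red(event: dict) -> bool:
    """Blueprint: True if any attribute (or object attribute) carries PAP:RED or tlp:red."""
    attributes = list(event.get("Attribute", []))
    for obj in event.get("Object", []):
        attributes.extend(obj.get("Attribute", []))
    return any(RED_TAGS & {t["name"].lower() for t in a.get("Tag", [])} for a in attributes)


def process_event(event: dict) -> dict:
    """Apply both blueprints to an event and report its exclusivity state."""
    tags = attach_tlp_clear_on_white([t["name"] for t in event.get("Tag", [])])
    return {"tags": tags,
            "violations": exclusivity_violations(tags),
            "blocked": blocked_by_red(event)}


# Constructed sample event in MISP JSON layout: event-level tlp:white, one attribute PAP:RED
SAMPLE_EVENT = {
    "Tag": [{"name": "tlp:white"}],
    "Attribute": [
        {"type": "ip-dst", "value": "198.51.100.7", "Tag": [{"name": "PAP:RED"}]},
        {"type": "domain", "value": "example.invalid", "Tag": []},
    ],
}

if __name__ == "__main__":
    print(process_event(SAMPLE_EVENT))
    print(exclusivity_violations(["tlp:amber", "tlp:amber+strict"]))
```

With the alias map emptied, the `tlp:white` plus `tlp:clear` pair is reported as a violation, which is the behaviour the exclusivity rules enforced before this release. Note that `tlp:amber` and `tlp:amber+strict` remain mutually exclusive: they are distinct sharing levels, not spellings of one label.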
This has, however, been blocked by the taxonomy exclusivity rules - something we've now added exceptions for. Let's hope that we can avoid similar surprises in the future. For more [details](https://www.misp-project.org/Changelog.txt) about changes in the MISP core software.

# Other updates and changes

## MISP Objects

- [passport object] Updated to include the passport-creation field.

## MISP Galaxy

- MITRE ATT&CK updated, fixing the missing reference
- Many improvements and fixes in all the meta fields
- Tool galaxy updated
- [Ransomware groups](https://www.misp-project.org/galaxy.html#_ransomware) updated

2022-11-30T17:21:47+00:00

MISP v2.4.167 2022-12-26T14:41:06+00:00

We are pleased to announce the immediate availability of [MISP v2.4.167](https://github.com/MISP/MISP/releases/tag/v2.4.167) with new features, bug fixes and a security fix.

# New features

## Timeline improvements for large events

![](https://www.misp-project.org/img/blog/time-occurence.png)

The timeline is a convenient way to display the different attributes and objects over time. Events with a large set of attributes or objects (more than 500) cannot display a human-readable timeline. Nevertheless, such events still contain a lot of valuable information, especially concerning occurrences over time. A new feature has been added in 2.4.167 to display the overall occurrences over time together with the overall sighting trend.

## Taxonomy highlight

For MISP users and organisations, it's important to surface the contextualised information, and especially the [taxonomies](https://www.misp-project.org/taxonomies.html), that matter to your use-case. We introduced a new feature to highlight the important taxonomies in a MISP instance.
The site admin user can select the important taxonomies in the taxonomy list:

![](https://www.misp-project.org/img/blog/highlight.png)

and then the taxonomy namespace will appear in a visible box:

![](https://www.misp-project.org/img/blog/highlight2.png)
![](https://www.misp-project.org/img/blog/highlight3.png)

## Create objects from free-text import

The free-text import in MISP is very nifty for analysts wanting to enter new attributes quickly. This functionality was initially used for attributes only. In 2.4.167, MISP objects can be created directly from the free-text import too.

![](https://www.misp-project.org/img/blog/free-text-create.png)

## API

- A new session kill-switch endpoint has been added for the support and integration of the MeliCERTes project.

## UI

- Clarify the exclusivity issue in the UI when exclusive tags are used in the TLP namespace.
- [dashboard] Sort dashboard widgets.

Many UI improvements, and a special thanks to Jakub Onderka for his attention to detail in the UI.

# Security fix

An XSS vulnerability has been fixed in this release and is tracked under [CVE-2022-47928](https://cvepremium.circl.lu/cve/CVE-2022-47928). We recommend all users to update to the latest version.

A huge thanks to all the contributors and supporters of the MISP project. This release wouldn't be possible without all the organisations and people supporting us to make MISP a reality. For more [details](https://www.misp-project.org/Changelog.txt) about changes in the MISP core software.

# Other updates and changes

## MISP Objects

- New thaicert-group-cards, Palantir ADS and [persona](https://itk.mitre.org/toolkit-tools/personas/) objects.
- Invalid UUIDs in object templates fixed, including mactim-timeline-analysis and fail2ban.

## MISP Galaxy

- New threat actors such as TAG-53, Malteiro and others added.
- RAT group updated.
- [Ransomware groups](https://www.misp-project.org/galaxy.html#_ransomware) updated.
## MISP taxonomies

- A new [aviation](https://www.misp-project.org/taxonomies.html#_aviation) taxonomy has been added. Thanks to the [European Air Traffic Management Computer Emergency Response Team](https://www.eurocontrol.int/service/european-air-traffic-management-computer-emergency-response-team).

# Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server, [misp-community.org](https://misp-community.org/), and don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign up if they want an account.

# MISP v2.4.168 (2023-02-16T14:41:01+00:00)

![](https://www.misp-project.org/img/blog/graph-syria.png)

We are pleased to announce the immediate availability of [MISP v2.4.168](https://github.com/MISP/MISP/releases/tag/v2.4.168) with bug fixes and various security fixes. It includes a rather substantial [release](https://www.misp-project.org/Changelog-misp-stix.txt) of [misp-stix](https://github.com/MISP/misp-stix), the core Python library for importing and exporting STIX (1, 2.0 and 2.1).

# Fixes

- Improvements to the indexTable
- Allow site admins to view event_creator_email for all events in export
- [shadowAttribute:accept] Restored accepting functionality for the proposals
- [feed:edit] Make sure to keep orgc_id at its saved value
- [tags:relationship] Fixed synchronisation of relationship_type

# Security fixes

- [CVE-2023-24070](https://cvepremium.circl.lu/cve/CVE-2023-24070) < MISP 2.4.168 - app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer field.
- [CVE-2023-24026](https://cvepremium.circl.lu/cve/CVE-2023-24026) < MISP 2.4.168 - app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.
- [CVE-2023-24027](https://cvepremium.circl.lu/cve/CVE-2023-24027) < MISP 2.4.168 - app/webroot/js/action_table.js allows XSS via a network history name.
- [CVE-2023-24028](https://cvepremium.circl.lu/cve/CVE-2023-24028) < MISP 2.4.168 - app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.

Thanks to the reporters, Cyber Controls from SIX Group and Dawid Czarnecki of Zigrin Security.

A huge thanks to all the contributors and supporters of the MISP project. This release wouldn't be possible without the help of all the organisations and people supporting us to make MISP a reality.

Go to the detailed [changelog](https://www.misp-project.org/Changelog.txt) for more details about the changes to the MISP core software.

# Other updates and changes in the MISP project

## MISP Objects

- A new MISP object has been created for [typosquatting-finder](https://typosquatting-finder.circl.lu/) output.

## MISP Galaxy

- New Sigma galaxy including all [Sigma rules](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json) and their ATT&CK relationships
  - [import script](https://github.com/MISP/misp-galaxy/blob/main/tools/sigma/sigma-to-galaxy.py) added
- Many updates to the threat-actor and ransomware MISP galaxies
- Improvements to the country galaxy

## MISP taxonomies

- Improvements to the aviation taxonomy

## MISP warning-lists

- New generator added for the Cached Chrome Top Million Websites
- Improved generator for gzip file sources
- VPN list generator fixed

# Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server, [misp-community.org](https://misp-community.org/) - don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

# MISP v2.4.169 (2023-03-14T20:45:17+00:00)

![](https://www.misp-project.org/img/blog/graph-syria.png)

We are pleased to announce the immediate availability of [MISP v2.4.169](https://github.com/MISP/MISP/releases/tag/v2.4.169) with various improvements and bug fixes.
It includes a [release](https://github.com/MISP/misp-stix/releases/tag/v2.4.169) of [misp-stix](https://github.com/MISP/misp-stix) with many improvements; misp-stix is the core Python library for importing and exporting STIX (1, 2.0 and 2.1).

# Improvements

- New MISP workflow module to support Splunk HEC export.
- Sighting ReSTsearch reworked to make it faster.
- dashboard-widget:TrendingTags improved with new filtering and over-time functionalities.
- New ApacheSecureAuth authentication scheme added.

# Fixes

- Invalid baseurl field type for TAXII servers fixed.
- Restore bro export (temporary fix until a complete rework of the bro export in ReSTsearch).

A huge thanks to all the contributors and supporters of the MISP project. This release wouldn't be possible without the help of all the organisations and people supporting us to make MISP a reality.

Go to the detailed [changelog](https://www.misp-project.org/Changelog.txt) for more details about the changes to the MISP core software.

# Other updates and changes in the MISP project

## MISP Objects

- A new MISP object `ransomware-group-post` has been created to support [ransomlook.io](https://www.ransomlook.io/).
- Improved `victim` object.
- A new MISP object `transport-ticket` has been created to share information about transports in MISP.
- Various improvements to `network-connection` and `network-socket`.
- A new MISP object `registry-key-value`.

For more details, the [misp-object changelog](https://www.misp-project.org/Changelog-misp-objects.txt) is available.

## MISP Galaxy

- A new MISP galaxy `first-dns` matrix describing DNS abuse techniques has been added.
- Various improvements in different galaxies such as `threat-actors`, `sigma`, `stealer`, `tools`, `region`, `360net` and MITRE ATT&CK.

For more details, the [misp-galaxy changelog](https://www.misp-project.org/Changelog-misp-galaxy.txt) is available.

## MISP warning-lists

- New `captive-portals` warning list added.
- New `parking` page warning list added.
For more details, the [misp-warninglists changelog](https://www.misp-project.org/Changelog-misp-warninglists.txt) is available.

# Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server, [misp-community.org](https://misp-community.org/) - don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

# MISP Professional Services

[MISP Professional Services (MPS)](https://www.misp-project.org/professional-services/) is a program handled by the lead developers of the MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.

# MISP v2.4.170 (2023-04-13T12:16:50+00:00)

We are pleased to announce the immediate availability of [MISP v2.4.170](https://github.com/MISP/MISP/releases/tag/v2.4.170) with new features, workflow improvements and bug fixes. It includes a [release](https://github.com/MISP/misp-stix/releases/tag/v2.4.170) of [misp-stix](https://github.com/MISP/misp-stix) with many improvements; misp-stix is the core Python library for importing and exporting STIX (1, 2.0 and 2.1).

![](https://www.misp-project.org/img/blog/workflow-2023.png)

# Workflow

- A new feature has been added to the "misp-workflow-modules" module. It is an event threat level `if logic` module.
- The "workflow-module:send_mail" module now allows org admins to receive send_log_mail.
- The "workflow-module:send_mail" module now allows all admins to use it.
- The "workflow:tag_if" module now correctly compares cluster tags.
- The "workflow-module:enrich_event" module now does not run enrichment if no filtered elements are found. Previously, if a filtering condition was set and no item was matched, the whole event was enriched. Now nothing happens.
- The "workflow-module:tag_if" module now supports galaxy clusters. This fixes issue #8959.
- The data type of the workflows.data column has been changed from TEXT to LONGTEXT in the "db:workflows" module. This should fix issue #8979.
- The "workflows" module now requires misp-modules for email.

# New security features

- Improved security of the API authentication: an IP can be pinned in a single click.
- Seen IP addresses per API key added.

# Fixes

- Add support for a `breakOnDuplicate` named parameter on the `/attributes/add` endpoint. The default value is `true`, which keeps the current behaviour of throwing an error when the user tries to add a duplicate attribute to an event. When set to `false` the endpoint works as an upsert, updating the attribute's `timestamp` and any other properties provided in the payload, and no error logs are written.
- The "'sharing_group_id' doesn't have a default value" error when importing an OpenIOC file has been fixed.

# Security fix

- [app/Lib/Tools/CustomPaginationTool.php allows XSS in the community index](https://cvepremium.circl.lu/cve/CVE-2023-28884).

A huge thanks to all the contributors and supporters of the MISP project. This release wouldn't be possible without the help of all the organisations and people supporting us to make MISP a reality.

Go to the detailed [changelog](https://www.misp-project.org/Changelog.txt) for more details about the changes to the MISP core software.

# Other updates and changes in the MISP project

## MISP Objects and Relationships

- New [Greynoise](https://www.greynoise.io/)-ip object.
- [network-socket] Added MAC address attributes.
- New relationship `rewrite` added.

For more details, the [misp-object changelog](https://www.misp-project.org/Changelog-misp-objects.txt) is available.

## MISP Galaxy

- Sigma galaxy updated to the latest version.
- Threat actor galaxies updated with new threat actors and improved.
- Ransomware group galaxy updated to be in line with [ransomlook.io](https://www.ransomlook.io/).
- Stealer galaxy updated.

For more details, the [misp-galaxy changelog](https://www.misp-project.org/Changelog-misp-galaxy.txt) is available.

## MISP warning-lists

- New warning-lists added for Google Bot.
- Updated warning-lists for all sources.

For more details, the [misp-warninglists changelog](https://www.misp-project.org/Changelog-misp-warninglists.txt) is available.

# Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server, [misp-community.org](https://misp-community.org/) - don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

# MISP Professional Services

[MISP Professional Services (MPS)](https://www.misp-project.org/professional-services/) is a program handled by the lead developers of the MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.

# MISP v2.4.171 (2023-05-18T07:46:20+00:00)

We are pleased to announce the immediate availability of [MISP v2.4.171](https://github.com/MISP/MISP/releases/tag/v2.4.171) with a long list of fixes, major STIX 2 improvements and an overhaul of the dashboard widget toolkit.

![image](https://github.com/MISP/MISP/assets/3668672/2fb13c67-e90f-4a4f-8707-f6717edcedb5)

# Dashboard rework

- In order to support communities' need to monitor ongoing trends, community growth and sharing activities in general, we've added and reworked a host of dashboard widgets.
- A large focus of the improvements was making the widgets more configurable, especially in terms of being able to create dashboards showing individual data per group of organisations. Groupings happen on the metadata of organisations, such as country, sector or the adaptable "type" field, allowing administrators to lump organisations into buckets based on commonalities in their community, such as membership status, sub-groups, etc.

![image](https://github.com/MISP/MISP/assets/3668672/fadabded-fcaf-4f32-a96b-bb70b323cc81)

- Additionally, time range definitions have been added for a host of the new and reworked widgets, allowing you to see changes in the current month, the past x days or the current year.
- New widgets include:
  - A new, filterable **organisation evolution** line-chart widget
  - **World map** showing country representation of the given community
  - A ticker showing the **latest users** being enrolled in the system
  - A ticker showing the **latest organisations** being enrolled in the system
  - List of **UI login counts** for the configured timeframe
  - List of **UI authentications** for the configured timeframe
  - **Published event** line-chart
  - Contributing **organisation** and **user top lists** (the latter requires enabling a security setting)
  - Filterable **trending attribute values** widget

# Workflows

- Work has begun on a larger rework allowing the creation of filtered paths in workflows, allowing the workflow creator to temporarily restrict the data in individual paths based on custom, configurable filtering.
- This will further allow administrators to configure workflow execution paths that only trigger on more refined subsets of the data, rather than on anything passing through.
- As always, workflows are still heavily a work in progress and are becoming more tightly integrated with the core MISP functionalities with each release.
# STIX 2.1 and TAXII integration improvements

- We would like to thank all users reporting unexpected misalignments in the STIX 2.1 conversion. We're striving for 100% coverage of the standard, and at times removing the ambiguity created by such a large standard can be difficult until we see those edge cases actually used by the various implementations.
- We appreciate the submission of any (sanitised) STIX 2.1 samples that cause unwanted results when ingested in MISP, or any (sanitised) MISP events that cause incorrect or inconsistently mapped STIX 2.1 to be generated.
- This release addresses a host of the bugs and misalignments reported, thanks to the tireless work of @chrisr3d.
- TAXII integration is still in its infancy and currently only supports a subset of tested target tools. Please let us know about anything that doesn't work for you, or if you have (successfully or unsuccessfully) integrated a TAXII server with MISP using the new feature.

# Fixes

- A long list of fixes affecting:
  - the workflows
  - the event index search, including the ability to search for attributes via performant full string searches
  - STIX 2.1
  - TAXII
  - PyMISP

For a detailed list of changes affecting the MISP core in this release, head over to the [changelog](https://www.misp-project.org/Changelog.txt).

# Other updates and changes in the MISP project

## MISP Objects and Relationships

- New risk-assessment-report object to share risk assessment reports such as the ones generated by [MONARC](https://www.monarc.lu/).
- New object template for [AI chat prompt](https://www.misp-project.org/objects.html#_ai_chat_prompt) such as ChatGPT.

For more details, the [misp-object changelog](https://www.misp-project.org/Changelog-misp-objects.txt) is available.

## MISP Galaxy

- MITRE ATT&CK galaxy updated to version 13.
- Sigma galaxy updated to the latest version.
- Threat actor galaxies updated with new threat actors and improved.
- Major improvements in the list of relationships between the threat-actor galaxy and the other galaxies.
- Microsoft's new threat-actor taxonomy added, along with the relationships from the previous Microsoft naming.
- Improved tooling to manage relationships between the different galaxy clusters.

For more details, the [misp-galaxy changelog](https://www.misp-project.org/Changelog-misp-galaxy.txt) is available.

## MISP warning-lists

- Updated warning-lists for all sources.

For more details, the [misp-warninglists changelog](https://www.misp-project.org/Changelog-misp-warninglists.txt) is available.

## MISP taxonomies

- Updated and expanded dark-web taxonomy.

For more details, the [misp-taxonomies changelog](https://www.misp-project.org/Changelog-misp-taxonomies.txt) is available.

# Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server, [misp-community.org](https://misp-community.org/) - don't forget to follow [@misp@misp-community.org](https://misp-community.org/@misp) on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

# MISP Professional Services

[MISP Professional Services (MPS)](https://www.misp-project.org/professional-services/) is a program handled by the lead developers of the MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.

# MISP v2.4.172 (2023-06-13T10:01:14+00:00)

We are pleased to announce the immediate availability of [MISP v2.4.172](https://github.com/MISP/MISP/releases/tag/v2.4.172) with new TOTP/HOTP authentication, many improvements and bug fixes.

# Time-based and single-use one-time password support (TOTP / HOTP)

TOTP support is now included in MISP.
This functionality works in two modes:

- (default) optional (T/H)OTP for users (when the required libraries are installed)
- (optional) mandatory (T/H)OTP for all users

When logging in, the user can enter either the TOTP or the HOTP (one-time paper token). OTP attempts are also limited by the Bruteforce component, so multiple failed attempts will result in a temporary block.

HOTP is available for recovery and also for secure environments where mobile phones or electronic devices are forbidden.

Users can generate a TOTP secret through their Profile page:

![image](https://github.com/MISP/MISP/assets/1073662/ceba1dba-694d-4c77-bc08-232766e6dd00)

A QR code is generated and they need to enter the code once to confirm all is well:

![image](https://github.com/MISP/MISP/assets/1073662/69e5362c-02f5-4707-b429-6797683d9bdf)

Then they are directed to the page containing their next 50 HOTP/paper tokens:

![image](https://github.com/MISP/MISP/assets/1073662/22cd6bdd-5309-4e53-9411-b6cb19ff73c6)

Their profile then shows they have a token; they can also check again what their paper tokens are:

![image](https://github.com/MISP/MISP/assets/1073662/faeb286f-eddb-4e98-ba91-ec315f198b14)

So does the admin page (the phone icon):

![image](https://github.com/MISP/MISP/assets/1073662/0a9af5cd-99cb-467e-af4a-36a8d57438c3)

(Org) admins can delete the secret of a user:

![image](https://github.com/MISP/MISP/assets/1073662/90c5977d-c6e9-445d-bc5f-81e9ac0ed35a)

Once they have their TOTP secret, after the user/password window they are prompted to enter the TOTP or the HOTP.

![image](https://github.com/MISP/MISP/assets/1073662/4dc4fbc2-ad7b-4b90-a83b-9a6034e9f64f)

Logging is also generated:

![image](https://github.com/MISP/MISP/assets/1073662/4952cf9b-8605-46f3-9aba-bfe2b1a179b5)

The `MISP.totp_required` security setting allows enforcing TOTP for the whole MISP instance. In this case users are invited to set up their TOTP at next login. They cannot access any other page until they have validated the TOTP.
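To make the login check described above concrete, here is an added standard-library Python model (not MISP's code, which relies on the spomky-labs/otphp PHP library): one TOTP secret, a batch of HOTP paper tokens that are each accepted at most once, and a failure counter that stands in for the Bruteforce component. It assumes the paper tokens derive from the same secret as the TOTP and a lockout threshold of 5 failures; both are assumptions, not details from the release.

```python
import hashlib
import hmac
import struct
import time
from typing import List, Optional

DIGITS = 6
TOTP_STEP = 30          # seconds per TOTP window (RFC 6238 default)
PAPER_TOKENS = 50       # MISP shows the user their next 50 HOTP/paper tokens
MAX_FAILURES = 5        # assumed threshold; stands in for MISP's Bruteforce component


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, max(at, 0) // step)


class OtpAccount:
    """Per-user second-factor state: one shared secret (assumption), a moving HOTP counter
    so each paper token is accepted at most once, and a failure counter for lockout."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.hotp_counter = 0   # index of the next unused paper token
        self.failures = 0

    def paper_tokens(self, n: int = PAPER_TOKENS) -> List[str]:
        """The next n HOTP codes, i.e. the 'paper tokens' page MISP shows after enrolment."""
        return [hotp(self.secret, self.hotp_counter + i) for i in range(n)]

    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        """Accept either the current TOTP (one step of clock skew either side) or an unused paper token."""
        if self.locked():
            return False   # temporarily blocked, mirroring the Bruteforce component
        now = int(time.time()) if now is None else now
        for skew in (-1, 0, 1):
            if hmac.compare_digest(totp(self.secret, now + skew * TOTP_STEP), submitted):
                self.failures = 0
                return True
        for i in range(PAPER_TOKENS):
            if hmac.compare_digest(hotp(self.secret, self.hotp_counter + i), submitted):
                # consume this token and every earlier one: a replayed token must never work again
                self.hotp_counter += i + 1
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # RFC 4226 test secret (ASCII "12345678901234567890"), used here as constructed demo input
    acct = OtpAccount(b"12345678901234567890")
    print("first paper tokens:", acct.paper_tokens(3))      # ['755224', '287082', '359152']
    print("TOTP at t=59:", totp(acct.secret, 59))             # 287082 (RFC 6238 SHA-1 vector)
    print("paper token accepted:", acct.verify("359152", now=10**6))
    print("replay rejected:", not acct.verify("359152", now=10**6))
```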
The server-wide parameter has a beforeHook to ensure the required PHP libraries are installed, as otherwise the admin might lock themselves out.

Requires 2 additional PHP libraries to be installed through composer:

- "spomky-labs/otphp"
- "bacon/bacon-qr-code"

# TAXII preview

TAXII integration is still in its infancy in MISP, but with the current release we aim to make the process of interacting with a TAXII server more in-depth. Prior to the current release, you could add a TAXII server connection pointing to a collection and initiate a filtered push of your MISP data; however, there was no way to view the contents of the collection, nor to see your data reflected after a push. The current release aims to complete the work on the initial TAXII push functionalities, with a TAXII browser built into the tool along with various fixes to bugs and issues that were reported against the prior implementation.

## Adding a TAXII connection

Simply add a TAXII server via the TAXII connections interface (sync actions -> List TAXII servers):

![image](https://github.com/MISP/MISP/assets/3668672/7ba0b218-bc3f-49f0-83d5-74e1bcd6abc5)

Make sure that you configure the filters used to decide which of your events should be pushed to the given server. Creating a local tag such as "taxii_push" allows you to manually control and label events to be pushed, as in the example above.

Once the basic server information has been entered, use the wrench button on top of the `API root` field to populate the dropdown with the valid options found on the TAXII server. Once you've selected a root, click the wrench on top of the `collection` field to populate it and select the target collection for the connection.
![image](https://github.com/MISP/MISP/assets/3668672/ac855fb5-18ff-48a2-8925-f1e3087879bc)

## Viewing the connection and browsing the contents

Once a connection is established, you can view the connection object and list its collections and the objects in the configured collection on the taxii_servers/view/[id] endpoint, as follows:

![image](https://github.com/MISP/MISP/assets/3668672/dd294504-abf6-4a74-9b8c-ddde16e4c5f9)

You can view individual collections and browse their contents, paginating through all STIX objects (the default collection is shown at the bottom of the page). By clicking view on a STIX object, you can view the STIX 2.1 JSON object in full:

![image](https://github.com/MISP/MISP/assets/3668672/31fa49c9-e1ad-43b8-96e1-b88acaee1fe6)

Simply use the push button on the TAXII server index to initiate a push to the selected collection with the pre-defined filters.

# Other updates and changes in the MISP project

## Roles and permission

- [role permission] updated for viewing feed correlations
  - added additional role permission
  - allows hiding feed correlations from users
  - main purpose is with very large instances, to reduce the load on redis

## Dashboard

- [usage data widget] added a global caching for attribute counts.

## Bugs/performance

- [performance] fix for events with large numbers of attributes and multiple tags from the same taxonomy. [iglocska]
  - the taxonomy conflict checks were causing multiple issues:
    - non taxonomy tags were counted as a taxonomy with namespace ''
    - once we identified a tag pair that could cause a conflict (same taxonomy) we loaded the taxonomy into redis
    - however, in order to see if we already have the taxonomy loaded, we went to redis to do a GET
    - in the case of 1 million attributes with at least 1 tag pair, at the minimum this means 1 million GETs on redis with an event
  - Resolution
    - remove the checks for non taxonomy tags
    - store the identified taxonomies temporarily on the model itself in memory
    - only go to redis when the model doesn't have the taxonomy cached in memory
    - still using the old approach when dealing with multiple small events
  - thanks to @github-germ for flagging the issue

## MISP Objects and Relationships

- New object for [scanning result](https://www.misp-project.org/objects.html#_scan_result) (network and local).
- New object for [CrowdSec Threat Intelligence - IP CTI search](https://www.misp-project.org/objects.html#_crowdsec_ip_context).
- New object for [Cobalt Strike Beacon Config](https://www.misp-project.org/objects.html#_cs_beacon_config).

For more details, the [misp-object changelog](https://www.misp-project.org/Changelog-misp-objects.txt) is available.

## MISP Galaxy

- [attck4fraud](https://github.com/MISP/misp-galaxy/blob/main/clusters/attck4fraud.json) updated with [EAST data](https://www.association-secure-transactions.eu/).
- Updated [Malpedia](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json) information.
- Updated [Threat actor](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json) database.

For more details, the [misp-galaxy changelog](https://www.misp-project.org/Changelog-misp-galaxy.txt) is available.

## MISP warning-lists

- Updated warning-lists for all sources.
For more details, the [misp-warninglists changelog](https://www.misp-project.org/Changelog-misp-warninglists.txt) is available.

## MISP taxonomies

- Updated [workflow taxonomy](https://www.misp-project.org/taxonomies.html#_workflow).
- Added [information-origin](https://www.misp-project.org/taxonomies.html#_information_origin) taxonomy for tagging information by its origin: human-generated or AI-generated.
- Added [crowdsec](https://www.misp-project.org/taxonomies.html#_crowdsec) - CrowdSec IP address classifications and behaviors taxonomy.

For more details, the [misp-taxonomies changelog](https://www.misp-project.org/Changelog-misp-taxonomies.txt) is available.

# Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server, [misp-community.org](https://misp-community.org/) - don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

# MISP Professional Services

[MISP Professional Services (MPS)](https://www.misp-project.org/professional-services/) is a program handled by the lead developers of the MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.

# MISP v2.4.173 (2023-07-11T07:00:01+00:00)

We are pleased to announce the immediate availability of [MISP v2.4.173](https://github.com/MISP/MISP/releases/tag/v2.4.173) with a new password reset feature, along with a host of quality-of-life improvements and fixes.

# Password reset self-service

We have added a new functionality allowing administrators to enable user self-service for forgotten passwords.
When enabled, users will have an additional link below the login screen, allowing them to enter their e-mail address and receive a token that can be used to reset their password. The feature requires the user to have a valid encryption key, and the lifetime of the tokens is hard-coded to 10 minutes.

![image](https://github.com/MISP/MISP/assets/3668672/9ca9953b-d0a6-4fdb-a262-d6481e698bd7)

# New dashboard widgets

The dashboard has seen another round of improvements, with various fixes and new widgets added. 2.4.173 includes the following new widgets:

- Logarithmic events/org chart (thanks @vincenzocaputo)
- ATT&CK heatmap widget

Additionally, you can now download the raw data used to feed each widget.

![image](https://github.com/MISP/MISP/assets/3668672/e91159db-00cd-407d-a302-7a0221f5179f)

# Security fixes

2 vulnerabilities have also been resolved:

## Stored XSS via select page titles

Improper sanitisation of user-controlled data ending up in view titles led to stored XSS. Huge thanks to Ulaş Deniz İlhan from Zigrin Security (absolute heroes at discovering vulnerabilities in MISP!)

[CVE-2023-37307](https://cve.circl.lu/cve/CVE-2023-37307)

## RCE via uploaded certificates

Malicious administrators could trigger RCE by uploading a well-crafted file as an SSL certificate for the sync connection.

[CVE-2023-37306](https://cvepremium.circl.lu/cve/CVE-2023-37306)

Additional information on the vulnerability can be found in the excellent [blog post from Synacktiv](https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle). Huge thanks to @righel for finding and fixing the vulnerability!

# A long list of fixes

As always, we have been diligent in including a long list of fixes, including for issues with server sync certificate handling, URL encoding of spaces in search strings, CSRF errors and much more! For a detailed list of fixes, please refer to the [changelog](https://www.misp-project.org/Changelog.txt).
## MISP Objects and Relationships

- Updated relationships to include the ones used by [LookyLoo](https://lookyloo.circl.lu)
- Many improvements following the [OASIS STIX TC](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti)

For more details, the [misp-object changelog](https://www.misp-project.org/Changelog-misp-objects.txt) is available.

## MISP Galaxy

- Updated threat actor database to include the Budapest Convention relation.

For more details, the [misp-galaxy changelog](https://www.misp-project.org/Changelog-misp-galaxy.txt) is available.

## MISP warning-lists

- New digitalSide.IT warninglist added.
- Updated warning-lists for all sources.

For more details, the [misp-warninglists changelog](https://www.misp-project.org/Changelog-misp-warninglists.txt) is available.

## MISP taxonomies

For more details, the [misp-taxonomies changelog](https://www.misp-project.org/Changelog-misp-taxonomies.txt) is available.

# Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server, [misp-community.org](https://misp-community.org/) - don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

# MISP Professional Services

[MISP Professional Services (MPS)](https://www.misp-project.org/professional-services/) is a program handled by the lead developers of the MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.
# MISP v2.4.174 (2023-07-31T14:29:26+00:00)

![](https://www.misp-project.org/img/blog/2.4.174/blueprint-falsepositive-warninglist.png)

We are thrilled to announce the immediate availability of [MISP v2.4.174](https://github.com/MISP/MISP/releases/tag/v2.4.174) with significant workflow improvements, accompanied by a host of quality-of-life enhancements and bug fixes.

## General Improvements

- [Authkeys] We have added a new setting that allows mandating an IP allowlist for advanced authkeys, providing an extra layer of security.
- [event:publishSightingsRouter] We have changed this from the prio worker to the default worker, resulting in better performance and reliability.

## Sync Fixes and Improvements

- [proposal] Sync fixes have been implemented, including the option to disable correlation/proposal to delete fields in the proposal index. This change ensures that the fields are included during pulls, preventing any discrepancies.
- [proposal accept] The issue related to deletions has been fixed, ensuring smooth proposal acceptance.
- [sightings] Sightings are now only pushed via full push to avoid congestion, optimising the syncing process.

## Bug Fixes

- [stix export] We have resolved issues related to empty inputs during STIX export, ensuring accurate and consistent results.
- [taxii_push] The `taxii_push` script now correctly passes the standard MISP JSON format to misp-stix, avoiding any format-related problems.
- [security] We now reset otp_secret on logout, enhancing security.
- [authkeys] The admin read-only key is now allowed to access audit logs (#9191), improving access control.

These updates and fixes mark a significant step forward for MISP, delivering a more efficient, secure, and reliable experience for our users. We encourage everyone to upgrade to the latest version to take advantage of these improvements.
For more details and to access the release, please visit [MISP v2.4.174](https://github.com/MISP/MISP/releases/tag/v2.4.174). Thank you for your continued support and feedback, which has been instrumental in making MISP better with each release.

For a more detailed overview of the MISP workflow improvements and of the improvements in the various MISP submodules/projects, check below.

# MISP Workflows improvements overview

We had the pleasure of being invited to participate in [GeekWeek](https://www.cyber.gc.ca/en/geekweek/geekweek-8) with the main objective of streamlining the identification of false positives and simplifying the process of building workflows. We developed new modules for both the enrichment and the workflow systems and introduced self-contained blueprints acting as building blocks to make the creation of complex IoC curation pipelines feel like a breeze. In addition, this release includes numerous little UI/UX treats for the workflow system, hoping to provide a more efficient and user-friendly experience.

Overall, the following work was carried out:

- 5 new workflow modules related to tagging, enrichment & curation
- 3 new [enrichment modules](https://github.com/MISP/misp-modules/) to improve false-positive detection from different services
  - Many thanks to [TinyHouseHippos](https://github.com/TinyHouseHippos) for adding support for [Google Safe Browsing](https://safebrowsing.google.com/) and [AbuseIPDB](https://www.abuseipdb.com/)!
- 9 new workflow blueprints using the above modules to make the curation of incoming data a simple task
- Many quality-of-life improvements for the workflow editor interface

## Curation blueprints

To give an idea of what these blueprints look like, let's have a look at `Flag false-positive tripping over warninglists`.

![Blueprint `Flag false-positive tripping over warninglists`](https://www.misp-project.org/img/blog/2.4.174/blueprint-falsepositive-warninglist.png)

In a few words, here is what's going on:

1. The system integrates warninglist hits in the data
2. Attributes having a hit on a warninglist of type `false_positive` are kept, the others are filtered out
3. Depending on the configuration, the `to_ids` flag will be disabled or kept as is
4. Tags are attached accordingly, marking matching IoCs as false positives

It should be noted that every curation blueprint is configurable, in the sense that it might execute differently based on the tags (coming from the [`misp-workflow` taxonomy](https://github.com/MISP/misp-taxonomies/blob/59ec473a5f7a44755a6098890a1ee290487bfc53/misp-workflow/machinetag.json)) attached to the event. For example, if the tag `misp-workflow:mutability="allowed"` is set on the event, the workflow will modify existing data. This can be very useful for servers acting as a clearing hub or forwarding vetted data to other instances. If the tag isn't present, the data won't be touched and only `local` tags will be applied if needed.

Should you be interested in checking out the 9 new blueprints, the complete list can be found here: https://github.com/MISP/misp-workflow-blueprints#curation-blueprints.

## Workflow editor improvements

Now let's have a quick look at the changes that have been integrated to speed up editing, simplify complex tasks and make things a little more intuitive.

##### Multiple values in filtering

Added support for two new operators, `Any value` and `Any values from`, allowing `OR` conditions in logic blocks.

![](https://www.misp-project.org/img/blog/2.4.174/wf-multiple-values.gif)

##### Quick insert on existing links

UX improvement to help users quickly insert blocks on existing connections.

![](https://www.misp-project.org/img/blog/2.4.174/wf-quick-insert.gif)

##### Collapsible sidebar

UX improvement to support smaller screens.

![](https://www.misp-project.org/img/blog/2.4.174/wf-collapsible-sidebar.gif)

##### Hash-path picker

UX improvement and helper tool to facilitate crafting complex hash paths.
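To make the four steps of the `Flag false-positive tripping over warninglists` blueprint described earlier in this post concrete, here is the same curation logic written as plain Python over a constructed MISP-style event. This is an added illustration, not code from MISP or from the blueprint itself: the warninglists, the sample event and the `false-positive:risk="high"` marker tag are constructed for the demonstration (the post does not say which tag the blueprint attaches), and the `category` and `match` fields are a simplification of MISP's warninglist format. The mutability tag is the one from the `misp-workflow` taxonomy referenced above.

```python
"""Curation logic of the 'Flag false-positive tripping over warninglists'
blueprint, rewritten as plain Python (added illustration, not MISP code).
The warninglists, the event and the marker tag are constructed for the demo."""

import copy
import ipaddress

# Tag from the misp-workflow taxonomy referenced in the post: when present on
# the event, the blueprint is allowed to modify existing data.
MUTABILITY_TAG = 'misp-workflow:mutability="allowed"'

# Marker tag attached to flagged IoCs. The post does not name the tag the
# blueprint uses; this value is an assumption made for the demonstration.
FALSE_POSITIVE_TAG = 'false-positive:risk="high"'

# Constructed warninglists. `category` is what the post calls the list type:
# only hits on "false_positive" lists make the blueprint flag an attribute.
# `match` is a simplified matching mode (real lists use cidr/string/substring
# and more).
WARNINGLISTS = [
    {"name": "RFC 1918 address space", "category": "false_positive",
     "match": "cidr", "values": ["10.0.0.0/8", "192.168.0.0/16"]},
    {"name": "Known Google domains", "category": "false_positive",
     "match": "substring", "values": ["google.com"]},
    {"name": "Known internet scanners", "category": "known",
     "match": "string", "values": ["203.0.113.7"]},
]

# Constructed sample event (203.0.113.7 is in the RFC 5737 documentation range).
SAMPLE_EVENT = {
    "info": "constructed sample event",
    "Tag": [],
    "Attribute": [
        {"type": "ip-dst", "value": "10.1.2.3", "to_ids": True},
        {"type": "domain", "value": "mail.google.com", "to_ids": True},
        {"type": "ip-src", "value": "203.0.113.7", "to_ids": True},
        {"type": "domain", "value": "evil.example", "to_ids": True},
    ],
}


def value_hits(value, warninglist):
    """Return True if `value` matches one entry of the warninglist."""
    mode = warninglist["match"]
    if mode == "cidr":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return False  # not an IP address, so no CIDR hit
        return any(ip in ipaddress.ip_network(net) for net in warninglist["values"])
    if mode == "substring":
        return any(entry in value for entry in warninglist["values"])
    return value in warninglist["values"]  # exact string match


def warninglist_hits(attribute, warninglists):
    """Step 1: the warninglists an attribute trips (hits integrated in the data)."""
    return [wl for wl in warninglists if value_hits(attribute["value"], wl)]


def event_has_tag(event, name):
    return any(tag["name"] == name for tag in event.get("Tag", []))


def curate_event(event, warninglists=WARNINGLISTS):
    """Steps 2 to 4 of the blueprint.

    Returns a curated copy of the event and the list of flagged values.
    The input event is never modified in place.
    """
    curated = copy.deepcopy(event)
    mutable = event_has_tag(curated, MUTABILITY_TAG)
    flagged = []
    for attribute in curated["Attribute"]:
        hits = warninglist_hits(attribute, warninglists)
        # Step 2: only attributes tripping a false_positive list are kept
        # in the pipeline; everything else passes through untouched.
        if not any(wl["category"] == "false_positive" for wl in hits):
            continue
        flagged.append(attribute["value"])
        # Step 3: to_ids is only disabled when the event allows mutation.
        if mutable:
            attribute["to_ids"] = False
        # Step 4: mark the IoC as a false positive. With mutation allowed the
        # tag is a regular (synced) tag; otherwise only a local tag is applied.
        attribute.setdefault("Tag", []).append(
            {"name": FALSE_POSITIVE_TAG, "local": not mutable}
        )
    return curated, flagged


if __name__ == "__main__":
    for label, event in (
        ("read-only event", SAMPLE_EVENT),
        ("mutable event", dict(SAMPLE_EVENT, Tag=[{"name": MUTABILITY_TAG}])),
    ):
        curated, flagged = curate_event(event)
        print(label, "flagged:", flagged)
        for attribute in curated["Attribute"]:
            tags = [t["name"] + (" (local)" if t["local"] else "")
                    for t in attribute.get("Tag", [])]
            print("  ", attribute["value"], "to_ids=", attribute["to_ids"], tags)
```

Running the script shows the configurable behaviour the post describes: on the read-only event the two false-positive hits keep `to_ids` and only receive a local tag, while on the event carrying the mutability tag the same two attributes get `to_ids` disabled and a regular tag; the scanner address, which only trips a `known` list, is never touched.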
![](https://www.misp-project.org/img/blog/2.4.174/wf-hashpath-picker.gif)

##### Frame nodes

UI feature to frame nodes that achieve a specific action. Especially useful when using blueprints.

![](https://www.misp-project.org/img/blog/2.4.174/wf-frame-node.gif)

## MISP Objects and Relationships

- New object to support the [hhhash format](https://github.com/adulau/HHHash).
- Improved [scan-results](https://www.misp-project.org/objects.html#_scan_result) object.
- Improved [ja3s](https://www.misp-project.org/objects.html#_ja3s) object.
- [relationships] Added some relationships defined in STIX 2.1 & updated some opposite relationships in consequence.
- New object templates to support the [STIX 2.1 incident extension](https://github.com/MISP/misp-objects/pull/396).
- New object template for [AbuseIPDB](https://www.misp-project.org/objects.html#_abuseipdb).
- New object template for [Google Safe Browsing](https://www.misp-project.org/objects.html#_google_safe_browsing).

For more details, the [misp-object changelog](https://www.misp-project.org/Changelog-misp-objects.txt) is available.

## MISP Galaxy

- Various updates in the [threat actor MISP galaxy](https://www.misp-project.org/galaxy.html#_threat_actor).
- Various automatic updates from the Sigma galaxy.

For more details, the [misp-galaxy changelog](https://www.misp-project.org/Changelog-misp-galaxy.txt) is available.

## MISP warning-lists

- Improvement in the [CRL generation list](https://github.com/MISP/misp-warninglists/blob/main/tools/generate-crl-ip-domains.py).
- All the lists have been updated.

For more details, the [misp-warninglists changelog](https://www.misp-project.org/Changelog-misp-warninglists.txt) is available.

## MISP taxonomies

- Minor improvements in the [cryptocurrency threat](https://www.misp-project.org/taxonomies.html#_cryptocurrency_threat) taxonomy and in the workflow taxonomy to support the new workflow features.
For more details, the [misp-taxonomies changelog](https://www.misp-project.org/Changelog-misp-taxonomies.txt) is available.

## MISP-stix

MISP-stix includes multiple improvements and bug fixes. For more details, the [misp-stix changelog](https://www.misp-project.org/Changelog-misp-stix.txt) is available.

# Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server [misp-community.org](https://misp-community.org/) - don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

# MISP Professional Services

[MISP Professional Services (MPS)](https://www.misp-project.org/professional-services/) is a program handled by the lead developers of the MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.

MISP v2.4.175, 2023-08-24T14:17:26+00:00

![SigMF](https://www.misp-project.org/img/blog/sigint.png)

MISP 2.4.175 released with various bugs fixed, improvements and security fixes.

# Improvements

- Added support for the `start_date` and `end_date` options in the MISP dashboard widgets.
- In the user periodic reporting, allow users to set the number of days to include in the reporting (UI).
- In the MISP dashboard org widget, added support for the `first_half_year` and `second_half_year` timeframes.
- New enrich object functionality added, in order to allow for the enrichment of a complete MISP object. Used by the [SigMF module](https://www.misp-project.org/2023/08/23/MISP_now_supports_Signal_Metadata_Format_Specification_SigMF.html/), but this can be used with any expansion module supporting objects.
- New feeds added.
- Improve the diagnostics when an instance does not have internet access or does not use the self-update feature.

# Bugs fixed

- Update the CA bundle of the CakePHP submodule maintained by the MISP project.
- IndexFilter: correct index page filtering is now fixed for REST requests.
- Prevent `push_rules` from being required in API requests to the `/server/edit` endpoint.
- The annoying MISP event import bug from JSON has been fixed; you can now import MISP JSON events without the `Event` key.
- Various fixes in the MISP dashboard interface.
- Fix

# Security fixes

- [CVE-2023-40224](https://cvepremium.circl.lu/cve/CVE-2023-40224) <= MISP 2.4.174 - allows XSS in app/View/Events/index.ctp. (reported by BeDisruptive OSS Team)
- [CVE-2023-41098](https://cvepremium.circl.lu/cve/CVE-2023-41098) <= MISP 2.4.174 - In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard edit.

Thanks to the BeDisruptive OSS Team and the Centre for Cyber Security Belgium (CCB) for the reporting. Also a huge thanks to all the contributors, reporters and helpers supporting the MISP project.

## MISP Objects and Relationships

- A new generic `x-header` object template has been created to add custom HTTP or SMTP headers easily.
- [SigMF object templates](https://www.misp-project.org/2023/08/23/MISP_now_supports_Signal_Metadata_Format_Specification_SigMF.html/) added.
- Updated `artifact` object to better support [STIX 2.1](https://github.com/MISP/misp-stix).
- New `malware` and `malware-analysis` objects to better support [STIX 2.1](https://github.com/MISP/misp-stix).

For more details, the [misp-object changelog](https://www.misp-project.org/Changelog-misp-objects.txt) is available.

## MISP Galaxy

- Various updates in the [threat actor MISP galaxy](https://www.misp-project.org/galaxy.html#_threat_actor) and tool cluster.
- Various automatic updates to the Sigma galaxy.
For more details, the [misp-galaxy changelog](https://www.misp-project.org/Changelog-misp-galaxy.txt) is available.

## MISP warning-lists

- New [Zscaler IP address generator](https://github.com/MISP/misp-warninglists/blob/main/tools/generate-zscaler.py) added.
- New OpenAI ChatGPT crawler IP sources added.
- All the lists have been updated.

For more details, the [misp-warninglists changelog](https://www.misp-project.org/Changelog-misp-warninglists.txt) is available.

## MISP taxonomies

For more details, the [misp-taxonomies changelog](https://www.misp-project.org/Changelog-misp-taxonomies.txt) is available.

## MISP-stix

MISP-stix includes multiple improvements and bug fixes. For more details, the [misp-stix changelog](https://www.misp-project.org/Changelog-misp-stix.txt) is available.

## PyMISP

- Bug fix for updating sharing groups.
- Improved msg-extract function.

For more details, the [PyMISP changelog](https://www.misp-project.org/Changelog-PyMISP.txt) is available.

# Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server [misp-community.org](https://misp-community.org/) - don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

# MISP Professional Services

[MISP Professional Services (MPS)](https://www.misp-project.org/professional-services/) is a program handled by the lead developers of the MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.

MISP v2.4.176, 2023-09-15T09:13:11+00:00

MISP 2.4.176 released with various improvements and bugs fixed.
This version also includes major improvements in the [misp-stix](https://github.com/MISP/misp-stix/releases/tag/v2.4.176) library, especially on storing relationships and on the description of relationships in the MISP standard format.

![A LookyLoo event in MISP](https://www.misp-project.org/img/blog/lookyloo-misp.png)

# Improvements

- [logs] add time-based filter. Quite useful when you have a large set of logs.
- [audit] add last password change timestamp for users.
- [UI] show which attributes/objects are new and still awaiting publication.
- [console:TrainingShell] Added deleteAllSyncs function.
- [feeds] add Ellio threat list.

# Bugs fixed

- [internal] improved parameter parsing.
- Properly filter out query parameters.
- Method call on null.
- Fixed invalid ordering errors.
- Do not require jobId for AdminShell jobGenerateCorrelation; create a new job if jobId is null. Fixes #9206.
- [dashboard:organisationMapWidget] Do not require the config to have start and end date.
- [restSearch] exact match for values starting with %, fixes #9258.
- Unable to enrich individual shadow attribute.
- Unable to enrich individual attribute, fixes #9267.
- [stix2 import] Fixed debugging message for errors and warnings when the `debug` option is set.
- Disable submodule update section when MISP.self_update is disabled, to allow not carrying git dependencies in Docker.

# misp-objects updates

- Various fixes to MISP objects such as [email](https://www.misp-project.org/objects.html#_email), [virustotal-report](https://www.misp-project.org/objects.html#_virustotal_report) and [relationships](https://www.misp-project.org/objects.html#_relationships).

# misp-galaxy updates

- Update of target sectors in the threat-actor database. This now includes the known target sectors as meta.
- Various updates to the threat-actor database.
# misp-warning-lists updates

- [Cisco Umbrella block pages](https://github.com/MISP/misp-warninglists/blob/main/lists/umbrella-blockpage-hostname/list.json) added to the MISP warning-lists.
- [Censys scanning IP address space](https://github.com/MISP/misp-warninglists/blob/main/lists/censys-scanning/list.json) added.
- Various improvements to the generation tools.

# misp-modules

- Fix the URL of the VirusTotal collection in the VirusTotal expansion module.

# PyMISP

- Various bugs were fixed in PyMISP. For more details, see the [PyMISP changelog](https://www.misp-project.org/Changelog-PyMISP.txt).

# Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server [misp-community.org](https://misp-community.org/) - don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

# Training video

The latest video of MISP Training - Advanced, Developer session, from API to MISP internals is now available [on YouTube](https://www.youtube.com/watch?v=2tmjLsPrQkI).

# MISP Professional Services

[MISP Professional Services (MPS)](https://www.misp-project.org/professional-services/) is a program handled by the lead developers of the MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.

MISP v2.4.177, 2023-09-27T08:49:56+00:00

**MISP 2.4.177 released with various bugs fixed and improvements**.

![](https://www.misp-project.org/img/blog/lookyloo-misp.png)

# Improvements

- [dev] added a shell script to generate the restsearch parameters.
- [CLI] add command to expire active AuthKeys that do not have an IP allowlist set.
- [cli] Add command to trigger password change on next login for users with old pw.
- [Users] add last password change timestamp for users.
- [workflowModules:event_distribution_operation] Added action module.

# Changes

- [tests] testing disabling the timestamp greater as old timestamp for password changes.
- [tests] make em happy with re-including a filter parameter that worked before, albeit unintentionally.
- [PyMISP] disable some tests.
- [misp-stix] Bumped latest version.
- [warning-lists] updated.
- [PyMISP] Keep messing with tests.
- [warning-lists] updated.
- Check test files are there.
- [version] bump.
- [escaping] added to event ID.
- Attempt to fix git clone from the test suite.
- [feeds] change name to Community version.
- [config:customAuth_header] Default to upper case.
  - See $_SERVER make passed headers upper case
- [console:TrainingShell] Allow overriding existing user data.
- [Console:trainingShell] Provide correct filters for wiping data.
- [console:trainingShell] Added wipeUsers and wipeOrgs functions.
- [posts:crud] Prevent read-only users from creating posts.
- [config:config.default] Disabled warning_for_all by default for new install.

# Fixes

- [misp-stix] Bumped latest version with a fix on the file patterns parsing.
- [tests] added some sleeps to avoid timestamps of follow-up tests being within 1 second of the previous test.
- [API] filter parameters added.
- [PyMISP/CI] Disable search logs for now.
- [restsearch] parameters fixed.
- [taxonomy] enable/disable creating junk taxonomies on invalid ID, fixes #9273.
- [console:trainingShell] More typo in model name.
- [console:trainingShell] Typos in model names.
- [RestSearch] allow filtering on eventinfo for events and attributes.

# Other improvements

- Show object's attributes if they are tagged.
- Fix event graph tag scope view.
- Fix event hyperlink in discussion view page.
# Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server [misp-community.org](https://misp-community.org/) - don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

# Training video

The latest video of MISP Training - Advanced, Developer session, from API to MISP internals is now available [on YouTube](https://www.youtube.com/watch?v=2tmjLsPrQkI).

# MISP Professional Services

[MISP Professional Services (MPS)](https://www.misp-project.org/professional-services/) is a program handled by the lead developers of the MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.

MISP v2.4.178, 2023-10-30T13:25:42+00:00

MISP 2.4.178 released with many workflow improvements, enhancements and bugs fixed.

![A sample MISP workflow](https://www.misp-project.org/img/blog/workflow-blue.png)

# Improvements

- [workflow] Added option to provide a custom JSON in the hashpath picker helper.
- [workflow] New action modules (blocklist, warninglist, counter...) to add an event to the blocklist.
- [workflow] New trigger: event before save.
- [workflow] Various improvements in the quick hashpath filter.
- [workflow] Improved webhook to support HTTP request method, headers and payload. It also now supports self-signed certificates.
- [workflow] Many improvements in debugging and workflow logging.
- [RestClient/OpenAPI] `totp_delete` added in query builder and API documentation.
- [STIX upload] Improvements in the galaxies handling, including more detailed options while importing STIX 2 and creating galaxies/clusters.

# Changes

- [dashboard-widget:worldmap] Added support for a custom scale in the widget config.
- [API event:restSearch] Added support for `orgc_id` as a valid filter.
- [Auditing] API access time is now stored once per hour by default.
- [API] `includeGranularCorrelations` is now exposed in the event RestSearch.

# Fixes

- [API] Add sharinggroup as an allowed parameter in attribute search.
- [objects:edit] Restored behavior of upgrading an object to a newer template.
- Many other fixes; check the [ChangeLog for detailed changes](https://www.misp-project.org/Changelog.txt).

# Other improvements

## MISP Objects

- New objects added such as `cryptocurrency-transaction`, and many updates to other objects. For detailed changes, see the [MISP objects changelog](https://www.misp-project.org/Changelog-misp-objects.txt).

## MISP Galaxy

- Many new objects such as `ammunition` and `firearms`, and many updates to threat actor, Sigma and many others. For detailed changes, see the [MISP galaxy changelog](https://www.misp-project.org/Changelog-misp-galaxy.txt).

## MISP warning-lists

- Warning-lists updated to the latest version. New warning list with known hostnames for looking up the source IP of the DNS resolver. See the [MISP warning-lists changelog](https://www.misp-project.org/Changelog-misp-warninglists.txt).

# Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server [misp-community.org](https://misp-community.org/) - don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

# Training video

The latest video of MISP Training - Advanced, Developer session, from API to MISP internals is now available [on YouTube](https://www.youtube.com/watch?v=2tmjLsPrQkI).

# MISP Professional Services

[MISP Professional Services (MPS)](https://www.misp-project.org/professional-services/) is a program handled by the lead developers of the MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project.
This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.

MISP v2.4.179, 2023-11-26T08:45:58+00:00

MISP 2.4.179 released with a host of improvements, a security fix and some new tooling.

## First baby steps taken towards LLM integration

This release includes our first attempt at an LLM integration for report summarisation and extraction. The development is an outcome of our work with @aaronkaplan during hack.lu 2024 and relies on [stochasticCTIExtractor](https://github.com/aaronkaplan/stochasticCTIExtractor) for the extraction and for interfacing with LLMs. Expect to see more in this space in the near future! For a sneak peek, head over to our [lightning talk](https://www.youtube.com/watch?v=PzPJc0LdlC4) video on the topic.

## Workflow improvements

As always, @mokaddem is hard at work in his arcane laboratory, improving the workflow tooling. This time, among a host of improvements, he has also concocted a new IF module that makes decisions based on the number of elements (counts) matching certain criteria. For a full list of changes, have a look at the [Changelog](https://www.misp-project.org/Changelog.txt).

# Performance improvements for large event edits

The edit performance for large events has been reworked to speed the process up somewhat. In addition, a new "fast_update" mode has been added for special cases when no major changes are expected to an event or when additional precautions have been taken (as a main difference, validation of duplicate handling has been removed from this path).
For some benchmarks of what this means in practice for an event, assuming 20,000 attributes with a single tag being added to each and the last seen being altered:

#### MISP 2.4.178

**Time taken**: 171.2364685535431

#### MISP 2.4.179

**Time taken (standard mode)**: 97.22623372077942

**Time taken (fast mode)**: 40.74654579162598

This new method is currently exclusively used by the /events/edit endpoint, so expect it to show up in other endpoints in later releases.

## A new tool for remote delegations

Though more of an edge case, we've seen the need for some communities to be able to automatically delegate publications across instances, for example in the case of an ISAC republishing the data of their constituency anonymously, or an organisation providing data produced by a service provider being released under their own umbrella. If you have any such use-cases, head over to the new delegation tool and read up on how it works and what you can do with it: [misp-delegation](https://github.com/MISP/MISP/tree/2.4/tools/misp-delegation).

## Security: XSS fixed in the event timeline

This release also contains a security fix for a stored XSS triggerable via the event timeline widget, as reported by fukusuket (Fukusuke Takahashi). Thanks a lot for the report; we encourage the community at large to update their MISP instances to this release, as well as to similarly report all their findings to us based on our [Security](https://www.misp-project.org/security/) policy.

## Other improvements

### MISP Taxonomies

Various improvements and inclusions of [new taxonomies](https://www.misp-project.org/taxonomies.html), such as an update to PAP, a taxonomy used by SRB-CERT as well as a taxonomy for doping substances. The [PAP (Permissible Actions Protocol)](https://www.misp-project.org/taxonomies.html#_pap) has been updated to be in line with TLPv2. Thanks to the [contribution and discussions with ANSSI-FR/CERT-FR about the marking topic](https://www.cert.ssi.gouv.fr/csirt/sharing-policy/).
### MISP Objects

Various fixes to a host of [object templates](https://www.misp-project.org/objects.html) as well as some new templates such as the Crowdstrike Report objects were added in this release.

### MISP Galaxy

- A host of new clusters were added, mostly targeting the threat-actors galaxy library - a huge thanks goes to @Mathieu4141 for all the diligent work. Automatically ingested galaxies, such as the global Sigma rule library, have also been updated.
- The MISP galaxy MITRE ATT&CK has been updated to version 14.
- A new NAICS galaxy has been created to support the [North American Industry Classification System](https://www.census.gov/naics/).

### MISP warning-lists

- Warning-lists updated to the latest version. Several warninglists have been brought up to the latest release, and new warninglists such as the findip-host warninglist have been added.

## For all other changes, please refer to the [Changelog](https://www.misp-project.org/Changelog.txt).

## Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server [misp-community.org](https://misp-community.org/) - don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

## MISP Professional Services

[MISP Professional Services (MPS)](https://www.misp-project.org/professional-services/) is a program handled by the lead developers of the MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.

MISP v2.4.180, 2023-12-22T14:28:11+00:00

MISP 2.4.180 released with a new security user login profile feature, bugs fixed and many improvements.
v2.4.180 (2023-11-30)
---------------------

# New

- [api] added X-MISP-AUTH as an alternative header to Authorization, fixes #9418. [iglocska]

# Changes

- [VERSION] bump. [iglocska]
- [workflows] restored 7.2 and 7.3. [iglocska]
- [user login profile] old version compatibility. [iglocska]
- [event index] hover over ID will show the info field, generally more useful than the threat level. [iglocska]

# Fix

- [login] fixes bad fix and catches first login after update. [Christophe Vandeplas]
- [revert] dumb check. [iglocska]
- [compatibility] make the ancient gods happy. [iglocska]
- [user login profile] skip checks for ancient php versions. [iglocska]
- [Attribute:EditPostProcessing] Make sure the ID is set. [Sami Mokaddem]
- [attribute:editPostProcessing] Fixed typo in condition preventing tags to be detached. [Sami Mokaddem]
- [attributes] type field added to editable fields. [iglocska]
- [RPZ] export custom parameters ignored, fixes #9420. [iglocska]
- [Attribute:editPostProcessing] Fixed sighting capture. [Sami Mokaddem]
- [Attribute:EditPostProcessing] Make sure the ID is set. [Sami Mokaddem]
- [attribute:validation] Typo in function name. [Sami Mokaddem]
- [attribute:editPostProcessing] Fixed typo in condition preventing tags to be detached. [Sami Mokaddem]

# Other

- Merge remote-tracking branch 'origin/develop' into 2.4. [Christophe Vandeplas]
- Merge branch 'develop' into 2.4. [iglocska]
- Merge branch '2.4' into develop. [iglocska]
- Merge branch 'develop' into 2.4. [iglocska]
- Revert "chg: [workflows] restored 7.2 and 7.3" [iglocska]
  This reverts commit 206d2af439ae22c35a41568b4dc79562f2cb29e4.
- Merge branch '2.4' into develop. [iglocska]
- Merge branch '2.4' of github.com:MISP/MISP into develop. [Sami Mokaddem]
- Merge remote-tracking branch 'origin/2.4' into develop. [Sami Mokaddem]
- Merge branch '2.4' of github.com:MISP/MISP into develop. [Sami Mokaddem]
- Merge branch 'develop' of github.com:MISP/MISP into develop. [iglocska]
- Merge branch 'develop' of github.com:MISP/MISP into develop. [Sami Mokaddem]
- Feature/user login profiles2 (#9379) [Christophe Vandeplas, iglocska]
  * new: [userloginprofiles] start over with previous code
  * fix: [user_login_profiles] fixes catching up the backlog
  * chg: [userloginprofile] email to org_admin for suspicious login
  * chg: [userloginprofile] only inform new device
  * chg: [userloginprofiles] view_login_history instead of view_auth_history
  * chg: [userloginprofile] make login history visually better
  * chg: [userloginprofile] inform admins of malicious report
  * fix: [userloginprofile] cleanup
  * fix: [userloginprofile] fixes Attribute include in Console
  * fix: [userloginprofile] db schema and changes
  * chg: [CI] log emails
  * chg: [PyMISP] branch change
  * chg: [test] test
  * fix: [userloginprofile] unique rows
  * fix: [userloginprofile] unique rows
  * chg: [cleanup]
  * Revert "chg: [PyMISP] branch change"
    This reverts commit 3f6fb46fee9745437998fc013a97af874679c87b.
  * fix: [userloginprofile] fix workers with monolog=1.25 browcap=5.1
  * fix: [db] dump schema version
  * fix: [CI] newer php versions
  * fix: [composer] php version
  * fix: [php] revert to normal php7.4 tests
  ---------
- Merge branch '2.4' into develop. [iglocska]

MISP v2.4.181, 2023-12-22T14:31:58+00:00

# MISP 2.4.181 hot fix release to disable by default the alert on suspicious login plus some minor fixes.

# Changes

- [tools:misp-delegation] Do not use self-documented expression in f-string anymore. [Sami Mokaddem]
- [version] bump. [iglocska]
- [warning-lists] updated to the latest version. [Alexandre Dulaunoy]
- [misp-galaxy] updated to the latest version. [Alexandre Dulaunoy]
- [tests] search for errors in logs. [Christophe Vandeplas]
- [warning-lists] updated to the latest version. [Alexandre Dulaunoy]
- [misp-galaxy] updated to the latest version. [Alexandre Dulaunoy]

# Fix

- [Alert on suspicious logins] disabled by default. [iglocska]
  - requires logs table to be better indexed currently to not be a bottleneck (user_id and action fields)
  - Will be made default in an upcoming version once the performance issues are resolved
- [tests] fix path in logs_tests.sh. [Christophe Vandeplas]
- [tests] fixes path of logs_tests. [Christophe Vandeplas]
- [userloginprofiles] undefined variable #9424. [Christophe Vandeplas]
- [customauth] missing Class init fixes #9425. [Christophe Vandeplas]

MISP v2.4.182, 2023-12-22T14:47:58+00:00

MISP 2.4.182 released with new features, improvements, bugs fixed and an important security fix.

# MISP Core

## New Features

- [event:view] Added new option `show_server_correlations_for_all_users` allowing non-privileged users to view server correlations. [Sami Mokaddem]

## Changes

- [Version] bump. [iglocska]
- [misp-objects] updated to the latest version. [Alexandre Dulaunoy]
- [misp-stix] Bumped latest version. [Christian Studer]
- [warning-lists] updated to the latest version. [Alexandre Dulaunoy]
- [misp-galaxy] updated to the latest version. [Alexandre Dulaunoy]
- [Geo-Open] updated to the latest version. [Alexandre Dulaunoy]
- [PyMISP] Bump. [Raphaël Vinot]
- [CLI] runUpdates updated to purge any pending db lock first. [iglocska]
- [event reports] content field size changed to mediumtext. [Andras Iklody]
- [logging] fail silently if logging entry can't be saved. [iglocska]
  - can happen when the log change is too large for example
  - no need to roll back / break sync for example if a log entry is too large, just fail silently.
- [events:event-graph] Allow expansion of nodes by double-clicking. [Sami Mokaddem]
  In response to significant demand from Terrtia and subsequent evaluation by adulau
- [feed:attachFeedCorrelations] Added comment. [Sami Mokaddem]
- [event:view] Show feed meta-information as popup. [Sami Mokaddem]
- [misp-stix] Bump. [Jakub Onderka]

## Fix

- [db_schema] dump. [iglocska]
- [correlation] exclusion cleaning was broken for noacl correlations, fixes #8899. [iglocska]
- [eventReport:editReport] Generate a UUID if new report added from pull. [Sami Mokaddem]
- [workflows:editor] Prepend baseurl to url. [Lukasz Rzasik]
- [TOTP] allow deletion of TOTP from edit page. [Christophe Vandeplas]
- [security] new audit logs lack of ACL controls. [iglocska]
  - added proper ACL handling to the new audit logs
  - as reported by fukusuket (Fukusuke Takahashi)
  - Assigned [CVE-2023-50918](https://cvepremium.circl.lu/cve/CVE-2023-50918) for this vulnerability. The new audit log is not enabled by default.
- [case sensitivity] fix. [iglocska]
- [login_history] fixes str_contains #9433. [Christophe Vandeplas]
- [login_history] fixes str_contains #9433. [Christophe Vandeplas]
- [password reset] required current password for token based reset. [iglocska]
- [diag] diagnostics page loading issue. [Michael Hirt]
- [openapi] add version to match spec. fixes #9058. [Luciano Righetti]
- [caching] remove uuid validation from the feed caching. [iglocska]
  - not really needed and it breaks the entire caching if a single old event has an invalid uuid
- [attribute bulk update] separate out tag deletion as it builds a ridiculously large query at times. [iglocska]
- [caching] remove uuid validation from the feed caching. [iglocska]
  - not really needed and it breaks the entire caching if a single old event has an invalid uuid

# MISP project knowledge bases

## MISP Objects

Improved [shadowserver-malware-url-report](https://www.misp-project.org/objects.html#_shadowserver_malware_url_report) and [cs-beacon-config](https://www.misp-project.org/objects.html#_cs_beacon_config) object templates. Updates in the [victim object template](https://www.misp-project.org/objects.html#_victim) and [report object template](https://www.misp-project.org/objects.html#_report).
## MISP Galaxy

Improved the [Sigma rules galaxy](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json) and the [threat-actors database](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json) with many new threat actors.

## MISP warning-lists

[Warning-lists updated](https://github.com/MISP/misp-warninglists) to the latest version from the different sources.

# Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server [misp-community.org](https://misp-community.org/) - don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

# MISP Professional Services

[MISP Professional Services (MPS)](https://www.misp-project.org/professional-services/) is a program handled by the lead developers of the MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.

2023-12-22T14:47:58+00:00

MISP v2.4.183

2024-01-09T17:33:32+00:00

![MISP screenshot](https://www.misp-project.org/img/blog/lookyloo-misp.png)

MISP 2.4.183 released with a new ECS log feature, improvements and bug fixes.

- MISP now supports Elastic Common Schema (ECS) security logging. A new option, `Security.ecs_log`, enables it. A new `Security.alert_on_suspicious_logins` option has been added to the security audit.
- The sync configuration in MISP now supports sharing group blueprints for simple creation of filter rules based on dynamically updated organisation lists.
- Major improvement to STIX import handling and especially the [misp-stix library](https://github.com/MISP/misp-stix), such as parsing PE binary extensions within File observable objects, and many more improvements/fixes.
- API add tag functions updated to also work with uuids, rather than just local IDs.
- [event:view] Added option to mass-apply local cluster tags.

Many bugs fixed and minor improvements. Feel free to read the detailed [changelog](https://www.misp-project.org/Changelog.txt).

# MISP project knowledge bases

## MISP Objects

- New [flowintel CM](https://github.com/flowintel/flowintel-cm) object added.

## MISP Galaxy

A [new dedicated website has been developed](https://www.misp-galaxy.org/) to easily reference galaxies outside MISP.

- Improved the [Sigma rules galaxy](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json) and the [threat-actors database](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json) with many new threat actors.
- New [disarm](https://www.disarm.foundation/) galaxy is now available, including [Actor Types](https://www.misp-galaxy.org/disarm-actortypes/), [Countermeasures](https://www.misp-galaxy.org/disarm-countermeasures/), [Detections](https://www.misp-galaxy.org/disarm-detections/) and [Techniques](https://www.misp-galaxy.org/disarm-techniques/).
- New MITRE ATLAS framework added: [MITRE ATLAS Attack Pattern](https://www.misp-galaxy.org/mitre-atlas-attack-pattern/), [MITRE ATLAS Course of Action](https://www.misp-galaxy.org/mitre-atlas-course-of-action/).

## MISP warning-lists

[Warning-lists updated](https://github.com/MISP/misp-warninglists) to the latest version from the different sources.
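As an added example for the ECS security logging and suspicious-login alerting introduced in 2.4.183 above (this is not MISP's implementation of `Security.ecs_log` or `Security.alert_on_suspicious_logins`), the Python below parses ECS-shaped NDJSON authentication events and raises two kinds of alert: a successful login preceded by a burst of failures from the same source, and a first successful login from a country not previously seen for that user. The log lines, the field layout (`event.category`, `event.outcome`, `source.ip`, `source.geo.country_iso_code`, `user.name`) and the thresholds are constructed assumptions using generic ECS field names; the exact documents MISP emits may differ.

```python
"""Suspicious-login detection over ECS-shaped security log lines.

Added example, not MISP's implementation. The NDJSON below is constructed
sample data with generic ECS field names; MISP's actual field layout is an
assumption here.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Any, Deque, Dict, List, Optional

# Constructed sample: one ECS JSON document per line.
SAMPLE_ECS_LOG = """
{"@timestamp":"2024-01-10T08:00:00Z","event":{"kind":"event","category":["authentication"],"action":"login","outcome":"success"},"source":{"ip":"198.51.100.10","geo":{"country_iso_code":"LU"}},"user":{"name":"alice"}}
{"@timestamp":"2024-01-10T08:05:00Z","event":{"kind":"event","category":["authentication"],"action":"login","outcome":"success"},"source":{"ip":"198.51.100.10","geo":{"country_iso_code":"LU"}},"user":{"name":"alice"}}
{"@timestamp":"2024-01-10T09:00:00Z","event":{"kind":"event","category":["authentication"],"action":"login","outcome":"failure"},"source":{"ip":"203.0.113.7","geo":{"country_iso_code":"US"}},"user":{"name":"alice"}}
{"@timestamp":"2024-01-10T09:00:20Z","event":{"kind":"event","category":["authentication"],"action":"login","outcome":"failure"},"source":{"ip":"203.0.113.7","geo":{"country_iso_code":"US"}},"user":{"name":"alice"}}
{"@timestamp":"2024-01-10T09:00:40Z","event":{"kind":"event","category":["authentication"],"action":"login","outcome":"failure"},"source":{"ip":"203.0.113.7","geo":{"country_iso_code":"US"}},"user":{"name":"alice"}}
{"@timestamp":"2024-01-10T09:01:00Z","event":{"kind":"event","category":["authentication"],"action":"login","outcome":"success"},"source":{"ip":"203.0.113.7","geo":{"country_iso_code":"US"}},"user":{"name":"alice"}}
{"@timestamp":"2024-01-10T10:00:00Z","event":{"kind":"event","category":["attribute"],"action":"add","outcome":"success"},"user":{"name":"alice"}}
not-json: a malformed line that the parser must skip, not choke on
{"@timestamp":"2024-01-10T11:00:00Z","event":{"kind":"event","category":["authentication"],"action":"login","outcome":"success"},"source":{"ip":"192.0.2.44","geo":{"country_iso_code":"LU"}},"user":{"name":"bob"}}
"""


def get(doc: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dotted ECS path ('source.geo.country_iso_code') through nested dicts."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def parse_ecs_lines(text: str) -> List[Dict[str, Any]]:
    """Parse NDJSON; a malformed line is dropped so one bad record cannot
    silence the detector for the rest of the batch."""
    docs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            docs.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return docs


def is_login(doc: Dict[str, Any]) -> bool:
    return "authentication" in (get(doc, "event.category") or []) and get(doc, "event.action") == "login"


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_suspicious_logins(docs: List[Dict[str, Any]], failure_threshold: int = 3,
                             window: timedelta = timedelta(minutes=5)) -> List[Dict[str, str]]:
    alerts: List[Dict[str, str]] = []
    seen_countries: Dict[str, set] = defaultdict(set)               # user -> countries of earlier successes
    recent_failures: Dict[tuple, Deque[datetime]] = defaultdict(deque)  # (user, ip) -> failure times
    for doc in sorted(docs, key=lambda d: d["@timestamp"]):
        if not is_login(doc):
            continue
        user = get(doc, "user.name", "?")
        ip = get(doc, "source.ip", "?")
        country: Optional[str] = get(doc, "source.geo.country_iso_code")
        ts = parse_ts(doc["@timestamp"])
        outcome = get(doc, "event.outcome")
        q = recent_failures[(user, ip)]
        while q and ts - q[0] > window:          # drop failures outside the window
            q.popleft()
        if outcome == "failure":
            q.append(ts)
            continue
        if outcome != "success":
            continue
        if len(q) >= failure_threshold:
            alerts.append({"user": user, "ip": ip, "ts": doc["@timestamp"],
                           "reason": f"success after {len(q)} failures within {window}"})
        if country and seen_countries[user] and country not in seen_countries[user]:
            alerts.append({"user": user, "ip": ip, "ts": doc["@timestamp"],
                           "reason": f"first login from {country}"})
        if country:
            seen_countries[user].add(country)
        q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(parse_ecs_lines(SAMPLE_ECS_LOG)):
        print(alert)
```

The first-country rule deliberately stays quiet for a user's very first success, since there is no baseline to compare against; in production that baseline would be persisted across batches rather than rebuilt from the lines at hand.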
2024-01-09T17:33:32+00:00