MISP (core software) - Open Source Threat Intelligence and Sharing Platform
Security Enhancements:
Logging and Tracking:
User Interface Improvements:
Performance and Functionality Improvements:
Configuration and Security Settings:
Security and Stability Fixes:
Optimization and Error Corrections:
For a complete list of updates, please refer to the changelog pages.
We released 2.4.191 in rapid succession after 2.4.190 to resolve an issue introduced in the event index filtering.
Event index filtering: a new feature introducing ANDed tags on the event index caused a regression in the way multiple tags in the filters are handled. The issue is now resolved, and the new feature has been postponed to 2.4.192 to ensure that it meets expectations.
Set OIDC issuer: It is now possible to set the issuer in the OIDC authentication subsystem.
For a complete list of updates, please refer to the changelog pages.
We are excited to announce the release of MISP v2.4.190. This latest version introduces a slew of new features, improvements, and fixes designed to streamline operations and enhance security measures for our users.
Advanced Tag Collection for Events: Users can now specify collections of tags to apply to events automatically when using the [feed:pullEvents] feature. This allows for more precise and organized tagging, leading to better event categorization and retrieval.
Conditional Execution Stopping in Workflows: The new [workflowModules:stop-execution] feature lets users provide a specific reason for stopping a workflow. This is crucial for auditing and maintaining records of why certain processes were halted.
Unpublished Event Settings: The [feed] functionality now includes an option to keep all pulled events in an unpublished state, helping maintain privacy and control over event visibility until ready for disclosure.
Benchmarking Suite: A comprehensive new benchmarking suite has been added to continuously collect and analyze performance metrics such as memory usage and query counts for individual users, endpoints and user-agents. This data is crucial for optimising MISP's performance and reliability as well as identifying misbehaving tools/users/integrations.
Updated Components: Major components such as PyMISP, misp-galaxy, and various taxonomy lists have been updated to their latest versions to ensure users have access to the most current data and features.
Improved System Logging and Handling: Several changes have been made to improve how MISP logs and handles data. These include modifications to syslog outputs to avoid line breaks and ensure consistent field counts, enhancing the overall stability and readability of logs.
Bug Fixes: This update addresses several bugs, including issues with tag collection permissions, HTML rendering in analyst data threads, and event report imports from URLs.
Performance Enhancements: Numerous tweaks have been made to reduce memory usage and improve performance across various functions, particularly those involving synchronization and event handling.
Accessibility Improvements: The update includes enhancements to the user interface's accessibility, such as enabling keyboard focus on certain elements to aid users who rely on keyboard navigation.
API Extensions: New OpenAPI functionalities have been exposed (the functionality was present but not documented), such as allowing data encapsulation in requests and extending STIX export capabilities to the attribute level.
This version of MISP not only introduces new capabilities but also builds on the existing features to provide a more robust, efficient, and user-friendly platform for handling cybersecurity data and events. We encourage all users to upgrade to take full advantage of these improvements.
For a complete list of updates and detailed instructions on how to implement these new features, please visit our official MISP documentation and changelog pages.
Sightings were something initially intended as a system of pinpointing the continued prevalence of indicators as seen by our communities, but as it happens with ever growing, interconnected communities, new use-cases do emerge. Some of those use-cases involve the collection of "bulk sightings" - for example by directly using a SIEM or IDS to feed your sighting collection.
Whilst this has many potential applications, especially for internal use-cases, it can easily get out of hand when such massive data amounts are shared across larger communities, easily going into the billions of sightings rather rapidly.
We have therefore introduced a new blocklist system that allows MISP administrators to exclude organisations with such use cases from sighting synchronisation. Make sure to use the new subsystem if you feel overwhelmed by such sighting strategies.
When synchronising with peers running MISP 2.4.189+, the filtering already happens during the negotiation phase, drastically reducing the time it takes to synchronise instances.
This development is an outcome of the JTAN (Joint Threat Analysis Network) project hackathon and workshop organised in Luxembourg.
Analyst data is still a very fresh feature, allowing the community to further elaborate on, share their points of view on or to interlink the various data points in MISP. Especially the latter pillar of the new system had, as pointed out by some community members, a pretty massive flaw in the first implementation. Users could create and quantify relationships between data points, but the relationships would only be visible unidirectionally on the source object. This has now been resolved and data-points being referenced by others are now properly highlighted.
In hindsight, this seems like a massive oversight, but better late than never: We now have an "integer" attribute type, something that we until recently used the "count" type for, though it always felt like ramming a round peg through a square hole. If you are using your own object templates, make sure you revise them for the next iteration - whilst "count" is often the right choice, a generic integer may be more accurate in some of those cases.
This is yet another rapid release for a set of planned performance improvements, expect more frequent releases in the next few weeks as we resolve bottlenecks.
Please refer to the full changelog for a full list of fixes and improvements. Many thanks to all the diligent contributors that ensure that MISP keeps improving rapidly!
[ignoreIndexHint] parameter ([mysqlExtended], [mysqlObserverExtended]).
[forceIndexHint].
[restsearch] and [/events/view] endpoints. This helps with performance issues caused by large sighting data sets.
[BadRequestException] as fail log in CI.
[misp-galaxy], [misp-object], and [warning-lists].
[analyst-data] and [event-reports].
[sightings:getLastSighting].
[includeDecayScore] by a factor of 5.
[unpublished].
[private] directive.
[CURLOPT_NOBODY] for HEAD requests.
[redisReady] in dragonfly.
[Exception] to [Throwable] in ECS.
[MISP.email_reply_to] to server config.
[misp-stix], attachment scan error handling, OIDC default org handling, alert email titles, shadow attribute handling, and community additions (ICS-CSIRT.io).
MISP Professional Services (MPS) is a program handled by the lead developers of MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.
[org list] to shell commands.
[OidcAuth.update_user_role] to disable role changes from OIDC.
[ext-zstd] to suggested PHP extensions.
[removeTagFromObject()].
We are pleased to announce the immediate release of MISP 2.4.186, which includes two major new features, called "Analyst Data" and "Collections", along with an extension to the MISP standard format.
The Analyst Data 🧑🔬 feature is an extended and shareable set of capabilities that allows analysts to share and add their own analysis to any MISP event.
The Analyst Data feature comprises three main new features:
This enhancement gives analysts highly flexible capabilities to describe specific details of the data. Analyst Data, like Events and Galaxy clusters, are first-class citizens: they respect ownership and distribution mechanisms and are synchronisable between MISP instances.
For a quick overview, the below screencast can give you an idea of the analyst data feature in action:
The new collection feature allows users to create collections for organising data shared by the community. These collections can be categorised based on commonalities or as part of the research process. Collections are treated as first-class citizens and adhere to the same sharing rules as, for example, events do. You can create your own collection and share it with your partners on the same MISP instance.
Detailed changes are available in the Changelog.
The MISP project has its own Mastodon server misp-community.org - don't forget to follow @[email protected] on the fediverse. Core contributors of MISP can sign-up if they wish to have an account.
Major improvements were made to the MISP galaxy, including major updates to the threat-actor knowledge base and the surveillance vendors. Additional updates added the relationships to the MISP galaxy public website.
We are happy to announce the immediate availability of MISP 2.4.185. This is mainly a bug fix release resolving several issues as well as tightening the security posture of the org image handling.
We have moved the organisation images out of the webroot to prevent a rogue administrator from uploading a crafted, malicious organisation image and unsuspecting users from being redirected to a malicious direct link to that image. Whilst this vulnerability is highly unlikely to be exploited, requiring a compromised or rogue site administrator as a premise, the issue is valid and has been fixed.
Thanks to Yusuke Nakajima and Andrei Agape of Teliacompany for both delivering reports of this issue.
Various fixes affect the API, proxy settings and sighting synchronisation. The synchronisation bug in particular could easily bring large, sighting-rich instances (such as our own) to their knees when a remote instance tried to synchronise via a pull.
We would hereby like to again thank our active community for supplying fixes, bug reports, vulnerability reports and suggestions for the continuous improvement of MISP; the tool definitely wouldn't be what it is today without all your help!
Detailed changes are available in the Changelog.
MISP 2.4.184 released with performance improvements, security and bug fixes.
[MISP.disable_cached_exports] is now enabled by default. Since /events/export has been marked deprecated for years, we are starting the process of phasing it out by first disabling the endpoint by default. The MISP REST search API is the API to use going forward if you still have very old scripts relying on export; we recommend starting to plan the rework of those scripts.
A series of security fixes were made in this release. The vulnerabilities are accessible to authenticated users, especially those with specific privileges such as Org admin. We urge users to update to this version, especially if different organisations have access to your instances.
CVE assignments are pending and will be published on the security page.
Many bugs fixed and minor improvements. Feel free to read the detailed changelog.
Many improvements in PyMISP, including faster JSON parsing with orjson. Feel free to read the detailed changelog.
[payload_bin] attribute to attachment type.
A new dedicated website has been developed to easily reference galaxy outside MISP.
Warning-lists updated to the latest version from the different sources.
MISP 2.4.183 released with a new ECS log feature, improvements and bug fixes.
[Security.ecs_log] to enable this new functionality. A new [Security.alert_on_suspicious_logins] setting has been added to the security audit.
Many bugs fixed and minor improvements. Feel free to read the detailed changelog.
A new dedicated website has been developed to easily reference galaxy outside MISP.
Warning-lists updated to the latest version from the different sources.