MISP (core software) - Open Source Threat Intelligence and Sharing Platform
MISP 2.4.180 released with a new security user login profile feature, bugs fixed and many improvements.
Merge remote-tracking branch 'origin/develop' into 2.4. [Christophe Vandeplas]
Merge branch 'develop' into 2.4. [iglocska]
Merge branch '2.4' into develop. [iglocska]
Merge branch 'develop' into 2.4. [iglocska]
Revert "chg: [workflows] restored 7.2 and 7.3" [iglocska]
This reverts commit 206d2af439ae22c35a41568b4dc79562f2cb29e4.
Merge branch '2.4' into develop. [iglocska]
Merge branch '2.4' of github.com:MISP/MISP into develop. [Sami Mokaddem]
Merge remote-tracking branch 'origin/2.4' into develop. [Sami Mokaddem]
Merge branch '2.4' of github.com:MISP/MISP into develop. [Sami Mokaddem]
Merge branch 'develop' of github.com:MISP/MISP into develop. [iglocska]
Merge branch 'develop' of github.com:MISP/MISP into develop. [Sami Mokaddem]
Feature/user login profiles2 (#9379) [Christophe Vandeplas, iglocska]
new: [userloginprofiles] start over with previous code
fix: [user_login_profiles] fixes catching up the backlog
chg: [userloginprofile] email to org_admin for suspicious login
chg: [userloginprofile] only inform new device
chg: [userloginprofiles] view_login_history instead of view_auth_history
chg: [userloginprofile] make login history visually better
chg: [userloginprofile] inform admins of malicious report
fix: [userloginprofile] cleanup
fix: [userloginprofile] fixes Attribute include in Console
fix: [userloginprofile] db schema and changes
chg: [CI] log emails
chg: [PyMISP] branch change
chg: [test] test
fix: [userloginprofile] unique rows
fix: [userloginprofile] unique rows
chg: [cleanup]
Revert "chg: [PyMISP] branch change"
This reverts commit 3f6fb46fee9745437998fc013a97af874679c87b.
fix: [userloginprofile] fix workers with monolog=1.25 browcap=5.1
fix: [db] dump schema version
fix: [CI] newer php versions
fix: [composer] php version
fix: [php] revert to normal php7.4 tests
Merge branch '2.4' into develop. [iglocska]
MISP 2.4.179 released with a host of improvements, a security fix and some new tooling.
This release includes our first attempt at an LLM integration for report summarisation and extraction. The development is an outcome of our work with @aaronkaplan during hack.lu 2024 and relies on stochasticCTIExtractor for the extraction and for interfacing with LLMs.
Expect to see more in this space in the near future!
For a sneak peek, head over to our lightning talk video on the topic.
As always, @mokaddem is hard at work in his arcane laboratory, improving the workflow tooling. This time, among a host of improvements, he has also concocted a new IF module that makes decisions based on the number of elements (counts) matching certain criteria. For a full list of changes, have a look at the Changelog.
The edit performance for large events has been reworked to speed the process up somewhat. In addition, a new "fast_update" mode has been added for special cases where no major changes are expected to an event or where additional precautions have been taken (the main difference being that duplicate-handling validation is skipped on this path).
For some benchmarks of what this means in practice for an event, assuming 20,000 attributes with a single tag being added to each and the last seen being altered:
Time taken: 171.2364685535431
Time taken (standard mode): 97.22623372077942
Time taken (fast mode): 40.74654579162598
This new method is currently used exclusively by the /events/edit endpoint, but expect it to show up in other endpoints in later releases.
Though more of an edge case, we've seen the need for some communities to automatically delegate publication across instances, for example an ISAC republishing the data of its constituency anonymously, or an organisation releasing data produced by a service provider under its own umbrella. If you have any such use-cases, head over to the new delegation tool and read up on how it works and what you can do with it: misp-delegation
This release also contains a security fix for a stored XSS triggerable via the event timeline widget, as reported by fukusuket (Fukusuke Takahashi). Thanks a lot for the report; we encourage the community at large to update their MISP instances to this release and to similarly report all their findings to us based on our Security policy.
Various taxonomy improvements and new taxonomies have been included, such as an update to PAP, a taxonomy used by SRB-CERT, as well as a taxonomy for doping substances.
The PAP (Permissible Actions Protocol) has been updated to be in line with TLPv2. Thanks to the contribution and discussions with ANSSI-FR/CERT-FR about the marking topic.
Various fixes to a host of object templates as well as some new templates such as Crowdstrike Report objects were added in this release.
The MISP galaxy MITRE ATT&CK has been updated to version 14. A new NAICS galaxy has been created to support the North American Industry Classification System.
The MISP project has its own Mastodon server misp-community.org - don't forget to follow @[email protected] on the fediverse. Core contributors of MISP can sign-up if they wish to have an account.
MISP Professional Services (MPS) is a program handled by the lead developers of MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.
MISP 2.4.178 released with many workflow improvements, enhancement and bugs fixed.
totp_delete added in query builder and API documentation.
orgc_id as valid filter.
includeGranularCorrelations is now exposed in the event RestSearch.
cryptocurrency-transaction and many updates to other objects. For detailed changes, see the MISP objects changelog.
ammunition, firearms and many updates in threat actor, Sigma and many others. For detailed changes, see the MISP galaxy changelog.
The latest video of MISP Training - Advanced, Developer session, from API to MISP internals is now available on YouTube.
MISP 2.4.177 released with various bugs fixed and improvements.
[tests] testing disabling the timestamp greater as old timestamp for password changes.
[tests] make em happy with re-including a filter parameter that worked before, albeit unintentionally.
[PyMISP] disable some tests.
[misp-stix] Bumped latest version.
[warning-lists] updated.
[PyMISP] Keep messing with tests.
[warning-lists] updated.
Check test files are there.
[version] bump.
[escaping] added to event ID.
Attempt to fix git clone from the test suite.
[feeds] change name to Community version.
[config:customAuth_header] Default to upper case.
[console:TrainingShell] Allow overriding existing user data.
[Console:trainingShell] Provide correct filters for wiping data.
[console:trainingShell] Added wipeUsers and wipeOrgs functions.
[posts:crud] Prevent read-only users from creating posts.
[config:config.default] Disabled warning_for_all by default for new install.
MISP 2.4.176 released with various improvements and bugs fixed. This version also includes major improvements in the misp-stix library, especially in storing relationships and describing them in the MISP standard format.
debug option is set.
MISP 2.4.175 released with various bugs fixed, improvements and security fixes.
start_date and end_date options in the MISP dashboard widgets.
first_half_year and second_half_year timeframe.
push_rules from being required in API requests to the /server/edit endpoint.
Event key.
Thanks to BeDisruptive OSS Team and Centre for Cyber Security Belgium (CCB) for the reporting.
Also a huge thanks to all the contributors, reporters and helpers supporting the MISP project.
x-header object template has been created to add custom HTTP or SMTP headers easily.
artifact object to better support STIX 2.1.
malware and malware-analysis objects to better support STIX 2.1.
For more details, the misp-object changelog is available.
For more details, the misp-galaxy changelog is available.
For more details, the misp-warninglists changelog is available.
For more details, the misp-taxonomies changelog is available.
MISP-stix includes multiple improvements and bugs fixed.
For more details, the misp-stix changelog is available.
For more details, the PyMISP changelog is available.
We are thrilled to announce the immediate availability of MISP v2.4.174 with significant workflow improvements, accompanied by a host of quality-of-life enhancements and bug fixes.
taxii_push script now correctly passes the standard MISP JSON format to misp-stix, avoiding any format-related problems.
These updates and fixes mark a significant step forward for MISP, delivering a more efficient, secure, and reliable experience for our users. We encourage everyone to upgrade to the latest version to take advantage of these improvements. For more details and to access the release, please visit MISP v2.4.174. Thank you for your continued support and feedback, which has been instrumental in making MISP better with each release. For a more detailed overview of the MISP workflows and various MISP submodules/projects improvements, check below:
We had the pleasure of being invited to participate in GeekWeek with the main objective of streamlining the identification of false positives and simplifying the process of building workflows. We developed new modules for both the enrichment and the workflow systems and introduced self-contained blueprints acting as building blocks, to make the creation of complex IoC curation pipelines feel like a breeze. In addition, this release includes numerous little UI/UX treats for the workflow system, hoping to provide a more efficient and user-friendly experience.
Overall, the following work was carried out:
To give an idea of what these blueprints look like, let's have a look at Flag false-positive tripping over warninglists.
In a few words, here is what's going on:
false_positive are kept, the others are filtered out
to_ids flag will be disabled or kept as is
It should be noted that every curation blueprint is configurable, in the sense that it might execute differently based on the tags (coming from the misp-workflow taxonomy) attached to the event. For example, if the tag misp-workflow:mutability="allowed" is set on the event, the workflow will modify existing data. This can be very useful for servers acting as a clearing hub or forwarding vetted data to other instances. If the tag isn't present, data won't be touched and only local tags will be applied if needed.
Should you be interested to check the 9 new blueprints out, the complete list can be found here: https://github.com/MISP/misp-workflow-blueprints#curation-blueprints.
Now let's have a quick look at the changes that have been integrated to speed up editing, simplify complex tasks and make things a little more intuitive.
Added support for two new operators, Any value and Any values from, allowing OR conditions in logic blocks.
UX improvement to help users to quickly insert blocks on existing connections.
UX improvement to support smaller screens.
UX improvement and helper tool to facilitate crafting complex hash path.
UI feature to enable framing nodes that achieve a specific action. Especially useful when using blueprints.
For more details, the misp-object changelog is available.
For more details, the misp-galaxy changelog is available.
For more details, the misp-warninglists changelog is available.
For more details, the misp-taxonomies changelog is available.
MISP-stix includes multiple improvements and bugs fixed.
For more details, the misp-stix changelog is available.
We are pleased to announce the immediate availability of MISP v2.4.173 with a new password reset feature, along with a host of quality of life improvements and fixes.
We have added new functionality allowing administrators to enable user self-service for forgotten passwords. When enabled, users will have an additional link below the login screen, allowing them to enter their e-mail address and receive a token that can be used to reset their password.
The feature requires the user to have a valid encryption key and the lifetime of the tokens is hard-coded to be 10 minutes.
The dashboard has seen another round of improvements, with various fixes and new widgets added. 2.4.173 includes the following new widgets:
Additionally, you can now download the raw data used to feed each widget.
Two vulnerabilities have also been resolved:
Improper sanitisation of user-controlled data ending up in view titles led to stored XSS
Huge thanks to Ulaş Deniz İlhan from Zigrin Security (absolute heroes at discovering vulnerabilities in MISP!)
Malicious administrators could trigger RCE by uploading a well-crafted file as an SSL certificate for the sync connection.
Additional information on the vulnerability can be found at the excellent blog post from synacktiv
Huge thanks to @righel for finding and fixing the vulnerability!
As always, we have been diligent with including a long list of fixes, including for issues with server sync certificate handling, url encoding of spaces in search strings, CSRF errors and much more! For a detailed list of fixes, please refer to the changelog.
For more details, the misp-object changelog is available.
For more details, the misp-galaxy changelog is available.
For more details, the misp-warninglists changelog is available.
For more details, the misp-taxonomies changelog is available.
We are pleased to announce the immediate availability of MISP v2.4.172 with new TOTP/HOTP authentication, many improvements and bugs fixed.
TOTP support is now included in MISP. This functionality works in two modes:
When logging in, the user can enter either the TOTP or the HOTP (one-time paper token). OTP attempts are also limited by the Bruteforce component, so multiple failed attempts will result in a temporary block. HOTP is available for recovery and also for secure environments where mobile phones or electronic devices are forbidden.
Users can generate their TOTP secret through their Profile page:
A QR code is generated and the user needs to enter the code once to confirm all is well. They are then directed to the page containing their next 50 HOTP/paper tokens:
Their profile then shows that they have a token, and they can check again what their paper tokens are. The admin page shows the same (the phone icon). (Org) admins can delete the secret of a user:
Once they have a TOTP secret, users are prompted after the user/password window to enter the TOTP or the HOTP.
Logging is also generated:
The MISP.totp_required security setting allows enforcing TOTP for the whole MISP instance.
In this case users are invited to set up their TOTP at next login. They cannot access any other page until they have validated the TOTP. The server-wide parameter has a beforeHook to ensure the required PHP libraries are installed, as otherwise the admin might lock themselves out.
Requires 2 additional PHP libraries to be installed through composer:
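The two login modes described above, as an added example that is not MISP's own code: a small Python implementation of RFC 4226 HOTP and RFC 6238 TOTP that generates the 50-token paper sheet, accepts either factor at login, burns used paper tokens so they cannot be replayed, and blocks after repeated failures. The secret is the RFC 4226 test key and the lockout threshold is an assumed value, not MISP's Bruteforce component setting.

```python
import base64
import hashlib
import hmac
import struct

# Demo secret: the RFC 4226 test key "12345678901234567890" in base32, not a real user's secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
PAPER_TOKENS = 50          # MISP hands the user their next 50 HOTP tokens
TOTP_STEP = 30             # RFC 6238 default time step in seconds
MAX_FAILED_ATTEMPTS = 5    # assumed stand-in for the Bruteforce component's threshold


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-SHA1 one-time password for a given counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, now // step)


def paper_tokens(secret_b32: str, start_counter: int, count: int = PAPER_TOKENS) -> list:
    """The sheet of single-use HOTP tokens a user prints for recovery or phone-free sites."""
    return [hotp(secret_b32, start_counter + i) for i in range(count)]


class OtpVerifier:
    """Second-factor check accepting either the current TOTP or an unused paper (HOTP) token."""

    def __init__(self, secret_b32: str, hotp_counter: int = 0):
        self.secret = secret_b32
        self.hotp_counter = hotp_counter                  # lowest paper token still valid
        self.sheet_end = hotp_counter + PAPER_TOKENS      # nothing beyond the printed sheet is accepted
        self.failed = 0

    def verify(self, submitted: str, now: int) -> bool:
        if self.failed >= MAX_FAILED_ATTEMPTS:
            return False                                  # temporarily blocked after repeated failures
        # Accept the current TOTP window plus one step either side to tolerate clock skew.
        for skew in (-1, 0, 1):
            if hmac.compare_digest(totp(self.secret, now + skew * TOTP_STEP), submitted):
                self.failed = 0
                return True
        # Paper tokens: accept any unused entry on the sheet, then invalidate it and every
        # earlier entry so a token captured from the sheet cannot be replayed.
        for counter in range(self.hotp_counter, self.sheet_end):
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.hotp_counter = counter + 1
                self.failed = 0
                return True
        self.failed += 1
        return False
```

The counter advance is the part worth keeping in mind when storing paper tokens server-side: it must be persisted atomically with the login, otherwise a token can be reused.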
TAXII integration is still in its infancy in MISP, but with the current release we aim to make the process of interacting with a TAXII server more in-depth. Prior to the current release, you could add a taxii server connection, pointing to a collection and initiate a filtered push of your MISP data - however, there was no way to view the contents of the collection nor to see your data reflected after a push.
The current release aims to complete the work on the initial TAXII push functionalities, with a TAXII browser built into the tool along with various fixes to bugs and issues that were reported to the prior implementation.
Simply add a TAXII server via the TAXII connections interface (sync actions -> List TAXII servers)
Make sure that you configure the filters used to decide which of your events should be pushed to the given server. Creating a local tag such as "taxii_push" allows you to manually control and label events to be pushed as in the example above.
Once the basic server information has been entered, use the wrench button above the API root field to populate the dropdown with the valid options found on the TAXII server. Once you've selected a root, click the wrench above the collection field to populate it and select the target collection for the connection.
Once a connection is established, you can view the connection object and list its collections and the objects in the configured collection on the taxii_servers/view/[id] endpoint, as follows:
You can view individual collections and browse their contents, paginating through all STIX objects (the default collection is shown at the bottom of the page). By clicking view on a STIX object, you can view the STIX 2.1 JSON object in full:
Simply use the push button on the TAXII server index to initiate a push to the selected collection with the pre-defined filters.
For more details, the misp-object changelog is available.
For more details, the misp-galaxy changelog is available.
For more details, the misp-warninglists changelog is available.
For more details, the misp-taxonomies changelog is available.