MISP Versions

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

v2.4.181

4 months ago

MISP 2.4.181 is a hotfix release that disables the alert on suspicious logins by default, plus some minor fixes.

Changes

  • [tools:misp-delegation] Do not use self-documented expression in f-string anymore. [Sami Mokaddem]
  • [version] bump. [iglocska]
  • [warning-lists] updated to the latest version. [Alexandre Dulaunoy]
  • [misp-galaxy] updated to the latest version. [Alexandre Dulaunoy]
  • [tests] search for errors in logs. [Christophe Vandeplas]
  • [warning-lists] updated to the latest version. [Alexandre Dulaunoy]
  • [misp-galaxy] updated to the latest version. [Alexandre Dulaunoy]

Fix

  • [Alert on suspicious logins] disabled by default. [iglocska]
    • requires logs table to be better indexed currently to not be a bottleneck (user_id and action fields)
    • Will be made default in an upcoming version once the performance issues are resolved
  • [tests] fix path in logs_tests.sh. [Christophe Vandeplas]
  • [tests] fixes path of logs_tests. [Christophe Vandeplas]
  • [userloginprofiles] undefined variable #9424. [Christophe Vandeplas]
  • [customauth] missing Class init fixes #9425. [Christophe Vandeplas]

v2.4.180

4 months ago

MISP 2.4.180 released with a new user login profile security feature, bug fixes and many improvements.

v2.4.180 (2023-11-30)

New

  • [api] added X-MISP-AUTH as an alternative header to Authorization, fixes #9418. [iglocska]

Changes

  • [VERSION] bump. [iglocska]
  • [workflows] restored 7.2 and 7.3. [iglocska]
  • [user login profile] old version compatibility. [iglocska]
  • [event index] hover over ID will show the info field, generally more useful than the threat level. [iglocska]

Fix

  • [login] fixes bad fix and catches first login after update. [Christophe Vandeplas]
  • [revert] dumb check. [iglocska]
  • [compatibility] make the ancient gods happy. [iglocska]
  • [user login profile] skip checks for ancient php versions. [iglocska]
  • [Attribute:EditPostProcessing] Make sure the ID is set. [Sami Mokaddem]
  • [attribute:editPostProcessing] Fixed typo in condition preventing tags to be detached. [Sami Mokaddem]
  • [attributes] type field added to editable fields. [iglocska]
  • [RPZ] export custom parameters ignored, fixes #9420. [iglocska]
  • [Attribute:editPostProcessing] Fixed sighting capture. [Sami Mokaddem]
  • [Attribute:EditPostProcessing] Make sure the ID is set. [Sami Mokaddem]
  • [attribute:validation] Typo in function name. [Sami Mokaddem]
  • [attribute:editPostProcessing] Fixed typo in condition preventing tags to be detached. [Sami Mokaddem]

Other

  • Merge remote-tracking branch 'origin/develop' into 2.4. [Christophe Vandeplas]

  • Merge branch 'develop' into 2.4. [iglocska]

  • Merge branch '2.4' into develop. [iglocska]

  • Merge branch 'develop' into 2.4. [iglocska]

  • Revert "chg: [workflows] restored 7.2 and 7.3" [iglocska]

    This reverts commit 206d2af439ae22c35a41568b4dc79562f2cb29e4.

  • Merge branch '2.4' into develop. [iglocska]

  • Merge branch '2.4' of github.com:MISP/MISP into develop. [Sami Mokaddem]

  • Merge remote-tracking branch 'origin/2.4' into develop. [Sami Mokaddem]

  • Merge branch '2.4' of github.com:MISP/MISP into develop. [Sami Mokaddem]

  • Merge branch 'develop' of github.com:MISP/MISP into develop. [iglocska]

  • Merge branch 'develop' of github.com:MISP/MISP into develop. [Sami Mokaddem]

  • Feature/user login profiles2 (#9379) [Christophe Vandeplas, iglocska]

    • new: [userloginprofiles] start over with previous code

    • fix: [user_login_profiles] fixes catching up the backlog

    • chg: [userloginprofile] email to org_admin for suspicious login

    • chg: [userloginprofile] only inform new device

    • chg: [userloginprofiles] view_login_history instead of view_auth_history

    • chg: [userloginprofile] make login history visually better

    • chg: [userloginprofile] inform admins of malicious report

    • fix: [userloginprofile] cleanup

    • fix: [userloginprofile] fixes Attribute include in Console

    • fix: [userloginprofile] db schema and changes

    • chg: [CI] log emails

    • chg: [PyMISP] branch change

    • chg: [test] test

    • fix: [userloginprofile] unique rows

    • fix: [userloginprofile] unique rows

    • chg: [cleanup]

    • Revert "chg: [PyMISP] branch change"

    This reverts commit 3f6fb46fee9745437998fc013a97af874679c87b.

    • fix: [userloginprofile] fix workers with monolog=1.25 browscap=5.1

    • fix: [db] dump schema version

    • fix: [CI] newer php versions

    • fix: [composer] php version

    • fix: [php] revert to normal php7.4 tests


  • Merge branch '2.4' into develop. [iglocska]

v2.4.179

5 months ago

MISP 2.4.179 released with a host of improvements, a security fix and some new tooling.

First baby steps taken towards LLM integration

This release includes our first attempt at an LLM integration for report summarisation and extraction. The development is an outcome of our work with @aaronkaplan during hack.lu 2023 and relies on stochasticCTIExtractor for the extraction and for interfacing with LLMs.

Expect to see more in this space in the near future!

For a sneak peek, head over to our lightning talk video on the topic.

Workflow improvements

As always, @mokaddem is hard at work in his arcane laboratory improving the workflow tooling. This time, among a host of improvements, he has concocted a new IF module that makes decisions based on the number of elements (counts) matching certain criteria. For a full list of changes, have a look at the Changelog.

Performance improvements for large event edits

Edit performance for large events has been reworked to speed the process up. In addition, a new "fast_update" mode has been added for special cases where no major changes are expected to an event, or where additional precautions have been taken: the main difference is that duplicate validation is skipped on this path, so only use it on input you already trust to be free of duplicates.

For some benchmarks of what this means in practice, assuming an event with 20,000 attributes, a single tag being added to each and the last seen being altered:

  • MISP 2.4.178, time taken: 171.2364685535431
  • MISP 2.4.179, time taken (standard mode): 97.22623372077942
  • MISP 2.4.179, time taken (fast mode): 40.74654579162598

This new method is currently used exclusively by the /events/edit endpoint; expect it to show up in other endpoints in later releases.

A new tool for remote delegations

Though more of an edge case, some communities need to automatically delegate publications across instances, for example an ISAC republishing its constituency's data anonymously, or an organisation releasing data produced by a service provider under its own umbrella. If you have such a use case, head over to the new delegation tool and read up on how it works and what you can do with it: misp-delegation.

Security: XSS fixed in the event timeline

This release also contains a security fix for a stored XSS triggerable via the event timeline widget, as reported by fukusuket (Fukusuke Takahashi). Thanks a lot for the report; we encourage the community at large to update their MISP instances to this release, and to report any findings to us following our Security policy.

Other improvements

MISP Taxonomies

Various improvements and new taxonomies, such as an update to PAP, a taxonomy used by SRB-CERT, and a taxonomy for doping substances.

The PAP (Permissible Actions Protocol) taxonomy has been updated to be in line with TLP v2. Thanks to ANSSI-FR/CERT-FR for the contribution and the discussions on the marking topic.

MISP Objects

Various fixes to a host of object templates as well as some new templates such as Crowdstrike Report objects were added in this release.

MISP Galaxy

  • A host of new clusters were added, mostly targeting the threat-actors galaxy library - a huge thanks goes to @Mathieu4141 for all the diligent work. Automatically ingested galaxies, such as the global sigma rule library have also been updated.

The MISP galaxy MITRE ATT&CK has been updated to the version 14. A new NAICS galaxy has been created to support North American Industry Classification System.

MISP warning-lists

  • Warning-lists updated to the latest version. Several warninglists have been brought up to the latest release as well as new warninglists such as the findip-host warninglist have been added.

For all other changes, please refer to the Changelog.

Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server, misp-community.org. Don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

MISP Professional Services

MISP Professional Services (MPS) is a program handled by the lead developers of MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.

v2.4.178

5 months ago

MISP 2.4.178 released with many workflow improvements, enhancements and bug fixes.

A sample MISP workflow

Improvements

  • [workflow] Added option to provide a custom JSON in the hashpath picker helper.
  • [workflow] New action modules (blocklist, warninglist, counter...), for example to add an event to the blocklist.
  • [workflow] New trigger event before save.
  • [workflow] Various improvements in the quick hashpath filter.
  • [workflow] Improved webhook to support HTTP request method, headers, payload. It also now supports self-signed certificates.
  • [workflow] Many improvements in debugging and workflow logging.
  • [RestClient/OpenAPI] totp_delete added in query builder and API documentation.
  • [STIX upload] Improved galaxy handling, including more detailed options when importing STIX 2 and creating galaxies/clusters.

Changes

  • [dashboard-widget:worldmap] Added support of custom scale in widget config.
  • [API event:restSearch] Added support of orgc_id as a valid filter.
  • [Auditing] API access time is now stored once per hour by default.
  • [API] includeGranularCorrelations is now exposed in the event RestSearch.

Fixes

  • [API] Add sharinggroup as an allowed parameter in attribute search.
  • [objects:edit] Restored behavior of upgrading object to newer template.
  • Many other fixes; check the ChangeLog for detailed changes.

Other improvements

MISP Objects

  • New objects added, such as cryptocurrency-transaction, and many updates to other objects. For detailed changes, see the MISP objects changelog.

MISP Galaxy

  • Many new galaxies, such as ammunition and firearms, and many updates to threat-actor, Sigma and others. For detailed changes, see the MISP galaxy changelog.

MISP warning-lists

  • Warning-lists updated to the latest version. New warning list of known hostnames used to look up the source IP of a DNS resolver. See the MISP warning-lists changelog.


Training video

The latest video of MISP Training - Advanced, Developer session, from API to MISP internals is now available on YouTube.


v2.4.177

7 months ago

MISP 2.4.177 released with various bugs fixed and improvements.

Improvements

  • [dev] added a shell script to generate the restsearch parameters.
  • [CLI] add command to expire active AuthKeys that do not have an IP allowlist set.
  • [cli] Add command to trigger a password change on next login for users with an old password.
  • [Users] add last password change timestamp for users.
  • [workflowModules:event_distribution_operation] Added action module.

Changes

  • [tests] testing disabling the "timestamp greater than old timestamp" check for password changes.
  • [tests] make them happy by re-including a filter parameter that worked before, albeit unintentionally.
  • [PyMISP] disable some tests.
  • [misp-stix] Bumped to the latest version.
  • [warning-lists] updated.
  • [PyMISP] Keep messing with tests.
  • [warning-lists] updated.
  • Check test files are there.
  • [version] bump.
  • [escaping] added to event ID.
  • Attempt to fix git clone from the test suite.
  • [feeds] change name to Community version.
  • [config:customAuth_header] Default to upper case.
    • See $_SERVER: PHP upper-cases passed headers.
  • [console:TrainingShell] Allow overriding existing user data.
  • [Console:trainingShell] Provide correct filters for wiping data.
  • [console:trainingShell] Added wipeUsers and wipeOrgs functions.
  • [posts:crud] Prevent read-only users from creating posts.
  • [config:config.default] Disabled warning_for_all by default for new installs.

Fixes

  • [misp-stix] Bumped latest version with a fix on the file patterns parsing.
  • [tests] added some sleeps to avoid timestamps of follow up tests being within 1 second of the previous test.
  • [API] filter parameters added.
  • [PyMISP/CI] Disable search logs for now.
  • [restsearch] parameters fixed.
  • [taxonomy] enable/disable creating junk taxonomies on invalid ID, fixes #9273.
  • [console:trainingShell] More typo in model name.
  • [console:trainingShell] Typos in model names.
  • [RestSearch] allow filtering on eventinfo for events and attributes.

Other improvements

  • Show object's attributes if they are tagged.
  • Fix event graph tag scope view.
  • Fix event hyperlink in discussion view page.


v2.4.176

7 months ago

MISP 2.4.176 released with various improvements and bug fixes. This version also includes major improvements in the misp-stix library, especially in storing relationships and describing them in the MISP standard format.

A LookyLoo event in MISP

Improvements

  • [logs] add time based filter. Quite useful when you have a large set of logs.
  • [audit] add last password change timestamp for users.
  • [UI] show which attributes/objects are new and awaiting publication still.
  • [console:TrainingShell] Added deleteAllSyncs function.
  • [feeds] add Ellio threat list.

Bugs fixed

  • [internal] improved parameter parsing.
  • Properly filter out query parameters.
  • Method call on null.
  • Fixed invalid ordering errors.
  • Do not require jobId for AdminShell jobGenerateCorrelation, create a new job if jobId is null. fixes #9206.
  • [dashboard:organisationMapWidget] Do not require the config to have start and end date.
  • [restSearch] exact match for values starting with %, fixes #9258.
  • Unable to enrich individual shadow attribute.
  • Unable to enrich individual attribute, fixes #9267.
  • [stix2 import] Fixed debugging message for errors and warnings when the debug option is set.
  • Disable submodule update section when MISP.self_update is disabled, to allow not carrying git dependencies in docker.

misp-objects updates

misp-galaxy updates

  • Update of target sectors in threat-actor database. This now includes the known target sectors as meta.
  • Various updates to the threat-actor database.

misp-warning-lists updates

misp-modules

  • Fix the url of the VirusTotal collection in the VirusTotal expansion module.

PyMISP


v2.4.175

8 months ago

SigMF

MISP 2.4.175 released with various bugs fixed, improvements and security fixes.

Improvements

  • Added support of start_date and end_date options in the MISP dashboard widgets.
  • In the user periodic reporting, allow users to set the number of days to include in the reporting (UI).
  • In the MISP dashboard org Widget, added support for first_half_year and second_half_year timeframe.
  • New enrich object functionality added, in order to allow for the enrichment of a complete MISP object. Used by the SigMF module but this can be used with any expansion modules supporting objects.
  • New feeds added.
  • Improved diagnostics when an instance does not have internet access or does not use the self-update feature.

Bugs fixed

  • Update the CA bundle of the CakePHP submodule maintained by the MISP project.
  • IndexFilter: index page filtering is now fixed for REST requests.
  • Prevent push_rules from being required in API requests to the /server/edit endpoint.
  • The annoying MISP event import bug from JSON has been fixed: you can now import MISP JSON events without the Event key.
  • Various fixes in the MISP dashboard interface.
  • Fix

Security fixes

  • CVE-2023-40224 (MISP <= 2.4.174): XSS in app/View/Events/index.ctp (reported by BeDisruptive OSS Team).
  • CVE-2023-41098 (MISP <= 2.4.174): in app/Controller/DashboardsController.php, a reflected XSS via the id parameter upon a dashboard edit.

Thanks to BeDisruptive OSS Team and Centre for Cyber Security Belgium (CCB) for the reporting.

Also a huge thanks to all the contributors, reporters and helpers supporting the MISP project.

MISP Objects and Relationships

  • A new generic x-header object template has been created to add custom HTTP or SMTP headers easily.
  • SigMF object templates added.
  • Updated artifact object to better support STIX 2.1.
  • New malware and malware-analysis objects to better support STIX 2.1.

For more details, the misp-object changelog is available.

MISP Galaxy

For more details, the misp-galaxy changelog is available.

MISP warning-lists

For more details, the misp-warninglists changelog is available.

MISP taxonomies

For more details, the misp-taxonomies changelog is available.

MISP-stix

MISP-stix includes multiple improvements and bugs fixed.

For more details, the misp-stix changelog is available.

PyMISP

  • Bug fix for updating sharing group.
  • Improved msg-extract function.

For more details, the PyMISP changelog is available.


v2.4.174

8 months ago

We are thrilled to announce the immediate availability of MISP v2.4.174 with significant workflow improvements, accompanied by a host of quality-of-life enhancements and bug fixes.

General Improvements

  • [Authkeys] We have added a new setting that makes an IP allowlist mandatory for advanced authkeys, providing an extra layer of security.
  • [event:publishSightingsRouter] We have changed this from prio worker to default, resulting in better performance and reliability.
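The allowlist check that the mandatory-allowlist setting implies, together with the housekeeping step behind the 2.4.177 CLI command that expires active authkeys lacking an allowlist, written out as an added Python example. This is not MISP's own PHP code: the authkey records are constructed here, and their shape (an allowed_ips list of bare IPs or CIDR ranges, an expiration Unix timestamp with 0 meaning none) is an assumption made for the example.

```python
import ipaddress


def ip_in_allowlist(source_ip, allowed_ips):
    """True if source_ip falls inside any entry; entries may be single IPs or CIDR ranges."""
    ip = ipaddress.ip_address(source_ip)
    for entry in allowed_ips:
        net = ipaddress.ip_network(entry, strict=False)   # a bare IP parses as a /32 or /128
        if ip.version == net.version and ip in net:
            return True
    return False


def authorise_request(key, source_ip, now, require_allowlist):
    """Decide whether an API request presenting `key` from `source_ip` may proceed.

    Returns (allowed, reason). `require_allowlist` plays the role of the instance-wide
    setting that mandates an allowlist on advanced authkeys.
    """
    if key["expiration"] and now >= key["expiration"]:
        return False, "key expired"
    if not key["allowed_ips"]:
        if require_allowlist:
            return False, "key has no IP allowlist and the instance mandates one"
        return True, "allowed (key has no IP allowlist)"
    if not ip_in_allowlist(source_ip, key["allowed_ips"]):
        return False, "source IP not in the key's allowlist"
    return True, "allowed"


def expire_keys_without_allowlist(keys, now):
    """Expire every still-active key that has no allowlist; returns the ids touched.

    This is the housekeeping the 2.4.177 CLI command performs, so that keys issued
    before the allowlist was mandated do not keep working indefinitely.
    """
    expired = []
    for key in keys:
        active = not key["expiration"] or key["expiration"] > now
        if active and not key["allowed_ips"]:
            key["expiration"] = now
            expired.append(key["id"])
    return expired


def sample_keys():
    """Constructed authkey records for this example (expiration 0 means no expiry)."""
    return [
        {"id": 1, "comment": "ci-pipeline", "allowed_ips": ["10.0.0.0/8", "2001:db8::/32"], "expiration": 0},
        {"id": 2, "comment": "analyst-laptop", "allowed_ips": [], "expiration": 0},
        {"id": 3, "comment": "old-integration", "allowed_ips": ["192.0.2.10"], "expiration": 1700000000},
    ]


if __name__ == "__main__":
    now = 1710000000
    keys = sample_keys()
    for key, ip in ((keys[0], "10.20.30.40"), (keys[0], "203.0.113.9"), (keys[1], "10.0.0.1")):
        print(key["comment"], ip, authorise_request(key, ip, now, require_allowlist=True))
    print("expired:", expire_keys_without_allowlist(keys, now))
```

The source address checked must be the real client address; behind a reverse proxy that means trusting the proxy's forwarded header only from the proxy itself, otherwise the allowlist is bypassable by anyone who can set that header.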

Sync Fixes and Improvements

  • [proposal] Sync fixes have been implemented: the disable-correlation and proposal-to-delete fields are now part of the proposal index, so they are carried over during pulls and no longer cause discrepancies.
  • [proposal accept] The issue related to deletions has been fixed, ensuring smooth proposal acceptance.
  • [sightings] Now, sightings are only pushed via full push to avoid congestion, optimizing the syncing process.

Bug Fixes

  • [stix export] We have resolved issues related to empty inputs during STIX export, ensuring accurate and consistent results.
  • [taxii_push] The taxii_push script now correctly passes the standard MISP JSON format to misp-stix, avoiding any format-related problems.
  • [security] We now reset otp_secret on logout, enhancing security measures.
  • [authkeys] The admin read-only key is now allowed to access audit logs (#9191), improving access control.

These updates and fixes mark a significant step forward for MISP, delivering a more efficient, secure, and reliable experience for our users. We encourage everyone to upgrade to the latest version to take advantage of these improvements. For more details and to access the release, please visit MISP v2.4.174. Thank you for your continued support and feedback, which has been instrumental in making MISP better with each release. For a more detailed overview of the MISP workflows and various MISP submodules/projects improvement check below:

MISP Workflows improvements overview

We had the pleasure of being invited to participate in GeekWeek, with the main objective of streamlining the identification of false positives and simplifying the process of building workflows. We developed new modules for both the enrichment and the workflow systems, and introduced self-contained blueprints acting as building blocks to make the creation of complex IoC curation pipelines feel like a breeze. In addition, this release includes numerous little UI/UX treats for the workflow system, hoping to provide a more efficient and user-friendly experience.

Overall, the following work was carried out:

  • 5 new workflows modules related to tagging enrichment & curation
  • 3 new enrichment modules to improve false-positive detection from different services
  • 9 new workflow-blueprints using the above module to make the curation of incoming data a simple task
  • Many quality of life improvements for the workflow editor interface

Curation blueprints

To give an idea of what these blueprints look like, let's have a look at Flag false-positive tripping over warninglists.

Blueprint Flag false-positive tripping over warninglists

In a few words, here is what's going on:

  1. The system integrates warninglist hits in the data
  2. Attributes having a hit on a warninglist of type false_positive are kept, the others are filtered out
  3. Depending on the configuration, the to_ids flag will be disabled or kept as is
  4. Tags are attached accordingly marking matching IoCs as false-positive

It should be noted that every curation blueprint is configurable, in the sense that it may execute differently based on the tags (from the misp-workflow taxonomy) attached to the event. For example, if the tag misp-workflow:mutability="allowed" is set on the event, the workflow will modify existing data; this can be very useful for servers acting as a clearing hub or forwarding vetted data to other instances. If the tag isn't present, data won't be touched and only local tags will be applied where needed.
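The four blueprint steps and the mutability switch described above, written out as an added Python example rather than the blueprint's own implementation. The warninglist matching is simplified to exact, hostname-suffix and CIDR checks, the event and warninglists are constructed inline, and the false-positive tag name is an assumption; the mutability tag is the one named on the page.

```python
import copy
import ipaddress

MUTABILITY_TAG = 'misp-workflow:mutability="allowed"'   # tag named on the page
FALSE_POSITIVE_TAG = "misp-workflow:false-positive"      # assumed tag name, for illustration only


def warninglist_matches(warninglist, value):
    """Simplified matching: CIDR containment, hostname suffix, or exact string."""
    if warninglist["type"] == "cidr":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return False
        nets = [ipaddress.ip_network(n, strict=False) for n in warninglist["list"]]
        return any(ip.version == net.version and ip in net for net in nets)
    if warninglist["type"] == "hostname":
        host = value.lower().rstrip(".")
        return any(host == h or host.endswith("." + h) for h in warninglist["list"])
    return value in warninglist["list"]


def curate_false_positives(event, warninglists, disable_to_ids=True):
    """Run the four blueprint steps over a copy of `event` and return the copy.

    `warninglists` maps a list name to {"type", "category", "list"}; only lists whose
    category is "false_positive" cause an attribute to be flagged. Whether existing data
    is modified depends on the misp-workflow mutability tag on the event.
    """
    event = copy.deepcopy(event)
    mutable = any(t["name"] == MUTABILITY_TAG for t in event.get("Tag", []))
    for attr in event["Attribute"]:
        # 1. integrate warninglist hits into the attribute
        hits = [name for name, wl in warninglists.items() if warninglist_matches(wl, attr["value"])]
        attr["warninglist_hits"] = hits
        # 2. keep only attributes tripping a false_positive list; the rest are left untouched
        if not any(warninglists[name]["category"] == "false_positive" for name in hits):
            continue
        # 3. disable to_ids if configured, but only when the event allows mutation
        if disable_to_ids and mutable:
            attr["to_ids"] = False
        # 4. tag the attribute: a global tag if mutation is allowed, a local tag otherwise
        attr.setdefault("Tag", []).append({"name": FALSE_POSITIVE_TAG, "local": not mutable})
    return event


def flagged_values(event):
    """Values of attributes carrying the false-positive tag, in event order."""
    return [a["value"] for a in event["Attribute"]
            if any(t["name"] == FALSE_POSITIVE_TAG for t in a.get("Tag", []))]


# Constructed sample data: three warninglists and a small event with four attributes.
WARNINGLISTS = {
    "google-dns": {"type": "cidr", "category": "false_positive", "list": ["8.8.8.0/24", "8.8.4.0/24"]},
    "second-level-tlds": {"type": "hostname", "category": "false_positive", "list": ["co.uk"]},
    "bank-domains": {"type": "hostname", "category": "known_identifier", "list": ["example-bank.test"]},
}

SAMPLE_EVENT = {
    "info": "constructed event",
    "Tag": [],
    "Attribute": [
        {"type": "ip-dst", "value": "8.8.8.8", "to_ids": True},
        {"type": "ip-dst", "value": "203.0.113.5", "to_ids": True},
        {"type": "domain", "value": "evil.co.uk", "to_ids": True},
        {"type": "domain", "value": "mail.example-bank.test", "to_ids": True},
    ],
}


if __name__ == "__main__":
    untouched = curate_false_positives(SAMPLE_EVENT, WARNINGLISTS)
    print("flagged (local tags only):", flagged_values(untouched))
    mutable_event = dict(SAMPLE_EVENT, Tag=[{"name": MUTABILITY_TAG}])
    curated = curate_false_positives(mutable_event, WARNINGLISTS)
    print("to_ids after curation:", [a["to_ids"] for a in curated["Attribute"]])
```

Note that a hit on a known_identifier list (the bank domain) is recorded but does not flag the attribute: only false_positive lists may switch off to_ids, which is the point of step 2.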

Should you be interested to check the 9 new blueprints out, the complete list can be found here: https://github.com/MISP/misp-workflow-blueprints#curation-blueprints.

Workflow editor improvements

Now let's have a quick look at the changes that have been integrated to speed up editing, simplify complex tasks and make things a little more intuitive.

Multiple values in filtering

Added support for two new operators, Any value and Any values from, allowing OR conditions in logic blocks.

Quick insert on existing links

UX improvement to help users quickly insert blocks on existing connections.

Collapsible sidebar

UX improvement to support smaller screens.

Hash-path picker

UX improvement and helper tool to facilitate crafting complex hash paths.

Frame nodes

UI feature to frame nodes that achieve a specific action. Especially useful when using blueprints.

MISP Objects and Relationships

For more details, the misp-object changelog is available.

MISP Galaxy

For more details, the misp-galaxy changelog is available.

MISP warning-lists

For more details, the misp-warninglists changelog is available.

MISP taxonomies

  • Minor improvements in the cryptocurrency threat taxonomy and workflow taxonomy to support the new workflow features.

For more details, the misp-taxonomies changelog is available.

MISP-stix

MISP-stix includes multiple improvements and bugs fixed.

For more details, the misp-stix changelog is available.


v2.4.173

9 months ago

MISP 2.4.173 released with various bugfixes and improvements (2023-07-11)

We are pleased to announce the immediate availability of MISP v2.4.173 with a new password reset feature, along with a host of quality of life improvements and fixes.

Password reset self-service

We have added new functionality allowing administrators to enable self-service for forgotten passwords. When enabled, users see an additional link below the login screen, allowing them to enter their e-mail address and receive a token that can be used to reset their password.

The feature requires the user to have a valid encryption key, and the token lifetime is hard-coded to 10 minutes.
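A token scheme with the properties described here (random token sent to the user, ten-minute lifetime, single use), as an added Python example. It is not MISP's implementation and leaves out the e-mail delivery and the encryption-key requirement; the store keeps only a hash of each token so that a copied table yields nothing usable.

```python
import hashlib
import secrets

TOKEN_LIFETIME_SECONDS = 10 * 60   # the hard-coded ten-minute lifetime described above


class PasswordResetTokens:
    """Single-use, time-limited reset tokens.

    Only the SHA-256 of each token is stored; the lookup is by hash of a 256-bit random
    value, so no secret comparison happens on the token itself. Issuing a new token for
    a user invalidates any earlier one still pending.
    """

    def __init__(self):
        self._pending = {}   # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now):
        # one live token per user: drop anything still pending for them
        self._pending = {h: v for h, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, now + TOKEN_LIFETIME_SECONDS)
        return token                               # handed to the mail layer, never stored as-is

    def redeem(self, token, now):
        """Return the user id if the token is valid and unexpired, else None.

        The entry is removed whether or not it is still valid, so a token can be
        tried exactly once.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            return None
        return user_id

    def purge_expired(self, now):
        """Housekeeping: drop expired entries; returns how many were removed."""
        before = len(self._pending)
        self._pending = {h: v for h, v in self._pending.items() if v[1] > now}
        return before - len(self._pending)


if __name__ == "__main__":
    store = PasswordResetTokens()
    token = store.issue(user_id=42, now=1000)
    print("first use:", store.redeem(token, now=1100))
    print("second use:", store.redeem(token, now=1100))
```

The reset link should also not be logged (query strings in access logs are a common leak) and a successful redemption should invalidate existing sessions for that user.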


New dashboard widgets

The dashboard has seen another round of improvements, with various fixes and new widgets added. 2.4.173 includes the following new widgets:

  • Logarithmic events/org chart (Thanks @vincenzocaputo)
  • ATT&CK heatmap widget

Additionally, you can now download the raw data used to feed each widget.


Security fixes

Two vulnerabilities have also been resolved:

Stored XSS via select page titles

Improper sanitisation of user-controlled data ending up in view titles led to stored XSS.

Huge thanks to Ulaş Deniz İlhan from Zigrin Security (absolute heroes at discovering vulnerabilities in MISP!)

CVE-2023-37307

RCE via uploaded certificates

Malicious administrators could trigger RCE by uploading a well crafted file as an SSL certificate for the sync connection.

CVE-2023-37306

Additional information on the vulnerability can be found in the excellent blog post from Synacktiv.

Huge thanks to @righel for finding and fixing the vulnerability!

A long list of fixes

As always, we have been diligent with including a long list of fixes, including for issues with server sync certificate handling, url encoding of spaces in search strings, CSRF errors and much more! For a detailed list of fixes, please refer to the changelog.

MISP Objects and Relationships

For more details, the misp-object changelog is available.

MISP Galaxy

  • Updated threat actor database to include Budapest Convention relation.

For more details, the misp-galaxy changelog is available.

MISP warning-lists

  • New warning list digitalSide.IT warninglist added.
  • Updated warning-lists for all sources.

For more details, the misp-warninglists changelog is available.

MISP taxonomies

For more details, the misp-taxonomies changelog is available.


v2.4.172

10 months ago

We are pleased to announce the immediate availability of MISP v2.4.172 with new TOTP/HOTP authentication, many improvements and bug fixes.

Time-based and Single Use One-time password support (TOTP / HOTP)

TOTP support is now included in MISP. This functionality works in two modes:

  • (default) optional (T/H)OTP for users (when required libraries are installed)
  • (optional) mandatory (T/H)OTP for all users

When logging in, the user can enter either the TOTP or the HOTP (one-time paper token). OTP attempts are also limited by the Bruteforce component, so multiple failed attempts will result in a temporary block. HOTP is available for recovery, and for secure environments where mobile phones or electronic devices are forbidden.

Users can generate a TOTP secret through their Profile page.

A QR code is generated, and they need to enter one code to confirm that everything works. They are then directed to the page containing their next 50 HOTP/paper tokens.

Their profile then shows that they have a token, and lets them review their paper tokens again. The admin page shows the same (the phone icon), and (org) admins can delete a user's secret.

Once a TOTP secret is set, after the user/password window they are prompted to enter the TOTP or the HOTP.

Logging is also generated.

The MISP.totp_required security setting allows enforcing TOTP for the whole MISP instance.

In this case users are invited to set up their TOTP at next login; they cannot access any other page until they have validated the TOTP. The server-wide parameter has a beforeHook to ensure the required PHP libraries are installed, as otherwise the admin might lock themselves out.

Requires 2 additional PHP libraries to be installed through composer:

  • "spomky-labs/otphp"
  • "bacon/bacon-qr-code"
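The following is an added example, written for this page and not MISP's own code (MISP relies on spomky-labs/otphp and bacon/bacon-qr-code for the real thing). It shows the mechanics behind the feature described above: RFC 4226 HOTP and RFC 6238 TOTP generation, the otpauth URI that the enrolment QR code encodes, the list of "next 50" paper tokens, and a login-time verifier that accepts either code and blocks after repeated failures. The function names, the lockout threshold of five failures, the 50-token lookahead and the one-step clock skew are assumptions made for the example; in MISP the blocking is done by the Bruteforce component.

```python
# RFC 4226 HOTP / RFC 6238 TOTP with MISP-style paper tokens and a
# failed-attempt limiter. Added illustration only, not MISP's code; names,
# the lockout threshold (5), the lookahead (50) and the skew are assumptions.
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def new_secret(length: int = 20) -> bytes:
    """Random shared secret; 20 bytes is the RFC 4226 recommended minimum."""
    return secrets.token_bytes(length)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def paper_tokens(secret: bytes, start: int = 0, count: int = 50) -> list:
    """The 'next 50 HOTP/paper tokens' a user is shown after enrolment."""
    return [hotp(secret, c) for c in range(start, start + count)]


def provisioning_uri(secret: bytes, account: str, issuer: str = "MISP") -> str:
    """otpauth:// URI that authenticator apps read from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


class OtpVerifier:
    """Login-time check accepting either the current TOTP or the next unused
    paper token, blocking after repeated failures (assumed threshold)."""

    def __init__(self, secret: bytes, max_failures: int = 5,
                 lookahead: int = 50, skew_steps: int = 1):
        self.secret = secret
        self.next_counter = 0            # first unconsumed paper token
        self.failures = 0
        self.max_failures = max_failures
        self.lookahead = lookahead
        self.skew_steps = skew_steps     # tolerated clock drift, in 30 s steps

    def blocked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, code: str, unix_time: int) -> bool:
        if self.blocked():
            return False
        # TOTP: current step plus/minus the allowed drift, constant-time compare.
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            if hmac.compare_digest(totp(self.secret, unix_time + 30 * delta), code):
                self.failures = 0
                return True
        # HOTP: scan the lookahead window; a match consumes every earlier token,
        # so a skipped or already-used paper token can never be replayed.
        for c in range(self.next_counter, self.next_counter + self.lookahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    s = new_secret()
    print(provisioning_uri(s, "alice@example.org"))
    print(paper_tokens(s, count=5))
```

The verifier advances the HOTP counter past the matched token rather than to it, which is what makes a printed paper token genuinely single-use even if an earlier one is lost; the counter should be persisted with the user record, and the secret itself treated like a password hash in terms of who may read it.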

TAXII preview

TAXII integration is still in its infancy in MISP, but with this release we aim to make interacting with a TAXII server more in-depth. Prior to this release, you could add a TAXII server connection pointing to a collection and initiate a filtered push of your MISP data; however, there was no way to view the contents of the collection, nor to see your data reflected after a push.

This release completes the work on the initial TAXII push functionality, adding a TAXII browser built into the tool along with fixes for bugs and issues reported against the prior implementation.

Adding a TAXII connection

Simply add a TAXII server via the TAXII connections interface (Sync actions -> List TAXII servers).

Make sure that you configure the filters used to decide which of your events should be pushed to the given server. Creating a local tag such as "taxii_push" allows you to manually label and control which events are pushed.

Once the basic server information has been entered, use the wrench button above the API root field to populate the dropdown with the valid options found on the TAXII server; once you've selected a root, click the wrench above the collection field to populate it and select the target collection for the connection.

Viewing the connection and browsing the contents

Once a connection is established, you can view the connection object, list its collections and browse the objects in the configured collection on the taxii_servers/view/[id] endpoint.

You can view individual collections and browse their contents, paginating through all STIX objects (the default collection is shown at the bottom of the page). By clicking view on a STIX object, you can see the full STIX 2.1 JSON object.

Simply use the push button on the TAXII server index to initiate a push to the selected collection with the pre-defined filters.
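The TAXII 2.1 request sequence behind the browser and push described above, as an added example that is not part of MISP's code: discovery at /taxii2/ (what the API root wrench lists), the collections listing under an API root (the collection wrench), paging through a collection's objects envelope with its limit/next/more fields, and a POST of an envelope to a collection after checking its can_write flag. The server hostname, API root, collection ids and STIX indicators are constructed for this example so that it runs offline; a real transport would send the same URLs over HTTPS with an Accept header of application/taxii+json;version=2.1 and the server's authentication.

```python
# TAXII 2.1 exchange behind a collection browser: discovery, collection listing,
# paginated object retrieval and a push. Added illustration, not MISP's code; the
# server, URLs, collection ids and STIX objects are constructed to run offline.
from urllib.parse import parse_qs, quote, urlparse

TAXII_MEDIA = "application/taxii+json;version=2.1"   # Accept/Content-Type on a real transport


class TaxiiClient:
    """transport(method, url, body) -> (status, parsed JSON); see fake_transport below."""
    def __init__(self, base_url, transport):
        self.base_url = base_url.rstrip("/")
        self.send = transport
        self.pages_fetched = 0

    def _get(self, url):
        status, data = self.send("GET", url)
        if status != 200:
            raise RuntimeError(f"GET {url} -> {status}")
        return data

    def api_roots(self):
        """Discovery resource: what the wrench next to 'API root' populates."""
        return self._get(self.base_url + "/taxii2/").get("api_roots", [])

    def collections(self, root):
        return self._get(root + "collections/").get("collections", [])

    def iter_objects(self, root, collection_id, limit=100):
        """Walk every page of the objects envelope via its 'more'/'next' fields."""
        url = f"{root}collections/{collection_id}/objects/?limit={limit}"
        while True:
            env = self._get(url)
            self.pages_fetched += 1
            yield from env.get("objects", [])
            if not env.get("more") or not env.get("next"):
                return
            url = (f"{root}collections/{collection_id}/objects/"
                   f"?limit={limit}&next={quote(env['next'])}")

    def push(self, root, collection_id, objects):
        """POST an envelope; refuse read-only collections before sending anything."""
        col = next((c for c in self.collections(root) if c["id"] == collection_id), None)
        if col is None or not col.get("can_write"):
            raise PermissionError(f"collection {collection_id} is not writable")
        status, st = self.send("POST", f"{root}collections/{collection_id}/objects/",
                               {"objects": objects})
        if status not in (200, 202):
            raise RuntimeError(f"push -> {status}")
        return st   # status resource: total/success/failure/pending counts


# Constructed stand-in for a TAXII 2.1 server so the example runs offline.
BASE, ROOT = "https://taxii.example.test", "https://taxii.example.test/api1/"


def stix_indicator(n):
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
            "created": "2023-07-01T00:00:00.000Z", "modified": "2023-07-01T00:00:00.000Z",
            "pattern": f"[ipv4-addr:value = '192.0.2.{n}']", "pattern_type": "stix",
            "valid_from": "2023-07-01T00:00:00Z"}


def fake_transport(store):
    cols = [{"id": "c-push", "title": "MISP push", "can_read": True, "can_write": True},
            {"id": "c-ro", "title": "Vendor feed", "can_read": True, "can_write": False}]

    def send(method, url, body=None):
        p = urlparse(url)
        if url == BASE + "/taxii2/":
            return 200, {"title": "fake", "api_roots": [ROOT]}
        if url == ROOT + "collections/":
            return 200, {"collections": cols}
        if p.path == "/api1/collections/c-push/objects/":
            if method == "POST":
                store.extend(body["objects"])
                n = len(body["objects"])
                return 202, {"id": "status--1", "status": "complete", "total_count": n,
                             "success_count": n, "failure_count": 0, "pending_count": 0}
            qs = parse_qs(p.query)
            start, limit = int(qs.get("next", ["0"])[0]), int(qs.get("limit", ["100"])[0])
            more = start + limit < len(store)
            env = {"more": more, "objects": store[start:start + limit]}
            if more:
                env["next"] = str(start + limit)
            return 200, env
        return 404, {"title": "not found"}
    return send


def demo():
    """Client wired to the fake server, preloaded with five constructed indicators."""
    store = [stix_indicator(i) for i in range(1, 6)]
    return TaxiiClient(BASE, fake_transport(store)), store
```

The pagination loop stops on either a false "more" or a missing "next", since a server is allowed to omit "next" on the last page; the push checks can_write from the collection listing first so that a misconfigured connection fails before any MISP data leaves the instance.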

Other updates and changes in the MISP project

Roles and permission

  • [role permission] updated for viewing feed correlations
    • added additional role permission
    • allows hiding feed correlations from users
      • main purpose is with very large instances, to reduce the load on redis

Dashboard

  • [usage data widget] added a global caching for attribute counts.

Bugs/performance

  • [performance] fix for events with large numbers of attributes and multiple tags from the same taxonomy. [iglocska]
    • the taxonomy conflict checks were causing multiple issues:
    • non-taxonomy tags were counted as a taxonomy with namespace ''
    • once we identified a tag pair that could cause a conflict (same taxonomy) we loaded the taxonomy into redis
      • however, to check whether we already had the taxonomy loaded, we went to redis to do a GET
      • in the case of 1 million attributes with at least 1 tag pair each, this means at least 1 million GETs on redis for a single event
    • Resolution
      • remove the checks for non taxonomy tags
      • store the identified taxonomies temporarily on the model itself in memory
        • only go to redis when the model doesn't have the taxonomy cached in memory
        • still using the old approach when dealing with multiple small events
    • thanks to @github-germ for flagging the issue
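The performance fix above, reduced to its essentials as an added example (not MISP's code; the Redis key layout, the taxonomy JSON shape and the sample tags are assumptions): the pre-fix check treats plain tags as a taxonomy with namespace '' and issues one Redis GET per same-namespace tag pair per attribute, while the fixed version skips plain tags and memoises each taxonomy on the model for the duration of the check. A counting stub stands in for Redis so the difference in round trips is measurable offline.

```python
# Taxonomy-conflict check before and after the fix, with a stub Redis that
# counts GETs. Added illustration only, not MISP's code: the key layout, the
# taxonomy format and the sample tags are assumptions made for this example.


class CountingRedis:
    """Stand-in for Redis that records how many GETs a check performs."""
    def __init__(self, data: dict):
        self.data, self.gets = data, 0

    def get(self, key: str):
        self.gets += 1
        return self.data.get(key)


def namespace(tag: str) -> str:
    """Taxonomy tags look like 'namespace:predicate[="value"]'; plain tags have none."""
    return tag.split(":", 1)[0] if ":" in tag else ""


def _by_namespace(tags: list) -> dict:
    groups = {}
    for t in tags:
        groups.setdefault(namespace(t), []).append(t)
    return groups


def conflicts_old(attributes: list, redis: CountingRedis) -> list:
    """Pre-fix behaviour: plain tags share namespace '' and get checked too,
    and every same-namespace pair costs a Redis GET to load the taxonomy."""
    found = []
    for attr in attributes:
        for ns, tags in _by_namespace(attr["tags"]).items():
            if len(tags) < 2:
                continue
            tax = redis.get(f"misp:taxonomy:{ns}")
            if tax and tax.get("exclusive"):
                found.append((attr["id"], ns, tags))
    return found


class TaxonomyCache:
    """Per-model memo: Redis is consulted once per namespace for the whole check."""
    def __init__(self, redis: CountingRedis):
        self.redis, self.local = redis, {}

    def get(self, ns: str):
        if ns not in self.local:
            self.local[ns] = self.redis.get(f"misp:taxonomy:{ns}")
        return self.local[ns]


def conflicts_new(attributes: list, redis: CountingRedis) -> list:
    """Post-fix behaviour: skip plain tags, memoise taxonomies in memory."""
    cache, found = TaxonomyCache(redis), []
    for attr in attributes:
        for ns, tags in _by_namespace(attr["tags"]).items():
            if ns == "" or len(tags) < 2:   # plain tags cannot conflict
                continue
            tax = cache.get(ns)
            if tax and tax.get("exclusive"):
                found.append((attr["id"], ns, tags))
    return found


# Constructed taxonomy data and event: tlp is exclusive, admiralty-scale is not.
TAXONOMIES = {"misp:taxonomy:tlp": {"exclusive": True},
              "misp:taxonomy:admiralty-scale": {"exclusive": False}}


def sample_event(n_attributes: int) -> list:
    return [{"id": i, "tags": ["tlp:amber", "tlp:red", "osint", "phishing",
                               'admiralty-scale:source-reliability="a"']}
            for i in range(n_attributes)]


def compare(n_attributes: int = 10_000) -> dict:
    """Run both checks over the same event and report Redis round trips."""
    r_old, r_new = CountingRedis(TAXONOMIES), CountingRedis(TAXONOMIES)
    old = conflicts_old(sample_event(n_attributes), r_old)
    new = conflicts_new(sample_event(n_attributes), r_new)
    return {"old_gets": r_old.gets, "new_gets": r_new.gets,
            "same_result": old == new, "conflicts": len(new)}
```

With the sample event every attribute carries one tlp pair and one pair of plain tags, so the old check does two GETs per attribute and the new one a single GET for the whole event, while both report the same tlp conflicts.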

MISP Objects and Relationships

For more details, the misp-object changelog is available.

MISP Galaxy

For more details, the misp-galaxy changelog is available.

MISP warning-lists

  • Updated warning-lists for all sources.

For more details, the misp-warninglists changelog is available.

MISP taxonomies

For more details, the misp-taxonomies changelog is available.

Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server, misp-community.org; don't forget to follow @[email protected] on the fediverse. Core contributors of MISP can sign up if they wish to have an account.
