MISP Versions

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

v2.4.172

11 months ago

We are pleased to announce the immediate availability of MISP v2.4.172 with new TOTP/HOTP authentication, many improvements and bugs fixed.

Time-based and Single Use One-time password support (TOTP / HOTP)

TOTP support is now included in MISP. This functionality works in two modes:

  • (default) optional (T/H)OTP for users (when required libraries are installed)
  • (optional) mandatory (T/H)OTP for all users

When logging in, the user can enter either the TOTP or the HOTP (one-time paper token). OTP attempts are also limited by the Bruteforce component, so multiple failed attempts result in a temporary block. HOTP is available for recovery and also for secure environments where mobile phones or electronic devices are forbidden.

Users can generate a TOTP secret through their Profile page.

A QR code is generated and they need to enter the code once to confirm all is well. They are then directed to the page containing their next 50 HOTP/paper tokens.

Their profile then shows that they have a token, and they can also check again what their paper tokens are. The admin page shows the same (the phone icon). (Org) admins can delete the secret of a user.

Once they have their TOTP secret, after the user/password dialog they are prompted to enter the TOTP or the HOTP.

Logging is also generated.

The MISP.totp_required security setting allows enforcing TOTP for the whole MISP instance.

In this case users are invited to set up their TOTP at next login and cannot access any other page until they have validated the TOTP. The server-wide parameter has a beforeHook that checks the required PHP libraries are installed, as otherwise the admin might lock themselves out.

Requires 2 additional PHP libraries to be installed through composer:

  • "spomky-labs/otphp"
  • "bacon/bacon-qr-code"
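As an added illustration of the scheme described above (not MISP's own code, which relies on spomky-labs/otphp), the Python sketch below implements the RFC 4226 HOTP and RFC 6238 TOTP algorithms behind the two accepted factors, plus a verifier that takes either a TOTP for the current window or one unused paper token and locks the user out after repeated failures. The failure threshold, lock duration and one-step drift window are assumptions, not MISP's configured values.

```python
import base64
import hashlib
import hmac
import struct

TOTP_STEP = 30      # seconds per TOTP window (RFC 6238 default)
PAPER_TOKENS = 50   # the release hands users their next 50 HOTP "paper" tokens


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_unix: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with the counter taken from the clock."""
    return hotp(secret_b32, max(at_unix, 0) // step, digits)


class OtpVerifier:
    """Second-factor check: a TOTP for the current window, or one unused HOTP paper token.

    Failed attempts are counted and the user is locked out for a while, in the spirit of
    MISP's Bruteforce component (the thresholds here are assumptions, not MISP's values).
    """

    def __init__(self, secret_b32: str, paper_tokens: int = PAPER_TOKENS,
                 max_failures: int = 5, lock_seconds: int = 300):
        self.secret = secret_b32
        # Paper tokens are the HOTP codes for counters 0..paper_tokens-1, each usable once.
        self.unused_paper = {c: hotp(secret_b32, c) for c in range(paper_tokens)}
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = 0
        self.locked_until = 0

    def _match(self, code: str, now_unix: int):
        # One window of clock drift is tolerated on either side of the current TOTP step.
        for drift in (-1, 0, 1):
            if hmac.compare_digest(totp(self.secret, now_unix + drift * TOTP_STEP), code):
                return "totp"
        # A paper token is removed on first use so it cannot be replayed.
        for counter, token in list(self.unused_paper.items()):
            if hmac.compare_digest(token, code):
                del self.unused_paper[counter]
                return "hotp"
        return None

    def verify(self, code: str, now_unix: int) -> str:
        """Return 'totp', 'hotp', 'invalid' or 'locked'."""
        if now_unix < self.locked_until:
            return "locked"
        code = code.strip()
        # Only ASCII digits can be a valid code; anything else is a failed attempt.
        result = self._match(code, now_unix) if code.isascii() and code.isdigit() else None
        if result is not None:
            self.failures = 0
            return result
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now_unix + self.lock_seconds
            return "locked"
        return "invalid"


if __name__ == "__main__":
    # RFC 4226 test secret (ASCII "12345678901234567890") in base32, as an authenticator
    # app would store it. Constructed demo value, not a real user's secret.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    v = OtpVerifier(secret, paper_tokens=10, max_failures=3, lock_seconds=30)
    print(v.verify(totp(secret, 59), 59))   # totp
    print(v.verify(hotp(secret, 5), 59))    # hotp (paper token consumed)
    print(v.verify(hotp(secret, 5), 59))    # invalid (replay of a used paper token)
```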

TAXII preview

TAXII integration is still in its infancy in MISP, but with the current release we aim to make the process of interacting with a TAXII server more in-depth. Prior to the current release, you could add a taxii server connection, pointing to a collection and initiate a filtered push of your MISP data - however, there was no way to view the contents of the collection nor to see your data reflected after a push.

The current release aims to complete the work on the initial TAXII push functionalities, with a TAXII browser built into the tool along with various fixes to bugs and issues that were reported to the prior implementation.

Adding a TAXII connection

Simply add a TAXII server via the TAXII connections interface (sync actions -> List TAXII servers).


Make sure that you configure the filters used to decide which of your events should be pushed to the given server. Creating a local tag such as "taxii_push" allows you to manually control and label events to be pushed as in the example above.

Once the basic server information has been entered, use the wrench button above the API root field to populate the dropdown with the valid options found on the TAXII server. Once you've selected a root, click the wrench above the collection field to populate it and select the target collection for the connection.


Viewing the connection and browsing the contents

Once a connection is established, you can view the connection object and list its collections and the objects in the configured collection on the taxii_servers/view/[id] endpoint, as follows:


You can view individual collections and browse their contents, paginating through all STIX objects (the default collection is shown at the bottom of the page). By clicking view on a STIX object, you can view the STIX 2.1 JSON object in full:


Simply use the push button on the TAXII server index to initiate a push to the selected collection with the pre-defined filters.
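The API-root, collection and object browsing the UI performs maps directly onto the TAXII 2.1 discovery, collections and objects endpoints, including the envelope's `more`/`next` cursor used for pagination and the per-collection `can_read`/`can_write` flags. The Python walk below is an added example, not MISP's implementation; it runs against a constructed in-memory server, and the URLs, collection ids and STIX objects are made up.

```python
from typing import Callable, Dict, List, Optional

# TAXII 2.1 clients send this media type in Accept; servers return it in Content-Type.
TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"

# The HTTP transport is abstracted as a callable taking (url, query_params) and returning
# the decoded JSON body, so the walk below can run against the constructed server at the end.
Getter = Callable[[str, Optional[Dict[str, str]]], dict]


def discover_api_roots(get: Getter, base_url: str) -> List[str]:
    """Discovery endpoint (/taxii2/): the server advertises its API roots."""
    return get(base_url.rstrip("/") + "/taxii2/", None)["api_roots"]


def readable_collections(get: Getter, api_root: str) -> List[dict]:
    """A collection can only be browsed when the server grants can_read (a push needs can_write)."""
    collections = get(api_root + "collections/", None)["collections"]
    return [c for c in collections if c.get("can_read")]


def walk_objects(get: Getter, api_root: str, collection_id: str, page_size: int = 2) -> List[dict]:
    """Page through every STIX object in a collection.

    TAXII 2.1 wraps results in an envelope: `more` says whether pages remain and `next`
    is an opaque cursor the client must echo back to obtain the following page.
    """
    objects: List[dict] = []
    params: Dict[str, str] = {"limit": str(page_size)}
    while True:
        envelope = get(f"{api_root}collections/{collection_id}/objects/", params)
        objects.extend(envelope.get("objects", []))
        if not envelope.get("more"):
            return objects
        params["next"] = envelope["next"]


# ---- constructed in-memory TAXII 2.1 server used as the demo target (not a real server) ----
ROOT = "https://taxii.example.invalid/api1/"
READ_COLLECTION = "8c4b1e0a-0000-4000-8000-000000000001"     # constructed UUIDs
PRIVATE_COLLECTION = "8c4b1e0a-0000-4000-8000-000000000002"
STIX_OBJECTS = [
    {"type": "indicator", "spec_version": "2.1",
     "id": f"indicator--8c4b1e0a-0000-4000-8000-{i:012d}",
     "pattern": f"[domain-name:value = 'sample{i}.example.invalid']", "pattern_type": "stix"}
    for i in range(5)
]
CALLS: List[str] = []   # URLs requested, to show how many pages the walk needed


def fake_get(url: str, params: Optional[Dict[str, str]]) -> dict:
    CALLS.append(url)
    if url.endswith("/taxii2/"):
        return {"title": "Demo TAXII server", "api_roots": [ROOT]}
    if url == ROOT + "collections/":
        return {"collections": [
            {"id": READ_COLLECTION, "title": "shared", "can_read": True, "can_write": True},
            {"id": PRIVATE_COLLECTION, "title": "private", "can_read": False, "can_write": False},
        ]}
    if url == f"{ROOT}collections/{READ_COLLECTION}/objects/":
        params = params or {}
        start, limit = int(params.get("next", "0")), int(params.get("limit", "100"))
        envelope = {"objects": STIX_OBJECTS[start:start + limit],
                    "more": start + limit < len(STIX_OBJECTS)}
        if envelope["more"]:
            envelope["next"] = str(start + limit)
        return envelope
    raise LookupError(f"unexpected request: {url}")


def browse_demo() -> List[str]:
    """Discovery -> readable collections -> all object ids, against the demo server."""
    root = discover_api_roots(fake_get, "https://taxii.example.invalid")[0]
    collection = readable_collections(fake_get, root)[0]
    return [obj["id"] for obj in walk_objects(fake_get, root, collection["id"])]


if __name__ == "__main__":
    for object_id in browse_demo():
        print(object_id)
```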

Other updates and changes in the MISP project

Roles and permission

  • [role permission] updated for viewing feed correlations
    • added additional role permission
    • allows hiding feed correlations from users
      • main purpose is with very large instances, to reduce the load on redis

Dashboard

  • [usage data widget] added a global caching for attribute counts.

Bugs/performance

  • [performance] fix for events with large numbers of attributes and multiple tags from the same taxonomy. [iglocska]
    • the taxonomy conflict checks were causing multiple issues:
    • non-taxonomy tags were counted as a taxonomy with namespace ''
    • once we identified a tag pair that could cause a conflict (same taxonomy) we loaded the taxonomy into redis
      • however, in order to see if we already had the taxonomy loaded, we went to redis to do a GET
      • in the case of 1 million attributes with at least 1 tag pair, this means at least 1 million GETs on redis for a single event
    • Resolution
      • remove the checks for non taxonomy tags
      • store the identified taxonomies temporarily on the model itself in memory
        • only go to redis when the model doesn't have the taxonomy cached in memory
        • still using the old approach when dealing with multiple small events
    • thanks to @github-germ for flagging the issue

MISP Objects and Relationships

For more details, the misp-object changelog is available.

MISP Galaxy

For more details, the misp-galaxy changelog is available.

MISP warning-lists

  • Updated warning-lists for all sources.

For more details, the misp-warninglists changelog is available.

MISP taxonomies

For more details, the misp-taxonomies changelog is available.

Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server misp-community.org - don't forget to follow @[email protected] on the fediverse. Core contributors of MISP can sign up if they wish to have an account.

MISP Professional Services

MISP Professional Services (MPS) is a program handled by the lead developers of MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.

v2.4.171

11 months ago

We are pleased to announce the immediate availability of MISP v2.4.171 with a long list of fixes, major STIX 2 improvements and an overhaul over the dashboard widget toolkit.


Dashboard rework

  • In order to support communities' need to monitor ongoing trends, community growth and sharing activities in general, we've added and reworked a host of dashboard widgets.

  • A large focus of the improvements was making the widgets more configurable, especially in terms of being able to create dashboards showing individual data per groups of organisations. Groupings happen on the metadata of organisations, such as country, sector or the adaptable "type" field, allowing administrators to lump organisations into buckets based on commonalities in their community, such as membership status, sub-groups, etc.


  • Additionally, time range definitions have been added for many of the new and reworked widgets, allowing you to see changes in the current month, the past x days or the current year.

  • New widgets include:

    • A new, filterable organisation evolution line-chart widget
    • World map showing country representation of the given community
    • A ticker showing the latest Users being enrolled in the system
    • A ticker showing the latest organisations being enrolled in the system
    • List of UI login counts for the configured timeframe
    • List of UI authentications for the configured timeframe
    • Published event line-chart
    • Contributing organisation and user top lists (the latter requires the enabling of a security setting)
    • Filterable trending attribute values widget

Workflows

  • Work has begun on a larger rework allowing the creation of filtered paths in workflows, allowing the workflow creator to temporarily restrict the data in individual paths based on custom, configurable filtering.
    • This will further allow administrators to configure workflow execution paths that only trigger on more refined subsets of the data, rather than on anything passing through
  • As always, workflows are still heavily a work in progress and are becoming tighter integrated with the core MISP functionalities with each release.

STIX 2.1 and TAXII integration improvements

  • We would like to thank all users reporting unexpected misalignments in the STIX 2.1 conversion. We are striving for 100% coverage of the standard, and removing the ambiguity created by such a large standard can be difficult until we see those edge cases actually used by the various implementations.
    • We appreciate the submission of any (sanitised) STIX 2.1 samples that cause unwanted results when ingested in MISP or any (sanitised) MISP events that cause incorrect or inconsistently mapped STIX 2.1 to be generated
  • This release addresses a host of the bugs and misalignments reported, thanks to the tireless work of @chrisr3d
  • TAXII integration is still in its infancy and currently only supporting a subset of tested target tools. Please let us know about anything that doesn't work for you or if you have (successfully or unsuccessfully) integrated a taxii server with MISP using the new feature.

Fixes

  • A long list of fixes affecting:
    • the workflows
    • the event index search, including the ability to search for attributes via performant full string searches
    • STIX 2.1
    • TAXII
    • PyMISP

For a detailed list of changes affecting the MISP core in this release, head over to the changelog.

Other updates and changes in the MISP project

MISP Objects and Relationships

  • New risk-assessment-report object to share risk assessment reports such as the ones generated by MONARC.
  • New object template for AI chat prompts such as ChatGPT.

For more details, the misp-object changelog is available.

MISP Galaxy

  • MITRE ATT&CK galaxy updated to version 13.
  • Sigma galaxy updated to the latest version.
  • Threat actor galaxies updated with new threat actors and improved.
  • Major improvements in the list of relationship between the threat-actor galaxy and the other galaxies.
  • Microsoft new threat-actor taxonomy added along with the relationships from the previous microsoft naming.
  • Improve tooling to manage relationships between the different galaxy clusters.

For more details, the misp-galaxy changelog is available.

MISP warning-lists

  • Updated warning-lists for all sources.

For more details, the misp-warninglists changelog is available.

MISP taxonomies

  • Updated and expanded dark-web taxonomy.

For more details, the misp-taxonomies changelog is available.


v2.4.170

1 year ago

We are pleased to announce the immediate availability of MISP v2.4.170 with new features, workflow improvements and bugs fixed.

It includes a new release of misp-stix, the core Python library for importing and exporting STIX (1, 2.0 and 2.1), with many improvements.

Workflow

  • A new "event threat level if" logic module has been added to the "misp-workflow-modules" module.
  • The "workflow-module:send_mail" module now allows org admins to receive send_log_mail.
  • The "workflow-module:send_mail" module now allows all admins to use it.
  • The "workflow:tag_if" module now correctly compares cluster tags.
  • The "workflow-module:enrich_event" module no longer runs enrichment if no filtered elements are found. Previously, if a filtering condition was set and no items matched, the whole event was enriched; now nothing happens.
  • The "workflow-module:tag_if" module now supports galaxy clusters. This fixes issue #8959.
  • The data type of the workflows.data column has been changed from TEXT to LONGTEXT in the "db:workflows" module. This should fix issue #8979.
  • The "workflows" module now requires misp-modules for email.

New security features

  • Improved security of API authentication: an API key can now be pinned to an IP address in a single click.
  • Seen IP addresses are now recorded per API key.

Fixes

  • Add support for a breakOnDuplicate named parameter on the /attributes/add endpoint. The default value is true, which keeps the current behaviour of throwing an error when the user tries to add a duplicate attribute to an event. When set to false the endpoint works as an upsert, updating the attribute's timestamp and any other properties provided in the payload, and no error logs are written.
  • The "'sharing_group_id' doesn't have a default value" error when importing an OpenIOC file has been fixed.

Security fix

A huge thanks to all the contributors and supporters of the MISP project. This release wouldn't be possible without the help of all the organisations and people supporting us to make MISP a reality.

Go to the detailed changelog for more details about the changes to the MISP core software.

Other updates and changes in the MISP project

MISP Objects and Relationships

  • New Greynoise-ip object.
  • [network-socket] Added MAC address attributes.
  • New relationships rewrite added.

For more details, the misp-object changelog is available.

MISP Galaxy

  • Sigma galaxy updated to the latest version.
  • Threat actor galaxies updated with new threat actors and improved.
  • Ransomware group updated to be inline with ransomlook.io.
  • Stealer galaxy updated.

For more details, the misp-galaxy changelog is available.

MISP warning-lists

  • New warning-lists added for Google Bot.
  • Updated warning-lists for all sources.

For more details, the misp-warninglists changelog is available.


v2.4.169

1 year ago

We are pleased to announce the immediate availability of MISP v2.4.169 with various improvements and bug fixes.

It includes a new release of misp-stix, the core Python library for importing and exporting STIX (1, 2.0 and 2.1), with many improvements.

Improvements

  • New MISP workflow module to support Splunk HEC export.
  • Sighting ReSTsearch reworked to make it faster.
  • dashboard-widget:TrendingTags improved with new filtering and over time functionalities.
  • New ApacheSecureAuth authentication scheme added.

Fixes

  • TAXII servers invalid baseurl field type fixed.
  • Restore bro export (temporary fix until a complete rework of the bro export in ReSTsearch).

A huge thanks to all the contributors and supporters of the MISP project. This release wouldn't be possible without the help of all the organisations and people supporting us to make MISP a reality.

Go to the detailed changelog for more details about the changes to the MISP core software.

Other updates and changes in the MISP project

MISP Objects

  • A new MISP object ransomware-group-post has been created to support ransomlook.io.
  • Improved victim object.
  • A new MISP object transport-ticket has been created to share information about transports in MISP.
  • Various improvements to network-connection, network-socket.
  • A new MISP object registry-key-value

For more details, the misp-object changelog is available.

MISP Galaxy

  • A new MISP galaxy first-dns matrix describing DNS abuse techniques has been added.
  • Various improvements in different galaxy such as threat-actors, sigma, stealer, tools, region, 360net, MITRE ATT&CK.

For more details, the misp-galaxy changelog is available.

MISP warning-lists

  • New captive-portals warning list added.
  • New parking page warning list added.

For more details, the misp-warninglists changelog is available.


v2.4.168

1 year ago

We are pleased to announce the immediate availability of MISP v2.4.168 with bugs fixed and various security fixes.

It includes a rather substantial release of misp-stix, the core Python library for importing and exporting STIX (1, 2.0 and 2.1).

Fixes

  • Improvements to the indexTable
  • allow site admins ability to view event_creator_email for all events in export
  • [shadowAttribute:accept] Restored accepting functionality for the proposals
  • [feed:edit] Make sure to keep orgc_id to its saved value
  • [tags:relationship] Fixed synchronisation of relationship_type

Security fixes

  • CVE-2023-24070 < MISP 2.4.168 - app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer field.
  • CVE-2023-24026 < MISP 2.4.168 - app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.
  • CVE-2023-24027 < MISP 2.4.168 - app/webroot/js/action_table.js allows XSS via a network history name.
  • CVE-2023-24028 < MISP 2.4.168 - app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.

Thanks to the reporter Cyber Controls from SIX Group and Dawid Czarnecki of Zigrin Security.

A huge thanks to all the contributors and supporters of the MISP project. This release wouldn't be possible without the help of all the organisations and people supporting us to make MISP a reality.

Go to the detailed changelog for more details about the changes to the MISP core software.

Other updates and changes in the MISP project

MISP Objects

MISP Galaxy

  • New Sigma galaxy including all Sigma rules and their ATT&CK relationships - import script added
  • Many updates to the threat-actor and ransomware MISP galaxy
  • Improvements to the country galaxy

MISP taxonomies

  • Improvements to the aviation taxonomy

MISP warning-lists

  • New generator added for the Cached Chrome Top Million Websites
  • Improved generator for gzip files source
  • VPN list generator fixed


v2.4.167

1 year ago

We are pleased to announce the immediate availability of MISP v2.4.167 with new features and fixes, bugs fixed and a security fix.

New features

Timeline improvements for large events

The timeline is a convenient way to display the different attributes and objects over time. Events with a large set of attributes or objects (more than 500) cannot display a human-readable timeline. Nevertheless, there is still a lot of valuable information in such events, especially concerning the occurrences over time. A new feature has been added in 2.4.167 to display the overall occurrences over time and the overall sighting trend.

Taxonomy highlight

For MISP users and organisations, it's important to show the important contextualised information and especially the taxonomies which are important to your use-case. We introduced a new feature to highlight the important taxonomy in a MISP instance.

The site admin user can select the important taxonomies in the taxonomy list:

and then the taxonomy namespace will appear in a visible box:

Create objects from free-text import

The free-text import in MISP is very handy for analysts who want to enter new attributes quickly. This functionality was initially available for attributes only. In 2.4.167, MISP objects can be created directly from the free-text import too.

API

  • A new endpoint session kill-switch has been added for the support and integration with MeliCERTes project.

UI

  • Clarify the exclusivity issue in the UI when exclusive tags are used in the TLP namespace.
  • [dashboard] sort dashboard widgets.

Many UI improvements, and special thanks to Jakub Onderka for the attention to detail in the UI.

Security fix

An XSS vulnerability has been fixed in this release and is tracked under CVE-2022-47928. We recommend all users update to the latest version.

A huge thanks to all the contributors and supporters of the MISP project. This release wouldn't be possible without all the organisations and people supporting us to make MISP a reality.

For more details about changes in the MISP core software, see the changelog.

Other updates and changes

MISP Objects

  • New thaicert-group-cards, Palantir ADS and persnona.
  • Invalid UUID object templates fixed including mactim-timeline-analysis and fail2ban.

MISP Galaxy

  • New threat-actor such as TAG-53, Malteiro and others added.
  • RAT group updated.
  • Ransomware groups updated.

MISP taxonomies


v2.4.166

1 year ago


We are pleased to announce the immediate availability of MISP v2.4.166 with new features and fixes, including two critical security fixes.

TAXII 2.1 server push integration

With the collaboration of CISA and MITRE, we have included the first version of the TAXII integration in MISP, allowing administrators to configure their MISPs to push content to TAXII 2.1 servers. More information will be posted soon in a dedicated post. On the server side, the taxii2-client Python library must be installed. The conversion is performed by the wonderful and efficient misp-stix library.

Logging rework

The logging of MISP has been severely reworked by Jakub Onderka, including a separate Access log subsystem as well as multiple improvements and cleanups to the system at large.

Security fixes

Two critical vulnerabilities have been patched allowing for the tampering with data shared in the community via galaxy clusters and tags. It is HIGHLY recommended to update to 2.4.166 as soon as possible to avoid information tampering. We also encourage everyone to consider informing peered MISP instance owners to do the same. CVEs have been requested and are pending for both. Thanks to Jakub Onderka for discovering and fixing the vulnerabilities.

Allowing for working around the edge cases introduced by TLP v2.0

Even though TLP 2.0 has been supported by MISP for a while, in order to cope with both tools old and new as well as older information sources, we see the need to often attach both TLP:WHITE and TLP:CLEAR to data points. This has however been blocked by the taxonomy exclusivity rules - something that we've now added exceptions for.

Let's hope that we can avoid similar surprises in the future.

For more details about changes in the MISP core software, see the changelog.

Other updates and changes

MISP Objects

  • [passport object] Updated to include passport-creation field.

MISP Galaxy

  • MITRE ATT&CK updated and fixing the missing reference
  • Many improvements and fixes in all the meta fields
  • Tool galaxy updated
  • Ransomware groups updated

v2.4.165

1 year ago

We are pleased to announce the immediate availability of MISP v2.4.165 with many improvements to the workflow subsystem along with various performance improvements.

Improvements

  • [workflow] Module to toggle/remove the to_ids flag
  • [workflow] Added generic module to support attribute edition
  • [workflow] [triggers:event_after_save_new] Added 2 new triggers for new events and new events from pull.
  • [workflow:execute_module] Allow to ignore format conversion before executing module.
  • [workflows:triggers] Added filtering capability on the index
  • [CLI] Feed management added
  • [CLI] Pretty and JSON output added in list and view feeds
  • [Auth] OpenID connect improved
  • [freetext] Fetch security vendor domains from warninglist
  • [UI] Allow to disable PGP key fetching
  • [UI] Show a warning if the user doesn't have permission to use the API
  • [tool:eventgraph] Include relationships when using pivot key
  • [UI] Show servers where event will be pushed

Performance improvements

  • [feed] Store freetext feed compressed in cache
  • [internal] Store some data in Redis compressed to save memory
  • [correlation] Do not correlate over correlating value again for full correlation
  • [internal] Add support for simdjson extension
  • [warninglist] Load warninglist from Redis for TLDs and security vendors

Bugs fixed

  • [tags] not passing name, filter, search all together would lead to the search not working

Security issues

  • [security] Permission for tag collections
  • [security] Check user permission when attaching clusters

We strongly recommend MISP administrators to update to this latest version.

For a more detailed changelog, please see the online Changelog.

New workflow blueprints available

New workflow blueprints were added to support new use-cases.

New MISP modules

  • [expansion] Added extract_url_components module to create an object from a URL attribute.
  • [expansion] New crowdsec expansion module added.
  • [expansion] New VARIoT IoT exploits database expansion module added.
  • [expansion] Updates on hyasinsight expansion module.

MISP taxonomies

  • new misp-workflow taxonomy to have a consistent tag message for the MISP workflow.
  • Taxonomy in support of integrating MISP with Sentinel. Sentinel indicator threat types added.

For more details, the misp-taxonomies changelog is available.

MISP galaxy

  • Many updates to the threat actor database.
  • Update to the MITRE ATT&CK framework to version 12.0.

For more details, the misp-galaxy changelog is available.

MISP objects

  • New object to describe Telegram bots.
  • Updated exploit object.

For more details, the misp-object changelog is available.

Social network - Mastodon

The MISP project is now also reachable via Mastodon. Feel free to follow us at @[email protected]

v2.4.164

1 year ago

We are pleased to announce the immediate availability of MISP v2.4.164 with a new tag relationship feature, many improvements and a security fix.

New tag relationship feature

Relationships can now be added to any attribute tag or event tag. This works with both tags and galaxy clusters. The new feature is available in the event view.

The tag relationship feature is also exposed in the API under the endpoint /tags/modifyTagRelationship/[scope]/[id] where scope is the attribute/event and id is the id of the EventTag / AttributeTag object.

Improvements and bug fixes

  • [periodic_report] Added security recommendations section showing course of actions related to attack techniques.
  • [workflow] add support for local and relationship in workflow.
  • [API/galaxyCluster/restSearch] Allow multiple filtering conditions to be used at once.
  • [EventGraph] Added entity comment in the graph as tooltip and support of comment in searches.
  • [UI] Many improvements and optimisation.

CVE-2022-42724

This release fixes a security vulnerability (CVE-2022-42724) which allowed org admins to discover role names that should have been restricted to site admins.

We strongly recommend MISP administrators update to this latest version.

For a more detailed changelog, please see the online Changelog.

v2.4.163

1 year ago

We are pleased to announce the immediate availability of MISP v2.4.163 with an updated periodic notification system and many improvements.

Updated periodic notification system

  • A new option has been added to set the number of days for the trending calculation.
  • New correlations are now shown in the periodic notification.
  • Only the top 10 MITRE ATT&CK techniques are displayed and sorted by number of occurrences.
  • Layout has been improved in the UI and also in the static email rendering.
  • Only show data in the chart for tags having changes over time.

For more information, check out the Periodic summaries - Visualize summaries of MISP data blog.

Fixes

  • MISP OpenAPI description file has been improved.
  • [community] Clarification concerning the NATO process.
  • [ssdeep] Check if the ssdeep contains newline characters.
  • Many code clean-up and speed-up included.
  • Improvements and bugs fixed in the correlation engine.
  • Many bugs fixed.

Thanks to all the contributors and users reporting bugs to make the software better.

As always, a detailed and complete changelog is available with all the fixes, changes and improvements in MISP core.

misp-stix v.2.4.163

misp-stix has been released too and is now in line with the MISP release schedule. The full changelog is available.

Many improvements in the MISP galaxy, especially the threat-actor galaxy, with 360.net threat actors added. A detailed changelog is available.

New financial taxonomy and many other taxonomies. A detailed changelog is available.

Multiple objects were updated and added; see the changelog for more details.

Various fixes in misp-modules; see the changelog for more details.