MISP (core software) - Open Source Threat Intelligence and Sharing Platform
We are pleased to announce the immediate availability of MISP v2.4.172 with new TOTP/HOTP authentication, many improvements and bugs fixed.
TOTP support is now included in MISP. This functionality works in two modes:
When logging in, the user can enter either the TOTP or the HOTP (one-time paper token). OTP attempts are also limited by the Bruteforce component, so multiple failed attempts will result in temporary blocking. HOTP is available for recovery and also for secure environments where mobile phones or electronic devices are forbidden.
Users can generate TOTP through their Profile page:
A QR code is generated and they need to fill in the code once to confirm all is well. They are then directed to the page containing their next 50 HOTP/paper tokens:
Their profile then shows they have a token; they can also check again what their paper tokens are. So does the admin page (the phone icon). (Org)admins can delete the secret of a user:
Once they have their TOTP secret, after the user/pass window they are prompted to enter the TOTP or the HOTP.
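The login behaviour described above (a TOTP or an unused paper token is accepted, and repeated failures lead to a temporary block), sketched in Python as an added example. It is not MISP's own code; the OtpVerifier class, the failure threshold, the block duration and the one-step drift window are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret, now, step=30):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // step)

class OtpVerifier:
    """Accepts a current TOTP or an unused paper (HOTP) token; limits failures."""

    def __init__(self, secret, paper_tokens=50, max_failures=5, block_seconds=300):
        self.secret = secret
        self.paper_tokens = paper_tokens    # 50 tokens on the printed sheet
        self.max_failures = max_failures    # assumed threshold
        self.block_seconds = block_seconds  # assumed block duration
        self.next_paper = 0                 # lowest paper counter still unused
        self.last_step = -1                 # last accepted TOTP time step
        self.failures = 0
        self.blocked_until = 0

    def verify(self, code, now):
        if now < self.blocked_until:
            return False                    # temporarily blocked, nothing is consumed
        step = int(now) // 30
        for s in (step - 1, step, step + 1):    # tolerate one step of clock drift
            if s > self.last_step and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s          # an accepted TOTP cannot be replayed
                self.failures = 0
                return True
        for c in range(self.next_paper, self.paper_tokens):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_paper = c + 1     # burn this token and all earlier ones
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.blocked_until = now + self.block_seconds
            self.failures = 0
        return False
```

Burning every paper token up to the one used keeps a lost or copied sheet from being replayed from the top, and a blocked attempt returns before any counter changes, so a lockout never consumes a valid token.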
Logging is also generated:
The MISP.totp_required security setting allows enforcing TOTP for the whole MISP instance.
In this case users are invited to store their TOTP at next login. They cannot access any other page until they have validated the TOTP. The server-wide parameter has a beforeHook to ensure the required PHP libraries are installed, as otherwise the admin might lock themselves out.
Requires 2 additional PHP libraries to be installed through composer:
TAXII integration is still in its infancy in MISP, but with the current release we aim to make the process of interacting with a TAXII server more in-depth. Prior to the current release, you could add a TAXII server connection pointing to a collection and initiate a filtered push of your MISP data. However, there was no way to view the contents of the collection or to see your data reflected after a push.
The current release aims to complete the work on the initial TAXII push functionalities, with a TAXII browser built into the tool along with various fixes to bugs and issues that were reported to the prior implementation.
Simply add a TAXII server via the TAXII connections interface (sync actions -> List TAXII servers)
Make sure that you configure the filters used to decide which of your events should be pushed to the given server. Creating a local tag such as "taxii_push" allows you to manually control and label events to be pushed as in the example above.
Once the basic server information has been encoded, use the wrench button on top of the API root field to populate the dropdown with the valid options found on the TAXII server and once you've selected a root, click the wrench on top of the collection field to populate it and select the target collection for the connection.
Once a connection is established, you can view the connection object and list its collections and the objects in the configured collection on the taxii_servers/view/[id] endpoint, as follows:
You can view individual collections and browse their contents, paginating through all STIX objects (the default collection is shown at the bottom of the page). By clicking view on a STIX object, you can view the STIX 2.1 JSON object in full:
Simply use the push button on the TAXII server index to initiate a push to the selected collection with the pre-defined filters.
For more details, the misp-object changelog is available.
For more details, the misp-galaxy changelog is available.
For more details, the misp-warninglists changelog is available.
For more details, the misp-taxonomies changelog is available.
The MISP project has its own Mastodon server misp-community.org - don't forget to follow @[email protected] on the fediverse. Core contributors of MISP can sign up if they wish to have an account.
MISP Professional Services (MPS) is a program handled by the lead developers of MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.
We are pleased to announce the immediate availability of MISP v2.4.171 with a long list of fixes, major STIX 2 improvements and an overhaul of the dashboard widget toolkit.
In order to support communities' need to monitor ongoing trends, community growth and sharing activities in general, we've added and reworked a host of dashboard widgets.
A large focus of the improvements was making the widgets more configurable, especially in terms of being able to create dashboards showing individual data per groups of organisations. Groupings happen on the metadata of organisations, such as country, sector or the adaptable "type" field, allowing administrators to lump organisations into buckets based on commonalities in their community, such as membership status, sub-groups, etc.
Additionally, time range definitions have been added for a host of the new and reworked widgets, making it possible to see changes in the current month, the past x days or the current year.
New widgets include:
For a detailed list of changes affecting the MISP core in this release, head over to the changelog.
For more details, the misp-object changelog is available.
For more details, the misp-galaxy changelog is available.
For more details, the misp-warninglists changelog is available.
For more details, the misp-taxonomies changelog is available.
We are pleased to announce the immediate availability of MISP v2.4.170 with new features, workflow improvements and bugs fixed.
It includes a release of misp-stix with many improvements, the core Python library for importing and exporting STIX (1, 2.0 and 2.1).
if logic module.
breakOnDuplicate named parameter on /attributes/add endpoint, default value is true which keeps the current behavior of throwing an error when the user tries to add a duplicate attribute to an event. When set to false the endpoint will work as an upsert, updating the attribute's timestamp and any other properties provided in the payload; no error logs will be written.
A huge thanks to all the contributors and supporters of the MISP project. This release wouldn't be possible without the help of all the organisations and people supporting us to make MISP a reality.
Go to the detailed changelog for more details about the changes to the MISP core software.
rewrite added.
For more details, the misp-object changelog is available.
For more details, the misp-galaxy changelog is available.
For more details, the misp-warninglists changelog is available.
We are pleased to announce the immediate availability of MISP v2.4.169 with various improvements and bug fixes.
It includes a release of misp-stix with many improvements, the core Python library for importing and exporting STIX (1, 2.0 and 2.1).
A huge thanks to all the contributors and supporters of the MISP project. This release wouldn't be possible without the help of all the organisations and people supporting us to make MISP a reality.
Go to the detailed changelog for more details about the changes to the MISP core software.
ransomware-group-post has been created to support ransomlook.io.
victim object.
transport-ticket has been created to share information about transports in MISP.
network-connection, network-socket.
registry-key-value
For more details, the misp-object changelog is available.
first-dns matrix describing DNS abuse techniques has been added.
threat-actors, sigma, stealer, tools, region, 360net, MITRE ATT&CK.
For more details, the misp-galaxy changelog is available.
captive-portals warning list added.
parking page warning list added.
For more details, the misp-warninglists changelog is available.
We are pleased to announce the immediate availability of MISP v2.4.168 with bugs fixed and various security fixes.
It includes a rather substantial release of misp-stix, the core Python library for importing and exporting STIX (1, 2.0 and 2.1).
Thanks to the reporter Cyber Controls from SIX Group and Dawid Czarnecki of Zigrin Security.
A huge thanks to all the contributors and supporters of the MISP project. This release wouldn't be possible without the help of all the organisations and people supporting us to make MISP a reality.
Go to the detailed changelog for more details about the changes to the MISP core software.
We are pleased to announce the immediate availability of MISP v2.4.167 with new features and fixes, bugs fixed and a security fix.
The timeline is a convenient way to display the different attributes and objects over time. Events with a large set of attributes or objects (more than 500) cannot display a human-readable timeline. Nevertheless, there is still a lot of valuable information in such events, especially concerning the occurrences over time. A new feature has been added in 2.4.167 to display the overall occurrences over time and the overall sighting trend.
For MISP users and organisations, it's important to show the important contextualised information and especially the taxonomies which are important to your use-case. We introduced a new feature to highlight the important taxonomy in a MISP instance.
The site admin user can select the important taxonomies in the taxonomy list:
and then the taxonomy namespace will appear in a visible box:
The free-text import in MISP is very handy for analysts who want to quickly enter new attributes. This functionality was initially used for attributes only. In 2.4.167, MISP objects can be created from the free-text import directly too.
Many UI improvements, and special thanks to Jakub Onderka for the attention to detail in the UI.
An XSS vulnerability has been fixed in this release and is tracked under CVE-2022-47928. We recommend that all users update to the latest version.
A huge thanks to all the contributors and supporters of the MISP project. This release wouldn't be possible without all the organisations and people supporting us to make MISP a reality.
For more details about changes in the MISP core software.
We are pleased to announce the immediate availability of MISP v2.4.166 with new features and fixes, including two critical security fixes.
With the collaboration of CISA and MITRE, we have included the first version of the TAXII integration in MISP, allowing administrators to configure their MISPs to push content to TAXII 2.1 servers. For more information, a new dedicated will be posted soon. On the server side, the taxii2-client Python library must be installed. The conversion is performed by the wonderful and efficient misp-stix library.
The logging of MISP has been severely reworked by Jakub Onderka, including a separate Access log subsystem as well as multiple improvements and cleanups to the system at large.
Two critical vulnerabilities have been patched allowing for the tampering with data shared in the community via galaxy clusters and tags. It is HIGHLY recommended to update to 2.4.166 as soon as possible to avoid information tampering. We also encourage everyone to consider informing peered MISP instance owners to do the same. CVEs have been requested and are pending for both. Thanks to Jakub Onderka for discovering and fixing the vulnerabilities.
Even though TLP 2.0 has been supported by MISP for a while, in order to cope with both tools old and new as well as older information sources, we see the need to often attach both TLP:WHITE and TLP:CLEAR to data points. This has however been blocked by the taxonomy exclusivity rules - something that we've now added exceptions for.
Let's hope that we can avoid similar surprises in the future.
For more details about changes in the MISP core software.
We are pleased to announce the immediate availability of MISP v2.4.165 with many improvements to the workflow subsystem along with various performance improvements.
We strongly recommend MISP administrators to update to this latest version.
For a more detailed changelog, please see the online Changelog.
New workflow blueprints were added to support new use-cases.
tlp:clear on tlp:white - Attach the tlp:clear tag on elements having the tlp:white tag.
PAP:RED and tlp:red Blocking - Block actions if any attributes have the PAP:RED or tlp:red tag.
to_ids flag if the indicator appears in known file list - Disable to_ids flag for existing hash in hashlookup.
For more details.
For more details.
For more details.
MISP project is also now reachable via Mastodon. Feel free to follow us at @[email protected]
We are pleased to announce the immediate availability of MISP v2.4.164 with a new tag relationship feature, many improvements and a security fix.
Relationships can now be added to any attribute tag or event tag. This works with tags and galaxy clusters. The new feature is available in event view.
The tag relationship feature is also exposed in the API under the endpoint /tags/modifyTagRelationship/[scope]/[id] where scope is the attribute/event and id is the id of the EventTag / AttributeTag object.
local and relationship in workflow.
This release fixes a security vulnerability (CVE-2022-42724) which allows an org admin to discover role names which should have been restricted to site admins.
We strongly recommend MISP administrators to update to this latest version.
For a more detailed changelog, please see the online Changelog.
We are pleased to announce the immediate availability of MISP v2.4.163 with an updated periodic notification system and many improvements.
For more information, check out the Periodic summaries - Visualize summaries of MISP data blog.
Thanks to all the contributors and users reporting bugs to make the software better.
As always, a detailed and complete changelog is available with all the fixes, changes and improvements in MISP core.
misp-stix has been released too and now in-line with the MISP release schedule. The full changelog is available.
Many improvements in the MISP galaxy and especially the threat-actor galaxy, 360.net Threat Actors added. There is a detailed changelog.
New financial taxonomy and many other taxonomies. There is a detailed changelog.
Multiple objects were updated and added, for more details.
Various fixes in misp-modules for more details.