
Releases: MISP/MISP

MISP 2.4.191 hotfix released with a quick fix to a bug introduced in 2.4.190

22 Apr 13:54
v2.4.191
8506291

We have released 2.4.191 in rapid succession after 2.4.190 to resolve an issue introduced to the event index filtering.

What’s Fixed in MISP v2.4.191?

  • Event index filtering: A new feature introducing ANDed tags on the event index has introduced a regression with the way we handle multiple tags in the filters. This issue is now resolved and the new feature has been postponed to 2.4.192 to ensure that it is up to snuff with the expectations.

  • Set OIDC issuer: It is now possible to set the issuer in the OIDC authentication subsystem.

For a complete list of updates, please refer to the changelog pages.

MISP 2.4.190 released with new feed improvement, workflows and a new benchmarking suite.

19 Apr 13:33
v2.4.190
471840c

We are excited to announce the release of MISP v2.4.190. This latest version introduces a slew of new features, improvements, and fixes designed to streamline operations and enhance security measures for our users.

What’s New in MISP v2.4.190?

Enhanced Tagging and Event Management

  • Advanced Tag Collection for Events: Users can now specify collections of tags to apply to events automatically when using the [feed:pullEvents] feature. This allows for more precise and organized tagging, leading to better event categorization and retrieval.

  • Conditional Execution Stopping in Workflows: The new [workflowModules:stop-execution] feature lets users provide a specific reason for stopping a workflow. This is crucial for auditing and maintaining records of why certain processes were halted.

Robust Data Handling and Performance

  • Unpublished Event Settings: The [feed] functionality now includes an option to keep all pulled events in an unpublished state, helping maintain privacy and control over event visibility until ready for disclosure.

  • Benchmarking Suite: A comprehensive new benchmarking suite has been added to continuously collect and analyze performance metrics such as memory usage and query counts for individual users, endpoints and user-agents. This data is crucial for optimising MISP's performance and reliability as well as identifying misbehaving tools/users/integrations.

Key Changes and Updates

  • Updated Components: Major components such as PyMISP, misp-galaxy, and various taxonomy lists have been updated to their latest versions to ensure users have access to the most current data and features.

  • Improved System Logging and Handling: Several changes have been made to improve how MISP logs and handles data. These include modifications to syslog outputs to avoid line breaks and ensure consistent field counts, enhancing the overall stability and readability of logs.

Fixes and Optimizations

  • Bug Fixes: This update addresses several bugs, including issues with tag collection permissions, HTML rendering in analyst data threads, and event report imports from URLs.

  • Performance Enhancements: Numerous tweaks have been made to reduce memory usage and improve performance across various functions, particularly those involving synchronization and event handling.

Other Noteworthy Changes

  • Accessibility Improvements: The update includes enhancements to the user interface's accessibility, such as enabling keyboard focus on certain elements to aid users who rely on keyboard navigation.

  • API Extensions: New OpenAPI functionalities have been exposed (they were present but not documented), such as allowing data encapsulation in requests and extending STIX export capabilities to attribute levels.

This version of MISP not only introduces new capabilities but also builds on the existing features to provide a more robust, efficient, and user-friendly platform for handling cybersecurity data and events. We encourage all users to upgrade to take full advantage of these improvements.

For a complete list of updates and detailed instructions on how to implement these new features, please visit our official MISP documentation and changelog pages.

MISP 2.4.189 released with bug fixes, performance improvements and a new blocklist feature

10 Apr 06:01
v2.4.189
5817075


New Features

Sighting blocklists

Sightings were something initially intended as a system of pinpointing the continued prevalence of indicators as seen by our communities, but as it happens with ever growing, interconnected communities, new use-cases do emerge. Some of those use-cases involve the collection of "bulk sightings" - for example by directly using a SIEM or IDS to feed your sighting collection.

Whilst this has many potential applications, especially for internal use-cases, it can easily get out of hand when such massive data amounts are shared across larger communities, easily going into the billions of sightings rather rapidly.

We have therefore introduced a new blocklist system that allows MISP administrators to filter out organisations with such use cases from their sighting sync use-cases. Make sure to use the new subsystem if you feel overwhelmed by such sighting strategies.

When synchronising with peers running MISP 2.4.189+, the filtering already happens during the negotiation phase, drastically reducing the time it takes to synchronise instances.

This development is an outcome of the JTAN (Joint Threat Analysis Network) project hackathon and workshop organised in Luxembourg.

Analyst data relationship improvement

Analyst data is still a very fresh feature, allowing the community to further elaborate on, share their points of view on or to interlink the various data points in MISP. Especially the latter pillar of the new system had, as pointed out by some community members, a pretty massive flaw in the first implementation. Users could create and quantify relationships between data points, but the relationships would only be visible unidirectionally on the source object. This has now been resolved and data-points being referenced by others are now properly highlighted.

New attribute type, integer

In hindsight, this seems like a massive oversight, but better late than never: We now have an "integer" attribute type, something that we until recently used the "count" type for, though it always felt like ramming a round peg through a square hole. If you are using your own object templates, make sure you revise them for the next iteration - whilst "count" is often the right choice, a generic integer may be more accurate in some of those cases.

Performance improvements

This is yet another rapid release for a set of planned performance improvements; expect more frequent releases in the next few weeks as we resolve bottlenecks.

A long list of bug fixes

Please refer to the full changelog for a full list of fixes and improvements. Many thanks to all the diligent contributors that ensure that MISP keeps improving rapidly!

MISP 2.4.188 with major performance improvements and many bugs fixed.

24 Mar 15:01
v2.4.188
8ac96cc


New Features

  • Datasource Improvements:
    • Updates to some datasources with the ignoreIndexHint parameter (mysqlExtended, mysqlObserverExtended).
    • Fix for forceIndexHint.
  • Settings:
    • Added setting to temporarily disable the loading of sightings via the API (affects restsearch and /events/view endpoints). This helps with performance issues caused by large sighting data sets.

Changes

  • PyMISP:
    • Multiple version bumps.
  • Version and Internal Updates:
    • General version bump.
    • Improved error handling and marking BadRequestException as fail log in CI.
    • Attempt to fix a failing test.
    • Updated misp-galaxy, misp-object, and warning-lists.
  • Attribute Search Rework:
    • Significant performance improvement when using MysqlExtended or MysqlObserverExtended data sources.
    • Event level lookup moved to subqueries for faster queries.
    • Ignoring the deleted index to improve speed.
  • OpenAPI Updates:
    • Added content for analyst-data and event-reports.
  • Sighting Policy Support:
    • Added support of sighting policy in sightings:getLastSighting.
  • Attribute Search Performance:
    • Improved performance of includeDecayScore by a factor of 5.
  • Attribute Fetch Refactor:
    • Simplified conditions and optimizations.

Fixes

  • Attribute Search:
    • Enforced unpublishedprivate directive.
  • Internal Error Handling:
    • Error handling improvements in AttachmentScan.
  • CurlClient HEAD Request:
    • Added CURLOPT_NOBODY for HEAD requests.
  • CLI and ECS Updates:
    • Fix for redisReady in dragonfly.
    • Change type from Exception to Throwable in ECS.
  • OIDC:
    • Default organization handling if not provided by OIDC.
  • Publishing and Sync Issues:
    • Fix for publishing and sync errors.
  • Performance Improvements:
    • Bulk loading of analyst data to speed up event loading.
  • UI Update:
    • Added MISP.email_reply_to to server config.

Other

  • Multiple merges of branches and updates.
  • Fixes and changes in misp-stix, attachment scan error handling, OIDC default org handling, alert email titles, shadow attribute handling, and community additions (ICS-CSIRT.io).

Community and Contribution Updates

  • Additions and changes to the community, including the introduction of the ICS-CSIRT.io community.

MISP Professional Services

MISP Professional Services (MPS) is a program handled by the lead developers of MISP Project, in order to offer highly skilled services around MISP and to support the sustainability of the MISP project. This initiative is meant to address the policy requirements of companies/organisations requiring commercial support contracts. Don't hesitate to get in touch with us if you need specific services.

MISP 2.4.187 with security fixes, new features and various fixes.

24 Mar 14:56
v2.4.187
661b238

MISP 2.4.187 with security fixes, new features and bug fixes.

New Features

  • CLI Enhancements:
    • Added org list to shell commands.
    • New command to change user role.
    • Fixes to role management.
  • OIDC Update:
    • New option OidcAuth.update_user_role to disable role changes from OIDC.

Changes

  • Version and Software Updates:
    • Version bump.
    • Updates to PyMISP, misp-galaxy, misp-warninglists, misp-objects, and taxonomies.
  • Internal Updates:
    • Added ext-zstd to suggested PHP extensions.
    • Fixed non-focusable relationship dropdown search field in analyst data.

Fixes

  • General Fixes:
    • Corrected variable unset in events:restsearch to prevent attribute override.
    • Ensured sync pulls continue after an event save failure.
    • Database update fixes for older MySQL versions.
    • Improved API consistency.
    • Fixed pulling from remote servers when analyst data is not supported.
    • Logging fix for removeTagFromObject().
    • Security improvements for file and logo uploads. (Thanks to Rémi Matasse and Raphael Lob from Synacktiv for the report)
      • CVE-2024-29859 < MISP 2.4.187 - add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.
      • CVE-2024-29858 < MISP 2.4.187 - __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.
    • Correct message display when disabling a galaxy.
  • CLI Updates:
    • Added new functionalities including listing roles and creating users.


MISP 2.4.186 released with analyst data feature including analyst notes, opinions and relationships.

06 Mar 13:30
v2.4.186
708d181

Overview of the analyst data feature in MISP

We are pleased to announce the immediate release of MISP 2.4.186, which includes two major new features called "Analyst Data" and "Collections" along with an extension to the MISP standard format.

Analyst Data Feature

The Analyst Data 🧑‍🔬 feature is an extended and shareable set of capabilities that allows analysts to share and add their own analysis to any MISP event.

The Analyst Data feature comprises three main new features:

  • Adding an Analyst Note to any element in MISP, such as Event, Event Report, Object, Attribute, or Galaxy Cluster.
  • Adding an Analyst Opinion with a rating (between 0 and 100) to any element in MISP, such as Event, Event Report, Object, Attribute, Galaxy Cluster, or Analyst Note.
  • Adding an Analyst Relationship from/to any element in MISP with a specified relationship type.

This enhancement provides highly flexible capabilities for analysts to describe information about specific details. Analyst Data, similarly to Events and Galaxy clusters, are first class citizens, respecting ownership and distribution mechanisms as well as being synchronisable between MISP instances.

For a quick overview, the below screencast can give you an idea of the analyst data feature in action:

Collections Feature

The new collection feature allows users to create collections for organising data shared by the community. These collections can be categorised based on commonalities or as part of the research process. Collections are treated as first-class citizens and adhere to the same sharing rules as, for example, events do. You can create your own collection and share it with your partners on the same MISP instance.

Other fixes

Detailed changes are available in the Changelog.

Don't forget to follow us on Mastodon

The MISP project has its own Mastodon server misp-community.org - don't forget to follow @misp@misp-community.org on the fediverse. Core contributors of MISP can sign-up if they wish to have an account.

MISP Galaxy

Major improvements were made to the MISP galaxy, including major updates to the threat-actor knowledge base and the surveillance vendors. Additional updates were made to add the relationships to the MISP galaxy public website.


MISP 2.4.185 released with sighting performance improvements, security and bug fixes.

20 Feb 09:35
v2.4.185
b2cb4fa

We are happy to announce the immediate availability of MISP 2.4.185. This is mainly a bug fix release resolving several issues as well as tightening the security posture of the org image handling.

Security fixes

We have moved the organisation images out of the webroot to prevent a rogue administrator from uploading a crafted, malicious organisation image and unsuspecting users from being redirected to a malicious direct link to the image. Whilst this vulnerability is highly unlikely to be exploited, requiring a compromised/rogue site administrator as a premise, the issue is valid and has been fixed.

Thanks to Yusuke Nakajima and Andrei Agape of Teliacompany, who both delivered reports of this issue.

Bugfixes

Various fixes affecting the API, proxy settings and sighting synchronisation. The synchronisation bug in particular could easily bring large, sighting-rich instances (such as our own) to their knees when a remote instance tried to synchronise via a pull.

We would like to thank our active community once again for supplying fixes, bug reports, vulnerability reports and suggestions for the continuous improvement of MISP. The tool definitely wouldn't be what it is today without all your help!

Detailed changes are available in the Changelog.


MISP Galaxy


Major improvements were made to the MISP galaxy, including major updates to the threat-actor knowledge base and the surveillance vendors. Additional updates were made to add the relationships to the MISP galaxy public website.


MISP 2.4.184 released with performance improvements, security and bug fixes.

06 Feb 12:56
v2.4.184
fd9c49d


Improvements

  • Speed up improvements in ssdeep correlation and many other parts of MISP. Thanks to Jakub Onderka for the work on this.
  • [objects] restsearch first/last seen filters added.
  • [event:publication] Added new setting to block event publication if the publishing user is the creator.
  • [events:export] Make setting MISP.disable_cached_exports enabled by default. Since /events/export has been marked deprecated for years, we are starting the process of phasing it out by first disabling the endpoint by default. The MISP ReST search API is the API to use in the future if you still have very old scripts relying on export. We recommend that you start making plans to rework those scripts.
  • [organisation:orgMerge] Added missing models for organisation handover

Security fixes

A series of security fixes were made in this release. The vulnerabilities are accessible to authenticated users, especially those with specific privileges such as Org admin. We urge users to update to this version, especially if you have different organisations with access to your instances.

  • [security] Improved security checks for organisation logo upload. (low)
  • [security] New auditlogs's fullChange lack of ACL controls. (medium)
  • [security] Enforce usage of POST to start an export generation process. (low)

CVE assignments are pending and will be published on the security page.

Bugs fixed

  • [GalaxyClusters] fix tag_name restsearch filter (#9512).
  • Various UI fixes.

Many bugs fixed and minor improvements. Feel free to read the detailed changelog.

PyMISP

Many improvements in PyMISP, including faster JSON parsing with orjson. Feel free to read the detailed changelog.

MISP project knowledge bases

MISP Objects

  • [artifact] Changed the payload_bin attribute to attachment type.
  • [flowintel-task] add case-uuid.
  • [process] Environment variables attribute.

MISP Galaxy

A new dedicated website has been developed to easily reference galaxy outside MISP.

MISP warning-lists

Warning-lists updated to the latest version from the different sources.


MISP 2.4.183 released with new ECS log feature, improvements and bugs fixed

09 Jan 17:33
v2.4.183
532e5ab


MISP 2.4.183 released with a new ECS log feature, improvements and bugs fixed.

  • MISP now supports Elastic Common Schema (ECS) security logging. A new option, Security.ecs_log, has been added to enable this new functionality. A new Security.alert_on_suspicious_logins option has also been added to the security audit.
  • The sync configuration in MISP now supports sharing group blueprints for a simple creation of filter rules based on dynamically updated organisation lists.
  • Major improvements to STIX import handling and especially the misp-stix library, such as parsing PE binary extensions within File observable objects, and many more improvements/fixes.
  • API add tag functions updated to also work with uuids, rather than just local IDs.
  • [event:view] Added option to mass local cluster tag.

Many bugs fixed and minor improvements. Feel free to read the detailed changelog.

MISP project knowledge bases

MISP Objects

MISP Galaxy

A new dedicated website has been developed to easily reference galaxy outside MISP.

MISP warning-lists

Warning-lists updated to the latest version from the different sources.


MISP 2.4.182 released with new features, improvements and bugs fixed

22 Dec 14:47
v2.4.182
8cb184a

MISP 2.4.182 released with new features, improvements, bugs fixed and an important security fix.

MISP Core

New Features

  • [event:view] Added new option show_server_correlations_for_all_users
    allowing non-privileged users to view server correlations. [Sami
    Mokaddem]

Changes

  • [Version] bump. [iglocska]

  • [misp-objects] updated to the latest version. [Alexandre Dulaunoy]

  • [misp-stix] Bumped latest version. [Christian Studer]

  • [warning-lists] updated to the latest version. [Alexandre Dulaunoy]

  • [misp-galaxy] updated to the latest version. [Alexandre Dulaunoy]

  • [Geo-Open] updated to the latest version. [Alexandre Dulaunoy]

  • [PyMISP] Bump. [Raphaël Vinot]

  • [CLI] runUpdates updated to purge any pending db lock first.
    [iglocska]

  • [event reports] content field size changed to mediumtext. [Andras
    Iklody]

  • [logging] fail silently if logging entry can't be saved. [iglocska]

    • can happen when the log change is too large for example
    • no need to roll back / break sync for example if a log entry is too large, just fail silently.
  • [events:event-graph] Allow expansion of nodes by double-clicking.
    [Sami Mokaddem]

    In response to significant demand from Terrtia and subsequent evaluation by adulau

  • [feed:attachFeedCorrelations] Added comment. [Sami Mokaddem]

  • [event:view] Show feed meta-information as popup. [Sami Mokaddem]

  • [misp-stix] Bump. [Jakub Onderka]

Fix

  • [db_schema] dump. [iglocska]

  • [correlation] exclusion cleaning was broken for noacl correlations,
    fixes #8899. [iglocska]

  • [eventReport:editReport] Generate an UUID if new report added from
    pull. [Sami Mokaddem]

  • [workflows:editor] Prepend baseurl to url. [Lukasz Rzasik]

  • [TOTP] allow deletion of TOTP from edit page. [Christophe Vandeplas]

  • [security] new audit logs lack of ACL controls. [iglocska]

    • added proper ACL handling to the new audit logs
    • as reported by fukusuket(Fukusuke Takahashi)
    • Assigned CVE-2023-50918 for this vulnerability. The new audit log is not enabled by default.
  • [case sensitivity] fix. [iglocska]

  • [login_history] fixes str_contains #9433. [Christophe Vandeplas]

  • [password reset] required current password for token based reset.
    [iglocska]

  • [diag] diagnostics page loading issue. [Michael Hirt]

  • [openapi] add version to match spec. fixes #9058. [Luciano Righetti]

  • [caching] remove uuid validation from the feed caching. [iglocska]

    • not really needed and it breaks the entire caching if a single old event has an invalid uuid
  • [attribute bulk update] separate out tag deletion as it builds a
    ridiculously large query at times. [iglocska]


MISP project knowledge bases

MISP Objects

Improved shadowserver-malware-url-report and cs-beacon-config object template. Updates in the victim object template and report object template.

MISP Galaxy

Improved Sigma rules galaxy and threat-actors database, with many new threat-actors.

MISP warning-lists

Warning-lists updated to the latest version from the different sources.
