Releases: MISP/MISP

MISP 2.5.1 released

18 Oct 13:59
v2.5.1
5c4e205

We are pleased to announce the availability of both MISP 2.5.1 for those that have already transitioned to the PHP 8 release of MISP as well as 2.4.199 for those still on 2.4.

As a reminder, we will be supporting both branches for 6 months after the release of 2.5, but with that said we encourage everyone to use the opportunity to update their software stack with 2.5 ASAP. If your distro is not supported, don't forget that thanks to the diligent work of @ostefano, you can get your instance spun up in a matter of minutes using misp-docker, no matter which (modern) distro you are on.

Long list of bug fixes

This is the first post 2.5 release, introducing the first set of fixes for the issues reported since the release. We highly encourage everyone to update asap to avoid some of the issues identified. We still have multiple fixes on our radar, so sit tight for upcoming releases coming to a server near you soon.

Various workflow improvements

New triggers (for the event report and proposal saving), improvements to the editor as well as individual modules. @mokaddem may be forgetful when it comes to checking his passport expiration, but he sure doesn't forget about his users!

Long list of improvements and making use of the new toys we have access to with PHP 8.x

@JakubOnderka is at it again: fixes, improvements, performance tuning as well as a bunch of compatibility code for those still stuck on MISP 2.4. Thanks for all the awesome effort!

Kunai export

We have added the first version of the Kunai export, available via restSearch as a new format as of now. Whilst these are still early days for the integration itself (expect more to come!), we can't recommend Kunai enough. Head over to the Kunai website to find out how you can step up your Linux monitoring game the OSS way!

Various other new features and improvements

  • @chrisr3d has been continuously improving the STIX2 integration of MISP, squashing more edge cases with this release
  • A new version comparison tool, warning users of new major MISP releases as well as correctly indicating that they're up to date on their given branch
  • Various fixes, many thanks to @goodlandsecurity, @JSCU-CNI, @cudeso for the PRs and to everyone else diligently reporting issues to us!

MISP 2.4.199 released

18 Oct 14:03
v2.4.199
d0ddac3

We are pleased to announce the availability of both MISP 2.5.1 for those that have already transitioned to the PHP 8 release of MISP as well as 2.4.199 for those still on 2.4.

As a reminder, we will be supporting both branches for 6 months after the release of 2.5, but with that said we encourage everyone to use the opportunity to update their software stack with 2.5 ASAP. If your distro is not supported, don't forget that thanks to the diligent work of @ostefano, you can get your instance spun up in a matter of minutes using misp-docker, no matter which (modern) distro you are on.

Long list of bug fixes

Whilst we are still hammering out some of the kinks of 2.5, we are also making sure to backport the fixes and improvements to 2.4.x directly, so this release is mostly to reach feature parity with 2.5.1. As such there's a long list of fixes for issues that affected both branches equally.

Various workflow improvements

New triggers (for the event report and proposal saving), improvements to the editor as well as individual modules. @mokaddem may be forgetful when it comes to checking his passport expiration, but he sure doesn't forget about his users!

Polyfill for various PHP 8.x functionalities

@JakubOnderka is at it again: fixes, improvements, performance tuning as well as a bunch of compatibility code for those still stuck on MISP 2.4. Thanks for all the awesome effort!

Kunai export

We have added the first version of the Kunai export, available via restSearch as a new format as of now. Whilst these are still early days for the integration itself (expect more to come!), we can't recommend Kunai enough. Head over to the Kunai website to find out how you can step up your Linux monitoring game the OSS way!

Various other new features and improvements

  • @chrisr3d has been continuously improving the STIX2 integration of MISP, squashing more edge cases with this release
  • A new version comparison tool, warning users of new major MISP releases as well as correctly indicating that they're up to date on their given branch
  • Various fixes, many thanks to @goodlandsecurity, @JSCU-CNI, @cudeso for the PRs and to everyone else diligently reporting issues to us!

MISP 2.5.0 released with PHP8.x support

04 Oct 13:06
v2.5.0
0aab6c7

MISP 2.5.0 release

Long overdue, but finally here, we are happy to announce the immediate availability of MISP 2.5. This release is unusual enough for it to warrant the first minor version bump in 9 years and serves as the first major change of requirements, modernising the environment that MISP runs in.

What is new?

PHP and framework versions

MISP 2.5.0 relies on a forked version of CakePHP, based on the fork by kamilwylegala. This allowed us to bring PHP 8.1+ support to MISP along with some other modifications.

Supervisor is now the default worker engine

Whilst CakeResque's fork has received the required php8 love to make it work in MISP 2.5, we much prefer @righel's Supervisor based implementation and are now defaulting to it for new installations and instances upgraded via the upgrade script. This is more reliable, robust and lightweight than the previous implementation, not to mention that it no longer relies on ancient libraries. The only feature you lose when switching to the newer engine is scheduled tasks, which we have advised against using for over 5 years now. They will also be sunset for good in MISP 3.x, so use this opportunity to make the leap ahead of time.

Internal reworking of MISP along with changes of some dependencies

We have left behind some dependencies for more modern, PHP8.x compatible alternatives, or in some cases forked unmaintained dependencies and brought them up to snuff.

Brand new installation script

We have a new installation script that installs the MISP core with some sane defaults along with its new set of requirements. Make sure you head over to the Ubuntu installation script if you are considering a new native installation or to the Ubuntu upgrade script for existing Ubuntu installations. For the latter make sure that you follow the instructions and first upgrade your Ubuntu installation to 24.04 before executing the script.

We will be rolling out installation scripts for alternate distributions, though keep in mind when deciding what to use in the future, our main target is Ubuntu, so it will always have priority for us. If you insist on using for example RHEL, we ask you to sit tight and rely on 2.4 until installation guides are ready to go. 2.4 remains fully compatible with 2.5 in terms of synchronisation and usage for now.

Upgrading MISP 2.4

As mentioned above, the UPGRADE script will take care of the upgrade for supported distributions. Even for unsupported ones it's relatively straightforward to adapt the install script: simply rework the package installation script to match your flavour's installer, along with the list of package names used for the PHP dependencies on your flavour. With that said, the upgrade process IS manual and using the built-in update function in MISP (via the UI or API) will not trigger the minor version upgrade.

Docker installation

If you would like to run MISP in a dockerised environment instead, fear not, @ostefano has got you covered. MISP-docker is ready to install or upgrade your prior installation to MISP 2.5.

What will happen to 2.4?

We are committed to making sure that users can reliably take their time with upgrading to 2.5. We will be maintaining the 2.4 branch with new features, fixes and improvements for the next 6 months, whilst also ensuring that the synchronisation remains compatible between 2.4 and 2.5. There might be some edge cases for features that rely on PHP 8.x features that will not get backported to 2.4, but we do not expect this to be common nor something that we plan to do for essential features.

With that said, we highly encourage everyone to upgrade to MISP 2.5 ASAP to benefit from a non EOL version of PHP.

Github repo / development changes

We have reshuffled the branches a fair bit in anticipation of this release, so the main branches to monitor for developers are:

2.5 (new default branch)
develop (the develop branch, to be merged into 2.5 for each release)
2.4 (the legacy branch maintained over the next 6 months)
2.4-develop (the develop branch to be merged into both 2.4 and 2.5-develop regularly)
3.x (the development branch for the next generation MISP rework)

Get involved

We are looking forward to bug reports and feedback on 2.5 along with pull requests, new features and the usual torrent of github issues. If you want to get involved in the development, don't hesitate to reach out via our chat channels.

MISP 2.4.198 released with bug and security fixes.

16 Sep 08:09
v2.4.198
7749e8f

MISP v2.4.198 (2024-09-13)

Based on a set of fixes including a security fix, we are pleased to announce the immediate availability of MISP 2.4.198. You can find a list of the detailed changes along with new features further below. As with any security release, we highly encourage everyone to update their instance as soon as possible.

New

  • [attribute type] dom-hash is a structural fingerprint of HTML's Document Object Model. [Alexandre Dulaunoy]

    dom-hash is a structural fingerprint of the HTML's Document Object Model (DOM) originally developed by CERT.PL.

    The fingerprint is calculated by extracting all the tag names (ignoring the content itself as well as attributes of the HTML Page). The tag names are concatenated with a pipe value |, hashed using the SHA-256 algorithm, and truncated to the first 32 characters.

    Software such as LookyLoo[1] has implemented the algorithm, which can be used in MISP to share and correlate information about similar web pages (e.g., phishing pages).

    [1] Lookyloo/lookyloo@466a3c5
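
The calculation described above, as an added Python sketch (not code from MISP, LookyLoo or CERT.PL). It assumes the standard-library `html.parser`, opening tags taken in document order, and truncation of the hex digest; a different HTML parser can yield a different tag sequence for malformed markup, so values may not match another implementation byte for byte. The three pages are constructed samples.

```python
import hashlib
from html.parser import HTMLParser


class _TagCollector(HTMLParser):
    """Collect element names in document order; text and attributes are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag names; attrs are deliberately ignored.
        # Self-closing tags (<br/>) also arrive here via handle_startendtag.
        self.tags.append(tag)


def dom_tag_sequence(html: str) -> list[str]:
    """Return the tag names of the document, in the order they open."""
    collector = _TagCollector()
    collector.feed(html)
    collector.close()
    return collector.tags


def dom_hash(html: str) -> str:
    """Pipe-join the tag names, SHA-256 them, keep the first 32 characters.

    Assumption: "first 32 characters" means the first 32 hex digits.
    """
    joined = "|".join(dom_tag_sequence(html))
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()[:32]


# Constructed samples: A and B share a DOM skeleton but differ in text,
# attributes and branding; C has an extra wrapper and logo.
PAGE_A = (
    '<html><head><title>Sign in</title></head><body>'
    '<form action="/login" method="post">'
    '<input type="text" name="user"><input type="password" name="pw">'
    '<button>Go</button></form></body></html>'
)
PAGE_B = (
    '<HTML><head><title>Webmail - verify account</title></head><body class="x">'
    '<form action="https://collector.example/p.php" method="post">'
    '<input type="email" name="e"><input type="password" name="p">'
    '<button id="s">Continue</button></form></body></HTML>'
)
PAGE_C = (
    '<html><head><title>Sign in</title></head><body>'
    '<div><img src="logo.png"><form action="/login" method="post">'
    '<input type="text" name="user"><input type="password" name="pw">'
    '<button>Go</button></form></div></body></html>'
)


def same_structure(html_a: str, html_b: str) -> bool:
    """True when two pages correlate on dom-hash."""
    return dom_hash(html_a) == dom_hash(html_b)


if __name__ == "__main__":
    for name, page in (("A", PAGE_A), ("B", PAGE_B), ("C", PAGE_C)):
        print(name, dom_hash(page), "|".join(dom_tag_sequence(page)))
    print("A~B:", same_structure(PAGE_A, PAGE_B))
    print("A~C:", same_structure(PAGE_A, PAGE_C))
```

Because only the tag skeleton is hashed, any structural change (an added wrapper element, for instance) produces an unrelated value, so the attribute correlates re-skinned copies of one template rather than loosely similar pages.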

Changes

  • [version] bump. [iglocska]
  • [PyMISP] Bump. [Raphaël Vinot]
  • [internal] Simplified cake.php and load dispatcher from absolute path. [Jakub Onderka]
  • [internal] Server sync debug message when pushing events. [Jakub Onderka]
  • [PyMISP] Updated to the latest version. [Alexandre Dulaunoy]
  • [ui] Better description for server settings. [Jakub Onderka]

Fixes

  • [event-report:edit] Take first Attribute value from an object if unable to get the priority value. [Sami Mokaddem]

  • [security] Ensure proper sanitization of sensitive fields in user-login-profiles. [Sami Mokaddem]

    Prevents other org-admins (from the same org) from viewing sensitive fields of other org-admins when they confirm their login session.

    • Reported by Sharad Kumar Dahal of Green Tick Nepal Pvt. Ltd
  • [users:view_login_history] Column not found error when not being a site-admin. [Sami Mokaddem]

    Ensured the user's Role is included in the result.

  • [users:index] Redact authkey visibility to other org-admins in the same organization. [Sami Mokaddem]

    • Since by design, org admins can already change the password of other org-admins (from the same org), this is considered a fix.
  • [security] ACL ignored on GUI attribute search. [iglocska]

    • Reported by KZ-CERT, the National CERT Team of Kazakhstan.
  • [attribute search] Fixes for invalid returns on deleted = [0,1], fixes #9866. [iglocska]

    • Object-level deleted field check blocked the inclusion of non-object attributes.
  • [feed] Old path replaced with official MISP website path. [Alexandre Dulaunoy]

  • [baseurl] Preference changed to MISP.baseurl, fixes #9895. [iglocska]

    • external_baseurl no longer used as a preferred source.
      • Now intended to be informational only for sharing groups.
  • [internal] Throw exception in GpgTool if GnuPG.homedir is empty. [Jakub Onderka]

  • [internal] Throw exception in EncryptedValue invalid state. [Jakub Onderka]

Other

  • Merged branch develop into 2.4. [iglocska]

  • Merged branch develop from github.com:MISP/MISP into develop. [iglocska]

  • Merged branch 2.4 into develop. [Alexandre Dulaunoy]

  • Merged branch fix/authkey-visibility into develop. [Sami Mokaddem]

  • Merged pull request #9903 from JakubOnderka/shell-dispatcher. [Jakub Onderka]

    • [internal] Simplified cake.php and loaded dispatcher from absolute path.
  • Merged branch 2.4 into develop. [iglocska]

  • Merged pull request #9685 from JakubOnderka/push-server-sync-debug. [Jakub Onderka]

    • [internal] Server sync debug message when pushing events.
  • Merged branch 2.4 into develop. [iglocska]

  • Merged pull request #9890 from JakubOnderka/log-unpublished. [Jakub Onderka]

    • [ui] Better description for server settings.
  • Merged pull request #9896 from JakubOnderka/encrypt-exception. [Jakub Onderka]

    • Encrypt exception fix.

MISP 2.4.197 released with many bugs fixed, a security fix and improvements.

02 Sep 14:47
v2.4.197
ba7e276

Release Notes - v2.4.197 (2024-09-02)

New Features

  • Config Option: Added a new configuration option user_org_uuid_in_response_header to include a response header with the requesting user's organization UUID. [Jeroen Pinoy]
  • Build: Display required STIX dependencies versions during the build process. [Jakub Onderka]
  • Bookmark now supports comment.

Changes

  • Version: Version bump. [iglocska]
  • Warning List: Updated the warning list. [Alexandre Dulaunoy]
  • Taxonomies: Updated to the latest version. [Alexandre Dulaunoy]
  • MISP Galaxy: Updated to the latest version. [Alexandre Dulaunoy]
  • PyMISP: Version bump. [Raphaël Vinot]
  • Internal Logging: Added logging when an event will not be published. [Jakub Onderka]
  • Global Menu - Bookmarks: Added comment field as the dropdown element's title in the global menu bookmark. [Sami Mokaddem]
  • Database Upgrade - Bookmarks: Upgraded the database to support bookmark comments. [Sami Mokaddem]
  • Bookmark View: Added a missing comma for the new comment function and added a field for comments in the bookmark view. [Jan Z.]
  • Bookmark Index: Added a field to display comments in the bookmarks index. [Jan Z.]
  • Bookmark Add/Edit: Added a field to add and edit comments for bookmarks. [Jan Z.]
  • MISP Object: Updated to the latest version. [Alexandre Dulaunoy]

Fixes

  • UI/Footer: Improved UI footer to avoid confusion for some users. [Alexandre Dulaunoy]
  • IOC Import: Added a check to ensure the provided XML is valid. [Jakub Onderka]
  • Schema: Updated schema version. [Jakub Onderka]
  • UI: Fixed tag popover to return already parsed data. [Jakub Onderka]
  • Bookmarks - Add: Lower-cased the comment field. [Sami Mokaddem]
  • Sightings: Correctly retrieve sightings per the requested event. [Tom King]
  • Bookmarks - Verbose Returns: Fixed an issue with overly verbose returns from bookmarks when shared with the organization. This fix was reported by Sharad Kumar Dahal of Green Tick Nepal Pvt. Ltd. [iglocska] This fixes a security issue recorded as CVE-2024-45509.
  • Feed: When pulling feeds, events are now checked against specified rules if any rules are provided. [Benni0]

Other

  • Merged pull requests addressing issues with unpublished events logging, tag popover parsing, sightings restSearch performance, and STIX dependencies version display. [Jakub Onderka, Andras Iklody, Andrew Hicks]
  • Fixed issues related to sightings restSearch negation of organization ID. [Andrew Hicks]

MISP 2.4.196 released with many bugs fixed and improvements.

21 Aug 13:22
v2.4.196
4e8690e

New Features

  • Decaying Model: Introduced a new DecayingModel that leverages true positive and false positive sightings for better decision-making. [Marcel Slotema]
  • Log Search Enhancement: Added an optional hh:mm:ss accuracy to log searches, allowing for more precise time-based queries. This update also includes significant refactoring to improve code quality. [iglocska]
  • User Log Review: Improved the functionality of the "review user logs" button. It now links directly to logs relevant to the specific user, considering the new audit log system. Future enhancements will include email-based log searches. [iglocska]

Changes

  • PyMISP Update: Updated PyMISP to the latest version. [Raphaël Vinot]
  • Decaying Model Formulas: Enhanced error handling by catching undefined indexes in decaying model formulas. [Sami Mokaddem]
  • Attributes Search: Added support for sorting by publish_timestamp and introduced the X-Skipped-Elements-Count header to improve pagination during REST searches. [Benni0]
  • Reverse Proxy Handling: Fixed issues with base URL handling for reverse proxies, eliminating problematic redirects. Special thanks to Mitch Germansky for the extensive debugging. [iglocska]
  • MISP Components Update: Updated MISP Object, Galaxy, and STIX components to their latest versions. [Alexandre Dulaunoy, Christian Studer]

Fixes

  • STIX 2 Import: Updated the STIX 2 parsers following recent changes in MISP-STIX. [Christian Studer]
  • Base URL Setting: Adjusted the priority order in beforeFilter to avoid redis errors during benchmarking. [iglocska]
  • Image Helper: Allowed for variable-width organization logos without overlapping text. [iglocska]
  • Workflow Module: Ensured correct type return if redis fails to load during workflow:getEnabledModules. [Sami Mokaddem]
  • Settings Management: Fixed multiple issues related to changing instance settings, including improvements to CLI checks. [iglocska]
  • Attribute Search Ordering: Reverted ID-based sliding window ordering due to performance concerns. [iglocska]

Other

  • Merged several development branches to integrate recent changes, updates, and fixes from various contributors. Notably, the branches related to attribute search order, skipped elements count, and environment dependencies were integrated into the main branch. [iglocska, Christian Studer, Sami Mokaddem, Alexandre Dulaunoy, Stefano Ortolani, Andras Iklody]

MISP 2.4.195 - hot summer olympic release

08 Aug 07:10
v2.4.195
c3221af

We are pleased to announce the immediate availability of MISP v2.4.195, a summer release aiming to introduce new features, fix a long list of reported bugs and deficiencies as well as give your servers a breather in the scorching summer heat by taking a load off your CPUs thanks to a set of impactful performance fixes.

Correlation rule system added

With the Olympics being in full swing, we too wanted to break our previous performance records and one of the biggest hurdles to overcome was the data-sets resulting from the ingestion of unerringly overlapping data-sources. Whether coming from daily internal digests from your own tooling or from feed providers, data from a single source could often end up being extremely noisy in terms of cross correlations. To combat this, we have added a new system that allows you to create correlation rules (better thought of as de-correlation rules) that instruct MISP to skip any correlations between groups of events.

How it works:

A site administrator can add a new de-correlation rule for example telling MISP to disqualify the creation of any correlations between individual events coming from the same organisation, such as a feed vendor or an internal organisation. Simply add a new rule, select the selector type (org_id, orgc_id, event_id, event_info) and add a list of values that shouldn't correlate.

For example, if you wanted to stop the creation of correlation between any event coming from the ACME organisation, simply look up their local user ID and pass it in a JSON list to the correlation rule, such as the example below:

selector_type: orgc_id

selector_list:

[
    15
]

If you wanted to create a list of non-correlating events (for example for events that come from freetext feeds, or from a script that ingests large amounts of data recurringly into the same event), use the following example:

selector_type: event_id

selector_list:

[
    1,
    2,
    6,
    7
]

The event_info selector is a bit special in that it also allows for sub-string matching, using the % syntax used across the application. A simple example for a daily feed being excluded this way would look as follows:

selector_type: event_info

selector_list:

[
    "%s] Daily scan results",
    "Weekly scan results week #%"
]

Any events that are picked up by the selector will be blocked from creating correlations between one another, but unlike the prior feature of disabling correlations for an event, this will not prevent said events from correlating with events not matching the selector. So if you do end up working on an incident that contains an indicator found in the daily scans in the example above, all the necessary correlations needed to point you towards the relevant scan results will be created.
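
The rule semantics described above, modelled as an added Python example (not MISP's own code): a pair of events is blocked from correlating only when one rule selects both of them. The rule values are the three examples from the text; the events, the case-insensitive `%` matching and the independent evaluation of each rule are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Event:
    id: int
    org_id: int
    orgc_id: int
    info: str


@dataclass(frozen=True)
class Rule:
    selector_type: str      # org_id, orgc_id, event_id or event_info
    selector_list: tuple


def _like(pattern: str, value: str) -> bool:
    """Match `value` against a pattern where % stands for any run of characters.

    Assumption: matching is case-insensitive and anchored at both ends.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def rule_selects(rule: Rule, event: Event) -> bool:
    """True when the event falls into the group described by the rule."""
    if rule.selector_type == "event_info":
        return any(_like(p, event.info) for p in rule.selector_list)
    field = {
        "org_id": event.org_id,
        "orgc_id": event.orgc_id,
        "event_id": event.id,
    }[rule.selector_type]
    return field in rule.selector_list


def correlation_blocked(rules, a: Event, b: Event) -> bool:
    """A pair is skipped only if a single rule selects BOTH events.

    Assumption: rules are evaluated independently, so two events picked up
    by two different rules still correlate with each other.
    """
    return any(rule_selects(r, a) and rule_selects(r, b) for r in rules)


def blocked_pairs(rules, events):
    """List the (id, id) pairs that would not be correlated."""
    return [(a.id, b.id) for a, b in combinations(events, 2)
            if correlation_blocked(rules, a, b)]


# The three selector examples from the text.
RULES = [
    Rule("orgc_id", (15,)),
    Rule("event_id", (1, 2, 6, 7)),
    Rule("event_info", ("%s] Daily scan results", "Weekly scan results week #%")),
]

# Constructed sample events.
FEED_1 = Event(1, 1, 4, "Freetext feed: blocklist")
FEED_6 = Event(6, 1, 4, "Freetext feed: blocklist (mirror)")
ACME_A = Event(10, 1, 15, "ACME report: loader campaign")
ACME_B = Event(11, 1, 15, "ACME report: stealer campaign")
DAILY = Event(20, 1, 1, "[12 hosts] Daily scan results")
WEEKLY = Event(21, 1, 1, "Weekly scan results week #32")
INCIDENT = Event(30, 1, 1, "Incident: credential phishing")
EVENTS = [FEED_1, FEED_6, ACME_A, ACME_B, DAILY, WEEKLY, INCIDENT]

if __name__ == "__main__":
    print("blocked pairs:", blocked_pairs(RULES, EVENTS))
    print("daily vs incident blocked:",
          correlation_blocked(RULES, DAILY, INCIDENT))
```

The incident event is never selected, so it keeps correlating with the scan-result, feed and ACME events; only pairs inside one rule's group are suppressed.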

OpenAPI spec updates

Thanks to Stefano Ortolani's (@ostefano) and Luciano Righetti's (@righel) relay race, digging into the OpenAPI spec, several issues and discrepancies have been resolved, further cementing the reliability of the spec as the de-facto tool for building integrations for MISP. Whilst we are firm believers of the implementation being law, it is absolutely crucial that the documentation reflects the reality of the internals and as such we encourage everyone to keep their eyes peeled for any errors in the spec and to let us know when there's some unsportsmanlike behaviour.

Performance improvements for the attribute restsearch

As the outcome of a several week long heroic debugging effort with Mitch Germansky (@github_germ), we have managed to get to the bottom of several serious bottlenecks when it comes to the attribute restSearch. This will especially be noticeable for queries that end up returning large data-sets and when paginating the data to be returned. By enabling MISP to internally cluster searches when pagination parameters are provided by the user and by improving the heuristics of such queries, as well as with the switch to a sorted, ID based internal pagination rather than relying on mysql offsets, the search API has truly pulled up its spinnaker.

We have also added a setting for a legacy restsearch behaviour that will use joins rather than sub-queries in the attribute restsearch. We have seen this cause a massive performance boost on older mysql versions, so it might be worth experimenting with for anyone running on older database software versions.

MISP 2.4.194 released with new functionalities and various bugs fixed

21 Jun 13:58
v2.4.194
a2b9a15

New Features

  • Bookmark Functionality:
    • Users can now create bookmarks.
    • Bookmarks can be shared with all users in the same organization.
  • Heartbeat Endpoint:
    • New /users/heartbeat endpoint.
    • Accessible without authentication; returns a 200 response to indicate the instance is operational.
    • Designed for quick checks to see if the instance is up and running.
  • Skip OTP Requirement:
    • New role permission to exclude certain roles from OTP requirements.
    • Useful for filtered, local service accounts.
  • Users API Update:
    • Added a new boolean field indicating whether TOTP is set up for the user.
    • Applicable to /users/view, /admin/users/view, /admin/users/index endpoints.

Changes

  • Various Version Bumps:
    • Updates for misp-stix, schema, PyMISP, warning-lists, misp-galaxy, and misp-objects.
  • Bookmark Improvements:
    • Added title documentation for the exposed_to_org field.
    • Enhanced quick search support for bookmarks.
  • ACL and Schema Updates:
    • Heartbeat added to the ACL component.
    • Updates to schema and mysql.sql.

Fixes

  • Default Roles and Permissions:
    • Added delegation permission for sync user and publisher roles.
    • Readded default roles.
    • Fixed issues with PyMISP tests, default roles, and various editor and ingestion bugs.
  • UI and Functional Fixes:
    • Corrected event report markdown editor to display tags.
    • Included user agent in feed ingestion to address issues with specific feeds.
    • Fixed editing view for galaxycluster blocklist.
    • Readded missing org logo in the decaying model.
    • Corrected JSON response handling in the decaying tool.
    • Fixed object reference links for proper view refocus.
    • Corrected errors in the server edit view.
    • Fixed typo in bookmark description.
    • Adjusted default role settings in mysql.sql.
    • Updated local flag in EventTags to be boolean.
    • Corrected filenames in RHEL background worker migration guide.
    • Improved performance by increasing chunk size for sighting sync.

MISP 2.4.193 released with many bugs fixed, API improvements and security fixes

07 Jun 04:00
v2.4.193
462088e

v2.4.193 (2024-06-06)

New

  • [attributes/enrich] endpoint added.

    • Simply post a list of modules you wish to enrich the attribute by.
    • URL: /attributes/enrich/[attribute_id|attribute_uuid]
    • Post body format: {"dns": 1, "foo_bar_baz": 1} listing all modules to execute.
  • [misp-community] MISP-LEA information sharing community added.

  • [events:view] New UI feature to collapse Attributes inside an object.

    • Comes with an MISP setting to configure this behavior at an instance-wide level.
  • [fatal error] logging added.

    • Helps administrators to easily see issues related to timeouts/OOM.
  • [feed acl] changed for feeds with visibility set to 1.

    • Any user can now use open feeds to:
      • Browse the data.
      • Preview individual events.
      • Search the feed caches for the given feeds.
      • Run overlap comparisons on them.
    • For feeds/server correlations that do not allow users to see contents:
      • Correctly show server-wide opt-in correlations on local events as text, rather than non-functional links.
  • [feed] sync pull rule checks on manifest, fixes #9728.

    • Added checks to rule out events from MISP feed pulls that do not match the filter rules.
    • Should speed up processes considerably.

Changes

  • [version] bump.
  • [PyMISP] Bump version.
  • [misp-stix] Bumped latest version.
  • [taxonomies] updated to latest version.
  • [misp-galaxy] updated.
  • [warning-lists] updated.
  • [misp-objects] updated.
  • [diagnostics] add Database/MysqlObserverExtended to valid data sources list.
  • [attributes/enrich] added to ACL.
  • [community] misp-lea.org is vetted by us.
  • [PyMISP] Bump for testing.
  • [event:view] Small UI improvement for attribute's type in object row.
  • [events:view] Small UI tweak to prevent object name from wrapping.
  • [galaxy:galaxy-matrix] Respect order of tabs based on kill_chain_order definition.
  • [analyst-data:relationship] Prevent self-referencing relationships.
  • [analyst-data:view] Always return attached analyst-data.
  • [analyst-data:capture] Recursively capture nested analyst-data.
  • [component:CRUD] Added support of afterFind in the delete function.

Fix

  • [feed settings] unpublish_event setting had the inverted effect, fixes #9739.

  • [JS] invalid comparison fixed.

    • 2jsirl4jsirl
  • [tag search] fixed.

  • [modules] /queryEnrichment endpoint fixed in modules controller - correctly pass module data, fixes #9758.

  • [event fetcher] pop the tag filter after the first round of lookups.

    • Avoid adding the same condition twice.
  • [tag search] fixes #1.

    • Correctly break execution for ANDed tag searches if one tag doesn't exist.
    • Correctly compare against event_id field in attribute_tags table.
  • [API] don't HTML encode JSON documents.

    • Earlier fix caused issues.
  • [security] changed menu_custom_right_link to CLI only.

    • Prevents malicious/hijacked admin accounts from embedding malicious JS in a global menu link.
  • [galaxyClusters:restSearch] filter on org_id and orgc_id if param set.

  • [security] rest endpoints - additional sanitisation for non-JSON responses.

    • Escape non-JSON response bodies.
  • [security] changed menu_custom_right_link_html to CLI only.

    • Prevents embedding malicious JS in every page.
  • [PyMISP] Fix the tests.

  • [Collections] path pluralisation fix in ACL check for collections, fixes #9745.

  • [event:view] Correctly handle first click on toggle attribute visibility.

  • [audit-logs:eventIndex] Fixed pagination issue while viewing event history, fixes #9726.

  • [event-report:publishing] Do not reset the event timestamp when updating an event report.

  • [feeds] function name change not handled everywhere.

  • [ACL] private function name convention not kept for a new function.

    • Prevents ACL self-test complaints about an accessible endpoint.
  • [correlation] small fix for preview_event.

  • [server correlation UI] fixed link to index preview.

  • [password reset] ACL fix.

  • [ACL] fixed pre-auth dynamic function calls.

  • [server/feed] correlation bug fix.

    • Prevents MISP from failing due to too many correlating events.
  • [bruteforceProtection] Avoid failing when wrong username is used.

Other

  • Add Infoblox feed to defaults.json.

MISP 2.4.192 released with many performance improvement, fixes and updates.

07 May 12:26
v2.4.192
d682d92

New Features

  • Security Enhancements:

    • Ability to disable TOTP/HTOTP when linked to an identity provider with strong authentication.
    • Introduced Fast API Authentication with temporary storage of hashed API keys in Redis to enhance endpoint performance.
  • Logging and Tracking:

    • Enhanced detailed tracking sent to Sentry as breadcrumbs.
  • User Interface Improvements:

    • Addition of missing views for analyst data to enhance UI functionality.

Changes

  • Performance and Functionality Improvements:

    • Updated CRUD operations to support afterFind in the delete function.
    • Removal of redundant UI elements and dependencies, streamlined distribution settings, and enhanced event view loading.
    • Upgraded warning lists, MISP galaxies, and MISP objects to the latest versions.
    • Simplified JSON structure updates and UI enhancements, including a nicer menu design.
  • Configuration and Security Settings:

    • Improved role management with OIDC and adjusted security settings to disable password resetting when changes are disabled.

Fixes

  • Security and Stability Fixes:

    • Addressed various security concerns including fixing redirect loops, removing redundant security tests, and patching stored XSS vulnerabilities (CVE-2024-33855).
    • Restored and fixed the Email OTP feature and ensured the proper functioning of external authentication.
    • Made several critical fixes in the handling of analyst data and UI operations, like pagination in logs and event view configurations.
  • Optimization and Error Corrections:

    • Fixed issues in SQL logs, benchmarking, and handling of event indexes related to tags and threat levels.

For a complete list of updates, please refer to the changelog pages.