MISP
/
misp-website
mirror of https://github.com/MISP/misp-website
2
0
Fork 0
Code Issues Releases Wiki Activity

Update 2019-11-10-MISP.2.4.118.released

pull/19/head
Andras Iklody 2019-11-10 14:48:16 +01:00 committed by GitHub
parent f2fc831871
commit 6a42d076f8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
_posts/2019-11-10-MISP.2.4.118.released
View File

@ -6,7 +6,7 @@ featured: /assets/images/misp/blog/exclusive/exclusive-example-1.png
# MISP 2.4.118 released
A new version of MISP ([2.4.118](https://github.com/MISP/MISP/tree/v2.4.118)) has been release including the exclusivity tag functionality, the support of additional external SightingDB lookup and many fixes.
A new version of MISP ([2.4.118](https://github.com/MISP/MISP/tree/v2.4.118)) has been release including a functionality that allows for tag exclusivity within taxonomies, the support for external Sighting sources via SightingDB and many fixes.
# Exclusive taxonomies
@ -15,11 +15,14 @@ A new version of MISP ([2.4.118](https://github.com/MISP/MISP/tree/v2.4.118)) ha
![](https://www.misp-project.org/assets/images/misp/blog/exclusive/exclusive-example-3.png)
![](https://www.misp-project.org/assets/images/misp/blog/exclusive/exclusive-example-4.png)
In the MISP taxonomy format, we introduced some time ago the exclusive field to show the exclusivity aspects of a taxonomy or selected part of the taxonomy (at predicate level). Now MISP user-interface shows and enforces inconsistency at user-interface level of exclusivity between tags assigned at event level or attribute level.
Some time ago, we've introduced the "exclusive" field in the MISP taxonomy format, in order to define rules of exclusivity within a given taxonomy predicate. As of this release, the MISP user-interface shows and enforces inconsistencies of exclusivity between tags assigned at the event and the attribute levels.
# SightingDB support
For the past years, MISP project worked on improving sighting in its threat intelligence sharing platform but also to improve sighting at large for the users. After discussions with various users, we introduced a new functionality to configure external SightingDB server and query large dataset efficiently. Our friends at Devo decided to work with us and provide a [dedicated SightingDB server](https://github.com/stricaud/sightingdb) in open source to have a fast-lookup system. Devo decided to standardise the format of the SightingDB protocol format and we decided to host it under the [misp-standard.org](https://www.misp-standard.org/) umbrella.
Over the course of the past years, the MISP Project has worked on improving the sighting capabilities of the platform in various ways when it comes to being able to provide contextualised sightings for information sharing. Most of the use-cases driving this type of sighting reporting were based on a need to encode intelligence gathered during incidents, as part of reporting or encoding the time-based aspects of intelligence. Being able to contextualise the sighting with information on the source, tie its release to the ACL rules governing the sighted data and describing the type of sighting were of a higher priority than performance.
After discussions with users looking for a completely diverging use-case, namely that of bulk, large-scale data/traffic analysis and correlation thereof with the threat information databases of their MISPs. Thanks to our friends at Devo, who have developed an open source system tackling these issues - the [SightingDB server](https://github.com/stricaud/sightingdb) - we had something to integrate into MISP as an alternate sightings system handling lookups against a large-scale sighting system.
Devo also decided for the standardisation of the SightingDB protocol format and we have decided to host it under the [misp-standard.org](https://www.misp-standard.org/) umbrella.
The SightingDB support includes the following:
@ -31,9 +34,9 @@ The SightingDB support includes the following:
# Improved meta search in restSearch
The restSearch now supports the ability to search by creator organisation and by also the fields present in the galaxies.
The restSearch now supports the ability to search by creator organisation and also by the meta fields present in the galaxy clusters.
Such request can now be done on any field within a galaxy:
Such requests can now be done on any meta field within a galaxy:
~~~~
/attributes/restsearch/
@ -43,7 +46,7 @@ Such request can now be done on any field within a galaxy:
}
~~~~
or combining the search based on the meta-data presents on MISP organisations:
along with the various fields of the creator organisation object itself:
~~~~
/events/restsearch/
@ -55,11 +58,11 @@ or combining the search based on the meta-data presents on MISP organisations:
# Update module
The database schema model update has been improved in MISP and you can see the current inconsistencies of any past model change or the ongoing upgrade of the database model. This has been introduced because the next version of MISP will include a major improvement in the data model to add time references at the all the event of the MISP data model. This update in 2.4.119 includes an update of the attributes table which can take a significant time depending of your MISP installation.
The database schema model update has been improved in MISP and you can see the current inconsistencies of any past model change or the ongoing upgrade of the database model. This has been introduced because the next version of MISP will include a major improvement to the data model in order to add time references at several layers of the MISP data model. This update, coming in 2.4.119, includes an update of the attributes table which can take a significant amount of time depending of your MISP installation.
# MISP modules - many new modules with objects support
[Many new modules](http://misp.github.io/misp-modules/) were added such as the (event query language) EQL query module, Endgame EQL export module, OSINT.digitalside.it lookup module and many improvements to existing modules such as the CSV import module, IBM X-Force expansion module, ... Don't forget to update your modules to the latest version.
[Many new modules](http://misp.github.io/misp-modules/) were added such as the (event query language) EQL query module, Endgame EQL export module, OSINT.digitalside.it lookup module and many improvements to existing modules such as the CSV import module, IBM X-Force expansion module and more. Don't forget to update your modules to the latest version.
# Acknowledgement