Seven Great New MISP Features You May Have Missed

Seven Great New MISP Features You May Have Missed
February 21, 2024

MISP has a cracking pace of development; we factor in 12-15 releases per year here at Cosive as we maintain our hosted CloudMISP instances. That speaks volumes about the awesome and very active MISP developer community.

With such a tempo it’s very easy to miss new features or not have time to fully dig into them. Let’s go through a few of the notable new features of the last 12 months that we particularly like which you may have missed.

TIME-BASED ONE TIME PASSWORD (TOTP)

Since: 2.4.172 (June 2023)

What is it?

A new, standard way of providing two-factor authentication (2FA) to MISP users.

Why it's great

MISP has had 2FA via an email code for quite some time now, but many would prefer something that matches what they use elsewhere. In a lot of cases that’s time-based one time passwords or TOTP that you might already use with Google Authenticator or Yubico Authenticator.

How to use

Enabling it for your account is simple: Global Actions -> My Profile then the “Generate” link next to TOTP. That will present you with the no doubt familiar QR code + backup code generation workflow.

To make TOTP mandatory for all users: Adminstration -> Server Settings & Maintenance -> Security then set `Security.otp_required` to true. This will prompt users to set up TOTP next time they’ve authenticated as per usual.

Administration -> List Users has also added a handy column to know which users have enabled TOTP:

HIGHLIGHTED TAXONOMY TAGS

Since: 2.4.167 (Dec 2022)

What is it?

A way to make important MISP event tags for your team rise above the noise.

Why it's great

You might be all too familiar with a blizzard of tags on MISP events like this relatively tame example:

Quick - can you see if there’s an admiralty scale confidence rating set? Having such detailed metadata on events can be excellent but there are also particular tags that hold more important meaning like TLP or confidence.

Highlighted taxonomy tags let certain tag families rise above the noise. It’s also very handy for visually noticing when certain tags are missing before you publish an event. Below we can see admiralty scale and TLP taxonomies are highlighted; after noting a missing admiralty scale tag it’s simple for us to add one.

How to use

Enabling a highlighted taxonomy family is very easy via Event Actions -> List Taxonomies:

WORKFLOWS

Since: 2.4.160 (Aug 2022) but much ongoing work happening

What is it?

A way to automate MISP data processing via visual flowcharts inside the platform.

Why it's great

A classic pattern to process events as they update on your MISP instance is a ZeroMQ-aware script which can trigger as events flow through. Using PyMISP or similar, you can make changes to events as you see fit via scripting automation. This is indeed often the best way to do it for maximum control and flexibility, but not all of us can easily develop, test, and deploy such scripts easily.

The good news is there’s an ongoing effort to allow graphical workflow-based automation right inside MISP itself via MISP Workflows. Here’s a simple example which auto-tags any event created by Cosive with the TLP:AMBER+STRICT tag:

Like all automation, we need to be careful about the filters, triggers, and operations we select so we don’t put massive load on our MISP instance or otherwise make a mess of our data. It’s always best to try these things out on a test MISP instance (always a good thing to have!) before you unleash your workflow on your production data where untested mistakes may be painful to undo.

MISP Workflows is shaping up well but it’s well worth noting it’s still under heavy development and is considered experimental at this point. All the same, it’s well worth having an experiment with it to see what’s possible.

How to use

1. Enable Workflows via: Administration -> Server Settings & Maintenance -> Plugin -> set Plugin.Workflow-enable = true.

2. Enable Workflow elements via Adminstration -> Workflows -> List Modules -> All. You may wish to enable all of them to experiment with but as an administrator you can restrict this to whatever makes sense for you.

3. Still within the Workflows screen, click on “List Triggers” on the left. Then you can click on the “</>” link to edit the workflow itself. How to actually construct solid workflows is something we’ll leave for another time, however.

DASHBOARD OVERHAUL

Since: 2.4.171 (May 2023)

What is it?

A way to visualise the state of data and systems in MISP.

Why it's great

If you’re a long-time MISP user, you may have tried the built-in or separate dashboard app but it didn’t quite give you the sorts of insights you were after.  A lot of work has gone into overhauling MISP’s built-in dashboarding features allowing for better understanding of the data held in your instance.

Late breaking at the time of writing is the addition of a MITRE ATT&CK heatmap which shows the flexibility that widgets can allow (screenshot from the MISP 2.4.173 release notes):

How to use

Just click “Dashboard” in the menu and add some widgets.

STIX CONVERSION IMPROVEMENTS

Since: 2.4.168 (Feb 2023) but improvements continually ongoing

What is it?

A way to convert MISP’s data model to and from the STIX data model and format.

Why it's great

With its long history of CTI data standards and transformation work, Cosive has spent a LOT of time working with MISP to and from STIX. It’s a deep topic which deserves a lot more attention but suffice to say that converting the event-centric MISP model to the graph-centric STIX model can be a challenge. Please have a read of our MISP vs STIX introduction if you’d like to know a little more about that.

MISP’s built-in converter for MISP to STIX and vice-versa continues to improve and is very important for sharing with organisations that may be using other tools or with other business units using STIX-capable tools like Sentinel or Splunk ES. These days it also handles conversion of a lot of important taxonomies like MITRE ATT&CK which is represented via MISP Galaxies.

How to use

From an event you can use “Download as…” then pick the STIX 2.1 option. You can also do this in an automated fashion with PyMISP or the library and CLI tools provided by MISP-STIX-Converter.

TAXII PUSH

Since: 2.4.166-172 (Dec 2022) and continually improving

What is it?

A way to easily publish your MISP events as STIX bundles on a TAXII transport server.

Why it's great

Since you know MISP can generate STIX, the next thing you’ll very likely want to do is use STIX’s native transport protocol TAXII to share it with other parties. While MISP feeds are great for sharing with other MISPs, TAXII is a common method for publishing and sharing with non-MISP platforms like commercial TIPs, open source TIPs, and SIEMs like Sentinel.

Until recently, that required some scripting skills to automatically export MISP events as STIX bundles then to push them into a TAXII server’s collection. With that done, your STIX-consuming partner can collect them as they become available.

With the introduction of built-in support to push from MISP to a TAXII server, this becomes a lot easier out of the box. It’s early days for TAXII push support but well worth a look at where it’s going and how you might use it.

It’s also worth noting you’ll need to provide your own TAXII server instance which could be part of a separate threat intelligence platform or something standalone.

How to use

Navigate to Sync Actions -> List TAXII servers -> Add TAXII server.

You’ll want to set a filter for which events get pushed to the TAXII server, e.g. only those with a particular tag.

CREATE OBJECTS IN EVENTS USING FREE-TEXT IMPORT

Since: 2.4.167 (Dec 2022)

What is it?

A way to streamline creation of MISP objects in events.

Why it's great

Grouping together MISP attributes as objects is great; if you’re not already doing this to bind things like filenames and their related hashes together, you absolutely should.

As well as creating a new object on an event via the standard object creation form, there’s also a more streamlined way to do this. Using the free-text import tool, you can also get it to extract attributes and auto-populate an appropriate object type to add into an event you’re creating.

How to use

1 . View the event you want to add objects to.
2. Click “Populate from…” on the left menu.

3. Now click “Freetext Import” from the resulting dialogue.

4. Copy or create the snippet of text we’ll extract the object’s attributes from:

5. It will find attributes matching certain patterns and list them as individual attributes. Instead of clicking “Submit attributes” we can instead decide to group them as an grouped object via the “Create object” button at the bottom of the page, which also suggests object types with the corresponding attribute types:

6. This will take you to a screen showing the object it will create. Add comments and tags too - these are GREAT for contextual understanding.

7. You now have an object attached to your event with the extracted attributes. Great success!

CONCLUSION

New MISP releases happen a little faster than monthly and it’s important to stay up to date. As well as all-important security updates, taxonomy updates, and MISP Galaxy updates, there may well be a lot of new features and enhancements added that you aren’t taking full advantage of yet.

As a part of our CloudMISP offering we also review each MISP release down to the code diff level, road test any new or changed functionality, and provide advice on how to best take advantage of new changes in your SOC and CTI workflows. If taking some of those MISP care and feeding problems off your hands sounds good, please feel free to get in touch for a chat!