
misp-stix 2025.01.09 - New Year release including support of Analyst Data

Released by @chrisr3d on 07 Jan 10:06 · 7 commits to main since this release · commit 1549df4

This new release introduces changes to support the conversion between MISP Analyst Data and the STIX 2.x Note & Opinion objects.

It includes the following features:

  • Improved support for STIX 2 Note & Opinion objects, which are now converted into MISP Analyst Data
  • Support for exporting MISP Analyst Data, which is now converted into STIX 2 Note & Opinion objects
  • A few fixes to the command line feature and to some edge cases
  • A new argument to force the conversion of STIX 2.x SDOs as Galaxy Clusters
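To make the Note & Opinion conversion concrete, here is an added example (not misp-stix's own code, and not its exact data model) that walks a STIX 2.1 bundle, attaches each Note and Opinion to the SDO it references, and builds STIX Note/Opinion objects from MISP-style analyst entries in the other direction. The STIX field names follow the STIX 2.1 specification; the MISP-side dict layout, the mapping between the STIX opinion enumeration and a 0-100 score, and the sample bundle are assumptions constructed for this illustration. It also handles the edge case the release fixes mention, a Note or Opinion whose object_refs point at an object that is not in the bundle, by reporting it instead of raising KeyError:

```python
"""Map STIX 2.1 Note/Opinion SDOs to MISP-style Analyst Data and back.

Added example, not misp-stix code. The MISP-side dict layout and the
opinion-scale mapping below are simplified assumptions for illustration.
"""
import json
import uuid
from datetime import datetime, timezone

# Assumed mapping from the STIX 2.1 opinion enumeration to a 0-100 score.
OPINION_TO_SCORE = {
    "strongly-disagree": 0,
    "disagree": 25,
    "neutral": 50,
    "agree": 75,
    "strongly-agree": 100,
}

INDICATOR_ID = "indicator--22222222-2222-4222-8222-222222222222"
MISSING_ID = "malware--66666666-6666-4666-8666-666666666666"

# Constructed sample bundle: one indicator, a note and an opinion about it,
# and a second opinion that references an object absent from the bundle.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": INDICATOR_ID,
         "created": "2025-01-09T10:00:00.000Z", "modified": "2025-01-09T10:00:00.000Z",
         "pattern": "[domain-name:value = 'example.invalid']",
         "pattern_type": "stix", "valid_from": "2025-01-09T10:00:00Z"},
        {"type": "note", "spec_version": "2.1",
         "id": "note--33333333-3333-4333-8333-333333333333",
         "created": "2025-01-09T10:01:00.000Z", "modified": "2025-01-09T10:01:00.000Z",
         "abstract": "Sinkhole", "content": "Domain now resolves to a sinkhole.",
         "authors": ["SOC"], "lang": "en", "object_refs": [INDICATOR_ID]},
        {"type": "opinion", "spec_version": "2.1",
         "id": "opinion--44444444-4444-4444-8444-444444444444",
         "created": "2025-01-09T10:02:00.000Z", "modified": "2025-01-09T10:02:00.000Z",
         "opinion": "agree", "explanation": "Matches our telemetry.",
         "authors": ["Analyst A"], "object_refs": [INDICATOR_ID]},
        {"type": "opinion", "spec_version": "2.1",
         "id": "opinion--55555555-5555-4555-8555-555555555555",
         "created": "2025-01-09T10:03:00.000Z", "modified": "2025-01-09T10:03:00.000Z",
         "opinion": "disagree", "object_refs": [MISSING_ID]},
    ],
})


def import_analyst_data(bundle_json):
    """Return ({sdo_id: [analyst entries]}, [(sdo_id, unresolved_ref), ...])."""
    bundle = json.loads(bundle_json)
    objects = {obj["id"]: obj for obj in bundle.get("objects", [])}
    attached, issues = {}, []
    for obj in objects.values():
        if obj["type"] == "note":
            entry = {"type": "Note", "note": obj["content"],
                     "language": obj.get("lang", ""),
                     "authors": ", ".join(obj.get("authors", []))}
        elif obj["type"] == "opinion":
            entry = {"type": "Opinion",
                     "opinion": OPINION_TO_SCORE.get(obj["opinion"], 50),
                     "comment": obj.get("explanation", ""),
                     "authors": ", ".join(obj.get("authors", []))}
        else:
            continue
        # Attach to every referenced SDO; record dangling references instead of failing.
        for ref in obj.get("object_refs", []):
            if ref in objects:
                attached.setdefault(ref, []).append(entry)
            else:
                issues.append((obj["id"], ref))
    return attached, issues


def _stix_timestamp():
    now = datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


def score_to_opinion(score):
    """Assumed bucketing of a 0-100 score onto the STIX opinion enumeration."""
    if not 0 <= score <= 100:
        raise ValueError("opinion score must be within 0-100")
    for ceiling, value in ((12, "strongly-disagree"), (37, "disagree"),
                           (62, "neutral"), (87, "agree")):
        if score <= ceiling:
            return value
    return "strongly-agree"


def export_note(content, object_ref, authors=(), language=None):
    """Build a STIX 2.1 Note dict carrying the required fields plus optionals."""
    stamp = _stix_timestamp()
    note = {"type": "note", "spec_version": "2.1", "id": f"note--{uuid.uuid4()}",
            "created": stamp, "modified": stamp, "content": content,
            "object_refs": [object_ref]}
    if authors:
        note["authors"] = list(authors)
    if language:
        note["lang"] = language
    return note


def export_opinion(score, object_ref, comment="", authors=()):
    """Build a STIX 2.1 Opinion dict from a 0-100 score and its comment."""
    stamp = _stix_timestamp()
    opinion = {"type": "opinion", "spec_version": "2.1",
               "id": f"opinion--{uuid.uuid4()}", "created": stamp,
               "modified": stamp, "opinion": score_to_opinion(score),
               "object_refs": [object_ref]}
    if comment:
        opinion["explanation"] = comment
    if authors:
        opinion["authors"] = list(authors)
    return opinion


if __name__ == "__main__":
    attached, issues = import_analyst_data(SAMPLE_BUNDLE)
    print(json.dumps(attached, indent=2))
    print("unresolved references:", issues)
    print(json.dumps(export_opinion(75, INDICATOR_ID, "Matches our telemetry."), indent=2))
```

Running the module prints the analyst entries grouped by the SDO they annotate, the dangling reference from the second opinion, and a freshly built Opinion object. The dangling-reference list is the part worth keeping in a real pipeline: silently dropping a Note or Opinion loses analyst context, while failing on it would block the whole bundle import.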

Here is the complete changelog:

[2025.01.09] - 2025-01-09

Add

  • [stix2 import] New argument to force the conversion of a STIX 2.x SDO as a Galaxy Cluster

Chg

  • [readme] Updated package information, CLI description & updated active period information
  • [poetry] Bumped lock file with latest versions
  • [poetry, package] Bumped package version
  • [CLI] In long argument names, replaced underscores with dashes

Fix

  • [CLI] Fixed confusion between single_output and single_event arguments

[2025.01.07] - 2025-01-07

Chg

  • [poetry, package] New tag version
  • [poetry] Bumped lock file with latest versions
  • [poetry, package] Updated versions

Fix

  • [CLI] Fixed argument confusion between the import & export command line feature

[2024.12.20] - 2024-12-20

Add

  • [stix2 import] Adding to the Event the information on the producer using the producer galaxy
  • [tests] Tests for Analyst Data import from STIX 2.x content generated from MISP
  • [tests] Better report/grouping references handling in STIX2 Bundle samples
  • [tests] Tests for Event Report import
  • [tests] Testing the Note & Opinion objects type for Analyst Data exported to STIX 2.x
  • [stix2 export] Added labels to Notes and Opinions objects converted from Analyst Data or Event Report
  • [tests] Added tests for Analyst Data export to STIX 2.0
  • [tests] Added tests for Event Report export to STIX 2.0
  • [tests] Added tests with Analyst Data attached to a MISP object
  • [misp_stix_converter] Making available the method to check the origin of STIX 1 files
  • [stix1 import] STIX 1 to MISP automation methods added
  • [tests] Tests for STIX 2.x Bundle import with specific producer or title set by user
  • [misp_stix_converter] Added title argument to prefix Event info field with some title
  • [readme] Added instructions on the producer argument
  • [misp_stix_converter, stix2 import] Added producer argument to add in the Events converted from STIX 2.x the name of the producer
  • [misp_stix_converter] Extended the command line feature to allow pushing Events to MISP from the conversion of STIX 2.x Bundles
  • [tests] Tests for Analyst Data export to STIX 2.1

Chg

  • [poetry] Bumped lock file
  • [stix2 import] Converting report or grouping description as MISP Event Report
  • [stix2 import] Adding Analyst Data to Attributes, Objects and Event
  • [stix2 import] Improved the Note & Opinion objects parsing
  • [tests] Updated samples & tests for analyst data export with content exported to Observed Data
  • [stix2 export] Making Analyst Data export to STIX 2.0 available
  • [stix2 export] Exporting Event Reports also to STIX 2.0
  • [stix2 import] More specific name for the method to check if a STIX 2.x file was generated from MISP
  • [stix2 import] Better error and warning messages handling
  • [poetry] Bumped lock file with latest versions
  • [stix2 import] Defining a separate abstract class for methods related to external STIX only
  • [stix2 import] Excluding the producer from the event info title
  • [stix2 import] Better handling of the STIX2 Parser class arguments
  • [stix2 import] Added separation in the generic Event info field, between the title and information on the producer
  • [stix2 import] Adding producer - when provided - to the generic info field
  • [misp_stix_converter] Getting the current user organisation uuid to use it for the Custom Clusters creation
  • [readme] Updated instruction for the command line feature
  • [stix2 export] Converting Analyst Notes and Opinions to STIX 2.1 Note & Opinion objects

Fix

  • [poetry] Updated lock file with missing dependencies
  • [poetry] Trying to fix setuptools dependency on Python 3.12 & 13
  • [github actions] Updated Github actions setup
  • [stix2 import] Trying to fix Python 3.9
  • [poetry] Trying to fix missing setuptools dependency
  • [poetry] Bumped latest PyMISP version
  • [poetry] Bumped latest lock file with the right python versions and some library updates
  • [github] Updated Python versions
  • [poetry] Updated Python versions
  • [stix2 import] Removed duplicated property method already present in a parent class
  • [stix2 import] Quick clean-up
  • [poetry] Bumped lock file
  • [stix2 import] Utilising the set of creator id references to skip parsing identity objects that are mentioned in STIX objects with the created_by_ref field
  • [stix2 import] Avoiding issues with event tags variable when we are parsing STIX documents with no report or grouping
  • [stix2 import] Avoiding KeyError exceptions while parsing standalone STIX 2.1 observable objects
  • [stix2 import] Better parsing for observables referenced in malware objects
  • [stix2 import] Fixed missing method name
  • [tests] Fixed created_by_ref identity id
  • [stix2 import] Avoiding issues while attaching Analyst Data to the different MISP data layers
  • [stix2 import] Better Analyst Data information loading and parsing
  • [stix2 import] Properly importing Analyst Notes and Opinions attached to Event Reports
  • [stix2 import] Added missing opinion value for Analyst Opinion imported from STIX 2.1 generated from MISP
  • [tests] Updated tests for STIX 2 External content conversion to MISP
  • [stix2 import] Simplifying some typings, avoiding missing variable
  • [stix2 import] Variable name fixed
  • [stix2 import] Converting Event Reports from STIX 2.0 Custom x-misp-event-report objects and STIX 2.1 Note objects
  • [stix2 import] Added missing Event Report import feature
  • [stix2 import] Removed unused import
  • [stix2 import] Simplification of the converters declaration
  • [stix2 import] Fixed Analyst Data authors field that is a string in MISP
  • [stix2 import] Fixed call to warning handling which takes place in the main parser and not in the converters
  • [stix2 import] Removed duplicated property for MISP Event
  • [stix2 import] Fixed a quick issue coming from the last conflicts resolving
  • [stix1 import] Making python 3.8 & 3.9 happy with typings
  • [tests] Quick fix on the tests for event report export as STIX 2.0
  • [stix2 import] Added missing import
  • [tests] Cleaned up tests for analyst data export
  • [stix2 export] Fixed Note and Opinion objects arguments
  • [stix2 export] Adding Note and Opinion IDs used at Event level to the object_refs list of references within the Report or Grouping object
  • [stix2 export] Parsing analyst data related to Observed Data objects & added a few missing typings
  • [tests] Avoiding issues with test samples being altered
  • [stix2 export] Fixed Event Report references fetching
  • [stix2 export] Making the methods related to event reports part of the parent STIX 2 export class
  • [tests] Added fallback test to avoid issues with datetime values
  • [stix2 export] Removed non-existing comment field in Analyst Note
  • [stix2 import] Added typing in external mapping and made different variable checks easier
  • [stix2 export] Better Analyst Note & Opinion conversion
  • [stix1 import] Fixing the email object handling and a few other clean-up changes
  • [stix2 import] Fixed synonyms_mapping call
  • [stix2 import] Removed unused part of the datetime to timestamp conversion method
  • [stix2 import] Fixed test on indicator version
  • [stix2 import] Code monkey typo fixed
  • [stix2 import] Making the MISP_org_uuid available while putting its declaration at the right place
  • [poetry] Bumped fixed version
  • [stix2 import] Fixed the method to directly load and parse STIX Bundle giving a filename
  • [misp_stix_converter] Fixed some argparse help values
  • [tests] Fixed tests for STIX 2.x Bundles imported as MISP Events where producer and info values are set by user
  • [stix2 import] Fixed generic info field to use the title set by users
  • [stix2 export] Avoiding issues with Note objects referencing Custom objects
  • [stix2 import] Avoiding issue with getattr which isn't able to check whether a __ prefixed variable exists or not
  • [misp_stix_converter] Handling cases where url or authentication key is not provided to connect to MISP
  • [stix2 import] Added missing producer argument
  • [misp_stix_converter] Updated command-line import arguments
  • [stix2 import] Added bundle id to the generic Event info field used when there is no Report or Grouping to parse
  • [misp_stix_converter] Quick fixes on the command-line feature
  • [misp_stix_converter] Providing default value to the version and distribution arguments with the command line feature
  • [stix2 import] Checking if internal STIX 2.1 Note object has labels
  • [stix2 import] Avoiding issues with the Event tags variable
  • [exportparser] Fixed variable name typo
  • [stix2 export] Converting the created & modified values to datetime objects required within the STIX objects
  • [stix2 export] Converting the created and modified fields of analyst notes and opinions
  • [stix2 export] Some clean-up

Wip

  • [stix1 import] First version of a STIX 1 import feature porting from the MISP core code base
  • [stix2 import] Making the Note objects Converter an internal converter

Pull Requests

  • Merge pull request #67 from castaples/remove-keyerror


Full Changelog: v2.4.196...2025.01.09