MISP Objects v2026031300: From Ghidra Functions to AI Summaries

@adulau released this 13 Mar 09:27
2026031300
750b333

MISP Objects Release Notes - v2026031300

Date: 2026-03-13

🆕 New Object Templates

This release adds a variety of new templates to bridge gaps in digital forensics, network infrastructure, and CTI automation.

  • Forensics & Malware Analysis:
    • ghidra-function: Support for documenting functions identified during Ghidra analysis.
    • trusted-timestamp: Template for documenting RFC 3161 or similar timestamp tokens.
  • Infrastructure & Networking:
    • wifi-connection: New object for documenting specific WiFi connection parameters.
    • rmm: Dedicated object for Remote Monitoring and Management agent details (e.g., for tracking legitimate tool abuse).
  • Threat Intelligence & Reporting:
    • summariser-output: Designed to store outputs from AI or NLP-based summarizers (born from hackathon.lu 2025).
    • shadowserver-beacon-*: Two new objects (url-overlap and ttl-report) contributed by Shadowserver for the MISP-LEA project.
    • spambee-report: Integration for Spambee analysis reports.
    • taranis: New templates for news-item and story tracking.
  • Legal & Administrative:
    • administrative-decision: For tracking formal legal or administrative actions.
  • Other:
    • data-url: To represent data URIs.
    • flowintel: Task resource management for the FlowIntel project.

🛠️ Significant Changes & Improvements

📱 Hardware & IoT

  • Mobile Devices: The phone object now supports multiple IMEI fields to accommodate dual-SIM devices.
  • UAVs/Drones: Major overhaul. Added a picture field and removed general geolocation in favor of flight-path attachments and specific mission details.
  • Devices: Added a perspective field to distinguish between Adversary and Victim devices.

🛡️ Vulnerability & Detection

  • Vulnerability: Updated UI priority to keep CVE-ID at the top. Added impact and payload fields to better describe exploitation potential. Now supports any CVSS version.
  • Sigma/YARA: Updated UI priorities for rule names and incremented version definitions for better organization.
  • Detection: Refined meta-categories to ensure consistent classification.

💰 Cryptocurrency

  • Expanded the coin-address, cryptocurrency, and cryptocurrency-transaction objects with new currencies (credits to Ransom-ISAC).

🌐 Network & Web

  • IP/Port: Added support for PTR records.
  • Domain/URL: Added dom-hash and ref fields to file and url objects to track analysis references.
  • Social Media: Updated instagram-account and google-account templates for better forensic detail.

🐛 Bug Fixes & Maintenance

  • JSON Schema: Massive cleanup using jq across almost all templates to ensure strict schema compliance.
  • Typos: Fixed naming errors in python-evtx-event-log and github-repo.
  • Correlation: Disabled correlation on firmware and specific text fields where it caused false positives.
  • Documentation: Updated the README and main object list to reflect current definitions and the new logo.

Note: If you are using the MISP UI, please remember to go to Global Actions > List Objects and click "Update objects" to fetch these latest definitions.