Releases: MISP/misp-stix

MISP-STIX Spring Release

16 Jun 07:12
ad0ce05

We're excited to share a new set of updates to misp-stix, bringing better STIX 2.x compatibility, smarter Galaxy Cluster handling, and improved validation — all wrapped up with stronger test coverage and smoother tooling.

Highlights of recent misp-stix changes (Jan–June 2025)

STIX 2.x compatibility improvements

  • Enhanced import/export of custom Galaxy Clusters (Campaign, Threat Actor, Malware, Tool, Attack Pattern, etc.)
  • Support for TLP 2.0 and improved parsing of ACS Marking and access privileges
  • Better meta field mapping, labels, and synonym handling for SDOs

Validation & standard compliance

  • Initial use of stix2validator to validate country codes was replaced by pycountry for more reliable handling

Bug fixes and stability

  • Resolved issues with malformed or missing fields (name, object_refs, country, custom fields)
  • Improved fallback logic and inheritance handling in mapping methods

Tests & coverage

  • Broadened test suite for custom STIX object conversions
  • Added regression tests and more comprehensive sample coverage

Packaging & tooling

  • Regular dependency updates (poetry, lockfiles, submodules)
  • Cleanup and consistency improvements in CLI options and argument naming

Detailed changelog

2025.6.12 - 2025-06-12

Chg

  • [package, poetry] Updated version

Fix

  • [stix2 export] Improving the categorisation of MISP as JSON content to call the right conversion to STIX 2.x method
  • [stix2 import] Fixed mapping inheritance to avoid unavailability of a mapping method

2025.5.13 - 2025-05-13

Add

  • [stix2 import] Mapping TLP 2 definitions

Chg

  • [package] New version
  • [submodules] Bumped latest mitre/cti & misp-galaxies versions

Fix

  • [stix2 export] Making sure Identity objects do not raise any exception because of a custom field
  • [stix2 import] Fixed access privilege parsing from ACS marking extension definitions

2025.4.30 - 2025-04-30

Add

  • [test] Tests for custom Campaign Galaxy Clusters export to STIX 2.x
  • [stix2 export] Converting Custom Galaxy Clusters imported from STIX 2.x Campaign objects, back to STIX 2.x

Chg

  • [poetry, package] Bumped latest version
  • [stix2 export] Validating country values while converting country galaxy clusters and custom location galaxy clusters
  • [poetry] Bumped latest versions in lock file
  • [tests] Updated test samples for Campaign objects import as Custom Galaxy

Fix

  • [stix2 import] Using the right method to parse malware sample refs
  • [stix2 import] Properly adding Galaxy with Cluster when converting Malware object both as MISP object and Cluster
  • [stix2 import] Avoiding issues with missing name field in SDOs converted from STIX 2.x to MISP Galaxy Clusters
  • [stix2 export] Catching exceptions on invalid country value
  • [tests] Added tests for custom Vulnerability Galaxy Cluster export to STIX 2.x
  • [stix2 import] Removed empty line
  • [tests] Covering all fields in tests for custom Tool Galaxy Cluster
  • [stix2 export] Avoiding issues with custom stix objects id in object_refs field of a Note
  • [tests] Tests for Custom Threat Actor Galaxy export to STIX 2.x
  • [stix2 export] Typo on the Threat Actor meta fields mapping
  • [stix2 import] Added missing mapping for STIX 2.1 Threat Actor fields
  • [tests] Better tests for custom Attack Pattern Clusters meta fields & added tests for custom Malware Clusters export to STIX 2.x
  • [stix2 export] Better labels and malware/threat actor/tool types field handling
  • [stix2 export] Better meta fields mapping handling
  • [stix2 export] Added missing country code warning
  • [stix2 import] Fixed STIX 2.1 Malware object to cluster meta fields mapping
  • [stix2 export] Converting custom location Galaxy Clusters to STIX 2.1 Location objects
  • [stix2 export] Updated Galaxy Clusters mapping & generic meta fields list
  • [poetry, package] Added stix2validator dependency and updated lock file accordingly
  • [tests] Updated tests for location clusters export to STIX 2.1
  • [stix2 export] Passing meta values without making them a list when they are single values
  • [tests] Better tests for Intrusion Set objects conversion in both directions
  • [stix2 export] Better intrusion set clusters conversion
  • [tests] Better tests for Campaign objects conversion
  • [stix2 import] Parsing all Campaign object fields
  • [tests] Better tests for Attack Pattern objects
  • [stix2 export] Added missing parsing of attack pattern synonyms converted as aliases in STIX 2.1 Attack Pattern objects
  • [stix2 export] Typo missing stix version to populate custom galaxies mapping
  • [stix2 export] Typo in SDO types exported from galaxy clusters
  • [stix2 export] Enabling the ability to export to any STIX 2.x version the custom galaxy clusters previously generated during the conversion from STIX 2.x
  • [stix2 import] Properly parsing access privileges

2025.4.10 - 2025-04-11

Chg

  • [package] Bumped latest version
  • [poetry] Bumped lock file with latest versions
  • [poetry] Updated lock file with latest versions

Fix

  • [stix2 import] Made the Observable objects fetching method available for all standalone Observable objects conversion classes
  • [stix2 import] Avoiding KeyError exception when trying to fetch an observable object based on its id referenced in an observed data

2025.4.4 - 2025-04-04

Chg

  • [package, poetry] New library version
  • [submodules] Bumped latest versions
  • [poetry] Bumped lock file with latest versions

Fix

  • [tests] Updated test following the updated galaxy & cluster definition
  • [stix2 import] Avoiding issues with Sighting objects

2025.03.04 - 2025-03-13

Chg

  • [poetry, package] Library version bump
  • [poetry] Bumped latest lock file

Fix

  • [stix2 import] Passing the cluster distribution value to galaxy definitions too
  • [stix2 import] Making Python 3.9 happy with my return typings being str or None
  • [tests] Updated tests following recent change on the location objects conversion
  • [stix2 import] Fixed imports
  • [stix2 import] Converting STIX 2.1 Location objects with only global region, country or area attributes as custom galaxy
  • [stix2 import] Removed unused mapping methods
  • [stix2 import] Removed mapping that was moved to converters

2025.02.14 - 2025-02-14

Chg

  • [package] Bumped version
  • [poetry] Bumped lock file
  • [poetry] Replaced deprecated section name

Fix

  • [stix2 import] Keeping UUID from Custom objects used to describe a Galaxy Cluster which we import back to MISP
  • [stix2 import] Replaced undefined methods with actual error message handling

2025.01.10 - 2025-01-10

Chg

  • [poetry, package] Bumped versions
  • [stix2 import] Aligned the force contextual data argument to its naming on MISP

2025.01.09 - 2025-01-09

Add

  • [stix2 import] New argument to force the conversion of a STIX 2.x SDO as Galaxy Cluster

Chg

  • [readme] Updated package information, CLI description & updated active period information
  • [poetry] Bumped lock file with latest versions
  • [poetry, package] Bumped package version

misp-stix 2025.01.09 - New Year release including support of Analyst Data

07 Jan 10:06
1549df4

This new release introduces changes to support the conversion between MISP Analyst Data and the STIX 2.x Note & Opinion objects.

It includes the following features:

  • Improvement on the support of STIX 2 Note & Opinion objects that are now converted into MISP Analyst Data
  • Supporting the export of MISP Analyst Data that is now converted into STIX 2 Note & Opinion objects
  • A few fixes on the command line feature and some edge cases
  • The argument to force the conversion of STIX 2.x SDOs as Galaxy Cluster

Here’s the detailed list of changes with the complete changelog:

[2025.01.09] - 2025-01-09

Add

  • [stix2 import] New argument to force the conversion of a STIX 2.x SDO as Galaxy Cluster

Chg

  • [readme] Updated package information, CLI description & updated active period information
  • [poetry] Bumped lock file with latest versions
  • [poetry, package] Bumped package version
  • [CLI] In long argument names, replaced underscores with dashes

Fix

  • [CLI] Fixed confusion between single_output and single_event arguments

[2025.01.07] - 2025-01-07

Chg

  • [poetry, package] New tag version
  • [poetry] Bumped lock file with latest versions
  • [poetry, package] Updated versions

Fix

  • [CLI] Fixed argument confusion between the import & export command line feature

[2024.12.20] - 2024-12-20

Add

  • [stix2 import] Adding to the Event the information on the producer using the producer galaxy
  • [tests] Tests for Analyst Data import from STIX 2.x content generated from MISP
  • [tests] Better report/grouping references handling in STIX2 Bundle samples
  • [tests] Tests for Event Report import
  • [tests] Testing the Note & Opinion objects type for Analyst Data exported to STIX 2.x
  • [stix2 export] Added labels to Notes and Opinions objects converted from Analyst Data or Event Report
  • [tests] Added tests for Analyst Data export to STIX 2.0
  • [tests] Added tests for Event Report export to STIX 2.0
  • [tests] Added tests with Analyst Data attached to a MISP object
  • [misp_stix_converter] Making available the method to check the origin of STIX 1 files
  • [stix1 import] STIX 1 to MISP automation methods added
  • [tests] Tests for STIX 2.x Bundle import with specific producer or title set by user
  • [misp_stix_converter] Added title argument to prefix Event info field with some title
  • [readme] Added instructions on the producer argument
  • [misp_stix_converter, stix2 import] Added producer argument to add in the Events converted from STIX 2.x the name of the producer
  • [misp_stix_converter] Extended the command line feature to allow to push Events on MISP from the conversion of STIX 2.x Bundles
  • [tests] Tests for Analyst Data export to STIX 2.1

Chg

  • [poetry] Bumped lock file
  • [stix2 import] Converting report or grouping description as MISP Event Report
  • [stix2 import] Adding Analyst Data to Attributes, Objects and Event
  • [stix2 import] Improved the Note & Opinion objects parsing
  • [tests] Updated samples & tests for analyst data export with content exported to Observed Data
  • [stix2 export] Making Analyst Data export to STIX 2.0 available
  • [stix2 export] Exporting Event Reports also to STIX 2.0
  • [stix2 import] More specific name for the method to check if a STIX 2.x file was generated from MISP
  • [stix2 import] Better error and warning messages handling
  • [poetry] Bumped lock file with latest versions
  • [stix2 import] Defining a separate abstract class for methods related to external STIX only
  • [stix2 import] Excluding the producer from the event info title
  • [stix2 import] Better handling of the STIX2 Parser class arguments
  • [stix2 import] Added separation in the generic Event info field, between the title and information on the producer
  • [stix2 import] Adding producer - when provided - to the generic info field
  • [misp_stix_converter] Getting the current user organisation uuid to use it for the Custom Clusters creation
  • [readme] Updated instruction for the command line feature
  • [stix2 export] Converting Analyst Notes and Opinions to STIX 2.1 Note & Opinion objects

Fix

  • [poetry] Updated lock file with missing dependencies
  • [poetry] Trying to fix setuptools dependency on Python 3.12 & 13
  • [github actions] Updated Github actions setup
  • [stix2 import] Trying to fix Python 3.9
  • [poetry] Trying to fix missing setuptools dependency
  • [poetry] Bumped latest PyMISP version
  • [poetry] Bumped latest lock file with the right python versions and some library updates
  • [github] Updated Python versions
  • [poetry] Updated Python versions
  • [stix2 import] Removed duplicated property method already present in a parent class
  • [stix2 import] Quick clean-up
  • [poetry] Bumped lock file
  • [stix2 import] Utilising the set of creator id references to skip parsing identity objects that are mentioned in STIX objects with the created_by_ref field
  • [stix2 import] Avoiding issues with event tags variable when we are parsing STIX documents with no report or grouping
  • [stix2 import] Avoiding KeyError exceptions while parsing standalone STIX 2.1 observable objects
  • [stix2 import] Better parsing for observables referenced in malware objects
  • [stix2 import] Fixed missing method name
  • [tests] Fixed created_by_ref identity id
  • [stix2 import] Avoiding issues while attaching Data Analyst to the different MISP data layers
  • [stix2 import] Better Analyst Data information loading and parsing
  • [stix2 import] Properly importing Analyst Notes and Opinions attached to Event Reports
  • [stix2 import] Added missing opinion value for Analyst Opinion imported from STIX 2.1 generated from MISP
  • [tests] Updated tests for STIX 2 External content conversion to MISP
  • [stix2 import] Simplifying some typings, avoiding missing variable
  • [stix2 import] Variable name fixed
  • [stix2 import] Converting Event Reports from STIX 2.0 Custom x-misp-event-report objects and STIX 2.1 Note objects
  • [stix2 import] Added missing Event Report import feature
  • [stix2 import] Removed unused import
  • [stix2 import] Simplification of the converters declaration
  • [stix2 import] Fixed Analyst Data authors field that is a string in MISP
  • [stix2 import] Fixed call to warning handling which is taking place in the main parser and not in the converters
  • [stix2 import] Removed duplicated property for MISP Event
  • [stix2 import] Fixed a quick issue coming from the last conflicts resolving
  • [stix1 import] Making python 3.8 & 3.9 happy with typings
  • [tests] Quick fix on the tests for event report export as STIX 2.0
  • [stix2 import] Added missing import
  • [tests] Cleaned up tests for analyst data export
  • [stix2 export] Fixed Note and Opinion objects arguments
  • [stix2 export] Adding Note and Opinion IDs used at Event level to the object_refs list of references within the Report or Grouping object
  • [stix2 export] Parsing analyst data related to Observed Data objects & added a few missing typings
  • [tests] Avoiding issues with test samples being altered
  • [stix2 export] Fixed Event Report references fetching
  • [stix2 export] Making the methods related to event reports part of the parent STIX 2 export class
  • [tests] Added fallback test to avoid issues with datetime values
  • [stix2 export] Removed non existing comment field in Analyst Note
  • [stix2 import] Added typing in external mapping and made different variable checks easier
  • [stix2 export] Better Analyst Note & Opinion conversion
  • [stix1 import] Fixing the email object handling and a few other clean-up changes
  • [stix2 import] Fixed synonyms_mapping call
  • [stix2 import] Removed unused part of the datetime to timestamp conversion method
  • [stix2 import] Fixed test on indicator version
  • [stix2 import] Code monkey typo fixed
  • [stix2 import] Making the MISP_org_uuid available while putting its declaration at the right place
  • [poetry] Bumped fixed version
  • [stix2 import] Fixed the method to directly load and parse STIX Bundle giving a filename
  • [misp_stix_converter] Fixed some argparse help values
  • [tests] Fixed tests for STIX 2.x Bundles imported as MISP Events where producer and info values are set by user
  • [stix2 import] Fixed generic info field to use the title set by users
  • [stix2 export] Avoiding issues with Note objects referencing Custom objects
  • [stix2 import] Avoiding issue with getattr which isn't able to check whether a __ prefixed variable exists or not
  • [misp_stix_converter] Handling cases where url or authentication key is not provided to connect to MISP
  • [stix2 import] Added missing producer argument
  • [misp_stix_converter] Updated command-line import arguments
  • [stix2 import] Added bundle id to the generic Event info field used when there is no Report or Grouping to parse
  • [misp_stix_converter] Quick fixes on the command-line feature
  • [misp_stix_converter] Providing default value to the version and distribution arguments with the command line feature
  • [stix2 import] Checking if internal STIX 2.1 Note object has labels
  • [stix2 import] Avoiding issues with the Event tags variable
  • [ex...

misp-stix v2.4.196 - Summer release including changes on the command-line feature and a few fixes

21 Aug 14:54
7220ab8

v2.4.196 - 2024-08-21

Included in the release

  • A few arguments to the STIX 2 to MISP parsers have been added to give the option to set directly some of the MISP Event fields or add more contextualisation to the data that is converted to MISP
  • Overall improvement of the command-line feature, supporting more arguments - some are directly related to the above mentioned new arguments
  • Updated documentation explaining the newest features

Add

  • [misp_stix_converter] Global version argument added
  • [tests] Tests for STIX 2.x Bundle import with specific producer or title set by user
  • [misp_stix_converter] Added title argument to prefix Event info field with some title
  • [readme] Added instructions on the producer argument
  • [misp_stix_converter, stix2 import] Added producer argument to add in the Events converted from STIX 2.x the name of the producer
  • [readme] Added more instructions and examples on the command-line feature usage
  • [readme] Additional instructions on the installation process
  • [misp_stix_converter] Extended the command line feature to allow to push Events on MISP from the conversion of STIX 2.x Bundles

Chg

  • [package] Updated version
  • [stix2 import] Excluding the producer from the event info title
  • [poetry] Bumped latest versions in lock file
  • [stix2 import] Better handling of the STIX2 Parser class arguments
  • [stix2 import] Added separation in the generic Event info field, between the title and information on the producer
  • [stix2 import] Adding producer - when provided - to the generic info field
  • [poetry] Bumped lock file with the latest versions
  • [poetry] Bumped lock file with the latest dependencies versions
  • [readme] Updated command-line import feature arguments instructions
  • [misp_stix_converter] Getting the current user organisation uuid to use it for the Custom Clusters creation
  • [readme] Updated instruction for the command line feature

Fix

  • [poetry] Tentative to fix lock file
  • [misp_stix_converter] Fixed some argparse help values
  • [tests] Fixed tests for STIX 2.x Bundles imported as MISP Events where producer and info values are set by user
  • [stix2 import] Fixed generic info field to use the title set by users
  • [stix2 export] Avoiding issues with EventReport referencing attributes or objects exported as Custom STIX 2 Object
  • [stix2 import] Avoiding issue with getattr which isn't able to check whether a __ prefixed variable exists or not
  • [misp_stix_converter] Handling cases where url or authentication key is not provided to connect to MISP
  • [stix2 import] Added missing producer argument
  • [misp_stix_converter] Updated command-line import arguments
  • [stix2 import] Added bundle id to the generic Event info field used when there is no Report or Grouping to parse
  • [misp_stix_converter] Quick fixes on the command-line feature
  • [misp_stix_converter] Providing default value to the version and distribution arguments with the command line feature
  • [stix2 import] Avoiding issues with the Event tags variable

misp-stix v2.4.194 - A few fixes and an important change to the Tags handling to avoid duplication of Event tags into Attributes

21 Jun 13:32
6bb8186

v2.4.194 - 2024-06-21

Included in the release

  • A few issues fixed
  • Some clean-up of the duplicated methods after the latest Converters have been merged
  • Avoiding the duplication of Event tags in Attributes
    ➡️ When an Event is tagged with a specific tag, it implies all the Attributes contained in this Event are implicitly tagged with the same tag. We do not need to explicitly tag all the Attributes with the same tag in that case.
    ❌ : As a naive approach, we were looping through Marking Definitions to tag individually each Attribute when there was a reference between the corresponding STIX object and Marking Definition
    ✅ Now we first check if a given Tag is already attached to the Event before attaching it to an Attribute
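
The check described above, sketched as an added example (not misp-stix code): plain dicts stand in for MISP Events and Attributes, and the function names, the bundle and every id in it are constructed for illustration. The third indicator references a marking definition that is absent from the bundle, which is skipped rather than raising.

```python
"""Added illustration of Event/Attribute tag de-duplication (not misp-stix code)."""

# Constructed STIX 2.1 sample; every id below is made up for this example.
GREEN = "marking-definition--00000000-0000-4000-8000-000000000001"
AMBER = "marking-definition--00000000-0000-4000-8000-000000000002"
ABSENT = "marking-definition--00000000-0000-4000-8000-0000000000ff"  # never defined


def _indicator(n, pattern, markings):
    """Build a minimal constructed Indicator carrying only the fields used here."""
    return {
        "type": "indicator",
        "id": f"indicator--00000000-0000-4000-8000-00000000010{n}",
        "pattern": pattern,
        "object_marking_refs": markings,
    }


INDICATORS = [
    _indicator(1, "[domain-name:value = 'a.example']", [GREEN]),
    _indicator(2, "[domain-name:value = 'b.example']", [GREEN, AMBER]),
    _indicator(3, "[domain-name:value = 'c.example']", [ABSENT]),
]

BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "marking-definition", "id": GREEN,
         "definition_type": "tlp", "definition": {"tlp": "green"}},
        {"type": "marking-definition", "id": AMBER,
         "definition_type": "tlp", "definition": {"tlp": "amber"}},
        *INDICATORS,
        {"type": "report",
         "id": "report--00000000-0000-4000-8000-000000000200",
         "name": "Constructed report",
         "object_marking_refs": [GREEN],
         "object_refs": [indicator["id"] for indicator in INDICATORS]},
    ],
}


def marking_tags(bundle):
    """Map each TLP marking-definition id to a MISP-style tag name."""
    tags = {}
    for obj in bundle["objects"]:
        if obj["type"] == "marking-definition" and obj.get("definition_type") == "tlp":
            tags[obj["id"]] = f"tlp:{obj['definition']['tlp']}"
    return tags


def resolve(refs, tags):
    """Turn marking refs into tag names; refs missing from the bundle are skipped."""
    return [tags[ref] for ref in refs if ref in tags]


def convert(bundle, deduplicate=True):
    """Convert the Report to an Event-like dict and its Indicators to Attributes.

    deduplicate=False reproduces the naive behaviour (every marking becomes an
    Attribute tag); deduplicate=True drops tags the Event already carries.
    """
    objects = {obj["id"]: obj for obj in bundle["objects"]}
    tags = marking_tags(bundle)
    report = next(obj for obj in bundle["objects"] if obj["type"] == "report")
    event_tags = resolve(report.get("object_marking_refs", []), tags)

    attributes = []
    for ref in report.get("object_refs", []):
        obj = objects.get(ref)
        if obj is None or obj["type"] != "indicator":
            continue
        attribute_tags = resolve(obj.get("object_marking_refs", []), tags)
        if deduplicate:
            # The Event tag already applies implicitly to every Attribute.
            attribute_tags = [tag for tag in attribute_tags if tag not in event_tags]
        attributes.append({"value": obj["pattern"], "tags": attribute_tags})

    return {"info": report["name"], "tags": event_tags, "attributes": attributes}


if __name__ == "__main__":
    for label, flag in (("naive", False), ("deduplicated", True)):
        event = convert(BUNDLE, deduplicate=flag)
        print(label, event["tags"], [a["tags"] for a in event["attributes"]])
```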

Chg

  • [poetry] Updated lock file with latest versions
  • [poetry] Latest version
  • [stix2 export] Cleaner STIX 2.x object IDs handling

Fix

  • [stix2 import] Deduplication of the Event tags that were also added to Attributes
  • [stix2 import] Removed unused methods
  • [stix2 import] Avoid returning an error message for marking-definition refs not parsed
  • [stix2 export] Cleaner code
  • [stix2 import] Differentiating the network traffic mapping to use when parsing indicators

misp-stix v2.4.193 - Finalised the Observed Data and Observable objects Converter

21 Jun 13:18
ac98494

[v2.4.193] - 2024-06-06

Included in this release

  • The Observed Data & Observable objects Converter is now finalised as a separate converter and the branch containing the changes is now merged
    • Including some major improvement on the Observable objects conversion to MISP, such as:
      • standalone Observable objects are now correctly parsed
      • long lists of Observables referenced by - or contained in - a single Observed Data object, with no specific meaning are now correctly handled and parsed as separate objects even though they are now strictly respecting the Observable objects format specification
    • Observable objects mapping improved

Add

  • [tests] Tests for Email Message objects - and references - import from STIX 2.x
  • [stix2 import] Updated the STIX 2.x Email objects mappings
  • [stix2 import] Added organisation_uuid argument to use to generate the custom clusters UUID
  • [tests] Tests for Autonomous System observable objects with observed data import from STIX 2.x
  • [stix2 import] Parsing Observed Data with Autonomous System observable objects from converters

Chg

  • [poetry] Bumped latest version in lock file
  • [poetry] Updated version
  • [tests] Updated tests for domain-ip objects import from STIX 2.1 to cover specific cases with UUIDs handling
  • [stix2 import] Adding source information to the custom Galaxy Clusters imported from STIX 2.x objects
  • [stix2 import] Using the file observable references parsing method to convert v2.0 observable objects
  • [stix2 import] Making the network-traffic objects parsing more generic
  • [stix2 import] Simplify loading JSON files
  • [stix2 import] Added generic conversion methods for observable objects associated to observed data objects imported as MISP objects
  • [tests] Deduplicating existing tests for external directory observable objects

Fix

  • [stix2 import] Making Python 3.8 & 3.9 happy with the typing
  • [stix2 import] Post Observed Data Converter merge clean up and reassembling
  • [stix2 import] Merged missing conflicts
  • [stix2 import] Fixed UUID handling for email object attributes parsed from email-message references
  • [stix2 import] Fixed domain-ip objects UUID handling
  • [stix2 import] Handling domains resolving other domains with object references
  • [stix2 import] Removed unnecessary intermediary method
  • [stix2 import] Avoiding domain-name observable objects to be skipped because they're referenced by another domain-name object
  • [stix2 import] Fixed domain-ip attributes UUIDs handling
  • [stix2 import] Fixed domain-ip object attributes handling as _sanitise_attribute_uuid already returns a dict with the uuid key included
  • [stix2 import] Fixed _observable variable name
  • [stix2 import] Protocols error message made clearer
  • [tests] Better UUID tests for objects imported from STIX 2.x Network Traffic Observable objects
  • [stix2 import] Better internal http-request objects import from Observable objects
  • [stix2 import] Better handling of attributes uuid for values converted from internal Network Traffic Observable objects
  • [stix2 import] Fixing the internal STIX2 Network Traffic Observable objects and references IDs handling
  • [stix2 import] Fixed Network Traffic Observable objects from internal STIX 2.x content parsing
  • [stix2 import] Fixed STIX 2.0 Network Traffic Observable objects parsing
  • [stix2 import] Added missing protocol_attribute property in STIX2Mapping parent class
  • [stix2 import] Better handling of internal Galaxy & Cluster description
  • [stix2 import] Updated Network Traffic observables objects mapping to MISP objects
  • [stix2 import] Importing Network Traffic observable objects referenced by external Observed Data objects with the network-traffic generic MISP object template
  • [stix2 import] Fixed email message objects parsing
  • [stix2 import] Invalid typehint
  • [stix2 import] Avoid running git process
  • [stix2 import] No longer require to exclude patterns with 'AND' and 'OR'
  • [stix2 import] Avoiding issues introduced since we updated the observables fetching method
  • [stix2 import] Avoiding issues with the internal STIX 2.1 Autonomous System observable objects fetching method
  • [stix2 import] Making the multiple observables fetching method available to both internal and external STIX 2 Observed Data object converters
  • [stix2 import] Avoiding issues with ssdeep hash type in STIX 2.0 external content
  • [stix2 import] Updated pe object mapping with the compilation-timestamp attribute
  • [stix2 import] Better STIX 2.0 windows-pebinary-ext within File observable object handling
  • [stix2 import] MISP object references handling method name
  • [stix2 import] Error exceptions handling method name
  • [stix2 import] Fixed the MISP object reference duplicates checking
  • [stix2 import] Deduplication of MISP object references
  • [stix2 import] Fixed File PE extension parsing method name to avoid confusion with the generic method used then from the observable objects converter class
  • [stix2 import] Avoiding issues with observables references, by keeping track of each reference within a single STIX 2.0 observed data objects list
  • [stix2 import] Returning MISPAttributes in some generic observable objects conversion methods
  • [stix2 import] Fixed wrong variable name for a MISP object meta fields check
  • [tests] Fixed tests for external STIX 2.x SDOs imported as Galaxy Clusters following the recent add of the organisation_uuid argument
  • [stix2 import] Setting single_event when parsing a bundle with a single report/grouping, to avoid issues raised with multiple reports/groupings handling methods
  • [stix2 import] Fixed the case with multiple events as result
  • [stix2 import] In the end we have to parse the Sighting & Opinion objects and convert them as MISP Sighting when they are used
  • [stix2 import] Fixed relationships handling between sighting & opinion objects, and their references
  • [stix2 import] Fixed MISP Sightings handling
  • [stix2 import] Removed unused import
  • [stix2 import] Avoiding issues with STIX 2.x content coming from a TAXII collection or embedded into a single list instead of a Bundle
  • [stix2 import] Removed unused import & added missing blank lines to make pep8 happy
  • [stix2 import] Added the missing sorting statement for observable objects types passed to match mapping
  • [stix2 import] Clearer observable objects mapping handling in the observed data conversion methods
  • [stix2 import] Reusing the STIX 2.1 observable objects fetching method
  • [stix2 import] Setting MISP objects timestamp with the datetime value instead of an int
  • [stix2 import] Fixed AttributeError with method from parent conversion class
  • [tests] Passing observable ids instead of objects themselves for some tests that only need to know about ids
  • [tests] Testing MISP Object comment when its uuid is v5
  • [stix2 import] Added observed data id as comment for misp objects converted from STIX 2.0 when it has a v5 uuid
  • [stix2 import] Some typings fixed
  • [stix2 import] Quick reordering to allow more reusability
  • [stix2 import] Avoiding issues with marking definitions referenced but not present in a file
  • [stix2 import] Better tags from indicators parsing & simplified the tags handling method
  • [stix2 import] Some methods deduplication between main parser & converters
  • [stix2 import] Yield syntax
  • [stix2 import] Copy-paste typo
  • [tests] Quick fix on the created or created_time field from a process observable object
  • [stix2 import] Avoid future potential issues with object names in generic conversion methods
  • [stix2 import] Quick fix in the Process observable objects associated with Observed Data objects conversion method
  • [stix2 import] Utilising the newly added environment-variables attribute to properly import the environment variables & arguments of a STIX 2.x process object
  • [stix2 import] Updated typings
  • [stix2 import] Typo on the generic observable object parsing method to call
  • [stix2 import] Deduplication in the STIX 2.1 Directory objects parsing
  • [stix2 import] Removed duplicated MISP Attribute dict creation methods
  • [stix2 import] Better handling of generic observable object parsers
  • [stix2 import] Quick clean-up on some observed data method arguments
  • [stix2 import] Fixed Observable objects types mapping
  • [stix2 import] Better overall UUID sanitation & comments handling for MISP attributes creation
  • [tests] Removed spec_version fields in STIX 2.0 samples
  • [stix2 import] Properly calling the UUID sanitation method
  • [stix2 import] Removing unused variable in marking definitions parsing
  • [stix2 import] Fixed directory observable objects parsing method header
  • [tests] Added missing tests for directory path attribute types
  • [stix2 import] Reuse of the method parsing Directory observable objects with an id field
  • [stix2 import] Using the AS value parsing method for an AS value that was missing it
  • [stix2 import] Fixed directory mapping
  • [stix2 import] Quick pep8 clean-up
  • [stix2 import] Fixed the converters composition
  • [tests] A tiny clarification change
  • [stix2 import] Observable objects fetcher moved to the parent class as it will be reused for internal & external conversion
  • [stix2 import] Quick syntax fix

Wip

  • [tests] Tests for domain-ip objects import from external STIX 2.x
  • [tests] Tests for Network Traffic Observable objects imported from external STIX 2 bundles as network-traffic objects
  • [stix2 import] Better conversion of Network Traffic references observable objects
  • [stix2 import] Parsing Network Traffic Observable objects referenced in Observed Data from the Observed Data Converter
  • [stix2 import] Parsing EmailMessage observable objects from Observed Data converter
  • [stix2 import] Reusing EmailMessage observable parsing method
  • [stix2 import] Parsing DomainName ...

misp-stix v2.4.188 - Supporting the ACS markings

21 Jun 13:08
f531a2c

v2.4.188 - 2024-03-21

Included in this release:

  • Support of the ACS markings
    • Conversion of the Marking Definition object to a custom Galaxy Cluster, with an extraction and flattening of the complete ACS extension definition into the Cluster meta field
    • Extraction of a set of fields and values as Tags to provide a way to search existing MISP Events and Attributes based on those tags

Chg

  • [poetry] Bumped lock file with latest versions
  • [package] Bumping new version

Fix

  • [stix2 import] Centralised the cluster creation in one single place and added the meta parsing as galaxy elements statement
  • [stix2 import] Storing the galaxy args
  • [stix2 import] Using the _add_misp_object helper that already handles tags and other stuff related to a MISP object and its attributes
  • [stix2 import] Added missing collection_uuid value to the ACS marking clusters
  • [stix2 import] Some typing and pycodestyle issues fixed
  • [stix2 import] Fixed ACS marking parsing
  • [stix2 import] Fixed variable assignment typo & storing of the acs marking clusters raising issues

Wip

  • [stix2 import] Adding a set of tags alongside with the Galaxy Clusters converted from ACS markings
  • [stix2 import] Attaching ACS markings as galaxies to the referenced data layer (attribute or event)
  • [stix2 import] First shot of an ACS marking parsing method
  • [stix2 import] Preparing for an update on marking definitions parsing

misp-stix v2.4.186 - STIX 2.x import to MISP improved

21 Jun 09:48
0428b4a

v2.4.186 - 2024-02-27

Add

  • [stix2 import] Added organisation_uuid argument to use to generate the custom clusters UUID

Chg

  • [package, poetry] New version
  • [poetry] Bumped latest versions

Fix

  • [tests] Fixed tests for external STIX 2.x SDOs imported as Galaxy Clusters following the recent add of the organisation_uuid argument
  • [stix2 import] Avoiding issues with Marking Definition objects that are parsed and handled directly when they're loaded
  • [stix2 import] Setting single_event when parsing a bundle with a single report/grouping, to avoid issues raised with multiple reports/groupings handling methods
  • [stix2 import] Fixed the case with multiple events as result
  • [stix2 import] In the end we have to parse the Sighting & Opinion objects and convert them as MISP Sighting when they are used
  • [stix2 import] Fixed relationships handling between sighting & opinion objects, and their references
  • [stix2 import] Fixed MISP Sightings handling
  • [stix2 import] Avoiding issues with STIX 2.x content coming from a TAXII collection or embedded into a single list instead of a Bundle

misp-stix v2.4.185 - Some mapping fixed, and better handling of the object references when the referenced object is not provided

21 Jun 09:47
b8b8b74

v2.4.185 - 2024-02-16

Chg

  • [poetry] Bumped latest dependencies versions
  • [poetry, package] Set latest version

Fix

  • [stix2 import] Yield syntax
  • [stix2 import] Fixed Observable objects types mapping
  • [stix2 import] Removing unused variable in marking definitions parsing
  • [stix2 import] Using the AS value parsing method for an AS value that was missing it
  • [stix2 import] Fixed directory mapping
  • [stix2 import] Fixed the converters composition
  • [stix2 import] Avoiding issues with marking definitions referenced but not present in a file

misp-stix v2.4.183 - Various import features fixed and improved

21 Jun 09:43
daaee3a

v2.4.183 - 2024-01-04

Add

  • [stix2 import] Handling clusters sharing group id for content converter from external STIX 2.x
  • [stix2 import] Added cluster distribution argument to the external STIX 2 to MISP parser
  • [tests] Tests for internal STIX 2.x content with custom labels

Chg

  • [poetry] Bumped latest deps versions and lock file
  • [stix2 import] Handling external ids and synonyms from STIX 2.x objects imported as MISP Galaxy Clusters
  • [poetry] Updated pyproject & bumped lock file
  • [tests] Updated STIX 2.x internal samples to match the recent changes on STIX 2.x export capacity
  • [poetry] Bumped latest dependencies and versions

Fix

  • [stix2 import] Separating the synonyms and external ids handling
  • [stix2 import] Added missing imports for Observed Data Converters
  • [tests] Fixed tests for galaxy and their clusters following recent changes on the synonyms and external ids handling
  • [requirements] Updated the requirements list with no specific version
  • [tests] Fixed tests to avoid issues with aliases
  • [stix2 export] Fixed meta fields parsing for STIX objects having meta fields mapping
  • [stix2 export] Fixed the external references parsing from Clusters meta fields
  • [tests] Aligning test sample on tags with the tag name of the recently changed attack pattern cluster sample to keep testing the non duplication of the tag name with tags
  • [tests] Making the automated documentation generation specific to the related test Classes instead of making it run for each testing class tear down
  • [documentation] Fixed and regenerated documentation for Galaxy Clusters export to STIX 2.x
  • [documentation] Fixed and regenerated galaxies export documentation
  • [documentation] Regenerated documentation
  • [documentation] Changes in galaxies documentation, based on the cluster name changes
  • [tests] Fixed tests on cluster values
  • [stix2 export] Removing external id from all Galaxy Cluster values
  • [tests] Quick code style clean-up
  • [stix2 import] Quick clean-up
  • [stix2 import] Added missing cluster distribution argument
  • [stix2 import] Fixed issues with protocols and references from network traffic observable objects
  • [stix2 import] Cleaned up the unused parsing methods for internal STIX 2.x content, as they've been moved to the converters
  • [stix2 import] Avoiding issues with custom labels
  • [stix2 import] Some clean-up and better 'observable object id VS observed data id' handling
  • [stix2 import] Making the user account extension mapping name compliant with the generic observable objects parsing method
  • [tests] Fixed tests following recent changes including the observed data objects conversion, as well as some better UUID handling
  • [stix2 import] Fixed generic & user-account observables conversion
  • [stix2 import] Fixed domain-ip objects import from internal STIX 2.x
  • [stix2 import] Fixing a few tiny issues
  • [stix2 import] Fixed a few typos in variable names and indentation issues
  • [stix2 import] Added missing argument for email references observables parsing
  • [stix2 import] Fixed Network Traffic references id handling

Wip

  • [stix2 export] Better handling meta fields, and the synonyms in particular
  • [stix2 import] Supporting TLP 2.0 Marking definition
  • [stix2 import] Updated the observable objects conversion capacity to support the reusability between standalone observable objects and observable objects referenced by observed data objects
  • [stix2 import] Added Observed Data objects converter
  • [stix2 import] Reusing elements from mapping
  • [stix2 import] Parsing PE binary extensions within File observable objects
  • [stix2 import] Some clean-up

misp-stix v2.4.182 - Improvement on the import of STIX 2.x objects as Galaxy Clusters

21 Jun 09:20
260920b

v2.4.182 - 2023-12-14

Add

  • [stix2 import] Handling clusters sharing group id for content converter from external STIX 2.x
  • [stix2 import] Added cluster distribution argument to the external STIX 2 to MISP parser
  • [tests] Tests for internal STIX 2.x content with custom labels
  • [tests] Added a resource_level attribute to the tests for intrusion-set objects export as STIX 2.0 & 2.1
  • [documentation] Regenerated documentation with the latest changes
  • [documentation] Added documentation for intrusion-set objects export as STIX 2.0 & 2.1
  • [tests] Added tests for intrusion-set objects export as STIX 2.0 & 2.1
  • [stix2 export] Exporting intrusion-set MISP objects to STIX 2.0 & 2.1

Chg

  • [poetry, package] Bumped latest versions

Fix

  • [stix2 import] Some quick clean-up
  • [stix2 import] Added missing cluster distribution argument
  • [stix2 import] Avoiding issue with custom labels
  • [stix2 import] Avoiding issues with custom labels
  • [stix2 import] Added missing entry for identity objects in the conversion mapping
  • [stix2 import] Fixed identity objects import conversion
  • [stix2 import] Making sure the Location object has a region field before calling it to define a Galaxy Cluster value
  • [stix2 import] Fixed Location objects conversion when it should be converted to country or region Galaxy Cluster
  • [stix2 import] Fixed wrong Location object field
  • [stix2 import] Removed unnecessary mapping layer
  • [stix2 import] Some clean-up
  • [stix2 import] The ObservedData converter is not ready yet
  • [stix2 import] Added intrusion-set to the STIX 2.x objects conversion mapping to MISP
  • [documentation] Updated description of STIX 2 objects exported from Galaxy clusters
  • [documentation] Fixed documentation for intrusion-set objects export as STIX 2.0 & 2.1
  • [tests] Removed debugging print
  • [tests] A simple clean-up on a MISP event sample definition
  • [stix2 import] Cleaned up unnecessary mapping
  • [stix2 import] Fixed inheritance between the Observable object conversion classes

Wip

  • [tests] Tests for identity objects import from STIX 2.x
  • [tests] Tests for person object import from internal STIX 2.x
  • [stix2 import] Converting person objects from Internal STIX 2.x Identity objects
  • [stix2 import] Converting STIX 2.x Identity objects from converters
  • [stix2 import] Importing MISP annotation objects from STIX 2.1 Note objects
  • [stix2 import] Parsing STIX 2.x Custom objects from converters
  • [stix2 import] Converting STIX 2.x Location objects from converters
  • [stix2 import] Converting STIX 2.x Vulnerability objects from converters
  • [stix2 import] Parsing STIX 2.x Tool objects from converters
  • [stix2 import] Parsing STIX 2.x Threat Actor objects from converters
  • [tests] Tests for intrusion-set object import from STIX 2.x
  • [stix2 import] Converting Intrusion Set objects from the converters side
  • [stix2 import] Converting Campaign objects from the converters
  • [stix2 import] Converting Course of Action objects from converters & cleaned up a few no longer used parsing methods that are now supported in converters too
  • [stix2 import] Using a generic STIX 2 objects parsing method