misp-stix 2026.3.13 - Indicator & Observable Fingerprinting, plus broad improvements across import & export features

@chrisr3d chrisr3d released this 16 Mar 09:55
· 58 commits to main since this release
65d7832

misp-stix v2026.3.13 Release Notes


New major feature: Indicator & Observable Fingerprinting

  • New matching system that links STIX Indicators with Observable objects by comparing pattern values against observable fields
  • When an indicator describes the same data as an observable (e.g., file hashes in a pattern matching a full file observable), the to_ids flag is set on the resulting MISP attributes
  • Indicator IDs stored in attribute comments for traceability
  • Separate implementations for internal (MISP-generated) vs external (third-party) STIX content
  • Deterministic v5 UUID generation based on content values for consistent attribute identification
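
To illustrate the matching described above, the following added example (not misp-stix's own code) reduces a STIX pattern and an observable object to comparable (type, path, value) triples, sets to_ids on the fields a matching indicator covers, records the indicator ID in the comment and derives a v5 UUID from the content. The namespace UUID, the string fed to uuid5, the hash normalisation, the per-field to_ids choice and all sample objects are assumptions constructed for the example.

```python
import re
import uuid

# Hypothetical namespace: the namespace and fields misp-stix really hashes
# are not given in these release notes.
EXAMPLE_NAMESPACE = uuid.UUID("00000000-0000-4000-8000-000000000001")

# One equality test: type:path = 'string'  or  type:path = integer
_COMPARISON = re.compile(
    r"([a-z0-9-]+):([A-Za-z0-9_.'\-\[\]]+)\s*=\s*('(?:[^'\\]|\\.)*'|-?\d+)"
)


def _normalise(obj_type, path, value):
    """Bring pattern-side and observable-side values to one comparable form."""
    path = path.replace("'", "")
    if path.startswith("hashes."):
        # 'SHA-256' and 'sha256' name the same algorithm (assumed normalisation).
        algo = path.split(".", 1)[1].upper().replace("-", "")
        # Hex digests are case-insensitive; fuzzy hashes such as ssdeep are not.
        if re.fullmatch(r"[0-9A-Fa-f]+", value):
            value = value.lower()
        return obj_type, f"hashes.{algo}", value
    return obj_type, path, value


def pattern_fingerprint(pattern):
    """Triples tested by a pattern, or None when it is not a plain AND of
    equality tests (OR, NOT, LIKE, ... cannot be matched by value alone)."""
    residue = re.sub(r"\bAND\b|[\[\]\s]", "", _COMPARISON.sub("", pattern))
    triples = set()
    for obj_type, path, raw in _COMPARISON.findall(pattern):
        if raw.startswith("'"):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \' and \\ escapes
        triples.add(_normalise(obj_type, path, raw))
    return triples if triples and not residue else None


def observable_fingerprint(observable):
    """Flatten an observable object into the same triple form."""
    triples = set()

    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                walk(val, path + [key])
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, path[:-1] + [f"{path[-1]}[{i}]"])
        else:
            triples.add(_normalise(observable["type"], ".".join(path), str(node)))

    for key, val in observable.items():
        if key not in ("type", "id", "spec_version"):
            walk(val, [key])
    return triples


def to_attributes(observable, indicators):
    """MISP-attribute-like dicts for one observable and its candidate indicators."""
    obs_fp = observable_fingerprint(observable)
    refs = {triple: [] for triple in obs_fp}
    for indicator in indicators:
        ind_fp = pattern_fingerprint(indicator["pattern"])
        # Linked only when every value the pattern tests is in the observable.
        if ind_fp and ind_fp <= obs_fp:
            for triple in ind_fp:
                refs[triple].append(indicator["id"])
    attributes = []
    for (obj_type, path, value), ids in sorted(refs.items()):
        attributes.append({
            # Same content always yields the same UUID (assumed input string).
            "uuid": str(uuid.uuid5(EXAMPLE_NAMESPACE, f"{obj_type}:{path}={value}")),
            "object_relation": path,
            "value": value,
            "to_ids": bool(ids),  # assumption: only fields covered by a pattern
            "comment": "Indicator ID: " + ", ".join(sorted(ids)) if ids else "",
        })
    return attributes


# Constructed sample data, not taken from any real feed.
SAMPLE_FILE = {
    "type": "file", "id": "file--00000000-0000-4000-8000-0000000000f1",
    "spec_version": "2.1", "name": "invoice.exe", "size": 1024,
    "hashes": {"SHA-256": "ab" * 32},
}
SAMPLE_INDICATORS = [
    {"id": "indicator--00000000-0000-4000-8000-00000000000a",
     "pattern": "[file:hashes.'SHA-256' = '" + "AB" * 32 + "']"},
    {"id": "indicator--00000000-0000-4000-8000-00000000000b",
     "pattern": "[file:hashes.MD5 = '" + "00" * 16 + "' AND file:name = 'invoice.exe']"},
    {"id": "indicator--00000000-0000-4000-8000-00000000000c",
     "pattern": "[file:name = 'invoice.exe' OR file:name = 'other.exe']"},
]

if __name__ == "__main__":
    for attribute in to_attributes(SAMPLE_FILE, SAMPLE_INDICATORS):
        print(attribute)
```

Only the first sample indicator links to the observable: the second tests an MD5 value the observable does not carry, and the third uses OR, which this sketch refuses to match by value.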

Dual Indicator + Observed Data Export

  • MISP attributes/objects with to_ids=True now generate both an Observed Data object AND an Indicator (with STIX pattern), linked by a relationship
  • Removed the to_ids label from exported STIX objects for cleaner output
  • Default to_ids values applied per attribute type
  • Proper deduplication of relationships between indicators and observed data
  • Deterministic relationship object IDs (no longer entirely random)

New MISP Object Types coverage

  • artifact object: import from STIX Artifact observables and indicators (payload_bin support), and export back to STIX
  • malware object: export to STIX 2.x Malware SDO
  • malware-analysis object: export to STIX 2.1 MalwareAnalysis SDO
  • http-request object: import from network-traffic observables with HTTP request extensions

ACS Marking Definition Support

  • Import: STIX 2.1 ACS marking extension definitions converted to MISP Galaxy Clusters (grouped in a single Galaxy)
  • Export: Custom ACS marking Galaxy Clusters converted back to STIX 2.1 Marking Definitions (and STIX 2.0 custom marking objects)
  • Proper handling of multiple further_sharing rules
  • Marking definitions referenced in Report/Grouping object_refs are properly handled
  • Tags from marking definitions correctly attached to the resulting MISP Event

Enhanced STIX 2.x Indicator Pattern Parsing

Comprehensive parsing improvements for:

  • x509 certificates (improved hash property handling)
  • Processes
  • Registry keys (proper value parsing with list index support)
  • Email messages
  • Domain-name + IP combinations (proper domain-ip object or domain attribute conversion)
  • Autonomous systems
  • Socket extensions
  • Network traffic and network connections
  • MAC addresses
  • Mutex objects
  • PE extensions
  • Artifact payload_bin

Unreferenced Objects Handling

  • STIX objects not referenced in any Report or Grouping are now properly parsed and converted

Identity Object Fixes

  • Fixed conversion for Identity objects back to legal-entity, news-agency, and person MISP objects

Architecture & Code Quality

  • New AbstractParser base class for shared error/warning tracking across all parsers
  • Internal vs external STIX 2 handling properly separated at converter level
  • Default MISP event validation before export
  • Modern Python 3.10+ typing (| union syntax)
  • Sightings and data analyst references properly handled for attributes and objects converted to both indicator and observed data

Testing

  • Comprehensive new test suites for indicators converted to MISP attributes and objects
  • Tests for standalone observable objects with related indicators
  • Tests for observed data with related indicators
  • Tests for large batches of multiple observable objects
  • ACS marking definition tests
  • Unreferenced objects handling tests
  • Consistent UUID usage across all test samples for reproducible documentation generation

Detailed Changelog

349 commits since v2026.2.12 (~10 months of development), 120 files changed, ~89k insertions, ~48k deletions.

New Features

STIX 2 Import

  • Parsing MAC address indicators (3cd5eb5)
  • Converting external network-traffic observables with HTTP request extension as http-request MISP object (31d427d)
  • Handling marking references for STIX 2 SDOs imported as Galaxy Cluster (c5d217e)
  • Handling marking definitions referenced in report or grouping object_refs (3ebc7ea)
  • Handling tags from marking definition extensions attached to the resulting MISP Event (ce1fd1f)
  • Storing IDs of STIX objects not referenced in any grouping or report (fe178a0)
  • Parsing artifact payload_bin from Artifact objects and indicators (18fe315)
  • Added artifact indicator conversion method (f4b58b5)
  • Added missing network_connection_pattern_mapping for Internal STIX indicators (062888d)
  • Added possibility to parse multiple STIX objects having potential contextual fields while adding an Attribute (69213b3)
  • Methods to check links between indicator patterns and observable objects (ac1b1bd)

STIX 2 Export

  • Converting malware objects to STIX 2.x (6ea4151)
  • Converting malware-analysis object to STIX 2.1 (55237be)
  • Converting ACS Marking custom Galaxy Cluster to STIX 2.1 Marking Definition (6ac9db2)
  • Converting custom ACS marking Galaxy Clusters to STIX 2.0 custom marking objects (b8c5469)
  • Converting attributes with to_ids flag as both Indicator + Observed Data (09c59d3)
  • Converting MISP objects to Observable objects + extracting to_ids attributes to generate Indicators (099b600)
  • Converting network-socket & process objects to both Observed Data & Indicator (d0a720e)
  • Handling references for populating reference fields instead of generating relationship objects (a610ed0)

Tests

  • Unit tests for indicators converted to MISP Attributes (01b0af8)
  • External STIX 2.0 & 2.1 Indicator samples (29ec46c, e38226d)
  • Tests for STIX 2.0 & 2.1 Indicators converted to MISP Objects (523bdae, bc352df, acf8ca8)
  • Tests for standalone Observable objects and related Indicators (7cc5f55)
  • Tests for STIX 2.0 & 2.1 Observed Data and related Indicators (88a086c, 04f2228)
  • Tests for large batches of multiple STIX 2.0 & 2.1 observable objects (ef9a065, 9d69583)
  • Tests for ACS Marking Definition extension objects (985a6a7)
  • Tests for unreferenced objects handling (611dcb3)
  • Additional unittests for attributes converted from observable objects (408a719)
  • Tests for standalone Network Traffic Observable objects from STIX 2.1 (d77c5a3)
  • Tests for Observable objects import from STIX 2.1 (29b3668)
  • Generating Bundles with single Observed Data containing all Observable objects (ad616b1)

Changes

STIX 2 Import

  • Splitting Grouping & Report objects from the rest while loading STIX Bundles (a81aaec)
  • Clarification of relationship type for domain name references (2f0b359)
  • Created abstract parent class for all parsers (9b90d49)

STIX 2 Export

  • Making Relationship object IDs deterministic (no longer entirely random) (eada035)
  • Using Attribute validation method from pymisp tools (1aae965)
  • Removed labels mentioning the to_ids flag (96e7915)
  • Using property to reach the relationships storage variable (b37aeca)
  • Simplified typings; comprehension dicts/lists for for loops (8b9c437)
  • Default MISP event validation before export (1e0e39d)

Tests & Documentation

Package

  • New version (65d7832)
  • Updated submodules to latest version (3c59612)
  • Bumped poetry lock file with latest versions (1a587f8)

Bug Fixes

STIX 2 Import — Indicator Pattern Parsing

  • Properly parsing x509 indicators with hash property handling (48402c8)
  • Properly parsing process indicators using attribute handling method (3cdbcaf)
  • Properly parsing registry key values with list index support (c958bbf)
  • Fixed pattern parser to keep indexes for lists of embedded values (672b36d)
  • Properly parsing socket-ext patterns (e938056)
  • Properly parsing network-socket and network-traffic (6ca073b)
  • Better parsing mutex indicators (fd03b7b)
  • Better parsing PE extension from file indicators (a2d1890)
  • Properly parsing email-message patterns for email objects (518a9e1)
  • Fixed domain-name and IP pattern handling for domain-ip Object or domain Attribute (277a9d6)
  • Fixed autonomous-system pattern parsing (e5fb1ba)
  • Fixed file hashes mapping for indicators conversion (777bfee)

STIX 2 Import — Observable Objects

  • Fixed conversion for Identity objects back to legal-entity, news-agency & person MISP objects (29ec2dc)
  • Fixed undefined variable when parsing IP addresses in AS observable objects (5642edf)
  • Properly handling email address observable objects referenced by email messages (2bb68b3)
  • Properly handling Observable objects referenced by Network Traffic objects (69dcb8c)
  • Properly handling multiple observable objects (bdb3b04)
  • Fixed STIX 2.0 multiple Observable objects fetching from Observed Data (835256c)
  • Better embedded observable objects references handling (fdf149e)
  • Properly parsing creator_user_ref from registry key observable objects (f31909b)
  • Harmonised file Observable objects conversion between converters (d0aa438)
  • Made directory Observable objects conversion more straightforward (5874fcc)
  • Properly parsing email-message observable objects fields and references (4320793)
  • Properly parsing email-address with display name support (1836da4)
  • Fixed DomainName observable objects conversion from STIX 2.0 Observed Data (dae1014)
  • Parsing artifact payload refs in network traffic observable objects (2e24b7b)
  • Avoiding duplicated parsing of Observable objects referenced by email messages (39e4e18)
  • Avoiding observable objects in Observed Data being fetched in random order (b7c12c0)

STIX 2 Import — Indicator References & Fingerprinting

  • Properly setting to_ids flag and other fields for AS name (9dc754d)
  • Making sure to check AS number value as described in observable objects (dd4f465)
  • Properly checking indicator references with composite attribute values (bd6774c)
  • Avoiding self-referencing objects when converted from both observed-data and indicators (96bd8cc)
  • Better storing indicator references for internal STIX 2 content (425259f)
  • Fixed indicator reference fetching for observable objects conversion (c4c8ff2)
  • Splitting methods to child classes for internal vs external indicator references (b18736e)
  • Fixed indicator reference for standalone observable objects (15419d4)
  • Harmonisation of fields used to generate v5 UUIDs (9bbe81f)
  • Fixed UUID generation for observable objects conversion as MISP Attributes (313d87c)

STIX 2 Import — General

  • Generic method to handle object attributes (9a4ff27)
  • Properly handling Object Attributes with data field (3ef85c5)
  • Importing labels as tags only for internal STIX content (10896c9)
  • Preserving order of STIX objects not referenced in a report/grouping (3b3bab0)
  • Making sure adding tags to an Attribute does not reset the timestamp (3bcce9b)
  • Attaching labels to Object Attributes as tags (78f7c6d)
  • Avoiding issues with Attribute uuid field being a dict (6f4403e)
  • Better loading and unreferenced objects handling (a2244ee)
  • Properly handling conversion from internal Observed Data to MISP Attributes (fc82fa4)
  • Skipping parsing indicators alone when they should be handled alongside observables (423688b)
  • Fixed typing for objects converted as Galaxy Cluster (bcd2806)
  • Cleaned up attribute uuid sanitation method (c6f3f96)

STIX 2 Import — ACS Markings & Galaxy Clusters

  • Attaching ACS Marking Clusters in a single Galaxy instead of replicating (0c52c6e)
  • Better formatting for datetime values in custom Galaxy Cluster meta fields (56e3740)
  • Making sure all datetime fields in meta are properly formatted (baab692)
  • Better handling of multiple further_sharing rules (a9a79fd)
  • Converting created & modified to Galaxy Cluster meta equivalent fields (6843212)
  • Storing right datetime format for created and modified from STIX 2.x objects in Clusters (be528ab)
  • Using actual ID fields to set custom ACS marking Galaxy & Cluster (350b94e)
  • Reordered methods to attach tags from marking definitions (babab9c)

STIX 2 Export

  • Avoiding issues with missing protocols in Network Traffic (9b02ae9)
  • Properly handling values used in STIX patterns (83e1d35)
  • Attack Pattern fields don't need to be escaped as STIX patterns (ebd824b)
  • Removed character escaping for patterning language objects (bfb1f9d)
  • Properly handling sightings and analyst data for attributes/objects converted to both indicator and observed data (a7a14d5)
  • Using registry-key value sanitation for registry-key values (6db1ff6)
  • Using default to_ids value (d6555e5)
  • Avoiding duplication of relationships (e305751)
  • Avoiding issues with pe and pe-section objects conversion (2a76116)
  • Removed duplicated relationships between indicators and observed data objects (ff02313)
  • Properly converting PE objects and sections to both Observed Data and Indicator (e577549)
  • Fixed datetime fields handling for Indicators (6bc1e6e)
  • Avoiding issues with missing STIX object type field (95d339c)
  • Avoiding issues with non existing variable (9bb8050)
  • Better handling of datetime values from Clusters meta fields (28e7d9e)
  • Better conversion of the ACS extension definition (6dccad7)
  • Making sure meta field values supposed to be single are converted as single values (d6d6774)
  • Avoiding issues with empty object_refs in STIX 2.0 Custom Event Report (e8acbb8)
  • Properly handling potential created & modified from galaxy clusters meta (0cdc947)
  • Setting datetime.now (UTC) as fallback when timestamp is missing (6ba4f18)
  • Improving categorisation of MISP JSON content for the right conversion method (275dbf1)
  • Avoiding issues with UTC method from datetime library (30d4fa8)
  • github-username attribute parsing method name fix (76d7db3)
  • Reverted changes on port, size-in-bytes, and http-method attribute conversion (95ba0e9, abe4192)
  • Removed unwanted prints (470f34e)

STIX 1 Export

  • Supporting recent changes from the abstract parent class introduction (49b7046)

Tests

  • Updated STIX 1 export tests for recently added hash attribute types (91878db)
  • Updated tests for STIX object labels generation changes (89ebdf7)
  • Updated internal STIX 2.0 & 2.1 Bundle samples for recent export changes (c5e8e48, 5b8eb83)
  • Updated test samples for Internal STIX 2.0 & 2.1 conversion (75c9c10, 6f5f8fa)
  • Fixed tests for annotation objects export to STIX 2.1 (e1c6780, 377dffd)
  • Fixed tests for analyst data export to STIX 2.0 (1188558)
  • Fixed tests for validated MISP content export to STIX 2.0 (a76a610)
  • Fixed tests for campaign galaxies import including created & modified meta fields (7391212)
  • Various test fixes, alignments, and UUID consistency updates across all test suites

Poetry / Dependencies

  • Making sure we have the latest PyMISP (2c32728)

Additional fixes, refinements and iterative improvements

The changes below were produced during the extensive development and testing cycle for the indicator-observable fingerprinting feature and the other major additions in this release. They include incremental work-in-progress steps, method relocations, typo fixes, merge conflict resolutions, and test alignments that collectively shaped the final implementation.

STIX 2 Import — Indicator References Implementation

  • Reworked the indicator references handling (05f3863)
  • Introducing the indicator references to the observable objects converter methods (a909082)
  • indicator_refs introduced from the top observed data parsing methods (284a6fb)
  • Handling indicator references for more observable types associated with observed data (12cd85e, 8911c85, 4d3fa8f)
  • Dealing with indicator_ref (c53cf1e)
  • Better observables and indicators matchings parsing (7e4fc4b)
  • Experimenting with ways to reference observable objects and patterns (b8d6225)
  • Better handling of indicator references as well as the to_ids flag and UUID generation depending on the presence of an indicator related to an observable object (6077d70)
  • Checking references between indicators and observable objects by value only (c8d83c6)
  • Better way to store matchings between indicators and observable objects (f142b0b)
  • Simplified the indicator id references storing (30ac9ae)
  • Handling cases where an observable object has multiple indicator references (45d4b05)
  • A few fixes on the indicator refs handling (45d737d)
  • Fallback value for indicator_ref is None (f31e92a)
  • Removed unused method and fixed indicator reference(s) argument type (d919ff0)
  • IP observable indicator reference parsing (c88a5a3)
  • Making sure hash types are correctly matched from both observable objects and indicators (95ecc78)
  • Properly looking for indicator reference with AS number (0e9c67f)
  • Making sure we check Autonomous System indicator references with the number value (a99ad5e)
  • Making sure we set the to_ids value when there is no indicator reference (c14f5a8)
  • Changed methods to find indicator references following changes on the way they are stored with the observable types (e4def99)
  • More accurate way to select indicator's references (06816f5)
  • Properly setting observable type argument when checking indicator reference for standalone observable objects (06898a7)
  • Fixed wrong key to get indicator references related to a given Observed Data (7f33c65)
  • Added the observable type argument to check the indicator reference (6917359)
  • Passing the Observable type argument from Observed Data conversion methods (b1e09df)
  • Using the observable type argument (63d3d1e)
  • Moved Indicator references handling method for external STIX 2 where it belongs (bedd487)
  • Splitting Observables conversion methods into the 2 supported cases — internal & external STIX 2 — to have more specific handling of Indicator references (afde8bb)
  • Added missing method and property related to the indicator references (a81c44a)
  • Added missing components and other fixes (4806ad9)
  • Avoiding issues with indicators converter when there is no Observed Data object in the STIX Bundle (b5b1a21)
  • Adapting methods used to handle indicator references in a way that is specific to STIX generated from MISP (57ad05b)

STIX 2 Import — Observable Objects Conversion Refinements

  • Aligning methods to convert standalone observable objects with the methods to convert observable objects referenced by Observed Data (9e0926e)
  • Aligned process observable objects conversion methods between standalone and Observed Data converters (919dcd5)
  • Converting multiple observable object types within Observed Data objects following the same priority order as standalone observable objects (eb06ee0)
  • Observable mapping enriched with additional missing types & order for unparsed observable objects updated based on references (32e7cde)
  • Edited the list of observable types to have the right priority in the parsing order (c5c0efc)
  • Updated Observable objects mapping (2bcf46e)
  • Properly using the Observables conversion methods for Observed Data's Observable objects (f838e84)
  • Reusing the MISP Attribute creation method through the different observable and observed data objects conversion classes (694066a)
  • Fixed name of the method to use to parse observable objects (1a2a71d)
  • Quick observable objects conversion fixes (e2aecc2)
  • Handling MISP object fields in case of an observable object used in multiple MISP objects (fa9c75c)

STIX 2 Import — Attribute & Object Creation Methods

  • Single Attribute creation methods (5431384)
  • Better single Attributes creation (7b193fa)
  • Updates on the generic methods used to populate object attributes (ff1dcd7)
  • Properly handling Object Attributes to convert Indicators back to MISP objects (21a7db3)
  • Indicator converter will have its own method to populate Attributes in Objects (f7f6abe)
  • Indicators converter having its own Attributes creation method (0a7a3d6)
  • Fixed the Attribute dict creation method (2eb8dd7)
  • The latest argument of _populate_object_attribute_with_data is a kwargs (46a6595)
  • Reflecting changes made on _populate_object_attribute_with_data to the latest occurrences where it is called (8c082eb)
  • Reusing and defining Attribute mapping definitions (13b9fe4)
  • Attributes creation method made more flexible to handle mutex observable objects which don't have a value but a name (0599259)
  • Added kwargs to the Attribute UUID sanitation method (67759c4)
  • Passing the display name attribute dict and not the class method from the mapping class (3719b85)
  • Fixed arguments permutation issue (0f128c6)
  • Fixed yield transmitting single value (f4cefa1)
  • Fixed arguments mess in the method to create attributes from observable objects (f0c86f2)
  • Handling the case of multiple values (2716ace)

STIX 2 Import — Domain, Email & Network Fixes

  • Creation of domain-ip objects is consistent with the logic used for every other object (d36e2b1)
  • The domain observable objects conversion method returns single attributes (1a212d9)
  • Parsing domain locally with generic handling method and no longer with specific domain handling method that we removed (0766763)
  • Removed domain observable parsing method which won't be used anymore (fd35408)
  • Network Traffic observables handling method specific for external STIX 2.x (a9ae222)
  • Making sure we reference internally body references in Email Message observable objects so the given objects are not handled multiple times (1a5dd66)
  • Added missing argument in email message Observable objects parsing (834cbaa)
  • Setting UUID for attribute from email-message object references following the same process as for network-traffic object references (b5a0f67)
  • Internally referencing the right object so the right UUID is used later when we see the object was already parsed (3b44a9d)
  • Mapping used to set which conversion method to use fixed for email message observables objects (6eab539)

STIX 2 Import — Registry Key, Marking & Other Fixes

  • Better parsing of registry key values (4d25633)
  • Better parsing of Internal registry-key observable objects (fb78d0a)
  • Fixed registry key values mapping name (714fc16)
  • Using the same mapping name for registry key value objects (596143e)
  • Better Marking Definition handling (d24359f)
  • Also converting the created value of marking definition objects converted to custom ACS marking definition Galaxy Cluster (e206d23)
  • Starting parsing objects not referenced in reports or grouping (9e9728d)
  • Made the STIX objects partitioning and standalone object refs storing specific to the external STIX content parser (8db950e)
  • Restored change on the meta datetime fields that probably was overwritten during a conflict merge (a27f5a1)
  • Avoiding KeyError while fetching observable objects (12abb90)
  • Fixed f-string unmatched character issue due to the use of the inappropriate type of quotes (ef3db88)
  • Avoiding issue with non existing variable (a687b5c)

STIX 2 Import — Code Organisation & Cleanup

  • Moved object or attribute import case method to indicators converter (6c56eeb)
  • Replicating the object attributes handling for attributes we do not know yet if they will be single or in object (06d60dd)
  • Using the indicators converter's _handle_object_attributes specific method (2d8ec10)
  • Quick indicator mapping update (ac3a7b6)
  • Moved some mappings to their appropriate place (5b3c23e)
  • Quick method relocation for clarity (1bed2fe)
  • Moved network traffic and http request handling methods adapted for internal STIX objects to the internal observable conversion class (30f5c6a)
  • Removed confusion in argument name between 2 different methods (bc65637)
  • Splitting methods to child classes to avoid issues with the difference in indicator references structure between internal and external STIX conversion (b18736e)
  • Removed network-connection parsing method (ca59d83)
  • Removed unused method (d306340)
  • Removed duplicated test (5149415)
  • Typo (2251e9d, 8d53d90)
  • Typos and wrong variable name fixed (46eef08)
  • Typo on field used to store attribute converted from observable (eee3c9a)
  • Typos, missing checks and a few other fixes to make the feature branch merge work (ca9fa3d)
  • Fixed a few issues caught only now with the feature branch merged into the standard dev branch (6374e23)
  • Wrong variable name in user-account observable conversion (0d3d52f)
  • Fixed some merge barfing (082b15b)
  • Quick visual fix (5c567b4)

STIX 2 Export — Incremental Fixes

  • Using the right method to extract attributes from objects exported as user-account indicator pattern (e0602f4)
  • Using the appropriate method to extract attributes to convert from regkey objects (93850ed)
  • Making sure we keep the pe object uuid when converting a PE not related to a file object (898b270)
  • Returning Observed Data objects after they're generated from the conversion of a MISP object, so we can handle the relationship with the potential indicator (4fa9428)
  • Using the default relationship type between indicator and observed data (64c0dea)
  • Making sure relationships storage is reset for attributes collections export to STIX 2.x (2d51abe)
  • Propagating changes on the UUID generation & object attributes populating methods (9046c56)
  • Removed the argument to parse killchain from malware objects as it should not have it (1caf7bc)
  • Passing STIX objects dict to the galaxies parsing methods for a more modular handling (22810b4)
  • Passing STIX 2 parsing arguments that were missing (c513530)
  • Removed duplicated method (a038619)
  • Removed unused method (3a6c51c)
  • Added dateutil parser import that was removed by mistake with a merge (e11be33)
  • Method name typo (fcf694b)
  • Removed command duplicated by mistake in a copy/paste (c86888f)
  • Using property instead of private variable (708c535)
  • Another round of simplification using a property instead of setting an additional dict and calling an additional method to populate it (4b6ebf0)
  • Quick change using property instead of 'private' variable (3b55004)
  • Quickly moved a piece of code where it makes more sense which also adds more clarity (3c8260b)
  • A quick typing fix (110f7e2)
  • A few styling fixes (b47cd09)

Tests — Incremental Fixes & Alignments

  • Quick preparation for the existing tests for Observed Data and Observable objects to support the future tests for related indicators (45e0a49)
  • Rearranged some samples (fd63695)
  • Removed indicators from tests meant for Observed Data / Observable objects only (d121e9a)
  • Added reusable helper to extract pattern & moved internal testing method to the internal class (e524e04)
  • Added indicator samples for external STIX tests (3eb362d)
  • Updated automated documentation generation to avoid issues when changes occur (2b1e078)
  • Handling Observed Data documentation with both single object or multiple object(s) (8c97ca3)
  • Updated tests for STIX 2.1 conversion back to MISP objects (6072fb0)
  • Fixed specific tests with custom labels or with different Report/Grouping object(s) presence/absence (e732fc9)
  • Fixed tests for STIX 2.1 conversion back to MISP Attributes (610b774)
  • Updated Internal STIX 2.1 testing samples (19000ad)
  • Populating documentation of Observed Data conversion back to single Attribute based on the default to_ids flag (209353b)
  • Quick syntax fix on the STIX 2.0 test samples (4c98849)
  • Separating the File observable objects check of some fields (71b1dfb)
  • Properly testing MISP Objects converted from internal STIX 2.0 (074d05a)
  • Updated tests for Bundle conversion depending on the number of report objects (7a9479b)
  • Properly testing Attributes converted from internal STIX 2.0 (906ce66)
  • Using valid UUID for relationship objects ID in Internal STIX 2.x test samples (4509334)
  • Fixed mapping documentation for file, pe & sections objects export to STIX 2.0 (026184f)
  • Testing and documenting automatically more hash types (974a6e3)
  • Updated mapping documentation for MISP objects export to STIX 2.x (9669b0d)
  • Updated documentation automated generation from STIX 2.0 export tests (803d3b1)
  • Quick fix on the autonomous-system attribute export to STIX 2.1 (1e80a2b)
  • Updated tests for MISP Attributes and Objects export to STIX 2.0 (89ef83b)
  • Updated collections export samples (df1b1d3)
  • Adapting tests to the validation of MISP data (96d3827)
  • Fixed tests (1255401, 739df1b)
  • A few tiny sanitation tests fixes and updates (770c1d8)
  • Variable name typo (52ad71b)
  • Fixed 2.1 tests to properly check the conversion of different MISP data layer into both Observed Data and Indicator (c890d62)
  • Making sure we're testing the absence/presence of observed data and observable objects alongside with indicators in given cases (4d0a853)
  • Correctly testing conversion of attributes as both observed data and indicator (8b3fc9b)
  • Using the right relationship type for relations between indicators and observed data in the test samples (d47e368)
  • Fixed additional tests containing Attributes exported to both indicator and observed data (f66627c)
  • Updated attributes collection conversion result sample (6fc1aae)
  • Updated the conversion result samples (33f8874)
  • Deeper looping over objects during collections export tests (3bbc3c9)
  • Started fixing tests for attributes export to indicators (d47d68f)
  • Added indicators to tests matching with observable objects (43f83c4)
  • Fixed tests on autonomous system number conversion (8f6fbad)
  • Fixed unittests on attributes converted from payload_bin field in artifact observable objects (4393b50)
  • Added tests to observe similar behavior between the conversion of a large list of multiple observable objects in Observed Data and standalone observable objects (ce89444)
  • Better testing the conversion of STIX 2.0 domain objects referencing each other (b675eb5)
  • Fixed tests on Attributes to cover changes on UUID generation (350e6a1)
  • Updated tests for domain-ip objects import from STIX 2.1 (71a1f6f)
  • Avoiding getting Artifact objects with same UUID when testing conversion with a large number of multiple observable objects (aa38281)
  • Fixed tests following recent change on the UUID of attributes converted from email-addr observable objects referenced by email-message objects (b0c2fa4)
  • Updated tests for Network Traffic Observable objects conversion to MISP (cf5cb0f)
  • Removed overlapping tests already executed while checking the galaxy cluster fields (5b6fc6c)
  • Fixed wrong variable name (d300bdb)
  • Fixed tests to align with the more recent changes merged (f4259e0)
  • Properly testing datetime fields conversion into custom Galaxy Cluster meta fields (2ee9679)
  • Some quick linting (41cfebf)

Documentation

  • Automatic update of the mapping documentation (663d9b4)