Releases: MISP/misp-workbench
Release list
misp-workbench - [beta-1.5] local file feeds, file based exports
This release adds local file uploads for feeds with hard-delete support for events, notebook export to PDF, searches file export (JSON, CSV, MISP, STIX 2.1), and extended OpenSearch dashboards. Also includes new user menu/settings UI, automated doc screenshot generation, Node 20 upgrade, theme-aware hunts screenshots, and various fixes plus dependency bumps.
What's Changed
- fix: screenshots url paths by @righel in #323
- add: env var to define tech lab code path by @righel in #324
- chg: bump poetry version, add solver.min-release-age 7d conf by @righel in #325
- add: create user menu item, improve user settings ui by @righel in #326
- Automate doc screenshots generation by @righel in #327
- fix: make hunts screenshots aware of theme by @righel in #328
- fix: correct hunts schedule in screenshots by @righel in #329
- add: support file uploads for feeds. hard delete events, add deleted … by @righel in #330
- build(deps): bump js-cookie from 3.0.5 to 3.0.7 in /frontend by @dependabot[bot] in #331
- build(deps): bump uuid and cypress in /frontend by @dependabot[bot] in #332
- build(deps-dev): bump tmp from 0.2.4 to 0.2.7 in /frontend by @dependabot[bot] in #333
- build(deps-dev): bump vitest from 3.2.4 to 4.1.0 in /frontend by @dependabot[bot] in #334
- build(deps): bump qs and @cypress/request in /frontend by @dependabot[bot] in #335
- add: export notebook output as pdf by @righel in #336
- Add local feed files docs by @righel in #337
- Upgrade node 20 by @righel in #338
- Extend opensearch dashboards by @righel in #340
- fix: docs link by @righel in #341
- fix: logo img path by @righel in #342
- build(deps): bump aiohttp from 3.13.5 to 3.14.0 in /api by @dependabot[bot] in #339
- build(deps-dev): bump shell-quote from 1.8.3 to 1.8.4 in /frontend by @dependabot[bot] in #344
- add: searches file export by @righel in #343
- chg: regenerate screenshots by @righel in #345
- add: misp export format by @righel in #346
Full Changelog: beta-1.4...beta-1.5
misp-workbench - [beta-1.4] Tech-Lab: Reactor Scripts and Analyst Notebooks
We're excited to announce the release of MISP Workbench beta-1.4, introducing two major additions automation features via the new the Tech Lab menu: Reactor Scripts and Analyst Notebooks.
⚡ Reactor Scripts
Reactor Scripts bring automation and extensibility directly into MISP Workbench. Write and run custom scripts that interact with your MISP data, enabling you to automate repetitive tasks, enrich events, or trigger custom workflows — all from within the platform.
This release also ships with a test sandbox with integrated flame graph profiling, so you can measure and optimize your scripts' performance before deploying them in production.
📓 Analyst Notebooks
Analyst Notebooks provide a flexible, interactive workspace for threat analysts. Combine notes, queries, and structured analysis in a single place, making it easier to document investigations, share findings with your team, and build reproducible analytical workflows on top of your MISP data.
🔍 Explore View Improvements
The Explore view now supports correlations search, and hunts can be directly linked to explorations — making it faster to pivot from a hunt result into a broader correlation analysis.
🔧 Other Changes & Fixes
- Dependency updates across the frontend and API (axios, postcss, urllib3, authlib, and more)
Full changelog: [beta-1.3 → beta-1.4](beta-1.3...beta-1.4)
Docs
- Tech-Lab: Reactor Scripts: https://misp-workbench.readthedocs.io/en/latest/features/tech-lab/reactor/
- Tech-Lab: Analyst Notebooks: https://misp-workbench.readthedocs.io/en/latest/features/tech-lab/notebooks/
What's Changed
- add: support correlations search in explore view, link hunts to explo… by @righel in #306
- chg: change to 30s by @righel in #307
- add Tech Lab — Reactor Scripts by @righel in #311
- add: profile reactor scripts in test sandbox, add flamegraph by @righel in #314
- build(deps-dev): bump axios from 1.15.0 to 1.16.0 in /frontend by @dependabot[bot] in #313
- build(deps): bump postcss from 8.5.6 to 8.5.14 in /frontend by @dependabot[bot] in #315
- fix: reactor scripts screenshots url by @righel in #319
- build(deps): bump mako from 1.3.11 to 1.3.12 in /api by @dependabot[bot] in #317
- build(deps): bump python-multipart from 0.0.26 to 0.0.27 in /api by @dependabot[bot] in #316
- build(deps): bump urllib3 from 2.6.3 to 2.7.0 in /api by @dependabot[bot] in #321
- tech-lab: analyst notebooks by @righel in #320
- build(deps): bump authlib from 1.6.11 to 1.6.12 in /api by @dependabot[bot] in #322
Full Changelog: beta-1.3...beta-1.4
misp-workbench - [beta-1.3] Hunts enhanchments, audit log and more
New features:
- MITRE ATT&CK Hunts (developed during https://hackathon.lu/ 2026)
- Hunts heatmap (developed during https://hackathon.lu/ 2026)
- Configurable data retention period
- Long-lived API keys for third-party integrations
- Audit logs system
What's Changed
- build(deps-dev): bump pytest from 8.4.2 to 9.0.3 in /api by @dependabot[bot] in #276
- chg: use mock response from mmdb_lookup module by @righel in #278
- build(deps-dev): bump follow-redirects from 1.15.11 to 1.16.0 in /frontend by @dependabot[bot] in #277
- build(deps-dev): bump black from 25.12.0 to 26.3.1 in /api by @dependabot[bot] in #275
- add: mitre attack hunts by @righel in #279
- add: hunt heatmap by @righel in #282
- add: configurable mail from address by @righel in #283
- fix: size too big by @righel in #284
- chg: change hunt heatmap color scheme by @righel in #285
- fix: hunt heatmap not loading properly by @righel in #286
- add: autogenerate oauth secrets by @righel in #290
- build(deps): bump python-multipart from 0.0.18 to 0.0.26 in /api by @dependabot[bot] in #288
- build(deps): bump dompurify from 3.3.2 to 3.4.0 in /frontend by @dependabot[bot] in #289
- fix: push events to remote misp servers, add icon to push events indi… by @righel in #291
- fix: missing property by @righel in #292
- fix: fix event pull by @righel in #293
- fix: event pull error response by @righel in #294
- build(deps): bump mako from 1.3.10 to 1.3.11 in /api by @dependabot[bot] in #295
- build(deps): bump authlib from 1.6.9 to 1.6.11 in /api by @dependabot[bot] in #296
- add: retention period setting, add retention badge to event view by @righel in #297
- add: retention period docs by @righel in #298
- add: missing retention from menu by @righel in #299
- add: show running tasks by @righel in #300
- add: api longed-lived keys for third-party apps by @righel in #301
- add: extend audit log system by @righel in #303
- fix: image path by @righel in #304
- add: audit log entries for user changes by @righel in #305
Full Changelog: beta-1.2...beta-1.3
misp-workbench - [beta-1.2] storage layer refactor
The main change in this release is a significant refactor of the storage layer: events, attributes, and objects are now stored exclusively in OpenSearch, removing the previous duplication with PostgreSQL. This improves scalability and simplifies the data architecture.
Other notable additions include:
- Explore view enhancements: result tabs, filters, and a timeline plot
- CPE hunts support and hunt history deletion, new hunt results highlighted.
- User password reset and simplified role/scope management
- Health endpoint for monitoring
- User creation via org name (CLI)
- S3 key auto-creation and expanded environment variable configuration
- Various bug fixes of prod deployment (CSV feed creation, CORS origins, proxy config, submodule updates)
- Dependency updates across the frontend and API
What's Changed
- fix: mcp docs video path by @righel in #230
- fix: paths by @righel in #231
- build(deps): bump flatted from 3.4.1 to 3.4.2 in /frontend by @dependabot[bot] in #229
- Explore results tabs by @righel in #233
- Add explore filters by @righel in #234
- add: openapi spec to readthedocs by @righel in #238
- refactor: do not store events/attributes/objects in sql, use opensearch by @righel in #239
- build(deps): bump picomatch in /frontend by @dependabot[bot] in #240
- build(deps): bump pygments from 2.19.2 to 2.20.0 in /api by @dependabot[bot] in #244
- build(deps-dev): bump brace-expansion from 1.1.12 to 1.1.13 in /frontend by @dependabot[bot] in #243
- build(deps): bump cryptography from 43.0.3 to 46.0.6 in /api by @dependabot[bot] in #242
- build(deps-dev): bump requests from 2.32.5 to 2.33.0 in /api by @dependabot[bot] in #241
- Add timeline plot explore view by @righel in #245
- add: cpe hunts, delete hunt history by @righel in #248
- chg: [refactor] simplify user roles, enforce scopes in ui accordinly by @righel in #249
- build(deps): bump lodash-es from 4.17.23 to 4.18.1 in /frontend by @dependabot[bot] in #251
- build(deps): bump lodash from 4.17.23 to 4.18.1 in /frontend by @dependabot[bot] in #253
- build(deps): bump aiohttp from 3.13.3 to 3.13.4 in /api by @dependabot[bot] in #250
- add: user password reset by @righel in #255
- fix prod deployment issues, default admin creation by @righel in #257
- fix: add CORS_ORIGINS env var to add custom domains by @righel in #258
- Add some configuration through env vars by @claudex in #261
- add: create s3 keys if not present by @righel in #262
- build(deps-dev): bump vite from 6.4.1 to 6.4.2 in /frontend by @dependabot[bot] in #260
- Health endpoint by @righel in #263
- Fix typo on proxy parameter for uvicorn by @claudex in #264
- add: celery result backend env vars by @righel in #266
- fix: how to properly update submodules by @righel in #267
- fix: csv feeds creation bug by @righel in #268
- fix: error with event_uuid pydantic schema by @righel in #270
- chg: highlight new hunt results by @righel in #271
- chg: use org name instead of id when creating a user via cli by @righel in #272
- chg: show new results first by @righel in #273
- build(deps-dev): bump axios from 1.11.0 to 1.15.0 in /frontend by @dependabot[bot] in #274
- build(deps): bump cryptography from 46.0.6 to 46.0.7 in /api by @dependabot[bot] in #269
New Contributors
Full Changelog: beta-1.1...beta-1.2
misp-workbench - [beta-1.1] mcp server release
MISP Workbench beta-1.1 - MCP Server Release
Expose MISP Workbench's OpenSearch-indexed threat intelligence to LLM-powered clients via the Model Context Protocol. Analysts and AI agents can query indicators, correlations, and feed data using natural language, enabling faster triage and investigation directly from tools like Claude Desktop/Code, Cursor, OpenClaw or others.
Screencast.from.2026-03-20.12-20-08.webm
MCP Server Docs
What's Changed
- add: extend docs by @righel in #222
- build(deps): bump flatted from 3.3.3 to 3.4.1 in /frontend by @dependabot[bot] in #221
- build(deps): bump pyjwt from 2.11.0 to 2.12.0 in /api by @dependabot[bot] in #220
- add: misp-modules diagnostics card by @righel in #223
- chg: refactor misp feed edit and view, unify design by @righel in #224
- add: mcp server by @righel in #225
Full Changelog: beta-1.0...beta-1.1
misp-workbench - [beta-1.0] first beta release of misp-workbench
MISP Workbench – First Beta Release v1.0
MISP Workbench is a powerful analyst-focused platform designed to tame the challenge of working with large volumes of threat intelligence at scale. It is capable of ingesting data from multiple origins — including MISP instances, external feeds, and other threat intelligence sources — and consolidates them into a unified workspace where analysts can actually get things done.
At its core, MISP Workbench puts the analyst in control: query across your entire data corpus, enrich and process indicators, pivot between related intelligence, and push curated results back to MISP or downstream consumers — all from one place. Whether you're triaging a large batch of incoming indicators, hunting for patterns across feeds, or preparing a finished intelligence product, MISP Workbench is built to cut through the noise and accelerate the workflow from raw data to actionable insight.
This first beta release marks the foundation of that vision — expect rough edges, rapid iteration, and a strong appetite for feedback.
Main features:
| Feature | Description |
|---|---|
| Feed ingestion | Ingest MISP, CSV, JSON, and Freetext feeds on a schedule or on demand |
| Correlations | Batch and incremental correlation scans over indexed attributes |
| Explore | Lucene queries against OpenSearch for fast indicator lookups |
| Enrichments | IOC enrichment powered by misp-modules |
| Hunt | Hunts are saved searches that run periodically and trigger alerts. |
| Notifications | Event-driven notifications processed by Celery workers |
| REST API | FastAPI backend with automatic OpenAPI documentation |
| Storage | Garage (S3-compatible) or local filesystem for attachments |


