Version 5.5.0

🔔 Dear community, we are very happy to announce the release of OpenCTI 5.5.0 🥳! A new amazing milestone in our journey to make OpenCTI more relevant for CTI analysts, SOC teams and incident responders ✨. We would like to thank all the contributors who, once again, made an amazing job especially by bringing new connectors to life (Domain Tools, FlashPoint, Recorded Future, CrowdSec, Sophos Labs Intellix and much more...) 🚀.

On the core platform side, this new version brings major features and bugfixes 🎁:

• Fully reworded dashboarding engine with dynamic filtering and widgets which will allow you to build advanced KPIs across the whole knowledge graph 📊.
• Custom ontology for all open vocabularies with alias management and merging so you can map your own ontology with the STIX one and any other vendor-specific categorization 📜.
• Massive copy/paste of observables and enhancement on list selection across all screens (shift selection, etc.) ❤️‍🔥.
• Introduction of new types of entity to handle MITRE data components and data sources as well as detection courses of action 🖥️.
• Timeline view in all report that will continue to be enhanced with interval customization and horizontal views in the future ⌛.
• On-the-fly container creation (report or grouping) by selecting entities you would like to add 📋.
• Automatic creation of external references when a file is uploaded 🏢.
• Multiple enhancements in notes management, workspaces and organization seggregation ⚙️.

This major version was also the opportunity to prepare the field for the future full-fledged case management system (and integrated notifications bus) 🔥, with enrichment connectors for SIEMs, XDRs and operational subsystems in modern IT environments 📡. As usual, latest version of Elastic and Redis are supported by OpenCTI 5.5.0 🎀.

Enhancements:

• #2650 Improve note management for participating users
• #2640 Protect platform organization change with SET ACCESS capability
• #2625 Add organizations to SSO Users when login in
• #2581 Display data labels in charts
• #2534 Add a background task capabilities to massively add entities to a container
• #2425 Custom Dashboards Entity Filtering Feature Request
• #2417 Automatically create external references when a file is uploaded in an entity (settings in platform)
• #2410 Heatmaps everywhere, including dashboards
• #2409 Enhance dashboard widgets: multi-data + filters
• #2173 Timeline view in reports
• #1724 Add a copy button to the toolbar in Observations page
• #1602 [Custom Ontology] Ability to add/edit parameters for objects such as Malware, Indicator, Intrusion Set
• #1554 Compare activity of multiple entities
• #1348 Dashboard Filter
• #1342 Ability to SHIFT+select multiple objects to edit in bulk, rather than clicking on each individual object
• #680 Adding "Data Source" and "Data component" entities

Bug Fixes:

• #2647 Live stream invalid check of element access rights
• #2637 CSVFeed: Removal of Entity -unknown Error
• #2633 We can't create a course of action from an attack pattern
• #2631 Error occurs in Observable > Knowledge > adding a Nested object
• #2626 SSDEEP hashes stored in lowercase
• #2617 Unknown Error when attempting to sort investigations by modification date
• #2609 Missing organizations in user create/edit screen

Pull Requests:

• Tool/relay hook template by @Kedae in #2575
• [build] fix front-builder in dockerfile by @axelfahy in #2607
• [front] Filters update to pure function by @Kedae in #2610
• [worker] fix description of metric by @axelfahy in #2620
• Tiny fix for Japanese translation by @minanokawari1124 in #2619
• [worker] set isNumber for prometheus telemetry port by @axelfahy in #2616
• [api/frontend] Full refactor of statistics and dashboarding engine (#2409, #2410, #1348, #2425) by @SamuelHassine in #2613
• [Front & Back] Bulk copy of observables in the tool-bar (#1724) by @Archidoit in #2595
• [front] - Fix course of action creation from attack pattern (#2630) by @RomuDeuxfois in #2636
• Adding "Data Source" & "Data Component" entity by @SarahBocognano in #2627
• [front/api] Add vocabulary as module by @Kedae in #2630
• [front] Fix use of convert filter by @RomuDeuxfois in #2642
• [back/front] Improve Custom Ontology (#1602) by @richard-julien in #2645
• Bugfix/release by @RomuDeuxfois in #2646
• [api] SSDEEP hashes stored in case-sensitive way (#2626) by @richard-julien in #2649
• [api] Live stream invalid check of element access rights (#2647) by @richard-julien in #2648
• [Front] ExternalReference creation when a file is uploaded in an entity (#2417) by @Archidoit in #2614
• [back/front] Improve note management for participating users (#2650) by @richard-julien in #2651

New Contributors

• @minanokawari1124 made their first contribution in #2619
• @SarahBocognano made their first contribution in #2627

Full Changelog: 5.4.1...5.5.0

Version 5.4.1

Dear community, OpenCTI 5.4.1 has been released 🎉! This new version fixes all known bugs affecting the platform especially the creation of indicators without kill chain phases, sightings screen and bulk enrichment of artifacts 🎊. OpenCTI 5.4.1 also contains some performance and export improvements ✨.

Enhancements:

• #2600 [front] Add sharing organization capability to indicator
• #2599 [back] Prevent organization sharing to be empty by an upsert
• #2596 Issue with valid_from field when creating indicator
• #2592 [back] Improve containerWithRefsBuilder for fastest rescan and live handling
• #2587 Inconstant use of "Indicator Type" terminology & Limited Indicator filtering ability
• #2580 [BUG][5.4.0] Custom SAML config options dont seem to be passed to passportjs
• #481 Export improvement. Use file to ask list of ids or queries

Bug Fixes:

• #2604 Bulk enrichment from artifacts doesn't use whole filter
• #2602 [front] Sighting screens keep reloading
• #2594 [BUG] Multiple Indicator Type Filters in live datastream
• #2593 [BUG] Cannot create indicator with KillChainPhases
• #2579 [BUG] OIDC reports invalid token from ADFS
• #2578 [BUG/FEATURE] 5.4.0 Upgrade Revoking Indicators w/o valid_until set on upgrade

Pull Requests:

• [back] Improve containerWithRefsBuilder for fastest rescan and live handling by @richard-julien in #2591
• [back] Enhance valid_from and valid_until indicator computation by @richard-julien in #2598

Full Changelog: 5.4.0...5.4.1

Version 5.4.0

🔔DING! DING!🔔 Dear community, we are so proud to announce that OpenCTI version 5.4.0 has been released 💥! This was a huge joint effort from the brand new Filigran engineering team as well as all community contributors 🍻. Thank you everyone for your continuous efforts to make OpenCTI the world leading threat intelligence platform 🙏!

This milestone contains important new features but also the implementation of more systematic development best practices (TypeScript, pure functions, etc.) 🧩 that will allow us to speed-up future milestones in the months and years to come 🚀.

First of all, OpenCTI 5.4.0 brings long-awaited features 🎁:

• bulk search of entities and observables in the platform 🔍;
• customization of workflow statuses for all types of entity 🛠️;
• introduce an analyst workbench to modelize entities and relationships massively and easily before create the knowledge in the platform 👩‍💻;
• new inference rules to propagate reports to parent entities (sectors / locations) 🗺️;
• performances improvement due to the new way to validate indicators syntax (creation of indicators speed x10) 🚅;
• it is now possible to deny connectors from creating new labels and keep a set of pre-defined labels in the platform ✨;
• country flags for IPs when located-at relationship is set to a specific country 🏴;
• new specific capabilities for notes and opinions to allow feedback even from read-only users ✍️;
• implement the STIX 2.1 "Grouping" entity type to allow information clustering without creating a report when it is not relevant 📦;
• Japanese translation, OpenTelemetry, investigation improvements and much more 💝...

Last but not least, this release introduces a major new data segregation and sharing capability by organization 🏢. This allows administrators to associate users to organizations (organizations can belong to parent organizations as well) and to distribute knowledge across one or multiple organizations in the platform 🔓.

It is also possible to set a default organization for the whole platform to restrict all data and starting to share progressively information 🌎. A demonstration video will be published to better explain this new feature which will help organizations to open access to third-parties / constituents with full confidence about the confidentiality of the data 🥳.

⚠️ All internal-export-file connectors should now be launched with a user which has the Administrator role, because they now impersonate the user requesting the export to prevent data leak.

⚠️ All technical creators (users) of existing entities are no longer mapped on the history and then are displayed as "SYSTEM". New entities / relationships will be created with the correct creator fully modelized. If you would like to recover the creators information of your existing data, you can launch a background task (based on the history) on the selected entities (or all of them) using the mass operations toolbar Update => Replace => Creator.

⚙️ When using the organization segregation capability, it is recommended to enable the inference rule ORGANIZATION PROPAGATION VIA PARTICIPATION so it will propagate if a user A participates in organization B and organization B is part of organization C, then the user A also participates in organization C.

Since the last release, minio implements breaking change. If you decide to upgrade minio, a procedure must be applied. Please read https://min.io/docs/minio/linux/operations/install-deploy-manage/migrate-fs-gateway.html

Enhancements:

• #2543 [api] Improve version checking of platform start
• #2535 Be able to hide background tasks screen using RBAC capabilities
• #2530 Add new attributes to the entity incident
• #2502 Improv dev env by injecting a data set
• #2483 Be able to use workflow status in the stream filters
• #2475 Implement the "Grouping" STIX 2.1 entity as a container
• #2470 Limit the history message length both in backend (when inserting) and frontend
• #2464 Title and meta description of the platform
• #2463 [api] Add usage of impersonate feature to connectors
• #2456 Add Japanese translation
• #2446 Add "Shodan" Pattern Type to Indicators
• #2435 [api] Filters support multiples keys to search on
• #2420 Add a quick filter for sighting lists (false / true positive)
• #2408 Full refactor of pre-validation screen into an analyst workbench
• #2414 Support "content_ref" for StixFile to Artifact (obs_content ?) relation
• #2406 [Feature] Filter for 'Score less than' within Retention Policy Rules
• #2401 Improve of performance indicator checkIndicatorSyntax function
• #2397 Enhance the view of the rules definition in the frontend
• #2341 [rules] Add report objects related rules
• #2336 Bulk search of SDOs and SCOs
• #2331 Mass delete labels
• #2293 Add Infrastructure fields to UI when creating new Objects
• #2263 Ability to search OpenCTI for a list of Observables (as opposed to one by one)
• #2196 Finer access controls for Reports for feedback - Separate "Opinions" as a knowledge creation access control under roles.
• #2188 Add organizations restrictions on top of markings to increase data segregation possibilities
• #2163 Entity details edition during data import
• #2116 Session refresh on user rights change
• #2109 Create/Update notes and opinions specifying author with a different user
• #2029 Add technical creator in data + ordering/filtering
• #1991 Exporting Report details, Malware or Intrusion Sets is hard to do
• #1943 Ability to create additional custom workflow status names straight from the UI if possible.
• #1934 Ability to expand to any kind of entity from Investigations Workspace
• #1867 Removing report
• #1799 Bulk creation of knowledge around a threat entity
• #1781 STIX ID standard is useless to analysts but have the most visible spot in item pages
• #1757 Add Indicator to Report when Observable+Indicator created within the context of a Report
• #1755 Be able to select labels to import
• #1730 Add country flag icons to IPv4/IPv6 observables
• #1596 Expose worker metrics for prometheus
• #1468 Remove entities after report deletion
• #1428 Suppressing an entity does not suppress its relations
• #1182 Infrastructure, Systems and Vulnerabilities
• #1071 No way to implement STIX's Windows Service (and Process) extensions

Bug Fixes:

• #2550 Events/Incidents/Observables. Doesn't display more than 25 observables.
• #2487 Empty channels type break the UI
• #2448 Pending Imports UI potentially referencing incorrect path for STIX bundles when APP__BASE_PATH is set

Pull Requests:

• [api] Add OpenTelemetry for tracing and metrics (#1596) by @richard-julien in #2439
• [Tool] Update some files for dev env setup by @Kedae in #2440
• [api] Filters support multiples keys to search on (#2435) by @Kedae in #2444
• [api] Introduce impersonate capability for bypass role (#1755) by @richard-julien in #2445
• [api] Fix missing filters on graphQL and update of elastic size for d… by @Kedae in https://github.com/OpenCTI-Platf...

Version 5.3.17

Dear community, OpenCTI 5.3.17 has been released 🎉! This is a hotfix for a few minor bugs in the user interface and some connectors updates in the ecosystem 🐨.

Enhancements:

• #2351 Report's Correlation View does not show all "correlated" data
• #1784 Add aliases to CVE
• #1674 Add filters for display before image export
• #1610 Ability to control merging of entities
• #1576 Implement more complex exports forms
• #1563 Display error in distribution of entities in reports for cryptocurrency wallet
• #1484 Organize objects in Knowledge Graph into tree while forces are disabled
• #1469 View reports in the master graph
• #1381 Filter types of entities included in Incident Global Kill Chain/Timeline
• #1108 Create relationships between observables in the context of a report

Bug Fixes:

• #2432 Synchronizer Erroring and Looping
• #2426 don´t see the Marking Definition

Pull Requests:

• Fix Correlation Graph bugs reported in Issue #2351 by @ckane in #2353

Full Changelog: 5.3.16...5.3.17

Version 5.3.16

Dear community, OpenCTI version 5.3.16 has been released 🥳! This version fixes all known bugs of the platform and introduces minor enhancements in different views of the user interface 🎁. Also, a new type of observable is available to modelize media content (Twitter, Facebook, Telegram, Website article, etc.) 📰.

🚨 This release contains important security fixes, we strongly advise all organizations to upgrade as soon as possible their instance. 🚨
Big thanks to @sandeshkumart for the security report/analysis

Enhancements:

• #2402 Add media content SCO
• #2400 Cannot create Indicator Sighting for Sectors
• #1905 Add "Rust" to Malware programming languages + allow Admins to add custom languages
• #1903 From a Report, view what other Reports have IOCs in common
• #1831 Inferred targeting of sectors or regions are called "Direct targeting"
• #1813 Bug of display when moving in the chronology (date not correctly taken into account
• #1794 Trying to import STIX2 with a resolves-to relationship between two observables results in an error
• #1783 When viewing the targetting of a sector by a threat actor, the intrusion sets used should be more visible
• #1766 MITRE implemented non-standard STIX relationship detects
• #1756 Export observables (and other objects) from and SDO's Knowledge page

Bug Fixes:

• #2403 Not possible to view export when report's title contains some special characters
• #2396 Target type filter not working in the observable section of threats
• #2391 Not possible to empty the author field
• #2395 Subscriptions & digests error
• #2381 The "Subscriptions & digests" email returns "{defaultValue(entry)}"

Pull Requests:

• Expand list of Event types by @mattreduce in #2393

New Contributors:

• @mattreduce made their first contribution in #2393

Full Changelog: 5.3.15...5.3.16

Version 5.3.15

Dear community, OpenCTI 5.3.15 has been released 💡! This version fixes a few minor bugs in some connectors, the Python library and the frontend 🤓.

Enhancements:

• #2377 Avoid automatic enrichment when editing in the built-in editor

Bug Fixes:

• #2358 There are some Bugs in Content menu(download)

Full Changelog: 5.3.14...5.3.15

Version 5.3.14

Dear community, OpenCTI version 5.3.14 is out 🥳! This version fixes a major bug in stream connectors and some other minor issues in the frontend and connectors work management ✨.

Bug Fixes:

• #2376 Truncate history/errorcontent message to prevent elastic/opensearch query errors
• #2374 Stream connectors can have an erroneous state with "-0-0"
• #2372 Content's table looks weird (version : 5.3.12)

Full Changelog: 5.3.13...5.3.14

Version 5.3.13

Dear community, OpenCTI 5.3.13 is out 🤯! This minor release fixes some minor bugs in the user interface graphs and the rule engine data update 🎉. Also, it significantly improves the memory footprint of the platform when merging entities with a lot of relationships 💡.

In the Python library, the stream manager and helper has been enhanced to fix all known issues when consuming streams from connectors or in third-party systems 📡.

Enhancements:

• #2366 [api] Improve merging memory footprint
• #2357 [api] Relation check for type detection improvement for observables
• #2356 [api] Improve stream delay and heartbeat occurrence

Bug Fixes:

• #2367 [api] Upsert of inferred entity fail
• #2360 Text adjustment in lateral panel
• #2359 Images are missing in graphs for new types of entity

Pull Requests:

• Adjust content to be shorter by @febrezo in #2361
• [api] Improve merging memory footprint (#2366) by @richard-julien in #2368
• Fix typo in 'agent' role by @febrezo in #2364
• More tiny fixes in the Spanish translation by @febrezo in #2363

Full Changelog: 5.3.12...5.3.13

Version 5.3.12

Dear community, OpenCTI 5.3.12 is out 🤯! This new minor version fixes some important bugs especially in background tasks and connectors 🩹. Also, the format of the STIX IDs (and internal IDs) is now verified before ingestion and creation of objects 🧽.

If you have developed connectors that directly call the API through GraphQL, you will have to migrate some query definitions from string type to StixId type.

Enhancements:

• #2337 Validate STIX IDs and internal IDs when creating entities / relationships
• #2344 The relationship type "uses" is not allowed between Artifact and Attack-Pattern
• #2325 Extend the supported entity types for a CSV feed

Bug Fixes:

• #2343 "Select all" for Bulk update within Analysis Report "Observables" view causes edit to apply to all observables in system
• #2342 Search bar results for Channels
• #2338 In StixSighting: TypeError: null is not an object (evaluating 'd.entity_type')

Pull Requests:

• Fix typos (and linting) in French locales by @febrezo in #2328
• Add extra spanish locales by @febrezo in #2340

Full Changelog: 5.3.11...5.3.12

Version 5.3.11

Dear community, OpenCTI version 5.3.11 has been released 🥳! This version is a hotfix for a few minor bugs in the user interface and some connectors 🤖.

Enhancements:

• #2332 [Front] Add Spanish translation

Bug Fixes:

• #2333 [Front] Some special characters in report names are not escaped when uri is generated
• #2329 GraphQL playground not working in Docker releases
• #2326 image file(png,jpg,webp etc.) upload fail in html content

Pull requests:

• Add Spanish translation by @febrezo in #2324

New Contributors:

• @febrezo made their first contribution in #2324

Full Changelog: 5.3.10...5.3.11