Releases: OpenCTI-Platform/opencti
Version 5.0.3
Dear community, we have released a hotfix version 5.0.3. This version fixes a major bug in the TAXII collections π₯³.
Enhancements:
- #1405 Display the full name of an entity
Bug Fixes:
- #1650 TAXII collection error
Full Changelog: 5.0.2...5.0.3
Version 5.0.2
Dear community, OpenCTI 5.0.2 is now available π₯³! This new release fixes 13 minor issues and contains a lot of tiny enhancements π€.
The subscription scheduler is now optional by default, so SMTP configuration is not mandatory anymore π‘. Graphs of knowledge have been enhanced (higher resolution in PNG exports, reports in knowledge aggregation, etc.) and external references can now be enforced (in configuration) on any creation or modification for traceability π‘.
This release re-introduces the compatibility with ElasticSearch >= 7.10 (and OpenSearch >= 1.1) which has been broken in previous minor (5.0.1) π.
Among all bug fixes, we have worked to ensure more consistency between screens, including the resolution of errors when using RBAC / data segregation π§±. Also, the computation of valid_until field of indicators has been fixed (for the moment no migration of already ingested indicators, it will be in the next minor release).
Stay tuned for the next upcoming major releases: case management, garbage collector, and a lot more to come π!
Enhancements:
- #1646 Improve background task error logging
- #1645 Prevent operation on inferences when not permitted
- #1623 Create a view for external references
- #1621 Make rule engine correctly supported in UI when disable
- #1615 Make subscription scheduler optional by default
- #1606 Rule manager auto restart support in multiple API env
- #1601 Maintains support of OpenSearch (auto disable features require by elasticsearch 7.10.1+)
- #1595 Expose express server metrics for prometheus
- #1592 Add reports in master graph
- #1591 Datetime field in dashboards
- #1590 Filter timelines
- #1589 Take files into account in synchronization
- #1569 Restrict individual live streams to specific user Groups
- #1436 Enhance resolution of images when exporting a graph in PNG/PDF
Bug Fixes:
- #1647 Cannot query Course of Action by x_mitre_id or external_id
- #1641 No error message if start date is after stop date
- #1640 Opinion radar not visible with light theme
- #1639 Delay to take into account changes resulting in dropping them
- #1637 Error with relations display when modifying inferences
- #1634 Indicator : "valid until" not correctly filled
- #1631 Error with exports : troncated marking levels
- #1629 Cities coordinates cannot be filled (lat and long)
- #1624 Top 10 Active Entities (Dashboard) widget show only the top 8 entities
- #1618 Observed data unknown in reports
- #1612 Canβt modify description field of entities
- #1607 Can't remove atime, mtime, ctime from File observable in GUI
- #1603 Multiple Groups in SAML response are seen as a single string
Pull Requests:
- [api] Adapt STIX relationships by @nor3th in #1605
- [api] Expose express server metrics for prometheus by @debelyoo in #1598
New Contributors:
Full Changelog: 5.0.1...5.0.2
Contributors
Assets 4
Version 5.0.1
Dear community, OpenCTI 5.0.1 has been released π₯³! This minor release includes several bug fixes for all known issues since the release of the version 5 πΎ. Also, a new rule has been introduced to automatically create incidents based on sightings in order to prepare our future case management system π‘.
One of the major enhancements in 5.0.1 is also the activation of new sorting capabilities (by observable "value", by author, by marking definition, etc.) π, thanks to new ElasticSearch runtime fields. Next releases will be focused on garbage collection and case management, as planned in our strategic roadmap πͺ.
This version requires ElasticSearch >= 7.12 (for observables sorting). This is not compatible with OpenSearch/AWS. Given the feedback from the community, we have decided to bring back the support of OpenSearch in the next version using a feature flag to disable this feature if not supported.
Enhancements:
- #1588 Enhancement of modification reference
- #1587 Add UI capability to manage x_opencti_stix_ids
- #1585 Create the SightingIncident rule and adapt the observed sighting one
- #1578 Migration to Yarn 2
- #1571 Improve inputs resolution and change tests to use object_refs direct creation
- #1570 Populate x_opencti_additional_names field of File observable when merging multiple file names
- #1564 The deleted or merged entities should not be imported once again.
- #1477 Multitenancy support
- #1394 [frontend] Sort report observables causes crash
Bug Fixes:
- #1586 Creating report with all object_refs unknown fail
- #1582 Artifact STIX2.1 export
- #1581 Artifact - Mutual exclusion of properties 'url' and 'payload_bin'
- #1575 TAXII Collections Discovery URL
- #1572 [frontent] File - Artifact relationship wrong name
- #1517 It will show error if the TLP level is not granted to the user on the whole page
Pull Requests:
Full Changelog: 5.0.0...5.0.1
Contributors
Assets 4
Version 5.0.0
π DING DING!! π
Dear community, we are glad to announce the release of OpenCTI 5.0.0 π, after 3 months of collective work from the whole OpenCTI community. This new version is based on two fundamental principles:
- Make OpenCTI more reactive and intelligent with the data while we ensure consistency and robustness of our current components π§ .
- Build the roots of more collaboration, sharing and engagement on threat intelligence structured data π€.
In this major release, we have entirely reworked most of our essential components, especially the data streams to enable community sharing and synchronization between platforms π‘. Furthermore, this milestone re-introduces a global reasoning mechanism on the data, allowing analysts to visualize accurate and exhaustive knowledge without constantly pivoting between entities and relationships π.
A lot of new features described in our blog post are available in OpenCTI 5.0.0: subscriptions / digests, content viewer / enriched editor, custom workflows, dashboard widgets, etc π. Among all these changes, more than 50 bugfixes are part of this release, whether related to the core platform or the connectors/libraries ecosystem π¨π¨.
We are working on updating our strategic roadmap so it will reflect where we stand, but next steps have been already planned in the different Luatix development committees: garbage collector, case management, connectors and widgets will be our main focus in the coming months π.
Please note that the subscription manager is enabled by default. This means you will be required to provide the API with SMTP access. If you don't have a SMTP server, just disable the Subscription manager with:
"subscription_scheduler": { "enabled": false }- SUBSCRIPTION_SCHEDULER__ENABLED=falsein your configuration.
Enhancements:
- #1550 Allow file upload in external refereance
- #1534 how can i add the relation "CONSISTS_OF" between INFRASTRUCTURE and OBSERVED_DATA
- #1530 Implement a generic status for all entities
- #1521 OpenIDConnect Strategy doesn't support roles from claims
- #1486 Increase body-parser express limit to prevent "request entity too large"
- #1467 Marking column is missing
- #1455 Improve elastic-searching from platform. (global searching, author searching, individual entity screen searching)
- #1453 Ability to filter on types of Report Type in Report's Correlation view
- #1449 Add an option to automatically add new marking to certain groups
- #1447 Clickable links on Attack Matrix View
- #1444 Observed data upsert management (first_seen, last_seen, number_observed)
- #1438 [frontend] Report can't create Course of Action
- #1437 Enhance the large graph performances
- #1435 Remove this red cross sign when no access in observable
- #1433 Feed subscription / bulletin / digests
- #1425 'belongs-to' is not a permissible relation between IP and ASN
- #1419 Re-implement inferences and automatic rules of computing
- #1402 Importing STIX file from Report doesn't associate objects from the report
- #1359 Get Alert / Notification from OpenCTI
- #1358 Refactor sightings (viewing Sighting Description)
- #1351 Create Exportable list of Courses of Action per Incident, based on related Attack Patterns
- #1347 List Widget for Dashboarding
- #1324 Missing permissions to prevent access to Data/Entities and Data/Background tasks
- #1322 Implement system identity objects
- #1319 Creating relationships between entities in the context of investigations
- #1312 Enable Tree Mode in Knowledge Graph while forces are in disabled
- #1304 Refactor sightings and display history of relations
- #1303 Refactor notes & opinions to be more "user friendly"
- #1287 Add dashboard widget to display indicators lifecycle
- #1275 Default connector role and mutation
- #1265 The description content is different from the preview page.
- #1063 Filtering based on area of concern & Watch List feature request
- #912 Rules for correlation
- #904 "Rich text editor" (report creator + export PDF)
- #876 Referenced all platform information
- #874 Make a backup of the platform
- #788 Targeted organisations should be able to connect to locations/regions
- #753 Add description of infered relations
- #649 Inferences - threat actors -intrusion sets
- #183 Implement a timeline visualization for multiple entities
Bug Fixes:
- #1559 Line break in description fields for notes and relations is not displayed
- #1558 Plateform freezing when creating a new entity without an author
- #1552 URLs are incorrectly rewritten when using a reverse proxy
- #1548 Investigations error when contains
resolves-torelationship - #1539 ElasticSearchMetrics GraphQL error: Int cannot represent non 32-bit signed integer value
- #1538 Custom colour setting hex-code handling
- #1531 Setting x_mitre_id to None Causes webUI Crash
- #1529 Can not delete "marking definition" on incident page
- #1525 Unable to manually create "observed data" entry
- #1524 Check why standard_id is in other STIX IDs and create a migration
- #1502 Error Displaying Intrusion Sets
- #1489 CVEs Identified in OpenCTI
- #1480 Observables missing from the menu to create a new entity in Reports
- #1479 Bug with bookmarks when an entity is suppressed
- #1478 Internal server error when launching pdf file import
- #1471 Report titles appear blank when creating relationships
- #1465 Bug when expand TTP in investigation menu
- #1448 Unable to change time period in custom dashboards with a "Read Only" role
- #1446 [frontend] Report entities can't select check box
- #1443 Exporting of entities in a Threat Report exports all entities when filtered.
- #1439 Creation of embedded relations broken in the latest release
- #1430 Filter by marking not working in graph view
- #1418 Uploading from python connector stopped working
- [#1369](https://github.com/OpenCTI-Platform/opencti/i...
Contributors
Assets 4
Version 4.5.5
Dear community, OpenCTI 4.5.5 has been released π₯³! A lot of bug fixes and tiny enhancements in this new minor version π§.
The authentication system now supports SAML standard and LDAP groups mapping π. Some improvements have been implemented in graph views and forms π¨. Also, multiple minor bugs mainly impacting the UI side have been fixed πͺ².
The next major milestone is under development and will contain significant enhancements over all our components, from automated rules engine to report advanced editor and notification systems πππ.
Enhancements:
- #1414 Implement the SAML SSO system
- #1399 Improve Workers statistics screen
- #1422 Unable to update "confidence" relations
- #1393 Have a "part-of" relation for threat actors
- #1391 Be able to filtrate analysis by type:report or note or opinion
- #1390 Incident confidence level cannot be modified
- #1389 Have the name of the author automatically filled
- #1387 Have the confidence level field available when creating a new object or relation
- #1386 Notes : be able to modify the date
- #1376 Configure attribute mapping from LDAP
- #1311 LDAP Group import v2
- #1195 Easily organize objects in Knowledge Graph
- #1175 Prevent elastic database from corrupting itself if reverting platform versions
Bug Fixes:
- #1416 Adding same External Reference to Report twice Deletes both
- #1408 Unable to change author for an indicator
- #1406 Issue displaying the md formatting features in the description box
- #1394 [frontend] Sort report observables causes crash
- #1421 No related indicator is create when creating an observable of type 'email-message' with option: CreateIndicator
- #1388 Relations creation : have the last seen field filled by default
- #1413 OpenCTI with Elasticsearch https
Version 4.5.4
Dear community, OpenCTI version 4.5.4 has been released π€―! This iteration fixes some minor bugs and introduces a bunch of new features π. Among them, we are proud to announce the global availability of the OpenCTI light theme π, including the ability for organizations to customize colors and logos of their OpenCTI instances π π». This new feature comes with more advanced export capabilities (theme selection, transparent backgrounds, etc.) for basically every visualizations in the platform βοΈ.
Also, the enrichment APIs and screens have been moved to the global meta entity Stix-Core-Object, which covers STIX Cyber observables but also STIX Domain Objects ποΈ. This move prepares the work around new STIX Domain Object enrichment connectors for vulnerabilities, organizations, incidents, etc. such as Wikipedia, CRMs, ticket management systems... π
Last but not least, a few connectors have been enhanced π¦. The AlienVault connector has new options to enable/disable relationships between Attack Patterns and Indicators (which may lead to have a lot of relationship for each pulse). It's also possible to fully disable relationships.
The
ImportFilePdfObservablesconnector has been replaced by a fully rewritten ImportReport connector which also supports plain text files. A huge thank you to @nor3th for this amazing work π!
We are preparing an update of our strategic roadmap to give everyone more visibility on where we are and what is coming. Our focus remains on analysts centric features, logical inferences and reports builder π».
Enhancements:
- #1380 Add "Attack Pattern" to Incident timeline
- #1367 Bug in the custom dashboard : campaign activity and incidents activity displaying "not implemented yet"
- #1307 Background task for confidence level
- #1305 Enhance the observable knowledge section
- #1191 Create relationships between similar objects in bulk
- #779 Course of Action for Threat Hunting
- #530 Implement a light theme (and allow users to select the theme)
Bug Fixes:
- #1377 Donut visualization of the threat or arsenal item perspective is not restricted to the selected entity
- #1373 The relationship type belongs-to is not allowed between IPv4-Addr and Autonomous-System although offered by UI
- #1371 Vulnerability Severity can't be set to CRITICAL
- #1370 Can't modify Observable network-traffic object
- #1365 Bug in the dashboards - can't see the day/date when picking the last 7 days period
- #1364 Bug when switching the type of relationship between a country and an intrustion set
Version 4.5.3
Dear community, OpenCTI 4.5.3 has been released π₯³! Docker images for ARM and PPC architectures are now available as well as knowledge export in PNG and PDF from the UI (dashboards, graphs, kill chains, etc.) π.
Some minor bugs on CSV export and reports display have been fixed. Our next milestones will now be focused re-introducing logical reasoning rules on the knowledge π₯ and on custom subscriptions/digests, alerting, analyst features such as comments, feedback on data, etc π.
Enhancements:
- #1357 Edit indicator_types of an indicator
- #1355 Be able to export views, graphs and dashboards in PNG/PDF
- #1352 Ability to filter by "No Label"
- #1350 Ability to Update Vulnerability Severity, Availability Impact via GUI
- #1349 Unable to update Indicator valid_until
- #1341 Ability to edit objects in bulk within the context of a report
- #1271 Add ARM support by building OCTI with multi-arch
Bug Fixes:
- #1354 Lines view under Analysis shows all reports in the system instead of just the relevant ones
Version 4.5.2
Dear community, OpenCTI 4.5.2 has been released π! This is a hotfix for a bug affecting attack patterns management coming from the MITRE connector.
Bug Fixes:
- #1345 Attack patterns standard IDs not correctly generated (merging is not coherent)
Version 4.5.1
Dear community, OpenCTI 4.5.1 has been released π! This version introduces a lot of new features and minor bugfixes π₯³. First of all, as planned in our roadmap, we've tackled our brand new live streaming system π‘, which allows to create as many streams as needed (like TAXII 2.1 collections) π°.
To demonstrate the power of this new system π‘, this release also brings the availability of 2 new and long-awaited connectors: Splunk KV Stores & ElasticSearch SIEM π. Also, the Tanium connector has been entirely refactored to use this new streaming system.
Finally, our Synchronizer connector has been enhanced so we'll soon be able to start working on true exchange communities built on top of OpenCTI instances π°οΈ.
π To know more about the live streams and our event format (STIX 2.1 compliant), don't hesitate to read our dedicated documentation.
Last but not least, this new version also contains some enhancements in the user interface with new capabilities in custom dashboards and investigations. Also, global graphs of knowledge for each entity have been introduced β¨. They gather all the entities and relationships from the reports associated to the concerned entity π.
Next milestones will be focused on improving the overall engagement of OpenCTI users with a refactor of notes, opinions and the introduction of subscriptions and workflows π.
Be careful on the MITRE and the OpenCTI connectors, scopes have been modified.
Enhancements:
- #1334 Extend the Dashboards for "Sector or locations" to the entity "Organistion"
- #1314 Description is not appearing in the Course of Action
- #1313 Score filters for Observables & Indicators
- #1302 Export full indicator via SSE upon deletion
- #1297 Improve platform initialization to prevent concurrency problems
- #1269 OpenCTI fails to start with clean Redis instance
- #1261 Create a relational "master" graph in Intrusion-Set and Threat-Actor menu
- #1232 Implement custom/filtered streams
- #811 Possibility to obtain a synthesis report of knowledge
Bug Fixes:
- #1344 Datetimepicker - wrong language on days header
- #1343 Prevent creation conflict when user have no visibility on element creation
- #1339 Organizations knowledge - Add new observables relationship doesn't work
- #1333 Dashboards - changing the time window has no effect on the shown results
- #1328 TAXII API - Filters (Score greater than) not working
- #1323 First seen and last seen not updated for existing sighting
Version 4.5.0
Dear community, OpenCTI version 4.5.0 has been released π₯³! This new major branch introduces a lot of enhancements and some minor bug fixes ππΌ. We've also started to work on the API side to be able to build in the next versions the expected integrations with a lot of third-party systems π‘.
Among the various new features in this version, more filters are available in the TAXII collection API β¨, it's now possible to upload artifacts in a dedicated section and to quickly display observables sighted in specific organizations or locations. Also, the detection attribute is now automatically disabled when an indicator is expired and LDAP group mapping with platform roles has been implemented π.
We've also migrated the our custom Incident entity type to the new STIX 2.1 standard and enhanced the ability to create relationships between observables (resolves-to, contains, etc.) π¨. Last but not least, the users are now able to pin entities as favorite in some views, which is the very beginning of massive work around analyst centric capabilities, users engagement, comments, subscriptions, etc π¨βπ»π©βπ».
Enhancements:
- #1306 Implement expandable external references panel
- #1299 Ability to Merge Observables of the same type
- #1296 Add Infrastructure in Knowledge section of Threat Actors, Intrusion Sets and Malware
- #1294 Introduce artifacts upload and enrichments/imports
- #1286 Disable attribute "Detection" when an indicator has expired
- #1285 Filter indicators by "Detection" value and by "Score" range
- #1284 Display of attribute "Detection"
- #1283 Display a correct error message when Github login profile have no public email
- #1282 Refactor the knowledge section (and the root section) of organizations & individuals.
- #1243 Add more filters on the export taxii module
- #1235 Its says it has 1 indicator relationships BUT there is nothing listed under Indicators
- #1185 Migrate Incidents to new STIX2.1 official entity
- #1089 Unable to link observable Domain Name to IPv4 Address
- #1049 Export Observables after Filtering by (Report)
- #1007 LDAP Group import
- #861 Changing relationship between two entities on report knowledge graph
- #812 Multiple selection of SDOs in order to link them to another entity
- #614 Support Azure AD integration
- #587 Bookmark items
- #507 Configurable logon banner