Skip to content

Releases: OpenCTI-Platform/opencti

Version 6.3.0

17 Sep 15:23
558e6c1
Compare
Choose a tag to compare

Dear community, we're excited to announce the launch of OpenCTI 6.3! 🥳

This released has been focused on solving well known pains 🎯 :

  • providing more control & clarity to admins related to the ingestion process
  • improve application usability by making it easier to ingest
  • manipulate data and initiating work toward vulnerability management.

Clarity & control over the ingestion process is a must. Hence the introduction of our feature Integrated feeds Ingestion 🧠*.* More and more of you are ingesting data via “integrated” feeds (TAXII, RSS, CSV), and we've worked to give you greater visibility over the data ingestion flow by representing these feeds in the form of a dedicated connector and by allocating dedicated RabbitMQ queues per ingestion configurations in place of common queues (see our depreciation announcements).

Thanks to this enhancement, you'll be able to identify bottlenecks more quickly and gain real-time insights into your data ingestion flow. 💡

Following up on this pain of providing more control to admins over the ingestion, we have introduced a new capability: bypass custom mandatory fields.

The problem is that your connectors providing you data do no always have a a specific field that you want your analyst to provide, which results in failing the creation of entity. ❌ As a result, thanks to this new capability, you will be able to enforce this custom mandatory attribute only for specific groups of users (your analysts), while allowing others (your connectors) to be able to create data without a specific field. 🔥

As mentioned in introduction, we focused on usability. This is why we introduced a new feature: bulk creation 🥇

  1. Bulk Creation of Entities: For entities that only require a single field, you can now copy and paste a list directly into the platform. This allows for the instant creation of multiple entities at once, eliminating the need for repetitive, step-by-step creation processes.
  2. Bulk Creation of Relations: In addition, we’ve added the ability to create relationships in bulk, even for entities that don’t yet exist in the platform. This powerful feature, adapted from our Analyst Workbench’s "add context" functionality, streamlines the process of building connections between entities.

Together, these features are designed to save you time and enhance your productivity, enabling you to focus on more critical tasks.

Improving app usability means better identification of the data that matters to you 💡

Every organization has unique data needs, even within different entities of the same company. To meet this, we introduce the new Custom Overview per Entity Type feature.

This allows users to customize each entity’s layout, selecting key information "blocks" to prioritize and adjust their size. It makes it easier to quickly spot and focus on critical data.

Usability also comes from having similar functionalities in similar screens across the app.

First of all, we have introduced List views for Threat Actors, Intrusion Sets, Campaigns & Malware, on the top of the existing card view 🪪. This will tremendously help the management of these entities without the need to go in data/entities to manage them.

Massive operations have also been added to all Arsenal entities (Malware, Channels, Tools, Vulnerability), Narratives and Attack Patterns! In this way, the consistency of operations across the application is greatly enhanced.

Last but not least, you will notice one last update that has been heavily worked in order to improve our application usability: New data tables 🎉

When upgrading to our new version, you’ll notice that data table look different: we have upgraded them. As a result, you’ll notice that:

  • the table will introduce proper pagination (size of each page can be defined) in order to improve loading.
  • another long awaited improvement is the ability to resize each columns in order to view long names or values. This would make the usability of our app way better. 🚀
  • Additionally, when clicking on one of the columns title, you’ll enable a quick filter: efficiency is key when dealing with loads of data. ❤️‍🩹
  • Behind the scenes, this new technology reduce our technical debt and enable future use cases that we can’t wait to develop!

As some of you may be aware, we would like to make easier the vulnerability management process in OpenCTI.

The first step to achieve this goal was to extend our Vulnerability model to support EPSS and CISA KEV attributes. Support of these two information were highly requested by the community🔥. Regarding EPSS, an enrichment connector to fill the data has been created too, see below.

Having these fields was not enough, we also added the ability to use them (like other vulnerability fields) in playbook components to help you build your own vulnerability decision tree 🪄.

While files and workbenches are essential, they can contribute to performance issues over time, since documents are piling up in the platform. ❌

Retention Rules for Files and Workbenches: We’ve added configurable retention rules, which are not set by default but can be easily customized. For example, you can implement a one-year policy to automatically delete any file or workbench created over a year ago. This helps prevent outdated data from accumulating and improves overall platform performance. 💯

Administrators have also been heard with an additional feature, or rather a UX improvement. To ease management of dashboard we have also introduce a new tab in the dashboard menu, to be able to view only the public dashboards as list without needing to enter in each dashboard to view the corresponding dashboards.

In terms of integrations, lots of effort has been put to deliver new connectors & improvements of existing connectors.

We already announced it on slack, but during this release, we delivered a new Splunk app 🔥, aiming to:

  • seamlessly ingest indicators through an OpenCTI live stream.
  • Instantly trigger actions in response to alerts and investigate them directly within OpenCTI.

With the OpenCTI Add-on for Splunk, you can leverage comprehensive threat information, improving your ability to detect and respond to security incidents more effectively. More info can be found on : https://splunkbase.splunk.com/app/7485.

To provide more support to our community, we completely refactored the Qradar connector to become an official Filigran support connector. This means that we will be able to provide support on this connector if a bug arise. The refactor has also fixed some known bugs, which are listed in the below list of issues.

Being open source also means ensuring that everybody has the capacity to contribute to our codebase. However, in the past, our readmes & guidelines to contribute in our connector repository were not up to date. We’ve made some effort to update it so that all the documentation is up to date, allowing everybody to bring their own contribution more easily 💪!

As mentioned earlier, we have worked towards helping analysts to perform vulnerability management with OpenCTI. To cater this need, we built an enrichment connector to provide values for EPSS 🤘This connector integrates with the organisation “FIRST” API, aiming to retrieve EPSS values about a specific vulnerability. This enrichment connector is of course playbook compatible 🚀

Some connectors have also been reworked (namely Sekoia, Crowdstrike, Mandiant, AlienVault, Recorded Future, CISA KEV) to support our new scheduling and auto-pausing feature that will pause your connector when its queue gets full.
You’ll see in these connectors new variables "duration_period" & "queue_threshold" that you need to define to enable these features. More details can be found in the respective connector pages.

We also improved the Mandiant connector by providing an option to import aliases of malwares & improve campaigns import. Campaigns import improvement provide more details regarding TTPs (labels, relation with intrusion sets, start & stop time & addition of description). In essence, we’ve made sure that we import as much data as we can.

To list them all, here are all the new connectors delivered in the milestone: Jira, Infloblox, Cisco SMA, Group IB, Cofense. The detailed list of connectors & improvement is available here: ****https://github.com/OpenCTI-Platform/connectors/releases?page=1

On a finish note, we would like to thank you for your contributions 🙏 to our product, that helps making our product better: shmztk, Bonsai8863, Fhwang0926, ParamConstructor, VerboseCat, WolfByttner, brett-fitz, mmolenda, Mathieu4141, annoyingapt, DNRRomero, DinkoReversingLabs, pietrocapece, sari3l, bradchiappetta, debelyoo, uTomasAnderson, leitosama, XGREENi3, sudesh0sudesh, cert-orangecyberdefense, cmandich, obideuce, sda06407, Obdam, piolug93, daemitus, polakovicp, julienloizelet, khalidelborai, Renizmy, curiouspython1!

Of course, a huge thank you to all for your contributions 🥇

We hope this release will please you! Feel free to drop us a note about anything. We’re always happy to get feedback about our product usage, whether it’s to hear that everything works perfectly or to get some improvement ideas to.

Depreciation announcements

The RabbitMQ “push_sync...

Read more

Version 6.2.18

30 Aug 18:08
337f272
Compare
Choose a tag to compare

Bug Fixes:

  • #8129 User overview light theme hidden entities tiles
  • #8116 [CSV Mapper] When having error, "Create" button is disabled
  • #7964 Bulk Search - inconsistent results involving HashedObservable objects
  • #7793 TAXII2 pagination incorrectly sets more to false if MAX_TAXII_PAGINATION > ES_DEFAULT_PAGINATION
  • #7623 [Bulk search] The column ordering doesn't work
  • #6758 [Workbench] Campaign object unrecognized in relationships

Full Changelog: 6.2.17...6.2.18

Version 6.2.17

30 Aug 11:24
c599e1a
Compare
Choose a tag to compare

Bug Fixes:

  • #8205 app.base_path configuration is not working anymore (default empty works fine)
  • #8011 When a user is administrator of an organization, he should be able to manage the users of this organization (enable / disable)
  • #7651 Unable to scroll a large markdown content file in preview mode

Full Changelog: 6.2.16...6.2.17

Version 6.2.16

29 Aug 09:34
5706d91
Compare
Choose a tag to compare

Bug Fixes:

  • #8182 Order of kill chain phases are lost after dataset is updated
  • #8150 [Retention policy] Entities are not deleted
  • #8013 Error when creating a user in my organisation as an organisation administrator
  • #7951 Float values are not exported on csv

Full Changelog: 6.2.15...6.2.16

Version 6.2.15

23 Aug 09:20
738cc69
Compare
Choose a tag to compare

Bug Fixes:

  • #8134 UI Bug: Limited File Display and Missing Scrollbar in File Upload & Import Interfaces
  • #8124 Rule engine list view is crashing (out of memory)
  • #8122 When editing a user administrator of an organization, error is raised
  • #8113 [UI] "Distribution of opinions" is not fully displayed
  • #8053 [Taxonomies] Problem adding aliases to open vocab
  • #7885 History is not correct when you impact the score with a background task
  • #7682 Changing "Organizations" in a user make the page full re-render and close the drawer
  • #7656 Manipulating organizations in the user edit panel is very slow / triggering errors
  • #7559 Diamond model captures scroll action for zooming rather than page scrolling

Pull Requests:

Full Changelog: 6.2.14...6.2.15

Version 6.2.14

20 Aug 05:05
62049d4
Compare
Choose a tag to compare

Enhancements:

  • #8092 Be able to define time unit for retention policies

Bug Fixes:

  • #8103 Merge is broken on Data>Entities screen
  • #8070 Apollo errors for version 4 refactor to comply with previous version
  • #8055 When a user is administrator of an organization, he should be able to create users for this organization
  • #8027 Lines in connectors list are not vertically centered correctly like other lists
  • #8026 Display of reliability is not correct
  • #8022 Some x_opencti_linked-to ref relations weren't cleaned properly, causing schema validations error on impacted entities
  • #8020 Timeout error when ingesting certain complex bundle
  • #7329 Effect of drawer is not correct in Update dropdown on "latest relationships" widget in the overview of entities

Pull Requests:

Full Changelog: 6.2.13...6.2.14

Version 6.2.13

13 Aug 10:53
62fb3f0
Compare
Choose a tag to compare

Bug Fixes:

  • #7988 CSV Ingestion manager - No ingestion made even if file has changed
  • #7968 Useless error message at nested relationship start time edition
  • #7946 Data components contextual creation design
  • #7940 Error at attack patterns detection edition
  • #7907 [Workbench] Can't create relationship with Area entity type
  • #7842 Platform is flooded with sessions when stopping a stream consumed by other remote platforms
  • #7837 Kill "all" session button is not working anymore in the user overview
  • #7798 Sorting not working in Workbench entities list
  • #7737 Missing captions when downloading widgets in dark mode

Pull Requests:

Full Changelog: 6.2.12...6.2.13

Version 6.2.12

07 Aug 15:18
8ac5be1
Compare
Choose a tag to compare

Bug Fixes:

  • #7975 Stream consume with inferences error too_long_http_line_exception
  • #7945 Bypass External Ref not working as expecting
  • #7939 Button to share with an Organization has disappeared from Incident Response Case entities
  • #7910 [Workbench] "Directory" Observable type not recognized by the workbenches
  • #7869 Attack patterns details not compliant with "empty" signs "-"
  • #7866 Duplicates exist in the Korean translation.
  • #6517 "is not empty" operator does not work on CPE attribute

Pull Requests:

New Contributors:

Full Changelog: 6.2.11...6.2.12

Version 6.2.11

01 Aug 23:42
b6391c8
Compare
Choose a tag to compare

Bug Fixes:

  • #7920 [Filter] Impossible to filter by marking
  • #7914 Can't export observables
  • #7905 Can no longer access the "Data" tab of an Incident
  • #7904 Header + Simulation layout broken in reports / cases
  • #7926 On components, new STIX filters are not working anymore

Pull Requests:

New Contributors:

Full Changelog: 6.2.10...6.2.11

Version 6.2.10

31 Jul 22:38
4f9f13c
Compare
Choose a tag to compare

Bug Fixes:

  • #7870 Massive operation toolbar incorrect icons in trash

Pull Requests:

Full Changelog: 6.2.9...6.2.10