Releases: OpenCTI-Platform/opencti
Version 6.3.0
Dear community, we're excited to announce the launch of OpenCTI 6.3! 🥳
This release focuses on solving well-known pains 🎯:
- providing more control & clarity to admins over the ingestion process
- improving application usability by making it easier to ingest and manipulate data
- initiating work toward vulnerability management.
Clarity & control over the ingestion process is a must. Hence the introduction of our Integrated Feeds Ingestion feature 🧠. More and more of you are ingesting data via "integrated" feeds (TAXII, RSS, CSV), and we've worked to give you greater visibility over the data ingestion flow by representing these feeds as a dedicated connector and by allocating a dedicated RabbitMQ queue per ingestion configuration in place of the shared queues (see our deprecation announcements below).
Thanks to this enhancement, you'll be able to identify bottlenecks more quickly and gain real-time insights into your data ingestion flow. 💡
Following up on this pain of providing more control to admins over ingestion, we have introduced a new capability: bypassing custom mandatory fields.
The problem is that the connectors feeding you data do not always provide a specific field that you want your analysts to fill in, which causes entity creation to fail. ❌ With this new capability, you can enforce a custom mandatory attribute only for specific groups of users (your analysts), while allowing others (your connectors) to create data without that field. 🔥
As mentioned in the introduction, we focused on usability. This is why we introduced a new feature: bulk creation 🥇
- Bulk Creation of Entities: For entities that only require a single field, you can now copy and paste a list directly into the platform. This allows for the instant creation of multiple entities at once, eliminating the need for repetitive, step-by-step creation processes.
- Bulk Creation of Relations: In addition, we’ve added the ability to create relationships in bulk, even for entities that don’t yet exist in the platform. This powerful feature, adapted from our Analyst Workbench’s "add context" functionality, streamlines the process of building connections between entities.
Together, these features are designed to save you time and enhance your productivity, enabling you to focus on more critical tasks.
Improving app usability means better identification of the data that matters to you 💡
Every organization has unique data needs, even within different entities of the same company. To meet this, we introduce the new Custom Overview per Entity Type feature.
This allows users to customize each entity’s layout, selecting key information "blocks" to prioritize and adjust their size. It makes it easier to quickly spot and focus on critical data.
Usability also comes from having similar functionalities in similar screens across the app.
First of all, we have introduced list views for Threat Actors, Intrusion Sets, Campaigns & Malware, on top of the existing card view 🪪. This will tremendously help the management of these entities without the need to go to Data > Entities to manage them.
Massive operations have also been added to all Arsenal entities (Malware, Channels, Tools, Vulnerabilities), Narratives and Attack Patterns! In this way, the consistency of operations across the application is greatly enhanced.
Last but not least, you will notice one last update that has been heavily worked on in order to improve application usability: new data tables 🎉
When upgrading to our new version, you'll notice that data tables look different: we have upgraded them. As a result:
- tables now have proper pagination (the page size can be defined) in order to improve loading.
- another long-awaited improvement is the ability to resize each column in order to view long names or values. This makes the app much more usable. 🚀
- additionally, clicking on a column title enables a quick filter: efficiency is key when dealing with loads of data. ❤️🩹
- behind the scenes, this new technology reduces our technical debt and enables future use cases that we can't wait to develop!
As some of you may be aware, we would like to make the vulnerability management process easier in OpenCTI.
The first step toward this goal was to extend our Vulnerability model to support EPSS and CISA KEV attributes. Support for these two pieces of information was highly requested by the community 🔥. Regarding EPSS, an enrichment connector to fill in the data has been created too, see below.
Having these fields was not enough; we also added the ability to use them (like other vulnerability fields) in playbook components to help you build your own vulnerability decision tree 🪄.
While files and workbenches are essential, they can contribute to performance issues over time, since documents pile up in the platform. ❌
Retention Rules for Files and Workbenches: We've added configurable retention rules, which are not enabled by default but can be easily configured. For example, you can implement a one-year policy to automatically delete any file or workbench created over a year ago. This helps prevent outdated data from accumulating and improves overall platform performance. 💯
Administrators have also been heard, with an additional feature, or rather a UX improvement. To ease the management of dashboards, we have also introduced a new tab in the dashboard menu, so you can view only the public dashboards as a list without needing to open each dashboard to find its public versions.
In terms of integrations, a lot of effort has been put into delivering new connectors & improving existing ones.
We already announced it on Slack, but during this release we delivered a new Splunk app 🔥, aiming to:
- seamlessly ingest indicators through an OpenCTI live stream.
- instantly trigger actions in response to alerts and investigate them directly within OpenCTI.
With the OpenCTI Add-on for Splunk, you can leverage comprehensive threat information, improving your ability to detect and respond to security incidents more effectively. More info can be found on : https://splunkbase.splunk.com/app/7485.
To provide more support to our community, we completely refactored the QRadar connector to make it an official Filigran-supported connector. This means we will be able to provide support for this connector if a bug arises. The refactor has also fixed some known bugs, which are listed in the list of issues below.
Being open source also means ensuring that everybody has the capacity to contribute to our codebase. However, in the past, the READMEs & contribution guidelines in our connectors repository were not up to date. We've updated them so that all the documentation is current, allowing everybody to contribute more easily 💪!
As mentioned earlier, we have worked towards helping analysts perform vulnerability management with OpenCTI. To cater to this need, we built an enrichment connector that provides EPSS values 🤘. This connector integrates with the FIRST organisation's API to retrieve the EPSS score of a specific vulnerability. This enrichment connector is of course playbook compatible 🚀
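The two vulnerability paragraphs above (EPSS and KEV attributes usable in playbook components, and the EPSS enrichment connector querying FIRST) are illustrated below with an added example. It is not OpenCTI's or the connector's own code: it parses a response in the shape returned by the FIRST EPSS API (`https://api.first.org/data/v1/epss?cve=...`, whose `data` entries carry `cve`, `epss`, `percentile` and `date` with scores serialised as strings) and runs a small decision tree combining EPSS score and KEV membership. The JSON payload, the KEV set and the CVE identifiers are constructed for the example; the 0.5 EPSS threshold and the three decisions are this example's assumptions, not a recommendation from the project.

```python
"""Added example, not OpenCTI code: EPSS + KEV vulnerability decision tree.

The FIRST EPSS API response below is a constructed sample in the API's
documented shape; the CVE ids, scores and KEV membership are made up."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample of GET https://api.first.org/data/v1/epss?cve=... .
# Note that the API returns the scores as strings, so conversion is explicit.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "status-code": 200,
    "version": "1.0",
    "total": 2,
    "data": [
        {"cve": "CVE-1900-0001", "epss": "0.974320000",
         "percentile": "0.999470000", "date": "2024-09-01"},
        {"cve": "CVE-1900-0002", "epss": "0.000430000",
         "percentile": "0.112300000", "date": "2024-09-01"},
    ],
})

# Constructed stand-in for the CISA KEV catalog (hypothetical ids only).
SAMPLE_KEV = {"CVE-1900-0002"}


@dataclass
class EpssResult:
    cve: str
    epss: float
    percentile: float
    date: str


def parse_epss_response(raw: str) -> dict:
    """Turn the FIRST JSON body into a dict keyed by CVE id.

    Fails closed on a non-OK status rather than silently returning an
    empty map, so an API outage cannot be mistaken for 'no score'."""
    body = json.loads(raw)
    if body.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {body.get('status')!r}")
    results = {}
    for item in body.get("data", []):
        results[item["cve"]] = EpssResult(
            cve=item["cve"],
            epss=float(item["epss"]),
            percentile=float(item["percentile"]),
            date=item["date"],
        )
    return results


def triage(cve: str, epss: Optional[EpssResult], kev: set,
           epss_threshold: float = 0.5) -> tuple:
    """Decision tree in the order a playbook would evaluate it.

    KEV membership wins regardless of EPSS: KEV means exploitation has been
    observed, whereas EPSS is a 30-day exploitation probability estimate.
    Returns (decision, reason)."""
    if cve in kev:
        return "remediate-now", "listed in CISA KEV"
    if epss is None:
        return "review", "no EPSS score available"
    if epss.epss >= epss_threshold:
        return "remediate-now", f"EPSS {epss.epss:.3f} >= {epss_threshold}"
    return "monitor", f"EPSS {epss.epss:.3f} < {epss_threshold}"


def triage_all(raw_epss: str, cves: list, kev: set) -> dict:
    """Score every CVE in `cves`; CVEs missing from the response fall through
    to the 'review' branch instead of being dropped."""
    scores = parse_epss_response(raw_epss)
    return {cve: triage(cve, scores.get(cve), kev) for cve in cves}


if __name__ == "__main__":
    cves = ["CVE-1900-0001", "CVE-1900-0002", "CVE-1900-0003"]
    for cve, (decision, reason) in triage_all(SAMPLE_EPSS_RESPONSE, cves, SAMPLE_KEV).items():
        print(f"{cve}: {decision} ({reason})")
```

The third id is deliberately absent from the sample response: a CVE the API does not know about must not be silently treated as low risk, so it lands in a separate "review" bucket.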
Some connectors have also been reworked (namely Sekoia, CrowdStrike, Mandiant, AlienVault, Recorded Future, CISA KEV) to support our new scheduling and auto-pausing feature, which pauses a connector when its queue gets full.
You'll see new variables in these connectors, "duration_period" & "queue_threshold", which you need to define to enable these features. More details can be found on the respective connector pages.
We also improved the Mandiant connector by providing an option to import malware aliases and by improving campaign import. The campaign import improvement provides more details regarding TTPs (labels, relations with intrusion sets, start & stop times and a description). In essence, we've made sure we import as much data as we can.
To list them all, here are the new connectors delivered in this milestone: Jira, Infoblox, Cisco SMA, Group-IB, Cofense. The detailed list of connectors & improvements is available here: https://github.com/OpenCTI-Platform/connectors/releases?page=1
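As an added illustration of the scheduling and auto-pause behaviour described above (example code, not pycti's or any connector's implementation): the two variable names come from the release notes, but the interpretation of `duration_period` as an ISO 8601 duration such as `PT24H`, the unit of `queue_threshold` (megabytes of pending messages in the connector's RabbitMQ queue) and the order of the checks are this example's assumptions; consult the connector's own page for the real semantics. The sample timestamps and queue sizes are constructed.

```python
"""Added example, not project code: the gate a scheduled connector run would
pass through when duration_period and queue_threshold are configured.
Assumptions: duration_period is an ISO 8601 duration (days/hours/minutes/
seconds subset), queue_threshold is in megabytes of pending messages."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

_ISO_DURATION = re.compile(
    r"^P(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def parse_duration_period(value: str) -> timedelta:
    """Parse the ISO 8601 subset a connector schedule needs.

    Rejects malformed values (e.g. '24h') and zero-length durations so a
    misconfigured connector fails at startup instead of looping or never
    running."""
    m = _ISO_DURATION.match(value.strip().upper())
    if not m:
        raise ValueError(f"invalid duration_period: {value!r}")
    parts = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    td = timedelta(**parts)
    if td <= timedelta(0):
        raise ValueError(f"duration_period must be positive: {value!r}")
    return td


def ts(iso: str) -> datetime:
    """Helper for the examples: naive ISO timestamp -> aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def should_run(now: datetime, last_run: Optional[datetime], duration_period: str,
               queue_size_mb: float, queue_threshold_mb: float) -> tuple:
    """Decide whether a scheduled run should start; returns (run, reason).

    Back-pressure is checked first: if the platform still has more than
    queue_threshold_mb of this connector's messages to consume, the cycle is
    skipped even when it is due, so the queue cannot grow without bound."""
    if queue_size_mb > queue_threshold_mb:
        return False, (f"paused: queue {queue_size_mb:.0f} MB > "
                       f"threshold {queue_threshold_mb:.0f} MB")
    period = parse_duration_period(duration_period)
    if last_run is not None and now - last_run < period:
        return False, f"not due: next run in {period - (now - last_run)}"
    return True, "due"


if __name__ == "__main__":
    # Constructed scenario: a daily connector, last run yesterday at noon.
    last = ts("2024-09-01T12:00:00")
    for now, queue in [(ts("2024-09-02T11:00:00"), 10),
                       (ts("2024-09-02T12:00:00"), 10),
                       (ts("2024-09-02T12:00:00"), 600)]:
        print(now.isoformat(), should_run(now, last, "PT24H", queue, 500))
```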
On a final note, we would like to thank you for your contributions 🙏 to our product, which help make it better: shmztk, Bonsai8863, Fhwang0926, ParamConstructor, VerboseCat, WolfByttner, brett-fitz, mmolenda, Mathieu4141, annoyingapt, DNRRomero, DinkoReversingLabs, pietrocapece, sari3l, bradchiappetta, debelyoo, uTomasAnderson, leitosama, XGREENi3, sudesh0sudesh, cert-orangecyberdefense, cmandich, obideuce, sda06407, Obdam, piolug93, daemitus, polakovicp, julienloizelet, khalidelborai, Renizmy, curiouspython1!
Of course, a huge thank you to all for your contributions 🥇
We hope this release will please you! Feel free to drop us a note about anything. We're always happy to get feedback about your usage of our product, whether it's to hear that everything works perfectly or to get some improvement ideas.
Deprecation announcements
The RabbitMQ “push_sync...
Version 6.2.18
Bug Fixes:
- #8129 User overview light theme hidden entities tiles
- #8116 [CSV Mapper] When having error, "Create" button is disabled
- #7964 Bulk Search - inconsistent results involving HashedObservable objects
- #7793 TAXII2 pagination incorrectly sets more to false if MAX_TAXII_PAGINATION > ES_DEFAULT_PAGINATION
- #7623 [Bulk search] The column ordering doesn't work
- #6758 [Workbench] Campaign object unrecognized in relationships
Full Changelog: 6.2.17...6.2.18
Version 6.2.17
Bug Fixes:
- #8205 app.base_path configuration is not working anymore (default empty works fine)
- #8011 When a user is administrator of an organization, he should be able to manage the users of this organization (enable / disable)
- #7651 Unable to scroll a large markdown content file in preview mode
Full Changelog: 6.2.16...6.2.17
Version 6.2.16
Bug Fixes:
- #8182 Order of kill chain phases are lost after dataset is updated
- #8150 [Retention policy] Entities are not deleted
- #8013 Error when creating a user in my organisation as an organisation administrator
- #7951 Float values are not exported on csv
Full Changelog: 6.2.15...6.2.16
Version 6.2.15
Bug Fixes:
- #8134 UI Bug: Limited File Display and Missing Scrollbar in File Upload & Import Interfaces
- #8124 Rule engine list view is crashing (out of memory)
- #8122 When editing a user administrator of an organization, error is raised
- #8113 [UI] "Distribution of opinions" is not fully displayed
- #8053 [Taxonomies] Problem adding aliases to open vocab
- #7885 History is not correct when you impact the score with a background task
- #7682 Changing "Organizations" in a user make the page full re-render and close the drawer
- #7656 Manipulating organizations in the user edit panel is very slow / triggering errors
- #7559 Diamond model captures scroll action for zooming rather than page scrolling
Pull Requests:
- [backend] Fix migration timestamp (#6509) by @lndrtrbn in #8112
- [backend] Fix UI issue when changing organization in a user (#7682) by @CelineSebe in #8054
- Update vitest monorepo to v2 (major) by @renovate in #8111
- Update dependency uuid to v10 by @renovate in #8110
- Update dependency @testing-library/react to v16 by @renovate in #8107
- Update dependency tap to v21 by @renovate in #8109
- [backend] History is not correct when you impact the score with a background task (#7885) by @ValentinBouzinFiligran in #8118
- [frontend] roll back apexcharts to 3.51.0 (#8124) by @labo-flg in #8126
- [backend/frontend] enable custom overview layout for most entities (#6724) by @labo-flg in #8010
- [frontend] display alias value in place of alias label in form field (#8053) by @frapuks in #8130
- [frontend] allow transparent background Radar option (#8113) by @frapuks in #8136
- [frontend] Diamond view : disable zoom on scroll (#7559) by @lndrtrbn in #8056
Full Changelog: 6.2.14...6.2.15
Version 6.2.14
Enhancements:
- #8092 Be able to define time unit for retention policies
Bug Fixes:
- #8103 Merge is broken on Data>Entities screen
- #8070 Apollo errors for version 4 refactor to comply with previous version
- #8055 When a user is administrator of an organization, he should be able to create users for this organization
- #8027 Lines in connectors list are not vertically centered correctly like other lists
- #8026 Display of reliability is not correct
- #8022 Some x_opencti_linked-to ref relations weren't cleaned properly, causing schema validations error on impacted entities
- #8020 Timeout error when ingesting certain complex bundle
- #7329 Effect of drawer is not correct in Update dropdown on "latest relationships" widget in the overview of entities
Pull Requests:
- [backend] Trial for improving import page by @Kedae in #8031
- Update dependency axios to v1.7.4 [SECURITY] by @renovate in #8024
- [backend] lower verbosity of feature flag logs by @labo-flg in #8029
- Update dependency file-type to v19.4.1 by @renovate in #8044
- [frontend] display reliability in one line (#8026) by @frapuks in #8036
- Update dependency apexcharts to v3.52.0 by @renovate in #8043
- Update dependency i18n-auto-translation to v1.6.2 by @renovate in #8047
- Update aws-sdk-js-v3 monorepo to v3.632.0 by @renovate in #8042
- Update dependency loader-utils to v3.3.1 by @renovate in #8048
- Update dependency filigran-ui to v0.13.0 by @renovate in #8045
- [frontend] lines in connector centered vertically (#8027) by @frapuks in #8049
- Update Yarn to v4.4.0 by @renovate in #8041
- Update docker.elastic.co/elasticsearch/elasticsearch Docker tag to v8.15.0 by @renovate in #8059
- Update quay.io/keycloak/keycloak Docker tag to v23.0.7 by @renovate in #8062
- Update material-ui monorepo to v5.16.7 by @renovate in #8061
- Update dependency lru-cache to v10.4.3 by @renovate in #8074
- Update dependency openai to v4.56.0 by @renovate in #8075
- Update dependency @types/react to v18.3.3 by @renovate in #8076
- Update aws-sdk-js-v3 monorepo to v3.633.0 by @renovate in #8077
- Update dependency @elastic/elasticsearch to v8.15.0 by @renovate in #8078
- Update dependency @types/node to v20.16.1 by @renovate in #8079
- Update dependency react-router-dom to v6.26.1 by @renovate in #8080
- Update dependency axios-cookiejar-support to v5.0.2 by @renovate in #8081
- Update graphql-tools monorepo by @renovate in #8082
- Update dependency webpack to v5.93.0 by @renovate in #8084
- Update dependency lru-cache to v11 by @renovate in #8085
- Update dependency ws to v8.18.0 by @renovate in #8087
- Update dependency esbuild to v0.23.1 by @renovate in #8088
- Update dependency @escape.tech/graphql-armor to v3 by @renovate in #8089
- Update quay.io/keycloak/keycloak Docker tag to v25 by @renovate in #8091
- Update docker/build-push-action action to v6 by @renovate in #8090
- Update dependency ramda to v0.30.1 by @renovate in #8093
- Update dependency winston to v3.14.2 by @renovate in #8094
- Update graphqlcodegenerator monorepo by @renovate in #8095
- [backend] Fix log by @Kedae in #8099
- [frontend] Fix toolbar for merge on entities (#8103) by @Kedae in #8104
- [backend] added migration for missed linked-to refs by @JeremyCloarec in #8100
- [frontend/backend] Dashboard refacto - split view between dashboard and public dashboards by @CelineSebe in #7702
Full Changelog: 6.2.13...6.2.14
Version 6.2.13
Bug Fixes:
- #7988 CSV Ingestion manager - No ingestion made even if file has changed
- #7968 Useless error message at nested relationship start time edition
- #7946 Data components contextual creation design
- #7940 Error at attack patterns detection edition
- #7907 [Workbench] Can't create relationship with Area entity type
- #7842 Platform is flooded with sessions when stopping a stream consumed by other remote platforms
- #7837 Kill "all" session button is not working anymore in the user overview
- #7798 Sorting not working in Workbench entities list
- #7737 Missing captions when downloading widgets in dark mode
Pull Requests:
- [backend/frontend] Fix Kill all session button in the user overview (#7837) by @CelineSebe in #7959
- [backend/frontend] add sorting on retention rules view (#7482) by @Archidoit in #7956
- [frontend] Disable labels and in_platform sorting in Workbench content (#7798) by @Archidoit in #7960
- [frontend] fix detection field focus in Attack Pattern edition form (#7940) by @Archidoit in #7958
- [backend] Add logs in CSV ingestion manager by @lndrtrbn in #7981
- [backend] Kill session on synchro when an HTTP error is send to client. (#7842) by @aHenryJard in #7980
- [backend] Allow iframe usage for public dashboard (#7756) by @aHenryJard in #7783
- [backend] Change how CSV Ingestion hashes are generated (#7988) by @lndrtrbn in #7990
- [backend] fix entity organization sharing for users outside platform organization (#7974) by @JeremyCloarec in #7991
- [backend/frontend] Configure TAI overview layout from settings (#6724) by @labo-flg in #7969
- [frontend] change chart's background color (#7737) by @frapuks in #7985
- [frontend] [Workbench] Can't create relationship with Area entity type (#7907) by @SarahBocognano in #8002
- [frontend] Fix Simulation again by @Kedae in #8018
- [frontend] start and stop time edition for nested ref (#7968) by @Archidoit in #8008
Full Changelog: 6.2.12...6.2.13
Version 6.2.12
Bug Fixes:
- #7975 Stream consume with inferences error too_long_http_line_exception
- #7945 Bypass External Ref not working as expecting
- #7939 Button to share with an Organization has disappeared from Incident Response Case entities
- #7910 [Workbench] "Directory" Observable type not recognized by the workbenches
- #7869 Attack patterns details not compliant with "empty" signs "-"
- #7866 Duplicates exist in the Korean translation.
- #6517 "is not empty" operator does not work on CPE attribute
Pull Requests:
- Update dependency analytics to v0.8.14 by @renovate in #7915
- Update redis Docker tag to v7.4.0 by @renovate in #7933
- Update material-ui monorepo by @renovate in #7932
- Update emotion monorepo to v11.13.0 by @renovate in #7931
- Update dependency tap to v18.8.0 by @renovate in #7928
- Update dependency mdi-material-ui to v7.9.1 by @renovate in #7927
- Update dependency turndown to v7.2.0 by @renovate in #7929
- [frontend] directory default value in workbench (#7910) by @Archidoit in #7936
- [backend/frontend] Retention rules for files and workbench (#7482) by @Archidoit in #7698
- [frontend] authorize Case Incident organization sharing (#7939) by @Archidoit in #7941
- [backend] nil filter operators for empty strings and dates (#6517) by @Archidoit in #6550
- [frontend] fix attack patterns details with not "empty" signs "-" (#7869) by @CelineSebe in #7909
- [frontend] Duplicates exist in the Korean translation (#7866) by @SarahBocognano in #7938
- [backend] Add feature flag for active users count (#7943) by @SouadHadjiat in #7947
- [frontend/backend] Connector queuing auto backpressure (#6325) by @Megafredo in #7658
- [backend] Edit customization through the API (#6724) by @Goumies in #7825
- [frontend] Add in bulk entities and some observables in knowledge and containers tabs (#4352) by @lndrtrbn in #7800
- [frontend/backend] Add EPSS Support for Vulnerability Entity (#3568) by @ValentinBouzinFiligran in #7802
- [backend] Fix Bypass external ref issue (#7945) by @Kedae in #7949
- [backend] Disable count active users (#7943) by @SouadHadjiat in #7963
- [frontend] properly set light theme primary color (#7934) by @defendable-ole in #7935
- Update dependency typescript to v5.5.4 by @renovate in #7930
- [backend] Fix too_long_http_line_exception error on splunk stream (#7975) by @SouadHadjiat in #7976
New Contributors:
- @defendable-ole made their first contribution in #7935
Full Changelog: 6.2.11...6.2.12
Version 6.2.11
Bug Fixes:
- #7920 [Filter] Impossible to filter by marking
- #7914 Can't export observables
- #7905 Can no longer access the "Data" tab of an Incident
- #7904 Header + Simulation layout broken in reports / cases
- #7926 On components, new STIX filters are not working anymore
Pull Requests:
- [frontend] Cleaning up unused props by @CelineSebe in #7912
- [frontend] Fix simulation alignment (#7904) by @Kedae in #7913
- Update dependency reactflow to v11.11.4 by @renovate in #7916
- Update dependency tough-cookie to v4.1.4 by @renovate in #7918
- [frontend/e2e] attempt to remove flake on backgroundTask test (#7378) by @aHenryJard in #7861
- [frontend] Allow Users to Add an Entity as Context When Uploading File by @VerboseCat in #7195
- [frontend/backend] Fix default value of variable "first" that cannot be null (#7905) by @lndrtrbn in #7911
- [frontend] Remove flaky background test by @Kedae in #7923
- Update dependency semver to v7.6.3 by @renovate in #7917
New Contributors:
- @VerboseCat made their first contribution in #7195
Full Changelog: 6.2.10...6.2.11
Version 6.2.10
Bug Fixes:
- #7870 Massive operation toolbar incorrect icons in trash
Pull Requests:
- Update dependency react-cookie to v7.2.0 by @renovate in #7877
- Update dependency file-type to v19.3.0 by @renovate in #7875
- Update dependency react-router-dom to v6.25.1 by @renovate in #7878
- Update dependency @opensearch-project/opensearch to v2.11.0 by @renovate in #7881
- Update dependency filigran-ui to v0.12.1 by @renovate in #7876
- Update dependency @vitejs/plugin-react to v4.3.1 by @renovate in #7884
- [frontend/backend] Add authorized members on caseIncident (#4538) by @marieflorescontact in #7773
- Update dependency @types/react-test-renderer to v18.3.0 by @renovate in #7883
- [frontend] Incorrect icons in massive operation toolbar are removed in trash (#7870) by @CelineSebe in #7873
- Update dependency @playwright/test to v1.45.3 by @renovate in #7882
- Update dependency ajv to v8.17.1 by @renovate in #7886
- Update dependency apexcharts to v3.51.0 by @renovate in #7887
- Update dependency convert to v5.3.0 by @renovate in #7888
- Update dependency eslint-plugin-jsx-a11y to v6.9.0 by @renovate in #7890
- Update dependency esbuild to v0.23.0 by @renovate in #7889
- Update Node.js to v20.16.0 by @renovate in #7891
- Update aws-sdk-js-v3 monorepo to v3.621.0 by @renovate in #7893
- Update Yarn to v4.3.1 by @renovate in #7892
Full Changelog: 6.2.9...6.2.10