Version 6.2.2

Enhancements:

• #7581 Can't contextually create a malware analysis
• #7519 Marking chips are missing a tooltip for when text is truncated

Bug Fixes:

• #7603 Remove wrong label & tooltip in export popup
• #7600 Redis in single mode won't let user select DB
• #7591 The new loader should not be used at it is not ready
• #7587 [ExportFileCsv] Unable to choose user access filter for CSV feed when no English language is in use
• #7543 Inferred relationships cannot be shared with organization manually
• #7529 Incorrect space in the data / import section view between breadcrumb and content
• #7525 Incorrect placeholder in Security / Organizations list
• #7512 User not logged out when session is expires
• #7459 Invalid correlated cases when correlating an incident response with a request for information case
• #7447 In rules, panel is not correctly aligned
• #7383 Not possible to update a relation between a relation and an attack pattern
• #7346 Create Threat Actor Individual in workbench is converter to group

Pull Requests:

• [frontend] Incorrect space in the data / import section view between breadcrumb and content (#7529) by @SarahBocognano in #7585
• [frontend] correlated cases display in cases overview (#7459) by @Archidoit in #7579
• [frontend] In rules, panel is not correctly aligned (#7447) by @SarahBocognano in #7583
• Update dependency http-proxy-middleware to v3 by @renovate in #7140
• [frontend] Not possible to update a relation between a relation and an attack pattern (#7383) by @ValentinBouzinFiligran in #7578
• [frontend] add tooltips to marking chips (#7519) by @labo-flg in #7548
• [frontend] allow to create Malware-Analyses and Tasks from knowledge tab (#7581) by @labo-flg in #7590
• [frontend] remove wrong label & tooltip in export dialog (#7603) by @SouadHadjiat in #7604
• [frontend] Incorrect placeholder in Security / Organizations list (#7525) by @SarahBocognano in #7601
• [frontend] Fix toggle shift and Loader (#5405) by @Kedae in #7595
• [frontend] enable to share inferred relationships with organizations in ui (#7543) by @Archidoit in #7596
• [Frontend] Fix iddle logout (#7512) by @Kedae in #7550
• [frontend] Fix add threat actor individual in workbench (#7346) by @marieflorescontact in #7573
• [frontend] Fix Feed creation with authorized members (#7587) by @Kedae in #7613
• [ci] Fix e2e stix data and add extended error to CI (#7611) by @aHenryJard in #7612

Full Changelog: 6.2.1...6.2.2

Version 6.2.1

Enhancements:

• #7443 POC on Bulk creation of SDO/SCO with Copy/Pasting: bulk create relationship
• #6704 Test E2E of dashboards
• #6607 Change depending on the selected language
• #6606 Change page title when navigating across the platform

Bug Fixes:

• #7580 In light mode, history is not displayed correctly anymore
• #7562 Incorrect file name when exporting diamond model in PNG or PDF
• #7558 Issue on CI at e2e tests step
• #7545 Creating indicator from observable works, but the UI freezes and needs to be reloaded
• #7538 Add back unique colours to observables types in the observable view
• #7530 File indexing page is too slow to be production grade ready
• #7382 Artifact cannot be delete from trash if the referenced file is missing on S3
• #7344 Issue with public dashboard name and case sensitivity
• #7287 In Threat => Knowledge => Attack patterns: Still old style filters box
• #7215 [Bulk search] Sorting on the columns doesn't work
• #7214 [Bulk search] Odd behavior of the bulk search
• #7182 Sightings entity type column doesn't correspond to entity type filter
• #6922 Malware Analysis displayed as Unknown in relationship list widget
• #6870 Bulk update allow irrelevant actions
• #6865 Last created relationship with a relationship displayed as Unknown
• #6494 Labels display doesn't work
• #6074 The way to handle external ref is inconsistent

Pull Requests:

• Update opentelemetry-js monorepo by @renovate in #7466
• [frontend] E2E tests on Dashboard - chunk 2 (#6704) by @lndrtrbn in #7368
• [frontend] restore observable singular colors (#7538) by @labo-flg in #7551
• [Frontend] Fix labels list (#6494) by @Kedae in #7518
• [Frontend] Add new data tables & apply them in feature flag in addition to Cards views (#5405) by @Kedae in #7516
• [drone] remove python caching causing issue with playwright by @labo-flg in #7564
• [frontend] Fix [Bulk search] Sorting on the columns doesn't work (#7215) by @SarahBocognano in #7513
• [Frontend] Fix on columns (#5405) by @Kedae in #7560
• [frontend] New filters in Threat>Knowledge>Attack Patterns (#7287) by @Archidoit in #7492
• [frontend] score bulk update only authorized on entity types with score (#6870) by @Archidoit in #7549
• [frontend] fix duplicates in Bulk Search (#7214) by @Archidoit in #7552
• [backend/frontend] Issue with public dashboard name and case sensitivity (#7344) by @SarahBocognano in #7554
• [frontend] Creating indicator from observable works, but the UI freezes and needs to be reloaded (#7545) by @ValentinBouzinFiligran in #7567
• [frontend] Bulk create relationship in container context (#7443) by @ValentinBouzinFiligran in #7242
• [frontend] simple stix object relationship fragment update (#6865) by @ValentinBouzinFiligran in #7472
• [backend] improve file indexing metrics performance (#7530) by @SouadHadjiat in #7556
• [frontend] Initial approach to dynamic update of Title and Language for pages by @ParamConstructor in #7374
• [frontend/backend] source and target filters for sightings (#7182) by @Archidoit in #7563
• [backend/frontend] Update on data tables columns (#5405) by @Kedae in #7576
• [frontend] Malware Analysis displayed as Unknown in relationship list widget (#6922) by @ValentinBouzinFiligran in #7553
• [frontend] Fix colors (#7580) by @Kedae in #7584
• [frontend] fix handling of references enforcment in containers by @JeremyCloarec in #6727

Full Changelog: 6.2.0...6.2.1

Version 6.2.0

Dear community, we're excited to announce the launch of OpenCTI 6.2! 🥳This update focuses on three main use cases: improving the platform usability to reduce analyst fatigue, aiding administrators in managing the application, and enhancing customization to cater to your needs.

In Cyber Threat Intelligence, there are a lot of ways to display and analyse characteristics of a threat, phase of attacks, and so on. Among them, the Diamond Model is a well known and useful analytic framework, but one that can be hard to harness and produce. OpenCTI 6.2 introduces an automatically generated Diamond Model for each Threats in the platform and each Incidents! 💎 This new view, accessible in the Knowledge tab of the entity, is based on all the knowle7dge accumulated around it. No manual work is required here and you can focus your precious time on analyzing the subject through the Diamond Model analytical framework! 🧠

Extracting structured knowledge from documents is a tedious and time-consuming task. Therefore, we've moved the content mapping to the content section for logical consistency and have improved the UX to be clearer and simpler to use. It is now available for all containers. 🤩 We've also added an auto-saving of the content, eliminating the need to manually save your work. 💾 Note that this auto-saving is not implemented for files you modify here, at the moment.
To further ease the process of mapping each entity within text content, we've introduced automatic mapping! This feature will recognize entities that already exist on your platform. Currently, there is no magic. Mapping suggestion are based on the current capability of the ImportDocument connector (used also when you generate an Analyst Workbench from the import of a file) and there is still noise created. This is our first step towards an AI-assisted (NLP) automatic mapping that will ensure smarter extraction and less noise! 🪄

In OpenCTI 6.2, we've also made it possible to automate the creation of Analyst Workbenches for External Reference coming from a specific source. For example, it can be used to automatically create an Analyst Workbench for Reports coming from an RSS feed, automating the ingestion process while ensuring data correctness. The RSS feed triggers the external ref connector, which triggers the import document, resulting in workbenches created for each new incoming report. 💯

For our Entreprise Edition users, we have also enhanced “Ask AI” functionality: it can now leverage files uploaded from External References! 💡

Talking about ingestion, we've enhanced the CSV feed ingestion with a feature that uses the default value set in your CSV mapper to populate the marking. This simplifies data classification control and ensures that only users with sufficient marking can access data imported from CSV feeds.

On the administrative side, the Role-Based Access Control (RBAC) capabilities have been reworked to allow administrators to manage access in a more granular way. This long awaited feature will help administrators to better control who has access to what. Each menus of the Settings are now linked to a specific Capability and now an administrator can grant management of labels to a user without granting them the ability to change the interface. 🔒
We've also introduced a new "Access security activity" capability that allows to see logs related to security related events. Without this capability, a user can only view events related to modification and access of Knowledge entities.

Some sources provide Reports containing Observables for characterizing potentially malicious events. Based on that, analyst can decide these technical elements are characteristic of an attack and want to send them for further security actions (detection for example). Best practice is to send Indicators, not Observables. With OpenCTI 6.2, it is now possible to easily add Indicators related to the contained Observables when you promote these Observables via massive operations’ toolbar! 🔥

Sharing has also been improved! Now, you can also decide whether relationships created from inference rules should be shared in the TAXII collection when creating a new one. Additionally, 6.2 introduces the ability to use Organization sharing through massive operations directly! Now, you can simply select all entities you want to share with a specific Organization and click on 'share' ! 🥰

In terms of integration, administrators can now clear the queue of a connector if it gets stuck, enhancing performance management.

The Crowdstrike Feed connector has been improved to use FalconPy library when importing Threats, Reports, and also YARA and SNORT rules! Community members brought also a lot of value with the development of connectors for Red Flag Domains (external-import), ShadowServer foundation (external-import) and ReversingLabs (internal-enrichment). The Zerofox connector has also been improved! Thanks a lot! ♥️

We're eager for your feedback on these enhancements!

⚠️ Breaking changes

Since OpenCTI version 6.2 there is an upgrade of passport-saml library that implies that for platform using SAML provider:

• Document signatures are now required by default. Setting wantAuthenResponseSigned=false disables this feature and restores the prior, less secure behavior
• Require all assertions be signed; new option wantAssertionsSigned can be set to false to enabled the older, less secure behavior.

It means that if it’s not already done, you should generate certificates and configure the SAML identity provider in a secure way. Or else in OpenCTI configuration parameters want_authn_response_signed and/or want_assertions_signed can be set to false:

• PROVIDERS__SAML__CONFIG__WANT_AUTHN_RESPONSE_SIGNED=false
• PROVIDERS__SAML__CONFIG__WANT_ASSERTIONS_SIGNED=false

Please read the passport-saml detailed changelog for more details.

Enhancements:

• #6836 Ensure the valid_until date on Indicators is set to a greater value than valid_from when empty (compliance with STIX 2.1)
• #6171 Ability to add indicator generated from the observables of a container in the container
• #5550 Split capabilities to create labels / marking etc & update other capabilities to provide more clarity in RBAC
• #5651 Content tab: Refactor & Add content tab in multiple entities
• #6803 Content Tab: Auto Map content mapping & Create relation
• #6836 In CSV Feed Ingester, take into account Default Marking definition options from CSV Mapper
• #7467 Need more information at error level when a file cannot be download from S3
• #6506 Upgrade saml-passport version to major 4.0.0 (4.0.4)
• #7278 In the user overview, be able view all activities (read, etc.) in Operations / History
• #7333 Infer usage of parent techniques
• #5371 Have a workbench created automatically from RSS Feed
• #5304 Introduce diamond model view
• #7069 Share the result of inferrence rules in TAXII collections
• #3781 Add a button to clear the queue of a specific connector
• #6826 Leverage external ref's files with GenAI functions at entity level

Bug Fixes:

• #7419 [CSV Mapper] Not possible to add labels to URL representation
• #6887 [UI] light mode: csv mapper test result is hardly readable
• #7114 [Playbook] Manipulating knowledge by replacing status does not work on all entities
• #7494 First Seen seems to be auto populating with Dec/1969 on record creates via frontend
• #7430 In Content tab of containers, when selecting "main content", it is displayed "No file selected" on the bottom
• #7310 When merging 2 entities, the "result marking" displayed is always none
• #7488 Reject unauthorized is not taken into account in proxy configuration
• #7268 Unecessary error message at sighting edition
• #7265 [Bulk Update] Revoked field not set after bulk edit of score
• #7191 Lifecycle of an indicator is not updated when changing the score from a report "Entities" page
• #6287 [CSV Mapper] External reference creation
• #7174 Search keyword not taken into account for stix core relationships exports
• #7442 Knowledge entity list is not automatica...

Version 6.1.13

Bug Fixes:

• #7486 MIME type in uploaded artifacts is not correct and lead to multiple errors
• #7484 In some old instances, we have representative (main / secondary) indexed which leads to issues
• #7473 Reset clear queue has broken access to connectors that have vhost
• #7460 Connector cannot be displayed in production
• #7452 The search in the activity of a user does not work anymore
• #7434 Bad .docx file upload at artifact creation

Full Changelog: 6.1.12...6.1.13

Version 6.1.12

Enhancements:

• #7428 Split "data sharing and ingestion" capability into 3
• #7427 Escape information used in HTML head main page

Bug Fixes:

• #7406 ExternalReferences with automatic creation is broken
• #7392 Error at max shareable marking migration if version < 6.0
• #7350 [Dashboard] Multiple filters with the same name
• #7349 Import Stix Connector SSL Error
• #7308 Disable link of the line for delete notification
• #7264 Mandatory fields can block the 'malware analysis' creation
• #7197 Error in use AI for containers: creating a file when choose "main content" (attribute content)
• #7127 Default trigger for assignment is not generating a meaningful notification
• #7116 CSV Mapper default value for boolean fields are not working
• #7101 Missing filters in the activity events
• #6968 Can't remove pid of a process
• #6867 Malware knowledge panel markings issue
• #6829 Ask AI button in Ask AI dialog is semi-hidden
• #6258 Merging files must move existing files in S3 and rewrite path in x_opencti_files

Pull Requests:

• [frontend] e2e tests on dashbaords - chunk 2 (#6704) by @lndrtrbn in #7135
• [frontend] Leverage external ref's files with GenAI functions at entity level (#6826) by @SarahBocognano in #7347
• [frontend] disable redirection for delete notification lines (#7308) by @Archidoit in #7365
• [frontend/backend] add User and Group in context activity filters values (#7101) by @Archidoit in #7150
• [backend] Merged entity should also have all files of the merged entity and at the right path in S3 (#6258) by @aHenryJard in #6671
• [backend] improve default trigger notification (#7127) by @marieflorescontact in #7171
• [frontend] Remove update description because flaky (#6704) by @lndrtrbn in #7369
• [frontend] Add content mapping in content tab (#5651) by @marieflorescontact in #7136
• [backend] prevent wrong type for empty pid (#6968) by @frapuks in #7235
• [frontend] Fix Error in use AI for containers: creating a file when choose "main content" (#7197) by @SarahBocognano in #7371
• [frontend] add dialog box to confirm deletion in notifications (#7308) by @CelineSebe in #7376
• [backend/frontend] modify EntityStixCoreRelationshipsEntitiesComponent to list entities through relations by @JeremyCloarec in #7249
• [frontend] add fields that can be made mandatory in Malware Analysis creation form by @Archidoit in #7375
• Bump @grpc/grpc-js from 1.10.6 to 1.10.9 in /opencti-platform/opencti-front by @dependabot in #7367
• Added steps to force python venv creation to ensure build by @troll-os in #7396
• [backend] add askAnalysis mutation to request file or fields analysis (#6803) by @JeremyCloarec in #7192
• [frontend] Ask AI button in Ask AI dialog is semi-hidden (#6829) by @ValentinBouzinFiligran in #7404
• [frontend]CSV Mapper default value for boolean field (#7116) by @CelineSebe in #7238
• Bump braces from 3.0.2 to 3.0.3 in /opencti-platform/opencti-graphql by @dependabot in #7366
• Ci featbranc update by @sbocahu in #7420
• [backend/frontend] Purge a specific queue on reset state (#3781) by @helene-nguyen in #7232
• [frontend/backend] Share the result of inferrence rules in TAXII collections (#7069) by @ValentinBouzinFiligran in #7218
• [Frontend/Backend] split cpapabilites Data Sharing & Ingestion into 3 + manage CSV + Bypass ref + Connector Api (#7428) by @frapuks in #7149
• [backend] fix max shareable markings migration (#7392) by @Archidoit in #7399
• [backend] Fix handling of platform_entity_files_ref config (#7406) by @JeremyCloarec in #7417
• [backend/frontend] fix date filters with same name in widgets (#7350) by @Archidoit in #7429

Full Changelog: 6.1.11...6.1.12

Version 6.1.11

Enhancements:

• #7006 Max shareable marking definitions in groups (for export and public dashboard)
• #6878 Override of confidence level per Entity per Group
• #5844 Add filter "pattern" for Indicator in Stored Filters (Data sharing, etc.) with the operator starts with

Bug Fixes:

• #7348 Export PDF,JSON, CSV does not fully take into account the Marking Restriction
• #7336 TOP 10 targets broken for some restricted elements
• #7332 [Export] Exporting a container too large fail
• #7286 In Threat => Knowledge => Victimology => Relationships view, missing filters: from type, to type
• #7251 The Count attribute for a Sighting is not useable in Custom Dashboards
• #7250 [File import] Error when importing files
• #7240 When using Generate Report Document using AI, the first digit in "number of paragraphs" is fixed
• #7220 Unable to filter "Sigthings" by "Status"
• #7194 Creating a relationship with a set label doesn't work
• #7167 Export error is still "pending" / Actual error is override with timeout when exporting
• #7118 Add height / weight do not work
• #7099 Cache issue for extended monitoring of user activity
• #7017 Live Streams sort by description broke the view
• #7012 [ImportDocument] Can't find countries using aliases
• #6943 [File indexing] Jumping on an external ref linked to a file doesn't work
• #6801 Infrastructure Breaking Investigations
• #6773 PDF export of content in HTML is not working anymore

Pull Requests:

• [frontend] Fix file indexing accessing to external file (#6943) by @Kedae in #7254
• [frontend/backend] Fix work message when timeout (#7167) by @Kedae in #7253
• [Backend] Reset settings cache when changing organization to user (#7099) by @Kedae in #7252
• [frontend] Fix Add height / weight do not work (#7118) by @SarahBocognano in #7165
• [frontend/backend] Add available filter keys to stored filters for CSV feeds by @Goumies in #7098
• [backend] Add status filter for Sightings (#7220) by @Kedae in #7266
• [frontend/backend] Remove sorting of Description (#7017) by @Kedae in #7271
• [frontend/backend] Ability to add indicator generated from the observables of a container in the container (#6171) by @ValentinBouzinFiligran in #7134
• [frontend/backend] Max shareable markings at the group level for exports and public dashboard (#7006) by @Archidoit in #7107
• [frontend/backend] show effective max confidence with creators (#6878) by @labo-flg in #7186
• [frontend] all available filters in Knowledge relationships views (#7286) by @Archidoit in #7334
• [frontend] Fix name resolution for distribution (#7336) by @Kedae in #7337
• Bump @grpc/grpc-js from 1.10.3 to 1.10.9 in /opencti-platform/opencti-graphql by @dependabot in #7341
• [frontend] fix filter icon button operators display in widgets (#7251) by @Archidoit in #7335
• [frontend] Fix Infrastructure breaking Investigation (#6801) by @SarahBocognano in #7343
• [frontend] Ignore font-family while exporting report content (#6773) by @lndrtrbn in #7339
• [frontend] paragraphs value check in Ask AI pop-up (#7240) by @Archidoit in #7345
• [backend] handle labels during stix core relationship creation (#7194) by @SouadHadjiat in #7331
• Revert "[frontend/backend] Ability to add indicator generated from the observables of a container in the container (#6171)" by @Kedae in #7357
• [backend] added limitQuerySize option on elFindByIds (#7250) by @JeremyCloarec in #7273
• [backend/frontend] Rework model for Max shareable (#7348) by @Archidoit in #7353
• [frontend] Improve content marking usage (#7348) by @Kedae in #7364

Full Changelog: 6.1.10...6.1.11

Version 6.1.10

Bug Fixes:

• #7263 Force disable introspection can prevent correct platform usage

Full Changelog: 6.1.9...6.1.10

Version 6.1.9

⚠️ This release introduced an issue which sets the platform in a non viable state, please use 6.1.10 ⚠️

Bug Fixes:

• #7245 "Select all" selects the whole platform, not just what's on the screen
• #7243 Settings security view is broken if only SETTINGS_SETMARKINGS capa
• #7223 Security Posture on OpenCTI
• #7222 [Pictures Management] Order is not taken into account
• #7211 Missing activ users count metric in telemetry file exports
• #7201 [technical] update react-pdf to v9 for security issue
• #7080 Pdf generated via import-external-reference are not automatically treated by import-document
• #7031 Reindixing fail error when deleting entities in some specific cases
• #6990 When sharing a Report with an Organisation (into the platform, organization seggregation) , inferred relationships are not shared
• #6281 [Network Traffic Object][Missing STIX field][Frontend]

Pull Requests:

• [backend/frontend] API types ref mapping completed (#6281) by @lndrtrbn in #7133
• [frontend] update react-pdf to v9 (#7201) by @labo-flg in #7207
• [backend] Handle external refs files upload by import document (#7080) by @SouadHadjiat in #7089
• [frontend] Clean up entity-type filter in Correlation Graphs by @ckane in #7145
• [e2e] Add env var in local e2e run to sandbox all infra (#6704) by @aHenryJard in #7002
• [frontend] sort images by order value in carousel (#7222) by @frapuks in #7237
• [backend] Fix reindexing fail error (#7031) by @SouadHadjiat in #7225
• [Frontend] Fix broken security screen (#7243) by @Kedae in #7244
• [Frontend] Fix toolbar selection in knowledge -> indicators (#7245) by @Kedae in #7248
• [backend] Use index with inferred relation when sharing a report to an organization (#6990) by @frapuks in #7224
• [backend] fix missing activ users count in telemetry exports (#7211) by @Archidoit in #7212
• [backend] Change external reference resolution for OpenBAS integration by @RomuDeuxfois in #7233

Full Changelog: 6.1.8...6.1.9

Version 6.1.8

Bug Fixes:

• #7202 Add keyPrefix for sentinel mode

Pull Requests:

• [backend] Add keyPrefix for sentinel redis mode by @Kedae in #7203

Full Changelog: 6.1.7...6.1.8

Version 6.1.7

Enhancements:

• #7062 Improve CI for OpenCTI and client-python contribution.
• #7020 [backend] Improve alias generation and resolution to improve data ingestion
• #6813 Update CSV mapper to improve TTP mapping

Bug Fixes:

• #7188 Support package is broken due to permissions issue in the container
• #7175 Regression on quick export to PDF in an entity
• #7109 [Notification] Bulk notification manipulation impossible
• #7090 [Support Packages] Error when trying to generate then Timeout
• #7064 Mutliple nested relations does not work
• #6818 [CSV Mapper] MISSING REFERENCE ERROR when importing file with CSV mapper
• #6716 Worker missing reference errors / Inconsistencies / Slow ingestion rate

Pull Requests:

• Update docker.elastic.co/elasticsearch/elasticsearch Docker tag to v8.13.4 by @renovate in #7177
• Update docker.elastic.co/kibana/kibana Docker tag to v8.13.4 by @renovate in #7178
• [frontend] Fix the redirect to content during a quick export to PDF (#6704) by @CelineSebe in #7185
• [CI] Enable multi-repository build from forks (#7062) by @aHenryJard in #7063
• Fix parameters in CI script by @aHenryJard in #7187
• Fix/feature branch by @troll-os in #7189
• [backend] fix user capabilities check for notification (#7109) by @marieflorescontact in #7130
• [backend] Improve alias generation and resolution to improve data ingestion (#7020) by @richard-julien in #7126
• [frontend] Mutliple nested relations does not work (#7064) by @ValentinBouzinFiligran in #7193
• [backend] Allow external ID to be mapped in CSV mapper (#6813) by @lndrtrbn in #7190

Full Changelog: 6.1.6...6.1.7