Dear community, we're excited to announce the launch of OpenCTI 6.2! 🥳This update focuses on three main use cases: improving the platform usability to reduce analyst fatigue, aiding administrators in managing the application, and enhancing customization to cater to your needs.
In Cyber Threat Intelligence, there are a lot of ways to display and analyse characteristics of a threat, phase of attacks, and so on. Among them, the Diamond Model is a well known and useful analytic framework, but one that can be hard to harness and produce. OpenCTI 6.2 introduces an automatically generated Diamond Model for each Threats in the platform and each Incidents! 💎 This new view, accessible in the Knowledge tab of the entity, is based on all the knowle7dge accumulated around it. No manual work is required here and you can focus your precious time on analyzing the subject through the Diamond Model analytical framework! 🧠
Extracting structured knowledge from documents is a tedious and time-consuming task. Therefore, we've moved the content mapping to the content section for logical consistency and have improved the UX to be clearer and simpler to use. It is now available for all containers. 🤩 We've also added an auto-saving of the content, eliminating the need to manually save your work. 💾 Note that this auto-saving is not implemented for files you modify here, at the moment.
To further ease the process of mapping each entity within text content, we've introduced automatic mapping! This feature will recognize entities that already exist on your platform. Currently, there is no magic. Mapping suggestion are based on the current capability of the ImportDocument connector (used also when you generate an Analyst Workbench from the import of a file) and there is still noise created. This is our first step towards an AI-assisted (NLP) automatic mapping that will ensure smarter extraction and less noise! 🪄
In OpenCTI 6.2, we've also made it possible to automate the creation of Analyst Workbenches for External Reference coming from a specific source. For example, it can be used to automatically create an Analyst Workbench for Reports coming from an RSS feed, automating the ingestion process while ensuring data correctness. The RSS feed triggers the external ref connector, which triggers the import document, resulting in workbenches created for each new incoming report. 💯
For our Entreprise Edition users, we have also enhanced “Ask AI” functionality: it can now leverage files uploaded from External References! 💡
Talking about ingestion, we've enhanced the CSV feed ingestion with a feature that uses the default value set in your CSV mapper to populate the marking. This simplifies data classification control and ensures that only users with sufficient marking can access data imported from CSV feeds.
On the administrative side, the Role-Based Access Control (RBAC) capabilities have been reworked to allow administrators to manage access in a more granular way. This long awaited feature will help administrators to better control who has access to what. Each menus of the Settings are now linked to a specific Capability and now an administrator can grant management of labels to a user without granting them the ability to change the interface. 🔒
We've also introduced a new "Access security activity" capability that allows to see logs related to security related events. Without this capability, a user can only view events related to modification and access of Knowledge entities.
Some sources provide Reports containing Observables for characterizing potentially malicious events. Based on that, analyst can decide these technical elements are characteristic of an attack and want to send them for further security actions (detection for example). Best practice is to send Indicators, not Observables. With OpenCTI 6.2, it is now possible to easily add Indicators related to the contained Observables when you promote these Observables via massive operations’ toolbar! 🔥
Sharing has also been improved! Now, you can also decide whether relationships created from inference rules should be shared in the TAXII collection when creating a new one. Additionally, 6.2 introduces the ability to use Organization sharing through massive operations directly! Now, you can simply select all entities you want to share with a specific Organization and click on 'share' ! 🥰
In terms of integration, administrators can now clear the queue of a connector if it gets stuck, enhancing performance management.
The Crowdstrike Feed connector has been improved to use FalconPy library when importing Threats, Reports, and also YARA and SNORT rules! Community members brought also a lot of value with the development of connectors for Red Flag Domains (external-import), ShadowServer foundation (external-import) and ReversingLabs (internal-enrichment). The Zerofox connector has also been improved! Thanks a lot! ♥️
We're eager for your feedback on these enhancements!
⚠️ Breaking changes
Since OpenCTI version 6.2 there is an upgrade of
passport-samllibrary that implies that for platform using SAML provider:
- Document signatures are now required by default. Setting
wantAuthenResponseSigned=falsedisables this feature and restores the prior, less secure behavior- Require all assertions be signed; new option
wantAssertionsSignedcan be set to false to enabled the older, less secure behavior.It means that if it’s not already done, you should generate certificates and configure the SAML identity provider in a secure way. Or else in OpenCTI configuration parameters
want_authn_response_signedand/orwant_assertions_signedcan be set to false:
PROVIDERS__SAML__CONFIG__WANT_AUTHN_RESPONSE_SIGNED=falsePROVIDERS__SAML__CONFIG__WANT_ASSERTIONS_SIGNED=falsePlease read the passport-saml detailed changelog for more details.
Enhancements:
- #6836 Ensure the valid_until date on Indicators is set to a greater value than valid_from when empty (compliance with STIX 2.1)
- #6171 Ability to add indicator generated from the observables of a container in the container
- #5550 Split capabilities to create labels / marking etc & update other capabilities to provide more clarity in RBAC
- #5651 Content tab: Refactor & Add content tab in multiple entities
- #6803 Content Tab: Auto Map content mapping & Create relation
- #6836 In CSV Feed Ingester, take into account Default Marking definition options from CSV Mapper
- #7467 Need more information at error level when a file cannot be download from S3
- #6506 Upgrade saml-passport version to major 4.0.0 (4.0.4)
- #7278 In the user overview, be able view all activities (read, etc.) in Operations / History
- #7333 Infer usage of parent techniques
- #5371 Have a workbench created automatically from RSS Feed
- #5304 Introduce diamond model view
- #7069 Share the result of inferrence rules in TAXII collections
- #3781 Add a button to clear the queue of a specific connector
- #6826 Leverage external ref's files with GenAI functions at entity level
Bug Fixes:
- #7419 [CSV Mapper] Not possible to add labels to URL representation
- #6887 [UI] light mode: csv mapper test result is hardly readable
- #7114 [Playbook] Manipulating knowledge by replacing status does not work on all entities
- #7494 First Seen seems to be auto populating with Dec/1969 on record creates via frontend
- #7430 In Content tab of containers, when selecting "main content", it is displayed "No file selected" on the bottom
- #7310 When merging 2 entities, the "result marking" displayed is always none
- #7488 Reject unauthorized is not taken into account in proxy configuration
- #7268 Unecessary error message at sighting edition
- #7265 [Bulk Update] Revoked field not set after bulk edit of score
- #7191 Lifecycle of an indicator is not updated when changing the score from a report "Entities" page
- #6287 [CSV Mapper] External reference creation
- #7174 Search keyword not taken into account for stix core relationships exports
- #7442 Knowledge entity list is not automatically refreshed anymore
- #7210 Cannot bulk delete External References when using a filter
- #7291 Bad FR translation encrypted archives
- #7269 Cannot enrich multiple observables when shift-selecting
- #7315 Missing number formatter in some dashboard widgets
Pull Requests:
- Use number formatter for widgets (#7315) by @frapuks in #7424
- [frontend] Fix enrichment of multiple observables when shift-selecting (#7269) by @CelineSebe in #7355
- Update dependency csv-parse to v5.5.6 by @renovate in #7410
- Update dependency eslint-plugin-react to v7.34.3 by @renovate in #7411
- Update dependency graphql to v16.8.2 by @renovate in #7412
- [backend] Trigger enrichment connectors with filters (#5371) by @SouadHadjiat in #7137
- [backend] add analysisPush, analysisClear and stixCoreObjectAnalysis queries to add, clear and retrieve analysis result (#6803) by @JeremyCloarec in #7270
- [frontend] Fix Bad FR translation encrypted archives (#7291) by @SarahBocognano in #7423
- CI improvement: client-python build once and fail fast on test-api (#7359) by @aHenryJard in #7361
- [backend] Bulk deleted external reference is not working when using a filter(#7210) by @aHenryJard in #7435
- Split settings capabilities (#5550) by @aHenryJard in #7054
- Upgrade saml-passport to 4.0.4 (#6506) by @aHenryJard in #7387
- [frontend] Fix knowledge entities list refresh (#7442) by @SouadHadjiat in #7457
- [frontend] Be able to filter and sort on Narratives (#6741) by @Gwendoline-FAVRE-FELIX in #7425
- [Frontend] Fix on search for user history (#7452) by @Kedae in #7455
- [backend] Fix issue Int cannot represent 32-bit signed integer by @helene-nguyen in #7462
- Bump ws from 7.5.9 to 7.5.10 in /opencti-platform/opencti-graphql by @dependabot in #7418
- Update docker.elastic.co/elasticsearch/elasticsearch Docker tag to v8.14.1 by @renovate in #7464
- Update docker.elastic.co/kibana/kibana Docker tag to v8.14.1 by @renovate in #7465
- [frontend] Revert "be able to filter and do massive operations on Narratives" (#6741) by @labo-flg in #7470
- [backend] Test CSV bundler with Indicators with external references … by @Goumies in #6995
- [Backend] Fix rabbitmq queue access for connector message (#7473) by @Kedae in #7475
- Split capabilities : Dashboard & investigations into 2 (#5550) by @frapuks in #7456
- [backend] Change log level for S3 download file errors (#7467) by @aHenryJard in #7468
- [frontend/backend] Fix generated schema by @helene-nguyen in #7481
- [backend] task manager updated for indicator score replace action (#7… by @ValentinBouzinFiligran in #7471
- [frontend] Make nullable first seen and last seen (#7268) by @Gwendoline-FAVRE-FELIX in #7483
- [frontend/backend] In CSV Feed Ingester, take into account Default Marking definition options from CSV Mapper by @Goumies in #7275
- merge result marking updated by @ValentinBouzinFiligran in #7491
- [Frontend/backend] split SETTINGS capacity (#5550) by @aHenryJard in #7480
- Added option to feature branch deployment to choose Redis deployment type by @troll-os in #7498
- [backend/frontend] Add suggested mapping & refactor content tab (#5651)(#6803) by @marieflorescontact in #7262
- [backend/frontend] Marking label and entity type chip color adjustment (#6609) by @Bonsai8863 in #7373
- [Frontend] Improve date checking (#7494) by @Kedae in #7496
- [backend] set x_opencti_workflow_id upsert attribute (#7114) by @marieflorescontact in #7408
- In CSV Feed Ingester, take into account Default Marking definition options from CSV Mapper - improvements by @Goumies in #7497
- [frontend/backend] Ability to add indicator generated from the observables of a container in the container (#6171) by @labo-flg in #7360
- [backend] on Artifact creation pass mime_type to upload (#7486)(#7434) by @labo-flg in #7490
- [backend] Migration to remove representative in DB (#7484) by @SouadHadjiat in #7493
- [Backend] Add relations ref to observable representations (#7419) by @CelineSebe in #7474
- [backend] Ensure the valid_until date on Indicators is set to a greater value than valid_from when empty (#6836) by @SarahBocognano in #7227
- [frontend] fix themeLight for the csv mapper test result(#6887) by @CelineSebe in #7422
- [frontend] UI improvements to content mapping suggestion page (#5651) by @JeremyCloarec in #7501
New Contributors:
- @Gwendoline-FAVRE-FELIX made their first contribution in #7425
Full Changelog: 6.1.13...6.2.0