github OpenCTI-Platform/opencti 6.3.0
Version 6.3.0

latest releases: 6.3.11, 6.3.10, 6.3.9...
one month ago

Dear community, we're excited to announce the launch of OpenCTI 6.3! 🥳

This released has been focused on solving well known pains 🎯 :

  • providing more control & clarity to admins related to the ingestion process
  • improve application usability by making it easier to ingest
  • manipulate data and initiating work toward vulnerability management.

Clarity & control over the ingestion process is a must. Hence the introduction of our feature Integrated feeds Ingestion 🧠*.* More and more of you are ingesting data via “integrated” feeds (TAXII, RSS, CSV), and we've worked to give you greater visibility over the data ingestion flow by representing these feeds in the form of a dedicated connector and by allocating dedicated RabbitMQ queues per ingestion configurations in place of common queues (see our depreciation announcements).

Thanks to this enhancement, you'll be able to identify bottlenecks more quickly and gain real-time insights into your data ingestion flow. 💡

Following up on this pain of providing more control to admins over the ingestion, we have introduced a new capability: bypass custom mandatory fields.

The problem is that your connectors providing you data do no always have a a specific field that you want your analyst to provide, which results in failing the creation of entity. ❌ As a result, thanks to this new capability, you will be able to enforce this custom mandatory attribute only for specific groups of users (your analysts), while allowing others (your connectors) to be able to create data without a specific field. 🔥

As mentioned in introduction, we focused on usability. This is why we introduced a new feature: bulk creation 🥇

  1. Bulk Creation of Entities: For entities that only require a single field, you can now copy and paste a list directly into the platform. This allows for the instant creation of multiple entities at once, eliminating the need for repetitive, step-by-step creation processes.
  2. Bulk Creation of Relations: In addition, we’ve added the ability to create relationships in bulk, even for entities that don’t yet exist in the platform. This powerful feature, adapted from our Analyst Workbench’s "add context" functionality, streamlines the process of building connections between entities.

Together, these features are designed to save you time and enhance your productivity, enabling you to focus on more critical tasks.

Improving app usability means better identification of the data that matters to you 💡

Every organization has unique data needs, even within different entities of the same company. To meet this, we introduce the new Custom Overview per Entity Type feature.

This allows users to customize each entity’s layout, selecting key information "blocks" to prioritize and adjust their size. It makes it easier to quickly spot and focus on critical data.

Usability also comes from having similar functionalities in similar screens across the app.

First of all, we have introduced List views for Threat Actors, Intrusion Sets, Campaigns & Malware, on the top of the existing card view 🪪. This will tremendously help the management of these entities without the need to go in data/entities to manage them.

Massive operations have also been added to all Arsenal entities (Malware, Channels, Tools, Vulnerability), Narratives and Attack Patterns! In this way, the consistency of operations across the application is greatly enhanced.

Last but not least, you will notice one last update that has been heavily worked in order to improve our application usability: New data tables 🎉

When upgrading to our new version, you’ll notice that data table look different: we have upgraded them. As a result, you’ll notice that:

  • the table will introduce proper pagination (size of each page can be defined) in order to improve loading.
  • another long awaited improvement is the ability to resize each columns in order to view long names or values. This would make the usability of our app way better. 🚀
  • Additionally, when clicking on one of the columns title, you’ll enable a quick filter: efficiency is key when dealing with loads of data. ❤️‍🩹
  • Behind the scenes, this new technology reduce our technical debt and enable future use cases that we can’t wait to develop!

As some of you may be aware, we would like to make easier the vulnerability management process in OpenCTI.

The first step to achieve this goal was to extend our Vulnerability model to support EPSS and CISA KEV attributes. Support of these two information were highly requested by the community🔥. Regarding EPSS, an enrichment connector to fill the data has been created too, see below.

Having these fields was not enough, we also added the ability to use them (like other vulnerability fields) in playbook components to help you build your own vulnerability decision tree 🪄.

While files and workbenches are essential, they can contribute to performance issues over time, since documents are piling up in the platform. ❌

Retention Rules for Files and Workbenches: We’ve added configurable retention rules, which are not set by default but can be easily customized. For example, you can implement a one-year policy to automatically delete any file or workbench created over a year ago. This helps prevent outdated data from accumulating and improves overall platform performance. 💯

Administrators have also been heard with an additional feature, or rather a UX improvement. To ease management of dashboard we have also introduce a new tab in the dashboard menu, to be able to view only the public dashboards as list without needing to enter in each dashboard to view the corresponding dashboards.

In terms of integrations, lots of effort has been put to deliver new connectors & improvements of existing connectors.

We already announced it on slack, but during this release, we delivered a new Splunk app 🔥, aiming to:

  • seamlessly ingest indicators through an OpenCTI live stream.
  • Instantly trigger actions in response to alerts and investigate them directly within OpenCTI.

With the OpenCTI Add-on for Splunk, you can leverage comprehensive threat information, improving your ability to detect and respond to security incidents more effectively. More info can be found on : https://splunkbase.splunk.com/app/7485.

To provide more support to our community, we completely refactored the Qradar connector to become an official Filigran support connector. This means that we will be able to provide support on this connector if a bug arise. The refactor has also fixed some known bugs, which are listed in the below list of issues.

Being open source also means ensuring that everybody has the capacity to contribute to our codebase. However, in the past, our readmes & guidelines to contribute in our connector repository were not up to date. We’ve made some effort to update it so that all the documentation is up to date, allowing everybody to bring their own contribution more easily 💪!

As mentioned earlier, we have worked towards helping analysts to perform vulnerability management with OpenCTI. To cater this need, we built an enrichment connector to provide values for EPSS 🤘This connector integrates with the organisation “FIRST” API, aiming to retrieve EPSS values about a specific vulnerability. This enrichment connector is of course playbook compatible 🚀

Some connectors have also been reworked (namely Sekoia, Crowdstrike, Mandiant, AlienVault, Recorded Future, CISA KEV) to support our new scheduling and auto-pausing feature that will pause your connector when its queue gets full.
You’ll see in these connectors new variables "duration_period" & "queue_threshold" that you need to define to enable these features. More details can be found in the respective connector pages.

We also improved the Mandiant connector by providing an option to import aliases of malwares & improve campaigns import. Campaigns import improvement provide more details regarding TTPs (labels, relation with intrusion sets, start & stop time & addition of description). In essence, we’ve made sure that we import as much data as we can.

To list them all, here are all the new connectors delivered in the milestone: Jira, Infloblox, Cisco SMA, Group IB, Cofense. The detailed list of connectors & improvement is available here: ****https://github.com/OpenCTI-Platform/connectors/releases?page=1

On a finish note, we would like to thank you for your contributions 🙏 to our product, that helps making our product better: shmztk, Bonsai8863, Fhwang0926, ParamConstructor, VerboseCat, WolfByttner, brett-fitz, mmolenda, Mathieu4141, annoyingapt, DNRRomero, DinkoReversingLabs, pietrocapece, sari3l, bradchiappetta, debelyoo, uTomasAnderson, leitosama, XGREENi3, sudesh0sudesh, cert-orangecyberdefense, cmandich, obideuce, sda06407, Obdam, piolug93, daemitus, polakovicp, julienloizelet, khalidelborai, Renizmy, curiouspython1!

Of course, a huge thank you to all for your contributions 🥇

We hope this release will please you! Feel free to drop us a note about anything. We’re always happy to get feedback about our product usage, whether it’s to hear that everything works perfectly or to get some improvement ideas to.

Depreciation announcements

The RabbitMQ “push_sync”, “listen_sync”, “listen_playbook” and “push_playbook” queues are no longer used by our product and will be considered deprecated once empty. These queues will be permanently removed in version 6.6.

Enhancements:

  • #8319 Implements dedicated queues for playbooks, synchronizers and CSV Mapper import
  • #7906 Update views to new DataTable
  • #7500 Apply the Bulk Relationship POC on all required entities
  • #6724 Ability to custom Entity overviews' widgets position at platform level
  • #8275 Be able to declare default admin account externally managed
  • #4352 Bulk entity creation of SDO/SCO with Copy/Pasting
  • #8275 Connector default role should bypass mandatory attributes by default
  • #8263 Add telemetry counter and gauge for graphql queries and mutations
  • #7704 Mirror Integrated feeds in built in connector to allow works monitoring
  • #7482 retention for FILES MVP
  • #6509 Dashboard Refacto: Admin to View all, New list for public dash & Massive operations
  • #3304 Bulk entity creation of SDO/SCO with Copy/Pasting
  • #7409 Create a new capa to byPass mandatory fields
  • #8149 Create a Persona Observable
  • #7312 In the connector overview, display the user associated to the connector and additional infos
  • #3568 Add EPSS Support for Vulnerability Entity
  • #6325 Some connectors will pause based on queues threshold
  • #6741 Be able to filter and sort on Narratives
  • #7566 Content Tab improvement
  • #7696 Add a graphql api to send stix bundle in the ingestion process
  • #4234 Massive operations / checkboxes in Arsenal (Channels / Tools / Vulnerabilities)
  • #7390 Support of "KEV" field for vulnerability entity

Bug Fixes:

  • #8361 Download API Improvements
  • #8314 Clickable mouse for Markings and Status in Entity overview
  • #8311 Authorized Members - Default value
  • #8278 Case overview loading is not correctly aligned
  • #8235 InternalFiles can be duplicated after index rollover
  • #8172 Can't enrich multiple observables
  • #7995 Javascript error during authentication when OpenCTI is configured with LDAP as provider
  • #7454 Inconsistency in numbers between dashboard and list
  • #8246 Retention unit not taken into account in Retention Rule Count Checking
  • #8231 UI Regression : horizontal scrollbar on details page
  • #8193 Bug in label display
  • #6662 Attack pattern knowledge matrix query perf issue
  • #8255 Improve platform security
  • #8230 Retention rule verify : wrong number of elements that will be deleted
  • #8190 Retention rules created before 6.2.14 have no unit
  • #8017 Performance issues with popovers in some list views
  • #8152 Auto-save feature in report content editor is not paused while typing
  • #8156 [Ext Ref Search] Some Ext Ref are not found in search

Pull Requests:

New Contributors:

Full Changelog: 6.2.18...6.3.0

Don't miss a new opencti release

NewReleases is sending notifications on new releases.