Dear community, we're excited to announce the launch of OpenCTI 6.3! 🥳
This release has been focused on solving well-known pains 🎯:
- providing more control & clarity to admins over the ingestion process
- improving application usability by making it easier to ingest and manipulate data
- initiating work toward vulnerability management.
Clarity & control over the ingestion process is a must. Hence the introduction of our new feature: Integrated feeds ingestion 🧠. More and more of you are ingesting data via "integrated" feeds (TAXII, RSS, CSV), and we've worked to give you greater visibility over the data ingestion flow by representing these feeds as a dedicated connector and by allocating a dedicated RabbitMQ queue per ingestion configuration instead of the common queues (see our deprecation announcements below).
Thanks to this enhancement, you'll be able to identify bottlenecks more quickly and gain real-time insights into your data ingestion flow. 💡
Still on the theme of giving admins more control over ingestion, we have introduced a new capability: bypass custom mandatory fields.
The problem: the connectors feeding you data do not always provide a specific field that you want your analysts to fill in, which makes entity creation fail. ❌ With this new capability, you can enforce a custom mandatory attribute only for specific groups of users (your analysts), while allowing others (your connectors) to create data without that field. 🔥 Note that the default connector role now bypasses mandatory attributes out of the box (#8275).
As mentioned in the introduction, we focused on usability. This is why we introduced a new feature: bulk creation 🥇
- Bulk Creation of Entities: For entities that only require a single field, you can now copy and paste a list directly into the platform. This allows for the instant creation of multiple entities at once, eliminating the need for repetitive, step-by-step creation processes.
- Bulk Creation of Relations: In addition, we’ve added the ability to create relationships in bulk, even for entities that don’t yet exist in the platform. This powerful feature, adapted from our Analyst Workbench’s "add context" functionality, streamlines the process of building connections between entities.
Together, these features are designed to save you time and enhance your productivity, enabling you to focus on more critical tasks.
Improving app usability means better identification of the data that matters to you 💡
Every organization has unique data needs, even between different entities of the same company. To meet this, we are introducing the new Custom Overview per Entity Type feature.
It allows users to customize each entity type's layout, selecting which key information "blocks" to prioritize and adjusting their size. This makes it easier to quickly spot and focus on critical data.
Usability also comes from having similar functionalities in similar screens across the app.
First of all, we have introduced list views for Threat Actors, Intrusion Sets, Campaigns & Malware, on top of the existing card view 🪪. This will tremendously help with managing these entities without needing to go through Data > Entities.
Massive operations have also been added to all Arsenal entities (Malware, Channels, Tools, Vulnerabilities), Narratives and Attack Patterns! This greatly improves the consistency of operations across the application.
Last but not least, you will notice one last update that has been heavily worked on to improve usability: new data tables 🎉
When upgrading to the new version, you'll notice that data tables look different: we have upgraded them. As a result:
- tables now have proper pagination (the size of each page can be defined) to improve loading.
- another long-awaited improvement is the ability to resize each column to view long names or values. This makes the app much easier to use. 🚀
- additionally, clicking on a column title enables a quick filter: efficiency is key when dealing with loads of data. ❤️‍🩹
- behind the scenes, this new component reduces our technical debt and enables future use cases that we can't wait to develop!
As some of you may be aware, we want to make vulnerability management easier in OpenCTI.
The first step toward this goal was to extend our Vulnerability model with EPSS and CISA KEV attributes. Support for these two pieces of information was highly requested by the community 🔥. For EPSS, an enrichment connector that fills in the data has also been created, see below.
Having these fields was not enough: we also added the ability to use them (like the other vulnerability fields) in playbook components, to help you build your own vulnerability decision tree 🪄.
While files and workbenches are essential, they can cause performance issues over time as documents pile up in the platform. ❌
Retention Rules for Files and Workbenches: we've added configurable retention rules, which are not set by default but can be easily customized. For example, you can implement a one-year policy that automatically deletes any file or workbench created more than a year ago. This prevents outdated data from accumulating and improves overall platform performance. 💯
Administrators have also been heard with an additional feature, or rather a UX improvement: to ease dashboard management, we have introduced a new tab in the dashboard menu that lists only the public dashboards, without needing to open each dashboard to find its public versions.
In terms of integrations, a lot of effort has gone into delivering new connectors and improving existing ones.
We already announced it on Slack, but during this release we delivered a new Splunk app 🔥, aiming to:
- seamlessly ingest indicators through an OpenCTI live stream.
- instantly trigger actions in response to alerts and investigate them directly within OpenCTI.
With the OpenCTI Add-on for Splunk, you can leverage comprehensive threat information, improving your ability to detect and respond to security incidents more effectively. More info can be found on : https://splunkbase.splunk.com/app/7485.
To provide more support to our community, we completely refactored the QRadar connector to make it an officially Filigran-supported connector. This means we will be able to provide support for it if a bug arises. The refactor has also fixed some known bugs, which are listed in the issues below.
Being open source also means making sure everybody can contribute to our codebase. However, in the past, the READMEs & contribution guidelines in our connectors repository were not up to date. We've made an effort to update them so that all the documentation is current, allowing everybody to contribute more easily 💪!
As mentioned earlier, we have been working to help analysts perform vulnerability management with OpenCTI. To meet this need, we built an enrichment connector that provides EPSS values 🤘 It queries the FIRST organisation's EPSS API to retrieve the EPSS score for a specific vulnerability. This enrichment connector is of course playbook compatible 🚀
Some connectors have also been reworked (namely Sekoia, CrowdStrike, Mandiant, AlienVault, Recorded Future, CISA KEV) to support our new scheduling and auto-pausing feature, which pauses a connector when its queue gets full.
In these connectors you'll find two new variables, "duration_period" & "queue_threshold", which you need to define to enable these features. More details can be found on the respective connector pages.
We also improved the Mandiant connector with an option to import malware aliases and a better campaigns import. The campaigns import now provides more details on TTPs (labels, relations with intrusion sets, start & stop times, and descriptions). In short, we've made sure we import as much data as we can.
To list them all, here are the new connectors delivered in this milestone: Jira, Infoblox, Cisco SMA, Group IB, Cofense. The detailed list of connectors & improvements is available here: https://github.com/OpenCTI-Platform/connectors/releases?page=1
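To make the two vulnerability-management pieces above concrete (EPSS/KEV fields usable in playbook decisions, and an enrichment step fed by the FIRST EPSS API), here is an added example in Python. It is not OpenCTI, pycti or connector code from Filigran: it parses a constructed response in the shape FIRST's public EPSS endpoint returns (the endpoint URL, the decimal-string score format, the CVE ids, the scores and the P1..P4 thresholds are all assumptions made for illustration), enriches a small constructed inventory, and runs a decision tree that ranks confirmed exploitation (KEV) above EPSS and EPSS above CVSS, while refusing to treat "no EPSS yet" as "EPSS of zero".

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of a FIRST EPSS API response (assumption:
# the public endpoint https://api.first.org/data/v1/epss?cve=<ids> returns
# "epss" and "percentile" as decimal strings). CVE ids and scores are
# placeholders, not real data.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "status-code": 200,
    "total": 3,
    "data": [
        {"cve": "CVE-2024-90001", "epss": "0.931200000", "percentile": "0.998700000", "date": "2024-09-20"},
        {"cve": "CVE-2024-90002", "epss": "0.000830000", "percentile": "0.352100000", "date": "2024-09-20"},
        {"cve": "CVE-2024-90003", "epss": "0.145000000", "percentile": "0.952300000", "date": "2024-09-20"},
    ],
})

# Thresholds are assumptions for illustration; tune them to your own risk appetite.
EPSS_URGENT = 0.5               # probability of exploitation in the next 30 days
EPSS_ELEVATED_PERCENTILE = 0.9  # top 10% of all scored CVEs
CVSS_CRITICAL = 9.0


@dataclass
class Vulnerability:
    """The subset of OpenCTI Vulnerability attributes this decision tree reads."""
    name: str                                # CVE id
    cvss_base_score: Optional[float] = None
    cisa_kev: bool = False                   # listed in CISA's Known Exploited Vulnerabilities
    epss_score: Optional[float] = None
    epss_percentile: Optional[float] = None


def parse_epss_response(raw: str) -> dict[str, tuple[float, float]]:
    """Map CVE id -> (epss, percentile); refuse anything but a successful reply."""
    payload = json.loads(raw)
    if payload.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {payload.get('status')!r}")
    return {
        row["cve"]: (float(row["epss"]), float(row["percentile"]))
        for row in payload.get("data", [])
    }


def enrich_with_epss(vulns: list[Vulnerability], scores: dict[str, tuple[float, float]]) -> None:
    """Fill epss_score/epss_percentile in place, as an enrichment step would.

    A CVE absent from the reply (too new, rejected, or mistyped) keeps None:
    defaulting it to 0.0 would silently push an unscored vulnerability to the
    bottom of the queue, which is the wrong failure mode.
    """
    for v in vulns:
        hit = scores.get(v.name)
        if hit is not None:
            v.epss_score, v.epss_percentile = hit


def priority(v: Vulnerability) -> tuple[str, str]:
    """Return (tier, reason). Order matters: confirmed exploitation (KEV) beats
    any probabilistic score, and EPSS beats CVSS severity."""
    cvss = v.cvss_base_score or 0.0
    if v.cisa_kev:
        return "P1", "cisa-kev"
    if v.epss_score is None:
        # No EPSS yet: fall back to CVSS and say so, so the item gets re-checked.
        return ("P2", "no-epss-critical-cvss") if cvss >= CVSS_CRITICAL else ("P4", "no-epss")
    if v.epss_score >= EPSS_URGENT:
        return "P1", "epss-urgent"
    if v.epss_percentile >= EPSS_ELEVATED_PERCENTILE or cvss >= CVSS_CRITICAL:
        return "P2", "epss-elevated-or-critical-cvss"
    return "P3", "baseline"


def triage(vulns: list[Vulnerability], raw_epss: str) -> dict[str, tuple[str, str]]:
    """Enrich, then classify every vulnerability; returns {cve: (tier, reason)}."""
    enrich_with_epss(vulns, parse_epss_response(raw_epss))
    return {v.name: priority(v) for v in vulns}


# Constructed inventory to run the tree over (placeholder ids and scores).
SAMPLE_VULNS = [
    Vulnerability("CVE-2024-90001", cvss_base_score=7.5),                 # high EPSS, medium CVSS
    Vulnerability("CVE-2024-90002", cvss_base_score=9.8),                 # critical CVSS, tiny EPSS
    Vulnerability("CVE-2024-90003", cvss_base_score=6.1, cisa_kev=True),  # in KEV
    Vulnerability("CVE-2024-90004", cvss_base_score=5.3),                 # not scored by EPSS yet
    Vulnerability("CVE-2024-90005", cvss_base_score=9.1),                 # unscored but critical
]

if __name__ == "__main__":
    ranked = sorted(triage(SAMPLE_VULNS, SAMPLE_EPSS_RESPONSE).items(), key=lambda kv: kv[1][0])
    for cve, (tier, reason) in ranked:
        print(f"{tier} {cve:16} {reason}")
```

The point of the `None` handling is the one that bites in practice: a newly published CVE often has no EPSS row for a day or more, and a decision tree that silently reads a missing score as zero will park it in the lowest tier exactly when it deserves a human look.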
On a final note, we would like to thank you for your contributions 🙏 to our product, which help make it better: shmztk, Bonsai8863, Fhwang0926, ParamConstructor, VerboseCat, WolfByttner, brett-fitz, mmolenda, Mathieu4141, annoyingapt, DNRRomero, DinkoReversingLabs, pietrocapece, sari3l, bradchiappetta, debelyoo, uTomasAnderson, leitosama, XGREENi3, sudesh0sudesh, cert-orangecyberdefense, cmandich, obideuce, sda06407, Obdam, piolug93, daemitus, polakovicp, julienloizelet, khalidelborai, Renizmy, curiouspython1!
Of course, a huge thank you to all for your contributions 🥇
We hope you'll enjoy this release! Feel free to drop us a note about anything. We're always happy to get feedback about how you use our product, whether it's to hear that everything works perfectly or to get improvement ideas.
Deprecation announcements
The RabbitMQ "push_sync", "listen_sync", "listen_playbook" and "push_playbook" queues are no longer used by our product and will be considered deprecated once empty. Check in your RabbitMQ management interface that they have drained, so no in-flight messages are lost: these queues will be permanently removed in version 6.6.
Enhancements:
- #8319 Implements dedicated queues for playbooks, synchronizers and CSV Mapper import
- #7906 Update views to new DataTable
- #7500 Apply the Bulk Relationship POC on all required entities
- #6724 Ability to custom Entity overviews' widgets position at platform level
- #8275 Be able to declare default admin account externally managed
- #4352 Bulk entity creation of SDO/SCO with Copy/Pasting
- #8275 Connector default role should bypass mandatory attributes by default
- #8263 Add telemetry counter and gauge for graphql queries and mutations
- #7704 Mirror Integrated feeds in built in connector to allow works monitoring
- #7482 retention for FILES MVP
- #6509 Dashboard Refacto: Admin to View all, New list for public dash & Massive operations
- #3304 Bulk entity creation of SDO/SCO with Copy/Pasting
- #7409 Create a new capa to byPass mandatory fields
- #8149 Create a Persona Observable
- #7312 In the connector overview, display the user associated to the connector and additional infos
- #3568 Add EPSS Support for Vulnerability Entity
- #6325 Some connectors will pause based on queues threshold
- #6741 Be able to filter and sort on Narratives
- #7566 Content Tab improvement
- #7696 Add a graphql api to send stix bundle in the ingestion process
- #4234 Massive operations / checkboxes in Arsenal (Channels / Tools / Vulnerabilities)
- #7390 Support of "KEV" field for vulnerability entity
Bug Fixes:
- #8361 Download API Improvements
- #8314 Clickable mouse for Markings and Status in Entity overview
- #8311 Authorized Members - Default value
- #8278 Case overview loading is not correctly aligned
- #8235 InternalFiles can be duplicated after index rollover
- #8172 Can't enrich multiple observables
- #7995 Javascript error during authentication when OpenCTI is configured with LDAP as provider
- #7454 Inconsistency in numbers between dashboard and list
- #8246 Retention unit not taken into account in Retention Rule Count Checking
- #8231 UI Regression : horizontal scrollbar on details page
- #8193 Bug in label display
- #6662 Attack pattern knowledge matrix query perf issue
- #8255 Improve platform security
- #8230 Retention rule verify : wrong number of elements that will be deleted
- #8190 Retention rules created before 6.2.14 have no unit
- #8017 Performance issues with popovers in some list views
- #8152 Auto-save feature in report content editor is not paused while typing
- #8156 [Ext Ref Search] Some Ext Ref are not found in search
Pull Requests:
- [frontend/backend] Added persona/moniker support by @Bonsai8863 in #6629
- [frontend] Add forgotten feature flag (#8134) by @Kedae in #8143
- [frontend] Fix for TAI mutations (#8149) by @Kedae in #8148
- [backend/frontend] Remove last SETTINGS capabilities (#3304) by @frapuks in #7937
- [backend/worker] Release 6.2.15 by @Kedae in #8155
- [frontend] fix filters format for organizations queries (#8013) by @frapuks in #8016
- [frontend] Change light theme accent (#8129) by @CelineSebe in #8141
- [ci] Allow retry for e2e tests (#7378) by @aHenryJard in #7993
- [frontend] [Bulk search] The column ordering of markings doesn't work (#7623) by @SarahBocognano in #8034
- [backend] Fix capabilities check on background tasks by @lndrtrbn in #8163
- [frontend/backend] Create public dashboards from dashboard list pages (#6509) by @lndrtrbn in #8114
- [backend] Be able to use Vulnerability specific fields in playbook filters (#7409) by @ValentinBouzinFiligran in #8135
- [frontend] fix hash check search bulk by @JeremyCloarec in #8133
- [frontend] Allow clicking on External References (#8156) by @Gwendoline-FAVRE-FELIX in #8165
- [backend] fix elements to delete filtering in retentionManager by @JeremyCloarec in #8164
- [backend] Change kill_chain_phase.order attribute upsert value (#8182) by @lndrtrbn in #8181
- [frontend] fix csv mapper creation form on error (#8116) by @Archidoit in #8177
- Updated template ids by @troll-os in #8192
- Update dependency webpack to v5.94.0 [SECURITY] by @renovate in #8196
- Bump webpack from 5.93.0 to 5.94.0 in /opencti-platform/opencti-front by @dependabot in #8195
- Bump micromatch from 4.0.7 to 4.0.8 in /opencti-platform/opencti-graphql by @dependabot in #8194
- [ci] Add upload of test results to JFrog (#7378) by @aHenryJard in #8166
- [backend] Rework error in case of interceptor to prevent HTML default page (#7696) by @Kedae in #8140
- Better Japanese translations by @shmztk in #8212
- [backend] Add a missing basePath (#8205) by @aHenryJard in #8206
- [backend] [Workbench] Campaign object unrecognized in relationships (#6758) by @SarahBocognano in #8209
- [backend] Fix organization admin user can't delete/edit user account status (#8011) by @marieflorescontact in #8030
- [e2e] Enable back end to end test on background tasks (#7378) by @aHenryJard in #8187
- [frontend] Fixing note creation auto-scroll when layout is custom (#6724) by @labo-flg in #8217
- [backend/frontend] massive delete operations for public dashboard and workspaces (#6509) by @lndrtrbn in #8158
- [frontend/backend] authorized members bypass organization sharing for case IR (#4538) by @marieflorescontact in #8052
- [frontend] changed content autosave to trigger onBlur instead of onChange (#8152) by @JeremyCloarec in #8173
- [backend/frontend] remove feature flag CAPABILITY_BYPASSFIELDS (#3304) by @frapuks in #8198
- [front] Remove Public dashboard list FF (#6509) by @CelineSebe in #8201
- [backend/frontend] Usage of Datable in multiple places (#7906) by @Kedae in #8035
- Replaced Edit Floating Action Buttons for Entities by @Bonsai8863 in #7823
- Replaced Edit Floating Action Buttons for Arsenals by @Bonsai8863 in #7743
- [frontend/backend] Global files filtering and ordering (#3016) by @Archidoit in #8184
- Replaced Edit Floating Action Buttons for Techniques by @Bonsai8863 in #7744
- [frontend/backend] make unit mandatory for Retention Rules by @Archidoit in #8200
- [frontend] remove feature flag for Files retention rules (#7482) by @Archidoit in #8189
- [frontend] allow to disable line selection on datatables by @lndrtrbn in #8236
- Replaced Edit Floating Action Buttons for Events by @Bonsai8863 in #7740
- Replaced Edit Floating Action Buttons for Observations by @Bonsai8863 in #7741
- Replaced Edit Floating Action Buttons for Threats by @Bonsai8863 in #7742
- [frontend] Bulk entity creation of SDO/SCO with Copy/Pasting (#4352) by @ValentinBouzinFiligran in #7609
- [backend] Use of dedicated RabbitMQ queues for integrated feeders/ingestors (#7704) by @richard-julien in #8169
- [backend] improve platform security (#8255) by @labo-flg in #8256
- [backend] Fix meEdit & authorized authorities update by @Archidoit in #8254
- [backend] Add telemetry counter and gauge for graphql queries and mutations by @richard-julien in #8262
- [github] Adding a workflow to auto set labels by @Dimfacion in #8261
- [backend] Improve Attack Pattern knowledge matrix view performance (#6662) by @SouadHadjiat in #7924
- [frontend] label display for user without Knowledge update capability (#8193) by @Archidoit in #8257
- [backend] take retention unit into account in retention rule check (#8246) by @Archidoit in #8247
- [backend] Connector default role should bypass mandatory attributes by default (#8275) by @SamuelHassine in #8276
- Implement new graphql armor protection by @richard-julien in #8286
- [frontend] New import screens under FF (#3016) by @Archidoit in #8266
- [backend] retention rules on files with status complete or timeout (#7482) by @Archidoit in #8267
- [frontend] Improve Simulation buttons CSS (#8231) by @lndrtrbn in #8232
- [frontend] Fix infinite scroll (#7906) by @SouadHadjiat in #8290
- [frontend] Fix shift select for some data tables (#7906) by @SouadHadjiat in #8292
- [backend/frontend] implement authorized members for containers (#4538) by @marieflorescontact in #8228
- [frontend] Apply the Bulk Relationship POC on all required entities (#7500) by @ValentinBouzinFiligran in #8294
- [backend] Force LDAP bindCredentials to be a String and add docker image for dev (#7995) by @aHenryJard in #8233
- [frontend/e2e] Navigation on groupings and malware analyses (#7378) by @aHenryJard in #7860
- Bump body-parser from 1.20.2 to 1.20.3 in /opencti-platform/opencti-graphql by @dependabot in #8304
- Bump express from 4.19.2 to 4.20.0 in /opencti-platform/opencti-front by @dependabot in #8305
- Update dependency express to v4.20.0 [SECURITY] by @renovate in #8306
- [frontend] Remove feature flag for bulk entities (#4352) by @lndrtrbn in #8229
- [backend/frontend] Finalize Overview layout customization (#6724) by @Goumies in #8308
- [backend] Add feature flag for schema attributes (#4538) by @SouadHadjiat in #8315
- [frontend] Bulk entity creation of SDO/SCO with Copy/Pasting (#4352) by @ValentinBouzinFiligran in #8302
- Bump dset from 3.1.3 to 3.1.4 in /opencti-platform/opencti-graphql by @dependabot in #8321
- [frontend] RegExs updated to validate more completely the Bulk add of Hash values (#4352) by @ParamConstructor in #8327
- [frontend] Bulk entity creation of SDO/SCO with Copy/Pasting (#4352) by @ValentinBouzinFiligran in #8328
- [frontend] remove Connectors list in Data>Import by @Archidoit in #8326
- [backend/frontend] Remove feature flag for bulk create relations (#4352)(#7500) by @aHenryJard in #8342
- [frontend] Align design and fix new datatable (#7906) by @aHenryJard in #8269
- [backend/frontend] Implement dedicated queues for playbooks and synchronizers by @richard-julien in #8320
- Bump express from 4.20.0 to 4.21.0 in /opencti-platform/opencti-graphql by @dependabot in #8334
- [frontend] Fixes on DataTable (#7906) by @Kedae in #8351
- [frontend] Authorized members default value should not contain me user (#8311) by @Archidoit in #8338
- [backend] update or index internalFile to avoid duplicates (#8235) by @SouadHadjiat in #8299
- [frontend] Multiple fixes on DataTables (#7906) by @Kedae in #8362
- [frontend] Fix tasks widget height (#8278) by @Goumies in #8360
- [frontend] no pointer if Item Marking/Status is not clickable (#8314) by @Archidoit in #8364
- [backend] add verification on file download (#8361) by @aHenryJard in #8363
- [backend] fix update internal file (#8235) by @SouadHadjiat in #8365
- [frontend] Multiple fixes on DataTables (#7906) by @Kedae in #8367
- Update dependency @xmldom/xmldom to v0.9.2 by @renovate in #8356
- Update dependency convert to v5.4.0 by @renovate in #8358
- Update Node.js to v20.17.0 by @renovate in #8344
- Update dependency @opensearch-project/opensearch to v2.12.0 by @renovate in #8354
- Update fontsource monorepo to v5.1.0 by @renovate in #8347
- Update Yarn to v4.5.0 by @renovate in #8345
- Update dependency apexcharts to v3.53.0 by @renovate in #8357
- Update aws-sdk-js-v3 monorepo to v3.651.1 by @renovate in #8346
- [backend] filtering-utils fixes and tests by @Archidoit in #8218
- Revert "Update dependency @xmldom/xmldom to v0.9.2" by @aHenryJard in #8370
- [frontend] adjust data tables styling by @labo-flg in #8369
- Update docker.elastic.co/elasticsearch/elasticsearch Docker tag to v8.15.1 by @renovate in #8371
- Update quay.io/keycloak/keycloak Docker tag to v25.0.5 - autoclosed by @renovate in #8373
- Update dependency filigran-ui to v0.18.1 by @renovate in #8375
- Update docker.elastic.co/kibana/kibana Docker tag to v8.15.1 by @renovate in #8372
- Update dependency openai to v4.61.1 - autoclosed by @renovate in #8376
- [frontend] Bulk entity creation of SDO/SCO with Copy/Pasting (#4352) by @ValentinBouzinFiligran in #8381
- Update dependency filigran-icon to v0.8.1 by @renovate in #8374
- [backend/frontend] improve organization sharing (#4538) by @marieflorescontact in #8301
New Contributors:
- @shmztk made their first contribution in #8212
- @Dimfacion made their first contribution in #8261
Full Changelog: 6.2.18...6.3.0