github OpenCTI-Platform/opencti 6.5.0
Version 6.5.0
on GitHub

18 hours ago

Dear community, we're excited to announce the launch of OpenCTI 6.5.0! 🥳

This release focuses on solving key pain points and unlocking new use cases:

  • Help analysts produce & disseminate finished intelligence
  • IOC management: introduce exclusion lists to avoid ingesting unwanted IOCs
  • AI: become an assistant for analysts

ℹ️ Enterprise Edition Activation Changes

Note

As you know, in June 2023 we introduced an “Enterprise Edition” of the platform. As we explained at the time, this was in no way a reneging on our commitment to open source software, which has been part of our DNA since the very first day of our adventure. We are convinced that we have honored this promise perfectly, continuing to invest heavily in the features of the community version and innovating for all our communities.
Access to the Enterprise Edition, subject to a special license and annual subscription, has remained for almost two years based on the good faith of the platform's users, with acceptance of the license requiring a simple checkbox in the platform settings.
To promote transparency and fair use of our products, OpenCTI 6.5.0 introduces a license key system to control activation of the Enterprise Edition. All Filigran customers and non-governmental charity organizations using EE in accordance with the terms of the license have already received their license key(s).
As a consequence, upgrading a platform with EE activated and without a valid license key will result in the full de-activation of all EE features. Of course, for organizations wishing to access the associated features for testing and development purposes, trial license keys can be generated automatically and independently from our website. Please, don't hesitate to reach out to us if you have any question or concern about this new license key system.

Analysts spend significant time working on incidents and reports to identify threats and create knowledge that improves their organization's security posture.

However, transforming this information into standardized, easily disseminated finished intelligence documents often proves challenging.

This is why we introduced the ability to create your own finished intelligence template 📜 (Enterprise Edition). From the container's customization page, you can now define templates that use variables of your container and the entities and relations present in your container. These predefined templates will reuse the intelligence contained in your container. Your analysts can simply generate finished intelligence from these templates to initialize documents pre-populated with relevant data. This significantly reduces the time needed to produce any kind of reports.

Better yet, these templates can be imported and exported 💡, allowing you to reuse them across different platforms!

In addition, we've added the capability to manage dissemination lists & leverage them to send PDF documents via email (Enterprise Edition) 📨. Once administrators define email distribution lists, analysts can use them to send Finished Intelligence documents directly to their dissemination circles. This gives non-OpenCTI users easy access to analyst-produced documents.

In certain circumstances, intelligence access needs to be more restricted—for instance, during critical incidents or when handling sensitive threat reports. To address this, we've added the ability to restrict access to a container with our authorized member mechanism 🔒. Even with shared containers, enabling access restriction limits visibility to specifically authorized users, groups, or organizations. These authorized members receive only the access rights you grant them (view, edit, manage), helping you maintain data confidentiality.

To ensure restricted data remains manageable if an entity manager leaves your organization, administrators can access a restriction management panel 🔓 to remove restrictions on entities when needed.

Minimizing false positives is essential for improving the accuracy and effectiveness of threat detection. To support this, we've introduced exclusion lists ⛔ in OpenCTI.
This feature lets you create exclusion lists to prevent specific IOCs, such as internal IPs or trusted domains, from being ingested into the platform. By preventing the ingestion of these non-malicious IOCs, you ensure they are not propagated to your external detection solutions (ex: SIEM), reducing noise and enhancing detection accuracy.

AI should enhance analysts' daily work, which is why we've revamped our AI module(Enterprise Edition). Now available across all platform entities, it supports analysts in their daily tasks. From any entity, such as a threat, analysts can quickly view latest activity, get summaries from recent reports, and see activity logs—putting useful information at their fingertips!

Understanding and presenting data effectively is crucial in CTI. This is why we have worked on the following features.

  • Correlation views have been redesigned with this in mind. All container types can now correlate with each other—for example, if an incident response shares IOCs with a report, they'll be correlated. We've added an information panel explaining container correlations and improved the graph view to better illustrate entity relationships between containers. 💡
  • Dashboards, especially List widgets, now feature the ability to select columns in knowledge & entity perspective 📊. Users can select and reorder columns based on their needs. When filtering across multiple entity types, only common attributes will be available for selection.
  • We've added a useful feature to notifications: you can now filter on the trigger of the notification 🔔(via label click or filter selection). This helps you understand which trigger generated which notification.
  • Knowledge views for Attack Patterns have been enhanced with a relation view, making information easier to understand and manage. This improvement was specifically requested by the community 👂 to better handle Attack Patterns linked to threats.

Our OpenBAS :openbas: integration has been redesigned to support choosing the correct architecture when running simulations from OpenCTI. This includes a deprecation, detailed below.

In terms of data ingestion, OpenCTI now provides the capability to expose TAXII 2.1 data collections for pushing STIX-formatted data. Available under Data/Ingestion, the TAXII Push ingester enables users and external systems to import STIX 2.1 objects into OpenCTI through an exposed TAXII collection, ensuring full compliance with the 'Add objects' section of the TAXII 2.1 specification.

We’ve also updated and integrated a new GraphQL playground to enhance your development experience by making it easier to test and interact with our GraphQL API 😎.

Finally, we've improved performance for large dataset operations ⚡ through two backend enhancements: improved worker thread pool and relocated lock mechanism to a separate process. This means faster background task processing and more efficient operations on shared entities, resulting in fewer errors.

Regarding connectors and integrations, this milestone brought several new connectors and integrations like:

  • Tenable Security Center
  • Google SecOps SIEM
  • Proofpoint ET Pro Rep List
  • Spycloud
  • Zvelo
  • YARA Import Files

But also to enhance some connectors :

  • Hatching triage
  • Sentinel-Intel
  • RecordedFuture
  • Mandiant
  • Crowdstrike
  • ImportDocument
  • Harfanglab
  • Flashpoint

We deeply want to thank our Partner & Community for their contributions:

  • New connectors:
    • Loader Insight Agency File Feed
    • Intel471-V2
    • Zscaler ZIA
    • IBM XTI
    • Hunt.io
    • Wiz
  • Connectors enhancements:
    • TAXII2-connector
    • MISP connector
    • Feedly
    • Tagger
    • crtsh
    • Orange Cyber Defense
    • Zerofox
    • TheHive
    • Greynoize
    • VirusTotal
    • ShadowServer
    • ransomware.live

Finally, we have made efforts to expand the availability of our Docker containers. In addition to being hosted on Docker Hub, all OpenCTI containers are now also accessible via [GitHub Container Registry](https://github.com/orgs/OpenCTI-Platform/packages).

We hope this release will please you! Feel free to drop us a note about anything. We’re always happy to get feedback about our product usage, whether it’s to hear that everything works perfectly or to get some improvement ideas to.

All the details about what has been released for which repo is available here:

⚠️ Deprecation

Deprecation Notice: GenerationScenario Mutations in OpenCTI - OpenBAS

The following three mutations related to GenerationScenario have been deprecated due to changes in their signature and response format:

  • obasContainerGenerateScenario → Replaced by obasContainerGenerateScenarioWithInjectPlaceholders
  • obasThreatGenerateScenario→ Replaced by obasThreatGenerateScenarioWithInjectPlaceholders
  • obasVictimGenerateScenario→ Replaced by obasVictimGenerateScenarioWithInjectPlaceholders

Key Changes in new version : + WithInjectPlaceholders

New Signature Object: SimulationConfig

  • simulationType: Defines the type of simulation: Technical or Simulated
  • selection:
  • interval: Defines the execution interval.

New Response Object: GenerationResponse

  • urlResponse: URL of the generated scenario in OpenBAS.
  • attackPatternNotAvailableInOpenBAS: List of identifiers not covered by OpenBAS.
  • hasInjectPlaceholders: Indicates if any inject placeholders were created in OpenBAS.

For more information about the deprecation duration, please refer to our documentation: https://docs.opencti.io/latest/deployment/breaking-changes/.

Enhancements:

  • #9711 Move resource lock handling to a separate process
  • #9709 Improve worker thread control using thread pool
  • #9598 Implement EE license mechanism
  • #9580 Introduce AI Insights and refactor Ask AI
  • #9572 Be able to reset local storage from User Profile
  • #8943 Authorized members on Containers: Remove Feature Flag & Verify testing coverage
  • #8941 Finish Exclusion Lists MVP
  • #8940 Finish Outcome Template First Step
  • #8906 Import/export an Outcome Template
  • #8835 Add a view in entity/knowledge/attack pattern representing the relation
  • #8820 Specify arch and platform when creating injects for OpenBAS
  • #8336 Make outcome templates customizable
  • #7309 In notifications, be able to filter for given triggers (and add it as quick filters)
  • #7296 In list of relationships in custom dashboard (Knowledge => List), be able to choose to see only the "source" or only the "target" instead of both
  • #7295 Be able to select the columns to display in custom dashboard lists widgets
  • #6728 Draft: finish last chunk & test ux worklow
  • #5652 Deploy the NLP connector to SaaS users for testing
  • #5554 Leverage mailing lists to send manually any entity - PDF only
  • #5551 Create mailing lists in the platform for the default mailer
  • #4961 Management panel for Access Restriction on Knowledge Entities
  • #3345 Be able to request access to information when creation is conflicting between organizations - First part
  • #3227 Related containers / correlation enhancements

Bug Fixes:

  • #9795 [backend] Improve notification template verifications
  • #9508 [Dashboard] Number of elements in list capped at 100 despite larger value in "Number of results"
  • #8689 Container: copy/pasting some content directly in source mode in main content breaks the platform
  • #8191 Playground favicon is not correct

Pull Requests:

New Contributors:

Full Changelog: 6.4.11...6.5.0

Check out latest releases or
releases around OpenCTI-Platform/opencti 6.5.0

Don't miss a new opencti release

NewReleases is sending notifications on new releases.

Get notifications