github OpenCTI-Platform/opencti 6.6.0
Version 6.6.0


Dear community, we're excited to announce the launch of OpenCTI 6.6.0! 🥳

This release focuses on solving key pain points and unlocking new use cases:

  • AI: become an assistant for analysts
  • Make import workflow seamless
  • Case management: improve filtering capabilities

OpenCTI offers lots of functionalities and various ways to see and collect information. However, sometimes, especially for new users, understanding where and how to find the information can be a struggle.

We hope that 6.6 will relieve you from this pain, thanks to the introduction of our new AI functionality: the Natural Language Query powered by Arianne AI 💫. This Enterprise Edition feature allows you, from the top search bar, to ask questions to the platform! Your question will be translated into a set of filters and the corresponding results will be displayed as usual, letting you narrow down your search if needed 🔍.

This capability fully relies on our filters and solely provides results about entities ⚠️: as a result, any question that would lead to filters that do not exist, or to a combination of filters not available in the app, won't give you the expected results. In addition, the scope of the questions is restricted to entities. For more information regarding this functionality, please go to the dedicated documentation page https://docs.opencti.io/latest/usage/ask-ai/#assistance-for-finding-specific-entities-natural-language-query.

We are eager to hear your feedback for this functionality which is a first step towards making Arianne AI a real assistant in your daily life on OpenCTI.

Finding intelligence first requires ingesting it into the platform. We have worked hard to be able to revamp our import workflow and introduce two major features: a full rework of the import from files workflow ↖️ and the Draft feature 🎨.

First, regarding the import workflow: you are now able to import multiple files at once 💡 and create a single draft out of them. This should save you quite some time, while gathering all the information in a single place for validation purposes.

The second feature that comes along with the import is the Draft 🎨. Draft workspaces aim to replace workbenches in the long run.

Basically, Drafts provide the same capabilities as a workbench: the ability to view what has been extracted from the file and validate it before import. But that is not all: all the functionalities available in the application will also be available within a Draft workspace! For this first release, you will be able to enrich in Draft and apply bulk operations (mass create, edit…) 💥. Switching your platform to a Draft "mode" will allow you to still browse and manipulate your data without impacting the main database.

You will also be able to convert your existing workbenches to Drafts.

As a result, the new import workflow coupled with the Draft functionality will enable you to better control your ingestion from files, ensuring that only high quality data is ingested for real in your OpenCTI instance.

We are keen to get feedback on this functionality that has required quite some work, therefore, feel free to try out & let us know what you think. More information on: https://docs.opencti.io/latest/usage/draftWorkspaces

We have spent some time improving features around Case Management. We have introduced two new filters: the "@me" filter 🤝 and the ability to filter on a relative date range ⏱️. This way, you will be able to create queries like "show me all cases created within the last week" ⏱️. This should improve your operational efficiency.

OpenCTI's complex and multi-layered ACL allows organizations to implement their own data segregation, each team having its own scope of responsibility, with need-to-know based sharing. This kind of process has an impact on collaboration efficiency, and it is not rare that teamA works on a correlated case handled by teamB without knowing it. Now in OpenCTI, with the Request Access feature (EE) 🧐, teamA is able to request access to the correlated case and thus, while respecting the need-to-know basis, collaborate further with the teams already working on it. Basically, in the context of a platform configured to segregate data per organization, if an entity exists in the platform with a marking accessible to the user but is not shared with the user's organization, then upon manual creation of that entity the user will have the ability to request access to it. This results in the creation of an RFI that only a specific group of users belonging to the correct organization can approve or reject, giving platform users full control over their data. Try it out!
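To make the two-layer check described above concrete, here is an added illustrative model of the flow, written for this page and not OpenCTI's own code: the entity and user fields, the approver group name `access-approvers`, the sample organizations `teamA`/`teamB` and the TLP-style markings are all assumptions. It shows the order of the checks (marking clearance first, then organization sharing), that a request is only offered in the "cleared but not shared" case, and that only approvers from an organization already holding the entity can decide the resulting request.

```python
"""Illustrative model of a need-to-know "request access" flow.

Constructed example for this page, not OpenCTI's implementation: the data
model, the group name and the sample identifiers are assumptions.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, Literal, Tuple

Visibility = Literal["visible", "requestable", "hidden"]

# Assumed name of the group whose members may approve or reject requests.
APPROVER_GROUP = "access-approvers"


@dataclass(frozen=True)
class Entity:
    entity_id: str
    markings: FrozenSet[str]     # marking definitions applied to the entity
    shared_with: FrozenSet[str]  # organizations the entity is shared with


@dataclass(frozen=True)
class User:
    user_id: str
    organization: str
    allowed_markings: FrozenSet[str]  # markings the user is cleared for
    groups: FrozenSet[str]


@dataclass
class AccessRequest:
    """Stands in for the RFI created by a request; records who may decide it."""
    entity_id: str
    requester: str
    requester_org: str
    owning_orgs: FrozenSet[str]
    status: str = "pending"


def visibility(user: User, entity: Entity) -> Visibility:
    # Marking clearance is checked first: a user not cleared for every marking
    # never learns the entity exists, so no request is offered either.
    if not entity.markings <= user.allowed_markings:
        return "hidden"
    if user.organization in entity.shared_with:
        return "visible"
    # Cleared for the markings but not shared with the user's organization:
    # this is the only case where "request access" is offered.
    return "requestable"


def request_access(user: User, entity: Entity) -> AccessRequest:
    if visibility(user, entity) != "requestable":
        raise PermissionError("request access is only offered for requestable entities")
    return AccessRequest(entity.entity_id, user.user_id, user.organization, entity.shared_with)


def decide(request: AccessRequest, approver: User, approve: bool,
           entity: Entity) -> Tuple[AccessRequest, Entity]:
    # Only members of the approver group in an organization that already
    # holds the entity may decide; approving shares it with the requester's org.
    if approver.organization not in request.owning_orgs:
        raise PermissionError("approver's organization does not hold this entity")
    if APPROVER_GROUP not in approver.groups:
        raise PermissionError("approver is not in the approver group")
    if request.status != "pending":
        raise ValueError("request has already been decided")
    if approve:
        request.status = "approved"
        entity = replace(entity, shared_with=entity.shared_with | {request.requester_org})
    else:
        request.status = "rejected"
    return request, entity


# Constructed sample data: a teamB case, one requester, one approver, two users
# who must be refused (no clearance / wrong group).
CASE = Entity("case--teamB-001", frozenset({"TLP:AMBER"}), frozenset({"teamB"}))
ALICE = User("alice", "teamA", frozenset({"TLP:CLEAR", "TLP:GREEN", "TLP:AMBER"}), frozenset())
BOB = User("bob", "teamB", frozenset({"TLP:AMBER"}), frozenset({APPROVER_GROUP}))
CAROL = User("carol", "teamA", frozenset({"TLP:CLEAR"}), frozenset({APPROVER_GROUP}))
DAVE = User("dave", "teamB", frozenset({"TLP:AMBER"}), frozenset())


def run_flow() -> Tuple[str, str]:
    """Happy path: alice requests, bob approves, alice can now see the case."""
    req = request_access(ALICE, CASE)
    req, shared = decide(req, BOB, True, CASE)
    return req.status, visibility(ALICE, shared)


if __name__ == "__main__":
    print(run_flow())
```

Note that `visibility` refuses to distinguish "hidden" from "does not exist": a user without the marking clearance gets the same answer as for an absent entity, which is what keeps the request mechanism from leaking the existence of data the user is not cleared for.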

We have also improved the playbooks to be able to filter on any container sub-type 🎊 (incident response type, report type, request for information type…). Therefore, you will be able to automate your case handling with more granularity. Altogether, these filtering capabilities should help you improve the operational efficiency of your teams working on cases.

Filtering has not only been improved in the context of containers, but globally within the application. All entities having a knowledge view can now benefit from a new view, the All view 🔥, which gathers all entities and all relations without any filters at all. This is a known pain point that has been raised for a while, since you were not able to easily see all the entities linked to the one you're looking at. This view will also be used to improve the current diamond model view 💎, since the various views of the diamond model will now redirect to the All view with some predefined filters matching your view!

Some of your cases, containers or even investigations can be huge and difficult to handle by our current front-end graph engine. This is one of the reasons we have heavily reworked our graphs within the platform 📈, to ensure we are able to load large graphs. To do so, we have introduced pagination when loading your graph, preventing your platform from crashing when you attempt to load a large graph. On top of this, we have also clarified the select and search behavior to find more easily the information you are looking for. Dedicated documentation is available here: https://docs.opencti.io/latest/usage/pivoting/?h=pivoting. This technical rework opens the path to further improvements in our graph, with the objective of helping users perform in-graph intelligence analysis and correlation.

A few other improvements have also been provided:

  • Import/Export CSV mappers 💥: this should help you use them easily (in addition to sharing them among team members) and even troubleshoot CSV issues seamlessly. And, who knows, maybe soon find ready-to-use CSV feeds and mappers in an online library… 😉
  • IOC management 💡: allows you to update indicators massively through mass operations and in playbooks
  • Danger Zone 🚸: add "reset connector state" to the danger zone

Regarding connectors and integrations, this milestone brought several new connectors and integrations like:

  • VulnCheck
  • PAN Cortex XSOAR
  • Proofpoint TAP
  • Proofpoint ET
  • Microsoft Defender Incidents
  • Bambenek
  • RST WHOIS
  • Infoblox
  • SentinelOne Incidents
  • SentinelOne Intel

Last but not least, we are excited to introduce our new AI-powered import-document 💫 connector. This connector allows Enterprise Edition organizations to feed information from documents into OpenCTI, with more extraction capabilities than the regular Import Document connector. Go to the readme of the connector to understand how to use it and its scope: https://github.com/OpenCTI-Platform/connectors/tree/master/internal-import-file/import-document-ai

⚠️ Deprecation notes:

Given that the Draft feature has been released, Workbench will be deprecated within approximately 6 months from this release. As a result, we strongly encourage you to have a look at the Draft functionality, to try it out, and to report to us any issue, or any feature existing in Workbench that you do not find in Drafts.

Enhancements:

  • #10243 Improve gradient buttons
  • #10037 Telemetry technical improvements for cluster mode
  • #9952 [Authorized Member]: Enhance Authorized Member feature to support intersection between organizations and groups
  • #9805 Internal cache performance improvements
  • #9760 Improve the Import Workflow
  • #9751 [POC]: Natural Language Query capabilities in OpenCTI
  • #9657 Request Access: Notification & Authorized Members
  • #9387 Add reset connector state under danger zone
  • #9300 [Placeholder] Ensure draft readiness for release
  • #9298 Graph Rework step 1: Refactor, Improve loading & add enriching capability
  • #9144 [Playbook]: Support for more filtering capabilities to trigger a playbook
  • #9128 [Filters]: Dynamic "Me" Filter
  • #8949 [Dissemination]: Ability to disseminate any file type
  • #8877 Move basic auth and bearer authentication out of platform sessions
  • #8245 Enhance massive operations on Indicators
  • #8051 Import / export CSV mappers
  • #7879 Create missing Diamond Model Views & Add a table in Entity/Knowledge/overview that lists all entities linked to the entity
  • #6044 Save Filter View: first development
  • #5169 Import YARA rules in bulk
  • #4950 [Filters]: Relative date-time

Bug Fixes:

  • #10481 Unable to override Worker Thread Pool Size via environment variable
  • #10467 In playbooks, I add a type indicator, choose it, then change add by replace. I then get an object that cannot be modified.
  • #10466 In Mass "replace" "Detection" property on indicator, replace to false disabled
  • #10375 Filter on Entity Type in Knowledge View/Relation view malfunctions
  • #10353 Missing connectors actions
  • #10327 Trying to update a specific Note raises an error
  • #10268 Delete button bad margin in Relationship edition form
  • #9871 Missing observable name when creating sighting from knowledge graph
  • #8806 Creating a new organization is slowed when having a lot of organizations
  • #8602 [Playbook] Deactivating the detection field on Indicator does not work
  • #7219 Investigation with thousands of entities will not open


Full Changelog: 6.5.11...6.6.0
