github OpenCTI-Platform/opencti 6.7.0
Version 6.7.0

Dear community, we're excited to announce the launch of OpenCTI 6.7.0! 🥳

This release focuses on solving key pain points and unlocking new use cases:

  • Notifications spamming
  • Saved filters & Dynamic filtering
  • UI & UX improvements
  • Security Posture & MITRE ATTACK sub-techniques
  • Fintel PDF Export Branding Customization
  • Reset Password
  • JSON Mapper/Feed Ingestion
  • Apply Case Templates via Playbooks
  • Vulnerability Management & Data model
  • Background tasks processed by workers
  • New Integrations/Connectors (Dragos, Cofense, ServiceNow, Mailboxes…)

🔔 Notifications Spamming (CE)

Notifications have been improved to avoid spamming users. Starting from 6.7, all platforms will have a buffer enabled by default for all notifications coming from OpenCTI.

Practically, if a single edit matching a live trigger is made on an entity, the notification for that change is still sent in real time. However, if multiple edits matching a live trigger are made on a single entity, which would otherwise produce multiple notifications, only a single one is sent (to be clear, you receive one notification per trigger). By default, the timer is set to 60 seconds.

This behavior affects all notification types (email, in-app, webhook) and is enabled by default for all platforms (the setting is applied at platform level, so it affects all users of the platform).

You can disable this feature or change the timer duration through the configuration parameters PUBLISHER_MANAGER__ENABLE_BUFFERING and PUBLISHER_MANAGER__BUFFERING_SECONDS. See documentation

💾 Saved Filters & Dynamic filtering (CE)

We are also enhancing our filtering capabilities with the introduction of Saved Filters. Users can create filters tailored to their specific needs and save them for future use. These filters can be quickly accessed, removing the need to re-enter search criteria for frequent queries. Furthermore, users have the flexibility to update their saved filters as their analysis requirements change.

Dynamic filtering is also a new addition in this release: the concept is the same as the pre-queries in dashboards. It first identifies the subset of entities/relations matching your dynamic filter, then applies the rest of the filter to the data found through it. On the relationships screen, two filters, Dynamic From and Dynamic To, let you filter on each side of the relation to get more precise results. At entity level, In regards of (dynamic) lets you be more specific in your “in regards of” filters by applying additional filters (instead of only filtering on a specific entity). Therefore, you can perform queries such as “list all victims of malwares having the type ransomware”.

🖥️ UI & UX Improvements (CE)

We are aware that the UI & UX of the platform can sometimes be difficult to grasp. We are working towards improving this part. This is why we have made several changes to enhance accessibility and overall user experience. The changes include:

  • The Floating Action Button (the circular “+” or “edit” button previously located at the bottom of each page) has been relocated to the top right of each screen for easier access. This change has not yet been applied to the knowledge views of entities.
  • The Delete button for entities is now placed within the Edit Panel to avoid unwanted deletion.
  • Home Dashboard selection is now available in the user profile section, instead of the main dashboard homepage.

We have also revamped the "Data/Import" view to better organize resources. Now, all uploaded files, workbenches, and drafts are centralized in one place for enhanced accessibility and simplified organization. As a result, the "Draft" menu has been relocated to this view.

🛡️ Security Posture & MITRE ATTACK Sub Techniques (CE)

Gaining insight into your cyber defense coverage in relation to the techniques used by threats is essential for identifying detection gaps and improving your security posture. To support this goal, we have introduced a new entity "Security Platform" which allows you to manually map the techniques your detection tools are intended to cover (should-cover relationship) and compare them with actual threat techniques. To facilitate this process, the MITRE ATT&CK Matrix view has been enhanced, enabling easy comparison between the techniques theoretically covered by your security tools and those used by threats. By leveraging this feature, organizations can achieve improved alignment of their security strategies with real-world threats, facilitating proactive defense measures and strategic improvements over time.

In addition to this new capability, we have enhanced the "MITRE ATT&CK Matrix" view by adding support for sub-techniques. It is now easy to see the number of sub-techniques used by a threat via a badge. Additionally, you can expand a parent technique to display its associated sub-techniques, providing greater visibility into the details of the tactics employed by threats.

🎨 Fintel PDF Export Branding Customization (EE)

To ensure that report exports reflect your corporate identity, we have introduced new customization options for Fintel PDF exports, providing a more personalized and tailored presentation. Beginning with version 6.7.0, you can configure a Fintel design by uploading your company logo and choosing custom colors to be applied throughout your Fintel PDF reports. This update guarantees that your exported documents are in line with your organization's branding, maintaining a consistent visual identity.

🔐 Reset Password (CE)

We are excited to introduce the new Reset Password feature in this release. This enhancement addresses a key requirement from our user community for better password management and improved security. Users can now initiate a password reset process directly from the login page. Upon request, a secure code will be sent to the registered email address, allowing users to set a new password.

🚀 JSON Mapper/Feed (CE)

In addition to our CSV Feed/Mapper capability, we are pleased to announce the new JSON Feed/Mapper feature, which enables seamless ingestion of JSON-formatted files and feeds. With this enhancement, you can effortlessly import, parse, and map both simple and complex JSON data structures, offering greater flexibility for integrating diverse cyber threat intelligence sources.

We’ve also improved the scheduling of our built-in Feed ingesters. You can now configure a specific fetching interval for each ingester (JSON, RSS, CSV). This enhancement allows you to better comply with external data source constraints and optimize your data ingestion processes.

📓 Apply Case Templates via Playbooks (EE)

Across all 6.X.X releases, we have always tried to improve our case management capabilities based on the feedback we received from the community. In this regard, we are glad to announce that, from 6.7, when wrapping elements into a Case container within a playbook, you can now also apply a case template directly from the playbook. This should help you improve your case management by enabling more automation, based for instance on the case type filters in playbooks introduced last release.

🧰 Vulnerability Management & Data model (CE)

Our vulnerability model now includes comprehensive data and metrics for CVSS v2 and CVSS v4, alongside the full set of CVSS v3 attributes, enhancing our assessment capabilities. We have also introduced a native capability to parse CVSS vector strings, which automatically populates the corresponding metrics directly within the platform. This improves efficiency by allowing users to input a vector string and instantly see the corresponding metrics filled in.

Finally, we've also introduced a "remediates" relationship to link software versions to specific vulnerabilities they fix, providing clearer remediation pathways. These updates deliver more detailed and actionable insights, helping users manage vulnerabilities more effectively.

In 6.7, we also extended our data model:

  • A score has been added to Organizations to support the supply chain use case: it is intended to represent the risk associated with an organization.
  • A new relationship “belongs-to” has been added between Threats (Intrusion Set & Threat Actors) and Channels, to facilitate the counter-disinformation use case.

🔧 Background tasks processed by workers (CE)

We have enhanced our background task management system to improve performance and prevent platform lock-ups during extensive background tasks. The task execution logic has been moved to asynchronous workers, allowing for better distribution of processing across different workers. Tasks are now provisioned into worker queues and executed by these workers. The tasks view has been updated to reflect these changes, allowing you to monitor the provisioning step followed by the execution step.

🔗 Connectors & Integrations

Regarding connectors and integrations, this milestone brought several new connectors and integrations.

  • The Dragos connector enables users to import intelligence from the Worldview API into OpenCTI. Through this integration, reports, indicators, and adversary information can be ingested and leveraged within OpenCTI. See documentation.
  • The Flashpoint connector now supports the ingestion of "Compromised Credentials Monitoring" (CCM) data. This information is structured as Incidents in OpenCTI, making it possible to effectively track and manage credential exposures. See documentation.
  • Two new connectors have been developed to enable organizations to automate the collection of shared information via e-mail, by regularly polling a mailbox and transforming each message into an OpenCTI report.
    • The Email Intel IMAP Connector enables the ingestion of cyber threat intelligence reports received via email into the OpenCTI platform using the IMAP protocol. A dedicated Google OAuth provider was also added for the integration with Google Mailboxes. See documentation.
    • The Email Intel Microsoft Connector ingests cyber threat intelligence reports received via email into the OpenCTI platform using the Microsoft Graph API. See documentation.
  • A new connector for Cofense ThreatHQ has been developed, enhancing the ingestion and modeling of Cofense Intelligence phishing threat data. See documentation.
  • A new connector, ServiceNow, has been created. This connector aims to import your Security Incidents (Security Incident Module in ServiceNow) directly into OpenCTI. Any Security Incident raised in ServiceNow will create a Case Incident Response in OpenCTI, including its associated Tasks, comments and observables. At the moment, we only support the default fields defined in ServiceNow, and it is not possible to edit a case incident in OpenCTI and expect this update to be reflected in ServiceNow.
    • It is possible to filter the Security Incidents from ServiceNow to be ingested in OpenCTI based on their state, severity, priority & comments. For more information on how to set up this connector, please have a look at the documentation of the connector, available here.
    • This connector also allows you to import Observables from ServiceNow.

We would like to extend our sincere thanks to our partners and community for their valuable contributions to our connector ecosystem. Thanks to your efforts, new connectors such as Dogesec CTI Butler, Dogesec Vulmatch, Dogesec Stixify, Dogesec Obstracts and a new connector for MalwareBazaar have been added. Additionally, several existing connectors including Sekoia, Intel471, Group-IB, IBM XTI, GreyNoise Feed, MISP Feed, TheHive, and VirusTotal enrichment have been significantly improved. Your collaborations are instrumental in driving our platform forward and providing even greater possibilities to all our users. Thank you all!

Enhancements:

  • #11445 [backend] Improve label filtering to support name instead of only id
  • #11366 Implement CVSS 2 and CVSS4 as well as missing attributes on CVSS3
  • #11357 Introduce dynamic filters for relationships and in regards of
  • #11323 Implement translations override and hidden vocabs
  • #11244 Introduce "remediates" relationship between Software and Vulnerability objects
  • #11207 Upgrade Relay to v19
  • #11062 Add support for JSON Feed and JSON Mapper
  • #10985 Revamp floating action buttons (FAB) and header menus
  • #10636 Upgrade to relay 18
  • #10482 Finalize new screen of Import
  • #10452 Create security platform entity (relation & import/export python included)
  • #10421 Migrate selection of home dashboard from home to profile
  • #10383 Update and highlight saved filters
  • #10369 Upgrade to React 19
  • #10284 Add platform logo in first page of a Fintel Template
  • #10274 Background task into worker
  • #10240 Matrices: align component between Containers & Entities
  • #10080 Data table - show as many chars as possible in a data table
  • #9811 Introduce a score field on Organization entities
  • #9605 Forgot Password
  • #8685 Spamming user when modifying a report assigned to someone
  • #8608 CSV mapper phase 3: last improvements
  • #8497 Add the relationship type “belongs to” between Channel and Threat Actor
  • #8258 Custom scheduling for CSV and RSS Feed Ingesters
  • #7574 Filters are back on the right-hand side for containers
  • #7231 Apply case template with playbook
  • #6975 Make OpenCTI compatible with the latest version / new image of Redis
  • #4948 Be able to overlay two ATT&CK matrices
  • #1633 Display subtechniques in the matrix views.

Bug Fixes:

  • #11439 STIX bundles are not processed when fields, like kill_chain_phases and external_references, are set to null
  • #11185 Wrong Japanese translations
  • #11105 Back to login link should be vertically centered
  • #10902 AI Insights sometimes returns content in Markdown instead of expected HTML
  • #10360 Relationship missing when creating indicators from observables
  • #10343 Intrusion Set Lists Fails to Display Correct Resource Level Value

Full Changelog: 6.6.18...6.7.0
