Dear community, we're excited to announce the launch of OpenCTI 6.9.0! 🥳
This release focuses on solving key pain points and unlocking new use cases:
- Make Priority Intelligence Requirements actionable
- CTI-driven assessment by integrating OpenCTI & OpenAEV
- Authorized Members on drafts, to protect them from unwanted modification or approval
- Keep selected IOCs from decaying with Decay Exclusion Rules
- Framework to import data in the platform via Form Intake
- UI & UX improvements
- Many other improvements (new capabilities for playbooks, pattern matching for IOCs…)
- New Integrations/Connectors
🌟 Make Priority Intelligence Requirements actionable (EE)
- A new Threat Map widget in PIRs provides instant visual insight into your highest-priority threats, enabling faster threat assessment and prioritization.
- Priority Intelligence Requirements are now actionable within playbooks through intelligent filtering based on identified threats and scores. This enhancement transforms PIRs from passive threat awareness into actionable automation.
- Trigger enrichment and processing workflows upon threat detection
- Automatically initiate actions based on PIR threat scores
- Selective processing of entities (indicators, vulnerabilities, etc.) linked to specific PIR threats
This allows teams to move beyond static threat lists and automatically respond to prioritized threats. Playbooks now execute targeted actions on the threats that matter most to your organization, reducing noise and accelerating response times to high-priority threats.
🤖 CTI-driven assessment by integrating OpenCTI & OpenAEV (CE)
Security assessments can now be initiated from threat intelligence in OpenCTI, executed as simulations in OpenAEV, and their results automatically imported back into OpenCTI as actionable gap analyses, stored in a new entity type, Security coverage. The creation and generation of security coverages can also be fully automated through the playbook engine. Combined with the ability to trigger playbooks on PIR events, this lets you automatically test your defence posture against the threats identified as relevant to your organization.
This first implementation lays the foundation for transforming security assessments from manual processes into automated, threat-driven continuous validation.
See details in our documentation.
💡 Authorized Members on drafts, to protect them from unwanted modification or approval, & Service Account bypass (CE)
As a first step towards an approval workflow for drafts, Authorized Members can now be set on drafts.
This way, when creating a draft manually or via file upload, you can define its authorized members at creation time. This ensures that no other user can validate your draft on your behalf, or modify it, without your consent.
This change required a related change: Service Accounts now bypass Authorized Members. The rationale is that Service Accounts must be able to enrich observables within a draft even when the draft has Authorized Members set. To be clear: even if a Service Account is not listed as an Authorized Member, it gets the Edit permission on the entity (draft, containers). This bypass is the default behaviour and cannot be disabled. In practice, the protection Authorized Members gives a draft or container is therefore only as strong as your control over Service Account tokens: any connector or integration holding one can modify it.
👤 Keep selected IOCs from decaying with Decay Exclusion Rules (CE)
Some IOCs should never expire. YARA rules (or any detection rule) should not be revoked automatically, otherwise the tools consuming them (SIEM, XDR, EDR…) would stop detecting what those rules describe.
This is the purpose of Decay Exclusion Rules: you filter on IOC attributes so that matching IOCs do not fall under any decay rule. Ultimately, it prevents those IOCs from being automatically revoked.
Please note the following about decay exclusion rules:
- Decay exclusion rules always take precedence over decay rules: if an IOC matches both a decay rule and a decay exclusion rule, the exclusion applies.
- An IOC currently matching a decay rule will fall under a decay exclusion rule at upsert if the upserted data matches the filters of the decay exclusion rule.
- Once an IOC falls under a decay exclusion rule, it cannot be changed so that a decay rule applies to it again.
This feature should also help if you use sources that manage the lifecycle of your IOCs themselves, by avoiding two automated lifecycle processes being applied to the same IOCs.
See details in our documentation.
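To make the three rules above concrete, here is a small stand-alone model of the precedence logic, written for this note. It is not OpenCTI's implementation and does not use its API: rule filters are modelled as attribute-to-accepted-values maps (every listed attribute must match), the decay rules, exclusion rules and indicators are constructed sample data, and the "sticky" exclusion flag is this model's way of expressing the third rule.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    """A decay rule or a decay exclusion rule, reduced to its filter.

    filters maps an indicator attribute to the set of accepted values; every
    listed attribute must match (AND). List-valued attributes such as labels
    match when any of their values is accepted. An empty filter matches all.
    """
    name: str
    filters: Dict[str, Set[str]]

    def matches(self, indicator: dict) -> bool:
        for attr, accepted in self.filters.items():
            value = indicator.get(attr)
            values = set(value) if isinstance(value, (list, tuple, set)) else {value}
            if not values & accepted:
                return False
        return True


@dataclass
class DecayState:
    excluded: bool = False            # under a decay exclusion rule
    decay_rule: Optional[str] = None  # name of the decay rule applied, if any


def evaluate(indicator: dict, decay_rules: List[Rule], exclusion_rules: List[Rule],
             previous: Optional[DecayState] = None) -> DecayState:
    """Decide which lifecycle applies to an indicator.

    Rule 1: an exclusion rule always wins over a decay rule.
    Rule 3: once excluded, an indicator never goes back under a decay rule
            (modelled here as a sticky flag carried in `previous`).
    Among several matching decay rules the first one listed wins (this model's choice).
    """
    if previous is not None and previous.excluded:
        return DecayState(excluded=True)
    if any(rule.matches(indicator) for rule in exclusion_rules):
        return DecayState(excluded=True)
    for rule in decay_rules:
        if rule.matches(indicator):
            return DecayState(decay_rule=rule.name)
    return DecayState()


def upsert(previous: DecayState, indicator: dict, changes: dict,
           decay_rules: List[Rule], exclusion_rules: List[Rule]):
    """Rule 2: re-evaluate on upsert against the merged attributes."""
    merged = {**indicator, **changes}
    return merged, evaluate(merged, decay_rules, exclusion_rules, previous)


# Constructed sample configuration (not OpenCTI defaults).
DECAY_RULES = [
    Rule("ip-default", {"main_observable_type": {"IPv4-Addr", "IPv6-Addr"}}),
    Rule("stix-default", {"pattern_type": {"stix"}}),
]
EXCLUSION_RULES = [
    Rule("detection-rules", {"pattern_type": {"yara", "sigma", "snort", "suricata"}}),
    Rule("vendor-managed", {"labels": {"lifecycle:vendor-managed"}}),
]

# Constructed sample indicators.
YARA_INDICATOR = {"name": "APT_Loader_Strings", "pattern_type": "yara", "labels": []}
IP_INDICATOR = {"name": "[ipv4-addr:value = '203.0.113.7']", "pattern_type": "stix",
                "main_observable_type": "IPv4-Addr", "labels": []}


if __name__ == "__main__":
    print(evaluate(YARA_INDICATOR, DECAY_RULES, EXCLUSION_RULES))
    state = evaluate(IP_INDICATOR, DECAY_RULES, EXCLUSION_RULES)
    print(state)
    # A feed that manages the IOC lifecycle itself tags it at upsert: exclusion wins.
    ind, state = upsert(state, IP_INDICATOR, {"labels": ["lifecycle:vendor-managed"]},
                        DECAY_RULES, EXCLUSION_RULES)
    print(state)
    # Removing the label later does not bring the IOC back under decay (rule 3).
    ind, state = upsert(state, ind, {"labels": []}, DECAY_RULES, EXCLUSION_RULES)
    print(state)
```

Running the script walks the IP indicator through the three rules: it starts under the ip-default decay rule, becomes excluded when an upsert adds the vendor-managed label, and stays excluded after the label is removed.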
🛡️ Framework to import data in the platform via Form Intake (CE)
Creating data in the platform can be a complex task, especially because:
- Not all users are STIX experts.
- Administrators need a way to enforce data collection consistently.
As a result, we’re proud to introduce the Form Intake, to streamline the collection of threat intelligence data from external sources and stakeholders through structured forms.
Form intakes let administrators define a form specifying which entities should be created and which of their fields are mandatory. Administrators can also decide to automatically create relationships between the entities created via the form, and whether to create them in a draft or not. Additionally, the administrator can label the entity or a specific field with a non-STIX label, which helps users unfamiliar with the platform and/or STIX enter information easily.
Available since 6.8.X, this feature has already proven useful in the FIMI context, in sharing communities such as ISACs, and for incident reporting.
Please provide as much feedback as possible on this feature, which should help you consolidate your database with consistent data.
🎨 UI & UX improvements (CE)
We keep working on the UI & UX part to provide a better experience to users.
- Improvement of the bulk search module to make it more useful and actionable, by allowing differentiated management of found entities (knowns) and not found entities (unknowns). Known entities now support bulk operations, and all unknown entities can be created simultaneously.
- The Create Relationship floating action button has been replaced on all entity tabs across the platform: you can now create relationships from any tab using the button located next to the Update button.
- Custom themes are now available. Organizations can now align the platform’s visual design with their corporate branding guidelines.
- The Composer catalog now adapts seamlessly to your screen size, providing a better experience on any device.
- Files open in another tab in drafts: opening a file from a draft now opens it in a new browser tab, which simplifies working in the draft.
- Clearer Add behaviour for Authorized Members: the “+” used to add authorized members was confusing, so it has been replaced by an explicit ADD button.
💡 Many other improvements (new capabilities for playbooks, pattern matching for IOCs…)
- New observable to model SSH keys (CE): a new observable type, SSH key, has been introduced to model SSH keys.
- Email notifier improvements (CE): the mailer notifier generates its content in HTML, whereas the description field of an entity is written in Markdown by default. Markdown-formatted content is now converted to HTML so that descriptions render consistently in email notifications.
- Pattern matching filter (CE/EE): now also available for indicators in playbooks, live streams, CSV feeds, and TAXII collections.
- Composer configuration (EE): a global HTTP/HTTPS proxy can now be configured for connector network connectivity.
- Change of the capability linked to playbooks (EE): the Playbook capability has been split into two capabilities:
  - Manage playbooks: allows users to create and manage playbooks.
  - Use playbooks: allows users to trigger playbooks manually and automatically.
  This gives administrators fine-grained RBAC over playbooks. See details in our documentation.
- Change of capability for Delete & Merge knowledge (CE): after feedback from the community, Merge and Delete are now two separate capabilities instead of one.
- Add original value in the logs (CE): understanding in detail how an entity changed is key in cyber security. Data traceability has therefore been improved: each line of an entity's history is now clickable and shows the initial value and the new one.
- Send to template in playbook (EE): a new box, “Send email from template”, has been introduced, allowing you to send emails using the templates defined in Parameters/Security. The goal is to email users while leveraging the HTML capabilities of the email template editor. This template only supports user-related variables, not entity-related variables. It also supports some dynamic variables, such as selecting “dynamic objects from the object in bundle” (organization) to extract the users of the organization that triggered the playbook. More info on our documentation page.
- Introduction of an onboarding email template (EE): on new platforms, an email template for user onboarding is prepopulated, to save administrators time when setting up their platform.
- Support of CVSS 3.0 vector strings (CE): until now the platform only supported CVSS 3.1 vector strings; it now also accepts CVSS 3.0 vector strings.
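The Markdown-to-HTML conversion mentioned in the email notifier item is exactly the kind of step where untrusted text (a description typed by a user or imported by a connector) ends up inside HTML delivered to a mailbox. The following added example is not OpenCTI's converter and makes no claim about how OpenCTI sanitises mail content; it shows the checks a practitioner would want in such a converter: every input line is HTML-escaped before any tag is generated, so raw HTML in a description can never pass through, and link targets are kept only for an allowlisted set of URL schemes (an assumption of this example), so `javascript:` links are reduced to their text. The sample description is constructed.

```python
import html
import re
from urllib.parse import urlparse

# Assumption for this example: only these link schemes survive into the mail body.
SAFE_SCHEMES = {"http", "https", "mailto"}

_LINK = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")
_HEADING = re.compile(r"^(#{1,3})\s+(.*)$")


def _render_link(match):
    label, target = match.group(1), match.group(2)
    # `target` is already HTML-escaped; unescape a copy to inspect the real scheme.
    scheme = urlparse(html.unescape(target)).scheme.lower()
    if scheme not in SAFE_SCHEMES:
        return label  # keep the visible text, drop the dangerous link
    return f'<a href="{target}">{label}</a>'


def _inline(text: str) -> str:
    """Inline Markdown (code, bold, italic, links) on text that is ALREADY HTML-escaped."""
    text = re.sub(r"`([^`]+)`", r"<code>\1</code>", text)
    text = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", text)
    text = re.sub(r"(?<!\*)\*([^*]+)\*(?!\*)", r"<em>\1</em>", text)
    return _LINK.sub(_render_link, text)


def markdown_to_html(markdown: str) -> str:
    """Convert a Markdown description to HTML for an email body.

    Handles paragraphs, #/##/### headings, -/* bullet lists and the inline markup
    above. Raw HTML in the input is never passed through: each line is escaped
    first, so the only tags in the output are the ones this converter emits.
    """
    out, paragraph, in_list = [], [], False

    def flush_paragraph():
        if paragraph:
            out.append("<p>" + _inline(" ".join(paragraph)) + "</p>")
            paragraph.clear()

    for raw_line in markdown.splitlines():
        line = html.escape(raw_line.strip(), quote=True)
        heading = _HEADING.match(line)
        is_item = line.startswith(("- ", "* "))
        if in_list and not is_item:
            out.append("</ul>")
            in_list = False
        if heading:
            flush_paragraph()
            level = len(heading.group(1))
            out.append(f"<h{level}>{_inline(heading.group(2))}</h{level}>")
        elif is_item:
            flush_paragraph()
            if not in_list:
                out.append("<ul>")
                in_list = True
            out.append(f"<li>{_inline(line[2:])}</li>")
        elif not line:
            flush_paragraph()
        else:
            paragraph.append(line)
    flush_paragraph()
    if in_list:
        out.append("</ul>")
    return "\n".join(out)


# Constructed sample description mixing legitimate Markdown with hostile input.
SAMPLE_DESCRIPTION = """## Campaign summary
Observed **C2** traffic to `evil.example` on 2 hosts.

- Full report: [report](https://example.com/r?id=1&x=2)
- <script>alert(1)</script>
- [click me](javascript:alert%281%29)
"""

if __name__ == "__main__":
    print(markdown_to_html(SAMPLE_DESCRIPTION))
```

The order matters: escaping happens per line before any Markdown is interpreted, so `&` in a legitimate URL becomes `&amp;` inside the `href` (correct HTML) while the `<script>` line stays inert text, and the scheme check runs on the unescaped target so an encoded `javascript:` cannot slip past it.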
🔗 Connectors & Integrations (CE)
Regarding connectors and integrations, this milestone brought several new connectors.
Import Connectors
- DShield.org - Collects data from the DShield.org Recommended Block List
- Criminal IP C2 Daily Feed - Ingests malicious IP addresses from Criminal IP C2 Daily Feed
- TeamT5 - Enables automatic ingestion of Reports and Indicator Bundles from the Team T5 Platform
- FT3 - Imports the FT3 framework providing structured taxonomy for fraud tactics and techniques
- SPARTA - Imports the SPARTA framework defining TTPs used in cyber threats targeting spacecraft and space missions
Enrichment Connectors
- ESET - Automatic enrichment of ESET ETI reports
- Kaspersky - Investigates and enriches observables (File, IPv4, Domain/Hostname, URL) using the Kaspersky Threat Intelligence Portal
Stream Connectors
- MISP Intel - Streams threat intelligence to MISP, automatically creating, updating, and deleting MISP events based on OpenCTI containers (reports, groupings, and case management objects)
- Splunk SOAR Push - Pushes threat intelligence to Splunk SOAR (formerly Phantom), creating Events from Incidents and Cases from Containers
- SEKOIA Intel - Feeds Sekoia IOC collections using OpenCTI knowledge
Multiple connectors were added to the OpenCTI catalog, enabling one-click deployment (Feedly, Google TI, Recorded Future, CrowdStrike, VirusTotal, Mandiant)