Skip to content

Releases: OpenCTI-Platform/opencti

Version 6.5.0

05 Feb 15:57
@Filigran-Automation Filigran-Automation
6.5.0
c9872d8
This commit was created on github.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 6.5.0 Latest
Latest

Dear community, we're excited to announce the launch of OpenCTI 6.5.0! 🥳

This release focuses on solving key pain points and unlocking new use cases:

  • Help analysts produce & disseminate finished intelligence
  • IOC management: introduce exclusion lists to avoid ingesting unwanted IOCs
  • AI: become an assistant for analysts

ℹ️ Enterprise Edition Activation Changes

Note

As you know, in June 2023 we introduced an “Enterprise Edition” of the platform. As we explained at the time, this was in no way a reneging on our commitment to open source software, which has been part of our DNA since the very first day of our adventure. We are convinced that we have honored this promise perfectly, continuing to invest heavily in the features of the community version and innovating for all our communities.
Access to the Enterprise Edition, subject to a special license and annual subscription, has remained for almost two years based on the good faith of the platform's users, with acceptance of the license requiring a simple checkbox in the platform settings.
To promote transparency and fair use of our products, OpenCTI 6.5.0 introduces a license key system to control activation of the Enterprise Edition. All Filigran customers and non-governmental charity organizations using EE in accordance with the terms of the license have already received their license key(s).
As a consequence, upgrading a platform with EE activated and without a valid license key will result in the full de-activation of all EE features. Of course, for organizations wishing to access the associated features for testing and development purposes, trial license keys can be generated automatically and independently from our website. Please, don't hesitate to reach out to us if you have any question or concern about this new license key system.

Analysts spend significant time working on incidents and reports to identify threats and create knowledge that improves their organization's security posture.

However, transforming this information into standardized, easily disseminated finished intelligence documents often proves challenging.

This is why we introduced the ability to create your own finished intelligence template 📜 (Enterprise Edition). From the container's customization page, you can now define templates that use variables of your container and the entities and relations present in your container. These predefined templates will reuse the intelligence contained in your container. Your analysts can simply generate finished intelligence from these templates to initialize documents pre-populated with relevant data. This significantly reduces the time needed to produce any kind of reports.

Better yet, these templates can be imported and exported 💡, allowing you to reuse them across different platforms!

In addition, we've added the capability to manage dissemination lists & leverage them to send PDF documents via email (Enterprise Edition) 📨. Once administrators define email distribution lists, analysts can use them to send Finished Intelligence documents directly to their dissemination circles. This gives non-OpenCTI users easy access to analyst-produced documents.

In certain circumstances, intelligence access needs to be more restricted—for instance, during critical incidents or when handling sensitive threat reports. To address this, we've added the ability to restrict access to a container with our authorized member mechanism 🔒. Even with shared containers, enabling access restriction limits visibility to specifically authorized users, groups, or organizations. These authorized members receive only the access rights you grant them (view, edit, manage), helping you maintain data confidentiality.

To ensure restricted data remains manageable if an entity manager leaves your organization, administrators can access a restriction management panel 🔓 to remove restrictions on entities when needed.

Minimizing false positives is essential for improving the accuracy and effectiveness of threat detection. To support this, we've introduced exclusion lists ⛔ in OpenCTI.
This feature lets you create exclusion lists to prevent specific IOCs, such as internal IPs or trusted domains, from being ingested into the platform. By preventing the ingestion of these non-malicious IOCs, you ensure they are not propagated to your external detection solutions (ex: SIEM), reducing noise and enhancing detection accuracy.

AI should enhance analysts' daily work, which is why we've revamped our AI module(Enterprise Edition). Now available across all platform entities, it supports analysts in their daily tasks. From any entity, such as a threat, analysts can quickly view latest activity, get summaries from recent reports, and see activity logs—putting useful information at their fingertips!

Understanding and presenting data effectively is crucial in CTI. This is why we have worked on the following features.

  • Correlation views have been redesigned with this in mind. All container types can now correlate with each other—for example, if an incident response shares IOCs with a report, they'll be correlated. We've added an information panel explaining container correlations and improved the graph view to better illustrate entity relationships between containers. 💡
  • Dashboards, especially List widgets, now feature the ability to select columns in knowledge & entity perspective 📊. Users can select and reorder columns based on their needs. When filtering across multiple entity types, only common attributes will be available for selection.
  • We've added a useful feature to notifications: you can now filter on the trigger of the notification 🔔(via label click or filter selection). This helps you understand which trigger generated which notification.
  • Knowledge views for Attack Patterns have been enhanced with a relation view, making information easier to understand and manage. This improvement was specifically requested by the community 👂 to better handle Attack Patterns linked to threats.

Our OpenBAS :openbas: integration has been redesigned to support choosing the correct architecture when running simulations from OpenCTI. This includes a deprecation, detailed below.

In terms of data ingestion, OpenCTI now provides the capability to expose TAXII 2.1 data collections for pushing STIX-formatted data. Available under Data/Ingestion, the TAXII Push ingester enables users and external systems to import STIX 2.1 objects into OpenCTI through an exposed TAXII collection, ensuring full compliance with the 'Add objects' section of the TAXII 2.1 specification.

We’ve also updated and integrated a new GraphQL playground to enhance your development experience by making it easier to test and interact with our GraphQL API 😎.

Finally, we've improved performance for large dataset operations ⚡ through two backend enhancements: improved worker thread pool and relocated lock mechanism to a separate process. This means faster background task processing and more efficient operations on shared entities, resulting in fewer errors.

Regarding connectors and integrations, this milestone brought several new connectors and integrations like:

  • Tenable Security Center
  • Google SecOps SIEM
  • Proofpoint ET Pro Rep List
  • Spycloud
  • Zvelo
  • YARA Import Files

But also to enhance some connectors :

  • Hatching triage
  • Sentinel-Intel
  • RecordedFuture
  • Mandiant
  • Crowdstrike
  • ImportDocument
  • Harfanglab
  • Flashpoint

We deeply want to thank our Partner & Community for their contributions:

  • New connectors:
    • Loader Insight Agency File Feed
    • Intel471-V2
    • Zscaler ZIA
    • IBM XTI
    • Hunt.io
    • Wiz
  • Connectors enhancements:
    • TAXII2-connector
    • MISP connector
    • Feedly
    • Tagger
    • crtsh
    • Orange Cyber Defense
    • Zerofox
    • TheHive
    • Greynoize
    • VirusTotal
    • ShadowServer
    • ransomware.live

Finally, we have made efforts to expand the availability of our Docker containers. In addition to being hosted on Docker Hub, all OpenCTI containers are now also accessible via [GitHub Container Registry](https://github.com/orgs/OpenCTI-Platform/packages).

We hope this release will please you! Feel free to drop us a note about anything. We’re always happy to get feedback about our product usage, whether it’s to hear that everything works perfectly or to get some improvement ideas to.

All the details about what has been released for which repo is available here:

⚠️ Deprecation

Deprecation Notice: GenerationScenario Mutations in OpenCTI - OpenBAS

The following three mutations related to GenerationScenario have been deprecated due to changes in their signature and response format:

  • obasContainerGenerateScenario → Replaced by obasContainerGenerateScenarioWithInjectPlaceholders
  • obasThreatGenerateScenario→ Replaced by obasThreatGenerateScenarioWithInjectPlaceholders
  • obasVictimGenerateScenario→ Replaced by obasVictimGenerateScenarioWithInjectPlaceholders

Key Changes in new version : + WithInjectPlaceholders

New Signature Object: SimulationConfig

  • simulationType: Defines the type of simulation: Technical or Simulated
  • selection:
  • interval: Defines the execut...
Read more

Contributors

richard-julien, SouadHadjiat, and 22 other contributors
Assets 4
Loading

Version 6.4.11

04 Feb 11:28
@Filigran-Automation Filigran-Automation
6.4.11
d32d207
This commit was signed with the committer’s verified signature.
Filigran-Automation Filigran Automation
GPG key ID: C708FDB840E80D34
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 6.4.11

Enhancements:

  • #9814 [backend] Limit inference explanations for single relationship

Bug Fixes:

  • #9824 An infinite update loop can happen when two instances listen to each other streams
  • #9795 [backend] Improve notification template verifications
  • #9771 Missing CSV feeds entity types translations
  • #9769 Bad confirmation message when deleting a dashboard or an investigation
  • #9752 [Task] When you try to add a participant, the message remains blocked.
  • #9270 Reindexing fail from opencti_stix_core_relationships-000001 to opencti_deleted_objects
  • #9057 In an Incident, the Observables count on Knowledge is one below the actual count
  • #8985 No action when clicking on a label in 'Add entities' panel
  • #8697 OpenCTI TAXII Feed - 413 Content Too Large
  • #8672 Missing entities listed in Knowledge tab
  • #8115 Incorrect display in Threat Actors menu category

Pull Requests:

Full Changelog: 6.4.10...6.4.11

Contributors

SouadHadjiat, renovate, and 6 other contributors
Assets 6
Loading

Version 6.4.10

29 Jan 17:14
@Filigran-Automation Filigran-Automation
6.4.10
3889848
This commit was signed with the committer’s verified signature.
Filigran-Automation Filigran Automation
GPG key ID: C708FDB840E80D34
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 6.4.10

Enhancements:

  • #9748 Improve prepareElementForIndexing function to prevent event loop blocking
  • #9481 Major upgrade of mistrail ai client to 1.3.6

Bug Fixes:

  • #9279 Bad margin in 'Add indicators to observable' panel

Pull Requests:

Full Changelog: 6.4.9...6.4.10

Contributors

richard-julien, renovate, and 4 other contributors
Assets 4
Loading

Version 6.4.9

28 Jan 08:55
@Filigran-Automation Filigran-Automation
6.4.9
1fba256
This commit was signed with the committer’s verified signature.
SamuelHassine Samuel Hassine
GPG key ID: 966CA4FD74C31B9B
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 6.4.9

Enhancements:

  • #9717 Remove some denormalized IDs for very large entities to improve performances

Bug Fixes:

  • #9721 Bad confirmation message when deleting an Infrastructure
  • #9719 Platform crashes after user deletion
  • #9698 Error when creating an Infrastructure
  • #9693 Bearer token plaintext in error logs of the worker
  • #9568 History tab top margin / spacing is incorrect
  • #9567 In create entity form (on the fly), spacing of the first field is not correct
  • #9520 Search feature in content mapping view does not search for highlighted text
  • #9401 Bug - GraphQLError: Execution timeout, too many concurrent call on the same entities / File not found or restricted
  • #9299 Can't download CSV/PNG/SVG of a dashboard widget
  • #9216 Clicking on a stopped live stream logout from the platform
  • #8981 The description of the relationship between an object and a TTP is not displayed
  • #8736 [RSS Feed] Error 403 on accessible public feeds
  • #8183 Upserting text field with "null" with configured default value lead to strange update behavior
  • #6835 Imported sightings' confidence level is always "5 - Improbable"

Pull Requests:

Full Changelog: 6.4.8...6.4.9

Contributors

SamuelHassine, renovate, and 7 other contributors
Assets 4
Loading

Version 6.4.8

17 Jan 12:36
@Filigran-Automation Filigran-Automation
6.4.8
7d5bb14
This commit was signed with the committer’s verified signature.
Filigran-Automation Filigran Automation
GPG key ID: C708FDB840E80D34
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 6.4.8

Enhancements:

  • #9335 [Multiple connectors] Support AMBER+STRICT marking

Bug Fixes:

  • #9586 Suggestion engine select field is broken in containers
  • #9573 Cannot access CSV and TAXII feed if user has only capability to manage feeds
  • #9521 Task objects listed "Unknown"
  • #9428 Logout button miss placed if connected user as no knowledge capability
  • #9371 Sync ingestion: manage error on file issue and allow ingestion of elements with missing files
  • #9358 Memory leak when ingesting an opencti stream configured with an empty starting synchronization date
  • #9330 Tools entity version are not fillable
  • #9280 Ordering not working in add nested objects panel
  • #9211 Improve confidentiality of history
  • #9078 [Org segregation] Object not visible despite belonging to the correct organization
  • #8986 [livestream] renaming of observable creates a new one in perfect sync mode
  • #8843 Livetstream filtering of containers does not send event of ref being shared
  • #8146 Unable to display "sighting" detail when creating a sighting from an organisation entity
  • #7637 [Filter] Filter on "Observable" meta type

Pull Requests:

Full Changelog: 6.4.7...6.4.8

Contributors

renovate, aHenryJard, and 8 other contributors
Assets 4
Loading

Version 6.4.7

13 Jan 11:23
@Filigran-Automation Filigran-Automation
6.4.7
b15b97c
This commit was signed with the committer’s verified signature.
Filigran-Automation Filigran Automation
GPG key ID: C708FDB840E80D34
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 6.4.7

Enhancements:

  • #9545 [platform] Build and push docker images in ghcr.io
  • #4199 Ensure log lines would be efficiently streamed to log visualization tools

Bug Fixes:

  • #9554 Auth0 issue when using environment variable for clientID
  • #9543 Error when accessing the Observables tab in a workbench
  • #9534 Intrusion set - CREATORS column is blank
  • #9273 Groups not sorted in User creation form

Pull Requests:

Full Changelog: 6.4.6...6.4.7

Contributors

richard-julien, renovate, and 5 other contributors
Assets 4
Loading

Version 6.4.6

08 Jan 19:30
@Filigran-Automation Filigran-Automation
6.4.6
343e8b6
This commit was signed with the committer’s verified signature.
Filigran-Automation Filigran Automation
GPG key ID: C708FDB840E80D34
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 6.4.6

Enhancements:

  • #9509 Add static mime resolution for custom files extension upload
  • #9500 Add delete background task for Playbooks
  • #7648 [Playbook] Modify severity field with playbooks

Bug Fixes:

  • #9506 Name for Network traffic is Unknown in workbench
  • #9499 500 error in the logs
  • #9497 Task/Report/Grouping/Malware Analysis name are Unknown in knowledge related entities
  • #9473 [Playbook] Untranslated window
  • #9466 Logout remote option missing on Auth0 strategy
  • #9457 Domain Name creation error
  • #9453 Default render for empty string should be '-' in entities lists
  • #9452 Advanced Search not loading with empty search term
  • #9424 Cannot delete permanently an entity from trash if a file is associated
  • #9291 Buttons not clear in Suggestions
  • #9233 [Connector Error Display] Error "Id loading expect only one response" not supported
  • #9231 Screen greyed out when exporting a workspace to light image
  • #9217 Cannot manually enrich a Note or Grouping and cannot enroll them in a playbook
  • #9106 Taxii sharing: it's not possible anymore to select authorized user/group allowed
  • #9011 Problem when exporting TTP matrix in image and light mode
  • #8983 [Bulk update] The chosen "values" disappear when you click outside the field
  • #8909 Content mapping view available on PDF files
  • #8814 Sightings tab under Observables and Indicators shows no data
  • #8585 time out on Simulate report with IA and Email for OpenBas
  • #8534 In custom dashboard list, the call to action hover effect is semi-hidden

Pull Requests:

Read more

Contributors

richard-julien, renovate, and 10 other contributors
Assets 6
Loading

Version 6.4.5

19 Dec 09:27
@Filigran-Automation Filigran-Automation
6.4.5
06a7970
This commit was signed with the committer’s verified signature.
labo-flg Laurent Bonnet
GPG key ID: 7A9E96042268FC39
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 6.4.5

Enhancements:

  • #9305 Improve load file access restrictions

Bug Fixes:

  • #9381 Cannot create nested ref relationships on observables knowledge tab
  • #9325 Latest Docker tag incorrectly points to a lower semantic version if it is more recent
  • #9311 Error when I try to access the report (OCTI OBAS)
  • #9293 Analyses graph performance issue when too many objects
  • #9285 "Update indexing fails" error message when activating the "In carousel" button in a picture update / threat actor page
  • #9264 The default "Latest Reports" dashboard widget does not list recent reports
  • #9245 Note & Opinion displayed as unknown in relationship creation form
  • #9227 In global search, header is blinking 2 times (2 re-renders)
  • #9191 Tasks becomes unknown after adding a task in Related entities of another task
  • #9187 Wordcloud Public Dashboard - Not Implemented Yet
  • #8822 Platform crashes - http call interceptor fail / stream is not readable
  • #8676 Can't import files imported from connectors
  • #8601 Queries for sectors do not account for aliases
  • #8539 Replace action in playbook doesn't replace but update
  • #8510 History of entity is not visible (no history)
  • #8416 Worker Validation Error on STIX/TAXII Import
  • #8388 [Import] 'x_opencti_workflow_id' not taken into account
  • #8332 Scaled Platform from 2 to 5 Nodes in AWS - Platform Fails to Initialize with Error - The client noticed that the server is not Elasticsearch
  • #8296 Label filtering in Global search is invisible and not removable
  • #8243 Hide some actions in "data" tab when user does not have the capability to create/update knowledge
  • #7588 SHA256 not taken into account when generating an Indicator under certain condition

Pull Requests:

Full Changelog: 6.4.4...6.4.5

Contributors

SouadHadjiat, renovate, and 11 other contributors
Assets 4
Loading

Version 6.4.4

11 Dec 18:13
@Filigran-Automation Filigran-Automation
6.4.4
671eae4
This commit was signed with the committer’s verified signature.
Filigran-Automation Filigran Automation
GPG key ID: C708FDB840E80D34
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 6.4.4

Enhancements:

  • #7728 Add assignee through automation playbook

Bug Fixes:

  • #9301 Getting an 'Error in store update event' error when updating a report
  • #9247 Error in 'Knowledge from container view' of Knowledge Observables
  • #9226 [Playbook] Label application on Observable doesn't work
  • #9225 Add a confirmation popup before deleting any files in the content section of an entity/container
  • #9214 Knowledge pages Details crash if vocabulary opinion_ov is empty
  • #9186 List of opinions have UI issues
  • #9091 Adding an opinion will open 2 popups instead of closing
  • #8463 Taxii feed: when updating feed to change starting date, the cursor should be reset

Pull Requests:

Full Changelog: 6.4.3...6.4.4

Contributors

renovate, aHenryJard, and 5 other contributors
Assets 4
Loading

Version 6.4.3

06 Dec 11:26
@Filigran-Automation Filigran-Automation
6.4.3
333c9d1
This commit was signed with the committer’s verified signature.
Filigran-Automation Filigran Automation
GPG key ID: C708FDB840E80D34
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 6.4.3

Enhancements:

  • #4770 Redact credentials for ingestion (password and private keys) of ingester in the audit logging

Bug Fixes:

  • #9173 Unable to delete some relationships - mapping set to strict, dynamic introduction of [i_stop_time_year] within [_doc] is not allowed
  • #9168 [Filter] Filter missing in the "Data > Relationship" view
  • #9136 ImportDoc connector Will not Automatically Create a Workbench When Uploading a PDF on the Data page of an Observable and Artifact
  • #9133 [RSS] Brackets escaped in RSS feed
  • #9126 [Bulk enrich] Available connectors are not displayed if "select all"
  • #9082 Error when exporting a list of entities in PDF format
  • #8808 Bulk actions invisible in the tool bar for some screens resolution
  • #8748 [RBAC] User kicked out when accessing a forbidden resource
  • #8405 User can't export indicators while having the capabilities for it
  • #7987 Workbench creation: labels not taken into account
  • #7973 Public dashboard link is incomplete when using a base path that is not empty for OpenCTI
  • #7944 Option "auto new marking" in groups not working on max_shareable_markings, could make exports fail
  • #6409 [technical] wrong extension typing in StixCyberObject

Pull Requests:

Full Changelog: 6.4.2...6.4.3

Contributors

SouadHadjiat, renovate, and 6 other contributors
Assets 4
Loading