Release notes 2.10.0

Product

EclecticIQ Platform

Release version

2.10.0

Release date

29 June 2021

Summary

Minor release

Upgrade impact

Medium

Time to upgrade

~18 minutes to upgrade an instance with 4 million entities.

  • From the previous release

  • Using the installation script

  • For an instance running on one machine

Additional ~6 minutes to run pre-upgrade scripts for upgrading from 2.8.x and earlier.

Time to migrate

  • PostgreSQL database: ~6 minutes per 4 million entities

  • Elasticsearch database: ~1 minute per 4 million entities

  • Neo4j database: ~1 minute per 4 million entities.

Highlights

EclecticIQ Platform 2.10.0 is a minor release. It contains new features, improvements to existing functionality, as well as bug fixes.

This first release of the year delivers a significant step forward towards full interoperability with the STIX and TAXII 2.1 standards for intelligence exchange. Release 2.10 now supports ingesting and sharing Indicators, Observed Data, Sightings, Courses of Action and Reports in STIX 2.1 format over TAXII 2.1. We’re adding objects as prescribed by the OASIS STIX 2 Preferred self-certification program. By following this program, we ensure that EclecticIQ Intelligence Center can reliably exchange threat data with the growing number of intelligence providers and security controls that are implementing support for these standards.

This release also brings many new features and improvements that are part of a series of new long-term initiatives which boost the functionality and overall usability of EclecticIQ Intelligence Center. This includes:

  • the integration of MITRE ATT&CK framework, which helps you to better understand the context of a threat, the phase of attacks and thus prioritize next steps accordingly.

  • the addition of Knowledge Packs, which lets you instantly start tracking relevant, timely threats without spending any time or effort on manually configuring the workspace.

  • the redesign of the navigation interface to streamline your way of working and improve workflow.

We hope you enjoy reading these release notes – once again accompanied by short feature videos for your convenience – and watching the quick tour video from the team.

View a quick tour

Upcoming

  • EclecticIQ Platform to be renamed EclecticIQ Intelligence Center

    2.10 is the last release using the EclecticIQ Platform name. As of release 2.11 we will rename the product to EclecticIQ Intelligence Center and update all documentation.

What’s new

  • MITRE ATT&CK support

    The platform now allows you to add MITRE ATT&CK classifications to entities.

    Entities have a new field for MITRE ATT&CK classifications, allowing you to add Enterprise ATT&CK tactics, techniques, and sub-techniques. Adding ATT&CK classifications to entities allows you to search and filter them by ATT&CK IDs when working with the platform.

    For more information, see the documentation.

    MITRE ATT&CK tour

    This release adds MITRE ATT&CK support to the platform, but does not:

    • Add the ability for extensions to map MITRE ATT&CK data from vendor data to ATT&CK classifications in ingested platform entities.

    • Automatically convert MITRE ATT&CK data in existing entities that are not already set as MITRE ATT&CK classifications.

  • Major user interface improvements

    In this release, we take the first of many steps towards a new and improved UI for the platform. We’ve introduced:

    • Cleaner UI: Less visual clutter and better overall readability.

    • New navigation bar: We’ve improved how you move through the platform by streamlining the navigation bars. Important features are now accessible through the main navigation bar on the left, allowing you to get productive faster.

      For more information, see New navigation below.

    New navigation tour

  • Azure AD: OAuth 2.0 and SAML support

    You can now set up the platform to use OAuth 2.0 and SAML to authenticate users against Azure AD (Active Directory).

    The platform allows you to:

    For more information, see the documentation.

  • STIX 2.1: Sightings and Course of Action

    This release moves the platform closer to STIX 2 Preferred status by adding support for the following STIX 2.1 objects:

    • Sighting SRO (Ingestion only)

    • Report SDO (Ingestion only)

    • Course of Action SDO (Ingestion and export)

    For more information, see the documentation.

  • Knowledge Packs

    This release introduces knowledge packs to the platform.

    Knowledge packs are pre-configured bundles that you can install on your platform instance to add collections of workspaces, datasets, and rules that you can use and build upon.

    For this release, knowledge packs curated by EclecticIQ threat analysts are available to install.

    To view and install knowledge packs, go to Data configuration > Knowledge packs on the platform.

    To allow your platform instance to retrieve knowledge packs from EclecticIQ servers, allow outgoing requests to https://cti.eclecticiq.com/list-published-configuration-bundles.

    Knowledge pack tour

  • Add images to reports

    You can now add images to the Summary or Analysis sections of a report when creating or editing a Report entity. Images (GIF, JPG, PNG) added to reports are added to that report entity as attachments, and are displayed in the Summary or Analysis section they are added to.

    Add images to reports tour

Important bug fixes

  • A user’s session token should be invalidated after password change

    Fixed issue where a user’s old session token would remain valid after changing their password, allowing the old session token to be used for subsequent requests. Session tokens are now correctly invalidated.

  • Slow performance in UI when using entity builder

    Fixed issue where creating or editing entities using the entity builder would cause the platform to slow down.

  • Observables would not show up in global search

    Fixed issue where observables would not show up in search results when using global search on the platform. The platform now correctly updates the view state when viewing the Observables tab in search results.

  • Reports from RSS feed would crash UI when edited

    Fixed an issue where editing a report ingested through the RSS incoming feed in the entity builder would crash the UI. The issue is not specific to the RSS feed transport itself, but applies to any report entity whose description contains HTML markup.

    The crash occurred when the entity builder attempted to display a report containing incomplete HTML microdata. The platform now ignores incomplete microdata, preventing similar crashes.

  • Incoming feed can get stuck in “Ingesting” state

    Fixed an issue where an incoming feed would remain stuck in the “Ingesting” state because one or more entities contained external references that the platform could not resolve, causing it to attempt to reprocess those entities endlessly.

    The platform now handles these unresolvable references gracefully.

  • Error when editing objects in the graph by selecting Edit from the context menu

    Fixed an issue where editing an object in the graph by right-clicking it and selecting Edit opened the entity builder with the error “There was an error while loading, please try again.”

Known issues

  • When you configure the platform databases during a platform installation or upgrade, you must specify passwords for the databases.

  • Systemd splits log lines exceeding 2048 characters into 2 or more lines.

    As a result, log lines exceeding 2048 characters become invalid JSON, causing Logstash to be unable to parse them correctly.

  • When more than 1000 entities are loaded on the graph, you cannot load related entities and observables by selecting Load entities, Load observables, or Load entities by observable from the context menu.

  • When creating groups in the graph, it is not possible to merge multiple groups into one.

  • If an ingestion process crashes while ingestion is still ongoing, data may not always sync to Elasticsearch.

  • Users can leverage rules to access groups that act as data sources, even if those users are not members of the groups they access through rules.

  • Running multiple outgoing feed tasks may cause the platform to consume a large amount of memory over time, because certain outgoing feeds such as HTTP download must load the data into memory in order to make it available to feed consumers.
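As an added illustration, not part of the release notes or of the platform's own code: a small Python pre-processor that rejoins JSON log events systemd has split across physical lines before they reach a parser such as Logstash, and reports text that never becomes valid JSON instead of silently dropping it. The sample lines are constructed (a short event stands in for one exceeding 2048 characters), and the assumption that every event is a JSON object starting with "{" is mine, not the page's.

```python
import json
_FAIL = object()  # sentinel: a valid JSON null must not look like a failure

def _try_parse(text):
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return _FAIL

def reassemble_json_lines(lines, max_fragments=8):
    """Yield (True, event) per JSON event, rejoining events that systemd split
    across lines; yield (False, raw) for text that never became valid JSON."""
    buffer = []
    for line in lines:
        if not buffer:
            event = _try_parse(line)
            if event is _FAIL:
                buffer.append(line)  # possibly the first fragment of a split event
            else:
                yield True, event
            continue
        event = _try_parse("".join(buffer) + line)
        alone = _try_parse(line) if line.startswith("{") else _FAIL  # new events start with "{"
        if event is not _FAIL:  # the buffered fragments completed an event
            yield True, event
        elif alone is not _FAIL:  # the buffered text never became an event
            yield False, "".join(buffer)
            yield True, alone
        elif len(buffer) + 1 < max_fragments:
            buffer.append(line)
            continue
        else:  # bound how long an unparsable run may grow
            yield False, "".join(buffer) + line
        buffer = []
    if buffer:
        yield False, "".join(buffer)

def parse_journal(lines):
    events, unparsable = [], []
    for ok, value in reassemble_json_lines(lines):
        (events if ok else unparsable).append(value)
    return events, unparsable

SAMPLE_LINES = [  # constructed sample; the second event is split in two
    '{"level": "info", "msg": "feed started", "feed_id": 12}',
    '{"level": "error", "msg": "unresolved reference", "details": "aaaa',
    'aaaa", "feed_id": 12}',
    'not a json line at all',
    '{"level": "info", "msg": "feed finished", "feed_id": 12}',
]
```

Running `parse_journal(SAMPLE_LINES)` yields three complete events and one unparsable line; the split error event comes back with its `details` value intact.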

Security issues and mitigations

To see a detailed list of security issues and their mitigations, go to All security issues and mitigations.

  • EIQ-2021-0007

    CVE: -

    Description: Users could create entities in Source Groups indirectly assigned through Groups, instead of only being able to create entities in Groups they are directly assigned to.

    Severity: 1 - LOW

    Status: fixed in 2.9.2

    Affected versions: 2.9.1 and earlier.

  • EIQ-2021-0006

    CVE: -

    Description: SVG file upload could allow cross-site scripting (XSS).

    Severity: 2 - MEDIUM

    Status: fixed in 2.9.2

    Affected versions: 2.9.1 and earlier.

  • EIQ-2021-0005

    CVE: -

    Description: HTML injection through the GUI.

    Severity: 2 - MEDIUM

    Status: fixed in 2.9.2

    Affected versions: 2.9.1 and earlier.

  • EIQ-2021-0004

    Description: CairoSVG is vulnerable to regular expression denial of service.

    Severity: 2 - MEDIUM

    Status: fixed in 2.10.0

    Affected versions: 2.9.1 and earlier.

  • EIQ-2021-0003

    Description: PySAML2 improper verification of cryptographic signature.

    Severity: 2 - MEDIUM

    Status: fixed in 2.10.0

    Affected versions: 2.9.1 and earlier.

  • EIQ-2021-0002

    Description: Pillow is vulnerable to buffer overflows.

    Severity: 2 - MEDIUM

    Status: fixed in 2.10.0

    Affected versions: 2.9.1 and earlier.

New navigation

2.10.0 reorganizes the navigation menus on the platform so that you can get to your work quicker.


Instead of having to switch between the left and top navigation bars to find items in these categories, the user interface update makes important features available in the left navigation bar and reorganizes the top navigation so that its items are grouped more logically.

Items previously accessible through the Intelligence and Data configuration drop-down menus have changed as follows:

  • Data configuration now has its own button in the left navigation bar.

  • Intelligence has been reorganized:

    • Workspaces

      2.9.x: In the top navigation bar, go to Intelligence > All intelligence > {Workspace name}.

      2.10.x: Access workspaces directly from the left navigation bar.

    • Global Dashboard

      2.9.x: In the top navigation bar, go to Intelligence > Dashboard.

      2.10.x: Access the global dashboard directly from the left navigation bar.

    • Workspace Dashboard

      2.9.x: In the top navigation bar, select a workspace by going to Intelligence > All intelligence > {Workspace name}. Then, select Dashboard from the top navigation bar.

      2.10.x: Select a workspace by going to Workspace > {Workspace name}. Then select Dashboard from the top of the screen.

    • Browse

      2.9.x: In the top navigation bar, go to Intelligence > Browse.

      2.10.x (global): To browse all entities, observables, files, and datasets on your platform instance, go to the left navigation bar and select Search > GO TO SEARCH AND BROWSE.

      2.10.x (workspace): To browse entities, datasets, uploads, and saved graphs for a specific workspace, open that workspace and select Browse from the top of the screen.

    • Production

      2.9.x: In the top navigation bar, go to Intelligence > Production.

      2.10.x: Items previously found in the Production tab can now be found in Create (+) > VIEW PRODUCTION.

    • Discovery

      2.9.x: In the top navigation bar, go to Intelligence > Discovery.

      2.10.x: Access Discovery directly from the left navigation bar.

    • Exposure

      2.9.x: In the top navigation bar, go to Intelligence > Exposure.

      2.10.x: Access Exposure directly from the left navigation bar.

Download

For more information about setting up repositories, refer to the installation documentation for your target operating system.

EclecticIQ Platform and dependencies for CentOS and RHEL

The platform dependencies URL for versions 2.9 and later is https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/. It contains packages that are incompatible with versions 2.8 and earlier.

EclecticIQ Platform extensions

Upgrade

The following diagram describes the upgrade path you should take depending on the platform version you are upgrading from.

For example:

  • You can upgrade from version 2.9.1 of the platform to 2.10.0 directly.

  • To upgrade from 2.4.0 to 2.10.0, you must first upgrade to 2.5.0, then upgrade from 2.5.0 to 2.10.0.

When upgrading from 2.8.x and earlier to 2.9.x and later:

  • You must run the pre-upgrade script so that the platform can work with Elasticsearch 7.9.1.

  • You must run the pre-upgrade script on the platform version you are upgrading from.

    For example, when upgrading from 2.8.0 to 2.10.0, you must run the pre-upgrade script on the platform while it is running version 2.8.0.

Upgrade diagram (image)

From 2.5.0, the upgrade paths have been tested using the EclecticIQ Platform install script compiled by Rundoc.

The script only supports:

  • Single machine installs.

  • Instances installed using the platform install script.

and does not support platform instances installed in distributed environments.