Release notes 2.2.0

Product	EclecticIQ Platform
Release version	2.2.0
Release date	2018-06-29
Summary	Entities retain information from multiple data sources ACL for observables Exclude enrichments from outgoing feeds Search online documentation
Upgrade impact	-
Time to upgrade	-
Time to migrate	-

Highlights

EclecticIQ Platform 2.2.0 brings you more flexibility and more granular control over the data stored in the platform, and who can access it.

The platform records all ingestion sources for an entity to preserve all the available context about an entity origin as the entity evolves, is edited, updated, and shared across communicating platform instances.

Observables inherit their access permissions from their parent entities; this keeps the access pipeline transparent and predictable.

When you set up an outgoing feed to publish intelligence, you can exclude specific enrichment data, so that the published feed content does not include sensitive data that should not be shared outside of the organization, or enrichment data that is not supposed to be redistributed, according to licensing terms.

Last but not least: the platform documentation is available online: log in to https://docs.eclecticiq.com/ with your EclecticIQ login credentials to find guides and articles that help you with installation, configuration, upgrade, and other tasks.

Further on in this section you can read a short recap of the main new features shipping with EclecticIQ Platform 2.2.0.

For more details about new features introduced in this version, see What's new below.
For more details about enhancements and improvements, see What's changed below.
For more details about bugs we fixed, see Important bug fixes below.

Multiple data sources

The platform can ingest the same entity from more than one source. While the entity data is deduplicated during ingestion, available information about the data sources the entity originates from is retained in a list of sources.

Before this release, during deduplication any ingested duplicate entities were dropped. As a consequence, any additional timestamps, tags, taxonomies, and source overrides were lost, and entity access control was tied only to the original data source.

Now entities retain relationships to all the data sources they are ingested from:

Identical entities ingested from multiple sources are processed again through the appropriate rules;
Duplicate properties such as TLP and half-life are merged intelligently;
Entity access control depends on all the data sources the entity comes from: the right to access one data source grants users access to the entity.

This provides more insight and it allows to more accurately assess data ingested from more than one source. It also enables data exchange between two platform instances without losing the original data source information of the entities.

CSV format compatibility

The EclecticIQ JSON and CSV document formats are updated to include this feature.

Therefore, they are not compatible with older releases of the platform (2.1.2 and previous versions), and they are not compatible with integrations that consume EclecticIQ JSON and CSV document formats that do not support multiple sources, such EclecticIQ Platform App for Splunk.

Consider upgrading apps and other integrations to their corresponding latest versions to consume the latest EclecticIQ JSON and CSV document formats.

ACL for observables

Before this release, any platform user could view any observables stored in the platform because observables had unrestricted access. If platform access is shared among heterogeneous groups of users, this could expose sensitive metadata, such as many Tor exit node IP addresses.

Now observable access is based on inheritance: observables inherit the same set of access controls and permissions as the entities or enrichment objects they are related to.

Exclude enrichment content from outgoing feeds

You can filter out selected enrichment data from outgoing feeds to exclude from publication any data related to the specified enrichment sources.
This option allows selective publishing, so that you can share meaningful information while withholding any sensitive enrichment data not meant for redistribution.

Online documentation

As per this release the platform documentation is available online, and it is fully searchable: log in to https://docs.eclecticiq.com/ with the EclecticIQ login credentials you normally use to access the Customer Support Portal.

We update the platform online documentation regularly; therefore, we encourage you to use it as the main documentation source for the platform.
Making the documentation available online is a first step toward applying a continuous delivery process to it.

Offline documentation is shipped with this release, but we are phasing out offline documentation availability: it will be deprecated from release 2.3.0.

What's new

New features

Ingestion and enrichment

You can manually set TLP override and source reliability values value to manually uploaded files with the new Override TLP and Source reliability drop-down menu options. (15981)
These actions are not part of the manual upload process, so that you can add these flags to make sure that sensitive information is shared with the appropriate audience, and to help other user assess how accurate and trustworthy the uploaded information is.

Dissemination

When you configure outgoing feeds, you can select one or more enrichment sources whose enrichment data you do not want to include in the outgoing feed content. (16752, 16753, 19014)
Based on your selection in the Exclude enrichments from the following sources option, the outgoing feed excludes from publication any data related to the specified enrichment sources.
This option allows selective publishing, so that you can share meaningful information while withholding any sensitive enrichment data not meant for redistribution.
Data exchange reliability improvements means that the UI provides more complete and clearer information on feed status. (18901)
This makes it easier to decide when you need to act – for example, in case of failures. Transparent status information provide more explicit actionable context to help users understand what action they should carry out.

Ingesting data through incoming feeds is a multi-step process:
- Data ingestion: the incoming feed fetches the content to download it to the platform
- Data processing: the platform processes the downloaded content to unpack the data, deduplicate it, create entities and observables, wire relationships, and store the results to the database.
The UI displays separate status information for the data ingestion/data download step, and for the data processing one. In case of failures or errors, it is easier to understand which step requires attention and possibly action from users.
When necessary, you can decide whether you want to download the content again – you may want to do this if ingestion fails; or if you want to process again the already downloaded content – you may want to do this when the feed could download the content, but it failed processing the data.
The latter option allows processing again already downloaded packages that did not correctly complete the data processing step, except any failed packages flagged to be ignored.

If you experience repeated ingestion or processing failures, it is likely that the issue lies with the feed content – for example, the package may be damaged or corrupt.
Besides deleting the package, you can now choose to simply ignore failed packages. This option hides future error messages for the selected package to ignore. However, the package content is stored in the platform, in case you want to try and download it in the future for further analysis or investigation.

You can access this feature on the incoming feed detail pane:
- In the top navigation bar click Data configuration > Incoming feeds > ${incoming_feed_name} > Ingested packages tab > Retry ingesting all failed
- In the top navigation bar click Data configuration > Incoming feeds > ${incoming_feed_name} > Ingested packages tab > Ignore all failed

Disseminating data through outgoing feeds is a multi-step process as well:

Data packaging: the outgoing feed fetches the content from the platform and packages it for publication.
Data delivery: the outgoing feed delivers the packaged content.

Similarly to incoming feeds, outgoing feeds show separate status information in the UI for the data packaging step, and for the data delivery one.
When necessary, you can decide whether you want to trigger again the last delivery run – you may want to do this when when you experience connectivity issues.

Depending on the configured transport type for an outgoing feed, the delivery mechanism can be based on pushing content or polling for content.
You can manually trigger delivery runs only when the transport mechanism pushes content.

You can access this feature on the outgoing feed detail pane:

In the top navigation bar click Data configuration > Outgoing feeds > ${outgoing_feed_name} > Details tab > Run now

Entities and observables

You can search for entities by selecting more than one data source from the Sources quick filter. (17318)
When an entity has more than one data source, a counter is displayed next to the main entity data source name under the Source column.
Click it to view a tooltip with a list of all the data sources the entity refers to.

Multiple entity data sources with the Sources quick filter selection

Multiple data sources for an entity are indexed, and they are searchable.
Multiple data source information for an entity is stored in the sources JSON field as an object array.

{

"sources": [

{

"name": "TAXII Stand Samples Cypress",

"source_id": "09d01570-476d-4515-a458-faddb43hse86",

"source_type": "incoming_feed"

},

{

"name": "test.taxiistand.com",

"source_id": "0bd6014d-e0b4-a8d5-83ac-c107fd034855",

"source_type": "incoming_feed"

},

{

"name": "TAXII Stand Samples",

"source_id": "fc602bf6-f653-1234-8dde-b939f2bb13bd",

"source_type": "incoming_feed"

}

]

}

Access control list (ACL) for observables.
Observable access is based on inheritance: observables inherit the same set of access controls and permissions as the entities or enrichment objects they are related to.
Manual deletion of single or multiple observables at once (17021)
Observable information can change quickly, and your cyber threat data model needs to keep up with real-life changes to remain accurate. You can manually select and delete observables that are not linked to any other data in the platform, or that have become redundant.
You can manually delete dangling observables, that is, the result of manual creation at some point in the past, or whose related entity may have been deleted. You can also delete observables with relationships, if they are not valuable any longer. In the latter case, after deleting the platform creates a new version of the entity without a relationship to the now deleted observable.

You can delete observable one by one or in bulk.
Single deletion:in the top navigation bar click Intelligence > All intelligence > Browse or Intelligence > All intelligence > Production , and then the Observable tab.
On the observable overview select the observable you want to delete, then click > Delete observable.
Alternatively:
On the observable overview select the observable you want to delete.
On the observable detail pane select Actions > Delete observable.

Bulk deletion:in the top navigation bar click Intelligence > All intelligence > Browse or Intelligence > All intelligence > Production , and then the Observable tab.
On the observable overview click the checkboxes to select the observables you want to delete, and then on the top-right corner above the overview table click > Delete observables.
You can now apply more granular access control list (ACL) permissions on observables to make sure that sensitive information is shared with the appropriate audience, and to prevent inadvertently disclosing sensitive observable information to unintended audiences. (19185)

Whereas ACL at entity level is based on allowed sources and TLP flags, ACL at observable level is based on inheritance: observables inherit access rights and permissions from either the entities or the enrichment object – an enrichment observable or an enrichment entity – they have direct relationships with.
Therefore, you can see an observable if it has at least one direct relationship with an entity or with an enrichment object you have read access to.

Observables with no direct relationships to any entities or with any enrichment objects inherit user access control rights from the source they originate from.

UI

User management

Administrators can demote themselves to non-admin only if there is at least another active platform administrator profile. (16959, 17156)
If there is only one platform administrator profile, they first need to promote another user to admin, and then they can demote themselves to non-admin.
Administrators can request users to reset their password to regain access to their account, for example if they get locked out or if their account gets compromised.
Users can request an account password reset to change or to reset their current password.
They may wish to click the Reset password link on the sign-in page if they forget their password, or in case they suspect that their account is compromised.

System

You can install the platform in offline mode. If you opt for an offline installation, you can mirror our package repositories from downloads.eclecticiq.com to a target location on your network, so that you can install the platform onto offline or air-gapped systems.
EclecticIQ Platform packages and all required dependencies are available on downloads.eclecticiq.com.
To retrieve the necessary resources for an offline platform installation you need to mirror the appropriate OS package repository – either CentOS, RHEL, or Ubuntu – the EPEL extra packages, if your target OS is either CentOS or RHEL, and downloads.eclecticiq.com.
You can use rundoc to upgrade EclecticIQ Platform as a virtual appliance shipped as a VM image.
As per this release, The 2.2 VM requires our “recommended” CPU and memory settings. Previously we required our “minimal” CPU and memory settings. To run the 2.2 VM 8 CPUs and 32G of memory are required. Customers can lower these requirements but, depending on usage, the correct behavior of the platform is not guaranteed.