Release notes 2.3.0

EclecticIQ Platform 2.3.0 is a minor release. It contains new features as well as bug fixes.

The new features revolve around two themes:

• Collaboration with external parties within the Platform

• Data management

Release 2.3.0 provides enhanced collaboration within the platform and delegated administrative responsibilities for groups. The enhanced sharing capabilities of workspaces, datasets and graphs ensures that analysts have better control over who can view and collaborate within these features. These features not only improve the cooperation among analysts, but the organization is assured that confidentiality is more easily protected at a granular level.

With release 2.3.0, data retention management allows system administrators to automatically purge threat intelligence in accordance with your organizational policies. The automated deletion of threat intelligence makes it simpler to remove irrelevant information and only retain intelligence that you need.

• For more details about new features introduced in this version, see What's new below.

• For more details about bugs we fixed, see Important bug fixes below.

Upgrade

Upgrade path from release 2.0.x(.x) to 2.3.0:

What's new

Delegated group administration

Group administration feature allows EclecticIQ Platform administrators to delegate management of users to their team leaders, making the user administration of the EclecticIQ Platform more scalable and convenient for multiple teams working on the same platform.

Collaboration with external organizations in the platform

This privacy enhancements ensures that only relevant users have the ability to view and collaborate in the associated workspaces, datasets, graphs, and tasks meaning an organization is assured that data confidentiality is protected.

The extended sharing feature provides more granular control over access to better manage sharing the sensitive data.

Policies - Deletion of Entities

System wide policies allows user to delete threat intelligence after a fixed time period automatically. This feature useful from a general data management perspective and also helps in meeting the Global Data Protection Regulation (GDPR) in an efficient way.

Provenance chain enhancements

Both source and Information source provide information about how the threat Intelligence has come into the system. We have improved the following features:

• Synchronization of sources allow you to keep your threat intelligence synchronized across multiple EclecticIQ Platform platforms within your own boundaries. With this change, you can keep your sources, secure your intelligence to the correct teams, and keep traceability in the environments.

• Information source set up on uploads provides information on creator and creation time of the intelligence. This helps other analysts evaluate the reliability of the source for reports uploaded externally.

Extending STIX 1.2 export to include EclecticIQ metadata

This feature comes in handy if you have built in-house threat intelligence solutions which are based strictly on STIX 1.2. We added metadata in our STIX 1.2 exports using extension mechanisms available in STIX 1.2 and Cybox to allow you to use additional capabilities EclecticIQ Platform and EclecticIQ Fusion Center which go above and beyond STIX 1.2.

This is strictly recommended for customers with STIX 1.2-only solutions who decide not to upgrade to this release.

What’s changed

Deprecated dependencies

In previous releases, the platform used StatsD to aggregate metrics. As of this release, we replaced StatsD with Statsite:

• Statsite is compatible with StatsD: existing StatsD mappings and indices work with Statsite.

• Node.js and statsd-elasticsearch-backend are no longer required.

If you use the platform install script to perform a fresh install or an upgrade from a previous release, the script takes care of the details.
If you manually upgrade the platform, you should remove Node.js and statsd-elasticsearch-backend before you begin the upgrade.

User access control on graphs, datasets, and tasks

Non-private graphs and datasets used to be publicly accessible for viewing to all signed-in platform users.
Now these objects are private by default: upon creation, you need to add them to one or more workspaces. This means that only workspace collaborators can access them.
You can change these settings to allow non-collaborators to view them at a later time.

For further details about user access control for these objects, refer to the following sections:

• About workspace access control

• About dataset access control

• About graph access control

• About task access control

Important bug fixes

This section does not contain all the bugs, only the ones we think are important to mention.

• In Entity rules, filters only display all the sources the current screen.

• The Collection name entered when creating an outgoing feed is displayed after saving.

• HTML report digest for outgoing feed is fixed.

Known issues

• Editing/updating entities creates an external reference for the same entity.

• If a user manually adds a sighting to an entity as a characteristic – in the entity editor, under Characteristics, select Characteristic > Sighting – the manually added sighting is not counted in the Exposure view.

• If a dataset does not belong to any workspaces, any signed-in platform user can view it.
  Current workaround: add it to a workspace.

• Feed ingestion is slow when processing interconnected data.

• Feed ingestion fails intermittently. We have an automatic retry mechanism in place to reprocess failed packages, in case this does not work as expected it is recommended to Retry failed packages from the detail pane.

Security

The table below includes the known security issues, their severity and mitigation actions. The state indicates whether a bug is still open or if it has been fixed in this release.

Contact

For any questions, and to share your feedback about the documentation, contact us at [email protected] .

^ back to top