Release notes 2.4.0


EclecticIQ Platform

Release version


Release date

22 May 2019


Minor release

Upgrade impact


Time to upgrade

~30 minutes to upgrade

  • From the previous release

  • Using the installation script

  • For an instance running on one machine.

Time to migrate

  • PostgreSQL database: ~less than 5 minutes per million entities

  • Elasticsearch database: ~25 minutes per million entities

  • Neo4j database: ~less than 5 minutes per million entities.

EclecticIQ Platform 2.4.0 is a minor release. It contains new features as well as bug fixes.

The new features are mainly usability improvements aimed at enhancing the overall user experience of EclecticIQ Platform.
This results in less repetition/scrolling/clicks/clutter, and more relevant information.
All these changes together make working with EclecticIQ Platform on a daily basis easier, faster, and more efficient.


Upgrade path from release 2.0.x(.x) to 2.4.0:


What's new

  • Bulk tagging
    Bulk tagging enables you to manage tags for multiple entities at once, directly from List or Graph views, rather than one entity at a time.
    This helps you to avoid tagging mistakes that typically result from performing repetitive actions.

  • SAML single logoff
    If your identity provider uses SAML to authenticate and authorize users for multiple service providers, the support for single logoff ensures that your analysts are logged out of EclecticIQ Platform, no matter which service triggers the logoff action.

    This means you do not have to worry about left-open sessions that might make services vulnerable to attacks.

  • Entity detail pane header
    The newly designed header of the detail pane provides a more consistent and common way of interacting with panes.

    It provides you with a fixed header and an action menu that is always visible, even when scrolling down.
    This makes working with the pane faster and more intuitive.

What's changed

  • UI improvements
    We updated the UI for Group admin and User groups and adjusted the documentation.

    The new layout matches the one used for setting feed filters, which makes the platform more cohesive.

  • Statsite replaced StasD
    For metrics aggregation, we replaced StasD with Statsite. Statsite is compatible with StasD, and uses the same protocol.

  • Detecting and refanging defanged URIs during ingestion
    We improved the refanging logic to detect and refang defanged URIs during ingestion to be more effective and accurate.
    More defanged URIs are now detected and refanged.

  • Ingestion performance
    We made various improvements to increase the ingestion performance of several known problematic scenarios.

  • External reference handling
    It is now possible to filter out external references, such as search, browse, discovery, and exposure, in entity tables.
    This gives you a clutter-free view, while still being able to see if external references exist.
    It also makes it easier to see the bigger picture, and if there is more intelligence available for the entity you are interested in.

  • Improved search tokenization
    We have improved our search tokenization, and the new means to tokenize allows you to be more specific in matching observables when creating searches, dynamic datasets, or rules.
    This increases the means of matching for data, giving higher confidence in that you find all relevant information.
    New fields are available side-by-side with existing ones, so that the changes to the tokenization mechanism do not break existing queries.

  • Tagging rules
    There were some inconsistencies in tagging rules execution. This has now been fixed.

  • Allowing package operations
    Users without access to a particular incoming feed were able to reprocess/purge packages from that feed.

    This should not have been possible, and has now been fixed.
    Users now have to properly check source access before allowing package operations.

  • Source access on observables
    In the Observables view, sources are now properly filtered according to the user's Allowed sources settings.

  • Audit logging
    The platform's audit logging to prevent credential exposure did not work correctly. This has now been fixed.

  • Updated permissions
    We updated our permissions. Some have been added, some have been removed, and some have been changed.

    Below is a list of the affected permissions.

    • New permissions:

      • modify discovery-rules (to align permissions across all types of rules)

      • modify enrichers (enables more granular access to the platform functionalities )

      • modify taxii-services (replaces the 4 removed modify permissions concerning -services)

      • read discovery-rules ( to align permissions across all types of rules)

      • read taxii-services (replaces the 5 removed read permissions concerning -services)

      • read traceback-logs (descriptive errors that contain sensitive information can now be hidden from users without this permission)

      • reset password (enables more granular user management actions control)

      • lock/unlock users (enables more granular user management actions control)

    • Removed permissions:

      • modify enrichment rule-criterions (this permission was too specific and already covered by other higher-level permissions)

      • modify collection-management-services (replaced by modify taxii-services)

      • modify discovery-services (replaced by modify taxii-services)

      • modify inbox-services (replaced by modify taxii-services)

      • modify poll-services (replaced by modify taxii-services)

      • modify notifications (this permission was not used or needed)

      • modify task-counters (this permission was too specific and already covered by other higher-level permissions)

      • read enrichment rule-criterions (this permission was too specific and already covered by other higher-level permissions)

      • read collection-management-services (replaced by read taxii-services)

      • read discovery-services (replaced by read taxii-services)

      • read inbox-services (replaced by read taxii-services)

      • read poll-services (replaced by read taxii-services)

      • read services (replaced by read taxii-services)

      • read task-counters (this permission was too specific and already covered by other higher-level permissions)

    • Updates permissions:

      • read history-events

      • read tasks

      • read enrichers

      • read entity-drafts

      • modify entity-drafts

      • read audit-trail

      • From now on, a permission to modify implies a permission to read.
        Users with a modify access permission for a resource do not need a separate read permission.

    Customers that use self-created user-groups/roles may need to review the permission sets involved.

Important bug fixes

This section is not an exhaustive list of all the important bug fixes we shipped with this release.

  • Timestamps
    EclecticIQ Platform now displays the timestamp from the successful and failed downloads.
    This means that even if the last run has failed, extensions that return timestamp in ctx.submit will resume correctly, even if their last poll failed.

  • Updating statsite
    We discovered that updating Statsite would cause the statsite service to stop running.
    This has been fixed by enabling and starting the statsite service manually, after the upgrade.

  • Running Outgoing feeds
    After creating and running an Outgoing feed with some observables, the widgets Exported observables by type and Exported observables by feed did not show any information.
    We discovered that the problem occurred when the statsite service was down.
    Once the statsite service was back on, the mentioned widgets were once again working as expected.

  • Purging large incoming feeds
    It was not possible to purge incoming feeds with more than 1 million ingested entities through the GUI.
    The task would start running, but the feed would not be correctly deleted, yet the relevant UI options would become unavailable in the GUI.
    The workaround required running a command in a Python shell. However, non-admin users often have no shell access.
    We fixed the problem, and it is now again possible to purge large incoming feeds.

  • Incorrect extra error message for invalid Override value
    When editing an entity, selecting the Override value option and entering an invalid value for half-life (such as -1), did not only display an error message below this option, but also an incorrectly displayed an error message below the Use default value option next to it.
    This has now been fixed. When you now enter an invalid Override value, only the correct error message is displayed.

  • Task widget not working
    The Task change widget was not working properly due to wrong third-party library import. This has now been fixed.

  • Execution schedule value
    In the Create outgoing feed view, under the Schedule section, it was not possible to select a value for Execution schedule.
    The drop-down menu closed as soon as it was opened. This has now been fixed.

  • UI/JS-errors
    Several minor UI- and JS-errors have been fixed.

  • Browse view did not display latest entities
    When sorting entities by ingestion date (Timestamp) in the Browse view, the most recently ingested entities would not be included, although it would be possible to retrieve them by running a targeted search.
    We have given searches have more time to complete execution. If they fail to complete because of a timeout, a message is displayed to notify users.

Security issues and mitigation actions

The following table lists known security issues, their severity, and the corresponding mitigation actions.
The state of an issue indicates whether a bug is still open, or if it was fixed in this release.

For more information, see All security issues and mitigation actions for a complete and up-to-date overview of open and fixed security issues.


For any questions, and to share your feedback about the documentation, contact us at [email protected] .

^ back to top