# Release notes 3.2.2
| Product | EclecticIQ Intelligence Center |
|---|---|
| Release version | 3.2.2 |
| Release date | April 2024 |
| Time to upgrade | ~40 minutes to upgrade an instance with 2.67 million entities, 1.85 million observables. |
| Time to migrate | For an instance with 2.67 million entities, 1.85 million observables: |
## Important: Upgrade operating system

Important: EclecticIQ Intelligence Center 3.0.0 and newer requires one of these supported operating systems:

- Red Hat Enterprise Linux 8
- Rocky Linux 8

If you are using an older operating system such as CentOS 7 or RHEL 7, you must upgrade your operating system to one of the supported operating systems before attempting to install EclecticIQ Intelligence Center 3.0.
See:
## Fixes

- Fixes an issue where the "Ingested packages" tab of an incoming feed would fail to display if that incoming feed failed in a specific way.
- Fixes an issue where a non-administrator could not access observable rules.

### TAXII 2.1 fixes

Important: This release also introduces changes and known issues to the TAXII 2.1 server. For more information, see TAXII 2.1.

- Fixed an issue where querying TAXII 2.1 endpoints could fail with a 504 Gateway Timeout error.
- Fixed an issue where the TAXII 2.1 server would encounter performance issues when publishing large collections.
- Fixed a sorting issue where querying a TAXII 2.1 collection could fail to return all objects.
- Fixed an issue where querying objects from a TAXII 2.1 collection would not return deterministic results.
- Fixed an issue where a TAXII 2.1 outgoing feed would not generate a collection ID.
## Known issues

### TAXII 2.1 known issues
If Intelligence Center has more than one possible user-facing domain name, generated links will only use the one that is configured
When generating links (e.g. CSV exports, outgoing feed URLs), Intelligence Center uses the host name that is configured in Settings > System settings > General > Hostname. However, it is possible that a given Intelligence Center instance may have more than one user-facing domain name. In this case, only the configured Hostname is used to generate links, and may cause users to be unable to follow those links.
Changes are lost if, while creating a new entity, the entity fails to publish
While creating a new entity, if the entity fails to save when selecting Publish, the work-in-progress entity can be lost. To avoid this, select Save draft to save a draft before selecting Publish.
Queries that depend on an ATT&CK ID or name that has changed in v12 may fail
MITRE ATT&CK classifications that have been renamed or relocated (ATT&CK ID has changed) in ATT&CK v12 will no longer be searchable by their older names or ID. Queries (e.g. used in Dynamic Datasets) that depend on an ATT&CK ID or name that has changed in v12 may fail because of this.
TLPs applied to relationship objects are not affected by TLP filters
You can now add TLP colors to relationship objects. However, you cannot use TLP colors with TLP filters yet.
Selecting TLP in entity view to override it does not apply to exports
Edit the entity to change its TLP, or override TLPs at feed level instead.
Certain entities added in 3.0 and newer will cause a STIX 1.2 outgoing feed to fail
Including certain entities in an outgoing feed using the STIX 1.2 content type will cause the feed to fail. Entities affected: Location, Identity, and Malware Analysis.
Certain entities added in 3.0 and newer display an option to export as STIX 1.2, but cannot
Nothing happens when Export > STIX 1.2 is selected for Location, Identity, and Malware Analysis entities. These entity types are not compatible with STIX 1.2 exports.
Exploit Target entities with references can create an invalid STIX 2.1 bundle on export
Exploit Target entities have an optional Vulnerability characteristic where you can set additional information. When an Exploit Target has References set in the Vulnerability characteristic, exporting to STIX 2.1 by default sets the `type` of these references to CVE, which causes an invalid STIX 2.1 bundle to be created if the set references are not valid CVE-IDs.
STIX 2.1 for outgoing feeds: TLP override and filtering has side-effects
See STIX 2.1 Known issues for a list of known issues.
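To catch the Exploit Target reference problem described above before a strict consumer rejects the bundle, here is an added Python check; it is not part of EclecticIQ Intelligence Center. It scans a STIX 2.1 bundle for `external_references` whose `source_name` is `cve` but whose `external_id` is not shaped like a CVE ID. The sample bundle, its object IDs and the CVE-style value in it are constructed for the example; the `cve` source name and the `CVE-YYYY-NNNN` shape are the STIX 2.1 conventions, and the check only validates the shape of the ID, not whether such a CVE exists.

```python
"""Pre-export check for CVE-typed references that are not well-formed CVE IDs.

Added example: scans a STIX 2.1 bundle (as exported by any tool) for
external references labelled as CVE whose external_id does not match the
CVE identifier format, so the export can be corrected before a consumer
that validates strictly rejects the whole bundle.
"""
import json
import re

# Well-formed CVE identifier: "CVE-", a four-digit year, a dash, four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def find_invalid_cve_references(bundle: dict) -> list[tuple[str, str]]:
    """Return (object id, external_id) for every reference whose source_name is
    'cve' but whose external_id does not look like a CVE ID."""
    problems = []
    for obj in bundle.get("objects", []):
        for ref in obj.get("external_references", []):
            if str(ref.get("source_name", "")).lower() != "cve":
                continue  # only references typed as CVE are constrained
            ext_id = str(ref.get("external_id", ""))
            if not CVE_ID_RE.match(ext_id):
                problems.append((obj.get("id", "<missing id>"), ext_id))
    return problems


def check_bundle_json(raw: str) -> list[tuple[str, str]]:
    """Parse a bundle from its JSON text and run the reference check."""
    return find_invalid_cve_references(json.loads(raw))


# Constructed sample bundle (not product output). Object IDs are placeholder UUIDs
# and "CVE-2024-0001" is a placeholder shaped like a CVE ID, not a reference to a real CVE.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-0000000000aa",
    "objects": [
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--00000000-0000-4000-8000-000000000001",
            "created": "2024-04-01T00:00:00.000Z",
            "modified": "2024-04-01T00:00:00.000Z",
            "name": "Well-formed reference",
            "external_references": [
                {"source_name": "cve", "external_id": "CVE-2024-0001"}
            ],
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--00000000-0000-4000-8000-000000000002",
            "created": "2024-04-01T00:00:00.000Z",
            "modified": "2024-04-01T00:00:00.000Z",
            "name": "Vendor advisory mislabelled as CVE",
            "external_references": [
                # A vendor advisory ID exported with the default CVE type: this is
                # the shape that makes the bundle invalid for strict consumers.
                {"source_name": "cve", "external_id": "VENDOR-ADV-2024-0007"},
                # The same ID under an appropriate source_name is not flagged.
                {"source_name": "vendor-advisory", "external_id": "VENDOR-ADV-2024-0007"},
            ],
        },
    ],
}

if __name__ == "__main__":
    for obj_id, ext_id in find_invalid_cve_references(SAMPLE_BUNDLE):
        print(f"{obj_id}: external_id {ext_id!r} is typed as CVE but is not a CVE ID")
```

Run it over a bundle dumped from an outgoing feed or an Export > STIX 2.1 action; every hit is a reference whose `type` should be changed away from CVE (or whose ID should be corrected) before the export is published.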
When deleting content of an incoming feed, deleted observables are not included in the count of deleted objects.
Using STIX 2.1 content type to transmit data from one EclecticIQ Intelligence Center instance to another generates duplicates
When using the STIX 2.1 content type to send intelligence from one EclecticIQ Intelligence Center instance (Instance A) to another (Instance B), any updates to entities on Instance A that has already been sent to Instance B will result in duplicate entities being sent to Instance B instead of updating existing entities there.
When upgrading from 2.14 to 3.0, entities with certain fields that contain `null` values may cause database migrations to fail
In rare instances when upgrading from EclecticIQ Intelligence Center 2.14 to 3.0, older entities with `null` values in certain fields that don't expect it may cause the database migration to fail, due to stricter validation of entity schemas. If this occurs, do not continue. Save the trace log and contact customer support for assistance to remediate.
Delete observable actions in policies may cause policies to run for excessively long periods of time.
As of 2.12.0, Delete observable actions are skipped by default to allow policies to run more reliably.
Elasticsearch 7 encounters “Data too large” errors: See Elasticsearch 7: “Data too large”.
Systemd splits log lines exceeding 2048 characters into 2 or more lines.
As a result, log lines exceeding 2048 characters become invalid JSON, causing Logstash to be unable to parse them correctly.
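The practical mitigation is to rejoin the fragments before they reach the JSON parser. The following Python is an added example, not part of the product or of Logstash: `split_like_systemd` imitates the splitting described above (a plain cut at a fixed length, assumed here to be 2048 characters with no separator inserted), and `reassemble_json_lines` buffers consecutive lines until they parse as one JSON document. It assumes the fragments of one record arrive consecutively, which holds for a single log stream; the sample records are constructed.

```python
"""Rejoin JSON log lines that a line-oriented transport split at a fixed length.

Added example. Assumption: the transport cuts a long line into consecutive
chunks of LINE_LIMIT characters and inserts nothing between them.
"""
import json

LINE_LIMIT = 2048  # split length described in the release note


def split_like_systemd(line: str, limit: int = LINE_LIMIT) -> list[str]:
    """Imitate the transport: cut one log line into consecutive chunks of at most `limit` characters."""
    return [line[i:i + limit] for i in range(0, len(line), limit)] or [""]


def reassemble_json_lines(lines, max_buffer: int = 64 * 1024):
    """Parse a stream of lines into JSON records, joining consecutive fragments.

    A line that does not parse on its own is held and prepended to the next
    line. The buffer is discarded (and counted as dropped) if it grows past
    `max_buffer`, so one non-JSON line cannot poison everything after it.
    Returns (records, dropped).
    """
    records, buffer, dropped = [], "", 0
    for line in lines:
        candidate = buffer + line
        try:
            records.append(json.loads(candidate))
            buffer = ""
        except json.JSONDecodeError:
            if len(candidate) > max_buffer:
                dropped += 1
                buffer = ""
            else:
                buffer = candidate
    if buffer:  # trailing fragments that never completed a record
        dropped += 1
    return records, dropped


# Constructed sample: two short records around one record whose message exceeds the limit.
SHORT_1 = {"level": "info", "message": "worker started"}
LONG = {"level": "error", "message": "traceback " + "x" * 5000}
SHORT_2 = {"level": "info", "message": "worker stopped"}


def sample_stream() -> list[str]:
    """Lines as they would be read after the transport split the long record."""
    return ([json.dumps(SHORT_1)]
            + split_like_systemd(json.dumps(LONG))
            + [json.dumps(SHORT_2)])


if __name__ == "__main__":
    records, dropped = reassemble_json_lines(sample_stream())
    print(f"{len(records)} records recovered, {dropped} dropped")
```

The same buffering logic can be expressed as a multiline stage in a log shipper; the point it demonstrates is that a fragment never parses on its own (an unterminated string on the first chunk, a bare tail on the last), so "parse or keep buffering" is a safe join rule as long as the buffer is capped.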
When more than 1000 entities are loaded on the graph, you cannot load related entities and observables by selecting Load entities, Load observables, or Load entities by observable from the context menu.
When creating groups in the graph, it is not possible to merge multiple groups into one.
If an ingestion process crashes while ingestion is still ongoing, data may not always sync to Elasticsearch.
Users can leverage rules to access groups that act as data sources, even if those users are not members of the groups they access through rules.
Running multiple outgoing feed tasks may cause the Intelligence Center to consume a large amount of memory over time, because certain outgoing feeds such as HTTP download must load the data into memory in order to make it available to feed consumers.
## Public API compatibility
From EclecticIQ Intelligence Center 2.12.0 onward, the public API is packaged together with EclecticIQ Intelligence Center.
The following reference table lists the versions of the public API package and EclecticIQ Intelligence Center versions they are compatible with:
| Intelligence Center version(s) | Public API package version(s) | Public API version |
|---|---|---|
| 2.11 - 2.12 | | v1 |
| 2.13.0 | | v1 |
| 2.14.0 and newer | Now follows EclecticIQ Intelligence Center versioning scheme. E.g., EclecticIQ Intelligence Center 2.14 is now compatible with | v1 |
| 3.0.0 and newer | EclecticIQ Intelligence Center 3.0 and newer uses Public API v2. Follows EclecticIQ Intelligence Center versioning scheme. E.g., EclecticIQ Intelligence Center 3.0.2 is compatible with | v2 |
## Download
For more information about setting up repositories, refer to the installation documentation for your target operating system.
| EclecticIQ Intelligence Center and dependencies for Rocky Linux and RHEL | |
|---|---|
| EclecticIQ Intelligence Center extensions | |
## Upgrade

The diagram below describes upgrade paths for EclecticIQ Intelligence Center. See the following for upgrade instructions:

In order to upgrade to EclecticIQ Intelligence Center 3.0, you must:

- Be running one of the supported operating systems.
- Upgrade from EclecticIQ Intelligence Center 2.14.

If you are running an older version of EclecticIQ Intelligence Center, you must upgrade to 2.14 before attempting to upgrade to EclecticIQ Intelligence Center 3.0.