Release notes 2.10.0#
| Product | EclecticIQ Platform |
|---|---|
| Release version | 2.10.0 |
| Release date | 29 June 2021 |
| Summary | Minor release |
| Upgrade impact | Medium |
| Time to upgrade | ~18 minutes to upgrade an instance with 4 million entities. Additional ~6 minutes to run the pre-upgrade scripts when upgrading from 2.8.x and earlier. |
| Time to migrate | |
Highlights#
EclecticIQ Platform 2.10.0 is a minor release. It contains new features, improvements to existing functionality, as well as bug fixes.
This first release of the year delivers a significant step towards full interoperability with the STIX 2.1 and TAXII 2.1 standards for intelligence exchange. Release 2.10 supports Indicators, Observed Data, Sightings, Courses of Action and Reports in STIX 2.1 format over TAXII 2.1 (some object types are supported for ingestion only; see What’s new below). We are adding objects as prescribed by the OASIS STIX 2 Preferred self-certification program. By following this program, we ensure that EclecticIQ Intelligence Center can reliably exchange threat data with the growing number of intelligence providers and security controls that implement these standards.
This release also brings many new features and improvements that are part of a series of new long-term initiatives which boost the functionality and overall usability of EclecticIQ Intelligence Center. This includes:
the integration of MITRE ATT&CK framework, which helps you to better understand the context of a threat, the phase of attacks and thus prioritize next steps accordingly.
the addition of Knowledge Packs, which lets you instantly start tracking relevant, timely threats without spending any time or effort on manually configuring the workspace.
the redesign of the navigation interface to streamline your way of working and improve workflow.
We hope you enjoy reading these release notes – once again accompanied by short feature videos for your convenience – and watching the quick tour video from the team.
Upcoming#
EclecticIQ Platform to be renamed EclecticIQ Intelligence Center
2.10 is the last release using the EclecticIQ Platform name. As of release 2.11 we will rename the product to EclecticIQ Intelligence Center and update all documentation.
What’s new#
MITRE ATT&CK support
The platform now allows you to add MITRE ATT&CK classifications to entities.
Entities have a new field for MITRE ATT&CK classifications, allowing you to add Enterprise ATT&CK tactics, techniques, and sub-techniques. Adding ATT&CK classifications to entities allows you to search and filter them by ATT&CK IDs when working with the platform.
For more information, see the documentation.
Note
This release adds MITRE ATT&CK support to the platform, but does not:
Allow extensions to map ATT&CK data in vendor feeds onto ATT&CK classifications of ingested entities.
Automatically convert ATT&CK data already present in existing entities into ATT&CK classifications.
Major user interface improvements
In this release, we take the first of many steps towards a new and improved UI for the platform. We’ve introduced:
Cleaner UI: Less visual clutter and better overall readability.
New navigation bar: We’ve improved how you move through the platform by streamlining the navigation bars. Important features are now accessible through the main navigation bar on the left, allowing you to get productive faster.
For more information, see New navigation below.
Azure AD: OAuth 2.0 and SAML support
You can now set up the platform to use OAuth 2.0 and SAML to authenticate users against Azure AD (Azure Active Directory).
The platform allows you to:
Use Azure AD as a SAML identity provider.
Configure the platform to act as a resource server in Microsoft identity platform OAuth 2.0 flows, that is, to accept and validate access tokens issued by Azure AD.
For more information, see the documentation.
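What "acting as a resource server" commits the platform to is shown below as an added example; it is not the platform's own code and not from these release notes. It performs the checks a resource server must make on an Azure AD access token before trusting it: signature with a pinned algorithm, issuer for the expected tenant, audience equal to this API, and the exp/nbf window. To run offline it signs with HS256 and a constructed key; real Azure AD tokens are RS256-signed and must be verified against the tenant's JWKS document (the `kid` in the header selects the key). The tenant id, audience (Application ID URI) and key are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key: stands in for the RS256 key Azure AD publishes through its JWKS endpoint.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Produce a compact JWT. HS256 is used only so the example runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenRejected(Exception):
    """Raised with the reason a bearer token was refused."""


def validate_bearer_token(token: str, tenant_id: str, audience: str,
                          key: bytes = DEMO_KEY, now: Optional[float] = None) -> dict:
    """Checks a resource server must do before trusting an Azure AD access token."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none' or a downgrade
        raise TokenRejected("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Issuer formats used by the v2.0 and v1.0 Microsoft identity platform endpoints.
    allowed_issuers = {
        "https://login.microsoftonline.com/%s/v2.0" % tenant_id,
        "https://sts.windows.net/%s/" % tenant_id,
    }
    if claims.get("iss") not in allowed_issuers:
        raise TokenRejected("issuer %r is not this tenant" % claims.get("iss"))
    if claims.get("tid") != tenant_id:
        raise TokenRejected("token issued for another tenant")
    # Audience is the check most often skipped: a token minted for a different API in the
    # same tenant has a valid signature and issuer but must still be refused here.
    if claims.get("aud") != audience:
        raise TokenRejected("audience %r is not this API" % claims.get("aud"))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenRejected("token expired or missing exp")
    if claims.get("nbf", 0) > now:
        raise TokenRejected("token not yet valid")
    return claims


def demo(now: float = 1_625_000_000.0) -> dict:
    """Run the validator over constructed tokens; returns the outcome per case."""
    tenant = "11111111-2222-3333-4444-555555555555"   # constructed tenant id
    api_app_id = "api://eiq-platform-demo"             # constructed Application ID URI
    base = {"iss": "https://login.microsoftonline.com/%s/v2.0" % tenant, "tid": tenant,
            "aud": api_app_id, "sub": "user-1", "nbf": now - 60, "exp": now + 3600}
    cases = {
        "good": sign_token(base),
        "wrong_audience": sign_token({**base, "aud": "api://some-other-api"}),
        "expired": sign_token({**base, "exp": now - 1}),
        "tampered": sign_token(base)[:-4] + "AAAA",
    }
    results = {}
    for name, token in cases.items():
        try:
            validate_bearer_token(token, tenant, api_app_id, now=now)
            results[name] = "accepted"
        except TokenRejected as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The wrong-audience case is the one worth noting: it is a perfectly good token for the same tenant, and only the `aud` comparison keeps it out of this API.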
STIX 2.1: Sightings and Course of Action
This release moves the platform closer to STIX 2 Preferred status by adding support for the following STIX 2.1 objects:
Sighting SRO (Ingestion only)
Report SDO (Ingestion only)
Course of Action SDO (Ingestion and export)
For more information, see the documentation.
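The object types named in the Highlights and in this section each carry their own required properties in STIX 2.1, and an ingest path has to check them before anything enters the platform. The following added example (not the platform's code and not from these notes) validates a constructed STIX 2.1 bundle containing an Indicator, a Sighting, a Report, a Course of Action and an Observed Data object: common properties, `spec_version`, the `type--uuid` identifier form, RFC 3339 UTC timestamps, and the shape of every `_ref`/`_refs` value. The identifiers and timestamps are made up; the type table is limited to the objects this page discusses.

```python
import re
from typing import Dict, List, Tuple

UUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

# Properties every STIX 2.1 domain/relationship object must carry.
COMMON_REQUIRED = ("type", "spec_version", "id", "created", "modified")
# Type-specific required properties for the objects the release notes discuss;
# anything else is reported as unsupported by this example.
TYPE_REQUIRED = {
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "observed-data": ("first_observed", "last_observed", "number_observed", "object_refs"),
    "sighting": ("sighting_of_ref",),
    "report": ("name", "published", "object_refs"),
    "course-of-action": ("name",),
}
TIMESTAMP_PROPS = ("created", "modified", "valid_from", "first_observed", "last_observed", "published")


def check_object(obj: dict) -> List[str]:
    """Return a list of problems; an empty list means the object is acceptable."""
    problems: List[str] = []
    obj_type = obj.get("type")
    if obj_type not in TYPE_REQUIRED:
        return ["unsupported type %r" % obj_type]
    for prop in COMMON_REQUIRED + TYPE_REQUIRED[obj_type]:
        if prop not in obj:
            problems.append("missing required property %r" % prop)
    if obj.get("spec_version") != "2.1":
        problems.append("spec_version must be '2.1'")
    if "id" in obj and not re.fullmatch(obj_type + "--" + UUID_RE, str(obj["id"])):
        problems.append("id %r is not '%s--<uuid>'" % (obj["id"], obj_type))
    for prop in TIMESTAMP_PROPS:
        if prop in obj and not TIMESTAMP_RE.match(str(obj[prop])):
            problems.append("%s is not an RFC 3339 UTC timestamp" % prop)
    # Every reference must look like a STIX identifier. The referenced object need not be in
    # the same bundle, so a missing target is not a rejection reason at this stage.
    for key, value in obj.items():
        if key.endswith("_ref"):
            refs = [value]
        elif key.endswith("_refs") and isinstance(value, list):
            refs = value
        else:
            continue
        for ref in refs:
            if not re.fullmatch(r"[a-z0-9-]+--" + UUID_RE, str(ref)):
                problems.append("%s contains malformed identifier %r" % (key, ref))
    return problems


def ingest_bundle(bundle: dict) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a bundle into accepted object ids and rejected ids with their reasons."""
    accepted: List[str] = []
    rejected: Dict[str, List[str]] = {}
    for position, obj in enumerate(bundle.get("objects", [])):
        problems = check_object(obj)
        label = str(obj.get("id", "object #%d" % position))
        if problems:
            rejected[label] = problems
        else:
            accepted.append(obj["id"])
    return accepted, rejected


def build_sample_bundle() -> dict:
    """Constructed sample bundle; ids and timestamps are made up for the example."""
    ts = "2021-06-29T10:00:00.000Z"
    indicator_id = "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"
    sighting_id = "sighting--3b6b5b62-6a7e-4f3c-9c9a-1d2e3f4a5b6c"
    return {"type": "bundle", "id": "bundle--0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d", "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": indicator_id, "created": ts, "modified": ts,
         "pattern": "[ipv4-addr:value = '198.51.100.7']", "pattern_type": "stix", "valid_from": ts},
        {"type": "sighting", "spec_version": "2.1", "id": sighting_id, "created": ts, "modified": ts,
         "sighting_of_ref": indicator_id, "count": 1,
         "where_sighted_refs": ["identity--7d2c1a4b-5e6f-4a7b-8c9d-0e1f2a3b4c5d"]},
        {"type": "report", "spec_version": "2.1", "id": "report--c9d8e7f6-a5b4-4c3d-9e2f-1a0b9c8d7e6f",
         "created": ts, "modified": ts, "name": "Constructed sample report", "published": ts,
         "object_refs": [indicator_id, sighting_id]},
        {"type": "course-of-action", "spec_version": "2.1",
         "id": "course-of-action--1f2e3d4c-5b6a-4798-8a9b-0c1d2e3f4a5b",
         "created": ts, "modified": ts, "name": "Block 198.51.100.7 at the perimeter"},
        # Two objects that must be refused: observed-data with a 2.0 spec_version and no
        # number_observed, and a course of action with a non-STIX id and a bad timestamp.
        {"type": "observed-data", "spec_version": "2.0",
         "id": "observed-data--aaaa1111-bbbb-4ccc-8ddd-eeeeffff0000",
         "created": ts, "modified": ts, "first_observed": ts, "last_observed": ts,
         "object_refs": ["ipv4-addr--0f1e2d3c-4b5a-4697-8899-aabbccddeeff"]},
        {"type": "course-of-action", "spec_version": "2.1", "id": "coa-42",
         "created": ts, "modified": "yesterday", "name": "broken object"},
    ]}


if __name__ == "__main__":
    accepted, rejected = ingest_bundle(build_sample_bundle())
    print("accepted:", accepted)
    print("rejected:", rejected)
```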
Knowledge Packs
This release introduces knowledge packs to the platform.
Knowledge packs are pre-configured bundles that you can install on your platform instance to add collections of workspaces, datasets, and rules that you can use and build upon.
For this release, knowledge packs curated by EclecticIQ threat analysts are available to install.
To view and install knowledge packs, go to Data configuration > Knowledge packs on the platform.
Note
To allow your platform instance to retrieve knowledge packs from EclecticIQ servers, allow outgoing requests to https://cti.eclecticiq.com/list-published-configuration-bundles.
Add images to reports
You can now add images to the Summary or Analysis sections of a report when creating or editing a Report entity. Images (GIF, JPG, PNG) added to reports are added to that report entity as attachments, and are displayed in the Summary or Analysis section they are added to.
Important bug fixes#
A user’s session token should be invalidated after password change
ADDENDUM: This fix is incorrectly listed as part of the 2.10.0 release. It will be delivered as part of 2.11.0 instead.
Fixed issue where a user’s old session token remained valid after the user changed their password, so the old token could still be used for subsequent requests. Session tokens are now invalidated on password change.
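The design that makes this fix cheap to get right is to bind every session to a per-user password generation and bump the generation on change, so no session store has to be enumerated. The following is an added example of that pattern, not the platform's implementation; the user and session types, the KDF placeholder strings and the fixed timestamp are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    password_hash: str            # output of your password KDF; an opaque placeholder here
    password_generation: int = 0  # bumped on every password change


@dataclass
class Session:
    username: str
    password_generation: int      # generation the session was issued under
    expires_at: float


class SessionStore:
    """Sessions are keyed by SHA-256 of the token so a leaked store yields no usable tokens."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user: User, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user.username, user.password_generation, now + ttl_seconds)
        return token

    def resolve(self, token: str, users: Dict[str, User], now: Optional[float] = None) -> Optional[User]:
        """Return the user for a token, or None if the session is unknown, expired,
        or was issued before the user's most recent password change."""
        now = time.time() if now is None else now
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        user = users.get(session.username)
        if user is None or session.expires_at <= now or session.password_generation != user.password_generation:
            self._sessions.pop(key, None)  # stale: drop it so it cannot be replayed later
            return None
        return user


def change_password(user: User, new_password_hash: str) -> None:
    """Rotating the generation invalidates every session for this user on every node."""
    user.password_hash = new_password_hash
    user.password_generation += 1


def demo() -> dict:
    now = 1_625_000_000.0  # fixed clock so the example is deterministic
    users = {"alice": User("alice", "kdf$old")}
    store = SessionStore()
    old_token = store.create(users["alice"], now=now)
    before = store.resolve(old_token, users, now=now) is not None
    change_password(users["alice"], "kdf$new")
    after = store.resolve(old_token, users, now=now) is not None
    # The login (or the changing session itself) then receives a token bound to the new generation.
    new_token = store.create(users["alice"], now=now)
    fresh = store.resolve(new_token, users, now=now) is not None
    return {"old_token_valid_before_change": before,
            "old_token_valid_after_change": after,
            "new_token_valid": fresh}


if __name__ == "__main__":
    print(demo())
```

If the password change is made from the user's own browser session, issue that session a fresh token in the same response rather than logging the user out; the old token must still die.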
Slow performance in UI when using entity builder
Fixed issue where creating or editing entities using the entity builder would cause the platform to slow down.
Observables would not show up in global search
Fixed issue where observables would not show up in search results when using global search on the platform. The platform now correctly updates the view state when viewing the Observables tab in search results.
Reports from RSS feed would crash UI when edited
Fixed issue where editing reports ingested through the RSS incoming feed would crash the UI when a user opened them in the entity builder. The issue is not specific to the RSS feed transport itself; it applies to any report entity whose description contains HTML markup.
The crash occurred when the entity builder attempted to display a report containing incomplete HTML microdata. The platform now ignores incomplete microdata, preventing similar crashes.
Incoming feed can get stuck in “Ingesting” state
Fixed an issue where an incoming feed would be stuck in the “Ingesting” state because one or more entities contained external references that could not be resolved, causing the platform to endlessly attempt to reprocess those entities.
The platform now handles these unresolvable references gracefully.
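The failure mode above is a retry loop with no termination condition. The added example below (not the platform's code) shows the usual fix: reprocess entities with unresolved references only while a pass over the batch still makes progress, and park whatever is left, so the feed always reaches a terminal state. Entity ids and the `refs` field are constructed for the example.

```python
from typing import Dict, List, Tuple


def run_ingestion(batch: List[dict], known_ids: List[str]) -> Tuple[List[str], Dict[str, List[str]], str]:
    """Ingest entities whose references resolve; retry the rest only while a pass makes progress.

    Returns (ingested ids, parked ids -> unresolved refs, final feed state). The loop ends
    as soon as a full pass ingests nothing, so a dangling reference can never wedge the feed."""
    known = set(known_ids)
    pending = list(batch)
    ingested: List[str] = []
    while pending:
        progressed = False
        still_pending: List[Tuple[dict, List[str]]] = []
        for entity in pending:
            missing = [ref for ref in entity.get("refs", []) if ref not in known]
            if missing:
                still_pending.append((entity, missing))
            else:
                known.add(entity["id"])
                ingested.append(entity["id"])
                progressed = True
        if not progressed:
            # Nothing new resolved in this pass: park the remainder instead of re-queuing forever.
            parked = {entity["id"]: missing for entity, missing in still_pending}
            return ingested, parked, "completed_with_parked_entities"
        pending = [entity for entity, _ in still_pending]
    return ingested, {}, "completed"


def sample_batch() -> List[dict]:
    """Constructed batch: B depends on A, C on A and on an id that is never delivered, D on C."""
    return [
        {"id": "A", "refs": []},
        {"id": "D", "refs": ["C"]},
        {"id": "B", "refs": ["A"]},
        {"id": "C", "refs": ["A", "external-never-delivered"]},
    ]


if __name__ == "__main__":
    print(run_ingestion(sample_batch(), known_ids=[]))
    print(run_ingestion(sample_batch(), known_ids=["external-never-delivered"]))
```

Parked entities keep their unresolved reference list, so a later run can retry them once the referenced objects arrive, and the feed status stays honest in the meantime.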
Error when editing objects in the graph by selecting Edit from the context menu
Fixed an issue where editing an object in the graph by right-clicking it and selecting Edit opened the entity builder with the error “There was an error while loading, please try again.”
Known issues#
When you configure the platform databases during a platform installation or upgrade, you must specify passwords for the databases.
Systemd splits log lines exceeding 2048 characters into two or more lines. As a result, such log lines are no longer valid JSON, and Logstash cannot parse them correctly.
When more than 1000 entities are loaded on the graph, you cannot load related entities and observables by selecting Load entities, Load observables, or Load entities by observable from the context menu.
When creating groups in the graph, it is not possible to merge multiple groups into one.
If an ingestion process crashes while ingestion is still ongoing, data may not always sync to Elasticsearch.
Users can leverage rules to access groups that act as data sources, even if those users are not members of the groups they access through rules.
Running multiple outgoing feed tasks may cause the platform to consume a large amount of memory over time, because certain outgoing feeds, such as HTTP download, must load the data into memory to make it available to feed consumers.
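For the systemd known issue above, the practical workaround on the collection side is to reassemble fragments before JSON parsing rather than to lose the events. The following added example (not from the page or the platform) simulates the 2048-character split the known issue describes and shows a reassembler that treats a fragment of exactly that length as continued on the next line unless the buffer already parses. The log events are constructed; the split length is taken from the known issue and is an assumption about your systemd build.

```python
import json
from typing import List, Tuple

SYSTEMD_LINE_MAX = 2048  # split point named in the known issue; adjust if your systemd differs


def simulate_systemd_split(line: str) -> List[str]:
    """Constructed stand-in for journald: cut one log line into fixed-size pieces."""
    return [line[i:i + SYSTEMD_LINE_MAX] for i in range(0, len(line), SYSTEMD_LINE_MAX)] or [""]


def _parses(text: str) -> bool:
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def reassemble_json_lines(lines: List[str], max_fragments: int = 16) -> Tuple[List[dict], List[str]]:
    """Glue split fragments back together before parsing. Returns (events, unparseable strings)."""
    events: List[dict] = []
    broken: List[str] = []
    buffer = ""
    fragments = 0
    for line in lines:
        buffer += line
        fragments += 1
        if len(line) == SYSTEMD_LINE_MAX and fragments < max_fragments:
            # Exactly at the limit: probably cut. Emit only if it already forms a whole event.
            try:
                events.append(json.loads(buffer))
            except json.JSONDecodeError:
                continue  # more of this event is still to come
            buffer, fragments = "", 0
            continue
        # Shorter than the limit (or fragment cap hit): this is the end of the event.
        try:
            events.append(json.loads(buffer))
        except json.JSONDecodeError:
            broken.append(buffer)
        buffer, fragments = "", 0
    if buffer:
        broken.append(buffer)  # stream ended mid-event
    return events, broken


def demo() -> dict:
    """Constructed events: one far over the limit, one short."""
    long_event = {"level": "info", "msg": "outgoing feed run", "payload": "x" * 5000}
    short_event = {"level": "warn", "msg": "short line"}
    raw = [json.dumps(long_event), json.dumps(short_event)]
    as_seen_by_logstash = [piece for line in raw for piece in simulate_systemd_split(line)]
    naive = sum(1 for piece in as_seen_by_logstash if _parses(piece))
    events, broken = reassemble_json_lines(as_seen_by_logstash)
    return {"lines_after_split": len(as_seen_by_logstash),
            "naively_parseable": naive,
            "reassembled_correctly": events == [long_event, short_event],
            "broken": len(broken)}


if __name__ == "__main__":
    print(demo())
```

The fragment cap keeps a single corrupt line from swallowing everything after it; anything that cannot be reassembled is returned rather than silently dropped, so the loss is visible in monitoring.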
Security issues and mitigations#
To see a detailed list of security issues and their mitigations, go to All security issues and mitigations.
| ID | CVE | Description | Severity | Status | Affected versions |
|---|---|---|---|---|---|
| - | | Users could create entities in Source Groups indirectly assigned through Groups, instead of only being able to create entities in Groups they are directly assigned to. | 1 - LOW | | 2.9.1 and earlier. |
| - | | SVG file upload could allow cross-site scripting (XSS) | 2 - MEDIUM | | 2.9.1 and earlier. |
| - | | HTML injection through the GUI | 2 - MEDIUM | | 2.9.1 and earlier. |
| | | CairoSVG is vulnerable to regular expression denial of service | 2 - MEDIUM | | 2.9.1 and earlier. |
| | | PySAML2 improper verification of cryptographic signature | 2 - MEDIUM | | 2.9.1 and earlier. |
| | | Pillow is vulnerable to buffer overflows | 2 - MEDIUM | | 2.9.1 and earlier. |
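The SVG upload issue in the table is the standard case of an "image" that is really a document: an SVG rendered inline runs script in the origin that serves it. The release also limits report images to GIF, JPG and PNG. The added example below (not the platform's code) shows the check that property needs: decide on the bytes, not on the filename or the client-supplied Content-Type, refuse anything that starts like XML/SVG/HTML, and require the extension and declared type to agree with the sniffed format. The sample uploads are constructed.

```python
from typing import Optional, Tuple

# Magic numbers for the formats the report editor accepts (GIF, JPG, PNG).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
EXTENSION_TO_TYPE = {"gif": "gif", "jpg": "jpg", "jpeg": "jpg", "png": "png"}


def sniff_image_type(data: bytes) -> Optional[str]:
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def looks_like_markup(data: bytes) -> bool:
    """SVG and HTML are text: optional BOM/whitespace, then '<?xml', '<svg', '<!DOCTYPE' or '<html'."""
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:64].lower()
    return head.startswith((b"<?xml", b"<svg", b"<!doctype", b"<html"))


def validate_image_upload(data: bytes, filename: str, declared_content_type: str) -> Tuple[bool, str]:
    """Accept only GIF/JPG/PNG whose bytes, extension and declared type agree.

    The filename and Content-Type come from the client and are attacker-controlled;
    they are cross-checked against the bytes, never trusted on their own."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if looks_like_markup(data):
        return False, "markup (SVG/HTML) is not an accepted image format"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "unrecognised file signature"
    if EXTENSION_TO_TYPE.get(ext) != kind:
        return False, "extension %r does not match content (%s)" % (ext, kind)
    expected_type = "image/" + ("jpeg" if kind == "jpg" else kind)
    if declared_content_type.lower() != expected_type:
        return False, "declared Content-Type does not match content"
    return True, kind


# Constructed uploads: (bytes, filename, declared Content-Type).
SAMPLES = {
    "png_ok": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "chart.png", "image/png"),
    "svg_xss_as_png": (b"<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>",
                       "logo.png", "image/png"),
    "gif_wrong_ext": (b"GIF89a" + b"\x00" * 16, "anim.jpg", "image/jpeg"),
    "jpeg_ok": (b"\xff\xd8\xff\xe0" + b"\x00" * 16, "photo.JPEG", "image/jpeg"),
}


def demo() -> dict:
    return {name: validate_image_upload(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Serve stored attachments with `X-Content-Type-Options: nosniff` and a server-chosen Content-Type; if SVG ever has to be accepted, serve it as a download (`Content-Disposition: attachment`) or from a separate origin rather than inline in the application's origin.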
Download#
For more information about setting up repositories, refer to the installation documentation for your target operating system.
| EclecticIQ Platform and dependencies for CentOS and RHEL | Note: The platform dependencies URL for versions 2.9 and later is |
|---|---|
| EclecticIQ Platform extensions | |
Upgrade#
The following diagram describes the upgrade path you should take depending on the platform version you are upgrading from.
For example:
You can upgrade from version 2.9.1 of the platform to 2.10.0 directly,
To upgrade from 2.4.0 to 2.10.0, you must first upgrade to 2.5.0, then upgrade from 2.5.0 to 2.10.0.
When upgrading from 2.8.x and earlier to 2.9.x and later:
You must run the pre-upgrade script, which prepares the instance to work with Elasticsearch 7.9.1.
You must run the pre-upgrade script on the platform version you are upgrading from.
For example, when upgrading from 2.8.0 to 2.10.0, run the pre-upgrade script while the platform is still running version 2.8.0.
From 2.5.0, the upgrade paths have been tested using the EclecticIQ Intelligence Center install script compiled by Rundoc.
The script only supports:
Single-machine installs.
Instances installed using the Intelligence Center install script.
It does not support Intelligence Center instances installed in distributed environments.