Release notes 2.14.0#

Product: EclecticIQ Intelligence Center

Release version: 2.14.0

Release date: 27 Oct 2022

Summary: Minor release

Upgrade impact: Medium

Time to upgrade: ~18 minutes to upgrade an instance with 4 million entities

  • From the previous release

  • Using the installation script

  • For an instance running on one machine

  Additional ~6 minutes to run pre-upgrade scripts when upgrading from 2.8.x and earlier.

Time to migrate:

  • PostgreSQL database: ~6 minutes per 4 million entities

  • Elasticsearch database: ~1 minute per 4 million entities

  • Neo4j database: ~1 minute per 4 million entities

Highlights#

EclecticIQ Intelligence Center 2.14.0 is a minor release. We plan on making it the last release in the 2.x series before we move onto EclecticIQ Intelligence Center 3.0. With release 2.14 we are bringing features and UI enhancements that analysts will appreciate.

When it comes to the way Intelligence Center ingests new threat data, release 2.14 lets you define passive incoming feeds over TAXII 2.1. New entities that are received can also be cleaned up more easily during ingestion: the enhanced entity rules feature now lets you automatically add a missing TLP or override the existing one, and replace supplier tags with your own.

Release 2.14 also removes some restrictions, making it easier to create intelligence. Analysts will be pleased to hear that they no longer need to ensure that the images they add to reports are less than 2MB in size: we have increased the size limit for inline images to 10MB. You don’t have to worry about cluttering your outgoing feeds, as Intelligence Center automatically compresses all images down to 2MB again. Furthermore, we are relaxing the mandatory field requirements for adding a Snort Test Mechanism to indicators. Now you only need to add the Signature field, and Intelligence Center is ready to share the entity information with external tools and systems.

Finally, we have optimized elements of the user interface for a better user experience. Editing comprehensive entity texts can now happen more easily in full-screen mode. Creating, sharing, and consuming Knowledge Packs is easier thanks to several UI improvements. And we are introducing a new UI component called the “slide out” to the profile page. This way your profile page will be temporarily overlaid on top of your current view, and you can continue where you left off when you have completed updating your profile. This is the first step in the introduction of these slide outs, and you will see them appear for other tools as well.

As mentioned, we are working on Intelligence Center 3.0, an exciting next step containing long-awaited changes. We plan to add objects for a more granular data model and support for flexible relationships as defined by STIX 2.1. Our Public REST API will also need to be updated to version 2 to ensure that the endpoints make full use of the expanded data model. We intend to replace support for the CentOS operating system with Rocky Linux and introduce support for Red Hat Enterprise Linux 8 so that you can keep receiving security updates. And we are removing the Neo4j database to increase responsiveness and scalability. Stay tuned for more details as we move closer to its official release. If you have any questions in the meantime and would like to get ready for these changes, please do not hesitate to reach out to your customer service representative via csm@eclecticiq.com.

We hope you enjoy reading these release notes – once again accompanied by short feature videos for your convenience.

What’s new#

New actions for entity rules#

Entity rules can now trigger two new actions: Override TLP and Remove tags.

Video: New entity rule action, TLP override

Video: New entity rule action, Remove tags
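To make the two actions concrete, here is an added Python sketch of what a rule engine applying them at ingestion time looks like. It is an illustration written for these notes, not EclecticIQ's entity rules implementation or code: the rule format, the dotted JSON-path criteria, the `data`/`meta` entity layout and the sample entities are all assumptions. It also goes slightly beyond the two actions named above by including the add-missing-TLP behaviour mentioned in the Highlights.

```python
"""Toy entity-rule engine (added example, not EclecticIQ code).

Applies Override TLP, add-missing-TLP and Remove tags actions to entities as
they are ingested. Criteria are dotted JSON paths into the entity dict; the
path syntax, rule format and entity layout are constructed for this example.
"""
from copy import deepcopy


def get_path(obj, path):
    """Resolve a dotted JSON path such as 'data.type' against a nested dict."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


# Hypothetical rule format: criteria are (path, expected value) pairs and
# actions are small dicts naming the action and its parameter.
RULES = [
    {
        "name": "Supplier feed: force TLP AMBER and drop supplier tags",
        "criteria": [("meta.source", "supplier-x")],
        "actions": [
            {"action": "override_tlp", "tlp": "AMBER"},
            {"action": "remove_tags",
             "tags": ["supplier-x:raw", "supplier-x:unreviewed"]},
        ],
    },
    {
        "name": "Add a TLP to indicators that arrived without one",
        "criteria": [("data.type", "indicator")],
        "actions": [{"action": "add_missing_tlp", "tlp": "GREEN"}],
    },
]


def matches(entity, criteria):
    """True when every (path, value) criterion holds for the entity."""
    return all(get_path(entity, path) == value for path, value in criteria)


def apply_action(entity, action):
    """Apply one action in place to the entity's meta block."""
    meta = entity.setdefault("meta", {})
    kind = action["action"]
    if kind == "override_tlp":
        # Replace whatever TLP the supplier sent.
        meta["tlp"] = action["tlp"]
    elif kind == "add_missing_tlp":
        # Only fill in a TLP when the entity has none; never downgrade one.
        meta.setdefault("tlp", action["tlp"])
    elif kind == "remove_tags":
        drop = set(action["tags"])
        meta["tags"] = [t for t in meta.get("tags", []) if t not in drop]
    else:
        raise ValueError(f"unknown action {kind!r}")


def apply_rules(entity, rules=RULES):
    """Return a new entity with every matching rule applied, in rule order."""
    out = deepcopy(entity)
    for rule in rules:
        if matches(out, rule["criteria"]):
            for action in rule["actions"]:
                apply_action(out, action)
    return out


# Constructed sample entities, not real feed data.
SAMPLE = [
    {"data": {"type": "indicator", "title": "bad-domain"},
     "meta": {"source": "supplier-x", "tlp": "WHITE",
              "tags": ["supplier-x:raw", "phishing"]}},
    {"data": {"type": "indicator", "title": "bad-ip"},
     "meta": {"source": "internal"}},
    {"data": {"type": "report", "title": "weekly"},
     "meta": {"source": "internal", "tags": ["supplier-x:raw"]}},
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(apply_rules(e)["meta"])
```

Rule order matters: the first sample entity gets its TLP overridden to AMBER by the supplier rule, so the later add-missing-TLP rule leaves it alone, while the second entity, which arrived without any TLP, receives GREEN.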

Adds TAXII 2.1 inbox incoming feed#

You can now set up a TAXII 2.1 inbox incoming feed to host a collection that remote TAXII 2.1 clients can push data into.

See Incoming feed - TAXII 2.1 inbox.

Improved knowledge packs user experience#

General improvements have been made to the user experience for knowledge packs.

Video: UI improvements for knowledge packs

User profile page is now a slideout#

Selecting your profile picture now opens your user profile page as a slideout. This keeps your work in the background, letting you return to where you left off when you close the user profile page.

Full screen text editor#

You can now edit text in full screen when creating or editing entities. When editing the Description or Analysis fields of an entity, you can now switch to the full screen text editor for a distraction-free writing experience.

Video: Full screen text editor

Increased max image attachment size for reports#

When creating report entities, you can now attach images of up to 10MB in size each. Images larger than 2MB are compressed.

Video: Add inline images up to 10MB

Stream audit logs to Splunk#

You can now stream audit logs to Splunk using the sample pipeline included here:

Stream audit logs to Splunk

Improvements#

  • Creating SNORT test mechanisms has fewer required fields

    Now, only the Signature field is required when creating a SNORT test mechanism.

  • Large outgoing feeds now load the ‘Created Packages’ tab faster

    The Created Packages tab of outgoing feeds with a large number of runs could take a long time to load. This has been optimized.

Fixes#

  • UI would only allow administrators to send users a password reset once

    Fixed issue where administrators were able to select Force Password Reset only once. This action sends a password reset token to the user’s email address. The UI now allows administrators to select Force Password Reset multiple times.

  • Manual uploads would allow you to select no target source

    When performing a manual upload, you could clear the Source field and attempt to upload files, which would fail as a target source group must be selected. You now must select a source when performing a manual upload.

  • Graph thumbnail shows incorrect graph

    Fixed issue where when creating a new empty graph, the Graphs page would display the thumbnail of the last saved graph instead of an empty graph for the newly saved graph.

  • Adding links to a report has various issues

    Fixed issue where when adding links to a report entity’s Summary or Analysis fields by highlighting text and then selecting the Insert reference button in the text editor, the Add link modal would display either an unexpected Title or URL value.

  • Resizing inline images in report editor would not save new size

    Fixed issue where resizing an inline image in the report editor, and then selecting Publish to save the report, would not save the new size of the image.

  • Pre-upgrade script to prepare system to upgrade from Elasticsearch 6 to 7 fails to run

    Fixed issue where the pre-upgrade script to prepare an Elasticsearch 6 instance for an upgrade to Elasticsearch 7 would fail to run.

  • Deleting a parent taxonomy to remove a taxonomy tree left dangling references to its children

    When users delete a taxonomy, the IC also removes it from all entities it is used to tag. If a parent taxonomy is removed, both the parent and its child taxonomies are removed, but the child taxonomies were not being removed from the entities they were used to tag.

    As a result, entities previously tagged with these removed child taxonomies were left tagged with taxonomy IDs that are no longer valid. This has been fixed.

  • Issue where reports tagged with a non-existent tag or taxonomy cannot be exported as PDFs

    If a report is tagged with a non-existent tag or taxonomy (possibly as a result of the taxonomy deletion issue described above), attempts to export that report as a PDF would fail. This is now handled gracefully by the IC.

  • Incorrect response for invalid token on TAXII 2 endpoints

    Fixes an issue where attempting to access authenticated TAXII 2 endpoints (/taxii2/...) with an invalid token would result in an HTTP 500 error instead of an HTTP 401. Fixed by upgrading OpenTAXII to 0.9.3.

Security fixes#

Tip

To see a detailed list of security issues and their mitigations, go to All security issues and mitigations.

  • EIQ-2021-0015

    Users with only the modify workspace-comments and read workspace permissions could edit and delete comments in workspaces where they are set as a collaborator. Permissions are now correctly enforced.

Known issues#

  • STIX 2.1 for outgoing feeds: TLP override and filtering has side-effects

    See STIX 2.1 Known issues for a list of known issues.

  • Entity rules: predefined Path items for content criteria may not work

    When creating entity rules, you can choose from a list of predefined Paths when setting up Content criteria.

    These predefined Paths currently do not work. Instead, set up Content criteria for your rules by manually entering JSON paths.

  • Delete observable actions in policies may cause policies to run for excessively long periods of time.

    As of 2.12.0, Delete observable actions are skipped by default to allow policies to run more reliably.

  • Elasticsearch 7 encounters “Data too large” errors: See Elasticsearch 7: “Data too large”.

  • Systemd splits log lines exceeding 2048 characters into 2 or more lines.

    As a result, log lines exceeding 2048 characters become invalid JSON, causing Logstash to be unable to parse them correctly.
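The split-line issue above matters most for the audit log streaming described under “Stream audit logs to Splunk”, because a forwarder that treats every journal line as one JSON document will drop or mis-parse every record longer than 2048 characters. The following Python is an added example written for these notes, not EclecticIQ's sample pipeline or code, showing one defensive approach: re-join fragments that systemd has split, report fragments that never complete rather than silently dropping them, and wrap each recovered record as a Splunk HTTP Event Collector (HEC) event. The audit record field names (`event`, `ts`), the `source`/`sourcetype` values and the sample journal lines are constructed assumptions.

```python
"""Re-join split JSON audit records and build Splunk HEC events.

Added example, not EclecticIQ's sample pipeline. Assumes audit records are
single-line JSON objects with a 'ts' epoch field; both are assumptions.
"""
import json

# Constructed journal lines for the example. Records 1 and 3 are intact;
# record 2 was split into two lines, as happens to lines over 2048 characters.
LINES = [
    '{"event": "user.login", "user": "alice", "outcome": "success", "ts": 1666870000}',
    '{"event": "feed.run", "feed": "taxii21-inbox", "detail": "' + "x" * 40 + '",',
    ' "outcome": "success", "ts": 1666870030}',
    '{"event": "user.password_reset", "user": "bob", "outcome": "requested", "ts": 1666870060}',
    "not json at all",
]


def reassemble(lines):
    """Yield (record, raw) pairs; record is None for text that never parsed.

    A line that fails to parse but looks like the start of an object is held
    back and retried with the following lines appended. If a later line parses
    on its own, the held fragment can never complete and is reported as a
    failure instead of being dropped silently.
    """
    buf = ""
    for line in lines:
        if buf:
            joined = buf + line
            try:
                yield json.loads(joined), joined
                buf = ""
                continue
            except json.JSONDecodeError:
                pass
            try:
                record = json.loads(line)
            except json.JSONDecodeError:
                buf = joined          # still mid-record: keep accumulating
                continue
            yield None, buf           # orphaned fragment, report it
            buf = ""
            yield record, line
            continue
        try:
            yield json.loads(line), line
        except json.JSONDecodeError:
            if line.lstrip().startswith("{"):
                buf = line            # possible first half of a split record
            else:
                yield None, line
    if buf:
        yield None, buf


def to_hec_events(lines, source="eiq-audit", sourcetype="eiq:audit"):
    """Build HEC /services/collector/event payloads from journal lines.

    Returns (events, failures). Failures are the raw lines that could not be
    recovered; a forwarder should count them so that gaps in the audit
    trail are visible rather than silent.
    """
    events, failures = [], []
    for record, raw in reassemble(lines):
        if not isinstance(record, dict):
            failures.append(raw)
            continue
        events.append({
            "time": record.get("ts"),
            "source": source,
            "sourcetype": sourcetype,
            "event": record,
        })
    return events, failures


if __name__ == "__main__":
    evs, bad = to_hec_events(LINES)
    for ev in evs:
        print(json.dumps(ev))
    print(f"{len(evs)} events, {len(bad)} unparseable fragment(s)")
```

The block deliberately stops at building the payloads; shipping them is an HTTP POST of each event to the HEC endpoint with an `Authorization: Splunk <token>` header, which is left out so the example runs offline. Counting the failures list is the part worth keeping in any real pipeline: an audit trail that loses its longest (and often most interesting) records without a trace is hard to notice later.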

  • When more than 1000 entities are loaded on the graph, you cannot load related entities and observables by selecting Load entities, Load observables, or Load entities by observable from the context menu.

  • When creating groups in the graph, it is not possible to merge multiple groups into one.

  • If an ingestion process crashes while ingestion is still ongoing, data may not always sync to Elasticsearch.

  • Users can leverage rules to access groups that act as data sources, even if those users are not members of the groups they access through rules.

  • Running multiple outgoing feed tasks may cause the Intelligence Center to consume a large amount of memory over time, because certain outgoing feeds such as HTTP download must load the data into memory in order to make it available to feed consumers.

Public API compatibility#

From IC 2.12.0 onward, the public API is packaged together with the IC.

The following reference table lists the versions of the public API package and the IC versions they are compatible with:

Intelligence Center version(s)    Public API package version(s)
2.11.x - 2.12.x                   eclecticiq-extension-api==1.0.*
2.13.0                            eclecticiq-extension-api==1.*
2.14.0 and newer                  Follows the IC versioning scheme, e.g. IC 2.14.x is compatible with eclecticiq-extension-api==2.14.*

Download#

For more information about setting up repositories, refer to the installation documentation for your target operating system.

EclecticIQ Intelligence Center and dependencies for CentOS and RHEL

  • Platform packages: https://downloads.eclecticiq.com/platform-packages-centos/

  • Platform dependencies: https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/

    Note

    The Intelligence Center dependencies URL for versions 2.9 and later is https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/. It contains packages that are incompatible with versions 2.8 and earlier.

  • Python 3.8: https://downloads.eclecticiq.com/intelligence-center-dependencies-rpm/centos/7/x86_64/python/3.8

EclecticIQ Intelligence Center extensions

  • Platform extensions: https://downloads.eclecticiq.com/Extensions/

Upgrade#

The following diagram describes the available upgrade paths.

When upgrading from 2.8.x and earlier to 2.9.x and later:

  • You must run the pre-upgrade script to prepare the instance for Elasticsearch 7.9.1.

  • You must run the pre-upgrade script on the Intelligence Center version you are upgrading from.

    For example, when upgrading from 2.8.0 to 2.10.1, you must run the pre-upgrade script on the Intelligence Center while it is running version 2.8.0.

When upgrading from 2.11.x and earlier to 2.12.x and later, you must install the EIQ-provided python38 package. For more information, see the upgrade instructions for your OS.

Upgrade diagram

These upgrade paths have been tested using the EclecticIQ Intelligence Center install script compiled by Rundoc.

The script only supports:

  • Single machine installs.

  • Instances installed using the Intelligence Center install script.

It does not support Intelligence Center instances installed in distributed environments.