Release notes 3.1.0#

Product: EclecticIQ Intelligence Center

Release version: 3.1.0

Release date: 6 July 2023

Time to upgrade: ~40 minutes to upgrade an instance with 2.67 million entities and 1.85 million observables:

  • From the previous release

  • Using the installation script

  • For an instance running on one machine

Time to migrate: for an instance with 2.67 million entities and 1.85 million observables:

  • PostgreSQL migration: 13m30s

  • Elasticsearch migration: 18m40s

Highlights#

EclecticIQ Intelligence Center 3.1 is a minor release that focuses on resolving identified issues and delivering an enhanced user experience. Building on the maintenance releases 3.0.1 and 3.0.2, this version completes an initiative to address unforeseen challenges in the transition from the 2.x series to Intelligence Center 3.0, and to fulfil outstanding customer requests. With this release you get all the new features and improvements that Intelligence Center 3.x has to offer, with enhanced robustness.

In addition to bug fixes, release 3.1 elevates the visual experience of working with Intelligence Center in two notable ways. First, it incorporates three additional accent colors to choose from. Accent colors highlight various UI elements and create a visual hierarchy, drawing attention to important information. By assigning distinct accent colors to each instance in use, you can instantly identify your active environment, reducing the likelihood of errors. Alternatively, if you primarily work within a single instance, you have the freedom to customize the interface to suit your personal preferences, offering a more enjoyable experience beyond the default teal accents.

Secondly, we proudly present a stunning new font. The previous font had limitations in terms of narrowness and readability. Our carefully selected new font features a wider structure, larger x-height, and improved text clarity and accessibility. As a result, the differentiation between similar glyphs has been significantly enhanced, minimizing confusion and facilitating seamless reading. We are confident that you will find this font not only visually appealing but also a significant improvement in legibility.

We hope you find this information useful and enjoy the fixes and changes offered in this release.

Important#

Request EclecticIQ Intelligence Center 3.0 license key#

If you are upgrading from EclecticIQ Intelligence Center 2.x, please request a new license key for your EclecticIQ Intelligence Center 3.x instance. Existing EclecticIQ Intelligence Center 2.x license keys are not compatible with EclecticIQ Intelligence Center 3.0 and newer.

To get a license key for EclecticIQ Intelligence Center 3.0 and newer, please email EclecticIQ’s Customer Success team at csm@eclecticiq.com.

Upgrade operating system#

Important

EclecticIQ Intelligence Center 3.0.0 and newer requires one of these supported operating systems:

  • Red Hat Enterprise Linux 8

  • Rocky Linux 8

If you are using an older operating system such as CentOS 7 or RHEL 7, you must upgrade your operating system to one of the supported operating systems before attempting to install EclecticIQ Intelligence Center 3.0.

See:

What’s new#

Users can select themes#

Users now have a Theme setting for their accounts. There, they can select from predefined colour schemes to apply to EclecticIQ Intelligence Center when they log in.

Administrators can disable this option for users, and override the theme for all users in Settings > General > Edit settings.

Readability improvements, font change#

This release brings changes to how text is displayed on EclecticIQ Intelligence Center, with an application-wide font change and general readability improvements.

Improvements#

  • Increased maximum number of observables allowed for selection in entity view to 500

    In the Observables tab of an open entity, the UI displays a Select all X items option when more observables are connected to that entity than are displayed.

    If X was more than 200, selecting Select all X items displayed an error saying that you cannot select more than 200 observables from this view. This limit has now been increased to 500 observables.

Fixes#

  • Mini-graph in neighborhood tab encounters “Error while loading” error

    Fixed issue where some mini-graphs in the neighborhood tab of entities or observables would not load.

  • Attachments were broken when creating reports with attachments directly in graphs

    Only occurs when EclecticIQ Labs: Intelligence creation on graph is enabled. Fixed issue where attachments were missing in reports that were created directly in graphs.

  • Delete outgoing feed can timeout

    Fixed issue where deleting an outgoing feed can fail due to a timeout. Deleting an outgoing feed is now a background task.

  • Memory leak in ingestion workers

    Fixed issue where ingestion workers had a memory leak.

  • Editing tags for multiple entities in Browse view fails

    Fixed issue where editing tags for multiple selected entities in Search > Go to search and browse > Entities would fail.

  • [Public API] Too-strict validation of entity IDs

    Fixed issue where submitting valid STIX 2.1 IDs as entity IDs would result in Error 400 responses.

  • [Public API] Inconsistencies and vague error message for too-large ‘offset’ parameter

    When using the limit and offset query parameters to page results, users would encounter an error when the sum of the offset and limit values was too large. The maximum allowed sum of the offset and limit query parameter values is now set to 10000 by default.

    If the sum of offset and limit is too large, the error response returned is now more informative.
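The paging rule above, as an added example rather than EclecticIQ code: a server-side validator that rejects offset + limit above the cap with an error that says what was exceeded, and a client-side planner that never asks for a window past the cap. The 10000 default is the figure from the release notes; the error shape, the `max_sum` parameter and the assumption that the cap is configurable are mine.

```python
"""Guarding limit/offset paging against an offset cap.

Added example, not EclecticIQ code. It mirrors the rule described in the
release notes (offset + limit may not exceed 10000 by default) on both sides:
a server-side validator that returns an informative error instead of a vague
one, and a client-side planner that never requests a window past the cap.
The error shape and the assumption that the cap is configurable are mine.
"""
from typing import Iterator, Tuple

MAX_OFFSET_PLUS_LIMIT = 10000  # default cap stated in the release notes


class PagingError(ValueError):
    """Carries an HTTP status and a message a caller can act on."""

    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status
        self.message = message


def validate_paging(offset: int, limit: int,
                    max_sum: int = MAX_OFFSET_PLUS_LIMIT) -> Tuple[int, int]:
    """Return (offset, limit) unchanged if acceptable, else raise PagingError."""
    if offset < 0 or limit <= 0:
        raise PagingError(
            400, f"offset must be >= 0 and limit > 0 (got offset={offset}, limit={limit})")
    if offset + limit > max_sum:
        # Say what was exceeded and by how much, so the client can correct itself.
        raise PagingError(
            400,
            f"offset + limit = {offset + limit} exceeds the maximum of {max_sum}; "
            f"reduce offset or limit, or narrow the query so fewer results are needed")
    return offset, limit


def page_windows(page_size: int,
                 max_sum: int = MAX_OFFSET_PLUS_LIMIT) -> Iterator[Tuple[int, int]]:
    """Yield (offset, limit) pairs that walk up to the cap without crossing it.

    The final window is clamped so that offset + limit == max_sum exactly; a
    client that needs results beyond the cap has to narrow its query instead.
    """
    if page_size <= 0:
        raise ValueError("page_size must be positive")
    offset = 0
    while offset < max_sum:
        limit = min(page_size, max_sum - offset)
        yield offset, limit
        offset += limit


if __name__ == "__main__":
    for off, lim in page_windows(4000):
        validate_paging(off, lim)  # every planned window passes the server check
        print(f"offset={off} limit={lim}")
```

The clamped last window is the point: a client that pages in fixed steps of 4000 would otherwise request offset=8000, limit=4000 and hit the cap with the old, vague error.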

Known issues#

  • Changes are lost if, while creating a new entity, the entity fails to publish

    While creating a new entity, if the entity fails to save when selecting Publish, the work-in-progress entity can be lost. To avoid this, select Save draft to save a draft before selecting Publish.

  • Queries that depend on an ATT&CK ID or name that has changed in v12 may fail

    MITRE ATT&CK classifications that have been renamed or relocated (ATT&CK ID has changed) in ATT&CK v12 will no longer be searchable by their older names or ID. Queries (e.g. used in Dynamic Datasets) that depend on an ATT&CK ID or name that has changed in v12 may fail because of this.

  • TLPs applied to relationship objects are not affected by TLP filters

    You can now add TLP colors to relationship objects. However, you cannot use TLP colors with TLP filters yet.

  • Selecting TLP in entity view to override it does not apply to exports

    Edit the entity to change its TLP, or override TLPs at feed level instead.

  • Certain entities added in 3.0 and newer will cause a STIX 1.2 outgoing feed to fail

    Including certain entities in an outgoing feed using the STIX 1.2 content type will cause the feed to fail. Entities affected: Location, Identity, and Malware Analysis.

  • Certain entities added in 3.0 and newer display an option to export as STIX 1.2, but cannot

    Nothing happens when Export > STIX 1.2 is selected for Location, Identity, and Malware Analysis entities. These entity types are not compatible with STIX 1.2 exports.

  • Exploit Target entities with references can create an invalid STIX 2.1 bundle on export

    Exploit Target entities have an optional Vulnerability characteristic where you can set additional information. When an Exploit Target has References set in the Vulnerability characteristic, exporting to STIX 2.1 by default sets the type of these references to CVE, which produces an invalid STIX 2.1 bundle if the references are not valid CVE-IDs.

  • STIX 2.1 for outgoing feeds: TLP override and filtering has side-effects

    See STIX 2.1 Known issues for a list of known issues.

  • When deleting content of an incoming feed, deleted observables are not included in the count of deleted objects.

  • Using STIX 2.1 content type to transmit data from one EclecticIQ Intelligence Center instance to another generates duplicates

    When using the STIX 2.1 content type to send intelligence from one EclecticIQ Intelligence Center instance (Instance A) to another (Instance B), any updates to entities on Instance A that have already been sent to Instance B result in duplicate entities being sent to Instance B instead of updating the existing entities there.

  • When upgrading from 2.14 to 3.0, entities with certain fields that contain null values may cause database migrations to fail

    In rare instances when upgrading from EclecticIQ Intelligence Center 2.14 to 3.0, older entities with null values in certain fields that don’t expect it may cause the database migration to fail, due to stricter validation of entity schemas. If this occurs, do not continue. Save the trace log and contact customer support for assistance to remediate.

  • Delete observable actions in policies may cause policies to run for excessively long periods of time.

    As of 2.12.0, Delete observable actions are skipped by default to allow policies to run more reliably.

  • Elasticsearch 7 encounters “Data too large” errors: See Elasticsearch 7: “Data too large”.

  • Systemd splits log lines exceeding 2048 characters into 2 or more lines.

    As a result, log lines exceeding 2048 characters become invalid JSON, causing Logstash to be unable to parse them correctly.

  • When more than 1000 entities are loaded on the graph, you cannot load related entities and observables by selecting Load entities, Load observables, or Load entities by observable from the context menu.

  • When creating groups in the graph, it is not possible to merge multiple groups into one.

  • If an ingestion process crashes while ingestion is still ongoing, data may not always sync to Elasticsearch.

  • Users can leverage rules to access groups that act as data sources, even if those users are not members of the groups they access through rules.

  • Running multiple outgoing feed tasks may cause the Intelligence Center to consume a large amount of memory over time, because certain outgoing feeds such as HTTP download must load the data into memory in order to make it available to feed consumers.
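The systemd line-splitting issue above, as an added example that is not part of the product or of Logstash: a pre-filter that detects lines which look like the first piece of a split JSON record and stitches consecutive fragments back into one parseable record. The sample lines are constructed to imitate a record longer than 2048 characters split in two; the 2048 figure comes from the release notes, and the bound on how many fragments may be joined is my own choice.

```python
"""Detecting and re-joining JSON log records split by the journal.

Added example, not part of the product or of Logstash. The release notes say
systemd splits log lines longer than 2048 characters, so a one-object-per-line
JSON log can arrive as fragments that are each invalid JSON. The sample lines
below are constructed to imitate that; the 2048 figure comes from the notes.
"""
import json
from typing import Any, Dict, List, Tuple

JOURNAL_LINE_LIMIT = 2048  # split point reported in the release notes


def rejoin_split_json(lines: List[str], max_fragments: int = 8
                      ) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Parse JSON-per-line logs, stitching consecutive fragments back together.

    Returns (records, unparseable). A line that fails to parse is concatenated
    with the lines that follow it until the result parses or max_fragments is
    reached; the bound limits how many following lines one genuinely corrupt
    line can absorb before it is reported and parsing resumes.
    """
    records: List[Dict[str, Any]] = []
    unparseable: List[str] = []
    i = 0
    while i < len(lines):
        buf = lines[i]
        consumed = 1
        while True:
            try:
                records.append(json.loads(buf))
                break
            except json.JSONDecodeError:
                if consumed >= max_fragments or i + consumed >= len(lines):
                    unparseable.append(buf)
                    break
                buf += lines[i + consumed]
                consumed += 1
        i += consumed
    return records, unparseable


def suspected_splits(lines: List[str], limit: int = JOURNAL_LINE_LIMIT) -> List[int]:
    """Indexes of lines that look like the first piece of a split record:
    exactly `limit` characters long and not valid JSON on their own."""
    out: List[int] = []
    for idx, line in enumerate(lines):
        if len(line) == limit:
            try:
                json.loads(line)
            except json.JSONDecodeError:
                out.append(idx)
    return out


def constructed_sample() -> List[str]:
    """Two normal records around one ~3 kB record, split the way systemd would."""
    normal = json.dumps({"level": "INFO", "msg": "ingestion worker started"})
    long_record = json.dumps({"level": "ERROR", "msg": "x" * 3000})
    fragments = [long_record[i:i + JOURNAL_LINE_LIMIT]
                 for i in range(0, len(long_record), JOURNAL_LINE_LIMIT)]
    return [normal] + fragments + [normal]


if __name__ == "__main__":
    sample = constructed_sample()
    print("suspected split at line indexes:", suspected_splits(sample))
    recs, bad = rejoin_split_json(sample)
    print(f"{len(recs)} records recovered, {len(bad)} unparseable")
```

`suspected_splits` is the cheap detection signal (a line of exactly the journal limit that does not parse); `rejoin_split_json` is the repair, and anything it reports as unparseable deserves a look rather than silent dropping.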
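Two items above concern identifier checks: the Public API fix for valid STIX 2.1 IDs being rejected with a 400, and the known issue where Exploit Target references are typed as CVE on export and yield an invalid bundle when they are not CVE-IDs. As an added example, not EclecticIQ code, the block below implements a spec-faithful STIX 2.1 identifier check and a pre-export check that separates CVE-IDs from other references. The release notes do not say what the product's own validation looks like; the grammar here is the STIX 2.1 identifier format and the CVE-ID syntax, and the sample IDs are constructed.

```python
"""Checking identifiers before they reach a STIX 2.1 import or export.

Added example, not EclecticIQ code. It covers two release-note items: the
Public API fix for valid STIX 2.1 IDs being rejected with a 400, and the known
issue where Exploit Target references are typed as CVE on export and produce
an invalid bundle when they are not CVE-IDs. The notes do not say what the
product's own checks look like; these follow the STIX 2.1 identifier grammar
and the CVE-ID syntax, and the sample IDs are constructed.
"""
import re
import uuid
from typing import Dict, List

# STIX 2.1 object type: lowercase ASCII letters, digits and hyphens, 3-250 chars.
STIX_TYPE = re.compile(r"^[a-z0-9][a-z0-9-]{1,248}[a-z0-9]$")
# CVE-ID: 'CVE-' + four-digit year + sequence of at least four digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_stix21_id(value: str) -> bool:
    """True for '<type>--<uuid>' in canonical lowercase form, any UUID version.

    STIX 2.1 recommends UUIDv4 and uses UUIDv5 for deterministic cyber
    observable IDs, so a check that insists on v4 alone is too strict.
    """
    obj_type, sep, uid = value.rpartition("--")
    if not sep or not STIX_TYPE.match(obj_type):
        return False
    try:
        parsed = uuid.UUID(uid)
    except ValueError:
        return False
    # uuid.UUID also accepts braces, URN prefixes and uppercase; require canonical.
    return str(parsed) == uid


def is_cve_id(value: str) -> bool:
    """True for a syntactically valid CVE-ID such as CVE-<year>-<seq>."""
    return bool(CVE_ID.match(value))


def check_exploit_target_references(refs: List[str]) -> Dict[str, List[str]]:
    """Partition Vulnerability references into CVE-IDs and everything else.

    Anything under 'other' would be mis-typed as CVE by the default STIX 2.1
    export and should be corrected or exported another way first.
    """
    result: Dict[str, List[str]] = {"cve": [], "other": []}
    for ref in refs:
        result["cve" if is_cve_id(ref.strip()) else "other"].append(ref)
    return result


if __name__ == "__main__":
    # constructed sample references, not statements about real vulnerabilities
    sample_refs = ["CVE-2023-12345", "CVE-2014-123456", "BID-12345", "cve-2023-1"]
    print(check_exploit_target_references(sample_refs))
    print(is_stix21_id("indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"))
```

Running `check_exploit_target_references` over an entity's references before an export tells you up front which Exploit Targets would produce an invalid bundle, instead of discovering it downstream in a consumer that rejects the feed.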

Public API compatibility#

From EclecticIQ Intelligence Center 2.12.0 onward, the public API is packaged together with EclecticIQ Intelligence Center.

The following reference table lists the versions of the public API package and EclecticIQ Intelligence Center versions they are compatible with:

Intelligence Center version(s), the compatible public API package version(s), and the public API version:

  • 2.11 - 2.12: eclecticiq-extension-api==1.0.* (Public API v1)

  • 2.13.0: eclecticiq-extension-api==1.* (Public API v1)

  • 2.14.0 and newer: now follows the EclecticIQ Intelligence Center versioning scheme. E.g., EclecticIQ Intelligence Center 2.14 is compatible with eclecticiq-extension-api==2.14.* (Public API v1)

  • 3.0.0 and newer: EclecticIQ Intelligence Center 3.0 and newer uses Public API v2 and follows the EclecticIQ Intelligence Center versioning scheme. E.g., EclecticIQ Intelligence Center 3.0.2 is compatible with eclecticiq-extension-api==3.0.*, EclecticIQ Intelligence Center 3.1.0 is compatible with eclecticiq-extension-api==3.1.*, and so on. (Public API v2)

Download#

For more information about setting up repositories, refer to the installation documentation for your target operating system.

EclecticIQ Intelligence Center and dependencies for Rocky Linux and RHEL

  • Platform packages: https://downloads.eclecticiq.com/platform-packages-centos/

  • Platform dependencies: https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/

    Note

    The Intelligence Center dependencies URL for versions 2.9 and later is https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/. It contains packages that are incompatible with versions 2.8 and earlier.

EclecticIQ Intelligence Center extensions

  • Platform extensions: https://downloads.eclecticiq.com/Extensions/

Upgrade#

The diagram below describes upgrade paths for EclecticIQ Intelligence Center. See the following for upgrade instructions:

In order to upgrade to EclecticIQ Intelligence Center 3.0, you must:

  • Be running one of the supported operating systems.

    See Upgrade operating system.

  • Upgrade from EclecticIQ Intelligence Center 2.14.

    If you are running an older version of EclecticIQ Intelligence Center, you must upgrade to 2.14 before attempting to upgrade to EclecticIQ Intelligence Center 3.0.

    See Install Configure Upgrade.

Upgrade diagram#