Release notes 3.2.0#

Product

EclecticIQ Intelligence Center

Release version

3.2.0

Release date

Dec 2023

Time to upgrade

~40 minutes to upgrade an instance with 2.67 million entities, 1.85 million observables.

  • From the previous release

  • Using the installation script

  • For an instance running on one machine

Time to migrate

For an instance with 2.67 million entities, 1.85 million observables:

  • PostgreSQL migration: 13m30s

  • Elasticsearch migration: 18m40s

Highlights#

Important: Upgrade operating system#

Important

EclecticIQ Intelligence Center 3.0.0 and newer requires one of these supported operating systems:

  • Red Hat Enterprise Linux 8

  • Rocky Linux 8

If you are using an older operating system such as CentOS 7 or RHEL 7, you must upgrade your operating system to one of the supported operating systems before attempting to install EclecticIQ Intelligence Center 3.0.

See:

What’s new#

Elasticsearch 8, PostgreSQL 14#

This release adds support for Elasticsearch 8 and PostgreSQL 14. When you upgrade EclecticIQ Intelligence Center to 3.2.0 using the Installation playbooks 3.x, the playbooks automatically manage these upgrades:

  • from Elasticsearch 7 to Elasticsearch 8

  • from PostgreSQL 11 to PostgreSQL 14

Retention policies: new and improved#

This release adds these policy actions:

  • Delete incoming feed packages action acts on incoming feeds to remove downloaded packages (blobs) from an incoming feed. This does not remove entities and observables already ingested by an incoming feed. Downloaded packages are saved so that users can inspect or reprocess these packages if needed, and are safe to remove.

  • Delete outgoing feed packages action acts on outgoing feeds to remove created packages (content blocks). This removes all packages available for download from a given outgoing feed. This affects outgoing feeds differently, depending on the update strategy selected, and whether the outgoing feed runs by pushing data to an external destination, or waits for an external service to poll and request data from it.

Updates these policy actions:

  • Delete observables and related entities option has been re-added as an Action. When this policy action is run, it deletes observables, their directly related entities, and any other observables that those entities are exclusive relations to.

For more information, see Create data policies

Improved CSV manual upload and incoming feed#

CSV manual uploads and the Advanced CSV incoming feed now have:

  • Data mapping, which allow you to create and save CSV-to-EclecticIQ mappings;

  • New UI for manual uploads.

Requires read/modify csv-mappings permissions. See EclecticIQ Intelligence Center permissions.

For more information, see Data mapping templates.

Outgoing feeds now allow setting per-feed package size#

Per-feed package sizes can be set for outgoing feeds. You can now set the maximum number of entities and relations per package in the Advanced settings of each outgoing feed. Each time an outgoing feed runs, it creates one or more packages for distribution. By default, these packages have a maximum of 25 entities and 125 relations, and are set globally in platform_settings.py. Now, you can override this default per outgoing feed.

For more information, see Create and configure outgoing feeds.

Improved incoming and outgoing feed settings#

Simplified UI for feed configuration. The UI for creating and editing both incoming and outgoing feeds is now simpler, reducing the time and effort for setting up a feed. Options that are most commonly used are closer to the top of the feed configuration view, and less commonly used options and options with defaults are now found under Show/Hide advanced options in feed configuration.

Important

The following defaults for feeds have changed:

  • Outgoing feeds

    • When creating new outgoing feeds, now does not include observables with Safe and Unknown observable states by default. Modify the Include/Exclude observable states option to change this.

  • Incoming and outgoing feeds

    • Default schedules have changed from None to the 1st of every month.

For more information, see Create and configure incoming feeds.

New UI for selecting MITRE ATT&CK classifications#

Adding and editing MITRE ATT&CK classifications for individual entities now has a new UI. To use the new UI, select + ATT&CK classification in the entity view when creating or editing an entity.

../../_images/mitre-attack-select-ui-320.png

Data configuration is now a vertical menu#

Data configuration is now a vertical collaspsible menu, giving you more control over your horizontal screen space.

Better readability in entity view#

Headings and content are more distinct and readable when viewing, creating, and editing entities.

Improvements#

  • Ansible playbooks have been significantly improved.

    See Installation playbooks 3.x.

  • Public API improvements

    • Reports retrieved with GET /entities now lists linked observables.

    • You can now filter reports with a query like GET /entities?filter[data.type]=report&filter[&data.title]='*elephan stomps*'.

      • Now available for &data.title and &data.description filters.

      • A single request can filter by either &data.title or &data.description, but not both at the same time.

  • Relational query improvements

  • General UI improvements

    • Improved consistency in visual and interactive experience across EclecticIQ Intelligence Center.

Fixes#

Fixed issues where:

  • Date and time could only be displayed as MM/DD/YYYY instead of allowing locale-specific date time formats.

  • Enrichers could not be updated without re-entering the API key or password for that enricher configuration.

  • PUT /entities requests using a payload with a filled id field causes a HTTP 500 error.

  • TAXII 2.1 feeds had slow performance.

  • TAXII 2.1 incoming feed can fail with a HTTP 404 error if it cannot resolve references. Now allows unresolved references.

  • HTML report content types for outgoing feeds create links that cannot be clicked on in Microsoft Edge, because of an encoding issue.

  • Viewing end editing outgoing feeds is slow.

  • Deleted taxonomies were visible when attempting to filter visible objects in graphs.

  • Deleting an outgoing feed could time out and fail.

Known issues#

  • Changes are lost if, while creating a new entity, the entity fails to publish

    While creating a new entity, if the entity fails to save when selecting Publish, the work-in-progress entity can be lost. To avoid this, select Save draft to save a draft before selecting Publish.

  • Queries that depend on an ATT&CK ID or name that has changed in v12 may fail

    MITRE ATT&CK classifications that have been renamed or relocated (ATT&CK ID has changed) in ATT&CK v12 will no longer be searchable by their older names or ID. Queries (e.g. used in Dynamic Datasets) that depend on an ATT&CK ID or name that has changed in v12 may fail because of this.

  • TLPs applied to relationship objects are not affected by TLP filters

    You can now add TLP colors to relationship objects. However, you cannot use TLP colors with TLP filters yet.

  • Selecting TLP in entity view to override it does not apply to exports

    Edit the entity to change its TLP, or override TLPs at feed level instead.

  • Certain entities added in 3.0 and newer will cause a STIX 1.2 outgoing feed to fail

    Including certain entities in an outgoing feed using the STIX 1.2 content type will cause the feed to fail. Entities affected: Location, Identity, and Malware Analysis.

  • Certain entities added in 3.0 and newer display an option to export as STIX 1.2, but cannot

    Nothing happens when Export > STIX 1.2 is selected for Location, Identity, and Malware Analysis entities. These entity types are not compatible with STIX 1.2 exports.

  • Exploit Target entities with references can create an invalid STIX 2.1 bundle on export

    Exploit Target entities have an optional Vulnerability characteristic where you can set additional information. When an Exploit Target with References set in the Vulnerability characteristic, exporting to STIX 2.1 by default sets the type of these references to CVE, which causes an invalid STIX 2.1 bundle to be created if the set references are not valid CVE-IDs.

  • STIX 2.1 for outgoing feeds: TLP override and filtering has side-effects

    See STIX 2.1 Known issues for a list of known issues.

  • When deleting content of an incoming feed, deleted observables are not included in the count of deleted objects.

  • Using STIX 2.1 content type to transmit data from one EclecticIQ Intelligence Center instance to another generates duplicates

    When using the STIX 2.1 content type to send intelligence from one EclecticIQ Intelligence Center instance (Instance A) to another (Instance B), any updates to entities on Instance A that has already been sent to Instance B will result in duplicate entities being sent to Instance B instead of updating existing entities there.

  • When upgrading from 2.14 to 3.0, entities with certain fields that contain null values may cause database migrations to fail

    In rare instances when upgrading from EclecticIQ Intelligence Center 2.14 to 3.0, older entities with null values in certain fields that don’t expect it may cause the database migration to fail, due to stricter validation of entity schemas. If this occurs, do not continue. Save the trace log and contact customer support for assistance to remediate.

  • Delete observable actions in policies may cause policies to run for excessively long periods of time.

    As of 2.12.0, Delete observable actions are skipped by default to allow policies to run more reliably.

  • Elasticsearch 7 encounters “Data too large” errors: See Elasticsearch 7: “Data too large”.

  • Systemd splits log lines exceeding 2048 characters into 2 or more lines.

    As a result, log lines exceeding 2048 characters become invalid JSON, causing Logstash to be unable to parse them correctly.

  • When more than 1000 entities are loaded on the graph, you cannot load related entities and observables by selecting Load entities, Load observables, or Load entities by observable from the context menu.

  • When creating groups in the graph, it is not possible to merge multiple groups into one.

  • If an ingestion process crashes while ingestion is still ongoing, data may not always sync to Elasticsearch.

  • Users can leverage rules to access groups that act as data sources, even if those users are not members of the groups they access through rules.

  • Running multiple outgoing feed tasks may cause the Intelligence Center to consume a large amount of memory over time, because certain outgoing feeds such as HTTP download must load the data into memory in order to make it available to feed consumers.

Public API compatibility#

From EclecticIQ Intelligence Center 2.12.0 onward, the public API is packaged together with EclecticIQ Intelligence Center.

The following reference table lists the versions of the public API package and EclecticIQ Intelligence Center versions they are compatible with:

Intelligence Center version(s)

Public API package version(s)

Public API version

2.11 - 2.12

eclecticiq-extension-api==1.0.*

v1

2.13.0

eclecticiq-extension-api==1.*

v1

2.14.0 and newer

Now follows EclecticIQ Intelligence Center versioning scheme.

E.g., EclecticIQ Intelligence Center 2.14 is now compatible with eclecticiq-extension-api==2.14.*

v1

3.0.0 and newer

EclecticIQ Intelligence Center 3.0 and newer uses Public API v2.

Follows EclecticIQ Intelligence Center versioning scheme.

E.g., EclecticIQ Intelligence Center 3.0.2 is compatible with eclecticiq-extension-api==3.0.*, EclecticIQ Intelligence Center 3.1.0 is compatible with eclecticiq-extension-api==3.1.*, etc.

v2

Download#

For more information about setting up repositories, refer to the installation documentation for your target operating system.

EclecticIQ Intelligence Center and dependencies for Rocky Linux and RHEL

  • Platform packages: https://downloads.eclecticiq.com/platform-packages-centos/

  • Platform dependencies: https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/

    Note

    The Intelligence Center dependencies URL for versions 2.9 and later is https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/. It contains packages that are incompatible with versions 2.8 and earlier.

EclecticIQ Intelligence Center extensions

  • Platform extensions: https://downloads.eclecticiq.com/Extensions/

Upgrade#

The diagram below describes upgrade paths for EcelcticIQ Intelligence Center. See the following for upgrade instructions:

In order to upgrade to EclecticIQ Intelligence Center 3.0, you must:

  • Be running one of the supported operating systems.

    See Important: Upgrade operating system.

  • Upgrade from EclecticIQ Intelligence Center 2.14.

    If you are running an older version of EclecticIQ Intelligence Center, you must upgrade to 2.14 before attempting to upgrade to EclecticIQ Intelligence Center 3.0.

    See Install Configure Upgrade.

Upgrade diagram

Upgrade diagram#