Release notes 3.4.0

Product	EclecticIQ Intelligence Center
Release version	3.4.0
Release date	July 2024
Time to upgrade	~40 minutes to upgrade an instance with 2.67 million entities, 1.85 million observables. From the previous release Using the installation script For an instance running on one machine
Time to migrate	For an instance with 2.67 million entities, 1.85 million observables: PostgreSQL migration: 13m30s Elasticsearch migration: 18m40s

Important: IC 3.4.0 and 3.4.1 affected by Kibana vulnerability (CVE-2024-37285)

Vulnerability without mitigation

As we communicated in EIQ-2024-0002, the Kibana version packaged with Intelligence Center (IC) version 3.4.0 and 3.4.1 is vulnerable to arbitrary code execution via YAML deserialization.

We therefore advise you not to upgrade to 3.4.0 or 3.4.1 at this time.

Please keep an eye on the EIQ-2024-0002 Security Advisory to learn when a mitigation has been found.

Highlights

EclecticIQ Intelligence Center 3.4 marks a major leap forward in our Threat Intelligence Platform, offering both continuity and state-of-the-art innovation. This release supercharges intelligence operations with powerful AI features, new tools for MITRE ATT&CK analysis, and a host of exciting new developments designed to empower users with real-time alerts, data-driven decision-making, increased operational efficiency, and improved collaboration

We’ve developed our AI provider configuration so you can seamlessly integrate with the latest large language models (LLMs). This provides the flexibility of choosing a specific LLM for every AI function as your natural language processing needs evolve. The AI-powered natural language search enables you to easily create search queries in multiple languages without learning new querying syntax to yield results, saving you valuable time in gathering relevant intelligence. Additionally, our AI writing assistant helps produce high-quality intelligence reports, freeing your time up to focus on critical analysis instead of manual editing.

The new ATT&CK analysis tools let you interactively navigate the ATT&CK matrix, build heatmaps that visualize TTP trends, and identify potential threat hotspots instantly. This means more accurate threat management and data-driven decision-making for prioritizing threat detection and mitigation. We’ve also updated the framework to the latest version (v.15.1) and expanded support to include Mobile and ICS matrices.

The other developments further enhance efficiency, prioritization, and collaboration. Extended STIX 2.1 support with the collaborative Note entity type enables seamless sharing of insights, while the Keyword-based watchlist offers precise monitoring and alerting. Users can now save and reuse relational search queries for faster data access, and extract intelligence from DOCX files without conversion. Improved file deletion via the UI declutters your workspace, and filtering and searching attachments help prioritize critical information. By executing Bulk actions, you streamline your workflows, while the Observable extraction opt-in and hiding External references enable you to conduct more focused and efficient analysis.

We’re excited for you to explore these innovations and trust they will greatly elevate your threat intelligence operations.

Important: Upgrade operating system

Upgrade operating system

To run EclecticIQ Intelligence Center 3.0.0 and newer, upgrade to one of these supported operating systems:

• Rocky 8, learn how to upgrade

• RHEL 8, learn how to upgrade

Important: eclecticiq-extension-commons package is deprecated

Caution

Only affects users who develop or customize EclecticIQ Intelligence Center extensions.

eclecticiq-extension-commons was deprecated in release 3.3, and has been removed in release 3.4.

If you have written your own extension, or modified an existing extension, that extension may contain references to the eclecticiq-extension-commons package.

In particular, if your extension:

• depends on eclecticiq-extension-commons

• imports from extension.common

Use our migration guide to remove or change those references in your extension before upgrading to the upcoming release 3.4.

What’s new

AI features

Our 3.4 release is a serious venture into offering embedded AI features where you need them, when you need them. The provider configuration lays the groundwork and offers customizability, with the AI-powered search and writing assistant the new contextual features.

AI-powered search

With AI-powered search, you’ll spend less time crafting search queries and more time on analysis. Now, you can enter a natural language search question instead of a search query, and the AI-powered search generates a query for you.

See our AI-powered search documentation. to learn more.

Writing assistant

With the writing assistant, every rich text field (such as the Analysis field on entities or the Summary field on Reports) becomes enhanced. Use the writing assistant to enhance existing text, or prompt it to generate new text.

See our AI writing assistant documentation to learn more.

Provider configuration

All AI features require you to configure an AI provider.

See our AI writing assistant documentation to get started.

MITRE ATT&CK updates

MITRE ATT&CK on EclecticIQ Intelligence Center has been updated:

• MITRE ATT&CK v15.1

• Now includes MITRE ATT&CK Enterprise, Mobile, and ICS matrices.

This release also adds the ATT&CK Analysis feature. Use it to build heat maps that help you assess the TTP trends in your data and see potential threat hot spots in the blink of an eye.

To get started, see the MITRE ATT&CK Analysis documentation.

Note entity

We’ve added the Note entity type. This entity type allows you to record thoughts and insights on entities that you don’t yet want to commit to a Report or an entity itself, but that you do want to make part of further analysis.

Improvements

Managing file uploads

When uploading files with + > Upload, you can now:

• Upload DOCX files

• Delete uploaded files.

Relational Search in dataset

Dynamic datasets now allow you to use the relational search query UI to write queries.

Improved bulk actions

From this release forward, in an entity table (such as Search > Go to Search and browse), selecting the checkbox in the top-left corner will select all the currently filtered items, not just the ones on the visible page.

Entity tables, such as the ones showing entities in Discovery, Exposure, or a Dataset, also allow you to change the TLP and Confidence of the selected entities in bulk.

Opt-in observable extraction

The Skip extraction of observables option when creating new incoming feeds or uploading files is replaced with Extract observables from unstructured text, and is disabled by default.

This switches the default behavior of incoming feeds and uploaded files so that they do not extract observables from an ingested entity’s unstructured text fields.

Keeping this option unchecked significantly reduces the number of observables ingested, and lowers the incidence of hot spots in your Intelligence Center.

Existing incoming feeds configurations are not are not impacted by this change.

External References not shown by default in search

By default, External References won’t be shown in search results, on graphs, or on the Neighborhood tab anymore.

You can still have External References be shown by selecting the toggle.

New filters in Search and Browse

When viewing entities in Search and Browse , you now have these options:

• In the Entities tab, use the Filter menu to display only entities that:

  • have Attachments

  • Are directly related to Note entities

• In the Observables tab, use the Filter menu to display only observables directly related to Note entities.

• Search for entities with attachments by adding _exists_:"attached_files" to your query.

Keyword watchlist

When creating Discovery rules, you can now create a watchlist of keywords to base the discovery on. The list will be run deduplicated and is case-insensitive.

Fixes

• Removed the JSON table from the Entity view.

• Moved system status badge indicator from “System settings” to “User profile”.

• Issue where empty rules could be saved or enabled. Existing rules are not modified. New rules cannot be saved or enabled if empty.

• Issue where entity rules that convert old entities to new STIX 2.1-based entity types did not work as expected.

• Improved ingestion performance when there is a large queue of ingestion jobs.

• Issue where count of permissions in the UI does not match actual permission count.

• Issue where the data mapping templates could not be opened due to invalid data mapping templates imported from an older IC version.

• Issue where rules inadvertently become unavailable for non-administrators.

• Issue where opening a retention policy detail pane can trigger unrelated errors in logs.

• Issue where valid Active Directory credentials could not be used to log into an IC instance with a valid external authentication configuration.

• In the feed download status of an incoming feed, “Data request running time” in the status view is now named “Fetched Data Range” and now displays the range of data fetched by that particular feed download task.

• Issue where saving feed schedule for “Every hour, [n] minutes past the hour” with 0 (zero) minutes past would result in an error.

• Issue where non-administrators would not be able to update a graph that contains objects that belong to sources that they are not granted permissions for.

• Issue where queries and filters may get an observable but with an outdated maliciousness classification.

Security improvements

• Minor hardening of web server rules.

Known issues

Changes and Known issues with TAXII 2.1

Performance fixes for TAXII 2.1 in Intelligence Center 3.3.1 introduced changes and known issues to the TAXII 2.1 server.

For more information, see TAXII 2.1.

• Broken Discovery page
  A bug prevents the Discovery page from loading.
  This issue is mitigated in the upcoming 3.4.1 release.

• Adding Tags to graph Entities causes crash
  Selecting Entities on a graph and trying to add a Tag to them causes the Graph to fail.
  This issue is mitigated in the upcoming 3.4.1 release.

• Retention policies and Outgoing and Incoming feeds display the user’s timezone, but excute as if the entered time were in UTC.
  Treat any times set or encountered while configuring these feeds and policies as UTC.

• When adding intelligence to a Graph from Discovery, the table includes intelligence from outside of Discovery.
  If the Graph you want to add Entities from Discovery to already exists, you can instead use Bulk actions in Discovery to make sure you’re not adding Entities from outside of Discovery to the Graph.

• Relationships created through Graphs aren’t assigned the default TLP if the Source entity was also created on the graph.
  Be sure to assign the required TLP to the Relationship manually.

• When External references are hidden, the counts given for filters still include these references.
  

• In Search and browse, when using Bulk actions to create a new Indicator or Sighting entity and add the selected Observables it, only two hunderd Observables are added. Be sure to portion out the Observables when using Bulk actions to add to an Indicator or Sighting entity.

• Data tables such as those on Observables’ Neighborhood tab can’t be sorted.
  

• Going to the Observables tab of an Entity, selecting Observables, and selecting Remove from Entity does not work.
  

Public API compatibility

From EclecticIQ Intelligence Center 2.12.0 onward, the public API is packaged together with EclecticIQ Intelligence Center.

The following reference table lists the versions of the public API package and EclecticIQ Intelligence Center versions they are compatible with:

Intelligence Center version(s)	Public API package version(s)	Public API version
2.11 - 2.12	eclecticiq-extension-api==1.0.*	v1
2.13.0	eclecticiq-extension-api==1.*	v1
2.14.0 and newer	Now follows EclecticIQ Intelligence Center versioning scheme. E.g., EclecticIQ Intelligence Center 2.14 is now compatible with eclecticiq-extension-api==2.14.*	v1
3.0.0 and newer	EclecticIQ Intelligence Center 3.0 and newer uses Public API v2. Follows EclecticIQ Intelligence Center versioning scheme. E.g., EclecticIQ Intelligence Center 3.0.2 is compatible with eclecticiq-extension-api==3.0.*, EclecticIQ Intelligence Center 3.1.0 is compatible with eclecticiq-extension-api==3.1.*, etc.	v2

Download

For more information about setting up repositories, refer to the installation documentation for your target operating system.

EclecticIQ Intelligence Center and dependencies for Rocky Linux and RHEL	Platform packages: https://downloads.eclecticiq.com/platform-packages-centos/ Platform dependencies: https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/ Note The Intelligence Center dependencies URL for versions 2.9 and later is https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/. It contains packages that are incompatible with versions 2.8 and earlier.
EclecticIQ Intelligence Center extensions	Platform extensions: https://downloads.eclecticiq.com/Extensions/

Upgrade

The diagram below describes upgrade paths for EcelcticIQ Intelligence Center. See the following for upgrade instructions:

• Upgrade EclecticIQ Intelligence Center on Rocky Linux

• Upgrade EclecticIQ Intelligence Center on RHEL

In order to upgrade to EclecticIQ Intelligence Center 3.0, you must:

• Be running one of the supported operating systems.

  See Important: Upgrade operating system.

• Upgrade from EclecticIQ Intelligence Center 2.14.

  If you are running an older version of EclecticIQ Intelligence Center, you must upgrade to 2.14 before attempting to upgrade to EclecticIQ Intelligence Center 3.0.

  See Install Configure Upgrade.

Upgrade diagram