Maintenance release 3.4.1

Product: EclecticIQ Intelligence Center

Release version: 3.4.1

Release date: August 2024

Time to upgrade: ~40 minutes to upgrade an instance with 2.67 million entities and 1.85 million observables, measured:

  • From the previous release

  • Using the installation script

  • For an instance running on one machine

Time to migrate: for an instance with 2.67 million entities and 1.85 million observables:

  • PostgreSQL migration: 13m30s

  • Elasticsearch migration: 18m40s

Important: IC 3.4.0 and 3.4.1 affected by Kibana vulnerability (CVE-2024-37285)

Vulnerability without mitigation

As we communicated in EIQ-2024-0002, the Kibana version packaged with Intelligence Center (IC) versions 3.4.0 and 3.4.1 is vulnerable to arbitrary code execution via YAML deserialization.

We therefore advise you not to upgrade to 3.4.0 or 3.4.1 at this time.

Please keep an eye on the EIQ-2024-0002 Security Advisory to learn when a mitigation has been found.

Important: Upgrade operating system

Important

EclecticIQ Intelligence Center 3.0.0 and newer requires one of these supported operating systems:

  • Red Hat Enterprise Linux 8

  • Rocky Linux 8

You must upgrade to one of the supported operating systems before installing EclecticIQ Intelligence Center 3.0 or newer.

See:

Important: eclecticiq-extension-commons package is deprecated

Caution

Only affects users who develop or customize EclecticIQ Intelligence Center extensions.

eclecticiq-extension-commons was deprecated in release 3.3, and has been removed in release 3.4.

If you have written your own extension, or modified an existing extension, that extension may contain references to the eclecticiq-extension-commons package.

In particular, check whether your extension:

  • depends on eclecticiq-extension-commons

  • imports from extension.common

If it does, use our migration guide to remove or change those references in your extension before upgrading to the upcoming release 3.4.

Important: read/modify saved-searches permissions removed from platform, modify attack added

Removal of the read/modify saved-searches permission impacts the “Team lead” and “Threat analyst” pre-defined roles. The modify attack permission has been added to the “Threat analyst” and “System admin” roles.
Be sure to update any roles you have created for your own Intelligence Center accordingly.

Fixes

  • Broken Discovery page
    Fixes a bug where the Discovery page wouldn’t load.

  • Tags via Graph crash UI
    Fixes a bug where adding a Tag to objects on a Graph would crash the platform.

  • Diff strategy on Outgoing feeds exports duplicate data
    Fixes a bug where Outgoing feeds created with the Diff update strategy would export intelligence that was already present in earlier runs, leading to very big packages with duplicate data.

Known issues

Changes and Known issues with TAXII 2.1

Performance fixes for TAXII 2.1 in Intelligence Center 3.3.1 introduced changes and known issues to the TAXII 2.1 server.

For more information, see TAXII 2.1.

  • Retention policies and Outgoing and Incoming feeds display the user’s timezone, but execute as if the entered time were in UTC.
    Treat any times set or encountered while configuring these feeds and policies as UTC.

  • When adding intelligence to a Graph from Discovery, the table includes intelligence from outside of Discovery.
    If the Graph you want to add Entities from Discovery to already exists, you can instead use Bulk actions in Discovery to make sure you’re not adding Entities from outside of Discovery to the Graph.

  • Relationships created through Graphs aren’t assigned the default TLP if the Source entity was also created on the graph.
    Be sure to assign the required TLP to the Relationship manually.

  • When External references are hidden, the counts given for filters still include these references.

  • In Search and browse, when using Bulk actions to create a new Indicator or Sighting entity and add the selected Observables to it, only two hundred Observables are added.
    Be sure to portion out the Observables into batches when using Bulk actions to add them to an Indicator or Sighting entity.

  • Data tables such as those on Observables’ Neighborhood tab can’t be sorted.

  • Going to the Observables tab of an Entity, selecting Observables, and selecting Remove from Entity does not work.

Public API compatibility

From EclecticIQ Intelligence Center 2.12.0 onward, the public API is packaged together with EclecticIQ Intelligence Center.

The following reference table lists the versions of the public API package and the EclecticIQ Intelligence Center versions they are compatible with (Intelligence Center version(s): Public API package version(s), Public API version):

  • 2.11 - 2.12: eclecticiq-extension-api==1.0.*, Public API v1

  • 2.13.0: eclecticiq-extension-api==1.*, Public API v1

  • 2.14.0 and newer: now follows the EclecticIQ Intelligence Center versioning scheme (e.g., EclecticIQ Intelligence Center 2.14 is compatible with eclecticiq-extension-api==2.14.*), Public API v1

  • 3.0.0 and newer: EclecticIQ Intelligence Center 3.0 and newer uses Public API v2 and follows the EclecticIQ Intelligence Center versioning scheme (e.g., EclecticIQ Intelligence Center 3.0.2 is compatible with eclecticiq-extension-api==3.0.*, EclecticIQ Intelligence Center 3.1.0 is compatible with eclecticiq-extension-api==3.1.*, etc.), Public API v2

Download

For more information about setting up repositories, refer to the installation documentation for your target operating system.

EclecticIQ Intelligence Center and dependencies for Rocky Linux and RHEL

  • Platform packages: https://downloads.eclecticiq.com/platform-packages-centos/

  • Platform dependencies: https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/

    Note

    The Intelligence Center dependencies URL for versions 2.9 and later is https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/. It contains packages that are incompatible with versions 2.8 and earlier.

EclecticIQ Intelligence Center extensions

  • Platform extensions: https://downloads.eclecticiq.com/Extensions/

Upgrade

The diagram below describes upgrade paths for EclecticIQ Intelligence Center. See the following for upgrade instructions:

In order to upgrade to EclecticIQ Intelligence Center 3.0, you must:

  • Be running one of the supported operating systems.

    See Important: Upgrade operating system.

  • Upgrade from EclecticIQ Intelligence Center 2.14.

    If you are running an older version of EclecticIQ Intelligence Center, you must upgrade to 2.14 before attempting to upgrade to EclecticIQ Intelligence Center 3.0.

    See Install Configure Upgrade.

Upgrade diagram