Maintenance release 3.5.1#

Product

EclecticIQ Intelligence Center

Release version

3.5.1

Release date

May 2025

Time to upgrade

~40 minutes to upgrade an instance with 2.67 million entities, 1.85 million observables.

  • From the previous release

  • Using the installation script

  • For an instance running on one machine

Time to migrate

For an instance with 2.67 million entities, 1.85 million observables:

  • PostgreSQL migration: 13m30s

  • Elasticsearch migration: 18m40s

Changed#

  • MITRE ATT&CK updated to v17

    MITRE ATT&CK is upgraded to v17.

  • LDAP configuration now allows you to specify the LDAP attribute to map user names to with LDAP_USER_ID_ATTR

    You can now specify the LDAP attribute to map user names to by adding to /etc/eclecticiq/platform_settings.py:

    LDAP_USER_ID_ATTR="<LDAP_attribute_name>"
    

    By default, this is set to LDAP_USER_ID_ATTR="uid"

    For Microsoft Active Directory, set this to

    LDAP_USER_ID_ATTR="sAMAccountName"
    

    Use LDAP_USER_ID_ATTR="uid" if your LDAP server is OpenLDAP or a similar RFC 2307-compliant directory.

    Important

    If users can no longer log in with their LDAP user names after upgrading, the default uid attribute probably does not match the attribute your directory uses for login names. Set LDAP_USER_ID_ATTR explicitly (for example, sAMAccountName for Active Directory) and restart the service.
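    The Python below is an added illustration, not Intelligence Center code, of why the account key has to come from the LDAP attribute named by LDAP_USER_ID_ATTR rather than from the name the user typed. It simulates a case-insensitive directory lookup and shows the duplicate-account behaviour that the LDAP case insensitivity fix under Fixes addresses, and the fail-closed outcome when the configured attribute is absent from the directory (the "users cannot log in" case from the note above). The directory entries are constructed, and the function names (search_by_attr, resolve_account_key, simulate_logins, login_fails) are illustrative.

```python
"""Why the local account key must come from the LDAP attribute named by
LDAP_USER_ID_ATTR rather than from the login name as typed.

Added example, not Intelligence Center code. The directory entries are
constructed; search_by_attr, resolve_account_key, simulate_logins and
login_fails are illustrative names."""

# Constructed OpenLDAP-style (RFC 2307) entries: uid is the login attribute.
OPENLDAP_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "uid": ["alice"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "uid": ["bob"]},
]

# Constructed Active Directory-style entries: sAMAccountName is the login
# attribute and there is no uid, which is why the default "uid" breaks logins.
AD_ENTRIES = [
    {"dn": "CN=Alice Smith,OU=Users,DC=corp,DC=example", "sAMAccountName": ["Alice"]},
]


def search_by_attr(entries, attr, login_name):
    """Simulate an LDAP equality search on `attr`. The match is
    case-insensitive, as it is for AD's sAMAccountName and for OpenLDAP
    attributes that use caseIgnoreMatch (uid included), so 'Alice', 'alice'
    and 'ALICE' all find the same entry."""
    wanted = login_name.casefold()
    return [e for e in entries if any(v.casefold() == wanted for v in e.get(attr, []))]


def resolve_account_key(entries, login_name, user_id_attr="uid"):
    """Return the value to key the local account on: the directory's own
    value of `user_id_attr`, not the string the user typed. Fails closed if
    the lookup is ambiguous or the attribute is missing or multi-valued."""
    matches = search_by_attr(entries, user_id_attr, login_name)
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} entries match {login_name!r} on {user_id_attr}")
    values = matches[0].get(user_id_attr, [])
    if len(values) != 1:
        raise LookupError(f"{user_id_attr} must be present and single-valued")
    return values[0]


def simulate_logins(entries, logins, user_id_attr="uid", key_on_typed_name=False):
    """Return the set of distinct local accounts created by a series of logins.
    Every login is resolved against the directory first; with
    key_on_typed_name=True the account is then keyed on the typed name (the
    behaviour the release note describes as fixed), otherwise on the
    resolved directory attribute value."""
    keys = set()
    for login in logins:
        resolved = resolve_account_key(entries, login, user_id_attr)
        keys.add(login if key_on_typed_name else resolved)
    return keys


def login_fails(entries, login_name, user_id_attr):
    """True if the login is rejected under the given attribute mapping."""
    try:
        resolve_account_key(entries, login_name, user_id_attr)
        return False
    except LookupError:
        return True


if __name__ == "__main__":
    logins = ["Alice", "alice", "ALICE"]
    print("keyed on typed name:", simulate_logins(OPENLDAP_ENTRIES, logins, key_on_typed_name=True))
    print("keyed on uid:       ", simulate_logins(OPENLDAP_ENTRIES, logins))
    print("AD with default uid, login fails:", login_fails(AD_ENTRIES, "alice", "uid"))
    print("AD with sAMAccountName:", resolve_account_key(AD_ENTRIES, "alice", "sAMAccountName"))
```

    The same three logins produce three accounts when keyed on the typed name and one when keyed on the attribute value. Against the AD-style entries, the default uid mapping fails closed (no account is created and the login is refused) until LDAP_USER_ID_ATTR is set to sAMAccountName; whichever attribute you pick should be single-valued and unique across the directory, since the example refuses ambiguous or multi-valued results for the same reason.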

Fixes#

  • MITRE ATT&CK heatmaps only show up to 100 classifications per entity

    Fixes an issue where in the MITRE ATT&CK heatmaps, only 100 classifications per entity would be shown.

  • LDAP case insensitivity issue

    Fixes an issue where users logging in through LDAP could end up with multiple user accounts on IC, because the IdP matches user names case-insensitively and each differently capitalized login name was treated as a new user.

    IC now determines the LDAP user's user name from the uid LDAP attribute rather than from the login name as entered. To use a different LDAP attribute, set LDAP_USER_ID_ATTR="<LDAP_attribute_name>" in /etc/eclecticiq/platform_settings.py.

  • Outgoing feed maintenance

    Outgoing feeds received the following fixes:

    • Setting the execution schedule to None now guarantees the feed doesn’t run (whereas before it would default to Every 30 minutes while appearing disabled).

    • Including more Reports in an Outgoing feed than the number set for Number of entities to be included in a package no longer results in an error.

    • EclecticIQ HTML Report Digests will no longer include broken links that were caused by missing “/”.

    • Fixed an issue where TAXII 2.1 Push would fail.

  • Fixed images pasted into Reports

    Pasting images into Reports from your clipboard or saving a Report with images as a non-admin user will no longer result in errors.

  • AI extraction overwriting existing Entity

    Fixes an issue where invoking AI extraction of Entities could overwrite existing Entities, deleting information from the overwritten Entity.

Known issues#

Changes and Known issues with TAXII 2.1

Performance fixes for TAXII 2.1 in Intelligence Center 3.3.1 introduced changes and known issues to the TAXII 2.1 server.
For more information, see TAXII 2.1.

  • Deleted Intelligence Requirements will still be linked to the Entities they matched.

  • In Observable Risk Scores, the Number of Sources parameter shows the wrong count: it includes all sources, even though it was intended to exclude Enrichment sources.

  • Changing an Observable Risk Score policy will never result in the overall score of already scored Observables being lowered.

  • If an Observable Risk Score parameter is empty but enabled, it is still included in the parameter count for thresholds.

  • The Observable Risk Score preview only works if you’ve already saved the policy.

  • Observable scores can be exported as both EIQ JSON and CSV, but not ingested into an Intelligence Center instance.

  • In an Observable risk score policy, no warning is shown when a value in a parameter is assigned multiple Risk scores, even though this is not intended and results in an error.

  • OpenAI key lost if upgrading 3.3.x to 3.5.x
    If you upgrade from 3.3.x directly to 3.5.x with an OpenAI key configured, that key is deleted during the upgrade. Generate a new key and configure it after upgrading.

    This does not occur when upgrading from 3.4.x to 3.5.0.

  • Assigning model to NLP to Lucene capability may take a few minutes

  • The size limit for STIX 2.1 PDF attachments applies per attachment, not to the combined size of all attachments.

  • Incoming and Outgoing feeds fail if any Observable value in them contains a character that is forbidden in XML: U+FFFE, U+FFFF, or any UCS surrogate code point (U+D800 to U+DFFF).

  • Retention policies and Outgoing and Incoming feeds display the user's timezone, but execute as if the entered time were in UTC.
    Treat any times set or encountered while configuring these feeds and policies as UTC.

  • Relationships created through Graphs aren’t assigned the default TLP if the Source entity was also created on the graph.
    Be sure to assign the required TLP to the Relationship manually.

  • When External references are hidden, the counts given for filters still include these references.
    External references are included in relational searches, but excluded from the Neighbourhood tab.

  • In Search and browse, when using Bulk actions to create a new Indicator or Sighting entity and add the selected Observables to it, only two hundred Observables are added.
    Split the Observables into batches of at most two hundred when using Bulk actions to add them to an Indicator or Sighting entity.

  • Data tables such as those on Observables’ Neighborhood tab can’t be sorted.

  • Going to the Observables tab of an Entity, selecting Observables, and selecting Remove from Entity does not work.
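The known issue above about XML-forbidden characters in Observable values can be caught before a feed runs. The Python below is an added example, not Intelligence Center code: it scans Observable values against the XML 1.0 Char production, which is stricter than the release note's list (it also rejects C0 control characters other than TAB, LF and CR), and reports the offending code points. The sample Observable records are constructed, and the names is_xml_char, forbidden_code_points and check_observables are illustrative.

```python
"""Pre-flight check for the XML-forbidden-character known issue: find
Observable values that an Incoming or Outgoing feed cannot serialize as XML.

Added example, not Intelligence Center code. The Observable records are
constructed; is_xml_char, forbidden_code_points and check_observables are
illustrative names."""


def is_xml_char(ch: str) -> bool:
    """True if `ch` matches the XML 1.0 'Char' production:
    #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF].
    This covers the release note's list (U+FFFE, U+FFFF, surrogates) and also
    rejects C0 controls other than TAB, LF and CR."""
    cp = ord(ch)
    return (
        cp in (0x9, 0xA, 0xD)
        or 0x20 <= cp <= 0xD7FF
        or 0xE000 <= cp <= 0xFFFD
        or 0x10000 <= cp <= 0x10FFFF
    )


def forbidden_code_points(value: str) -> list:
    """Return (index, 'U+XXXX') for every character in `value` that XML forbids."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(value) if not is_xml_char(ch)]


def check_observables(observables):
    """Given an iterable of {'type': ..., 'value': ...} dicts, return the ones
    that would make a feed fail, each with its offending code points."""
    problems = []
    for obs in observables:
        bad = forbidden_code_points(obs["value"])
        if bad:
            problems.append({"type": obs["type"], "value": obs["value"], "forbidden": bad})
    return problems


# Constructed sample Observables. A lone surrogate can reach a Python string
# through bytes.decode(..., errors="surrogateescape") on malformed UTF-8, which
# is one realistic way such a value ends up in an Observable.
SAMPLE_OBSERVABLES = [
    {"type": "domain", "value": "example.com"},
    {"type": "uri", "value": "http://example.com/\ufffe"},
    {"type": "file-name", "value": b"report\xff.pdf".decode("utf-8", errors="surrogateescape")},
    {"type": "email", "value": "user@example.com\uffff"},
    {"type": "text", "value": "tab\tand newline\nare fine"},
]


if __name__ == "__main__":
    # Print only the type and code points: writing a lone surrogate to a
    # UTF-8 terminal would itself raise UnicodeEncodeError.
    for p in check_observables(SAMPLE_OBSERVABLES):
        print(p["type"], p["forbidden"])
```

Run it over an export of the Observables a feed selects and fix or drop the flagged values before enabling the feed; the index tells you where in the value the bad code point sits, which is usually the tail of a truncated or mis-decoded string.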

Public API compatibility#

From EclecticIQ Intelligence Center 2.12.0 onward, the public API is packaged together with EclecticIQ Intelligence Center.

The following reference table lists the versions of the public API package and EclecticIQ Intelligence Center versions they are compatible with:

Intelligence Center version(s) | Public API package version(s) | Public API version
2.11 - 2.12 | eclecticiq-extension-api==1.0.* | v1
2.13.0 | eclecticiq-extension-api==1.* | v1
2.14.0 and newer | Follows the EclecticIQ Intelligence Center versioning scheme, e.g. Intelligence Center 2.14 is compatible with eclecticiq-extension-api==2.14.* | v1
3.0.0 and newer | Follows the EclecticIQ Intelligence Center versioning scheme, e.g. Intelligence Center 3.0.2 is compatible with eclecticiq-extension-api==3.0.*, Intelligence Center 3.1.0 with eclecticiq-extension-api==3.1.*, etc. | v2

EclecticIQ Intelligence Center 3.0 and newer uses Public API v2.

Download#

For more information about setting up repositories, refer to the installation documentation for your target operating system.

EclecticIQ Intelligence Center and dependencies for Rocky Linux and RHEL

  • Platform packages: https://downloads.eclecticiq.com/platform-packages-centos/

  • Platform dependencies: https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/

    Note

    The Intelligence Center dependencies URL for versions 2.9 and later is https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/. It contains packages that are incompatible with versions 2.8 and earlier.

EclecticIQ Intelligence Center extensions

  • Platform extensions: https://downloads.eclecticiq.com/Extensions/

Upgrade#

The diagram below describes upgrade paths for EclecticIQ Intelligence Center. See the following for upgrade instructions:

In order to upgrade to EclecticIQ Intelligence Center 3.0, you must:

  • Be running one of the supported operating systems.

    See Upgrade.

  • Upgrade from EclecticIQ Intelligence Center 2.14.

    If you are running an older version of EclecticIQ Intelligence Center, you must upgrade to 2.14 before attempting to upgrade to EclecticIQ Intelligence Center 3.0.

    See Install Configure Upgrade.

Upgrade diagram#