Maintenance release 3.5.1

Product	EclecticIQ Intelligence Center
Release version	3.5.1
Release date	May 2025
Time to upgrade	~40 minutes to upgrade an instance with 2.67 million entities, 1.85 million observables. From the previous release Using the installation script For an instance running on one machine
Time to migrate	For an instance with 2.67 million entities, 1.85 million observables: PostgreSQL migration: 13m30s Elasticsearch migration: 18m40s

Changed

• MITRE ATT&CK updated to v17
  

  MITRE ATT&CK is upgraded to v17.
  
  

• LDAP configuration now allows you to specify the LDAP attribute to map user names to with LDAP_USER_ID_ATTR

  You can now specify the LDAP attribute to map user names to by adding to /etc/eclecticiq/platform_settings.py:

  LDAP_USER_ID_ATTR="<LDAP_attribute_name>"
  

  By default, this is set as LDAP_USER_ID_ATTR="uid"

  Important

  If you encounter an issue where users cannot log in with their LDAP user names after upgrading, you may need to set this property.

Fixes

• MITRE ATT&CK heatmaps only shows up to 100 classifications per entity

  Fixes an issue where in the MITRE ATT&CK heatmaps, only 100 classifications per entity would be shown.

• LDAP Case insensitivity issue

  Fixes an issue where users logging in through LDAP would have multiple user accounts created on IC because the IdP allows case insensitive user names.

  IC now uses the uid LDAP attribute when determining the LDAP user’s user name instead. To use a different LDAP attribute, set LDAP_USER_ID_ATTR="<LDAP_attribute_name> in /etc/eclecticiq/platform_settings.py.
  
  

• Outgoing feed maintenance
  

  The Outgoing feeds received the fixes listed:

  • Setting the execution schedule to None now guarantees the feed doesn’t run (whereas before it would default to Every 30 minutes while appearing disabled).

  • Including more Reports in an Outgoing feed then the number set for Number of entities to be included in a package no longer results in an error.

  • EclecticIQ HTML Report Digests will no longer include broken links that were caused by missing “/”.

  • Fixed an issue where TAXII 2.1 Push would fail.
    
    

• Fixed images pasted into Reports

  Pasting images into Reports from your clipboard or saving a Report with images as a non-admin user will no longer result in errors.
  
  

• AI extraction overwriting existing Entity

  Fixes the issue where invoking AI extraction of Entities could override existing Entities and thereby delete information from the overwritten Entity.

Known issues

Changes and Known issues with TAXII 2.1

Performance fixes for TAXII 2.1 in Intelligence Center 3.3.1 introduced changes and known issues to the TAXII 2.1 server.
For more information, see TAXII 2.1.

• Deleted Intelligence Requirements will still be linked to the Entities they matched.
  

• In Observable scoring, the Number of Sources parameter shows wrong count

• In Observable Risk Scores, the Number of Sources parameter shows wrong count The count includes all sources, even though it was intended to exclude Enrichment sources.
  

• Changing an Observable Risk Score policy will never result in the overall score of already scored Observables being lowered.
  

• If an Observable Risk Score parameter is empty but enabled, it is still included in the parameter count for thresholds.

• The Observable Risk Score preview only works if you’ve already saved the policy.
  

• Observable scores can be exported as both EIQ JSON and CSV, but not ingested into an Intelligence Center instance.
  

• In an Observable risk score policy, no warning is shown when a value in a parameter is assigned multiple Risk scores, even though this is not intended and results in an error.
  

• OpenAI key lost if upgrading 3.3.x to 3.5.x
  If you are upgrading from 3.3.x directly to 3.5.x and had an OpenAI key configured, that key will be deleted during the upgrade. You will have to generate a new key and configure it after updating.

  This does not occur when updating from 3.4.x to 3.5.0.
  

• Assigning model to NLP to Lucene capability may take a few minutes
  

• Size limit for STIX 2.1 PDF attachment size does not apply for total size of the attachments, just to the size per attachment.
  

• Incoming and Outgoing feeds fail if any Observable value in them includes a string that matches a character forbidden in XML. The forbidden XML characters are U+FFFE, U+FFFF, and all UCS surrogates.
  

• Retention policies and Outgoing and Incoming feeds display the user’s timezone, but excute as if the entered time were in UTC.
  Treat any times set or encountered while configuring these feeds and policies as UTC.
  

• Relationships created through Graphs aren’t assigned the default TLP if the Source entity was also created on the graph.
  Be sure to assign the required TLP to the Relationship manually.
  

• When External references are hidden, the counts given for filters still include these references.
  External references are included in relational searches, but excluded from the Neighbourhood tab.
  

• In Search and browse, when using Bulk actions to create a new Indicator or Sighting entity and add the selected Observables it, only two hunderd Observables are added.
  Be sure to portion out the Observables when using Bulk actions to add to an Indicator or Sighting entity.
  

• Data tables such as those on Observables’ Neighborhood tab can’t be sorted.
  
  

• Going to the Observables tab of an Entity, selecting Observables, and selecting Remove from Entity does not work.
  

Public API compatibility

From EclecticIQ Intelligence Center 2.12.0 onward, the public API is packaged together with EclecticIQ Intelligence Center.

The following reference table lists the versions of the public API package and EclecticIQ Intelligence Center versions they are compatible with:

Intelligence Center version(s)	Public API package version(s)	Public API version
2.11 - 2.12	eclecticiq-extension-api==1.0.*	v1
2.13.0	eclecticiq-extension-api==1.*	v1
2.14.0 and newer	Now follows EclecticIQ Intelligence Center versioning scheme. E.g., EclecticIQ Intelligence Center 2.14 is now compatible with eclecticiq-extension-api==2.14.*	v1
3.0.0 and newer	EclecticIQ Intelligence Center 3.0 and newer uses Public API v2. Follows EclecticIQ Intelligence Center versioning scheme. E.g., EclecticIQ Intelligence Center 3.0.2 is compatible with eclecticiq-extension-api==3.0.*, EclecticIQ Intelligence Center 3.1.0 is compatible with eclecticiq-extension-api==3.1.*, etc.	v2

Download

For more information about setting up repositories, refer to the installation documentation for your target operating system.

EclecticIQ Intelligence Center and dependencies for Rocky Linux and RHEL	Platform packages: https://downloads.eclecticiq.com/platform-packages-centos/ Platform dependencies: https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/ Note The Intelligence Center dependencies URL for versions 2.9 and later is https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/. It contains packages that are incompatible with versions 2.8 and earlier.
EclecticIQ Intelligence Center extensions	Platform extensions: https://downloads.eclecticiq.com/Extensions/

Upgrade

The diagram below describes upgrade paths for EcelcticIQ Intelligence Center. See the following for upgrade instructions:

• Upgrade EclecticIQ Intelligence Center on Rocky Linux

• Upgrade EclecticIQ Intelligence Center on RHEL

In order to upgrade to EclecticIQ Intelligence Center 3.0, you must:

• Be running one of the supported operating systems.

  See Upgrade.

• Upgrade from EclecticIQ Intelligence Center 2.14.

  If you are running an older version of EclecticIQ Intelligence Center, you must upgrade to 2.14 before attempting to upgrade to EclecticIQ Intelligence Center 3.0.

  See Manage | Install, Configure, and Upgrade.

Upgrade diagram