Minor release 3.5

| Product | EclecticIQ Intelligence Center |
|---|---|
| Release version | 3.5.0 |
| Release date | April 2025 |
| Time to upgrade | ~40 minutes to upgrade an instance with 2.67 million entities, 1.85 million Observables. |
| Time to migrate | For an instance with 2.67 million entities, 1.85 million Observables: |
Highlights
This release brings major advancements across the board, both through AI-powered capabilities and
high-value features that don’t rely on AI.
The most eye-catching improvement has to be the platform’s complete UI revamp, however. It now has a
sleeker, more modern look, improved readability, and a new customizable menu bar that makes
navigation more intuitive than ever.
3.5.0 introduces new AI configuration options. You gain full flexibility in how AI is deployed and
configured. These new AI configuration options support integration with your own LLM via Ollama, enabling
AI capabilities even in airgapped environments. Whether on-premise or in the cloud, you can choose the
LLM that powers each AI feature: your own, a commercial provider’s, or one provided by EclecticIQ.
Our AI Assistant is a true timesaver and an indispensable tool in your threat analysis toolkit.
It will find the intelligence in your platform that answers your questions for you and generate
additional context for that intelligence from what it can find on the web. Alternatively, you can ask the
AI Assistant to provide you with intelligence from the web without reference to any intelligence in your
platform. This allows analysts to find the intelligence and add relevant, current
information without having to switch tools.
The new Intelligence Compass is your central hub to define and manage all your intelligence
requirements in one place. It’s easy to track what matters most to your organization. The AI will scan
all new intelligence and alert you whenever something matches one of your requirements. Alternatively,
you can configure a requirement to match based on keywords, which means it can run without AI.
We’ve enriched the platform’s reporting capabilities with new, fully customizable Dashboards. These allow you to highlight the exact metrics that matter most to you and your organization. Easy snapshotting makes it simple to share data insights with stakeholders, and the Widgets used to build Dashboards are saved in a central Widget Library, which makes it easy to create and recreate Dashboards as needed.
This release also sees the addition of Observable Risk Scores, which help you estimate the threats posed by the Observables in your platform, the Malware Sandbox, which allows you to have suspicious files and URLs investigated safely, and search improvements that make relational searching, saving queries as Datasets, and reloading those saved queries easier.
In other words, 3.5.0 is a breakthrough release that advances AI-powered investigations, streamlines intelligence management, and enables precision threat prioritization—alongside a host of other functionalities that will make you more effective and your work a lot easier.
What’s new
AI features
Configure provider to use AI
Make sure you configure an AI provider to be able to use the AI features below, as well as the existing AI features.
Bring your own LLM
EclecticIQ’s Bring your own LLM feature gives you the flexibility to choose how you deploy AI in your threat intelligence workflows:
Self-host on-prem: Deploy any models on your own infrastructure for full control over data and compliance.
Use the LLM of your choice or one recommended by EclecticIQ: hosted securely on EclecticIQ’s cloud, exclusively for your organization. This ensures privacy, flexibility, scalability, and operational efficiency while maintaining full ownership of your data.
Whichever option you choose, you stay in control, leveraging AI on your own terms.
AI Assistant
EclecticIQ Intelligence Center 3.5.0 comes with our new AI Assistant, which is programmed
to help you answer questions by finding intelligence. When you ask the AI Assistant a
question, it will find intelligence in your platform that contains the answer. After
that, you can ask it to provide additional insights about the intelligence it found in your
platform. It will then search the web for relevant context and generate an answer based on
it. You can have the AI Assistant carry out a “cold” web search, that is, ask it to provide
intelligence from the web without reference to any intelligence in your platform.
The AI Assistant’s web lookups only work with a Perplexity.ai integration.
Intelligence Compass
The Intelligence Compass allows you to stay on top of the threats you face by defining your
intelligence requirements and being alerted whenever Entities that match them are
ingested or created.
This scanning leverages either AI or keyword-based matching, can tag Entities, add them
to specific Datasets, and can notify whoever you add to that specific intelligence
requirement as a watcher.
AI Entity Extraction
Sometimes, when Entities are added via feeds or file uploads, they include useful details that should really be represented as separate Entities. The Entity Extraction feature uses AI to scan the Title, Description, and Tags of these Entities, and then creates new Entities based on the information it finds.
Dashboards
The new Dashboards allow you to create overviews that show you your important intelligence
metrics at a glance. Each Dashboard consists of Widgets that track specific data points, and both
Dashboards and Widgets are fully customizable, with the Widget library allowing you to
re-use Widgets on multiple Dashboards.
You can easily share your metrics with stakeholders by exporting snapshots of entire Dashboards or
specific Widgets.
Observable Risk Scores
With Observable Risk Scores, you can configure policies that assign Risk scores to the Observables in your platform based on your organization’s priorities. These policies let you:
Target specific Observable types.
Customize scoring using multiple parameters like source reliability, TLP level, maliciousness rating, tags, or keywords.
Define how the final risk score is calculated from these parameters.
Malware Sandbox
Use the Malware Sandbox to have suspicious files and URLs executed and/or analysed and learn whether they are actually malicious or not without exposing your own infrastructure to the potential threat. To do this, integrate with a detonation vendor and send it a file or URL. As a response, the vendor will send a report with analysis. The report may include valuable information, such as the file’s hash or threat actors associated with the URL, which can be extracted as intelligence objects and added to the platform.
Intelligence Center life cycle
We’ve defined the life cycle for EclecticIQ Intelligence Center minor releases. Each minor
release will be supported with bug fixes and security issue mitigations for at least one
year and until at least three subsequent versions have been released. Once both
conditions have been met, a release will be considered End-of-Life (EoL) and will no longer
receive further updates.
Defining two update windows per year should ensure that you are always on a live release.
There is no strict End-of-Support. Whatever version of Intelligence Center you are on, you will always be able to request support by opening support tickets. However, support options may be limited for versions that have reached EoL, since they won’t receive bug fixes or other code changes.
Read our EoL policy to learn more.
Improvements
Unified search
We’ve reconfigured the Entity Search field and eliminated the drop-down menu for selecting a search query type. Instead, you now carry out both regular and relation searches from the same search field.
To carry out a relational search, use the RELATED TO operator between the two parts of your
search query (i.e. the part matching the Entities you want to find and the part matching the
Entities that the Entities you want to find need to be related to).
Read more about (relational) Entity search.
Saved search
Additionally, saving Entity search queries as Datasets and loading the Entity search queries that Datasets are based on has been made easier.
To save a query as a Dataset, enter one in the search field and then select + Save.
To load a query that a Dataset was based on, hover over the search field and select + Load. Loading and changing a saved query doesn’t impact its Dataset; the new query is treated as entirely separate and can be used as the basis of a new Dataset.
Read more about saving and loading Entity queries.
PDF viewer
We’ve introduced a PDF parsing library so you can better read ingested PDFs in the platform.
To read ingested PDFs, go to Search, open the Entities tab, and select the Entity to which the PDF you want to read is attached.
Audit trail modals
The audit trail now shows truncated messages in the Message column. Select the icon to read
the complete message in a modal.
Password management
We’ve improved the password creation flow to minimize frustration. During password creation, users:
will now see the password requirements that have been set.
can show/hide the password they’re creating.
won’t be asked to enter it twice for confirmation.
will see whether caps lock is on or not.
Allow multiple trusted domain names
EclecticIQ Intelligence Center deployments that are accessed through more than one domain name should add those domain names to the TRUSTED_API_HOSTS list in /etc/eclecticiq/platform_settings.py.
For more information, see our platform settings documentation.
Fixes
Session timeout hardcoded to 10 minutes
With 3.4.5, session timeout after user inactivity has been hardcoded to 10 minutes.
Added session token timeout
Settings > System settings > General now shows the Session token expiration
field. The tokens created when a user initiates a session will expire after the number
of minutes set in this field.
User session IP binding
You can now bind a session to the user’s IP, meaning the tokens associated with the session are only accepted if offered from the IP address from which the session was initiated.
To enable this setting, in settings.py set JWT_IP_ADDRESS_BINDING = TRUE. See
update platform settings.
Upgrades reset permission
Fixes a bug that would reset custom permission assignment to roles
with earlier versions. Upgrading to this current version does not reset permission
assignment to roles.
IndexError in eiqjson packer
Fixes an index error that prevented packing Entities with specific outgoing relations in them
into Outgoing eiqjson feeds.
This meant the runs of these feeds were successful but incomplete, dropping the Entities with
those specific relations.
Increased limit on Outgoing feed drop-down menu for Dataset selector
Fixes an issue where the drop-down menu for selecting Datasets to be part of an
Outgoing feed would only show 100 feeds, even if there were more feeds in
the platform.
This limit has been increased to 1000 feeds.
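The session token expiration and session IP binding described in the fixes above, illustrated with an added example that is not EclecticIQ's code: a minimal HS256 JWT issued with an expiry and an IP claim, then checked on each request. The `ip` claim name, the demo secret, and the function names are assumptions; only the Python standard library is used.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed for this example only

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(user, client_ip, expiry_minutes, now=None):
    """Issue an HS256 JWT with an expiry and the IP that opened the session."""
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    # "ip" is a hypothetical claim name chosen for this illustration.
    claims = {"sub": user, "exp": now + expiry_minutes * 60, "ip": client_ip}
    payload = _b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64(_sign(header + '.' + payload))}"

def check_token(token, request_ip, ip_binding=True, now=None):
    """Return (accepted, reason); the signature is verified before claims are read."""
    now = int(time.time() if now is None else now)
    try:
        header, payload, sig = token.split(".")
        if not hmac.compare_digest(_sign(header + "." + payload), _unb64(sig)):
            return False, "bad signature"
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return False, "unexpected algorithm"
        claims = json.loads(_unb64(payload))
    except (ValueError, AttributeError):
        return False, "malformed token"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if ip_binding and claims.get("ip") != request_ip:
        return False, "ip mismatch"
    return True, "ok"
```

With binding enabled, a token replayed from a different address is rejected even though its signature and expiry are still valid; the address compared must be the client address as the server actually sees it.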
Known issues
Changes and Known issues with TAXII 2.1
Performance fixes for TAXII 2.1 in Intelligence Center 3.3.1
introduced changes and known issues to the TAXII 2.1 server.
For more information, see TAXII 2.1.
Deleted Intelligence Requirements will still be linked to the Entities they matched.
In Observable scoring, the Number of Sources parameter shows wrong count
In Observable Risk Scores, the Number of Sources parameter shows the wrong count. The count includes all sources, even though it was intended to exclude Enrichment sources.
Changing an Observable Risk Score policy will never result in the overall score of already scored Observables being lowered.
If an Observable Risk Score parameter is empty but enabled, it is still included in the parameter count for thresholds.
The Observable Risk Score preview only works if you’ve already saved the policy.
Observable scores can be exported as both EIQ JSON and CSV, but not ingested into an Intelligence Center instance.
In an Observable risk score policy, no warning is shown when a value in a parameter is assigned multiple Risk scores, even though this is not intended and results in an error.
OpenAI key lost if upgrading 3.3.x to 3.5.0
If you are upgrading from 3.3.x directly to 3.5.0 and had an OpenAI key configured, that key will be deleted during the upgrade. You will have to generate a new key and configure it after updating.
This does not occur when updating from 3.4.x to 3.5.0.
Assigning a model to the NLP to Lucene capability may take a few minutes.
The size limit for STIX 2.1 PDF attachments applies to the size per attachment, not to the total size of the attachments.
Incoming and Outgoing feeds fail if any Observable value in them includes a character forbidden in XML. The forbidden XML characters are U+FFFE, U+FFFF, and all UCS surrogates.
Retention policies and Outgoing and Incoming feeds display the user’s timezone, but execute as if the entered time were in UTC.
Treat any times set or encountered while configuring these feeds and policies as UTC.
Relationships created through Graphs aren’t assigned the default TLP if the Source entity was also created on the graph.
Be sure to assign the required TLP to the Relationship manually.
When External references are hidden, the counts given for filters still include these references.
External references are included in relational searches, but excluded from the Neighbourhood tab.
In Search and browse, when using Bulk actions to create a new Indicator or Sighting entity and add the selected Observables to it, only two hundred Observables are added.
Be sure to portion out the Observables when using Bulk actions to add to an Indicator or Sighting entity.
Data tables such as those on Observables’ Neighborhood tab can’t be sorted.
Going to the Observables tab of an Entity, selecting Observables, and selecting Remove from Entity does not work.
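For the known issue above about XML-forbidden characters in Observable values, a pre-flight check can flag the offending values before a feed run. This is an added example, not part of the product; the JSON shape, type names, and function names are assumptions, and the sample data is constructed. It also shows how a lone surrogate typically gets in: a JSON escape such as `\ud83d` without its matching low surrogate.

```python
import json

def forbidden_xml_chars(value):
    """Return (position, code point) for each character the known issue lists."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(value)
            if 0xD800 <= ord(ch) <= 0xDFFF or ord(ch) in (0xFFFE, 0xFFFF)]

def preflight(observables):
    """Return the observables whose value contains a forbidden character."""
    report = []
    for index, obs in enumerate(observables):
        hits = forbidden_xml_chars(obs["value"])
        if hits:
            report.append({"index": index, "type": obs["type"], "hits": hits})
    return report

# Constructed sample; field names and type names are assumptions.
# Entry 1 holds a valid surrogate pair, which JSON decoding merges into U+1F600.
# Entry 2 holds a lone high surrogate, entry 3 holds U+FFFF.
SAMPLE_JSON = r'''[
  {"type": "domain", "value": "example.test"},
  {"type": "uri", "value": "http://example.test/\ud83d\ude00"},
  {"type": "file", "value": "invoice\ud83d.pdf"},
  {"type": "email-subject", "value": "report\uffff"}
]'''

def check_sample():
    return preflight(json.loads(SAMPLE_JSON))

if __name__ == "__main__":
    for row in check_sample():
        print(row)
```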
Public API compatibility
From EclecticIQ Intelligence Center 2.12.0 onward, the public API is packaged together with EclecticIQ Intelligence Center.
The following reference table lists the versions of the public API package and EclecticIQ Intelligence Center versions they are compatible with:
| Intelligence Center version(s) | Public API package version(s) | Public API version |
|---|---|---|
| 2.11 - 2.12 | | v1 |
| 2.13.0 | | v1 |
| 2.14.0 and newer | Now follows EclecticIQ Intelligence Center versioning scheme. E.g., EclecticIQ Intelligence Center 2.14 is now compatible with | v1 |
| 3.0.0 and newer | EclecticIQ Intelligence Center 3.0 and newer uses Public API v2. Follows EclecticIQ Intelligence Center versioning scheme. E.g., EclecticIQ Intelligence Center 3.0.2 is compatible with | v2 |
Download
For more information about setting up repositories, refer to the installation documentation for your target operating system.
| EclecticIQ Intelligence Center and dependencies for Rocky Linux and RHEL | |
|---|---|
| EclecticIQ Intelligence Center extensions | |
Upgrade
Important: Upgrade operating system
To run EclecticIQ Intelligence Center 3.0.0 and newer, upgrade to one of these supported operating systems:
The diagram below describes upgrade paths for EclecticIQ Intelligence Center. See the following for upgrade instructions:
In order to upgrade to EclecticIQ Intelligence Center 3.0, you must:
Be running one of the supported operating systems.
Upgrade to Rocky 8 or upgrade to RHEL 8.
Upgrade through EclecticIQ Intelligence Center 2.14.
If you are running an older version of EclecticIQ Intelligence Center, you must upgrade to 2.14 before attempting to upgrade to EclecticIQ Intelligence Center 3.0.

Upgrade diagram