Minor release 3.6#

Product

EclecticIQ Intelligence Center

Release version

3.6.0

Release date

October 2025

Time to upgrade

~40 minutes to upgrade an instance with 2.67 million Entities, 1.85 million Observables.

  • From the previous release

  • Using the installation script

  • For an instance running on one machine

Time to migrate

For an instance with 2.67 million Entities, 1.85 million Observables:

  • PostgreSQL migration: 13m30s

  • Elasticsearch migration: 18m40s

Important

This release contains configuration changes. Read Configuration changes before upgrading to IC 3.6.0.

IC 3.5.0 also contains PostgreSQL and Elasticsearch migrations. If you are upgrading from a version earlier than IC 3.5.0, read the 3.5.0 release notes.

Highlights#

This release packs some punch - we’re doubling down on our AI capabilities as well as majorly enhancing workflows that see a lot of use. Whether you need to easily produce branded reports from self-defined templates, model specialized intelligence with custom objects, or upload CSVs with high fidelity, this release delivers for you. We’ve also introduced entity detail propagation to automatically maintain consistent attribution across your knowledge graph, and inactive data marking to help you focus on current, actionable threats. Of course, this release adds a lot more besides. Read about all the added features, improvements, and fixes below, see all the value on offer, and plan your update today!

What’s new#

AI Suite#

Assist with content tasks: summarize, translate, or create content. Example: “Summarize this technical report for executives.”

  • Entity summary: Generate summaries from selected entities while working on reports or during investigations.

  • Content generation: Create high-quality, audience-specific outputs such as executive briefs and reports from customizable templates.

  • Translation: Translate entities (e.g., title, description, notes) directly within the platform to streamline understanding and incorporation of foreign-language content into research and reporting.

  • Enhanced provider configuration: Support for Azure OpenAI, Mistral, and any other solution with an OpenAI-compatible API.

Get started

See our AI Feature documentation to get started.

New Report experience#

The Complete Reporting Experience streamlines reporting from start to finish:

  • Create custom report templates with built-in branding, audience-specific layouts, and reusable structures so recurring reports are consistent, polished, and ready to share.

  • Centralized template management: Search, organize, and govern all reporting assets in one place for faster collaboration and oversight.

This seamless approach allows CTI teams to focus on insights instead of formatting and empowers decision-makers with high-quality, actionable reports.

Get started

See our Report documentation to get started.

Custom objects#

Custom object modeling gives analysts the flexibility to define new intelligence object types with tailored attributes for specialized use cases. Users can create reusable attributes with specific data types, validation rules, and mandatory or optional fields to enforce data consistency. These custom objects integrate fully with platform workflows: they can be linked to standard STIX Entities for comprehensive analysis, used in automated rules and detection logic, and enriched with platform features like TLP markings, MITRE ATT&CK mapping, and tagging. Analysts can import and export custom data for sharing, reuse attribute definitions across object types for consistency, and validate data quality through type checking and field enforcement.

Get started

See our custom objects documentation to get started.

Entity detail propagation#

Entity detail propagation enables analysts to define rules for how intelligence properties—such as tags, MITRE ATT&CK techniques, PIRs, and TLP markings—are automatically copied from source Entities to related Entities. You control what propagates, how far it spreads (direct, multi-hop, or via Observables), and to which types of Entities it applies.

Get started

See our property propagation documentation to get started.

Inactive data marking#

Inactive data management: Control aging data by marking and hiding intelligence based on customizable age thresholds. Data is automatically flagged based on calculated relevance or threat end time, with enhanced filtering and search capabilities.

Get started

See our Inactive data documentation to get started.

Improvements#

Performance Improvements#

We’ve made performance enhancements to the ingestion pipeline. The platform now skips unnecessary processing when no actual changes are being made, reduces database contention by eliminating premature locking operations, and optimizes how it handles relationships between entities. These improvements result in faster ingestion times and better overall system responsiveness, particularly when processing large volumes of data or working with highly connected intelligence data.

CSV mapper#

The CSV mapper now supports concatenating multiple column values into a single field and mapping to various entity types. We’ve improved timestamp handling and added the ability to set maliciousness during upload. Additionally, you can now map column values to MITRE ATT&CK and parse multiple values in any column.

Get started

See our CSV mapper documentation to get started.

Multiple hostname support for TAXII endpoints#

The platform now supports configuring a dedicated TAXII endpoint hostname separate from the global platform hostname. This allows TAXII services to function correctly in environments where the platform must be accessible via multiple domain names, such as internal and external network configurations.

Get started

See our Configure OpenTAXII server to get started.

New observable types#

We’ve added new observable types to support tracking and correlating cloud and container-based threats, including container image name, container registry account name, user account, SSH public key, account ID, container cluster name, cloud storage bucket, device fingerprint, JARM, and various certificate-related observables.

Enhanced time-based filtering#

We’ve split the single “Date” filter into more granular time-based filters throughout the platform. Users can now filter by start time, observed time, and end time, providing more precise control over time-based queries across all searches and analysis workflows.

Added search query support in ATT&CK Analysis#

The ATT&CK Analysis feature now supports using search queries as a scope option, alongside existing options for Entities and Dataset. This allows analysts to define the scope of their ATT&CK analysis using refined or simplified queries for more targeted threat technique mapping.

Expand exportable fields for search and outgoing feeds#

Users can now export a wider range of data, including additional standard fields and custom attributes. This improvement provides more comprehensive data exports that meet business requirements without manual workarounds or technical assistance.

Fixes#

  • Notes tab now available on Note entities

Users can now add Notes to a Note entity directly via the Notes tab in the overview pane. Previously, this tab was greyed out, requiring workarounds through the graph or “add relationship” features.

  • PDF parsing no longer generates false IOCs from embedded images

PDF imports now correctly extract only legitimate indicators instead of generating checksums for every embedded image in the document. This prevents inflated IOC counts and ensures cleaner, more accurate intelligence ingestion.

  • Observables now visible in timeline view

Observables attached to entities now remain visible when using the timeline feature on the graph. Previously, observables would disappear when filtering by timespan, even though their parent indicators were displayed.

  • Observable maliciousness preserved during entity editing

Observable maliciousness values are now preserved when editing entity properties. Previously, updating an entity in the Overview tab would reset all associated observables’ maliciousness back to “Unknown”.

  • RSS feed processing now handles large attachments safely

We’ve implemented safeguards for RSS feeds that download thumbnails and images: a 10 MB limit per file and a total size cap for all attachments per entity. The system now provides meaningful warnings when limits are exceeded and prevents memory crashes from oversized content.

  • Retention policy stability improvements

We’ve resolved issues causing retention policy failures, including Observable retention policy errors, extract-deletion policy timeouts in Elasticsearch, and database deadlocks.

  • Retention policy and feed schedules now respect user timezone

Retention policies and feeds now execute according to the user’s configured timezone instead of always running in UTC. The system properly converts schedule times to UTC for execution while displaying times in the user’s local timezone, eliminating confusion between scheduled and actual execution times.

Configuration changes#

This release includes the following configuration changes.

Make these changes before attempting to upgrade to IC 3.6.0.

IC 3.5.0 also contains PostgreSQL and Elasticsearch migrations. If you are upgrading from a version earlier than IC 3.5.0, read the 3.5.0 release notes.

Database and Elasticsearch migrations#

Database and Elasticsearch migrations for releases are run as part of the installation playbooks, or as part of the upgrade procedure (eiq-platform database upgrade and eiq-platform search upgrade commands).

For this release, check that your PostgreSQL and Elasticsearch hosts have the required available disk space before running these migrations.

PostgreSQL required available disk space#

For the PostgreSQL host, you must have available disk space equal to at least the sum of disk space used by these tables:

  • audit_trail

  • extract

To find the disk space used by these tables, and the sum you must have free, run these SQL commands against the Intelligence Center database:

-- Per-table usage. total_size counts the table, its TOAST data and its indexes.
SELECT
    relname AS table_name,
    pg_size_pretty(pg_total_relation_size(relid)) AS total_size,
    pg_size_pretty(pg_table_size(relid)) AS table_size,
    pg_size_pretty(pg_indexes_size(relid)) AS indexes_size
FROM
    pg_catalog.pg_statio_user_tables
WHERE
    relname IN ('audit_trail', 'extract');

-- Sum of total_size for both tables: the minimum free space the PostgreSQL host needs.
SELECT
    pg_size_pretty(SUM(pg_total_relation_size(relid))) AS required_free_space
FROM
    pg_catalog.pg_statio_user_tables
WHERE
    relname IN ('audit_trail', 'extract');

Elasticsearch required available disk space#

For the Elasticsearch hosts, you must have available disk space across your cluster equal to the size of the following indices:

  • extracts-unique_v*

In addition, make sure that the following parameters in /etc/eclecticiq/platform_settings.py are set to values that match your deployment:

  • ELASTICSEARCH_SHARDS_NUMBER, or

  • (New in 3.5.0, preferred) SEARCH_INDEX_SHARDS

Set this to equal the existing number of primary shards your deployment has for the extracts-unique index if you do not want to reshard this index.

Change the number in these parameters if you explicitly want to reshard the extracts-unique index during the Elasticsearch data migration process.

Example:

ELASTICSEARCH_SHARDS_NUMBER = 3

# OR set SEARCH_INDEX_SHARDS
# SEARCH_INDEX_SHARDS has higher precedence than ELASTICSEARCH_SHARDS_NUMBER
SEARCH_INDEX_SHARDS = {
    "stix": 3,
    "relations": 3,
    "extracts-unique": 3,
    "extracts": 3,
}

See update platform_settings.py.

To find disk usage in your Elasticsearch cluster, use the Get shard allocation information endpoint. E.g.:

curl -sLk 'https://localhost:9200/_cat/allocation?v' -u <user>:<pass>

To see the number of primary shards your extracts-unique index has, use the Get shard information endpoint. E.g.:

curl -sLk 'https://localhost:9200/_cat/shards/extracts-unique?v' -u <user>:<pass>

To see the disk usage of your extracts-unique index, use the Get index information endpoint. E.g.:

curl -sLk 'https://localhost:9200/_cat/indices/extracts-unique?v' -u <user>:<pass>

The total available disk space across your cluster must be at least equal to the current store.size of your extracts-unique index for the Elasticsearch data migration to succeed.
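The two checks above (free space across the cluster versus store.size, and the primary-shard count versus the value you configured) combined into one pre-flight script. This is an added example written for this page, not EclecticIQ code. It assumes you saved the output of the three _cat commands to files, captured with explicit h= column lists so the parsing does not depend on the default columns of your Elasticsearch version; the _cat output embedded in it is constructed sample data, and the shard count you pass on the command line is the value from SEARCH_INDEX_SHARDS["extracts-unique"] (or ELASTICSEARCH_SHARDS_NUMBER) in platform_settings.py.

```python
"""Pre-flight check for the IC 3.6.0 Elasticsearch data migration (added example, not EclecticIQ code).

Capture the input like this (explicit h= columns keep the format stable across ES versions):
  curl -sLk 'https://localhost:9200/_cat/allocation?v&h=node,disk.avail' -u <user>:<pass> > allocation.txt
  curl -sLk 'https://localhost:9200/_cat/shards/extracts-unique?v&h=index,shard,prirep,state' -u <user>:<pass> > shards.txt
  curl -sLk 'https://localhost:9200/_cat/indices/extracts-unique?v&h=index,pri,store.size' -u <user>:<pass> > indices.txt
then run: python3 preflight.py allocation.txt shards.txt indices.txt <configured primary shards>
"""
import re
import sys

# _cat prints sizes with 1024-based units, e.g. "118.4gb" or "0b".
_UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3, "tb": 1024 ** 4, "pb": 1024 ** 5}


def parse_size(text):
    """Convert a _cat byte-size string such as '12.5gb' into an integer number of bytes."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)([kmgtp]?b)", text.strip().lower())
    if not m:
        raise ValueError("unparseable _cat size: %r" % text)
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_cat(text):
    """Turn '?v' _cat output into a list of dicts keyed by header name.

    Rows whose field count differs from the header (e.g. the UNASSIGNED summary row
    of _cat/allocation, which carries no disk figures) are skipped.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    return [dict(zip(header, f)) for f in (ln.split() for ln in lines[1:]) if len(f) == len(header)]


def check_migration_capacity(allocation_txt, shards_txt, indices_txt, configured_shards):
    """Return the figures that decide whether the extracts-unique migration can run."""
    free_per_node = {r["node"]: parse_size(r["disk.avail"])
                     for r in parse_cat(allocation_txt) if r["node"] != "UNASSIGNED"}
    store_bytes = sum(parse_size(r["store.size"]) for r in parse_cat(indices_txt))
    primaries = [r for r in parse_cat(shards_txt) if r["prirep"] == "p"]
    return {
        "free_per_node": free_per_node,
        "free_bytes": sum(free_per_node.values()),
        "store_bytes": store_bytes,
        "enough_space": sum(free_per_node.values()) >= store_bytes,
        "primary_shards": len(primaries),
        "shards_match": len(primaries) == configured_shards,
        "unstarted_primaries": sum(1 for r in primaries if r["state"] != "STARTED"),
    }


# Constructed sample output in the shape of the three commands above (not from a real cluster).
SAMPLE_ALLOCATION = """\
node disk.avail
es-node-1 120.5gb
es-node-2 98.5gb
UNASSIGNED
"""
SAMPLE_SHARDS = """\
index shard prirep state
extracts-unique_v3 0 p STARTED
extracts-unique_v3 0 r STARTED
extracts-unique_v3 1 p STARTED
extracts-unique_v3 1 r STARTED
extracts-unique_v3 2 p STARTED
extracts-unique_v3 2 r STARTED
"""
SAMPLE_INDICES = """\
index pri store.size
extracts-unique_v3 3 150.5gb
"""


def main(argv):
    if len(argv) == 5:
        alloc, shards, indices = [open(p, encoding="utf-8").read() for p in argv[1:4]]
        configured = int(argv[4])
    else:  # no files given: run against the constructed sample
        alloc, shards, indices, configured = SAMPLE_ALLOCATION, SAMPLE_SHARDS, SAMPLE_INDICES, 3
    r = check_migration_capacity(alloc, shards, indices, configured)
    for node, free in r["free_per_node"].items():
        print("%-20s free %8.1f GiB" % (node, free / 1024 ** 3))
    print("cluster free %.1f GiB, extracts-unique store.size %.1f GiB -> %s" % (
        r["free_bytes"] / 1024 ** 3, r["store_bytes"] / 1024 ** 3,
        "OK" if r["enough_space"] else "NOT ENOUGH SPACE"))
    print("primary shards %d, configured %d -> %s" % (
        r["primary_shards"], configured, "match" if r["shards_match"] else "MISMATCH: migration will reshard"))
    if r["unstarted_primaries"]:
        print("WARNING: %d primary shard(s) not STARTED" % r["unstarted_primaries"])
    return 0 if r["enough_space"] and r["shards_match"] and not r["unstarted_primaries"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The cluster-wide sum is the minimum the release notes require; look at the per-node figures as well, because Elasticsearch will not allocate the shards of the new index to a node whose disk usage is above the allocation watermarks (cluster.routing.allocation.disk.watermark.high is 90% by default), so a cluster that passes on the total can still stall the migration if the free space sits on the wrong nodes.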

Known issues#

Changes and Known issues with TAXII 2.1

Performance fixes for TAXII 2.1 in Intelligence Center 3.3.1 introduced changes and known issues to the TAXII 2.1 server.

For more information, see TAXII 2.1.

  • Deleted Intelligence Requirements will still be linked to the Entities they matched.

  • In Observable scoring, the Number of Sources parameter shows wrong count. The count includes all sources, even though it was intended to exclude Enrichment sources.

  • Changing an Observable Risk Score policy will never result in the overall score of already scored Observables being lowered.

  • If an Observable Risk Score parameter is empty but enabled, it is still included in the parameter count for thresholds.

  • The Observable Risk Score preview only works if you’ve already saved the policy.

  • In an Observable risk score policy, no warning is shown when a value in a parameter is assigned multiple Risk scores, even though this is not intended and results in an error.

  • OpenAI key lost if upgrading 3.3.x to 3.5.0
    If you are upgrading from 3.3.x directly to 3.5.0 and had an OpenAI key configured, that key will be deleted during the upgrade. You will have to generate a new key and configure it after updating. This does not occur when updating from 3.4.x to 3.5.0.

  • Assigning a model to the NLP-to-Lucene or AI intelligence requirements matching capability may take a few minutes.

  • Size limit for STIX 2.1 PDF attachment size does not apply for total size of the attachments, just to the size per attachment.

  • Incoming and Outgoing feeds fail if any Observable value in them includes a string that matches a character forbidden in XML. The forbidden XML characters are U+FFFE, U+FFFF, and all UCS surrogates.

  • When External references are hidden, the counts given for filters still include these references.

  • External references are included in relational searches, but excluded from the Neighbourhood tab.

  • Tactics currently appear in ascending ID order instead of following the logical attack progression shown in official MITRE documentation.

  • Reports ingested via feed may generate additional untitled or empty attachment files when edited and published.

  • Widgets created on private dashboards are visible in the navigation menu to read-only users.

  • CSV export using “Current Columns” does not include all visible fields such as Custom Object name or Observable Risk Score.
    Workaround: Use Export > Custom Columns to include these fields.

  • Datasets without an assigned workspace are not visible in the ATT&CK Analysis menu.

  • Entities added to the graph while the timebar is enabled are not visible until published.
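A way to find the Observable values that trigger the feed failure described in the known issue on forbidden XML characters, before a feed run dies on them. This is an added example written for this page, not EclecticIQ code. FEED_BREAKING matches exactly the characters the release notes list (U+FFFE, U+FFFF and the surrogates U+D800..U+DFFF); XML_ILLEGAL goes further and applies the full XML 1.0 Char production, which also rejects the C0 control characters other than tab, LF and CR, so it flags every value that could not be serialised as well-formed XML. The observables in the block are constructed samples, and the (type, value) tuple shape is an assumption made for the example, not a platform data structure.

```python
"""Locate Observable values that make incoming and outgoing feeds fail (added example, not EclecticIQ code)."""
import re

# Exactly the characters the release notes list: all UCS surrogates, U+FFFE and U+FFFF.
FEED_BREAKING = re.compile(r"[\uD800-\uDFFF\uFFFE\uFFFF]")

# Complement of the XML 1.0 Char production:
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
XML_ILLEGAL = re.compile(r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]")


def illegal_positions(value, pattern=XML_ILLEGAL):
    """Return (index, 'U+XXXX') for every character of value that pattern rejects."""
    return [(m.start(), "U+%04X" % ord(m.group())) for m in pattern.finditer(value)]


def find_bad_observables(observables, pattern=XML_ILLEGAL):
    """Map each offending (type, value) pair to the illegal characters it contains."""
    report = {}
    for obs_type, value in observables:
        hits = illegal_positions(value, pattern)
        if hits:
            report[(obs_type, value)] = hits
    return report


def sanitize(value, pattern=XML_ILLEGAL):
    """Replace illegal characters with U+FFFD.

    This changes the observable value, so quarantine and review the original
    rather than silently ingesting the altered one.
    """
    return pattern.sub("\ufffd", value)


# Constructed sample observables as (type, value); not taken from a real feed.
SAMPLE_OBSERVABLES = [
    ("domain", "example.com"),               # clean
    ("file", "invoice\ufffe.pdf"),           # U+FFFE, listed in the release notes
    ("user-agent", "Mozilla/5.0 \udcff"),    # lone surrogate, typical of bytes decoded with surrogateescape
    ("uri", "http://example.net/\x01"),      # C0 control: passes FEED_BREAKING, still not well-formed XML
]

if __name__ == "__main__":
    for (obs_type, value), hits in find_bad_observables(SAMPLE_OBSERVABLES).items():
        print("%-10s %r -> %s" % (obs_type, value, ", ".join("%s at %d" % (cp, i) for i, cp in hits)))
```

Run it over an export of the Observables an affected feed selects; any hit under FEED_BREAKING is a value the feed cannot serialise, and hits that appear only under XML_ILLEGAL are worth cleaning up at the same time.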

Public API compatibility#

EclecticIQ Intelligence Center 3.0 and newer uses Public API v2. It follows the EclecticIQ Intelligence Center versioning scheme, e.g.,

  • EclecticIQ Intelligence Center 3.0.2 is compatible with eclecticiq-extension-api==3.0.*,

  • EclecticIQ Intelligence Center 3.1.0 is compatible with eclecticiq-extension-api==3.1.*, etc.

Download#

For more information about setting up repositories, refer to the installation documentation for your target operating system.

EclecticIQ Intelligence Center and dependencies for Rocky Linux and RHEL

  • Platform packages: https://downloads.eclecticiq.com/platform-packages-centos/

  • Platform dependencies: https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/

    Note

    The Intelligence Center dependencies URL for versions 2.9 and later is https://downloads.eclecticiq.com/platform-dependencies-centos-2.9/. It contains packages that are incompatible with versions 2.8 and earlier.

EclecticIQ Intelligence Center extensions

  • Platform extensions: https://downloads.eclecticiq.com/Extensions/

Upgrade#

The diagram below describes upgrade paths for EclecticIQ Intelligence Center. See the following for upgrade instructions:

In order to upgrade to EclecticIQ Intelligence Center 3.0 and later, you must:

Upgrade diagram

Upgrade diagram#