Minor release 3.7#
| Product | EclecticIQ Intelligence Center |
|---|---|
| Release version | 3.7.0 |
| Release date | March 2026 |
| Time to upgrade | ~40 minutes to upgrade an instance with 2.67 million Entities, 1.85 million Observables. |
| Time to migrate | For an instance with 2.67 million Entities, 1.85 million Observables: |
Important
IC 3.5.0 also contains PostgreSQL and Elasticsearch migrations. If you are upgrading from a version earlier than IC 3.5.0, read the 3.5.0 release notes.
Highlights#
This release brings a major leap forward in intelligence coverage, analyst efficiency, and platform flexibility. A curated TIP bundle delivers immediate access to high-value third-party intelligence streams, included for a limited evaluation period. Our Defense TIP configuration aligns cyber threat intelligence with military doctrine, while our deduplication capability delivers a transparent and controlled approach to entity consolidation. We’re also expanding our AI capabilities with on-demand web enrichment, so analysts never have to leave the platform to close an intelligence gap, and introducing native DISARM integration for influence operations analysis. Add content blocks for embedded platform visuals and custom attributes for standard entities, and this release has something for every analyst workflow. Read about everything below and plan your update today.
What’s new#
TIP Bundle#
A curated set of third-party data sources and services, included for a limited time. TIP Bundles available include: Bitdefender Sandbox Analyzer, ReversingLabs Spectra Analyze and Intelligence, ENISA EUVD vulnerability feeds, Modat Magnify Device DNA, VMRay UniqueSignal feeds, TruePattern feeds, and IntelFinder takedown requests.
Get started
See our Integrations to get started.
Defense TIP#
Defense TIP is a configurable capability that aligns Intelligence Center workflows with military doctrine, enabling defense and national security organizations to operate using terminology, metadata, and reporting structures consistent with established standards. It removes the need to reformat or retrofit commercial intelligence outputs, delivering analysis that is immediately actionable by commanders, planners, and mission partners without additional translation overhead.
Get started
See our Defense TIP documentation to get started.
Deduplication#
Deduplication consolidates duplicate STIX entities from multiple intelligence sources into a single, enriched view without sacrificing source fidelity or analyst control. Rather than relying on opaque automation, you control how certain fields are merged and retain full source attribution throughout. Manual merge and decouple actions allow for ongoing adjustments as new intelligence arrives, and all changes are logged for transparency and audit readiness.
Get started
See our Deduplication documentation to get started.
Web enrichment with AI#
Analysts can now search the web for additional context on any entity directly within the platform — no more context-switching to external tools mid-investigation. Powered by Perplexity AI, Web enrichment lets you ask targeted questions, review results, and immediately apply them by adding to notes, replacing or appending descriptions, or spinning off new entities. Follow-up questions support deeper exploration, and bulk enrichment streamlines updates across multiple entities at once.
Get started
See our Web enrichment with AI documentation to get started.
DISARM framework integration#
EclecticIQ Intelligence Center now natively integrates the DISARM framework, an open-source taxonomy for disinformation and influence operations analysis. Analysts can tag observed TTPs directly against the DISARM matrix, visualize tactic patterns, and share structured intelligence in STIX 2.1 and EIQ-JSON formats. Heatmaps, dashboards, and graph views surface connections across campaigns and support attribution as influence operations evolve.
Get started
See our DISARM documentation to get started.
Content blocks#
Analysts can now embed snapshots of platform visuals, such as graphs, dashboard widgets, and heatmaps, directly into entities, captured at the point of insertion. This eliminates manual screenshot-and-paste workflows and keeps visual context where it belongs: inside the intelligence record. Snapshots can be refreshed to capture an updated view when needed.
Telegram#
Analysts can now collect and analyze intelligence from Telegram channels directly within the platform. This removes the need to manually monitor Telegram outside the platform and brings collection, triage, and analysis into a single, unified environment.
Get started
See our Telegram documentation to get started.
Improvements#
Custom attributes for standard entities#
Standard STIX entities can now carry custom attributes, giving analysts the ability to capture specialized intelligence that falls outside predefined schema fields. Custom attributes support filtering, correlation, and scoring, and move critical context out of free text notes and into the structured entity record where it can be acted on consistently.
Fixes#
AI configuration issues
Fixed an error that prevented model selection for the natural language to search query feature, causing all options to return an invalid response.
Editor image caption alignment issue
Fixed an issue where image caption alignment was not applied correctly in the entity editor.
Graph observable to indicator link error
Fixed an error that caused some observable-to-indicator links to fail when publishing from the graph view.
SAML users unable to change locale setting
Fixed an issue where SAML users were incorrectly prompted for a password when saving profile settings, preventing them from updating locale and other non-authentication profile fields.
Feed password not loading correctly
Fixed an issue where passwords for existing feeds were not loaded correctly, causing feed discovery and collection retrieval to fail.
TAXII inbox feed ingestion error on duplicate detection
Fixed an issue where certain ingested packages triggered an “Update must match found duplicate” error during the deduplication phase. The error occurred when incoming STIX objects lacked a guaranteed ID field, causing the duplicate detection logic to fail incorrectly.
SFTP feed: Subfolder ingestion support
SFTP feeds can now be configured to ingest files from subfolders automatically. A new “Include subfolders” option in the feed configuration lets you set a scan depth of up to three subfolder levels, removing the need to create and maintain separate feeds when source folder structures change.
Configuration changes#
Users upgrading manually, without Ansible playbooks, must run an additional online migration step as part of the upgrade process. For details, see our documentation here.
Database and Elasticsearch migrations#
Database and Elasticsearch migrations for releases are run as part of the installation playbooks, or as part of the upgrade procedure (the `eiq-platform database upgrade` and `eiq-platform search upgrade` commands).
For this release, check that your PostgreSQL and Elasticsearch hosts have the required available disk space before running these migrations.
PostgreSQL required available disk space#
For the PostgreSQL host, you must have available disk space equal to at least the sum of the disk space used by these tables:
- audit_trail
- extract
To find the total disk space used by these tables, run this SQL command:
```sql
SELECT
  relname AS table_name,
  pg_size_pretty(pg_total_relation_size(relid)) AS total_size,
  pg_size_pretty(pg_table_size(relid)) AS table_size,
  pg_size_pretty(pg_indexes_size(relid)) AS indexes_size
FROM
  pg_catalog.pg_statio_user_tables
WHERE
  relname IN ('audit_trail', 'extract');
```
Elasticsearch required available disk space#
For the Elasticsearch hosts, you must have available disk space across your cluster equal to the size of the following indices:
- extracts-unique_v*
In addition, make sure that the following parameter in /etc/eclecticiq/platform_settings.py is set to a value that matches your deployment:
- SEARCH_INDEX_SHARDS
Example:
```python
SEARCH_INDEX_SHARDS = {
    "stix": 3,
    "relations": 3,
    "extracts-unique": 3,
    "extracts": 3,
}
```
Set the "extracts-unique" value to the existing number of primary shards your deployment has for the extracts-unique index if you do not want to reshard this index. Increase the number if you explicitly want to reshard the extracts-unique index during the Elasticsearch data migration process. (To decrease the shard count of an existing index, you must perform a manual reindexing operation before attempting the upgrade.)
See update platform_settings.py.
To find disk usage in your Elasticsearch cluster, use the Get shard allocation information endpoint. E.g.:
```shell
curl -sLk 'https://localhost:9200/_cat/allocation?v' -u <user>:<pass>
```
To see the number of primary shards your extracts-unique index has, use the Get shard information endpoint. E.g.:
```shell
curl -sLk 'https://localhost:9200/_cat/shards/extracts-unique?v' -u <user>:<pass>
```
To see the disk usage of your extracts-unique index, use the Get index information endpoint. E.g.:
```shell
curl -sLk 'https://localhost:9200/_cat/indices/extracts-unique?v' -u <user>:<pass>
```
The total available disk space across your cluster must be at least equal to the current store.size of your extracts-unique index for the Elasticsearch data migration to succeed.
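As an added preflight check, not part of the release notes or of the EclecticIQ product, the following Python parses the output of the three curl commands above and applies both rules from this section: summed disk.avail across data nodes must cover the store.size of the extracts-unique index, and SEARCH_INDEX_SHARDS must not be set below the current primary shard count (which would require a manual reindex first). The _cat output embedded here, including node names and IPs, is constructed sample data.

```python
"""Pre-upgrade checks for the extracts-unique migration, parsed from the _cat endpoints above.
The _cat output below is constructed sample data; feed it the real curl output for a live check."""
import re

_UNITS = {"b": 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3, "tb": 1024**4}

def parse_size(text):
    """Turn a human-readable _cat size such as '45.2gb' into bytes."""
    m = re.fullmatch(r"([0-9.]+)([kmgt]?b)", text.strip().lower())
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(float(m.group(1)) * _UNITS[m.group(2)])

def parse_cat(text):
    """Parse '?v' _cat output into row dicts; short rows (e.g. UNASSIGNED) are dropped."""
    rows = [ln.split() for ln in text.strip().splitlines() if ln.strip()]
    header = rows[0]
    return [dict(zip(header, r)) for r in rows[1:] if len(r) == len(header)]

def check_disk(allocation_text, indices_text):
    """disk.avail summed over data nodes must cover store.size of the index."""
    free = sum(parse_size(r["disk.avail"]) for r in parse_cat(allocation_text))
    needed = sum(parse_size(r["store.size"]) for r in parse_cat(indices_text))
    return free >= needed, free, needed

def check_shards(shards_text, configured):
    """Compare SEARCH_INDEX_SHARDS['extracts-unique'] with the live primary count."""
    primaries = sum(1 for r in parse_cat(shards_text) if r["prirep"] == "p")
    if configured == primaries:
        return "ok"  # keeps the current sharding, no reshard during migration
    if configured > primaries:
        return "reshard"  # migration will reshard the new index
    return "manual_reindex_required"  # lowering needs a reindex before upgrade

ALLOCATION = """shards disk.indices disk.used disk.avail disk.total disk.percent host     ip       node
    12       205.0gb   260.0gb    240.0gb    500.0gb           52 10.0.0.1 10.0.0.1 es-1
    12       205.0gb   260.0gb    240.0gb    500.0gb           52 10.0.0.2 10.0.0.2 es-2
     1                                                                              UNASSIGNED
"""
INDICES = """health status index              uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   extracts-unique_v3 Qw3rTyUiOpAsDfGhJkLzXc 3   1   1850000    0            410.0gb    205.0gb
"""
SHARDS = """index              shard prirep state   docs   store  ip       node
extracts-unique_v3 0     p      STARTED 616666 68.3gb 10.0.0.1 es-1
extracts-unique_v3 0     r      STARTED 616666 68.3gb 10.0.0.2 es-2
extracts-unique_v3 1     p      STARTED 616667 68.3gb 10.0.0.2 es-2
extracts-unique_v3 2     p      STARTED 616667 68.4gb 10.0.0.1 es-1
"""
```

With the sample data, check_disk reports 480gb free against 410gb needed, and check_shards returns "ok" for a configured value of 3, "reshard" for a higher value, and "manual_reindex_required" for a lower one.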
Known issues#
Changes and known issues with TAXII 2.1
Performance fixes for TAXII 2.1 in Intelligence Center 3.3.1 introduced changes and known issues to the TAXII 2.1 server. For more information, see TAXII 2.1.
- Deleted Intelligence Requirements will still be linked to the Entities they matched.
- In Observable scoring, the Number of Sources parameter shows the wrong count. The count includes all sources, even though it was intended to exclude Enrichment sources.
- Changing an Observable Risk Score policy will never result in the overall score of already scored Observables being lowered.
- If an Observable Risk Score parameter is empty but enabled, it is still included in the parameter count for thresholds.
- The Observable Risk Score preview only works if you’ve already saved the policy.
- In an Observable risk score policy, no warning is shown when a value in a parameter is assigned multiple Risk scores, even though this is not intended and results in an error.
- Assigning a model to the NLP to Lucene or AI intelligence requirements matching capability may take a few minutes.
- The size limit for STIX 2.1 PDF attachments does not apply to the total size of the attachments, just to the size per attachment.
- Incoming and Outgoing feeds fail if any Observable value in them includes a string that matches a character forbidden in XML. The forbidden XML characters are U+FFFE, U+FFFF, and all UCS surrogates.
- When External references are hidden, the counts given for filters still include these references.
- External references are included in relational searches, but excluded from the Neighbourhood tab.
- Tactics currently appear in ascending ID order instead of following the logical attack progression shown in official MITRE documentation.
- Reports ingested via feed may generate additional untitled or empty attachment files when edited and published.
- Widgets created on private dashboards are visible in the navigation menu to read-only users.
- CSV export using “Current Columns” does not include all visible fields, such as Custom Object name or Observable Risk Score.
  Workaround: Use Export > Custom Columns to include these fields.
- Entities added to the graph while the timebar is enabled are not visible until published.
Public API compatibility#
EclecticIQ Intelligence Center 3.0 and newer uses Public API v2. It follows the EclecticIQ Intelligence Center versioning scheme, e.g., EclecticIQ Intelligence Center 3.0.2 is compatible with eclecticiq-extension-api==3.0.*, EclecticIQ Intelligence Center 3.1.0 is compatible with eclecticiq-extension-api==3.1.*, etc.
Download#
For more information about setting up repositories, refer to the installation documentation for your target operating system.
- EclecticIQ Intelligence Center and dependencies for Rocky Linux and RHEL
- EclecticIQ Intelligence Center extensions
Upgrade#
See the following for upgrade instructions:
In order to upgrade to EclecticIQ Intelligence Center 3.0 and later, you must be running one of the supported operating systems. See:
- Rocky Linux’s documentation:
  * for migrating to Rocky Linux
  * for upgrading Rocky Linux
- RHEL’s documentation:
  * for upgrading 7 > 8
  * for upgrading 8 > 9