# Maintenance release 3.7.2

| Product | EclecticIQ Intelligence Center |
|---|---|
| Release version | 3.7.2 |
| Release date | May 2026 |
| Time to upgrade | ~40 minutes to upgrade an instance with 2.67 million entities, 1.85 million observables. |
| Time to migrate | For an instance with 2.67 million entities, 1.85 million observables: |
**Certain entity or observable rules are incompatible with IC 3.7.2**

Entity and observable rules which contain regular expressions that end with the sequence `<escape_char>.*` will fail in IC 3.7.2. You should validate and update these rules before upgrading to IC 3.7.2. For information on how to validate your rules and fix them, see Validate rules.
## Changed

**Observable Maliciousness Resolution via Source Reliability**
Extract rules now determine observable maliciousness based on source reliability hierarchy. When multiple sources report conflicting assessments, the platform applies rules from the highest-reliability source, ensuring consistent classifications regardless of ingestion order. Administrators can configure tie-break behavior for equal-reliability sources (most restrictive or most permissive) via the OBSERVABLE_MALICIOUSNESS_TIE_BREAK setting.
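As an added illustration of the resolution order described above (example code written for this page, not EclecticIQ's implementation), the function below applies the assessment from the highest-reliability source and only falls back to a tie-break for sources of equal reliability. The Admiralty-style reliability grades, the maliciousness levels, the two tie-break values and the sample assessments are assumptions; the product's real value sets and the exact semantics of `OBSERVABLE_MALICIOUSNESS_TIE_BREAK` are not given on the page.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed reliability hierarchy: Admiralty-style grades, A (completely reliable)
# down to F (reliability cannot be judged). A higher rank outranks a lower one.
RELIABILITY_RANK = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1, "F": 0}

# Assumed maliciousness levels, ordered from most permissive to most restrictive.
MALICIOUSNESS_LEVELS = ["safe", "low", "medium", "high"]

# Assumed names for the tie-break setting's two values.
TIE_BREAK_MOST_RESTRICTIVE = "most_restrictive"
TIE_BREAK_MOST_PERMISSIVE = "most_permissive"


@dataclass(frozen=True)
class Assessment:
    source: str
    reliability: str      # a key of RELIABILITY_RANK
    maliciousness: str    # a value of MALICIOUSNESS_LEVELS


def resolve_maliciousness(assessments: Iterable[Assessment],
                          tie_break: str = TIE_BREAK_MOST_RESTRICTIVE) -> Optional[str]:
    """Pick the maliciousness to apply from conflicting source assessments.

    1. Only assessments from the highest-reliability source(s) are considered;
       a lower-reliability source never overrides them, whatever it reports.
    2. If several sources share that reliability and disagree, the tie-break
       setting decides: most restrictive (highest level) or most permissive.
    The result depends only on the set of assessments, not on their order.
    """
    if tie_break not in (TIE_BREAK_MOST_RESTRICTIVE, TIE_BREAK_MOST_PERMISSIVE):
        raise ValueError(f"unknown tie-break setting: {tie_break!r}")
    pool = list(assessments)
    if not pool:
        return None
    for a in pool:
        if a.reliability not in RELIABILITY_RANK:
            raise ValueError(f"{a.source}: unknown reliability grade {a.reliability!r}")
        if a.maliciousness not in MALICIOUSNESS_LEVELS:
            raise ValueError(f"{a.source}: unknown maliciousness {a.maliciousness!r}")
    top_rank = max(RELIABILITY_RANK[a.reliability] for a in pool)
    finalists = [a for a in pool if RELIABILITY_RANK[a.reliability] == top_rank]
    levels = [MALICIOUSNESS_LEVELS.index(a.maliciousness) for a in finalists]
    chosen = max(levels) if tie_break == TIE_BREAK_MOST_RESTRICTIVE else min(levels)
    return MALICIOUSNESS_LEVELS[chosen]


# Constructed sample: three sources report the same observable differently.
SAMPLE = [
    Assessment("vendor-feed", "B", "high"),
    Assessment("open-source-list", "D", "low"),
    Assessment("partner-feed", "B", "low"),
]


def demo():
    """Same input in two orders, then the permissive tie-break."""
    in_order = resolve_maliciousness(SAMPLE)
    reversed_order = resolve_maliciousness(reversed(SAMPLE))
    permissive = resolve_maliciousness(SAMPLE, TIE_BREAK_MOST_PERMISSIVE)
    return in_order, reversed_order, permissive


if __name__ == "__main__":
    print(demo())  # ('high', 'high', 'low')
```

The two B-grade sources disagree, so the tie-break decides between them; the D-grade source is ignored entirely, and reversing ingestion order changes nothing.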
**AI Content Generation Entity Linking**
Fixed AI-generated Report entities to maintain proper relationships with the original entity selection that prompted generation. Reports now link directly to selected entities rather than only to common observables, improving discoverability and context within the graph.
**Extract Rules Regex Optimization**
Improved extract rule regex performance by switching to google-re2 non-backtracking regex engine for all user-provided regular expressions.
## Fixes

**Public HTTP API Observable Handling**
Fixed API-related errors in the generation of empty and duplicate observables.
**Intelligence Compass Requirement Fixes**
Fixed Intelligence Requirement matching logic for unified entities in the overview detail pane, and column sorting persistence after updating records.

**Bulk Tagging Operations**
Fixed bulk add and remove tag operations to send all tags instead of only the first 10.

**Entity Relationship Creation**
Fixed issue where adding relationships to entities would break the application.

**STIX Support Improvements**
Fixed STIX label convention handling and added the missing STIX 2.1 export option to the graph context menu.

**Dataset Workspace Field Requirement**
Removed the mandatory workspace field check for new dataset creation.

**Threshold Type Validation**
Fixed form error resulting from inactive entities threshold type validation.

**Graph Node Opacity**
Fixed graph node foreground opacity issue on entity selection.

**IPv6 Address Validation**
Adjusted IPv6 address regex validation to handle additional address formats.
## Known issues

- Changes and known issues with TAXII 2.1: performance fixes for TAXII 2.1 in Intelligence Center 3.3.1 introduced changes and known issues to the TAXII 2.1 server. For more information, see TAXII 2.1.
- Deleted Intelligence Requirements will still be linked to the Entities they matched.
- In Observable Risk Scores, the Number of Sources parameter shows the wrong count. The count includes all sources, even though it was intended to exclude Enrichment sources.
- Changing an Observable Risk Score policy will never result in the overall score of already scored Observables being lowered.
- If an Observable Risk Score parameter is empty but enabled, it is still included in the parameter count for thresholds.
- The Observable Risk Score preview only works if you have already saved the policy.
- Observable scores can be exported as both EIQ JSON and CSV, but not ingested into an Intelligence Center instance.
- In an Observable Risk Score policy, no warning is shown when a value in a parameter is assigned multiple Risk scores, even though this is not intended and results in an error.
- Assigning a model to the NLP to Lucene capability may take a few minutes.
- The size limit for STIX 2.1 PDF attachments applies per attachment, not to the total size of all attachments.
- Incoming and Outgoing feeds fail if any Observable value in them includes a character forbidden in XML. The forbidden XML characters are U+FFFE, U+FFFF, and all UCS surrogates (U+D800 to U+DFFF).
- Retention policies and Outgoing and Incoming feeds display the user's timezone, but execute as if the entered time were in UTC. Treat any times set or encountered while configuring these feeds and policies as UTC.
- Relationships created through Graphs are not assigned the default TLP if the Source entity was also created on the graph. Be sure to assign the required TLP to the Relationship manually.
- When External references are hidden, the counts given for filters still include these references.
- External references are included in relational searches, but excluded from the Neighbourhood tab.
- In Search and browse, when using Bulk actions to create a new Indicator or Sighting entity and add the selected Observables to it, only two hundred Observables are added. Be sure to portion out the Observables when using Bulk actions to add to an Indicator or Sighting entity.
- Data tables, such as those on an Observable's Neighbourhood tab, cannot be sorted.
- Going to the Observables tab of an Entity, selecting Observables, and selecting Remove from Entity does not work.
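To catch the feed failure from the XML known issue before a feed runs, here is an added pre-flight check (example code written for this page, not part of the release notes or the product): it scans observable values for the code points the known issue lists, U+FFFE, U+FFFF and lone UCS surrogates. The sample values are constructed; the last one shows the usual way lone surrogates get into a Python string, namely bytes that are not valid UTF-8 decoded with the `surrogateescape` error handler.

```python
from typing import Dict, Iterable, List, Tuple

FORBIDDEN_NONCHARACTERS = {0xFFFE, 0xFFFF}
SURROGATE_RANGE = (0xD800, 0xDFFF)   # UCS surrogates; never valid as lone code points in XML


def forbidden_xml_positions(value: str) -> List[Tuple[int, int]]:
    """Return (index, code point) for every character the known issue lists as
    forbidden: U+FFFE, U+FFFF and any UCS surrogate.

    XML 1.0 also rejects most C0 control characters; this check deliberately
    covers only the code points named in the release notes.
    """
    hits = []
    for index, ch in enumerate(value):
        cp = ord(ch)
        if cp in FORBIDDEN_NONCHARACTERS or SURROGATE_RANGE[0] <= cp <= SURROGATE_RANGE[1]:
            hits.append((index, cp))
    return hits


def screen_observable_values(values: Iterable[str]) -> Tuple[List[str], Dict[str, List[Tuple[int, int]]]]:
    """Partition values into ones safe to put in a feed and ones that would make
    the feed fail, the latter keyed by value with the offending positions."""
    clean: List[str] = []
    rejected: Dict[str, List[Tuple[int, int]]] = {}
    for value in values:
        hits = forbidden_xml_positions(value)
        if hits:
            rejected[value] = hits
        else:
            clean.append(value)
    return clean, rejected


# Constructed sample observable values.
SAMPLE_VALUES = [
    "example.com",
    "198.51.100.7",
    "\U0001F600.example",                                   # astral code point: allowed, one char in Python
    "bad\ufffe.example",                                    # U+FFFE noncharacter: forbidden
    b"caf\xe9.example".decode("utf-8", "surrogateescape"),  # invalid UTF-8 byte -> lone U+DCE9: forbidden
]


def screen_sample():
    return screen_observable_values(SAMPLE_VALUES)


if __name__ == "__main__":
    clean, rejected = screen_sample()
    print("clean:", clean)
    # ascii() because a lone surrogate cannot be encoded for a UTF-8 terminal either.
    for value, hits in rejected.items():
        print("rejected:", ascii(value), [f"index {i}: U+{cp:04X}" for i, cp in hits])
```

A proper astral character such as U+1F600 is not flagged, because Python stores it as one code point; only lone surrogates, which is what a broken decode leaves behind, trip the check.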
## Public API compatibility

EclecticIQ Intelligence Center 3.0 and newer uses Public API v2. It follows the EclecticIQ Intelligence Center versioning scheme, e.g.:

- EclecticIQ Intelligence Center 3.0.2 is compatible with `eclecticiq-extension-api==3.0.*`
- EclecticIQ Intelligence Center 3.1.0 is compatible with `eclecticiq-extension-api==3.1.*`, etc.
## Download

For more information about setting up repositories, refer to the installation documentation for your target operating system.

| EclecticIQ Intelligence Center and dependencies for Rocky Linux and RHEL | |
|---|---|
| EclecticIQ Intelligence Center extensions | |
## Upgrade

See the following for upgrade instructions:

In order to upgrade to EclecticIQ Intelligence Center 3.0 and later, you must be running one of the supported operating systems. See:

- Rocky Linux's documentation:
  - for migrating to Rocky Linux
  - for upgrading Rocky Linux
- RHEL's documentation:
  - for upgrading 7 > 8
  - for upgrading 8 > 9
## Validate rules

IC 3.7.2 introduced optimizations to entity and observable rules regular expression handling that can break existing rules that contain patterns that start or end with wildcard sequences `.*`.

For example, these patterns will cause rules that contain them to fail in IC 3.7.2:

```
.*?Match this string.*?
https://example.com\.*
```

This causes functionality that depends on these rules to fail, in particular ingestion of incoming feed packages.

To avoid this issue, either:

- update your rules to remove leading and trailing `.*` sequences, OR
- enclose trailing `.*` sequences in parentheses, i.e. `.*` is changed to `(.*)`.

We have provided a package containing scripts that validate your platform's entity and observable rules at validate_rules-latest.zip (validate_rules-latest.zip.sha256sum.txt). Check the downloaded archive against the published SHA-256 checksum before you extract and run it.

Follow the instructions in the next section to validate your entity and observable rules.
### Instructions to validate rules

These instructions are for administrators who have experience running shell and Python scripts in a Bash shell or similar. Run the following commands in your local terminal environment as a non-root user.

You need the following software installed in your local environment (the steps below use them): Python 3 with the `venv` module, `curl`, and a Bash-compatible shell.

1. Create an API token for your platform instance. The user the token belongs to must be assigned a role with at least `read rules` permissions. For more information, see Create an API token.

2. On your local environment, create a temporary directory and navigate to it:

   ```bash
   mkdir "tmp-validate-rules-$(date +%s)" && cd $_
   ```

3. Download this package and extract its contents into this temporary directory.

4. Create a Python virtual environment and activate it:

   ```bash
   python3 -m venv .venv
   source .venv/bin/activate
   ```

5. Create a `.env` file. In it, set the `EIQ_API_TOKEN` and `EIQ_BASEURL` environment variables:

   ```bash
   export EIQ_API_TOKEN=<API token from step 1>
   export EIQ_BASEURL=<platform URL. E.g. https://cti.example.com>
   ```

   The `.env` file holds your API token: keep it out of version control and delete the temporary directory when you are done.

6. Load your `.env` file:

   ```bash
   source .env
   ```

7. Run `./get_rules.sh`:

   ```bash
   chmod +x get_rules.sh
   ./get_rules.sh run
   ```

   - If your platform uses a self-signed TLS certificate, run with `--insecure` (ignores certificate validation; you must trust the URL set at `EIQ_BASEURL`).
   - If you are using a private CA, modify the `curl` command in `get_rules.sh` so that your CA certificate is passed to it.
   - If the script runs successfully, you should see 2 new `*.jsonl` files, e.g. `entity-rules-1780306376.jsonl` and `observable-rules-1780306376.jsonl`.

8. Run `validate_rules.py` on each of these 2 new files:

   ```bash
   python validate_rules.py -f <FILENAME>
   ```

   E.g.:

   ```bash
   python validate_rules.py -f observable-rules-1780306376.jsonl
   ```
When you run `python validate_rules.py -f <FILENAME>`, it processes the set of rules contained in the JSONL file and reports if any patterns in your platform's rules will fail in IC 3.7.2.

Example of validate_rules.py finding problematic rules:

```
$ python validate_rules.py -f entity-rules-1780305540.json
Regex failed to compile: bad escape (end of pattern) at position 6
-- Possible invalid wildcard in 'adsf\.\.*'
-- Fix by removing the wildcard, or by enclosing the wildcard in parentheses e.g. '\.*' becomes '(\.*)'
[ENTITY RULE FAILED VALIDATION]: [ID - 1]: my rule
[SUMMARY]
1 patterns failed validation. See logged output. Please fix these patterns before upgrading to IC 3.7.2.
Finished validation.
```

Example of validate_rules.py finding no problematic rules:

```
$ python validate_rules.py -f observable-rules-1780305486.json
[SUMMARY]
PASSED. All rules in observable-rules-1780305486.json are valid
Finished validation.
```
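The following is an added example, not the `validate_rules.py` script from the package: a stand-alone Python check that reproduces the failure shape shown above and applies the fix the release notes recommend. It assumes, consistent with the error `bad escape (end of pattern) at position 6` reported for `adsf\.\.*`, that the optimization drops unparenthesized leading and trailing `.*` runs before compiling, so a pattern ending in `\.*` is left with a dangling backslash (position 6 of `adsf\.\`). The `(rule id, pattern)` input shape and the sample rules are constructed; the JSONL field names written by `get_rules.sh` are not shown on the page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Unparenthesized wildcard runs (".*" or ".*?", possibly repeated) at either end of a pattern.
_LEADING_WILDCARDS = re.compile(r"^(?:\.\*\??)+")
_TRAILING_WILDCARDS = re.compile(r"(?:\.\*\??)+$")
# The shape the release notes call out: an escape character right before a trailing ".*".
_ESCAPED_TRAILING = re.compile(r"\\\.\*\??$")


@dataclass
class RuleCheck:
    rule_id: str
    pattern: str
    status: str               # "pass", "warn" or "fail"
    message: str
    suggested: Optional[str]  # a pattern to use instead, when there is one


def strip_wildcards(pattern: str) -> str:
    """Drop unparenthesized leading and trailing wildcard runs.

    Assumption: this mimics the IC 3.7.2 optimization. For r"adsf\.\.*" it yields
    r"adsf\.\", which ends in a lone backslash and therefore no longer compiles.
    """
    return _TRAILING_WILDCARDS.sub("", _LEADING_WILDCARDS.sub("", pattern))


def suggest_fix(pattern: str) -> Optional[str]:
    """Apply the fix from the release notes ('\\.*' at the end becomes '(\\.*)')
    and return it only if the result survives the optimization and compiles."""
    m = _ESCAPED_TRAILING.search(pattern)
    if m is None:
        return None
    fixed = pattern[: m.start()] + "(" + pattern[m.start():] + ")"
    try:
        re.compile(strip_wildcards(fixed))
    except re.error:
        return None
    return fixed


def check_rule(rule_id: str, pattern: str) -> RuleCheck:
    """Compile the pattern as the optimization would see it and classify the result."""
    stripped = strip_wildcards(pattern)
    try:
        re.compile(stripped)
    except re.error as exc:
        return RuleCheck(rule_id, pattern, "fail",
                         f"Regex failed to compile: {exc}", suggest_fix(pattern))
    if stripped != pattern:
        # Still compiles, but the release notes say to remove or parenthesize these.
        return RuleCheck(rule_id, pattern, "warn",
                         "leading/trailing .* is dropped by the optimization; "
                         "remove it or wrap it as (.*)", stripped)
    return RuleCheck(rule_id, pattern, "pass", "ok", None)


def validate_rules(rules: Iterable[Tuple[str, str]]) -> List[RuleCheck]:
    return [check_rule(rule_id, pattern) for rule_id, pattern in rules]


def failed_ids(results: Iterable[RuleCheck]) -> List[str]:
    return [r.rule_id for r in results if r.status == "fail"]


# Constructed sample rules; ids and patterns are made up for this example.
SAMPLE_RULES = [
    ("1", r"adsf\.\.*"),               # the failing pattern from the release notes
    ("2", r"https://example.com\.*"),  # trailing escaped wildcard from the release notes
    ("3", r".*?Match this string.*?"), # leading/trailing wildcards, no escape
    ("4", r"adsf\.(\.*)"),             # the suggested fix: compiles as-is
    ("5", r"^[0-9a-f]{64}$"),          # ordinary pattern
]

if __name__ == "__main__":
    for r in validate_rules(SAMPLE_RULES):
        extra = f" (suggested: {r.suggested!r})" if r.suggested else ""
        print(f"[{r.status.upper()}] rule {r.rule_id}: {r.pattern!r} -> {r.message}{extra}")
```

Rule 1 fails with the same message the package script prints, and the suggested replacement `adsf\.(\.*)` is rule 4, which passes unchanged. Note that a pattern ending in an escaped backslash followed by `.*` (`abc\\.*`) is not a failure: stripping leaves `abc\\`, which compiles, so the check only suggests the parenthesized fix when compilation actually breaks.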