
Version 5.4.0

@SamuelHassine SamuelHassine released this 18 Nov 17:39
3f3fdce

🔔DING! DING!🔔 Dear community, we are so proud to announce that OpenCTI version 5.4.0 has been released 💥! This was a huge joint effort from the brand new Filigran engineering team as well as all community contributors 🍻. Thank you everyone for your continuous efforts to make OpenCTI the world-leading threat intelligence platform 🙏!

This milestone contains important new features but also the adoption of more systematic development best practices (TypeScript, pure functions, etc.) 🧩 that will allow us to speed up future milestones in the months and years to come 🚀.

First of all, OpenCTI 5.4.0 brings long-awaited features 🎁:

  • bulk search of entities and observables in the platform 🔍;
  • customization of workflow statuses for all entity types 🛠️;
  • an analyst workbench to model entities and relationships in bulk, easily, before creating the knowledge in the platform 👩‍💻;
  • new inference rules to propagate reports to parent entities (sectors / locations) 🗺️;
  • performance improvement from the new way indicator syntax is validated (indicator creation is about 10x faster) 🚅;
  • connectors can now be denied from creating new labels, so a set of pre-defined labels can be kept in the platform ✨;
  • country flags for IP observables when a located-at relationship to a specific country is set 🏴;
  • new dedicated capabilities for notes and opinions, so that even read-only users can give feedback ✍️;
  • the STIX 2.1 "Grouping" entity type, to cluster information without creating a report when a report is not relevant 📦;
  • Japanese translation, OpenTelemetry, investigation improvements and much more 💝...

Last but not least, this release introduces a major new data segregation and sharing capability by organization 🏢. Administrators can associate users with organizations (organizations can themselves belong to parent organizations) and distribute knowledge to one or several organizations in the platform 🔓.

It is also possible to set a default organization for the whole platform, so that all data is restricted to it and information can then be shared progressively 🌎. A demonstration video will be published to better explain this new feature, which will help organizations open access to third parties / constituents with full confidence in the confidentiality of their data 🥳.

⚠️ All internal-export-file connectors must now be launched with a user that has the Administrator role, because they now impersonate the user requesting the export, so that an export only contains what the requester is allowed to see and no data leaks through the connector. Note that the connector's token is therefore a full-administrator credential and should be protected accordingly.

⚠️ The technical creators (users) of existing entities are no longer mapped from the history, so they are displayed as "SYSTEM". New entities / relationships are created with the correct creator fully modelled. To recover the creator information for your existing data, launch a background task (based on the history) on the selected entities (or all of them) from the mass operations toolbar: Update => Replace => Creator.

⚙️ When using the organization segregation capability, it is recommended to enable the inference rule ORGANIZATION PROPAGATION VIA PARTICIPATION: if user A participates in organization B and organization B is part of organization C, the rule infers that user A also participates in organization C.
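The two notes above (export connectors impersonating the requesting user, and organization membership propagating up the part-of hierarchy) are easier to reason about with a small model. The following Python is an added illustration, not OpenCTI code: it uses constructed users, organizations and objects, reduces visibility to one rule (an object shared with no organization is open; otherwise the reader must participate in one of the object's organizations; Administrators see everything) and ignores marking definitions and the platform default organization. The `export-connector` account and the org/user names are hypothetical.

```python
from collections import deque

# Constructed sample data (not taken from any real platform).
PART_OF = {          # organization -> organizations it is part of (its parents)
    "soc-team": ["acme"],
    "acme": ["acme-group"],
    "acme-group": [],
    "partner": [],
}
PARTICIPATES = {     # user -> organizations explicitly assigned to the user
    "alice": ["soc-team"],
    "bob": ["partner"],
    "export-connector": [],      # hypothetical connector service account
}
ADMINS = {"export-connector"}    # users holding the Administrator role
OBJECTS = [          # knowledge shared with zero or more organizations
    {"id": "report--group", "orgs": ["acme-group"]},
    {"id": "report--soc", "orgs": ["soc-team"]},
    {"id": "report--partner", "orgs": ["partner"]},
    {"id": "indicator--open", "orgs": []},   # no organization restriction
]


def effective_organizations(user, part_of=PART_OF, participates=PARTICIPATES,
                            propagate=True):
    """Organizations the user participates in.

    With propagate=True this applies "A participates in B and B is part of C
    => A participates in C" transitively by walking up the part_of graph.
    A visited set keeps the walk finite even if part_of contains a cycle.
    """
    seen = set()
    queue = deque(participates.get(user, []))
    while queue:
        org = queue.popleft()
        if org in seen:
            continue
        seen.add(org)
        if propagate:
            queue.extend(part_of.get(org, []))
    return seen


def visible_objects(user, propagate=True):
    """Object ids the user may read: everything for Administrators, otherwise
    unrestricted objects plus objects shared with one of the user's effective orgs."""
    if user in ADMINS:
        return [o["id"] for o in OBJECTS]
    orgs = effective_organizations(user, propagate=propagate)
    return [o["id"] for o in OBJECTS if not o["orgs"] or orgs & set(o["orgs"])]


def export_bundle(requesting_user, connector_user, impersonate=True, propagate=True):
    """Simulate an internal-export-file connector producing an export.

    impersonate=True : the export is computed with the requester's own rights.
    impersonate=False: the export is computed with the connector's (Administrator)
                       rights, so it can contain objects the requester may not see.
    """
    effective_user = requesting_user if impersonate else connector_user
    return visible_objects(effective_user, propagate=propagate)


def leaked_ids(requesting_user, connector_user, propagate=True):
    """Objects a non-impersonating export would hand to the requester that the
    requester cannot read directly, i.e. the leak impersonation closes."""
    without = set(export_bundle(requesting_user, connector_user,
                                impersonate=False, propagate=propagate))
    allowed = set(visible_objects(requesting_user, propagate=propagate))
    return sorted(without - allowed)


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "without propagation:", sorted(visible_objects(user, propagate=False)))
        print(user, "with propagation:   ", sorted(visible_objects(user)))
        print(user, "leaked by a non-impersonating export:",
              leaked_ids(user, "export-connector"))
```

Without the propagation rule alice, assigned only to soc-team, does not see the report shared with acme-group even though soc-team is part of acme and acme is part of acme-group; with the rule enabled she does. The same mechanism is why sharing knowledge with a top-level organization effectively shares it with every member of every sub-organization, which is worth keeping in mind when choosing the platform default organization. `leaked_ids` shows what an export computed with the connector's own Administrator rights would have handed to bob, and why the connector now impersonates the requester instead.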

Since the last release, MinIO has introduced a breaking change. If you decide to upgrade MinIO, a migration procedure must be applied. Please read https://min.io/docs/minio/linux/operations/install-deploy-manage/migrate-fs-gateway.html

Enhancements:

  • #2543 [api] Improve version checking of platform start
  • #2535 Be able to hide background tasks screen using RBAC capabilities
  • #2530 Add new attributes to the entity incident
  • #2502 Improv dev env by injecting a data set
  • #2483 Be able to use workflow status in the stream filters
  • #2475 Implement the "Grouping" STIX 2.1 entity as a container
  • #2470 Limit the history message length both in backend (when inserting) and frontend
  • #2464 Title and meta description of the platform
  • #2463 [api] Add usage of impersonate feature to connectors
  • #2456 Add Japanese translation
  • #2446 Add "Shodan" Pattern Type to Indicators
  • #2435 [api] Filters support multiples keys to search on
  • #2420 Add a quick filter for sighting lists (false / true positive)
  • #2408 Full refactor of pre-validation screen into an analyst workbench
  • #2414 Support "content_ref" for StixFile to Artifact (obs_content ?) relation
  • #2406 [Feature] Filter for 'Score less than' within Retention Policy Rules
  • #2401 Improve of performance indicator checkIndicatorSyntax function
  • #2397 Enhance the view of the rules definition in the frontend
  • #2341 [rules] Add report objects related rules
  • #2336 Bulk search of SDOs and SCOs
  • #2331 Mass delete labels
  • #2293 Add Infrastructure fields to UI when creating new Objects
  • #2263 Ability to search OpenCTI for a list of Observables (as opposed to one by one)
  • #2196 Finer access controls for Reports for feedback - Separate "Opinions" as a knowledge creation access control under roles.
  • #2188 Add organizations restrictions on top of markings to increase data segregation possibilities
  • #2163 Entity details edition during data import
  • #2116 Session refresh on user rights change
  • #2109 Create/Update notes and opinions specifying author with a different user
  • #2029 Add technical creator in data + ordering/filtering
  • #1991 Exporting Report details, Malware or Intrusion Sets is hard to do
  • #1943 Ability to create additional custom workflow status names straight from the UI if possible.
  • #1934 Ability to expand to any kind of entity from Investigations Workspace
  • #1867 Removing report
  • #1799 Bulk creation of knowledge around a threat entity
  • #1781 STIX ID standard is useless to analysts but have the most visible spot in item pages
  • #1757 Add Indicator to Report when Observable+Indicator created within the context of a Report
  • #1755 Be able to select labels to import
  • #1730 Add country flag icons to IPv4/IPv6 observables
  • #1596 Expose worker metrics for prometheus
  • #1468 Remove entities after report deletion
  • #1428 Suppressing an entity does not suppress its relations
  • #1182 Infrastructure, Systems and Vulnerabilities
  • #1071 No way to implement STIX's Windows Service (and Process) extensions

Bug Fixes:

  • #2550 Events/Incidents/Observables. Doesn't display more than 25 observables.
  • #2487 Empty channels type break the UI
  • #2448 Pending Imports UI potentially referencing incorrect path for STIX bundles when APP__BASE_PATH is set

Full Changelog: 5.3.17...5.4.0