Skip to content

Version 6.2.0

Compare
Choose a tag to compare
@Filigran-Automation Filigran-Automation released this 28 Jun 11:40
· 619 commits to master since this release
91e6a60

Dear community, we're excited to announce the launch of OpenCTI 6.2! 🥳This update focuses on three main use cases: improving the platform usability to reduce analyst fatigue, aiding administrators in managing the application, and enhancing customization to cater to your needs.

In Cyber Threat Intelligence, there are a lot of ways to display and analyse characteristics of a threat, phase of attacks, and so on. Among them, the Diamond Model is a well known and useful analytic framework, but one that can be hard to harness and produce. OpenCTI 6.2 introduces an automatically generated Diamond Model for each Threats in the platform and each Incidents! 💎 This new view, accessible in the Knowledge tab of the entity, is based on all the knowle7dge accumulated around it. No manual work is required here and you can focus your precious time on analyzing the subject through the Diamond Model analytical framework! 🧠

Extracting structured knowledge from documents is a tedious and time-consuming task. Therefore, we've moved the content mapping to the content section for logical consistency and have improved the UX to be clearer and simpler to use. It is now available for all containers. 🤩 We've also added an auto-saving of the content, eliminating the need to manually save your work. 💾 Note that this auto-saving is not implemented for files you modify here, at the moment.
To further ease the process of mapping each entity within text content, we've introduced automatic mapping! This feature will recognize entities that already exist on your platform. Currently, there is no magic. Mapping suggestion are based on the current capability of the ImportDocument connector (used also when you generate an Analyst Workbench from the import of a file) and there is still noise created. This is our first step towards an AI-assisted (NLP) automatic mapping that will ensure smarter extraction and less noise! 🪄

In OpenCTI 6.2, we've also made it possible to automate the creation of Analyst Workbenches for External Reference coming from a specific source. For example, it can be used to automatically create an Analyst Workbench for Reports coming from an RSS feed, automating the ingestion process while ensuring data correctness. The RSS feed triggers the external ref connector, which triggers the import document, resulting in workbenches created for each new incoming report. 💯

For our Entreprise Edition users, we have also enhanced “Ask AI” functionality: it can now leverage files uploaded from External References! 💡

Talking about ingestion, we've enhanced the CSV feed ingestion with a feature that uses the default value set in your CSV mapper to populate the marking. This simplifies data classification control and ensures that only users with sufficient marking can access data imported from CSV feeds.

On the administrative side, the Role-Based Access Control (RBAC) capabilities have been reworked to allow administrators to manage access in a more granular way. This long awaited feature will help administrators to better control who has access to what. Each menus of the Settings are now linked to a specific Capability and now an administrator can grant management of labels to a user without granting them the ability to change the interface. 🔒
We've also introduced a new "Access security activity" capability that allows to see logs related to security related events. Without this capability, a user can only view events related to modification and access of Knowledge entities.

Some sources provide Reports containing Observables for characterizing potentially malicious events. Based on that, analyst can decide these technical elements are characteristic of an attack and want to send them for further security actions (detection for example). Best practice is to send Indicators, not Observables. With OpenCTI 6.2, it is now possible to easily add Indicators related to the contained Observables when you promote these Observables via massive operations’ toolbar! 🔥

Sharing has also been improved! Now, you can also decide whether relationships created from inference rules should be shared in the TAXII collection when creating a new one. Additionally, 6.2 introduces the ability to use Organization sharing through massive operations directly! Now, you can simply select all entities you want to share with a specific Organization and click on 'share' ! 🥰

In terms of integration, administrators can now clear the queue of a connector if it gets stuck, enhancing performance management.

The Crowdstrike Feed connector has been improved to use FalconPy library when importing Threats, Reports, and also YARA and SNORT rules! Community members brought also a lot of value with the development of connectors for Red Flag Domains (external-import), ShadowServer foundation (external-import) and ReversingLabs (internal-enrichment). The Zerofox connector has also been improved! Thanks a lot! ♥️

We're eager for your feedback on these enhancements!

⚠️ Breaking changes

Since OpenCTI version 6.2 there is an upgrade of passport-saml library that implies that for platform using SAML provider:

  • Document signatures are now required by default. Setting wantAuthenResponseSigned=false disables this feature and restores the prior, less secure behavior
  • Require all assertions be signed; new option wantAssertionsSigned can be set to false to enabled the older, less secure behavior.

It means that if it’s not already done, you should generate certificates and configure the SAML identity provider in a secure way. Or else in OpenCTI configuration parameters want_authn_response_signed and/or want_assertions_signed can be set to false:

  • PROVIDERS__SAML__CONFIG__WANT_AUTHN_RESPONSE_SIGNED=false
  • PROVIDERS__SAML__CONFIG__WANT_ASSERTIONS_SIGNED=false

Please read the passport-saml detailed changelog for more details.

Enhancements:

  • #6836 Ensure the valid_until date on Indicators is set to a greater value than valid_from when empty (compliance with STIX 2.1)
  • #6171 Ability to add indicator generated from the observables of a container in the container
  • #5550 Split capabilities to create labels / marking etc & update other capabilities to provide more clarity in RBAC
  • #5651 Content tab: Refactor & Add content tab in multiple entities
  • #6803 Content Tab: Auto Map content mapping & Create relation
  • #6836 In CSV Feed Ingester, take into account Default Marking definition options from CSV Mapper
  • #7467 Need more information at error level when a file cannot be download from S3
  • #6506 Upgrade saml-passport version to major 4.0.0 (4.0.4)
  • #7278 In the user overview, be able view all activities (read, etc.) in Operations / History
  • #7333 Infer usage of parent techniques
  • #5371 Have a workbench created automatically from RSS Feed
  • #5304 Introduce diamond model view
  • #7069 Share the result of inferrence rules in TAXII collections
  • #3781 Add a button to clear the queue of a specific connector
  • #6826 Leverage external ref's files with GenAI functions at entity level

Bug Fixes:

  • #7419 [CSV Mapper] Not possible to add labels to URL representation
  • #6887 [UI] light mode: csv mapper test result is hardly readable
  • #7114 [Playbook] Manipulating knowledge by replacing status does not work on all entities
  • #7494 First Seen seems to be auto populating with Dec/1969 on record creates via frontend
  • #7430 In Content tab of containers, when selecting "main content", it is displayed "No file selected" on the bottom
  • #7310 When merging 2 entities, the "result marking" displayed is always none
  • #7488 Reject unauthorized is not taken into account in proxy configuration
  • #7268 Unecessary error message at sighting edition
  • #7265 [Bulk Update] Revoked field not set after bulk edit of score
  • #7191 Lifecycle of an indicator is not updated when changing the score from a report "Entities" page
  • #6287 [CSV Mapper] External reference creation
  • #7174 Search keyword not taken into account for stix core relationships exports
  • #7442 Knowledge entity list is not automatically refreshed anymore
  • #7210 Cannot bulk delete External References when using a filter
  • #7291 Bad FR translation encrypted archives
  • #7269 Cannot enrich multiple observables when shift-selecting
  • #7315 Missing number formatter in some dashboard widgets

Pull Requests:

New Contributors:

Full Changelog: 6.1.13...6.2.0