
Releases: OpenCTI-Platform/opencti

Version 4.0.0

15 Dec 09:19

🎉 DING DING!! 🎉

We are so happy to finally announce the release of OpenCTI version 4.0.0 🎀, after more than 8 months of tremendous collective work by the core development team. In this release, we have tackled the main known needs and issues our community has expressed over the past few months 🔨🔨.

We enhanced the data model 📉, simplified the technological stack, greatly increased performance 🛫 and, above all, developed many more features that will allow everyone to store, organize and share Cyber Threat Intelligence at the level we expected in the first place, within a fully Open Source product 👐.

Even though we are a non-profit organization, we know the wait may have seemed a bit long ⏲️, which is why we are already committed to resuming a much faster release rate in 2021, to provide all OpenCTI users with the capabilities already planned in the strategic roadmap 🧭: integration with SOC and SIEM, analyst workflows, graph investigation, customizable dashboards, data science, etc.

We hope that you will love this release, and if you found OpenCTI difficult to install or to spin up in the past, please do not give up and try this one!

🚨 This release introduces breaking changes in the data model and the schema. You cannot upgrade directly from V3.X data; you have to follow the migration procedure.

⚠️ Grakn Core Server is no longer part of our stack for the moment and has been removed from the dependencies; you do not need to deploy it. ElasticSearch >= 7.10.X is required.

🖴 If you are using Docker, please do not forget to use volumes for persistence on ElasticSearch, Redis, Minio and RabbitMQ. All dependencies need to be persistent now.

Enhancements:

  • #928 Knowledge section of CAMPAIGNS is missing the "Victimology" tab
  • #908 Show only entities of the selected filter, when associating a report to one/more entities
  • #907 Remove the predefined list of items when associating a report with any entity
  • #905 Display a confirmation message / error message upon actions
  • #901 Username authentication case sensitive
  • #887 Limit the number of lazy queries in GraphQL
  • #873 Filter list is not sorted alphabetically
  • #871 Global refactoring of export workflow (entity & list)
  • #865 Existence of more Aliases for an entity isn't immediately obvious
  • #863 Passwords appear in cleartext in logs when auth fails
  • #841 Provide option to disable auto-enrichment of Observables
  • #830 Do not acknowledge messages on the worker if an entity is missing (4 retries)
  • #818 Notes cannot be reached from the search panel
  • #813 Be able to add tags to notes
  • #802 Unable to change the value of an observable
  • #800 Please add domain resolve to IP relationship
  • #792 Migration script to V4
  • #791 IDs generation
  • #782 "Detection" section for MITRE Att&ck - Attack patterns not present
  • #777 Import sha1 and sha256 is not in the STIXv2 format
  • #774 Merge of 2 intrusion sets in OpenCTI
  • #773 External reference should be opened as new tab
  • #757 OpenCTI Virtual Template Connection Issue
  • #754 External references & reports : simplification
  • #726 add the country of origin of an APT
  • #695 Sightings - threats targeting this org
  • #692 Allow users to display tags as "type:value" instead of just "value" in the web UI.
  • #676 Set score field to STIX2 confidence
  • #673 Apply Grakn schema only when needed, improve migration system
  • #665 Attack patterns : relationship to indicators (sigma, yara, etc)
  • #637 Additional observables
  • #617 Rename the relation "localized-in" to "located-in"
  • #572 Not possible to have multiple tags with the same value but not the same type
  • #562 How to upgrade from ver 3.0.2 to 3.0.3
  • #553 Create a new inference - part-of type
  • #539 Improve connector stack to limit concurrent injection on same elements
  • #501 Dates should not always be required
  • #498 Sync OpenCTI instances together
  • #491 Markdown editor
  • #389 Enhance geographic entities views
  • #387 Migration to STIX 2.1
  • #296 Connector work monitoring & management
  • #270 Most active threats by country
  • #176 Introduce geographic maps and geo codes

Bug Fixes:

  • #929 Duplicate Entry
  • #924 [OPENCTI] GraphQL initialization fail
  • #923 Export of Observables/Indicators is not working when a filter was applied
  • #919 Documentation Zip is corrupted in release
  • #909 Export of reports is bugging
  • #902 Error when connecting to opencti behind a reverse proxy
  • #897 new docker install error: manifest for opencti/platform:4.0.0 not found: manifest unknown: manifest unknown
  • #894 Stable Docker Compose File- Nothing Works SO Far and bit frustrating
  • #893 new docker install error: manifest for opencti/platform:4.0.0 not found: manifest unknown: manifest unknown
  • #889 Full JSON export fails - GRAPHQL_VALIDATION_FAILED
  • #886 "ImportFileStix2" Connector Fails on .json created by "ExportFileStix" connector
  • #885 FrontEnd does not display "Sighting" relationship when imported with "Import-File-STIX" connector
  • #860 Threat Actor relation to an Identity doesn't exist
  • #859 Note card does not exist
  • #857 Failed to create missing observables
  • #856 An export in .CSV gives a file in .FALSE
  • #855 Cities cannot be exported
  • #854 Cannot filter on person, observables
  • #853 Relationship delete history
  • #847 Still grakn Issues
  • #845 SHA-1 and SHA-256 indicators do not automatically create observables
  • #843 demo.opencti.io
  • #839 Grakn schema initialization fails
  • #838 cant import json file
  • [#826](https://github.com/OpenCTI-Platform/opencti/issues...

Version 3.3.2

24 Jun 06:57

OpenCTI 3.3.2 has been released! It contains a lot of bug fixes, including one addressing an inconsistent behavior on entity deletion, and many enhancements to the current connectors, especially the introduction of new features/filters in the MISP one.

We are currently working hard on the next major releases, which will be a new step for the OpenCTI project!

⚠️ Dependency change ⚠️
ElasticSearch has been upgraded to 7.8.0.

Enhancements:

  • #765 Bump Apollo version (security fix)

Bug Fixes:

  • #762 GraphQL initialization fail
  • #760 Error Displaying Intrusion Sets Knowledge section
  • #756 Unable to associate a Malware to another Malware via the API
  • #750 Frontend loop on the user page due to an error on the graphql reply
  • #743 Cannot load element (need to reindex)
  • #547 Grakn Seems Down

Version 3.3.1

05 Jun 10:47

OpenCTI 3.3.1 is out! This version fixes some bugs on entity deletion that led to inconsistent behavior. Other bugs have also been fixed in connectors, and MITRE Mobile ATT&CK has been added to the MITRE connector.

We also confirmed compatibility with Grakn version 1.7.2, so feel free to update. The next milestone will focus on visualization, workspaces/dashboards, and light theming!

Enhancements:

  • #749 Upgrade to Grakn 1.7.2

Bug Fixes:

  • #735 Element deletions are partial in some use cases
  • #734 Race condition on relationship indexing

Version 3.3.0

28 May 09:05

Dear community, OpenCTI 3.3.0 has been released! This version introduces many new features and also fixes several bugs reported by the community: more progress in taking STIX 2.1 into account, an enhanced victimology overview in threats, warnings to users about potential duplicate entities at creation, etc.

One of the major enhancements of this version is the improvement of platform ingestion performance. Just as we fixed more than 30 bugs while introducing integration tests for the 3.1.0 release, the implementation of performance tests allowed us to identify multiple areas for improvement. In this version, we have increased ingestion speed by 30% compared to the previous version. And that's just the beginning! We plan to publish the results of these tests as well as a monitoring dashboard in the coming days.

Another important change is the syntax validation of all indicators imported into or created in OpenCTI. STIX patterns, YARA rules, SIGMA rules, Suricata signatures and SNORT rules are now subject to a syntax check, so that all third-party software integrated with OpenCTI can be sure the indicators provided are valid. Also, merging entities together is now stable for users who need advanced data curation.

⚠️ Breaking changes ⚠️

Grakn Core Server has been upgraded from 1.6.2 to version 1.7.1. We tested the migration process of existing data with several organizations and it is fully transparent (just start Grakn Server 1.7.1 on your current Grakn data). OpenCTI 3.3.0 is no longer compatible with Grakn 1.6.2, since the Grakn driver has been updated and is only compatible with Grakn 1.7.X. You can also update your ElasticSearch to version 7.7.0, which is now the recommended version, but this is not mandatory.

Last but not least, we are glad to announce the release of 4 new connectors. We really wish to thank @rhaist from DCSO for his amazing work during the last weeks: the Malpedia connector, the Valhalla connector, Python library documentation and testing, starting work on a Go client as well as on the CORTEX connector, with progressive ideas and quality source code. Stay tuned for the next release, which will focus on visualization and workspaces!

Enhancements:

  • #699 [UI] Remove trailing whitespaces at the creation of an observable
  • #693 Migration to grakn 1.7.1
  • #687 Add customized observable type by admin when creating an observable
  • #645 Implement performance test infrastructure
  • #640 Possibility to filter vulnerabilities on Score and Severity field
  • #635 Organization should implement gathering relations
  • #632 Syntax validation of indicators
  • #601 Support Active Directory of TLS/SSL
  • #554 Display persons in victimology
  • #470 Prevent users from accidentally creating duplicate objects (e.g. threat actors).
  • #462 Observables dates (creation and modification) require seconds precision
  • #370 Add new observable types
  • #368 Add contact_information to entity object
  • #362 Observables export

Bug Fixes:

  • #723 Display bug in Attack Patterns
  • #710 Merging entities : recurring bug
  • #707 Requesting creator through log fail if the action was executed by SYSTEM_ADMIN
  • #703 UI Display of connectors - Not showing connectors after page cut-off.
  • #701 Broken page for Malware attribution
  • #700 Migration failed due to incorrect function call
  • #691 Unable to Add Victimology to Custom Threat Actors or Incidents

Version 3.2.2

05 May 19:42

OpenCTI 3.2.2 has been released! This version fixes a few minor bugs affecting the merging of entities and the LDAP authentication. We are committed to fixing all bugs the community reports as fast as we can. But this version also introduces a very important feature for the integration of OpenCTI with the whole cybersecurity ecosystem.

Sightings (true positive and false positive) are now available for observables and indicators. As provided by the STIX 2 standard, sightings can originate from an organization, a person or any location (region, country or city).

This version also introduces a lot of enhancements in the Python library: ingestion performance has been improved (you will be able to see that in our future performance monitoring infrastructure) and you are now able to use the API pagination directly in the *.list methods.

Enhancements:

  • #55 Observables / Indicators: Sighting

Bug Fixes:

  • #685 Redirect to empty page when checking the vulnerability relations of an indicator
  • #679 Data management won't show
  • #677 Additional Bugs With Merging
  • #646 Trying to set up authentication with active directory

Version 3.2.1

30 Apr 12:26

OpenCTI 3.2.1 has been released! This version fixes a few minor bugs introduced in the previous version but also enhances and adds some connectors. The next major release will focus on two very important needs.

First of all, the deployment of performance tests, with the generation of daily public reports about the performance of the platform for various infrastructure templates. Second, monitoring of the platform itself, so you know exactly what's going on during the ingestion processes implemented in OpenCTI. The objective is to be able to follow the progress of ingestions and any errors.

As usual, do not hesitate to report any bugs or request the features you need on GitHub!

Enhancements:

  • #671 Improve LDAP authentication error logging
  • #642 Introduce new migrations directory for pre-schema initialization

Bug Fixes:

  • #674 View as author for organizations / persons is global
  • #669 Worker does not restart thread if terminated
  • #668 Error Merging Entities
  • #634 Person belonging to Organization shows up under organization.

Version 3.2.0

28 Apr 09:59

Dear community, we are so proud to announce the release of OpenCTI 3.2.0! This is a major version introducing more than 16 new features. As you can see on the demonstration instance, we refreshed the whole user interface for a better experience. We introduced analysis notes and comments for all objects (including relations), using the corresponding STIX 2.1 entity. You are also now able to filter all lists of entities with many more options (for instance, the observables/indicators of the last 24 hours).

But one of the most interesting features is the creation of the knowledge history, which is available in all screens so you can understand what is happening to entities and relations. Using dedicated tokens for your connectors, you will see modifications and new relations. This history is logged in STIX 2, so it will be used for the future implementation of platform synchronization (including with other TIPs).

As written in the documentation, we encourage OpenCTI administrators to use dedicated tokens for each connector of the platform to ensure consistent history.

Last but not least, code coverage of the API is now at 84% and almost all critical methods are covered. We would like to thank all community members and developers who were involved in this new release. More to come! Especially documentation on the data model :)

Enhancements:

  • #647 Global enhancement of the user interface
  • #633 Introduce functional logs / comments
  • #627 Enforce versions in the worker requirements.txt
  • #622 Ability to export indicators based on additional filters
  • #600 Full test coverage of files in the directory database
  • #596 [api] Allow filtering indicators by name
  • #566 Reports : "imported by XYZ"
  • #559 List and export with date filters everywhere
  • #479 Improve filtering / sorting of reports
  • #474 Introduce technical logs
  • #431 OpenCTI class diagram/blueprints
  • #406 Automating the OpenCTI Manual Install Process
  • #340 Reports & Organizations (authors)
  • #265 Organization display mode should be a user choice
  • #264 Manual filters and tags display enhancement
  • #239 Multiple authors for reports
  • #172 Implement list filtering on some fields
  • #56 Syntax validation of observables

Bug Fixes:

  • #657 Fix "Granted by Default" Toggle Switch in Roles Web UI
  • #629 Elasticsearch exception when searching URL
  • #606 Release of 3.1.0 has incorrect node_modules directory
  • #594 Failure to update from 3.0.3 to 3.1.0 - GraphQL initialization fail

Version 3.1.0

02 Apr 00:54

Dear community, OpenCTI 3.1.0 has been released! This major version marks another step towards the stable and professional platform that we want to build over the long term. Thanks to the amazing work of @richard-julien, the implementation of test coverage for critical functions of the platform has resolved no less than 30 major bugs. Above all, this integration test coverage now allows the community to grow with confidence, since more and more organizations want to contribute to the development of OpenCTI.

We have also improved integration performance for reports containing a large number of indicators. We can now start the ambitious construction of the next milestones alongside CERT-EU and ANSSI: analytics and visualizations, collaboration and notification functions, integration with SIEMs and EDRs, etc.

Enhancements:

  • #513 Introduce test coverage of critical database functions (API)

Bug Fixes:

  • #569 Indicator pattern update failed
  • #560 Unable to update author of a relation on the frontend

Version 3.0.3

09 Mar 09:47

OpenCTI 3.0.3 has been released! This version fixes some bugs found by community members in the platform as well as in the Python library. Thanks to the amazing work of @maertv from the @certeu, the CrowdStrike (Falcon CTI platform) connector has been released too!

For the next major release, @richard-julien is working hard on full test coverage of the API source code, and we will introduce a lot of new features in future work (refactoring the workspaces, generalizing graphs and enhancing many visualizations). Also, be ready for engagement features: analyst comments, modification/audit logs, sightings, etc.

Enhancements:

  • #537 Additional fields for filtering indicators
  • #531 Order tags in list
  • #480 Merge duplicate entities
  • #246 Implement a bulk data manager for entities/relations (delete, merge, split, etc.)

Bug Fixes:

  • #551 Bug with report publish date in UTC
  • #540 GraphQL initialization fail > TypeError: Cannot read property 'node' of undefined

Version 3.0.2

23 Feb 22:25

Dear community, OpenCTI 3.0.2 has been released! We fixed a lot of bugs related to the new RBAC system as well as some slowness in the ingestion process performed by workers. We also released a first version of the VirusTotal connector and enhanced the vulnerability entities with new attributes (CVSS3).

We are working hard on the next release to dramatically extend the test coverage and develop the data curation features (de-duplicate, merge, split, bulk edit/delete).

Enhancements:

  • #503 Have a more detailed view of description when adding entities
  • #469 Drop-down selection options/suggestions don't appear until you type something
  • #429 "Edit this Doc" button URL
  • #322 Documentation/Default Script to be updated
  • #257 Enhance vulnerability entity
  • #147 Vulnerability : add external information
  • #49 Implement vulnerability enrichment

Bug Fixes:

  • #523 Lower performance of the ingestion process since 3.X
  • #521 Unable to delete relations in reports
  • #520 Unable to delete a tag on an actor
  • #519 Discrepancies between the general search field and the search field to add entities in a report
  • #500 Display issue in the panel to add entities to the knowledge of a report
  • #451 Dates for very long term relations