Skip to content

Releases: OpenCTI-Platform/opencti

Version 3.2.0

28 Apr 09:59
Compare
Choose a tag to compare

Dear community, we are so proud to announce the release of OpenCTI 3.2.0! This is a major version introducing more than 16 new features. As you can see on the demonstration instance, we refreshed the whole user interface for a better experience. We introduced analysis notes and comments for all objects (including relations), using the corresponding STIX 2.1 entity. Also, you are now able to filter all lists of entities with much more options (for instance the last 24 hours observables/indicators).

But one of the most interesting feature is creation of the knowledge history, which is available in all screens so you can understand what's going on on entities and relations. Using dedicated tokens for your connectors, you will see modifications and new relations. This history is logged in STIX 2 so it will be used for future implementation of platforms synchronization (including other TIPs).

As written in the documentation, we encourage OpenCTI administrators to use dedicated tokens for each connector of the platform to ensure consistent history.

Last but not least, code coverage of the API is now at 84% and almost all critical methods are covered. We would like to thank all community members and developers who were involved in this new release. More to come! Especially documentation on the data model :)

Enhancements:

  • #647 Global enhancement of the user interface
  • #633 Introduce functional logs / comments
  • #627 Enforce versions in the worker requirements.txt
  • #622 Ability to export indicators based on additional filters
  • #600 Full test coverage of files in the directory database
  • #596 [api] Allow filtering indicators by name
  • #566 Reports : "imported by XYZ"
  • #559 List and export with date filters everywhere
  • #479 Improve filtering / sorting of reports
  • #474 Introduce technical logs
  • #431 OpenCTI class diagram/blueprints
  • #406 Automating the OpenCTI Manual Install Process
  • #340 Reports & Organizations (authors)
  • #265 Organization display mode should be a user choice
  • #264 Manual filters and tags display enhancement
  • #239 Multiple authors for reports
  • #172 Implement list filtering on some fields
  • #56 Syntax validation of observables

Bug Fixes:

  • #657 Fix "Granted by Default" Toggle Switch in Roles Web UI
  • #629 Elasticsearch exception when searching URL
  • #606 Release of 3.1.0 have incorrect node_modules directory
  • #594 Failure to update from 3.0.3 to 3.1.0 - GraphQL initialization fail

Version 3.1.0

02 Apr 00:54
Compare
Choose a tag to compare

Dear community, OpenCTI 3.1.0 has been released! This major version marks another step towards the stable and professional platform that we want to build over the long term. Thanks to the amazing work of @richard-julien, the implementation of the test coverage of critical functions of the platform has solved no less than 30 major bugs. Above all, this integration tests coverage now allows the community to grow in serenity, since we have more and more organizations that want to contribute to the development of OpenCTI.

We have also improved integration performance for reports containing a large number of indicators. We can now start the ambitious construction of the next milestones alongside CERT-EU and ANSSI: analytics and visualizations, collaboration and notification functions, integration with SIEMs and EDRs, etc.

Enhancements:

  • #513 Introduce test coverage of critical database functions (API)

Bug Fixes:

  • #569 Indicator pattern update failed
  • #560 Unable to update author of a relation on the frontend

Version 3.0.3

09 Mar 09:47
Compare
Choose a tag to compare

OpenCTI 3.0.3 has been released! This version fixes some bugs found by community members in the platform as well as in the Python library. Thanks to the amazing work of @maertv from the @certeu, the CrowdStrike (Falcon CTI platform) connector has been released too!

For the next major release, @richard-julien is working hard on the full test coverage of the API source code and we will introduce a lot of new features in future works (refactoring the workspaces, generalization of graphs and enhancing a lot of visualizations). Also, be ready for engagement features: analysts comments, modification/audit logs, sightings, etc.

Enhancements:

  • #537 Additional fields for filtering indicators
  • #531 Order tags in list
  • #480 Merge duplicates entities
  • #246 Implement a bulk data manager for entities/relations (delete, merge, split, etc.)

Bug Fixes:

  • #551 Bug with report publish date in UTC
  • #540 GraphQL initialization fail > TypeError: Cannot read property 'node' of undefined

Version 3.0.2

23 Feb 22:25
Compare
Choose a tag to compare

Dear community, OpenCTI 3.0.2 has been released! We fixed a lot of bugs related to the new RBAC system as well as some slowness in the ingestion process provided by workers. We also released a first version of the VirusTotal connector and enhanced the vulnerabilities entities with new attributes (CVSS3).

We are working hard on the next release to dramatically extend the test coverage and develop the data curation features (de-duplicate, merge, split, bulk edit/delete).

Enhancements:

  • #503 Have a more detailed view of description when adding entities
  • #469 Drop-down selection options/suggestions don't appear until you type something
  • #429 "Edit this Doc" button URL
  • #322 Documentation/Default Script to be updated
  • #257 Enhance vulnerability entity
  • #147 Vulnerability : add external information
  • #49 Implement vulnerability enrichment

Bug Fixes:

  • #523 Lower performances of the ingestion process since 3.X
  • #521 Unable to delete relations in reports
  • #520 Unable to delete a tag on an actor
  • #519 Disrepectancies between the general search field and the search field to add entities in a report
  • #500 Display issue in the pannel to add entities to the knowledge of a report
  • #451 Dates for very long term relations

Version 3.0.1

20 Feb 08:53
Compare
Choose a tag to compare

OpenCTI version 3.0.1 has been released! We hotfixed 6 bugs linked to the implementation of the RBAC capabilities. On the next milestone, we will work on the test coverage of the platform to strengthen our ability to develop the product and its features in depth. Thank you to all community members who reported these bugs.

Bug Fixes:

  • #488 First seen date can be more recent than last seen date
  • #511 Unable to add permissions to a group
  • #510 Problem when trying to add an external reference to a Threat Report
  • #509 Author field does not update after creation of the entity
  • #514 Incident view load indefinitely
  • #516 User roles/capabilities change doesn't clear the token cache

Version 3.0.0

19 Feb 16:00
63edd22
Compare
Choose a tag to compare

Dear OpenCTI community, we are proud to announce the release of OpenCTI version 3.0.0. This version is a turning point in the OpenCTI roadmap, as we worked hard on the following objective: allow you to deploy OpenCTI in production within your organization with the right level of security and the expected stability and performances, turn OpenCTI into an enterprise-grade product.

One of the most important enhancement in this version is the implementation of the RBAC system, associated to 3 new authentication strategies (LDAP/AD, OpenID, etc.). You are now able to create roles and assign roles to users to grant them capabilities (read knowledge, update knowledge, import, manage accesses, etc.). The other feature is about reports and data. The import/export system is now stable (with the observed-data management) and we improved again the performances of write operations. We also speeded-up a lot a views (report knowledge graph, listing of some relationships, etc.).

A lot of improvements not related to the main features of this release have been made. We published a new connector to analyze and extract IOCs from PDF files thanks to a member of our community. Many bugfixes on the API and the frontend, new content in the documentation and the creation of the virtual machine template hosting the whole stack for testing purposes. As we prepare a lot of new enrichment connectors for observables, we introduced the max TLP option to avoid leaking sensitive information. Other knowledge connectors will be soon published: AlienVault, CrowdStrike, TheHive, and other vendors.

In a few days, we will send you a message with the date of our first webinar, during which we will present how the platform could be used in different types of organization. As we often say, it is just the beginning of an exciting adventure, with soon much more community activities, data management, intelligent subsystems, visualizations and investigations capabilities.

Enhancements:

  • #487 Introduce kill chain view and diamond model
  • #484 Automatic completion of marking when creating links
  • #467 Enrichment connectors must have a "MAX TLP" config to avoid enrichment on sensitive data
  • #466 Report views enhancement
  • #442 Huge documentation enhancement
  • #403 Creating "targets" relation between an Attack Pattern and a Vulnerability
  • #398 Pre-installed OpenCTI iso or ready VM?
  • #380 Add inference when action is linked to a specific malware
  • #373 LDAP / SSO authentication
  • #372 Automatically populate reports
  • #330 threats to entities relations
  • #329 Organization to threat actor relations
  • #328 Organization to organization relations
  • #260 Automatically compute the marking of entities/relations from reports
  • #182 Change the behavior of auto-complete field
  • #148 Workspaces : Add type of entity when selecting an entity for widget creation
  • #86 Implement Lockheed Martin Cyber Kill Chain in model
  • #75 Implement the RBAC system
  • #62 Organisation : reliability

Bug Fixes:

  • #485 Have campaigns with no authors
  • #472 Create person fails with "Thing does not have exactly one key of type [user_email]." error.
  • #465 STIX2 file import error (example with the latest CERT-FR publication)
  • #456 Bad entity_type on stix_observable_relation

Version 2.1.4

29 Jan 20:17
f2e36e4
Compare
Choose a tag to compare

OpenCTI 2.1.4 has been released! This version hotfixes 4 bugs and introduces some technical enhancements in the migration system (no more errors when launching a fresh platform). We also fixed 2 bugs in the Python library that impacted the import of vulnerabilities through the CVE connector. Thank you to all community members who reported these bugs. We will now focus on the next milestone: workspaces, outputs and the full support of LDAP/SSO with roles and permissions (read only, read write, etc.).

Enhancements:

  • #445 Fresh platform should not apply migrations
  • #413 [Doc] nodejs version on Ubuntu 18.04 is too old

Bug Fixes:

  • #452 CVE import
  • #449 Too much log in console prevent to detect real errors
  • #447 Unable to add entities in report knowledge
  • #443 Add observables to report

Version 2.1.3

24 Jan 14:47
Compare
Choose a tag to compare

Dear community, OpenCTI version 2.1.3 has been released! We mainly focused our work on the stability of the whole product as well as the resolution of some major bugs. However, several new features have also been implemented, in particular the possibility of exporting lists of entities in STIX2 or CSV format: exporting campaign indicators, reports about an intrusion sets, all malwares, etc. We have completed the refactoring of the Python library and added all the methods that were still missing on some entity types as well as the file upload feature. For the next release, we will carry on our huge refactor of workspaces and statistics in general. We also plan to conduct a documentation working session to improve it in depth.

Last but not least, we will soon plan the organization of a webinar that will be didicated to OpenCTI basics but also a very interesting use case for both red teams and blue teams: how to put all knowledge about an incident in OpenCTI and replay it using Caldera. Double advantage of such a scenario: the capitalization of knowledge related to the incident as well as the ability to test the reaction of SOC / CSIRT in the event of a similar attack. Your feedback and your impressions are precious, do not hesitate to send us your use cases and the difficulties you encounter!

⚠️ Breaking changes ⚠️

Grakn Core Server has been upgraded from 1.5.9 to version 1.6.2. The migration process of existing data cannot be done automatically even if you are using the Grakn Docker container. You have to follow the migration procedure Upgrading an Existing Installation to Grakn Core 1.6.x. available in the Grakn documentation. If you have any trouble to make this work, we are available to help you on our Slack channel or you can reach the Grakn team directly on their channel.

Enhancements:

  • #424 Enhance searching of entities
  • #412 Add OR/AND option to filter Observables & Indicators
  • #396 Infinite loading lists in observables and entities of a report
  • #391 Export lists of objects (intrusion sets, indicators, etc.)
  • #390 Duplicate function askEnrich in the API
  • #388 Display the number of entities in each view/lists
  • #371 Migrate to Grakn 1.6.1
  • #360 Redirect to the requested page after login
  • #345 Add tagging for Tools/Vulnerabilities/Observables/Reports
  • #334 Tags for reports
  • #123 Implement CSV export

Bug Fixes:

  • #432 Uploading a PDF threat report results in "Cannot read property 'toLowerCase' of null" error
  • #427 Organisation type vs category
  • #419 Filter with no tag not working anymore
  • #416 infinite loading of reports using specific sort options
  • #415 Mutation intrusionSetAdd creates an intrusion set with the first_seen value as the last_seen value
  • #410 Exception when importing STIX 2 Indicators due to invalid default type in valid_from
  • #407 Mandatory properties are not filled for inferred relations
  • #405 Displaying an indicator constantly refreshes the page
  • #404 Cannot create an Indicator of type Mac-Addr or Directory
  • #381 New reports are added without a set "Processing Status"?

Version 2.1.2

21 Dec 11:32
Compare
Choose a tag to compare

Dear community, the OpenCTI platform version 2.1.2 has been released! This version provides users of the platform with many new features that will allow them to better modelize their CTI knowledge. We have resolved the gap that existed between the OpenCTI data model and the STIX2 schema by definitively separating the concepts of observables and indicators. It is now possible to create indicator in various formats: STIX Pattern, Snort, Sigma, YARA, etc.

All graphics and visuals are now based on ElasticSearch queries to increase performance. This will allow us to completely rework the workspaces and make them real monitoring tools in the next release. Also we have disabled all inferences rules on the platform by default, so a very important screen has been added to the settings section, allowing users to enable inferences rules if they really need it. The MISP connector has been fully refactored and a documentation is available. Finally, we have added many examples to the Python library.

Enhancements:

  • #383 Improve performance by using Elastic when searching for relations (when we can)
  • #375 Enhance display of relations and separate inferred/not inferred
  • #366 Use ElasticSearch for all statistics (timeseries, distribution, etc.)
  • #349 Enhance loaders/spinners everywhere
  • #335 Detection rules (yara, snort, suricata, sigma, etc)
  • #316 Split indicator/observable concepts, create indicators from observables
  • #162 Refactor the observables schema to match STIX2 references
  • #145 Enable/disable inferences rules in settings
  • #58 Observables : expiration date
  • #57 Observables : scoring/rating

Bug Fixes:

  • #369 Store the remote IDs in some ES entities is useless and performance killer

Version 2.1.1

07 Dec 10:21
Compare
Choose a tag to compare

OpenCTI 2.1.1 has been released! This version is hotfixing 5 bugs (4 in the API/Frontend and 1 in the Python library) found after the last release. Thank you to all people who reported these bugs so we can now work on the next milestone. The next milestone will be focused on: improving performances of charts and relations display in the UI, development of many outputs and graphics (killchains, diamond model, PDF export of knowledge, full refactor/enhancement of workspaces, graph view of entities, comparison of threats TTPs/infrastructure and introduction of indicator concept.

Bug Fixes:

  • #364 Reindex can timeout on purging orphan relations
  • #363 Relation attributed-to cannot be created (bad direction)
  • #361 Strange issue when sorting the list of entity type 'person' by date
  • #258 Update date of entities not updated