Releases: OpenCTI-Platform/opencti

Version 6.9.8

16 Jan 08:56
8e2542f

Enhancements:

  • #6669 Ability to remove labels using automation/playbook

Bug Fixes:

  • #14025 Issue loading a report in Firefox browser in both Linux & Android
  • #13999 'import from hub' for dashboards is not working
  • #13996 "Update indexing fail" on CSV Feed update
  • #13683 Using date ranges in custom dashboard causes a crash

Full Changelog: 6.9.7...6.9.8

Version 6.9.7

12 Jan 14:44
97ca75e

Enhancements:

  • #13990 Implement new inference rules
  • #13975 Support multiple files upload at creation of entities
  • #13971 [client] Upload file at creation of entities instead of after the creation
  • #13944 [client] Add support of file download during import process
  • #11383 Create inference rule on attribution
  • #10505 [Rules Engine] If Report contains IP, and IP belongs to ASN then Report contains ASN

Bug Fixes:

  • #13940 Unable to add personal notifiers
  • #13933 Redirect the learn more of the OCTI demo banner to the Hub public trial page
  • #13901 Users add relations in orga admin context
  • #13897 Status renaming is not taken into account
  • #13888 Form Intakes cannot be launched when using "Toggle" field type on Malware is_family
  • #13818 AI Insights returns text in Markdown format instead of HTML.
  • #13792 Campaigns do not display Security Coverage Icons if there is an Associated Security Coverage
  • #13753 Simple Mailer {"variableName":"escape"} Error
  • #13624 Channel Entity Does Not Display Channel Type in GUI
  • #13610 Domain import fails when using “domain name” in CSV Mapper
  • #13058 Generated PDFs of RSS Feed For The Record Are Not Properly Created
  • #12445 "Interval" for the bookmark widget serves no purpose
  • #11800 GraphQL internal server error

Full Changelog: 6.9.6...6.9.7

Version 6.9.6

07 Jan 16:25
40b1334

Enhancements:

  • #13918 Support re-ordering of fields in form intakes
  • #13913 In Form Intakes, allow creation on the fly of entities in lookup
  • #13912 Add support for files in playbook container wrapper
  • #13911 Set form intakes to full width in import dialog and fix background in dark mode
  • #13893 [FEATURE] Resolve x_mitre_id from attack pattern name
  • #13848 [Taxii feeds] - Ability to import/export taxii feeds
  • #13268 Support automatic defanging/de-sanitization of observables in Form Intakes
  • #10183 Add a limit on number of sessions a user can have

Bug Fixes:

  • #13908 Unbounded buffering on SSE responses can cause OOM with slow clients
  • #13880 Playbooks and live triggers are not working after modifying a label
  • #13837 Knowledge Graph widget includes Has Label meta-relations
  • #13810 Tooltip on AI configuration is not correct in CE
  • #13604 When using open vocabulary in form intake, form cannot be validated
  • #13246 Relationships representative not displayed in Indicator Knowledge
  • #12510 FINTEL Template Preview Does Not Update if Changes are Made

Full Changelog: 6.9.5...6.9.6

Version 6.9.5

04 Jan 21:42
be4ab13

Enhancements:

  • #13840 Improve license management supporting official OIDs and grace period
  • #13725 Document prometheus exposed metrics

Bug Fixes:

  • #13856 [Playbook] Manual Playbook trigger ignores Playbook filters
  • #13826 Users cache is not refreshed when changing some group attributes
  • #13822 .csv export fails
  • #13811 Layout on history tab is broken
  • #13471 x_content_parse_exception on getAuthorizedMembers
  • #12320 Unable to Export Finished Intelligence if Content Contains Images
  • #11811 Setting default dashboard for a group does not apply

Full Changelog: 6.9.4...6.9.5

Version 6.9.4

23 Dec 17:37
c189d85

Enhancements:

  • #13762 Upsert 'created' field under condition
  • #13254 OpenCTI manager live listening after restart leads to missing events

Bug Fixes:

  • #13785 Starts_with error in webhooks notifiers
  • #13070 filigran-chatbot dependency is downloaded from GitHub, preventing build in air-gapped CI
  • #13069 Connector manifest download from GitHub prevents build in air-gapped CI

Full Changelog: 6.9.3...6.9.4

Version 6.9.3

19 Dec 16:34
f3cdf2d

Bug Fixes:

  • #13744 Import data dialog randomly reverts back to 1st Import mode step
  • #13709 Some files can have markings that no longer exist in the platform

Full Changelog: 6.9.2...6.9.3

Version 6.9.2

17 Dec 15:35
eda32ac

Bug Fixes:

  • #13641 Array.isArray() function shall not be forbidden in Platform notifier
  • #8928 [CI] Drone build is failing on release branch because client-python is cloned from master instead of release branch

Full Changelog: 6.9.1...6.9.2

Version 6.9.1

16 Dec 15:22
899d043

Enhancements:

  • #13659 [client] Ability to configure connectors to automatically create their associated service account
  • #13626 Resolve creator in the logs

Bug Fixes:

  • #13696 Some filters can be broken on old ES mappings
  • #13690 Exclusion decay rule: error when creating an indicator matching an exclusion decay rule in draft
  • #13688 Toolbar disappeared from container's entity/observable tabs
  • #13681 Playbook - Replace Does not work
  • #13675 In form intakes, observable syntax verification is not working
  • #13656 SSH key: key type does not fetch the key type open vocab
  • #13637 A user with manage creds but no org can log in to platforms with Org segregation
  • #13614 [ci] backend check ts and lint are missing in github actions
  • #13301 Security Coverage is not displayed successfully
  • #13280 Technical error on correlation view
  • #13033 [XTM-Composer] The composer tries to connect to OpenCTI for some time, then gets stuck and does not retry
  • #12494 Malformed IPs with leading zeros can be created
  • #12078 External Reference URL regex issue with ending /
  • #11064 Playbooks: Promote Observable to Indicator - No File Type

Full Changelog: 6.9.0...6.9.1

Version 6.9.0

12 Dec 09:19
301aff5

Dear community, we're excited to announce the launch of OpenCTI 6.9.0! 🥳

This release focuses on solving key pain points and unlocking new use cases:

  • Make Priority Intelligence Requirements actionable
  • CTI-driven assessment by integrating OpenCTI & OpenAEV
  • Draft Authorize members, to protect from unwanted modification or approval
  • Prevent some IOCs from decaying by introducing Decay Exclusion Rules
  • Framework to import data in the platform via Form Intake
  • UI & UX improvements
  • Many other improvements (new capabilities for playbooks, pattern matching for IOCs…)
  • New Integrations/Connectors

🌟 Make Priority Intelligence Requirements actionable (EE)

  • A new Threat Map widget in PIRs provides instant visual insight into your highest-priority threats, enabling faster threat assessment and prioritization.
  • Priority Intelligence Requirements are now actionable within playbooks through intelligent filtering based on identified threats and scores. This enhancement transforms PIRs from passive threat awareness into actionable automation.
    • Trigger enrichment and processing workflows upon threat detection
    • Automatically initiate actions based on PIR threat scores
    • Selective processing of entities (indicators, vulnerabilities, etc.) linked to specific PIR threats

This allows teams to move beyond static threat lists and automatically respond to prioritized threats. Playbooks now execute targeted actions on the threats that matter most to your organization, reducing noise and accelerating response times to high-priority threats.

🤖 CTI driven assessment by integrating OpenCTI & OpenAEV (CE)

Security assessments can now be initiated from threat intelligence in OpenCTI, executed as simulations in OpenAEV, and their results automatically imported back into OpenCTI as actionable gap analyses, stored in a new entity type, Security Coverage. The creation and generation of security coverages can also be fully automated through the playbook engine. Combined with the ability to trigger playbooks on PIR events, this lets you automatically test your defense posture against the threats identified as relevant for your organization.

This first implementation lays the foundation for turning security assessments from manual processes into automated, threat-driven continuous validation.

See details in our documentation.

💡 Draft Authorize members, to protect from unwanted modification or approval & Service Account bypass (CE)

As a first step toward an approval workflow for drafts, Authorized Members can now be set on drafts.

When creating a draft manually or via file upload, you can define its authorized members at creation time. This ensures that no other user can validate your draft on your behalf, or even modify it, without your consent.

This change required a related change: Service Accounts now bypass Authorized Members. The rationale is that Service Accounts (for example, the ones connectors run as) must be able to enrich observables within a draft even when that draft has Authorized Members set. To be clear: even when a Service Account is not listed as an Authorized Member, it gets the Edit permission on the entity (drafts, containers). This bypass is the default behavior and cannot be changed. In practice, an Authorized Members restriction therefore no longer bounds what a Service Account can modify, so Service Account tokens deserve the same protection as the credentials of the authorized members themselves.

👤 Prevent some IOCs from decaying by introducing Decay Exclusion Rules (CE)

Some IOCs should never expire. For instance, YARA rules (or any detection rules) should never be revoked, otherwise tools such as your SIEM, XDR or EDR would stop detecting the malicious activity the rule describes.

This is the purpose of Decay Exclusion Rules: you filter on IOC attributes, and the matching IOCs are kept out of any decay rule. Ultimately, this prevents those IOCs from being automatically revoked.

Please be careful with decay exclusion rules:

  • A decay exclusion rule always takes precedence over a decay rule: if an IOC matches both a Decay rule and a Decay Exclusion rule, the exclusion applies.
  • An IOC that currently matches a decay rule will fall under a decay exclusion rule at upsert if the upserted data matches the filters of that exclusion rule.
  • An IOC under a decay exclusion rule cannot be changed so that a decay rule applies to it again.

This feature should also help if you use sources that manage the lifecycle of their IOCs themselves, so that two automated lifecycle managements are not applied to the same IOCs.

See details in our documentation.
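The three precedence rules above, modelled as an added example in Python. This is not OpenCTI's own decay engine: the `Rule` filter format, the `Indicator` class, the sample rules and the sticky `excluded_by` marker used to model the third bullet are all assumptions chosen for illustration.

```python
"""Illustrative model of the decay rule / decay exclusion rule precedence
described in the 6.9.0 notes. Added example, not OpenCTI's implementation:
the filter format, the Indicator/Rule classes and the sample rules are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Indicator:
    name: str
    attributes: dict                  # assumed shape: {"pattern_type": "yara", "labels": [...]}
    excluded_by: Optional[str] = None  # name of the exclusion rule that captured this IOC


@dataclass
class Rule:
    name: str
    filters: dict                     # attribute -> tuple of accepted values (all keys must match)


def rule_matches(rule: Rule, indicator: Indicator) -> bool:
    """Every filter key must match; a list-valued attribute matches if any element is accepted."""
    for attr, accepted in rule.filters.items():
        value = indicator.attributes.get(attr)
        values = value if isinstance(value, list) else [value]
        if not any(v in accepted for v in values):
            return False
    return True


def _refresh_exclusion(indicator: Indicator, exclusion_rules: list) -> None:
    # Bullet 2: at creation or upsert, an IOC whose data now matches an exclusion
    # filter falls under that exclusion rule.
    # Bullet 3 (modelled as a sticky marker): once excluded, the IOC is never handed
    # back to a decay rule, even if a later upsert changes the attributes the
    # exclusion filter looked at.
    if indicator.excluded_by is None:
        for rule in exclusion_rules:
            if rule_matches(rule, indicator):
                indicator.excluded_by = rule.name
                return


def create_indicator(name: str, attributes: dict, exclusion_rules: list) -> Indicator:
    indicator = Indicator(name, dict(attributes))
    _refresh_exclusion(indicator, exclusion_rules)
    return indicator


def upsert(indicator: Indicator, new_attributes: dict, exclusion_rules: list) -> Indicator:
    indicator.attributes.update(new_attributes)
    _refresh_exclusion(indicator, exclusion_rules)
    return indicator


def lifecycle(indicator: Indicator, decay_rules: list) -> tuple:
    """Which automated lifecycle governs this IOC:
    ("excluded", rule_name), ("decay", rule_name) or ("none", None)."""
    # Bullet 1: the exclusion is checked before any decay rule and wins on conflict.
    if indicator.excluded_by is not None:
        return ("excluded", indicator.excluded_by)
    for rule in decay_rules:
        if rule_matches(rule, indicator):
            return ("decay", rule.name)
    return ("none", None)


# Constructed sample rules (assumptions, not the platform's defaults).
DECAY_RULES = [Rule("default-decay", {"pattern_type": ("stix", "yara", "sigma")})]
EXCLUSION_RULES = [
    Rule("keep-detection-rules", {"pattern_type": ("yara", "sigma")}),
    Rule("keep-never-expire-label", {"labels": ("never-expire",)}),
]


def demo() -> dict:
    ip_ioc = create_indicator("ipv4-1", {"pattern_type": "stix", "labels": []}, EXCLUSION_RULES)
    yara_ioc = create_indicator("yara-1", {"pattern_type": "yara", "labels": []}, EXCLUSION_RULES)
    results = {"created": (lifecycle(ip_ioc, DECAY_RULES), lifecycle(yara_ioc, DECAY_RULES))}
    # A feed upserts the IP with a label matched by an exclusion filter: it stops decaying.
    upsert(ip_ioc, {"labels": ["never-expire"]}, EXCLUSION_RULES)
    results["after_upsert"] = lifecycle(ip_ioc, DECAY_RULES)
    # Removing that label later does not bring the IOC back under the decay rule.
    upsert(ip_ioc, {"labels": []}, EXCLUSION_RULES)
    results["after_label_removed"] = lifecycle(ip_ioc, DECAY_RULES)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, outcome)
```

Running it shows the IP indicator moving from the decay rule to the exclusion rule after the upsert and staying excluded once the label is removed. That last step is the one to keep in mind when a source you do not fully control can upsert attributes that an exclusion filter matches on.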

🛡️ Framework to import data in the platform via Form Intake (CE)

Creating data in the platform can be a complex task, especially because:

  • Not all users are STIX experts.
  • Administrators need a way to enforce data collection consistently.

As a result, we’re proud to introduce the Form Intake, to streamline the collection of threat intelligence data from external sources and stakeholders through structured forms.

Form intakes allow Administrators to define a form that specifies which entities should be created and which of their fields are mandatory. Administrators can also decide to automatically create relationships between the entities created through the form, and whether to create them in a draft or not. Additionally, an administrator can label the entity or a specific field with a non-STIX label, which helps users not familiar with the platform and/or STIX to enter information easily.

Since its availability in 6.8.X, this feature has proven useful in the FIMI context, in sharing communities such as ISACs, and for incident reporting.

Please provide as much feedback as possible on this feature, which should help you consolidate your database with consistent data.

🎨 UI & UX improvements (CE)

We keep working on the UI & UX part to provide a better experience to users.

  • Improvement of the bulk search module to make it more useful and actionable: found entities (knowns) and not-found entities (unknowns) are now managed separately. Known entities support bulk operations, and all unknown entities can be created at once.
  • The Create Relationship floating action button has been relocated on all entity tabs across the platform. You can now create relationships from any tab using the button located next to the Update button.
  • Custom themes are now available, so organizations can align the platform's visual design with their corporate branding guidelines.
  • The Composer catalog now adapts to your screen size, providing a better experience on any device.
  • Open files in another tab in drafts: when opening a file from a draft, it now opens in a new browser tab, which should simplify usage of the app.
  • Clarified the Add behavior on Authorized Members: the "+" used to add authorized members was confusing, so a proper ADD button has been introduced instead.

💡 Many other improvements (new capabilities for playbooks, pattern matching for IOCs…)

  • New observable to model SSH keys (CE): a new observable type, SSH key, has been introduced to help model SSH keys.

  • Email notifier improvements (CE): the mailer notifier generates its content in HTML, while the description field of an entity is formatted in Markdown by default. Markdown-formatted content is now converted to HTML so that it renders consistently and correctly in mail notifications.

  • Pattern matching filter (CE/EE): now also available for indicators in playbook, Live streams, CSV Feeds, and TAXII Collection.

  • Composer configuration (EE): for configuring a global HTTP/HTTPS proxy for connector network connectivity.

  • Change the capability linked to playbooks (EE): Playbook capability has been split into two capabilities:

    • Manage playbooks: to allow users to create and manage playbooks
    • Use playbooks: to allow users to trigger playbooks manually and automatically.

    This should help administrators in managing the RBAC with a fine-grained approach. See details in our documentation.

  • Change of capability for Delete & Merge knowledge (CE): after feedback from the community, the capability covering merge and delete has been split, so that merge and delete are now two distinct capabilities.

  • Add original value in the logs (CE): Understanding the changes on an entity in detail is key in Cybersecurity. Therefore, we have improved data traceability by allowing users to view the detailed changes about an entity. Now, each line of the history of an entity is clickable, to give you more details about the initial value and the new one.

  • Send email from template in playbook (EE): a new box, “Send email from template”, has been introduced, allowing you to send emails using the templates defined in Parameters/Security. The goal is to send emails to users while leveraging the HTML capabilities of the email template editor. This template only supports user-related variables, not entity-related variables. Additionally, this capability supports some dynamic variables, such as selecting “dynamic objects from the object in bundle” (organization), to extract the users directly from the organization that triggered the playbook. More info on our documentation page.

  • Introduction of an onboarding email template (EE): for new platforms, an email template for user onboarding will be prepopulated, to help administrators save time in setting...

Version 6.8.17

10 Dec 20:22
09d2ca0

Enhancements:

  • #13625 Add ability to specify a provider in API client user agent and specify one in worker
  • #13623 Implement duration, type affinity and platforms affinity in security coverage to drive scenario generation
  • #13136 Create Security Coverage through playbooks

Full Changelog: 6.8.16...6.8.17