@SamuelHassine SamuelHassine released this Sep 14, 2021


Dear community, we are glad to announce the release of OpenCTI 5.0.0 🎁, after 3 months of collective work from the whole OpenCTI community. This new version is based on two fundamental principles:

  • Make OpenCTI more reactive and intelligent with the data while we ensure consistency and robustness of our current components 🧠.
  • Build the roots of more collaboration, sharing and engagement on threat intelligence structured data 🤝.

In this major release, we have entirely reworked most of our essential components, especially the data streams to enable community sharing and synchronization between platforms 📡. Furthermore, this milestone re-introduces a global reasoning mechanism on the data, allowing analysts to visualize accurate and exhaustive knowledge without constantly pivoting between entities and relationships 📉.

A lot of new features described in our blog post are available in OpenCTI 5.0.0: subscriptions / digests, content viewer / enriched editor, custom workflows, dashboard widgets, etc 🚀. Among all these changes, more than 50 bugfixes are part of this release, whether related to the core platform or the connectors/libraries ecosystem 🔨🔨.

We are working on updating our strategic roadmap so it will reflect where we stand, but next steps have already been planned in the different Luatix development committees: garbage collector, case management, connectors and widgets will be our main focus in the coming months 🎇.

Please note that the subscription manager is enabled by default. This means you will be required to provide the API with SMTP access. If you don't have an SMTP server, just disable the subscription manager with:

"subscription_scheduler": {
  "enabled": false
}

in your configuration.


  • #1550 Allow file upload in external reference
  • #1534 how can i add the relation "CONSISTS_OF" between INFRASTRUCTURE and OBSERVED_DATA
  • #1530 Implement a generic status for all entities
  • #1521 OpenIDConnect Strategy doesn't support roles from claims
  • #1486 Increase body-parser express limit to prevent "request entity too large"
  • #1467 Marking column is missing
  • #1455 Improve elastic-searching from platform. (global searching, author searching, individual entity screen searching)
  • #1453 Ability to filter on types of Report Type in Report's Correlation view
  • #1449 Add an option to automatically add new marking to certain groups
  • #1447 Clickable links on Attack Matrix View
  • #1444 Observed data upsert management (first_seen, last_seen, number_observed)
  • #1438 [frontend] Report can't create Course of Action
  • #1437 Enhance the large graph performances
  • #1435 Remove this red cross sign when no access in observable
  • #1433 Feed subscription / bulletin / digests
  • #1425 'belongs-to' is not a permissible relation between IP and ASN
  • #1419 Re-implement inferences and automatic rules of computing
  • #1402 Importing STIX file from Report doesn't associate objects from the report
  • #1359 Get Alert / Notification from OpenCTI
  • #1358 Refactor sightings (viewing Sighting Description)
  • #1351 Create Exportable list of Courses of Action per Incident, based on related Attack Patterns
  • #1347 List Widget for Dashboarding
  • #1324 Missing permissions to prevent access to Data/Entities and Data/Background tasks
  • #1322 Implement system identity objects
  • #1319 Creating relationships between entities in the context of investigations
  • #1312 Enable Tree Mode in Knowledge Graph while forces are in disabled
  • #1304 Refactor sightings and display history of relations
  • #1303 Refactor notes & opinions to be more "user friendly"
  • #1287 Add dashboard widget to display indicators lifecycle
  • #1275 Default connector role and mutation
  • #1265 The description content is different from the preview page.
  • #1063 Filtering based on area of concern & Watch List feature request
  • #912 Rules for correlation
  • #904 "Rich text editor" (report creator + export PDF)
  • #876 Referenced all platform information
  • #874 Make a backup of the platform
  • #788 Targeted organisations should be able to connect to locations/regions
  • #753 Add description of inferred relations
  • #649 Inferences - threat actors -intrusion sets
  • #183 Implement a timeline visualization for multiple entities

Bug Fixes:

  • #1559 Line break in description fields for notes and relations is not displayed
  • #1558 Platform freezing when creating a new entity without an author
  • #1552 URLs are incorrectly rewritten when using a reverse proxy
  • #1548 Investigations error when contains resolves-to relationship
  • #1539 ElasticSearchMetrics GraphQL error: Int cannot represent non 32-bit signed integer value
  • #1538 Custom colour setting hex-code handling
  • #1531 Setting x_mitre_id to None Causes webUI Crash
  • #1529 Can not delete "marking definition" on incident page
  • #1525 Unable to manually create "observed data" entry
  • #1524 Check why standard_id is in other STIX IDs and create a migration
  • #1502 Error Displaying Intrusion Sets
  • #1489 CVEs Identified in OpenCTI
  • #1480 Observables missing from the menu to create a new entity in Reports
  • #1479 Bug with bookmarks when an entity is suppressed
  • #1478 Internal server error when launching pdf file import
  • #1471 Report titles appear blank when creating relationships
  • #1465 Bug when expand TTP in investigation menu
  • #1448 Unable to change time period in custom dashboards with a "Read Only" role
  • #1446 [frontend] Report entities can't select check box
  • #1443 Exporting of entities in a Threat Report exports all entities when filtered.
  • #1439 Creation of embedded relations broken in the latest release
  • #1430 Filter by marking not working in graph view
  • #1418 Uploading from python connector stopped working
  • #1369 Elasticsearch multi-node connexion

@SamuelHassine SamuelHassine released this Jun 18, 2021

Dear community, OpenCTI 4.5.5 has been released 🥳! A lot of bug fixes and tiny enhancements in this new minor version 🧭.

The authentication system now supports the SAML standard and LDAP group mapping 🔑. Some improvements have been implemented in graph views and forms 🎨. Also, multiple minor bugs mainly impacting the UI side have been fixed 🪲.

The next major milestone is under development and will contain significant enhancements over all our components, from automated rules engine to report advanced editor and notification systems 🚀🚀🚀.


  • #1414 Implement the SAML SSO system
  • #1399 Improve Workers statistics screen
  • #1422 Unable to update "confidence" relations
  • #1393 Have a "part-of" relation for threat actors
  • #1391 Be able to filtrate analysis by type:report or note or opinion
  • #1390 Incident confidence level cannot be modified
  • #1389 Have the name of the author automatically filled
  • #1387 Have the confidence level field available when creating a new object or relation
  • #1386 Notes : be able to modify the date
  • #1376 Configure attribute mapping from LDAP
  • #1311 LDAP Group import v2
  • #1195 Easily organize objects in Knowledge Graph
  • #1175 Prevent elastic database from corrupting itself if reverting platform versions

Bug Fixes:

  • #1416 Adding same External Reference to Report twice Deletes both
  • #1408 Unable to change author for an indicator
  • #1406 Issue displaying the md formatting features in the description box
  • #1394 [frontend] Sort report observables causes crash
  • #1421 No related indicator is created when creating an observable of type 'email-message' with option: CreateIndicator
  • #1388 Relations creation : have the last seen field filled by default
  • #1413 OpenCTI with Elasticsearch https

@SamuelHassine SamuelHassine released this May 31, 2021

Dear community, OpenCTI version 4.5.4 has been released 🤯! This iteration fixes some minor bugs and introduces a bunch of new features 🚀. Among them, we are proud to announce the global availability of the OpenCTI light theme 🎉, including the ability for organizations to customize colors and logos of their OpenCTI instances 💅🏻. This new feature comes with more advanced export capabilities (theme selection, transparent backgrounds, etc.) for basically every visualization in the platform ⚙️.

Also, the enrichment APIs and screens have been moved to the global meta entity Stix-Core-Object, which covers STIX Cyber observables but also STIX Domain Objects 🏖️. This move prepares the work around new STIX Domain Object enrichment connectors for vulnerabilities, organizations, incidents, etc. such as Wikipedia, CRMs, ticket management systems... 🏠

Last but not least, a few connectors have been enhanced 🦋. The AlienVault connector has new options to enable/disable relationships between Attack Patterns and Indicators (which may lead to a lot of relationships for each pulse). It's also possible to fully disable relationships.

The ImportFilePdfObservables connector has been replaced by a fully rewritten ImportReport connector which also supports plain text files. A huge thank you to @nor3th for this amazing work 🙏!

We are preparing an update of our strategic roadmap to give everyone more visibility on where we are and what is coming. Our focus remains on analyst-centric features, logical inferences and the report builder 💻.


  • #1380 Add "Attack Pattern" to Incident timeline
  • #1367 Bug in the custom dashboard : campaign activity and incidents activity displaying "not implemented yet"
  • #1307 Background task for confidence level
  • #1305 Enhance the observable knowledge section
  • #1191 Create relationships between similar objects in bulk
  • #779 Course of Action for Threat Hunting
  • #530 Implement a light theme (and allow users to select the theme)

Bug Fixes:

  • #1377 Donut visualization of the threat or arsenal item perspective is not restricted to the selected entity
  • #1373 The relationship type belongs-to is not allowed between IPv4-Addr and Autonomous-System although offered by UI
  • #1371 Vulnerability Severity can't be set to CRITICAL
  • #1370 Can't modify Observable network-traffic object
  • #1365 Bug in the dashboards - can't see the day/date when picking the last 7 days period
  • #1364 Bug when switching the type of relationship between a country and an intrusion set

@SamuelHassine SamuelHassine released this May 19, 2021

Dear community, OpenCTI 4.5.3 has been released 🥳! Docker images for ARM and PPC architectures are now available as well as knowledge export in PNG and PDF from the UI (dashboards, graphs, kill chains, etc.) 🚀.

Some minor bugs on CSV export and reports display have been fixed. Our next milestones will now be focused on re-introducing logical reasoning rules on the knowledge 🔥 and on custom subscriptions/digests, alerting, and analyst features such as comments, feedback on data, etc 🎁.


  • #1357 Edit indicator_types of an indicator
  • #1355 Be able to export views, graphs and dashboards in PNG/PDF
  • #1352 Ability to filter by "No Label"
  • #1350 Ability to Update Vulnerability Severity, Availability Impact via GUI
  • #1349 Unable to update Indicator valid_until
  • #1341 Ability to edit objects in bulk within the context of a report
  • #1271 Add ARM support by building OCTI with multi-arch

Bug Fixes:

  • #1354 Lines view under Analysis shows all reports in the system instead of just the relevant ones

@SamuelHassine SamuelHassine released this May 14, 2021

Dear community, OpenCTI 4.5.2 has been released 🚀! This is a hotfix for a bug affecting attack patterns management coming from the MITRE connector.

Bug Fixes:

  • #1345 Attack patterns standard IDs not correctly generated (merging is not coherent)

@SamuelHassine SamuelHassine released this May 13, 2021

Dear community, OpenCTI 4.5.1 has been released 🚀! This version introduces a lot of new features and minor bugfixes 🥳. First of all, as planned in our roadmap, we've tackled our brand new live streaming system 📡, which allows creating as many streams as needed (like TAXII 2.1 collections) 📰.

To demonstrate the power of this new system 💡, this release also brings the availability of 2 new and long-awaited connectors: Splunk KV Stores & ElasticSearch SIEM 🎁. Also, the Tanium connector has been entirely refactored to use this new streaming system.

Finally, our Synchronizer connector has been enhanced so we'll soon be able to start working on true exchange communities built on top of OpenCTI instances 🛰️.

📜 To know more about the live streams and our event format (STIX 2.1 compliant), don't hesitate to read our dedicated documentation.

Last but not least, this new version also contains some enhancements in the user interface with new capabilities in custom dashboards and investigations. Also, global graphs of knowledge for each entity have been introduced. They gather all the entities and relationships from the reports associated with the concerned entity 👍.

Next milestones will be focused on improving the overall engagement of OpenCTI users with a refactor of notes, opinions and the introduction of subscriptions and workflows 💝.

Be careful with the MITRE and the OpenCTI connectors: their scopes have been modified.


  • #1334 Extend the Dashboards for "Sector or locations" to the entity "Organization"
  • #1314 Description is not appearing in the Course of Action
  • #1313 Score filters for Observables & Indicators
  • #1302 Export full indicator via SSE upon deletion
  • #1297 Improve platform initialization to prevent concurrency problems
  • #1269 OpenCTI fails to start with clean Redis instance
  • #1261 Create a relational "master" graph in Intrusion-Set and Threat-Actor menu
  • #1232 Implement custom/filtered streams
  • #811 Possibility to obtain a synthesis report of knowledge

Bug Fixes:

  • #1344 Datetimepicker - wrong language on days header
  • #1343 Prevent creation conflict when user have no visibility on element creation
  • #1339 Organizations knowledge - Add new observables relationship doesn't work
  • #1333 Dashboards - changing the time window has no effect on the shown results
  • #1328 TAXII API - Filters (Score greater than) not working
  • #1323 First seen and last seen not updated for existing sighting

@SamuelHassine SamuelHassine released this Apr 29, 2021

Dear community, OpenCTI version 4.5.0 has been released 🥳! This new major branch introduces a lot of enhancements and some minor bug fixes 🏇🏼. We've also started to work on the API side to be able to build in the next versions the expected integrations with a lot of third-party systems 📡.

Among the various new features in this version, more filters are available in the TAXII collection API, and it's now possible to upload artifacts in a dedicated section and to quickly display observables sighted in specific organizations or locations. Also, the detection attribute is now automatically disabled when an indicator is expired and LDAP group mapping with platform roles has been implemented 🚀.

We've also migrated our custom Incident entity type to the new STIX 2.1 standard and enhanced the ability to create relationships between observables (resolves-to, contains, etc.) 🔨. Last but not least, the users are now able to pin entities as favorites in some views, which is the very beginning of massive work around analyst-centric capabilities, user engagement, comments, subscriptions, etc 👨‍💻👩‍💻.


  • #1306 Implement expandable external references panel
  • #1299 Ability to Merge Observables of the same type
  • #1296 Add Infrastructure in Knowledge section of Threat Actors, Intrusion Sets and Malware
  • #1294 Introduce artifacts upload and enrichments/imports
  • #1286 Disable attribute "Detection" when an indicator has expired
  • #1285 Filter indicators by "Detection" value and by "Score" range
  • #1284 Display of attribute "Detection"
  • #1283 Display a correct error message when Github login profile have no public email
  • #1282 Refactor the knowledge section (and the root section) of organizations & individuals.
  • #1243 Add more filters on the export taxii module
  • #1235 It says it has 1 indicator relationships BUT there is nothing listed under Indicators
  • #1185 Migrate Incidents to new STIX2.1 official entity
  • #1089 Unable to link observable Domain Name to IPv4 Address
  • #1049 Export Observables after Filtering by (Report)
  • #1007 LDAP Group import
  • #861 Changing relationship between two entities on report knowledge graph
  • #812 Multiple selection of SDOs in order to link them to another entity
  • #614 Support Azure AD integration
  • #587 Bookmark items
  • #507 Configurable logon banner

Bug Fixes:

  • #1310 Country is not always recognized by its aliases
  • #1308 Modification date of the observable is not updated after changing observable properties
  • #1298 No relationship with course of action in attack pattern overview
  • #1292 Long tasks on observables are not working (when select all)

@SamuelHassine SamuelHassine released this Apr 21, 2021

Dear community, OpenCTI 4.4.1 has been released 🥳! This version fixes minor bugs related to the authentication (LDAP and OpenID), the RabbitMQ SSL support (custom CA and worker compatibility) and the frontend in general 🚀. It also introduces a few enhancements in the knowledge section of entities.

We would like to thank all community members involved in this release for their great contributions and feedback 🙏!


  • #1281 Enhance the knowledge section to avoid re-rendering of the right menu
  • #1278 RabbitMQ SSL: fix bugs and add CA configuration
  • #1277 User can't login with LDAP in some use case

Bug Fixes:

  • #1276 Can't login using openID connect with AzureAD (roles scope is not valid)
  • #1268 Not possible to edit the field "Goals" of an intrusion set
  • #1267 Not possible to edit the field "Secondary Motivation" of an Intrusion Set
  • #1280 Filtering of relationships on "Stix-Domain-Object" doesn't work

@SamuelHassine SamuelHassine released this Apr 15, 2021

Dear community, the major version release OpenCTI 4.4.0 is out 🤯! We're glad to announce this version not only fixes all currently known bugs but also introduces a lot of important enhancements 🙀.

First of all, the implementation of background / long-running tasks now allows users to take massive actions from the interface such as bulk delete, bulk labeling or modification, etc 🚀. These tasks can be monitored and canceled if needed. Also, it's now possible to convert any observable to a STIX indicator and to update any malware attributes in the interface 🎀.

A new tactics matrix visualization has been developed for reports and attack patterns related to a specific threat 🧮, this will be enhanced and extended in custom dashboards in the future. We've also implemented new platform-related features such as client certificate authentication, audit logs, RabbitMQ over SSL, etc 🌠.

Last but not least, some important bugs, especially related to the history of entities and automatic import of files (PDF or STIX), have been fixed. We definitely encourage everyone to upgrade to this version as soon as possible 🙇🏽‍♂️. As you may know, we're working hard on different integrations with SIEM, datalake and EDR systems, which should be included in the next release 🎠.

⚠️ The application log level configuration has been modified. Now, if you want to change this level from info to error, for example, you need to change the app > app_logs > logs_level configuration (for more information, please check the documentation).


  • #1264 Support for RabbitMQ over SSL
  • #1255 Make Optional - Automatically start connectors when upload a report
  • #1249 Migration to webpack 5
  • #1239 OpenCTI is failing to connect to Amazon MQ/RabbitMQ cluster
  • #1237 Promote observable to indicator
  • #1216 Want to edit the "Details" part of "Malware"
  • #1207 TTPs matrix in all entities (including reports)
  • #1170 Add Client Certificate Authentication
  • #1163 Selectable Date Types in Advanced Search
  • #1144 Creation of a checkbox to select all the info in data curation
  • #1045 Login and administration audit log Activity
  • #986 Top CVE Widget
  • #977 Export Indicators/Observables from Reports
  • #883 TTPs matrix in the product
  • #827 Improve federated SSO authentication
  • #771 Multiple entities selection action (tag / delete ...)
  • #730 select all under data-> data curation
  • #719 Be able to add generic "related-to" relations from knowledge

Bug Fixes:

  • #1259 Critical error in custom dashboards
  • #1254 Bug when add entity in investigation
  • #1251 The user id of UI action is now missing in the stream
  • #1246 Cannot create a X509 Observable
  • #1241 In relationship list view, the First Observed date is not the right one
  • #1238 Functional Error: "Only stix-core-relationhip can be created through this method" when creating "authored-by" relationships
  • #1223 First object added to Report not visible in Knowledge graph

@SamuelHassine SamuelHassine released this Apr 7, 2021

Dear community, OpenCTI version 4.3.5 has been released 🥳! Among a lot of bug fixes 🛠️, this version introduces one major enhancement regarding session management: it's now possible to view (and kill) sessions of the users directly in the platform 🧍.

We've also fixed some bugs in the Python library and some new connectors have been added (details will be shared in dedicated blog posts) 🚀. SIEM/EDR integrations such as Splunk, Q-Radar, ElasticSearch, Azure Sentinel and others will be released soon! CORTEX XSOAR and Maltego announcements are coming as well 🎁.


  • #1234 Users sessions management (view/kill)
  • #499 Ask for confirmation before suppressing an entity from a graph from the panel

Bug Fixes:

  • #1236 There seems to be a limit to how many entities are shown on a page
  • #1231 Workspaces standard IDs should be UUIDv4 to avoid problems in the creation
  • #1230 Changing the limit of objects in investigation expand raises errors
  • #1229 Data segregation in graphs raises errors
  • #1226 No access control on some creation buttons
  • #1225 Adding an already existing relationship to a graph raises errors