
CTX/Soltra Edge Release Notes for 2.9

(Released 10/2016)

Enhancements

Search and Retrieval Enhancements

Search

Soltra Edge 2.9 adds a new full-text search capability that replaces the object catalog from previous versions. Searches can include full-text keywords and key/value terms. The new search capability provides results at human-interactive speed and scales to millions of indicators stored in the database. Search results can be bookmarked in the browser and shared with other users using the URL.

Example Parameters:

  Tag                       tag:priority-high
  Received Date             year:2016 month:10 day:3
  Intelligence Type         type:ind
  Intelligence Sub-Type     subtype:ip-watchlist
  XML Namespace (Alias)     ns:opensource
  Contributing User         user:jsmith

Tags


Intelligence can now be tagged, helping users organize their threat intelligence. Tags appear on the Object Detail page, in search results, and may be used in searches (e.g., tag:tagname).

Users may customize tag colors for easy visual identification.

STIX/TAXII Handling Enhancements

Sharing Back: On-Demand Threat Sharing

The clipboard tool has been enhanced, enabling users to compile intelligence and send it to remote sites on demand.

DHS AIS (Automated Indicator Sharing) Support

Soltra Edge 2.9 includes support for sending and receiving threat intelligence from the DHS Automated Indicator Sharing (AIS) program, as well as tools for incorporating intelligence sharing via AIS into your organization.

If you have access to AIS TAXII services, you can configure a Peer-to-Peer connection, just as with any other TAXII service. If data is received that includes DHS AIS handling details, those details will be displayed in the object detail page.

The clipboard can be used to assemble a collection of intelligence to share with AIS, and Soltra Edge’s AIS Submission tool will assist with marking the documents appropriately before sending them via TAXII.

Upload Validation Enhancements

The Upload tool has been enhanced to provide additional validation of STIX documents. The upload tool now validates:

  • Documents that contain DHS AIS markings

  • Documents that contain CISCP Indicator types Benign and Compromised


Peer-to-Peer Enhancements

When Soltra Edge is used to send data, users can now indicate the destination TAXII collection name(s). For TAXII, a more detailed HTTP User-Agent string is sent with requests indicating the Soltra Edge version information. This provides additional reporting information for data providers or clearinghouses, and assists with troubleshooting interoperability issues.

Feed (Stored Query) Enhancements


Changes to System Feed Behavior

Previously, Administrators were unable to create new system-level feeds. Now, any administrator can create or modify a system feed.
All previous versions of Soltra Edge have included a built-in system.Default feed. The system.Default feed is no longer present on new installs of Soltra Edge; existing deployments retain the system.Default feed on upgrade. Administrators are free to configure all feeds to meet their needs.

Additional Filters

Two additional query filters were added to aid with data selection, as well as improve the quality of output data.

  • XML Namespace (URI) matching filter

  • Private IP Range (RFC 1918) Address exclusion

STIX Builder Enhancements

Local Namespace Search

Users of installations with large data repositories may find it difficult to find their own data when creating relationships or referencing existing Observables. To improve this situation, the Search system can now limit results to intelligence that was created by the system’s configured namespace.

Reporting and Workflow Enhancements

Activity Log Email Link

When working with Activity entries, users may want to send an email with a reference to specific intelligence. Links have been added that can begin composing emails with STIX ID detail included in the body automatically.

Home View Statistics

The Home View’s Top Contributors chart, as well as the other charts, now links to search queries with appropriately related results.

User Management Enhancements

Full Name Transition

To make Soltra Edge more globally accessible, Full Names have replaced first and last names throughout the application. When upgrading from previous versions, existing name data will be coalesced to the new format automatically.

Flexible Administrator Names

Previous versions of Soltra Edge included a predefined, built-in Admin user account. Now, Administrators may have any username and there is no requirement to have an explicitly named Admin user.

TAXII Inbox Namespace Approval Lists

User Inbox submissions (TAXII) may now be restricted according to a pre-approved list of XML Namespaces. In mixed-use installations, such as intelligence hubs or clearinghouses, this helps prevent users from submitting unwanted or unauthorized reports and data.
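A sketch of what a namespace approval check on an inbox submission can look like, as an added example that is not Soltra Edge's own code. It assumes the check applies to the namespace URI that each STIX @id QName prefix resolves to; the function name, the sample document and the example.com / example.net namespaces are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample: a minimal STIX 1.x package whose @id values are QNames.
SAMPLE = b"""<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:acme="http://acme.example.com" xmlns:other="http://other.example.net"
    id="acme:Package-1">
  <stix:Indicators>
    <stix:Indicator id="acme:indicator-1"/>
    <stix:Indicator id="other:indicator-2"/>
    <stix:Indicator id="ghost:indicator-3"/>
  </stix:Indicators>
</stix:STIX_Package>"""


def check_inbox_submission(stix_xml, approved_uris):
    """Return (accepted, rejected_ids) for one submitted document.

    Hypothetical helper: every @id must resolve to an approved namespace URI.
    """
    scope = []      # (prefix, uri) declarations in scope, innermost last
    rejected = []
    events = ("start-ns", "end-ns", "start")
    for event, payload in ET.iterparse(io.BytesIO(stix_xml), events=events):
        if event == "start-ns":
            scope.append(payload)      # declared on the element about to start
        elif event == "end-ns":
            scope.pop()                # declaring element has closed
        elif payload.get("id") is not None:
            qname = payload.get("id")
            prefix, sep, _ = qname.partition(":")
            # Innermost declaration wins. An unprefixed id or an undeclared
            # prefix resolves to None and is rejected (fail closed).
            uri = next((u for p, u in reversed(scope) if sep and p == prefix), None)
            if uri not in approved_uris:
                rejected.append(qname)
    return (not rejected, rejected)


if __name__ == "__main__":
    print(check_inbox_submission(SAMPLE, {"http://acme.example.com"}))
```

Matching on the resolved URI rather than the prefix matters because a submitter chooses the prefix freely; only the URI it is bound to identifies the producer.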

Configuration and Tuning Enhancements

New Configuration Views and Real-time Parameter Changes

Soltra Edge 2.9 includes all-new Configuration views with an improved user interface. All configuration options are now effective immediately and no software restart is required.

Tunable CNAME Verification with Client Certificates

For Soltra Edge servers that use HTTPS client certificates (two-way), CNAME / Login verification was performed in versions prior to 2.9. Since this may not be appropriate in some configurations, it is now a tunable parameter. (Default: On)

New Appliance Configuration Backend

Edge 2.9 supports a broader range of configurations through better separation of the application from the underlying operating system. As a result, Edge 2.9 does not require sudo to operate. Edge configuration options related to sudo have been removed.

Bug fixes

  • Peer-To-Peer data now assigned to System user. Previously, received Peer-to-Peer data was assigned to the built-in admin account. Since this account is no longer a fixed user in 2.9, the data will appear as uploaded by System.
  • MapReduce jobs failed to run with a discrete MongoDB installation. In an environment with a discrete database service, MapReduce jobs would not honor the configuration properly.
  • System Restart not required during TAXII Directory Registration. Previously, the Directory registration process would need to restart services to apply configuration changes, but that is not necessary in Soltra Edge 2.9.
  • Invalid STIX serialization with SSDeep hash objects. A bug prevented the correct serialization of Observable data using SSDeep hashes.
  • Accidental mouse-click on backdrop closed the Observable Builder. To prevent accidental loss of data while using the Indicator Builder, the close-on-backdrop click behavior has been disabled for the Observable Builder.
  • Valid characters in STIX @id data may have caused an exception. STIX documents that contained a period (‘.’) in any @id field would raise an exception during processing.
  • Home view exception when loading Indicators without a subtype. Indicators that had no subtype specified would trigger an exception in the charting system.
  • Home view may have failed to load with certain Observables. Reference-only Observables could in some cases have caused an exception that prevented the home view from loading properly.
  • Serialization Errors may have occurred if idrefs have different TLP levels. Under certain conditions, invalid XML may have been generated if referenced objects have higher TLP access values than the referring object.
  • Denial-of-Service may have occurred if User Access table was large. A pathological query during login could have led to slow or denied service.
  • Long page-load times for large user collections. On systems with many users, the load time for the User administration pages may be unacceptably high. This has been resolved.

 
