CHANGELOG

v7.5.0

NewFeatures

  • Empowered AI - anomaly detection in text message - rare words probability
  • Empowered AI - anomaly detection in numbers
  • Empowered AI - anomaly detection in multi dimention numbers
  • Empowered AI - Root Cause tracing based on knowledge model
  • Empowered AI - Relations Mining builds knowledge model
  • Empowered AI - unsupervised data clustering
  • Empowered AI - forecasting alerting method
  • Empowered AI - AI input for network probe
  • Empowered AI - realtime processing for AI rules
  • Empowered AI - Model Library - save, store and upload AI models
  • Empowered AI - Model Library - reuse and retraint saved models
  • Empowered AI - Text Anomaly default alerts
  • Empowered AI - create manual incident based on AI results
  • Empowered AI - easy create alerts tab from AI rules config
  • Empowered AI - progress bar for started rules

BugFixes

  • Alert: added custom arguments to Energy SOAR integration
  • Alert: added support for external_link to Energy SOAR integration
  • Alert: groups management
  • Alert: missing url in alert_text arguments of the Energy SOAR method
  • Archive: clearing issue with empty with non existing file metadata
  • Archive: scrolling in case of visible warnings
  • CMDB: data fetching at the plugin startup
  • Integrations: built-in templates now use wildcards
  • SIEM Engine: improved alias refresh synchronization
  • Network Probe: deleting config files and handling deleted files from disk
  • Network Probe: filtering of probe’s statuses has been fixed
  • Network Probe: fixed when probes’ services statuses were unavailable
  • Network Probe: layout improvements and readability refinements
  • Network Probe: updated log messages to be more comprehensible
  • Network Probe: fixed permissions problem with external services
  • Reports: improved handling of time fields
  • SIEM Engine: improved RBAC mapping existence verification for non-admin users
  • SIEM Engine: updated to v4.7.4 due cve [CVE-2023-42463, CVE-2024-32038]
  • Task Management: improved filtering tasks by their duration

v7.4.3

NewFeatures

  • Query management: identify and stop long running query
  • Introducting Network-Probe as mandatory Input Layer
  • Archive: checksum verification on demand
  • Empowered-AI: default AI forecasting rules
  • License: GUI license upload with automatic distribution in cluster environment
  • Introducing “Status page”: showing health check in case of system problem without ability to log in
  • Free space warning on status and login page
  • Free space protection: Enabling Watermarks to keep system running in case of free space issue
  • Audit: enchancements to audit more GUI actions

Improvements

  • Alerts - Blacklist: wrong file name support
  • Alerts: Risk key can be set on non default field - SOAR integration
  • Alerts: secure und insecure webhook support
  • Archive: Date format change to epoch in milisec
  • Input layer uses Logstash-OSS 7.17.18
  • license-service: dedicated API
  • Skimmer: self monitoring of free space on cluster nodes
  • Skimmer: self monitoring of license API status
  • Support for Beats OSS Agents 7.17.18

BugFixes

  • Alerts: cannot select more than one index-pattern when creating/editing a rule
  • Alerts: empty role list when creating a rule without the admin role
  • Alerts: Energy SOAR method wrong WYSIWYG behavior
  • Alerts: errors when creating risks if any already exist
  • Alerts: Manual Incident: user without admin role cannot create an incident
  • Alerts: Manual Incident: user without admin role cannot see his incident
  • Alerts: notifications are not sent as a valid HTML email
  • Alerts: rule name change did not remove the old rule
  • Archive: partial restore
  • Archive: preparing data for archiving
  • Audit: exclusions on _nodes and _stats do not work
  • Audit: missing information about operations on users and roles
  • Audit: missing query content - if selected
  • Intelligence - view in discover: application not found
  • license-service: memory limitations
  • Login: AD login exception for users without mapped roles
  • Login: SSO login duplicate users
  • Reports: short link when creating docx report
  • SIEM Engine: Agent/Client updated to v4.5.4
  • SIEM Engine: permission denied after upgrade
  • status_page: missing branding
  • xlsx-import: fixing bug when writing more than 500 documents

v7.4.2

NewFeatures

  • Introducing Empowered-AI - Your data science module
  • Empowered-AI: Forecasting usecase !
  • Alerts: NEW rule type for Forecasting : Difference Multi Pattern - matches the difference between two index patterns calculated in a unit of time.
  • Archive: repository validation (automatic scan of archive files and indices)
  • SQL query support: query Your data with SQL query with dedicated GUI console
  • Integrations: NEW Labyrinth - Deception-based threat detection

Improvements

  • Archive: cataloging for better retention: $archivefolderpath/$year/$month
  • Archive: sorting, pagination and filtering on task lists
  • Archive: support for huge repositories
  • Disaster Recovery: improvements during cluster initialization and recovery
  • Disaster Recovery: logs for damaged indexes have been enriched with index_id
  • Disaster Recovery: possibility of disabling the authorization plugin
  • GUI: improvements in updating the client (browser) cache after Update
  • license-service: possibility to change log_level & default log_level changed to WARN
  • Reports: accept only the unix cron format in recurring reports
  • Reports: clear descriptions for settings which deletes obsolete files
  • Reports: dedicated MIME type for docx reports
  • Reports: filenames created by recurring reports now based on creation date
  • Sync: improved logging and error handling

BugFixes

  • Archive: delete the results file when deleting a search task
  • Archive: missing .zstd files and .dec files are not deleted after decryption
  • Archive: unable to prepare data for selected indices fix
  • Audit: user and role actions were filtered from audit queue due to missing username
  • configuration-backup & support-tool: now supports all logserver versions
  • E-doc: e-doc user requires gui-access to query the GUI authorization for a token
  • GUI: wait until refreshAliases finishes at user login
  • install.sh: problem with symlink when installing only the data-node
  • Login: deprecated route to the default home plugin
  • Reports: enable/disable for recurring report was not shown in GUI
  • Reports: impossible to delete a recurring report without assigned file
  • Reports: incorrect capture of “data table” and “tag cloud” visualization
  • Reports: incorrect formatting of email messages and the “mail” command
  • Reports: selected time field was not saved in the “data export” report
  • Reports: temporary jpeg file not deleted after creating pdf report
  • Reports: tsvb-based visualizations are incorrectly captured in docx reports
  • Scheduler: “Archive task updated, but error occured when updating scheduler object. Please retry” fix
  • Sync: tasks cannot be deleted
  • Sync: unable to create/update profile
  • xlsx-import: invalid file extension validation

SIEM Plan

  • Alerts: NEW rule type: Difference Multi Pattern - matches the difference between two index patterns calculated in a unit of time.
  • Alerts: bugfix: alert index rollover causes service errors
  • Alerts: bugfix: sorting alert risk on incident tab did not work properly
  • Alerts: bugfix: problem with updating alert rules
  • Alerts: bugfix: Energy SOAR + metric_aggregation does not create artifacts
  • Alerts: bugfix: Run Once old history after updating alert rule
  • SIEM Engine: bugfix: duplicate index-pattern siem*

v7.4.1

NewFeatures

  • Reports: DOCX support!

Improvements

  • Alert: multi-language support for alert rules
  • API: gui-access role is required to interact with the API
  • tlstool.sh: new ssl certificate management tool

BugFixes

  • Archive: support for “secure” and “insecure” mode (without valid certificates)
  • GUI: better-handled exceptions for custom plugins
  • GUI: defaultAppId directive has been restored
  • GUI: invalid directory for keystore
  • GUI: Module Access Control permission fix
  • GUI: users have aliases for different indexes after migration
  • Index Management: missing verification for “on save” action
  • Index Management: errors during rollover
  • Index Management: filtering using the “Enabled” column
  • Index Management: unable to update job after changing cron
  • Integrations: improved command for importing dashboards
  • Reports: custom logo moves the visualization on the dashboard
  • Reports: deleting reports (multi, single) does not refresh the list
  • Reports: enabling and disabling periodic reports by users
  • Reports: incorrect visualization titles are inserted when creating a Data Table report
  • Reports: long comment goes off the page when creating a PDF report
  • Reports: long title goes off the page when creating a PDF report
  • Reports: not translated statuses in the task list
  • Reports: problem with Tag Cloud visualization when creating PDF report
  • Reports: reports role paths to update, now require .reports
  • Scheduler: status table sorted by “start date” instead of “name”
  • Timeline/Timelion: regex not working due to an incorrectly built package

SIEM Plan

  • Alerts: bugfix: incorrect _id of the edited alert causes duplicates
  • Alerts: bugfix: unable to retrieve a list of risk key fields when updating a rule
  • SIEM Engine: better-handled exceptions in RBAC integration

v7.4.0

Upgrades

  • Complete database redefinition:
    • Segment replication
    • Searchable snapshots
    • Search backpressure feature can now cancel queries at the coordinator level
  • Complete user interface redefinition
  • Complete SIEM Engine redefinition:
    • New manager
    • New App
    • New Agent
  • Input layer uses Logstash-OSS 7.17.11
  • Support for Beats OSS Agents => 7.17.11

NewFeatures

  • Logserver: RBAC integration with Wazuh Engine (users can map roles between systems)

Improvements

  • CMDB: Browser-based Time Zone
  • Improved error handling when reloading a license (logserver/license/reload)
  • Archive: deleting tasks with multiselect option
  • Unification and organization of Energy Logserver system APIs
  • Alert: WebHook: added support for nested fields in http post payload
  • Agents: built-in agents templates updated to 7.17.11

BugFixes

  • CMDB: incorrect parsing of values in the date filter
  • Archive: blank line in index list on restore

v7.3.0

NewFeatures

  • Multi-Language Support

Improvements

  • Improved security by using response security headers
  • Network Probe: version lock prevents accidental updates
  • configuration-backup.sh activated by default

BugFixes

  • Reports: usage of “Include unmapped fields” cause “No data” when exporting csv
  • Agents: corrected manifest file for downloading agents
  • Archive: error while restoring encrypted archives
  • Cerebro: corrected auto-login after redirect

Integrations

  • VMware: Integration with dedicated dashboard and alerts
  • AWS: Integration with dedicated dashboard and alerts
  • Ruckus Networks: Integration with dedicated dashboard and alerts
  • Added Beats templates to beats integration

SIEM Plan

  • WatchGuard: Integration with dedicated dashboard and alerts
  • IDS Suricata: Integration with dedicated dashboard and alerts
  • Alerts: updated rule database with 90 new alert rules including new Windows Security Group
  • Alerts: bugfix: Jira integration
  • Alerts: bugfix: duplication of alarms in specific cases
  • Alerts: bugfix: top_count_keys doesn’t work properly with multiple query_keys
  • Alerts: bugfix: Broken Chain method TypeError
  • Alerts: bugfix: Exclude Fields for Logical/Chain body correlation
  • Alerts: NoLog rule for each alarm group

Network-Probe

  • Added support for sFlow - sfacctd service
  • Added IDS Suricata integration with dedicated dashboard and alerts

Required post upgrade

  • Recreate bundles/cache: rm -rf /usr/share/kibana/optimize/bundles/* && systemctl restart kibana

v7.2.0

Breaking changes

  • Login: changed how gui access is granted for administrative users - access for any administrator has to be explicitly granted
  • Wiki portal renamed to E-Doc

NewFeatures

  • CMDB: Infrastructure - create an inventory of all sources sending data to SIEM
  • CMDB: Relations - ability to create relation topology map based on sources inventory
  • Extended auditing support - each plugin can be enabled in GUI config to save its actions in the audit index
  • Syntax Assistant for Alerts, Agents, Index Management, Network Probe. Check YAML definition and structure

Improvements

  • Update process will not override /etc/sysconfig/elasticsearch config
  • Clear GUI message for expired license
  • Agents: improved services information display for not running agents
  • Archive: optimization and improvements; added multi threaded processing and Task Retry support
  • Login: redesigned audit selection and exclusion settings GUI
  • Reports: tasks edit is now more robust and allows modification of advanced parameters
  • Reports: moved settings into new Config tab in the plugin from Config -> Settings
  • Alerts: loading new alarm Rule Set during update process [install.sh]
  • Beats: updated to v7.17.8
  • Skimmer: negotiate highest TLS1.3 version if possible
  • Skimmer: fixes regarding ssl connection
  • Skimmer: added elasticsearch_ssl config option
  • Skimmer: added new metric: node_stats_fs_total_free_in_pct
  • Skimmer: updated to v1.0.22
  • Elasticdump updated to v6.79.4

BugFixes

  • Refreshing audit exclusions caused ELS node to freeze in rare cases
  • Update process on RedHat 7.9 could not be run caused by missing package
  • LDAP login: improved validation on username input
  • Table visualization: fix for “Count percenteges”, which was inacurate in some cases
  • Skimmer: sometimes did not start after installation
  • Agents: small GUI improvements
  • Alerts: long alert names presented outside the frame
  • Alerts: sorting alert risk on incident tab did not work properly
  • Intelligence: malware scanners would rise a false positive on one of the plugin dependencies
  • Reports: data export (csv) improvements on file integrity
  • Reports: a rare case of a race condition when removing temporary directories
  • E-Doc: improvements to https handling when using Elasticsearch as a search engine
  • install.sh: installation process always uses LC_ALL=C

Integrations

  • Added new integrations: FireEye, Infoblox, ArcSight Common Event Format

SIEM Plan

  • Agents: SIEM agents updated to 3.13.6
  • Alerts: new notification methods: ServiceNow, WebHook, TheHive, Jira
  • Alerts: risk values on incident tab formated for clarity
  • Alerts: example description supplied with new values regarding escalate and recovery
  • Alerts: all alerts in a goup can be seen with a proper row selection
  • Alerts: creating risks is now supported on no time based indices
  • Alerts: long alert names presented outside of message frame
  • Alerts: on incident tab sorting by risk did not work properly
  • Alerts: added Ransomware Detection rules

Network-Probe

  • Increased tolerance for status/verification calls

Security related

  • axios - CVE-2021-3749
  • qs - CVE-2022-24999
  • express - CVE-2022-24999
  • moment - CVE-2022-24785
  • moment - CVE-2022-31129
  • minimist - CVE-2021-44906
  • char.js - CVE-2020-7746
  • async - CVE-2021-43138
  • minimist - CVE-2021-44906
  • requestretry - CVE-2022-0654
  • xmldom - CVE-2022-39353
  • underscore - CVE-2021-23358
  • flask-cors - CVE-2020-25032
  • kibana - CVE-2022-23707

Required post upgrade

  • Recreate bundles/cache: rm -rf /usr/share/kibana/optimize/bundles/* && systemctl restart kibana
  • Wiki portal renamed to E-Doc: if data migration is required follow the steps of UPGRADE.md

v7.1.3

Security related

  • log4j updated to 2.19.0
  • kafka updated to 2.13-3.3.1 (log4j dependency removed)
  • logstash: removed obsolete bundled jdk

v7.1.2

NewFeatures

  • Energy SOAR: Redesigned and improved integration (Security Orchestration, Automation And Response)
  • Intelligence: Redesigned and improved Forecasting [experimental]
  • Masteragent: New feature: Configuration Templates
  • New plugin: CMDB - simple implementation of Configuration Management Database

Improvements

  • es2csv - Performance boost and Memory optimization
  • Reports: Support for large report files
  • Redirection of HTTPS connection to GUI enabled by default - 443 => 5601
  • Login: Home Page moved to Integrations Page
  • diagnostic-tool.sh - Added logstash logs
  • Elasticsearch: Global timeouts changed to 60s
  • Updated LICENSE in all components
  • Index Management: Prepare index has been moved from Config to Index-Management tab
  • Masteragent: Setting authorization with a client certificate by default
  • Masteragent: Possibility to fully disable the HTTP server on masteragent clients

BugFixes

  • Login: Fixed problems with sharing Short Links
  • Discovery: Fixed problem with index-patterns name overlapping
  • Index Management: Fixed execution time for builin logtrail policies
  • Masteragent: Fixed error when getting installed services

Integrations

  • windows-ad: Fixed error in Ad Accounts dashboard
  • beats - Fixes in waf ruby filter

SIEM Plan

  • Vectra.AI: Integration with dedicated dashboard and alerts
  • MITRE added to SIEM Dashboard
  • Agents: SIEM agents updated to 3.13.4
  • Agents: Vulnerability detection & feeds enabled by default
  • Alert: Simplified discover_url feature
  • Alert: theHive project - Improved integration
  • Alert: Fixed exception for risk query
  • Alert: SIEM alert group changed to “Correlated”
  • Alert: Fixed problem with TypeError: deprecated_search()
  • Alert: Fixed logs problem after rotating the file
  • Alert: Fixed permission problem in Run Once mode
  • Alert: Fixed indentation in query_string
  • [bugfix] Added missing library to Qualys Quard venv
  • [bugfix] Added missing ports 1514udp-tcp/1515tcp to install.sh

Required post upgrade

  • Recreate bundles/cache: rm -rf /usr/share/kibana/optimize/bundles/* && systemctl restart kibana
  • (SIEM only) Update/ReImport SIEM Dashboard for MITRE

v7.1.1

NewFeatures

  • Elasticsearch Join support - API level query

Improvements

  • es2csv - Breakthrough (50%) performance boost
  • es2csv - Renamed to els2csv
  • diagnostic-tool.sh - Added logs encryption
  • diagnostic-tool.sh - Renamed to support-tool.sh
  • Skimmer: Indices_stats: run only on master node
  • Skimmer: Added two metrics: indices_stats_patterns and indices_stats_regex
  • Skimmer: Added cached info about nodes when poll errors out
  • Logtrail: Disabled ratelimit in rsyslog for logtrail source files
  • Logtrail: Parsing in pipeline for alert,kibana,elasticearch,logstash [added standardized log_level field]
  • Logtrail: Added default filter showing only errors [”NOT log_level: INFO”]
  • Index Management: Added built-in index policies for common actions
  • Discovery: Default QueryLanguage changed to Lucene
  • Cerebro updated to v0.9.4
  • Curator updated to v5.8.4
  • Elasticdump updated to v6.79.4
  • Wiki.js updated to v2.5.274

BugFixes

  • Login: In case of unsuccessful login information about “redirection” is lost when using link sharing
  • Login: When logging using SSO auth, it doesn’t redirect when using link sharing
  • Login: Fixed “unable to parse url” when using link sharing
  • Login: Corrected Session expired message
  • Login: gui-access role added to role-mappings.yml
  • Login: When logging using SSO auth, sending the entered password as a default action
  • Skimmer: Index store value of _cat/shards in bytes
  • Skimmer: Disabled ssl handshake on logstash api
  • Logtrail: Corrected syntax highlighting
  • Logtrail: Fixed filter selector on columns
  • Discovery: Fixed timeout handling
  • Wiki: Removed gui-access group
  • Index Management: Wait for updates before refreshing the list
  • Index Management: Fixed id problem during custom update

Integrations

  • windows-ad/beats: fixed error in ruby{} filter
  • netflow - Fixes from 7.1.0
  • netflow - network_vis - Fixed incorrect filtering
  • netflow - network_vis - Added new option “skip null values”
  • syslog-mail - Fixes from 7.1.0

SIEM Plan

  • Added Log4j RCE attacks to Detection Rules [”Wazuh alert [HIGH] - rule group: custom - Log4j RCE”]
  • Alert: Fixed problem with modifying alertrulemethod
  • Alert: Fixed malfunction of Test Rule in case of “verify_certs: false” setting
  • Alert: Simplified Discovery URL
  • Alert: Logtrail - Cluster Services Error Logs added to Cluster-Health group

Security related

  • http-proxy - CVE-2022-0155
  • xlsx - CVE-2021-32013
  • json-schema - CVE-2021-3918
  • lodash - CVE-2021-23337
  • json-schema - CVE-2021-3918
  • pdf-image - CVE-2020-8132
  • angular-chart.js - CVE-2020-7746
  • pyyaml - CVE-2020-14343
  • cryptography - CVE-2020-25659
  • aws-sdk - CVE-2020-28472
  • pyyaml - CVE-2020-14343
  • nodemailer - CVE-2020-7769
  • objection - CVE-2021-3766
  • socket.io - CVE-2020-28481
  • nodejs - CVE-2021-44531

v7.1.0

NewFeatures

  • Added support for AlmaLinux and RockyLinux
  • Agents: Added local repository with GUI download links for agents installs
  • Archive: Added ‘Run now’ for scheduled archive tasks
  • Archive: Added option to enable/disable archive task
  • Archive: Added option to encrypt archived data
  • Audit: Added report of non-admin user actions in GUI
  • Elasticsearch: Added field level security access control for documents
  • Kibana: Added support for Saved Query object in access management
  • Kibana: Added support for TLS v1.3
  • Kibana: Added new plugin Index Management - automate index retention and maintanance
  • Reports: Added new report type created from data table visualizations - allows creating a raport like table visualization including all records (pagination splitted into pages)
  • Reports: Added option to specify report task name which sets destination file name

Improvements

  • Security: log4j updated to address vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832, CVE-2021-4104
  • Added new directives for LDAP authenctication
  • Agents: Changed agent’s action name from drop to delete
  • Archive: Improvement and optimization of “resume” feature
  • Archive: Optimised archivization proces by saving data directly to zstd file
  • Archive: Multiple ‘Upload’ GUI improvements
  • Archive: Improved logs verbosity
  • Audit: Added template for audit index
  • Beats: Updated to v7.12.1
  • Curator: Added curator logs for rotation
  • Elasticsearch: Extended timeout for starting service
  • Elasticsearch: Updated engine to v7.5.2
  • install.sh: Improved update section for better handling of services restart
  • Kibana: Updated engine to v7.5.2
  • Kibana: Clean SSL info in logs
  • Kibana: Improved built-in roles
  • Kibana: Disabled telemetry
  • Kibana: Set Discovery as a default app
  • Kibana: Optimized RPM
  • Kibana: Improved handling of unauthorized access in Discovery
  • Kibana: small changes in UI - Improved Application RBAC, product version
  • Kibana: Added new logos
  • Kibana: Improved login screen, unauthorized access info
  • Kibana: Restricted access to specific apps
  • Kibana: Added option to configure default app
  • Logrotate: Added Skimmer
  • Logstash: Updated to v7.12.1
  • Network visualization: UI improvements
  • Object permission: Index pattern optimizations
  • Plugins: Moved Cluster Management inoto the right top menu, Scheduler and Sync moved to the Config
  • Reports: Added report’s time range info to raport details description
  • small_backup.sh: Added cerebro and alert configuration
  • Skimmer: Updated to v1.0.20
  • Skimmer: Added new metrics, pgpgin, pgpgout
  • Skimmer: Optimised duration_in_milis statistics
  • Skimmer: Added option to specify types
  • Skimmer: Added option to monitor disk usage
  • Wiki: Added support for nonstandard kibana port
  • Wiki: Several optimizations for roles
  • Wiki: Changed default search engine to elasticsearch
  • Wiki: Added support for own CAs
  • Wiki: Default authenticator improvements
  • XLSX Import: UI improvements

BugFixes

  • Archive: Fixed problems with task statuses
  • Archive: Fixed application crash when index name included special characters
  • Archive: Fixed ‘checksum mismatch’ bug
  • Archive: Fixed bug for showing unencrypted files as encrypted in upload section
  • Elasticsearch: Fixed bug when changing role caused client crash
  • Elastfilter: Fixed “_msearch” and “_mget” requests
  • Elastfilter: Fixed bug when index pattern creation as an admin caused kibana failure
  • Kibana: Fixed timeout handling
  • Kibana: Fixed a bug causing application crash when attempting to delete data without permission to it
  • Logstash: Fixed breaking geoip db when connection error occurred
  • Object permission: Fixed adding dashboard when all its related objects are already assigned
  • Reports: Added clearing .tmp files from corrupted csv exports
  • Reports: Fixed sending PDF instead of JPEG in scheduled reports
  • Reports: Fixed not working scheduled reports with domain selector enabled
  • Skimmer: Fixed expected cluster nodes calculation
  • Wiki: Added missing home page
  • Wiki: Added auto start of wiki service after installation
  • Wiki: Fixed logout behaviour

Integrations

  • Fixed labels in Skimmer dashboard
  • Fixed Audit dashboard fields
  • Updated Windows + AD dashboard and pipeline
  • Added Linux Mail dashboard and pipeline
  • Added Cisco ASA dashboard and pipeline
  • Added FortiGate dashboard and pipeline
  • Added Paloalto dashboard and pipeline
  • Added Oracle dashboard and pipeline
  • Added Waystream dashboard and pipeline
  • Added CEF dashboard and pipeline (CheckPoint, FireEye, Air-Watch, Infoblox, Flowmon, TrendMicro, CyberX, Juniper Networks)
  • Added monitoring of the alert module on Alert Dashboard

SIEM Plan

  • Updated SIEM dashboard
  • Updated QualysGuard integration
  • Updated Tenable.SC integration
  • Alert: Updated detection rules (370+)
  • Alert: Added Cluster-Health alert rules
  • Wazuh: Updated to v3.13.3
  • Wazuh: UI improvements
  • Alert: Improved groups management
  • Alert: Multiple UI/UX tweaks
  • Alert: Revised alerts’ descriptions and examples
  • Alert: Adding included fields when invert:true
  • Alert: Changed startup behaviour
  • Alert: Added field from ‘include’ to match_body
  • Alert: Optimised loading files with misp lists
  • Alert: Added option to set sourceRef in alert definition
  • Alert: Include & Exlcude in blacklist-ioc lists
  • Alert: Fixed several issue in chain and logical alerts
  • Alert: Fixed error when user tried to update alert from newly added group
  • Alert: Fixed top_count_keys not working with multiple query_key
  • Alert: Fixed bug when match in blacklist-ioc is breaking other rules
  • Alert: Fixed empty risk_key breaking alert rule
  • Alert: Fixed endless loop during scroll

Network-Probe

  • Added integration with license service
  • Changed plugin icon
  • Changed default settings
  • Changed logs mapping in logstash
  • Optimised netflow template to be more efficient
  • Updated .service files
  • Updated Network-Probe dashboard

API Changes

  • Elasticsearch: Updated API endpoints.
    • Following endpoints deprecated and update with:
      • /_auth/account -> /_logserver/accounts
      • /_license/reload -> /_logserver/license/reload
      • /_role-mapping/reload -> /_logserver/auth/reload
      • /user/updatePassword -> /_logserver/user/password
    • Following endpoint was removed and replaced with:
      • /_license -> /_logserver/license

Breaking changes

  • During the update, the “kibana” role will be removed and replaced by “gui-access”, “gui-objects”, “report”. The three will automatically be assigned to all users that prior had the “kibana” role. If you had a custom role that allowed users to log in to the GUI this WILL STOP WORKING and you will have to manually enable the access for users.
  • The above is also true for LDAP users. If role mapping has been set for role kibana this will have to be manually updated to “gui-access” and if required “gui-objects” and “report” roles.
  • If any changes have been made to the “kibana” role paths, those will be moved to “gui-objects”. GUI objects permissions also will be moved to “gui-objects” for “gui-access” cannot be used as a default role.
  • The “gui-access” is a read-only role and cannot be modified. By default, it will allow users to access all GUI apps; to constrain user access, assign user a role with limited apps permissions.
  • “small_backup.sh” script changed name to “configuration-backup.sh” - this might break existing cron jobs
  • SIEM plan is now a separate add-on package (requires an additional license)
  • Network-Probe is now a separate add-on package (requires an additional license)
  • (SIEM) Verify rpmsave files for alert and restore them if needed for following:
    • /opt/alert/config.yaml
    • /opt/alert/op5_auth_file.yml
    • /opt/alert/smtp_auth_file.yml

Required post upgrade

  • Role “wiki” has to be modified to contain only path: “.wiki” and all methods

v7.0.6

NewFeatures

  • Alert: Added 5 alerts to detect SUNBURST attack
  • Incidents: Added the ability of transferring the calculated risk_value to be sent in any alarm method
  • Indidents: Added visibility of unassigned incidents based on user role - security-tenant role
  • install.sh: Added the ability to update with ./install.sh -u

Improvements

  • Object permission: Object filtering optimization
  • Reports: Date verification with scheduler enabled tasks
  • Reports: UI optimization

BugFixes

  • Agents: CVE-2020-28168
  • Alert: Fixes problem with Syslog notifications
  • Alert: Fixes problem with Test Rule functionality
  • Alert: CVE-2020-28168
  • Archive: CVE-2020-28168
  • Cerebro: CVE-2019-12384
  • Kibana-xlsx-import: CVE-2020-28168
  • Login: CVE-2020-28168
  • Reports: CVE-2020-28168
  • Reports: Fixes errors related to background tasks
  • Sync: CVE-2020-28168

v7.0.5

NewFeatures

  • New plugin: Wiki - integration with wiki.js
  • Agents: Added index rotation using rollover function
  • Alert: Added counter with information about how many rules there are in a given group
  • Alert: Added index rotation using rollover function
  • Alert: First group will be expanded by default
  • Alert: New Alert method for Syslog added to GUI
  • Archive: Added compression level support - archive.compressionOptions [kibana.yml]
  • Archive: Added mapping/template import support
  • Archive: Added number of matches in files
  • Archive: Added regexp and extended regexp support
  • Archive: Added size information of created archive on list of files for selection
  • Archive: Added support for archiving a selected field from the index
  • Archive: Added timestamp field for custom timeframe fields
  • Audit: Added index rotation using rollover function
  • Config: Added configuration possibility for Rollover (audit/alert/.agents indexes) in Settings tab
  • Object Permission: When deleting an object to a role in “object permission” now is possible to delete related objects at the same time
  • Reports: Ability to delete multiple tasks at once
  • Reports: Added details field for each task that includes information about: user, time range, query
  • Reports: Added Scheduler for “Data Export” tab
  • Reports: Fields to export are now alphabetical, searchable list
  • Reports: Scheduled tasks supports: enable, disable, delete
  • Reports: Scheduled tasks supports: Logo, Title, Comments, PDF/JPEG, CSV/HTML
  • Installation support for Centos7/8, RedHat7/8, Oracle Linux7/8, Scientific Linux 7, Centos Stream
  • iFrame embedding support: new directive login.isSameSite in kibana.yml [”Strict” or “None”]

Improvements

  • Access management: Plugin Login for app management will show itself as Config
  • Alert: Added support for nested fields in blacklist-ioc alert type
  • Alert: Alert Dashboard rewritten to alert_status pattern - allows you to filter visible alarms per user
  • Alert: Cardinality - fix for _thread._local’ object has no attribute ‘alerts_sent’
  • Alert: Chain/Logical - few improvements for output content
  • Alert: Rule type example is hidden by default
  • Alert: RunOnce - improved results output
  • Alert: RunOnce - information that the process has finished
  • Alert: TestRule - improved error output
  • Archive: Added document sorting, which speeds up elasticsearch response
  • Archive: API security -> only admin can use (previously only visual information)
  • Archive: Archiving process uses a direct connection, bypassing the elastfilter - proxy
  • Archive: Changed UTC time to local time
  • Archive: Information about problems with reading/writing to the archive directory
  • Archive: Optimized function for loading large files - improved loading time
  • Archive: Optimized saving method to a temporary flat file
  • Archive: Optimized scroll time which speeds up elasticsearch response
  • Audit: Converted SEARCH _id: auditselection to GET _id: auditselection
  • Audit: Removed background task used for refresh audit settings
  • Beats: Updated to v6.8.14
  • Blacklist-IOC: Added Duplicates removal mechanism
  • Blacklist-IOC: Automatic configuration of repository access during installation [install.sh]
  • Cerebro: Updated to v0.9.3
  • Config: Character validation for usernames and roles - can consist only of letters a-z, A-Z, numbers 0-9 and characters _,-
  • Config: Deleting a user deletes his tokens/cookies immediately and causes logging out
  • Config: Securing the default administrator account against deletion
  • Config: Session timeout redirect into login screen from all modules
  • Config: Workaround for automatic filling of fields with passwords in modern browsers
  • Curator: Updated to v5.8.3 and added support for Python3 as default
  • ElasticDump: Updated to v6.65.3 and added support for backup all templates at once
  • Elasticsearch: Removed default user “scheduler” with the admin role - is a thing of history
  • Elasticsearch: Removed indices.query.bool.max_clause_count from default configuration - causes performance issues
  • Elasticsearch: Role caching improvements
  • GEOIP: Automatic configuration of repository access during installation [install.sh]
  • Incidents: Switching to the Incidents tab creates pattern alert* if not exist
  • install.sh: Added workaround for cluster.max_shards_per_node=1000 bug
  • Kibana: Removed kibana.autocomplete from default configuration - causes performance issues
  • License: Revision and update of license files in all system modules
  • Logstash: Updated logstash-codec-sflow to v2.1.3
  • Logstash: Updated logstash-input-beats to v6.1.0
  • Logstash: Updated to v6.8.14
  • Logtrail: Added default actionfile for curator - to clean logtrail indexes after 2 days
  • Network visualization: corrected legend and better colors
  • Reports: Added Switch button for filtering only scheduled tasks
  • Reports: Admin users should see all scheduled reports from every other user
  • Reports: Changed “Export Dashboard” to “Report Export”
  • Reports: Changed “Export Task Management” to “Data Export”
  • Reports: Crontab format validated before Submit in Scheduler
  • Reports: Default task list sorted by “start time”
  • Reports: Improved security by using kernel namespaces - dropped suid permissions for chrome_sandbox
  • Reports: Moved “Schedule Export Dashboard” to “Report Export” tab
  • Reports: Try catch for async getScheduler function
  • Skimmer: Added alerts: High_lag_on_Kafka_topic, High_node_CPU_usage, High_node_HEAP_usage, High_Flush_duration, High_Indexing_time
  • Skimmer: New metric - _cat/shards
  • Skimmer: New metric - _cat/tasks
  • Skimmer: Updated to v1.0.17
  • small_backup.sh: Added sync, archive, wiki support
  • small_backup.sh: Information about the completed operation is logged
  • Wazuh: Searching in the rule.description field

BugFixes

  • Access Management: Cosmetic issue in apps select box for default roles (like admin, alert, intelligence, kibana etc.)
  • Alert: Category name did not appear on the “Risk” list
  • Alert: Description update for find_match alert type
  • Alert: Fixes bug where after renaming the alert it is not immediately visible on the list of alerts
  • Alert: Fixes bug where editing of alert, causes it returns to the Other group
  • Alert: Fixes incorrect function alertMethodData - problem with TestRule operation [itrs op5 alert-method]
  • Alert: Fixes problem with ‘[]’ in rule name
  • Alert: Fixes process status in Alert Status tab
  • Alert: In groups, if there is pagination, it is not possible to change the page - does not occur with the default group “Others”
  • Alert: Missing op5_url directive in /opt/alert/config.yaml [itrs op5 alert-method]
  • Alert: Missing smtp_auth_file directive in /opt/alert/config.yaml [itrs op5 alert-method]
  • Alert: Missing username directive in /opt/alert/config.yaml [itrs op5 alert-method]
  • Alert: Overwrite config files after updating, now it should create /opt/alert/config.yml.rpmnew
  • Archive: Fixes exception during connection problems to elasticsearch
  • Archive: Missing symlink to runTask.js
  • Cerebro: Fixes problems with PID file after cerebro crash
  • Cerebro: Overwrite config files after updating, now it should create /opt/cerebro/conf/application.conf.rpmnew
  • Config: SSO login misreads application names entered in Access Management
  • Elasticsearch: Fixes “No value present” message log when not using a radius auth [properties.yml]
  • Elasticsearch: Fixes “nullPointerException” by adding default value for licenseFilePath [properties.yml]
  • Incidents: Fixes problem with vanishing status
  • install.sh: Opens the ports required by logstash via firewall-cmd
  • install.sh: Set openjdk11 as the default JAVA for the operating system
  • Kibana: Fixes exception during connection problems to elasticsearch - will stop restarting
  • Kibana: Fixes URL shortening when using Store URLs in session storage
  • Logtrail: Fixes missing logrotate definitions for Logtrail logfiles
  • Logtrail: Overwrite config files after updating, now it should create /usr/share/kibana/plugins/logtrail/logtrail.json.rpmnew
  • Object Permission: Fixes permission verification error if the overwritten object’s title changes
  • Reports: Fixes Image Creation failed exception
  • Reports: Fixes permission problem for checkpass Reports API
  • Reports: Fixes problems with AD/Radius/LDAP users
  • Reports: Fixes problem with choosing the date for export
  • Reports: Fixes setting default index pattern for technical users when using https
  • Skimmer: Changed kafka.consumer_id to number in default mapping
  • Skimmer: Fixes in indices stats monitoring
  • Skimmer: Overwrite config files after updating, now it should create /opt/skimmer/skimmer.conf.rpmnew

v7.0.4

NewFeatures

  • New plugin: Archive specified indices
  • Applications Access management based on roles
  • Dashboards: Possibility to play a sound on the dashboard
  • Tenable.SC: Integration with dedicated dashboard
  • QualysGuard: Integration with dedicated dashboard
  • Wazuh: added installation package
  • Beats: added to installation package
  • Central Agents Management (masteragent): Stop & start & restart for each registered agent
  • Central Agents Management (masteragent): Status of detected beats and master agent in each registered agent
  • Central Agents Management (masteragent): Tab with the list of agents can be grouped
  • Central Agents Management (masteragent): Autorolling documents from .agents index based on a Settings in Config tab
  • Alert: New Alert method for op5 Monitor added to GUI.
  • Alert: New Alert method for Slack added to GUI.
  • Alert: Name-change - the ability to rename an already created rule
  • Alert: Groups for different alert types
  • Alert: Possibility to modify all alarms in selected group
  • Alert: Calendar - calendar for managing notifications
  • Alert: Escalate - escalate alarm after specified time
  • Alert: TheHive integration

Improvements

  • Object Permission: When adding an object to a role in “object permission” now is possible to add related objects at the same time
  • Skimmer: New metric - increase of documents in a specific index
  • Skimmer: New metric - size of a specific index
  • Skimmer: New metric - expected datanodes
  • Skimmer: New metric - kafka offset in Kafka cluster
  • Installation script: The setup script validates the license
  • Installation script: Support for Centos 8
  • AD integration: Domain selector on login page
  • Incidents: New fieldsToSkipForVerify option for skipping false-positives
  • Alert: Added sorting of labels in comboxes
  • User Roles: Alphabetical, searchable list of roles
  • User Roles: List of users assigned to a given role
  • Audit: Cache for audit settings (performance)
  • Diagnostic-tool.sh: Added cerebro to audit files
  • Alert Chain/Logical: Few improvements

BugFixes

  • Role caching fix for working in multiple node setup.
  • Alert: Aggregation schedule time
  • Alert: Loading new_term fields
  • Alert: RecursionError: maximum recursion depth exceeded in comparison
  • Alert: Match_body.kibana_discover_url malfunction in aggregation
  • Alert: Dashboard Recovery from Alert Status tab
  • Reports: Black bars after JPEG dashboard export
  • Reports: Problems with Scheduled reports
  • Elasticsearch-auth: Forbidden - not authorized when querying an alias with a wildcard
  • Dashboards: Logserver_table is not present in 7.X, it has been replaced with basic table
  • Logstash: Mikrotik pipeline - failed to start pipeline

v7.0.3

NewFeatures

  • Alert: new type - Chain - create alert from underlying rules triggered in defined order
  • Alert: new type - Logical - create alert from underlying rules triggered with defined logic (OR,AND,NOR)
  • Alert: correlate alerts for Chain and Logical types - alert is triggered only if each rule return same value (ip, username, process etc)
  • Alert: each triggered alert is indexed with uniqe alert_id - field added to default field schema
  • Alert: Processing Time visualization on Alert dashboard - easy to identify badly designed alerts
  • Alert: support for automatic search link generation
  • Input: added mikrotik parsing rules
  • Auditing : added IP address field for each action
  • Auditing : possibility to exclude values from auditing
  • Skimmer: indexing rate visualization
  • Skimmer: new metric: offset in Kafka topics
  • SKimmer: new metric: expected-datanodes
  • MasterAgent: added possibility for beats agents restart and the master agent itself (GUI)

Improvements

  • Search and sort support for User List in Config section
  • Copy/Sync: now supports “insecure” mode (operations without certificates)
  • Fix for “add sample data & web sample dashboard” from Home Page -> changes in default-base-template
  • Skimmer: service status check rewriteen to dbus api
  • Masteragent: possibility to exclude older SSL protocols
  • Masteragent: now supports Centos 8 and related distros
  • XLSX import: updated to 7.6.1
  • Logstash: masteragent pipeline shipped by default
  • Blacklist: Name field and Field names in the Fields column & Default field exclusions
  • Blacklist: runOnce is only killed on a fatal Alert failure
  • Blacklist: IOC excludes threats marked as false-positive
  • Incidents: new design for Preview
  • Incidents: Note - new feature, ability to add notes to incidents
  • Risks: possibility to add new custom value for risk, without the need to index that value
  • Alert: much better performance with multithread support - now default
  • Alert: Validation of email addresses in the Alerts plugin
  • Alert: “Difference” rule description include examples for alert recovery function
  • Logtrail: improved the beauty and readability of the plugin
  • Security: jquery updated to 3.5.1
  • Security: bootstrap updated to 4.5.0
  • The HELP button (in kibana) now leads to the official product documentation
  • Centralization of previous alert code changes to single module

BugFixes

  • Individual special characters caused problems in user passwords
  • Bad permissions for scheduler of Copy/Sync module has been corrected
  • Wrong Alert status in the alert status tab
  • Skimmer: forcemerge caused under 0 values for cluster_stats_indices_docs_per_sec metric
  • diagnostic-tool.sh: wrong name for the archive in output
  • Reports: export to csv support STOP action
  • Reports: scroll errors in csv exports
  • Alert: .alertrules is not a required index for proper system operation
  • Alert: /opt/alerts/testrules is not a required directory for proper system operation
  • Alert: .riskcategories is not a required index for proper system operation
  • Malfunction in Session Timeout
  • Missing directives service_principal_name in bundled properties.yml
  • Blacklist: Removal of the doc type in blacklist template
  • Blacklist: Problem with “generate_kibana_discover_url: true” directive
  • Alert: Overwriting an alert when trying to create a new alert with the same name
  • Reports: When exporting dashboards, PDF generates only one page or cuts the page
  • Wrong product logo when viewing dashboards in full screen mode

v7.0.2

NewFeatures

  • Manual incident - creating manual incidents from the Discovery section
  • New kibana plugin - Sync/Copy between clusters
  • Alert: Analyze historical data with defined alert
  • Indicators of compromise (IoC) - providing blacklists based on Malware Information Sharing Platform (MISP)
  • Automatic update of MaxMind GeoIP Databases [asn, city, country]
  • Extended LDAP support
  • Cross cluster search
  • Diagnostic script to collect information about the environment, log files, configuration files - utils/diagnostic-tool.sh
  • New beat: op5beat - dedicated data shipper from op5 Monitor

Improvements

  • Added _license API for elasticsearch (it replaces license path which is now deprecated and will stop working in future releases)
  • _license API now shows expiration_date and days_left
  • Visual indicator on Config tab for expiring license (for 30 days and less)
  • Creating a new user now requires reentering the passoword
  • Complexity check for password fields
  • Incidents can be supplemented with notes
  • Alert Spike: more detailed description of usage
  • ElasticDump added to base installation - /usr/share/kibana/elasticdump
  • Alert plugin updated - frontend
  • Reimplemented session timeout for user activity
  • Skimmer: new metrics and dashboard for Cluster Monitoring
  • Wazuh config/keys added to small_backup.sh script
  • Logrotate definitions for Logtrail logfiles
  • Incidents can be sorted by Risk value
  • UTF-8 support for credentials
  • Wazuh: wrong document_type and timestamp field

BugFixes

  • Audit: Missing Audit entry for succesfull SSO login
  • Report: “stderr maxBuffer length exceeded” - export to csv
  • Report: “Too many scroll contexts” - export to csv
  • Intelligence: incorrect work in updated environments
  • Agents: fixed wrong document type
  • Kibana: “Add Data to Kibana” from Home Page
  • Incidents: the preview button uses the wrong index-pattern
  • Audit: Missing information about login errors of ad/ldap users
  • Netflow: fix for netflow v9
  • MasterAgent: none/certificade verification mode should work as intended
  • Incorrect CSS injections for dark theme
  • The role could not be removed in specific scenarios

v7.0.1

  • init
  • migrated features from branch 6 [ latest:6.1.8 ]
  • XLSX import [kibana]
  • curator added to /usr/share/kibana/curator
  • node_modules updated! [kibana]
  • elasticsearch upgraded to 7.3.2
  • kibana upgraded to 7.3.2
  • dedicated icons for all kibana modules
  • eui as default framework for login,raports
  • bugfix: alerts type description fix