@misje misje released this 09 Jun 18:29

0.3.0 - 2024-06-09

Added

  • Search docker URLs when searching for URL SCOs
  • Ignore observables with the empty SHA-256 hash
    (e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855)
  • Create file SCOs from Office 365 logs in enrichment
  • Create directory SCOs from Office 365 logs in enrichment
  • Use vulnerability score for vulnerability_incident_cvss3_score_threshold
    check if CVSS3 score is unavailable
  • Search directories in Office 365
  • Add a small sleep() of 100 ms, potentially solving
    #11
  • New setting rule_exclude_list that allows for ignoring certain alert rules
    altogether
  • New setting incident_rule_exclude_list that prevents incident creation for
    certain alert rules
  • Mention in event creation in docs that incidents from sighted
    vulnerabilities are not created by default unless configured
  • Document alert rules in glossary, with screenshots of the rule viewer in
    Wazuh
  • Add a timeout to OpenSearch queries (default 20 s), preventing a complete
    freeze if OpenSearch fails to reply
  • Add new setting vulnerability_incident_active_only that allows for only
    creating incidents for sighted vulnerabilities if they are no longer active
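The empty-hash item above deserves a concrete illustration: the digest listed is SHA-256 of zero bytes, so every empty file on every monitored host carries it, and searching Wazuh for it would yield sightings that say nothing about the indicator. The following is an added example written for this page (not the connector's own code) that checks the constant against hashlib and drops such observables before a search; the observable dict shape and the sample entries are constructed for the example.

```python
"""Added example: skip observables whose SHA-256 is the digest of empty input."""
import hashlib

# The digest named in the 0.3.0 release notes; it equals sha256(b"").hexdigest().
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def empty_sha256_matches_hashlib() -> bool:
    """Sanity check that the constant really is SHA-256 of zero bytes."""
    return hashlib.sha256(b"").hexdigest() == EMPTY_SHA256


def is_empty_sha256(digest: str) -> bool:
    """True when the hex digest is the empty-input hash (case-insensitive)."""
    return digest.strip().lower() == EMPTY_SHA256


def filter_observables(observables: list[dict]) -> list[dict]:
    """Return only observables that are worth searching for.

    Each observable is a dict in a simplified, constructed STIX-like shape:
    {"type": "file", "hashes": {"SHA-256": "..."}}. Observables whose SHA-256
    is the empty-input hash are dropped: a zero-byte file has that hash, so a
    search for it would match every empty file in the logs and produce
    meaningless sightings. Observables without a SHA-256 pass through.
    """
    kept = []
    for obs in observables:
        hashes = obs.get("hashes") or {}
        sha256 = hashes.get("SHA-256")
        if sha256 and is_empty_sha256(sha256):
            continue
        kept.append(obs)
    return kept


# Constructed sample input: one empty file, one real file, one URL.
SAMPLE_OBSERVABLES = [
    {"type": "file", "name": "empty.bin", "hashes": {"SHA-256": EMPTY_SHA256}},
    {"type": "file", "name": "tool.exe",
     "hashes": {"SHA-256": hashlib.sha256(b"example").hexdigest()}},
    {"type": "url", "value": "https://example.invalid/path"},
]

if __name__ == "__main__":
    for obs in filter_observables(SAMPLE_OBSERVABLES):
        print(obs.get("name") or obs.get("value"))
```

The same guard applies to any other "degenerate" indicator value (an empty MD5 or SHA-1, a bare `/` URL as noted under Changed): a value that is true of almost everything is not a useful search key.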

Changed

  • OpenCTI 6.1.10 is used
  • No longer enrich URLs without host and scheme by default (e.g. "/",
    "/foo/bar"), but leave the possibility as a new configuration option,
    enrich_urls_without_host.
  • If the vulnerability being enriched does not contain any CVSS3 information,
    extract this from alerts before running the logic in
    vulnerability_incident_cvss3_score_threshold. This allows for creating
    incidents based on CVSS score threshold even if this information is not
    present in the source entity.
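To make the threshold change concrete, here is an added example (not the connector's own code) of the decision as the notes describe it: take the CVSS3 score from the vulnerability entity if present, otherwise extract a CVSS3 score from the alerts, and only then fall back to the alerts' generic vulnerability score before comparing against vulnerability_incident_cvss3_score_threshold. The order of the two fallbacks, the entity field name `x_opencti_cvss_base_score` and the nested alert key paths are assumptions for this example, and the sample entity and alerts are constructed.

```python
"""Added example: CVSS3 threshold check with fallback to alert data."""
from typing import Optional


def _as_float(value) -> Optional[float]:
    """Parse a score that may arrive as str, int, float or None."""
    if value is None:
        return None
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def _dig(mapping: dict, *path):
    """Walk a nested dict by keys, returning None if any key is missing."""
    cur = mapping
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def effective_score(vulnerability: dict, alerts: list[dict]) -> tuple[Optional[float], str]:
    """Return (score, source) where source says which fallback was used.

    1. CVSS3 base score on the OpenCTI vulnerability entity (field name assumed).
    2. Highest CVSS3 base score carried by the alerts (key path assumed).
    3. Highest generic vulnerability score carried by the alerts (key path assumed).
    """
    score = _as_float(vulnerability.get("x_opencti_cvss_base_score"))
    if score is not None:
        return score, "entity"

    cvss3 = [_as_float(_dig(a, "data", "vulnerability", "cvss", "cvss3", "base_score"))
             for a in alerts]
    cvss3 = [s for s in cvss3 if s is not None]
    if cvss3:
        return max(cvss3), "alert_cvss3"

    generic = [_as_float(_dig(a, "data", "vulnerability", "score", "base")) for a in alerts]
    generic = [s for s in generic if s is not None]
    if generic:
        return max(generic), "alert_score"

    return None, "none"


def should_create_incident(vulnerability: dict, alerts: list[dict], threshold: float) -> bool:
    """Create an incident only when a score is known and meets the threshold.

    With no usable score at all the answer is False: the threshold setting is
    opt-in, so an unknown score must not silently pass it.
    """
    score, _source = effective_score(vulnerability, alerts)
    return score is not None and score >= threshold


# Constructed samples.
ENTITY_WITH_SCORE = {"name": "CVE-0000-0000 (placeholder)", "x_opencti_cvss_base_score": "9.8"}
ENTITY_WITHOUT_SCORE = {"name": "CVE-0000-0001 (placeholder)"}
ALERTS_CVSS3 = [
    {"data": {"vulnerability": {"cvss": {"cvss3": {"base_score": "7.5"}}}}},
    {"data": {"vulnerability": {"cvss": {"cvss3": {"base_score": "6.1"}}}}},
]
ALERTS_GENERIC_ONLY = [{"data": {"vulnerability": {"score": {"base": "4.3"}}}}]

if __name__ == "__main__":
    for entity, alerts in [(ENTITY_WITH_SCORE, []), (ENTITY_WITHOUT_SCORE, ALERTS_CVSS3),
                           (ENTITY_WITHOUT_SCORE, ALERTS_GENERIC_ONLY)]:
        print(effective_score(entity, alerts), should_create_incident(entity, alerts, 7.0))
```

Returning the source alongside the score is a small but useful habit: when an incident is created from a fallback value, the connector can say so in the incident description, which makes later triage of "why did this become an incident" much faster.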

Fixed

  • Avoid crashing when enriching untriaged vulnerabilities (when published is
    not set)
  • Set confidence explicitly for sightings as a workaround for OpenCTI bug
    #6835. This ensures that sightings now get the correct confidence (that of
    the user/group running the connector).
  • Fix bug in vulnerability_incident_cvss3_score_threshold logic
  • Fix a number of typos and bugs in documentation
  • Do not use months in timedeltas in tests, since months of 30 and 31 days
    caused spurious failures
  • Remove "Observable" from incident description, since not all enriched
    entities are observables
  • Do not match file names partially (regex mistake)
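The last item is a classic regex slip worth showing side by side, since the effect is false sightings: an unanchored, unescaped pattern built from a file name matches any longer name that contains it, and the dot matches any character. The following is an added example (not the connector's own code) contrasting the mistaken form with an anchored, escaped comparison; the function names and sample file names are constructed for the example.

```python
"""Added example: partial versus exact file-name matching with regex."""
import re
import posixpath


def partial_match(expected_name: str, candidate: str) -> bool:
    """The mistaken form: unanchored re.search with the name used as a raw pattern.

    Two defects: the name is not escaped, so "." matches any character, and
    there are no anchors, so the name matches as a substring of a longer name.
    """
    return re.search(expected_name, candidate) is not None


def exact_match(expected_name: str, candidate: str, case_insensitive: bool = False) -> bool:
    """The corrected form: escape the literal name and require a full match.

    Only the final path component of the candidate is compared, so an alert
    carrying a full path still matches on the file name alone. Case folding is
    opt-in for filesystems that ignore case.
    """
    basename = posixpath.basename(candidate.replace("\\", "/"))
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(re.escape(expected_name), basename, flags) is not None


# Constructed sample names: the indicator is "cmd.exe"; which log entries should match?
SAMPLE_CANDIDATES = [
    "cmd.exe",                 # exact match: should match
    "notcmd.exe",              # longer name containing the indicator: should not
    "cmdXexe",                 # unescaped "." would accept this: should not
    "/usr/bin/cmd.exe",        # path, same basename: should match
    "C:\\Windows\\CMD.EXE",    # different case: matches only when case_insensitive
]


def compare(expected_name: str, candidates: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {candidate: (partial_result, exact_result)} for inspection."""
    return {c: (partial_match(expected_name, c), exact_match(expected_name, c)) for c in candidates}


if __name__ == "__main__":
    for name, (partial, exact) in compare("cmd.exe", SAMPLE_CANDIDATES).items():
        print(f"{name!r:28} partial={partial!s:5} exact={exact}")
```

When the comparison is a plain equality on a literal name, a regex is not needed at all; the value of `re.escape` plus `re.fullmatch` is that the same code path also works when the configured value genuinely is a pattern, without reintroducing substring matches.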

Removed

  • Remove all traces of the Wazuh API. It was only partially implemented, and
    will be added back when development of this as a separate enhancement is
    completed.
  • Remove some debug output