CHANGELOG

v7.0.5

NewFeatures

  • New plugin: Wiki - integration with wiki.js
  • Agents: Added index rotation using rollover function
  • Alert: Added counter with information about how many rules there are in a given group
  • Alert: Added index rotation using rollover function
  • Alert: First group will be expanded by default
  • Alert: New Alert method for Syslog added to GUI
  • Archive: Added compression level support - archive.compressionOptions [kibana.yml]
  • Archive: Added mapping/template import support
  • Archive: Added number of matches in files
  • Archive: Added regexp and extended regexp support
  • Archive: Added size information of created archive on list of files for selection
  • Archive: Added support for archiving a selected field from the index
  • Archive: Added timestamp field for custom timeframe fields
  • Audit: Added index rotation using rollover function
  • Config: Added configuration possibility for Rollover (audit/alert/.agents indexes) in Settings tab
  • Object Permission: When deleting an object to a role in “object permission” now is possible to delete related objects at the same time
  • Reports: Ability to delete multiple tasks at once
  • Reports: Added details field for each task that includes information about: user, time range, query
  • Reports: Added Scheduler for “Data Export” tab
  • Reports: Fields to export are now alphabetical, searchable list
  • Reports: Scheduled tasks supports: enable, disable, delete
  • Reports: Scheduled tasks supports: Logo, Title, Comments, PDF/JPEG, CSV/HTML
  • Installation support for Centos7/8, RedHat7/8, Oracle Linux7/8, Scientific Linux 7, Centos Stream
  • iFrame embedding support: new directive login.isSameSite in kibana.yml [”Strict” or “None”]

Improvements

  • Access management: Plugin Login for app management will show itself as Config
  • Alert: Added support for nested fields in blacklist-ioc alert type
  • Alert: Alert Dashboard rewritten to alert_status pattern - allows you to filter visible alarms per user
  • Alert: Cardinality - fix for _thread._local’ object has no attribute ‘alerts_sent’
  • Alert: Chain/Logical - few improvements for output content
  • Alert: Rule type example is hidden by default
  • Alert: RunOnce - improved results output
  • Alert: RunOnce - information that the process has finished
  • Alert: TestRule - improved error output
  • Archive: Added document sorting, which speeds up elasticsearch response
  • Archive: API security -> only admin can use (previously only visual information)
  • Archive: Archiving process uses a direct connection, bypassing the elastfilter - proxy
  • Archive: Changed UTC time to local time
  • Archive: Information about problems with reading/writing to the archive directory
  • Archive: Optimized function for loading large files - improved loading time
  • Archive: Optimized saving method to a temporary flat file
  • Archive: Optimized scroll time which speeds up elasticsearch response
  • Audit: Converted SEARCH _id: auditselection to GET _id: auditselection
  • Audit: Removed background task used for refresh audit settings
  • Beats: Updated to v6.8.14
  • Blacklist-IOC: Added Duplicates removal mechanism
  • Blacklist-IOC: Automatic configuration of repository access during installation [install.sh]
  • Cerebro: Updated to v0.9.3
  • Config: Character validation for usernames and roles - can consist only of letters a-z, A-Z, numbers 0-9 and characters _,-
  • Config: Deleting a user deletes his tokens/cookies immediately and causes logging out
  • Config: Securing the default administrator account against deletion
  • Config: Session timeout redirect into login screen from all modules
  • Config: Workaround for automatic filling of fields with passwords in modern browsers
  • Curator: Updated to v5.8.3 and added support for Python3 as default
  • ElasticDump: Updated to v6.65.3 and added support for backup all templates at once
  • Elasticsearch: Removed default user “scheduler” with the admin role - is a thing of history
  • Elasticsearch: Removed indices.query.bool.max_clause_count from default configuration - causes performance issues
  • Elasticsearch: Role caching improvements
  • GEOIP: Automatic configuration of repository access during installation [install.sh]
  • Incidents: Switching to the Incidents tab creates pattern alert* if not exist
  • install.sh: Added workaround for cluster.max_shards_per_node=1000 bug
  • Kibana: Removed kibana.autocomplete from default configuration - causes performance issues
  • License: Revision and update of license files in all system modules
  • Logstash: Updated logstash-codec-sflow to v2.1.3
  • Logstash: Updated logstash-input-beats to v6.1.0
  • Logstash: Updated to v6.8.14
  • Logtrail: Added default actionfile for curator - to clean logtrail indexes after 2 days
  • Network visualization: corrected legend and better colors
  • Reports: Added Switch button for filtering only scheduled tasks
  • Reports: Admin users should see all scheduled reports from every other user
  • Reports: Changed “Export Dashboard” to “Report Export”
  • Reports: Changed “Export Task Management” to “Data Export”
  • Reports: Crontab format validated before Submit in Scheduler
  • Reports: Default task list sorted by “start time”
  • Reports: Improved security by using kernel namespaces - dropped suid permissions for chrome_sandbox
  • Reports: Moved “Schedule Export Dashboard” to “Report Export” tab
  • Reports: Try catch for async getScheduler function
  • Skimmer: Added alerts: High_lag_on_Kafka_topic, High_node_CPU_usage, High_node_HEAP_usage, High_Flush_duration, High_Indexing_time
  • Skimmer: New metric - _cat/shards
  • Skimmer: New metric - _cat/tasks
  • Skimmer: Updated to v1.0.17
  • small_backup.sh: Added sync, archive, wiki support
  • small_backup.sh: Information about the completed operation is logged
  • Wazuh: Searching in the rule.description field

BugFixes

  • Access Management: Cosmetic issue in apps select box for default roles (like admin, alert, intelligence, kibana etc.)
  • Alert: Category name did not appear on the “Risk” list
  • Alert: Description update for find_match alert type
  • Alert: Fixes bug where after renaming the alert it is not immediately visible on the list of alerts
  • Alert: Fixes bug where editing of alert, causes it returns to the Other group
  • Alert: Fixes incorrect function alertMethodData - problem with TestRule operation [itrs op5 alert-method]
  • Alert: Fixes problem with ‘[]’ in rule name
  • Alert: Fixes process status in Alert Status tab
  • Alert: In groups, if there is pagination, it is not possible to change the page - does not occur with the default group “Others”
  • Alert: Missing op5_url directive in /opt/alert/config.yaml [itrs op5 alert-method]
  • Alert: Missing smtp_auth_file directive in /opt/alert/config.yaml [itrs op5 alert-method]
  • Alert: Missing username directive in /opt/alert/config.yaml [itrs op5 alert-method]
  • Alert: Overwrite config files after updating, now it should create /opt/alert/config.yml.rpmnew
  • Archive: Fixes exception during connection problems to elasticsearch
  • Archive: Missing symlink to runTask.js
  • Cerebro: Fixes problems with PID file after cerebro crash
  • Cerebro: Overwrite config files after updating, now it should create /opt/cerebro/conf/application.conf.rpmnew
  • Config: SSO login misreads application names entered in Access Management
  • Elasticsearch: Fixes “No value present” message log when not using a radius auth [properties.yml]
  • Elasticsearch: Fixes “nullPointerException” by adding default value for licenseFilePath [properties.yml]
  • Incidents: Fixes problem with vanishing status
  • install.sh: Opens the ports required by logstash via firewall-cmd
  • install.sh: Set openjdk11 as the default JAVA for the operating system
  • Kibana: Fixes exception during connection problems to elasticsearch - will stop restarting
  • Kibana: Fixes URL shortening when using Store URLs in session storage
  • Logtrail: Fixes missing logrotate definitions for Logtrail logfiles
  • Logtrail: Overwrite config files after updating, now it should create /usr/share/kibana/plugins/logtrail/logtrail.json.rpmnew
  • Object Permission: Fixes permission verification error if the overwritten object’s title changes
  • Reports: Fixes Image Creation failed exception
  • Reports: Fixes permission problem for checkpass Reports API
  • Reports: Fixes problems with AD/Radius/LDAP users
  • Reports: Fixes problem with choosing the date for export
  • Reports: Fixes setting default index pattern for technical users when using https
  • Skimmer: Changed kafka.consumer_id to number in default mapping
  • Skimmer: Fixes in indices stats monitoring
  • Skimmer: Overwrite config files after updating, now it should create /opt/skimmer/skimmer.conf.rpmnew

v7.0.4

NewFeatures

  • New plugin: Archive specified indices
  • Applications Access management based on roles
  • Dashboards: Possibility to play a sound on the dashboard
  • Tenable.SC: Integration with dedicated dashboard
  • QualysGuard: Integration with dedicated dashboard
  • Wazuh: added installation package
  • Beats: added to installation package
  • Central Agents Management (masteragent): Stop & start & restart for each registered agent
  • Central Agents Management (masteragent): Status of detected beats and master agent in each registered agent
  • Central Agents Management (masteragent): Tab with the list of agents can be grouped
  • Central Agents Management (masteragent): Autorolling documents from .agents index based on a Settings in Config tab
  • Alert: New Alert method for op5 Monitor added to GUI.
  • Alert: New Alert method for Slack added to GUI.
  • Alert: Name-change - the ability to rename an already created rule
  • Alert: Groups for different alert types
  • Alert: Possibility to modify all alarms in selected group
  • Alert: Calendar - calendar for managing notifications
  • Alert: Escalate - escalate alarm after specified time
  • Alert: TheHive integration

Improvements

  • Object Permission: When adding an object to a role in “object permission” now is possible to add related objects at the same time
  • Skimmer: New metric - increase of documents in a specific index
  • Skimmer: New metric - size of a specific index
  • Skimmer: New metric - expected datanodes
  • Skimmer: New metric - kafka offset in Kafka cluster
  • Installation script: The setup script validates the license
  • Installation script: Support for Centos 8
  • AD integration: Domain selector on login page
  • Incidents: New fieldsToSkipForVerify option for skipping false-positives
  • Alert: Added sorting of labels in comboxes
  • User Roles: Alphabetical, searchable list of roles
  • User Roles: List of users assigned to a given role
  • Audit: Cache for audit settings (performance)
  • Diagnostic-tool.sh: Added cerebro to audit files
  • Alert Chain/Logical: Few improvements

BugFixes

  • Role caching fix for working in multiple node setup.
  • Alert: Aggregation schedule time
  • Alert: Loading new_term fields
  • Alert: RecursionError: maximum recursion depth exceeded in comparison
  • Alert: Match_body.kibana_discover_url malfunction in aggregation
  • Alert: Dashboard Recovery from Alert Status tab
  • Reports: Black bars after JPEG dashboard export
  • Reports: Problems with Scheduled reports
  • Elasticsearch-auth: Forbidden - not authorized when querying an alias with a wildcard
  • Dashboards: Logserver_table is not present in 7.X, it has been replaced with basic table
  • Logstash: Mikrotik pipeline - failed to start pipeline

v7.0.3

New Features

  • Alert: new type - Chain - create alert from underlying rules triggered in defined order
  • Alert: new type - Logical - create alert from underlying rules triggered with defined logic (OR,AND,NOR)
  • Alert: correlate alerts for Chain and Logical types - alert is triggered only if each rule return same value (ip, username, process etc)
  • Alert: each triggered alert is indexed with uniqe alert_id - field added to default field schema
  • Alert: Processing Time visualization on Alert dashboard - easy to identify badly designed alerts
  • Alert: support for automatic search link generation
  • Input: added mikrotik parsing rules
  • Auditing : added IP address field for each action
  • Auditing : possibility to exclude values from auditing
  • Skimmer: indexing rate visualization
  • Skimmer: new metric: offset in Kafka topics
  • SKimmer: new metric: expected-datanodes
  • MasterAgent: added possibility for beats agents restart and the master agent itself (GUI)

Improvements

  • Search and sort support for User List in Config section
  • Copy/Sync: now supports “insecure” mode (operations without certificates)
  • Fix for “add sample data & web sample dashboard” from Home Page -> changes in default-base-template
  • Skimmer: service status check rewriteen to dbus api
  • Masteragent: possibility to exclude older SSL protocols
  • Masteragent: now supports Centos 8 and related distros
  • XLSX import: updated to 7.6.1
  • Logstash: masteragent pipeline shipped by default
  • Blacklist: Name field and Field names in the Fields column & Default field exclusions
  • Blacklist: runOnce is only killed on a fatal Alert failure
  • Blacklist: IOC excludes threats marked as false-positive
  • Incidents: new design for Preview
  • Incidents: Note - new feature, ability to add notes to incidents
  • Risks: possibility to add new custom value for risk, without the need to index that value
  • Alert: much better performance with multithread support - now default
  • Alert: Validation of email addresses in the Alerts plugin
  • Alert: “Difference” rule description include examples for alert recovery function
  • Logtrail: improved the beauty and readability of the plugin
  • Security: jquery updated to 3.5.1
  • Security: bootstrap updated to 4.5.0
  • The HELP button (in kibana) now leads to the official product documentation
  • Centralization of previous alert code changes to single module

BugFixes

  • Individual special characters caused problems in user passwords
  • Bad permissions for scheduler of Copy/Sync module has been corrected
  • Wrong Alert status in the alert status tab
  • Skimmer: forcemerge caused under 0 values for cluster_stats_indices_docs_per_sec metric
  • diagnostic-tool.sh: wrong name for the archive in output
  • Reports: export to csv support STOP action
  • Reports: scroll errors in csv exports
  • Alert: .alertrules is not a required index for proper system operation
  • Alert: /opt/alerts/testrules is not a required directory for proper system operation
  • Alert: .riskcategories is not a required index for proper system operation
  • Malfunction in Session Timeout
  • Missing directives service_principal_name in bundled properties.yml
  • Blacklist: Removal of the doc type in blacklist template
  • Blacklist: Problem with “generate_kibana_discover_url: true” directive
  • Alert: Overwriting an alert when trying to create a new alert with the same name
  • Reports: When exporting dashboards, PDF generates only one page or cuts the page
  • Wrong product logo when viewing dashboards in full screen mode

v7.0.2

New Features

  • Manual incident - creating manual incidents from the Discovery section
  • New kibana plugin - Sync/Copy between clusters
  • Alert: Analyze historical data with defined alert
  • Indicators of compromise (IoC) - providing blacklists based on Malware Information Sharing Platform (MISP)
  • Automatic update of MaxMind GeoIP Databases [asn, city, country]
  • Extended LDAP support
  • Cross cluster search
  • Diagnostic script to collect information about the environment, log files, configuration files - utils/diagnostic-tool.sh
  • New beat: op5beat - dedicated data shipper from op5 Monitor

Improvements

  • Added _license API for elasticsearch (it replaces license path which is now deprecated and will stop working in future releases)
  • _license API now shows expiration_date and days_left
  • Visual indicator on Config tab for expiring license (for 30 days and less)
  • Creating a new user now requires reentering the passoword
  • Complexity check for password fields
  • Incidents can be supplemented with notes
  • Alert Spike: more detailed description of usage
  • ElasticDump added to base installation - /usr/share/kibana/elasticdump
  • Alert plugin updated - frontend
  • Reimplemented session timeout for user activity
  • Skimmer: new metrics and dashboard for Cluster Monitoring
  • Wazuh config/keys added to small_backup.sh script
  • Logrotate definitions for Logtrail logfiles
  • Incidents can be sorted by Risk value
  • UTF-8 support for credentials
  • Wazuh: wrong document_type and timestamp field

BugFixes

  • Audit: Missing Audit entry for succesfull SSO login
  • Report: “stderr maxBuffer length exceeded” - export to csv
  • Report: “Too many scroll contexts” - export to csv
  • Intelligence: incorrect work in updated environments
  • Agents: fixed wrong document type
  • Kibana: “Add Data to Kibana” from Home Page
  • Incidents: the preview button uses the wrong index-pattern
  • Audit: Missing information about login errors of ad/ldap users
  • Netflow: fix for netflow v9
  • MasterAgent: none/certificade verification mode should work as intended
  • Incorrect CSS injections for dark theme
  • The role could not be removed in specific scenarios

v7.0.1

  • init
  • migrated features from branch 6 [ latest:6.1.8 ]
  • XLSX import [kibana]
  • curator added to /usr/share/kibana/curator
  • node_modules updated! [kibana]
  • elasticsearch upgraded to 7.3.2
  • kibana upgraded to 7.3.2
  • dedicated icons for all kibana modules
  • eui as default framework for login,raports
  • bugfix: alerts type description fix