0.3.0

[misje]

0.3.0 - 2024-06-09

Added

• Search docker URLs when searching for URL SCOs
• Ignore observables with the empty SHA-256 hash (e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855)
• Create file SCOs from Office 365 logs in enrichment
• Create directory SCOs from Office 365 logs in enrichment
• Use vulnerability score for vulnerability_incident_cvss3_score_threshold check if CVSS3 score is unavailable
• Search directories in Office 365
• Add a small sleep() of 100 ms, potentially solving #11
• New setting rule_exclude_list that allows for ignoring certain alert rules altogether
• New setting incident_rule_exclude_list that prevents incident creation for certain alert rules
• Mention in event creation in docs that incidents from sighted vulnerabilities are not created by default unless configured
• Document alert rules in glossary, with screenshots of the rule viewer in Wazuh
• Add a timeout to OpenSearch queries (default 20 s), preventing a complete freeze if OpenSearch fails to reply
• Add new setting vulnerability_incident_active_only that allows for only creating incidents for sighted vulnerabilities if they are no longer active

Changed

• OpenCTI 6.1.10 is used
• No longer enrich URLs without host and scheme by default (e.g. "/", "/foo/bar"), but leave the possibility as a new configuration option, *enrich_urls_without_host".
• If the vulnerability being enriched does not contain any CVSS3 information, extract this from alerts before running the logic in vulnerability_incident_cvss3_score_threshold. This allows for creating incidents based on CVSS score threshold even if this information is not present in the source entity.

Fixed

• Avoid crashing when enriching untriaged vulnerabilities (when published is not set)
• Set confidence explicitly for sightings as a workaround for OpenCTI bug

  6835. This ensures that sightings now get the correct confidence (that of

  the user/group running the connector).

• Fix bug in vulnerability_incident_cvss3_score_threshold logic
• Fix a number of typos and bugs in documentation
• Do not use months in timedeltas in tests, causing issues with 30/31 days in a month
• Remove "Observable" from incident description, since not all enriched entities are observables
• Do not match file names partially (regex mistake)

Removed

• Remove all traces of the Wazuh API. It was only partially implemented, and will be added back when development of this as a separate enhancement is completed.
• Remove some debug output