Ignore observables with the empty SHA-256 hash
(e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855)
Create file SCOs from Office 365 logs in enrichment
Create directory SCOs from Office 365 logs in enrichment
Use vulnerability score for vulnerability_incident_cvss3_score_threshold
check if CVSS3 score is unavailable
Search directories in Office 365
Add a small sleep() of 100 ms, potentially solving
#11
New setting rule_exclude_list that allows for ignoring certain alert rules
altogether
New setting incident_rule_exclude_list that prevents incident creation for
certain alert rules
Mention in event creation in docs that incidents from sighted
vulnerabilities are not created by default unless configured
Document alert rules in glossary, with screenshots of the rule viewer in
Wazuh
Add a timeout to OpenSearch queries (default 20 s), preventing a complete
freeze if OpenSearch fails to reply
Add new setting vulnerability_incident_active_only that allows for only
creating incidents for sighted vulnerabilities if they are no longer active
Changed
OpenCTI 6.1.10 is used
No longer enrich URLs without host and scheme by default (e.g. "/",
"/foo/bar"), but leave the possibility as a new configuration option,
*enrich_urls_without_host".
If the vulnerability being enriched does not contain any CVSS3 information,
extract this from alerts before running the logic in
vulnerability_incident_cvss3_score_threshold. This allows for creating
incidents based on CVSS score threshold even if this information is not
present in the source entity.
Fixed
Avoid crashing when enriching untriaged vulnerabilities (when published is
not set)
Set confidence explicitly for sightings as a workaround for OpenCTI bug
6835. This ensures that sightings now get the correct confidence (that of
the user/group running the connector).
Fix bug in vulnerability_incident_cvss3_score_threshold logic
Fix a number of typos and bugs in documentation
Do not use months in timedeltas in tests, causing issues with 30/31 days in a
month
Remove "Observable" from incident description, since not all enriched
entities are observables
Do not match file names partially (regex mistake)
Removed
Remove all traces of the Wazuh API. It was only partially implemented, and
will be added back when development of this as a separate enhancement is
completed.
0.3.0 - 2024-06-09
Added
Changed
Fixed
6835. This ensures that sightings now get the correct confidence (that of
the user/group running the connector).
Removed