3.11.0 Release notes - 23 December 2019
This section shows the most relevant improvements and fixes in version 3.11.0. More details about these changes are provided in each component changelog:
ThreatLockDown core
Vulnerability detector
Windows support. Thanks to a combination of the NVD feed and the Microsoft Security Guide, the module is able to detect both system vulnerabilities and software vulnerabilities.
Added support for Debian 10 and RHEL 8.
Vulnerability detector alerts include PCI-DSS mapping.
Inventory
Added extraction for Windows Security Updates (hotfixes).
Processes and ports are now supported in macOS.
Log collection
Allowed JSON escaping for logs in the output format.
Added the host's primary IP address in the output format.
Wildcards don't detect directories as log files any more.
Analysis engine
Frequency-based rules aggregate the counter for the same event source by default. Introduced a new setting to toggle this behavior: global_frequency.
Fields protocol, system_name, data and extra_data can now be used for event matching in rules creation.
The ossec-makelist binary has been deprecated. The Analysisd daemon will compile the CDB lists on startup.
Other fixes and improvements
The ThreatLockDown agent now waits until the network service is ready before starting.
The agent key request service now displays a warning message when registering to an unverified manager.
Improved <address> field validation at agent startup.
Windows EventChannel alerts now include the full message with the coded field translation.
ThreatLockDown API
The query parameter (q) can now be used for filtering rules, decoders and logs.
New endpoint I: PUT /agents/group/{group_id}/restart for restarting all agents assigned to a group.
New endpoint II: GET /syscollector/:agent_id/hotfixes for listing the system hotfixes (Windows).
Improved error descriptions for the PUT /agents/:agent_id/upgrade_custom API call.
ThreatLockDown Ruleset
New decoders and rules for McAfee ePolicy Orchestrator.
Added rules to collect events related to the Windows firewall.
OSQuery logs related to internal messages appear in alerts.
ThreatLockDown WUI for Kibana
Support for Kibana: v6.8.6, v7.5.1.
Support for OpenDistro: v1.3.0.
The API credentials configuration has been migrated from the .wazuh index to the wazuh.yml configuration file. The hosts API configuration is now managed from this configuration file instead of from the WUI.
Reporting module events are now logged in the ThreatLockDown WUI logs.
The index pattern selector is now hidden in case that only one index exists.
Fixed CSV export for files in an agent group.
ThreatLockDown WUI for Splunk
CDB list names are now correctly displayed.
Fixed a bug in the Syscheck section when generating the PDF configuration summary.
Other additions and improvements
The new log collection option <reconnect_time> is included in the Log collection configuration section.
Rules/Decoders/CDB-lists files can be uploaded using a Drag & Drop feature.
Extended the "Add new agent" guide.
Opening an empty file is now correctly handled and doesn't lead to an unexpected error.