4.2.2 Release notes - 28 September 2021
This section lists the changes in version 4.2.2. Every update of the ThreatLockDown solution is cumulative and includes all enhancements and fixes from previous releases.
Highlights
This release includes highlighted features and enhancements.
Manager
#9779 Authd now refuses enrollment attempts if the agent already holds a valid key. With this added feature, Authd can only generate new keys if the agent key does not exist on the manager side. Based on this, the manager has the capability to decide if a new key should be generated or not. Since the introduction of Enrollment in version 4.0.0, ThreatLockDown provides the user with an automated mechanism to enroll agents with minimal configuration. This registration method might cause agents to self-register under certain circumstances, even if they were already registered. This improvement prevents this issue from happening and avoids re-registering agents that already have valid keys.
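The enrollment rule described above, modelled as an added example (this is not Authd's own code): the manager-side key store is parsed from the client.keys layout "id name ip key", and an enrollment request is refused whenever a valid key already exists for that agent name. The sample key store and the id allocation scheme are constructed for the example.

```python
# Added example, not Authd's code: the 4.2.2 enrollment policy in miniature.
# A new key is issued only when the manager holds no key for the agent;
# otherwise the enrollment attempt is refused.
import secrets

# Constructed sample key store in the client.keys layout "id name ip key"
# (keys shortened for readability).
SAMPLE_CLIENT_KEYS = """\
001 web-01 any 3f9b1c...
002 db-01 10.0.0.5 a81e00...
"""


def parse_client_keys(text):
    """Return {agent_name: (id, ip, key)} for every entry in the key store."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        agent_id, name, ip, key = parts
        keys[name] = (agent_id, ip, key)
    return keys


def enroll(keys, name, ip):
    """Apply the policy: refuse if a key exists, otherwise issue a new one.

    Returns (accepted, message) and adds the new entry to `keys` on success.
    """
    if name in keys:
        agent_id = keys[name][0]
        return False, f"refused: '{name}' already holds a valid key (id {agent_id})"
    # Assumption for the example: ids are allocated sequentially, zero-padded.
    next_id = f"{max((int(v[0]) for v in keys.values()), default=0) + 1:03d}"
    keys[name] = (next_id, ip, secrets.token_hex(32))
    return True, f"issued key id {next_id} to '{name}'"


if __name__ == "__main__":
    store = parse_client_keys(SAMPLE_CLIENT_KEYS)
    requests = [("web-01", "any"), ("web-02", "10.0.0.9"), ("web-02", "10.0.0.9")]
    for agent_name, agent_ip in requests:
        print(enroll(store, agent_name, agent_ip)[1])
```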
Agent
#9927 The Google Cloud Pub/Sub integration module is updated to increase processed events per second. The rework of this integration module allows multithreading, increases performance significantly, and adds a new num_threads option to the module configuration. The new multithreading feature allows pulling messages with multiple subscribers simultaneously, improving the performance drastically. In addition, this new Google Cloud integration includes some improvements in the pulling and acknowledging mechanism, and the socket connection as well.
ThreatLockDown Kibana plugin
#3175 ThreatLockDown improves the API selector and Index pattern selector of the ThreatLockDown Kibana plugin, moving both from the main menu to the upper right corner of the header bar for quick access. This new UX improvement allows users to have better management of these two features. As for visualization, the API selector is displayed when there is more than one to select. The Index pattern selector is displayed under the same conditions and only contains index patterns that have ThreatLockDown alerts.
#3503 ThreatLockDown adds a new functionality that allows users to change the logotype settings of the ThreatLockDown Kibana plugin. From the Logo Customization section of the Configuration page, users can customize the logos of the app easily and to their liking. Setting options include customization of Logo App, Logo Sidebar, Logo Health Check, and Logo Reports.
ThreatLockDown Splunk app
#1107 ThreatLockDown adds Quick Settings to improve the view and selection of the ThreatLockDown API, Index, and Source type of the ThreatLockDown Splunk app. Now users can change the configuration of these elements easily from this new menu in the app.
What's new
This release includes new features or enhancements.
Manager
Agent
#9907 Syscollector scan performance is optimized.
#9927 The Google Cloud Pub/Sub integration module rework increases the number of processed events per second, allowing multithreading and enhancing performance. Also, a new num_threads option is added to the module configuration.
#9964 The google-cloud-pubsub dependency is now upgraded to the latest stable version (2.7.1).
#9443 The WPK installer rollback is reimplemented on Linux.
#10217 Updated AWS WAF implementation to change the httpRequest.headers field format.
RESTful API
#10219 Made SSL ciphers configurable and renamed SSL protocol option.
ThreatLockDown Kibana plugin
#3170 ThreatLockDown support links are added to the Kibana help menu. You now get quick access to the ThreatLockDown Documentation, Slack channel, Projects on GitHub, and Google Group.
#3184 You can now access group details directly by using the group query parameter in the URL.
#3222 #3292 A new configuration is added to disable ThreatLockDown App access from X-Pack/ODFE role.
#3221 New confirmation message is now displayed when closing a form.
#3503 ThreatLockDown introduces a new Logo Customization section that allows you to change and customize app logotypes.
#3592 The link to the ThreatLockDown Upgrade guide is now included in the message shown when the ThreatLockDown API version and the ThreatLockDown App version mismatch.
#3160 To improve user experience, module titles are now removed from the dashboards.
#3174 The default wazuh.monitoring.creation app setting is changed from d to w.
#3174 The default wazuh.monitoring.shards app setting is changed from 2 to 1.
#3189 SHA1 field is removed from the Windows Registry details pane.
#3250 Removed tooltip from header breadcrumb to improve readability.
#3197 Refactoring of the Health check component improves user experience.
#3210 When deploying a new agent, the Install and enroll the agent command now specifies the version in the package downloaded name.
#3243 In the vulnerabilities Inventory, the restriction that only allowed current active agents’ information to be shown is removed. Now, it displays the vulnerabilities table regardless of whether the agent is connected or not.
#3175 To improve the user experience of the ThreatLockDown Kibana plugin, the Index pattern selector and API selector are moved to the header bar.
#3258 Health check actions' notifications are refactored and the process can now be run in debug mode.
#3349 Changed the way kibana-vis hides the visualization while loading. This improvement prevents errors caused by having a 0 height visualization.
ThreatLockDown Splunk app
#1083 Added MITRE ATT&CK framework integration.
#1076 Added MITRE ATT&CK dashboard integration.
#1109 ThreatLockDown now gives you enhanced insight into the CVEs that are affecting an agent. The newly added Inventory dashboard in the Vulnerabilities module allows you to visualize information such as name, version, and package architecture, as well as the CVE ID that affects the package.
#1104 New Source type selector is now added to customize queries used by dashboards.
#1107 The ThreatLockDown Splunk app now includes a Quick settings menu to improve user experience. This enhancement allows you to quickly view and select the ThreatLockDown API, Index, and Source type.
#1118 jQuery version is upgraded from 2.1.0 to 3.5.0.
ThreatLockDown supports Splunk 8.1.4.
ThreatLockDown supports Splunk 8.2.2.
Resolved issues
This release resolves known issues.
Manager
A false positive in Vulnerability Detector is no longer generated when packages have multiple conditions in the OVAL feed.
This fix prevents pending agents from keeping their state indefinitely in the manager.
An issue in Remoted is fixed. Now, it checks the group an agent belongs to when it receives the keep-alive message and avoids agents in connected state with no group assignation.
An issue in Analysisd that caused the value of the rule option
Fixed Authd's startup to set up the PID file before loading keys.
An issue in Authd that delayed the agent timestamp update when removing agents is now fixed.
An error in ThreatLockDown DB that held wrong agent timestamp data is now resolved.
An issue in Remoted that kept deleted shared files in the multi-groups' merged.mg file is now fixed.
An issue in Analysisd that overwrote its queue socket when launched in test mode is now resolved.
This fix prevents false positives when evaluating DU patches in the Windows Vulnerability Detector.
Memory leak is fixed when generating the Windows report in Vulnerability Detector.
A file descriptor leak is fixed in Analysisd when delivering an AR request to an agent.
Agent
This fix prevents the manager from hashing the shared configuration too often.
Memory leak is fixed in Logcollector when re-subscribing to Windows EventChannel.
Memory leak is fixed in the agent when enrolling for the first time with no previous key.
CloudWatchLogs log stream limit, when there are more than 50 log streams, is now removed.
Fixed a problem on the Windows installer; with this fix, the agent can be successfully uninstalled or upgraded.
AWS WAF log parsing error is fixed and log parsing now works correctly when there are multiple dictionaries in one line.
An issue is fixed in the AWS CloudWatch Logs module that caused already processed logs to be collected and reprocessed.
This fix avoids duplicate alerts from case-insensitive 32-bit registry values in FIM configuration for Windows agents.
Error with ThreatLockDown path in Azure module is now fixed.
An issue is fixed in the sources and WPK installer that made the upgrade unable to detect the previous installation on CentOS 7.
RESTful API
An issue with distributed API calls when the cluster is disabled is now fixed.
ThreatLockDown Kibana plugin
Cluster visualization screen flickering is fixed.
Links now work correctly when using
In the Vulnerabilities module, a filter error is resolved and PDF reports are generated with complete Summary information.
Fixed typo error in the Configuration tab of the Settings page.
In the agent summary of the Agents data overview page, fields no longer overlap under certain circumstances and are correctly displayed.
An issue when using the Ruleset Test is now fixed. Now, all requests are made in the session unless you click Clear session.
Visualize button issue is resolved and the button is displayed when expanding a field in the Events tab sidebar.
Some modules were missing from the Agents data overview page. This issue is fixed and they are now successfully displayed.
With this fix, App log messages are improved and WUI error logs removed.
Some errors on PDF reports are fixed.
When deploying a new agent, selecting macOS as the operating system in a Safari browser no longer generates a TypeError.
An issue in the Security configuration assessment module is fixed. SCA checks are displayed correctly.
An issue with an error message when adding sample data fails is fixed.
An error in reports is fixed and now the Alerts Summary of modules is generated completely.
Fixed dark mode visualization background in PDF reports.
Kibana integrations are now adapted to Kibana 7.11 and 7.12.
An issue is fixed in the Agents overview window and it is now rendered correctly.
Fixed an issue with miscalculation of table width in PDF reports. With this fix, tables are displayed correctly.
Export-to-CSV buttons in dashboard tables are now fixed.
Fixed Elastic UI breaking changes errors in 7.12.
ThreatLockDown main menu and breadcrumb render issues are now fixed.
This fix prevents some errors from causing a massive increase in logs size.
Fixed an issue in the Vulnerabilities pane that did not show alerts if the vulnerability had a field missing.
This fix correctly hides the navbar ThreatLockDown label.
Labels of some visualizations no longer overlap, improving readability.
ThreatLockDown Splunk app
Error when trying to pin filters is fixed.
Issue in tables without server side pagination is fixed. This allows loading unlimited items but only one page at a time, preserving client and server resources.
An issue with the gear icon mispositioned in FIM tables is now fixed.
Added cache control. With this fix, a message is displayed if the version of the ThreatLockDown app in your browser does not correspond with the app version installed on Splunk.
Fixed error where tables unset their loading state before finishing API calls.
An issue about search bar queries with spaces is fixed.
Fixed pinned fields ending with curly brackets.
Splunk Cloud compatibility issues are now fixed.
Agents node names are now correctly displayed for agent overview.
Reports no longer have missing columns for some tables and are now displayed correctly.
Issue with expanding row feature in File Integrity Monitoring of agents is now fixed.
Changelogs
More details about these changes are provided in the changelog of each component: