4.7.0 Release notes - 27 November 2023

This section lists the changes in version 4.7.0. Every update of the ThreatLockDown solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This version includes new features or improvements, such as the following:

Manager

  • #18026 Added native Maltiverse integration. ThreatLockDown now leverages the Maltiverse API to enrich alerts. This enhancement supplements alert details with threat intelligence data following the Elastic Common Schema (ECS) standard. Acknowledgments to David Gil (@dgilm).

  • #16090 Added an option to customize the Slack integration.

  • #16008 An unnecessary sanity check related to Syscollector has been removed from wazuh-db.

  • #18570 Added support for Amazon Linux 2023 in Vulnerability Detector.

  • #20367 The manager now rejects agents with a higher version by default.

Agent

  • #17951 Added support for Custom AWS Logs in Buckets via AWS SQS. This enhancement improves visibility and troubleshooting in AWS environments.

  • #15582 Added geolocation for the aws.data.client_ip field. The new GeoIP feature enables tracking of geographical locations of AWS ALB client IP addresses. This addition enhances visibility into network traffic and security monitoring. Acknowledgments to Arran Rhodes (@rh0dy).

  • #15699 Added package inventory support for Alpine Linux in Syscollector.

  • #16117 Added package inventory support for MacPorts package manager in Syscollector. This enhancement improves compatibility with macOS.

  • #17982 Added package inventory support for Python PyPI and Node.js in Syscollector.

  • #15000 Added process information to the open ports inventory in Syscollector. This addition enhances ports inventory capabilities for better management and tracking on Linux systems.

  • #17966 The shared modules code has been sanitized according to the convention.

  • #18006 The package inventory internal messages have been modified to honor the schema compliance.

  • #20360 Added clarification to the agent connection log. The agent must connect to a manager of the same or higher version.

ThreatLockDown dashboard

  • #5680 Added the Status detail column in the Agents table.

  • #5738 The agent registration wizard now effectively manages special characters in passwords.

  • #5636 Changed the Network ports table columns for Linux agents.

  • #5707 Changed Timelion-type displays in the Management > Statistics section to line-type displays.

  • #5747 Removed views in JSON and XML formats from the Management settings.

RESTful API

  • #19726 Added a new status_code field to the GET /agents response.

  • #20126 Deprecated the following API endpoints:

    • PUT /vulnerability

    • GET /vulnerability/{agent_id}

    • GET /vulnerability/{agent_id}/last_scan

    • GET /vulnerability/{agent_id}/summary/{field}

Packages

  • #2568 Updated links to wazuh-dashboard-plugins repository.

  • #2555 Added firewall validation to the installation assistant.

Resolved issues

This release resolves known issues such as the following:

Manager

Reference   Description
#16683      Fixed an unexpected cluster error when a worker gets restarted.
#16681      Fixed an issue that let the manager validate wrong XML configurations.
#19869      Fixed default value for multiarch field in syscollector packages.
#20081      Fixed WPK rollback rebooting the host in Windows agent.

Agent

Reference   Description
#17006      Fixed detection of osquery 5.4.0+ running outside the integration.
#16089      Fixed vendor data in package inventory for Brew packages on macOS.
#19811      Improved reliability of the signature verification mechanism.

RESTful API

Reference   Description
#16489      Addressed error handling for non-UTF-8 encoded file readings.
#16914      Resolved an issue in the WazuhException class that disrupted the API executor subprocess.
#16918      Corrected an empty value problem in the API specification key.

Other

Reference   Description
#17040      Fixed the signature of the internal function OSHash_GetIndex().

ThreatLockDown dashboard

Reference   Description
#5591       Fixed problem with new or missing columns in the Agents table.
#5676       Fixed the color of the agent name in the groups section in dark mode.
#5597       Fixed the propagation event so that the flyout data, in the decoders, does not change when the button is pressed.
#5631       Fixed the tooltips of the tables in the Security section, and removed unnecessary requests.

Packages

Reference   Description
#2523       Fixed wrong condition when generating the RPM ThreatLockDown indexer package with an existent base file.

Changelogs

More details about these changes are provided in the changelog of each component: