0.3.0

[misje]

0.3.0 - 2024-06-09

Added

• Search docker URLs when searching for URL SCOs
• Ignore observables with the empty SHA-256 hash
  (e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855)
• Create file SCOs from Office 365 logs in enrichment
• Create directory SCOs from Office 365 logs in enrichment
• Use vulnerability score for vulnerability_incident_cvss3_score_threshold
  check if CVSS3 score is unavailable
• Search directories in Office 365
• Add a small sleep() of 100 ms, potentially solving
  #11
• New setting rule_exclude_list that allows for ignoring certain alert rules
  altogether
• New setting incident_rule_exclude_list that prevents incident creation for
  certain alert rules
• Mention in event creation in docs that incidents from sighted
  vulnerabilities are not created by default unless configured
• Document alert rules in glossary, with screenshots of the rule viewer in
  Wazuh
• Add a timeout to OpenSearch queries (default 20 s), preventing a complete
  freeze if OpenSearch fails to reply
• Add new setting vulnerability_incident_active_only that allows for only
  creating incidents for sighted vulnerabilities if they are no longer active

Changed

• OpenCTI 6.1.10 is used
• No longer enrich URLs without host and scheme by default (e.g. "/",
  "/foo/bar"), but leave the possibility as a new configuration option,
  *enrich_urls_without_host".
• If the vulnerability being enriched does not contain any CVSS3 information,
  extract this from alerts before running the logic in
  vulnerability_incident_cvss3_score_threshold. This allows for creating
  incidents based on CVSS score threshold even if this information is not
  present in the source entity.

Fixed

• Avoid crashing when enriching untriaged vulnerabilities (when published is
  not set)
• Set confidence explicitly for sightings as a workaround for OpenCTI bug
  #6835. This ensures that sightings now get the correct confidence (that of
  the user/group running the connector).
• Fix bug in vulnerability_incident_cvss3_score_threshold logic
• Fix a number of typos and bugs in documentation
• Do not use months in timedeltas in tests, causing issues with 30/31 days in a
  month
• Remove "Observable" from incident description, since not all enriched
  entities are observables
• Do not match file names partially (regex mistake)

Removed

• Remove all traces of the Wazuh API. It was only partially implemented, and
  will be added back when development of this as a separate enhancement is
  completed.
• Remove some debug output

---

This discussion was created from the release 0.3.0.