Version 2022.08.00 - In Development
Below are any bugs, vulnerabilities, features, and enhancements included in ReflexSOAR version 2022.08.00.
- Fix for reflex-api#229 - When a Case Template had no tasks the UI would not display any Case Templates on the Case Templates Management page
- Fix fir reflex-api#255 - When no CA cert is supplied the agent would still populate the ca_file property causing Elastic to think HTTPS was expected.
- When dismissing an event the dismissed_by fields were not being populated
- When trying to add events to a case that does not exist, the API would return an Error 500
- When EventWorkers would try to save a task and the save action would time out the Event Worker would crash
- When streaming_bulk had BulkIndexErrors they were unhandled and it would cause EventWorkers to crash
- When RQL syntax was incorrect and Test Rule was sent, the API would return Internal Server Error due to an unhandled exception
- When ExpiredTokens are searched and a timeout occurs there were unhandled exceptions by the API process
- When multiple Threat/Intel Pollers are running (this should never happen), some inflight delete_by_query calls would result in an unhandled exception in the Threat/Intel poller
- EventWorkers were not properly propegating their logs to stdout
- When running Event Workers in dedicated mode and more than 10 organizations/tenants exist, only the first 10 organizations would get an Event Worker pool
- When memcached was down the API and EventWorkers would not gracefully handle the error causing them to have internal server errors or crash, respectively
- Agents Permissions did not default to having the permissions to run detections, poll/update inputs
- When sorting Agents on the Agent List page, paging the results would reset the sort column and order
- When part of the case UUID matched the wrong case history was presented to the API response Commit
- When merging cases using event rules they would fail due to
target_case_uuidbeing spelled incorrectly Commit
- When an RQL query has
contains <int>the rule would fail Commit
- When an admin in the default organization would create a user with a null organization it would clear out role membership Commit
- Fixed Case Title searching so that it can be a partial search and case insensitive Commit
- When creating a case from a series of Events, not all Events would be included reflex-api#317
- When using the Merge Into Case context menu, not all Events would merge in to the case reflex-api#317
- When events were merged in to a case they were merged as a list of lists of UUIDs instead of appending Commit
- EventProcessors were not bulking up events, they were processing one at a time Commit
- Detection List page was not protected by a permission allowing any authenticated user to access this feature and view detections
- Reflex now supports native detection rules. See the Detections page for more details.
- Reflex now provides an up to date MITRE ATT&CK matrix so users can see how their Detection rules align to MITRE without leaving the platform or having to export data
- Reflex now allows for notifications to specified channels. See the Notifications page for more details.
- Reflex now allows Security Teams to place a priority order on Event Rules which determines the order in which Event Rules are run, allowing for chaining Event Rules in new ways
- Reflex now allows for dedicated Event Processor Workers for each tenant. See the Event Processing page for more details.
- Reflex Event Rules can now automatically create new Cases for each matched event and apply a case template. See the Event Rules section for more details.
- Security Teams can now comment directly on individual Events to have a dialogue without merging the Event in to a case
- A new Tuning Advice field is available when dismissing an Event to provide feedback during reporting to detection engineers on how they can fix their detections
- Reflex now supports Agent Policy allowing users to control how all agents are configured from a central location
- Changes to UI components to be in align with WCAG 2.1
- Event Bulk Ingest now uses a pool of Memcached clients instead of spawning a new client per bulk ingest request. This is a performance enhancement and a bug fix, the previous method was exhausting available TCP ports.
- Added documentation for Organizations
- Added documentation for Detections
- Agent List now shows Agent Healthy and lists any issues with the agent
- Event Rule List has had columns reworked to reduce screen space, now also shows who created and modified a rule
- Added the ability to control JWT expiration in tenant global settings
- When selecting a close reason for Event dismissal, the Dismiss Comment will automatically fill with the Close Reason description
- New default close reasons and changes to descriptions
- When new default Reflex values are added in the future they will populate across all organizations (e.g. new Close/Dismiss Reasons)
- The API will now wait for a Case to finish creating before redirecting users to the Case page. Fixes an issue with a Case paged serving a 404.
InCIDRto accept an array of CIDR ranges not only a single string
- Dismiss information now shows up in the Event Drawer of a dismissed Event
- Changes to the Dashboard page, replaced Charts.js for ApexCharts and tabs now separate distinct charting topics
- Enhancement from reflex-api#257 - Users can now search on the Case List page by the case title, description, comments and observables on the case
InCIDRRQL operator can now be paired with the
Intelfunction to see if an Event fields value is on an intel list of CIDR addresses. Example
observable.value InCIDR intel("Microsoft IPS")
- Intel Lists can now change the
Spottedflags on observables that match a value on the list during Event ingest
- When creating a case from a series of Events use UpdateByQuery instead of the Event Processor
- Leveraging UpdateByQuery instead of the Event Processor for merging Events in to Cases
- When creating a case from events or adding events to a case, the API will only make 2 calls to the backend instead of 1 call per event. This should significantly improve performance when creating cases from large numbers of events.