Version 2022.08.00 - In Development
Below are any bugs, vulnerabilities, features, and enhancements included in ReflexSOAR version 2022.08.00.
Bugs
- Fix for reflex-api#229 - When a Case Template had no tasks the UI would not display any Case Templates on the Case Templates Management page
- Fix fir reflex-api#255 - When no CA cert is supplied the agent would still populate the ca_file property causing Elastic to think HTTPS was expected.
- When dismissing an event the dismissed_by fields were not being populated
- When trying to add events to a case that does not exist, the API would return an Error 500
- When EventWorkers would try to save a task and the save action would time out the Event Worker would crash
- When streaming_bulk had BulkIndexErrors they were unhandled and it would cause EventWorkers to crash
- When RQL syntax was incorrect and Test Rule was sent, the API would return Internal Server Error due to an unhandled exception
- When ExpiredTokens are searched and a timeout occurs there were unhandled exceptions by the API process
- When multiple Threat/Intel Pollers are running (this should never happen), some inflight delete_by_query calls would result in an unhandled exception in the Threat/Intel poller
- EventWorkers were not properly propegating their logs to stdout
- When running Event Workers in dedicated mode and more than 10 organizations/tenants exist, only the first 10 organizations would get an Event Worker pool
- When memcached was down the API and EventWorkers would not gracefully handle the error causing them to have internal server errors or crash, respectively
- Agents Permissions did not default to having the permissions to run detections, poll/update inputs
- When sorting Agents on the Agent List page, paging the results would reset the sort column and order
- When part of the case UUID matched the wrong case history was presented to the API response Commit
- When merging cases using event rules they would fail due to
target_case_uuid
being spelled incorrectly Commit - When an RQL query has
contains <int>
the rule would fail Commit - When an admin in the default organization would create a user with a null organization it would clear out role membership Commit
- Fixed Case Title searching so that it can be a partial search and case insensitive Commit
- When creating a case from a series of Events, not all Events would be included reflex-api#317
- When using the Merge Into Case context menu, not all Events would merge in to the case reflex-api#317
- When events were merged in to a case they were merged as a list of lists of UUIDs instead of appending Commit
- EventProcessors were not bulking up events, they were processing one at a time Commit
Vulnerability
- Detection List page was not protected by a permission allowing any authenticated user to access this feature and view detections
Features
- Reflex now supports native detection rules. See the Detections page for more details.
- Reflex now provides an up to date MITRE ATT&CK matrix so users can see how their Detection rules align to MITRE without leaving the platform or having to export data
- Reflex now allows for notifications to specified channels. See the Notifications page for more details.
- Reflex now allows Security Teams to place a priority order on Event Rules which determines the order in which Event Rules are run, allowing for chaining Event Rules in new ways
- Reflex now allows for dedicated Event Processor Workers for each tenant. See the Event Processing page for more details.
- Reflex Event Rules can now automatically create new Cases for each matched event and apply a case template. See the Event Rules section for more details.
- Security Teams can now comment directly on individual Events to have a dialogue without merging the Event in to a case
- A new Tuning Advice field is available when dismissing an Event to provide feedback during reporting to detection engineers on how they can fix their detections
- Reflex now supports Agent Policy allowing users to control how all agents are configured from a central location
Enhancements
- Changes to UI components to be in align with WCAG 2.1
- Event Bulk Ingest now uses a pool of Memcached clients instead of spawning a new client per bulk ingest request. This is a performance enhancement and a bug fix, the previous method was exhausting available TCP ports.
- Added documentation for Organizations
- Added documentation for Detections
- Agent List now shows Agent Healthy and lists any issues with the agent
- Event Rule List has had columns reworked to reduce screen space, now also shows who created and modified a rule
- Added the ability to control JWT expiration in tenant global settings
- When selecting a close reason for Event dismissal, the Dismiss Comment will automatically fill with the Close Reason description
- New default close reasons and changes to descriptions
- When new default Reflex values are added in the future they will populate across all organizations (e.g. new Close/Dismiss Reasons)
- The API will now wait for a Case to finish creating before redirecting users to the Case page. Fixes an issue with a Case paged serving a 404.
- Allow
InCIDR
to accept an array of CIDR ranges not only a single string - Dismiss information now shows up in the Event Drawer of a dismissed Event
- Changes to the Dashboard page, replaced Charts.js for ApexCharts and tabs now separate distinct charting topics
- Enhancement from reflex-api#257 - Users can now search on the Case List page by the case title, description, comments and observables on the case
- The
InCIDR
RQL operator can now be paired with theIntel
function to see if an Event fields value is on an intel list of CIDR addresses. Exampleobservable.value InCIDR intel("Microsoft IPS")
- Intel Lists can now change the
IOC
,Safe
andSpotted
flags on observables that match a value on the list during Event ingest - When creating a case from a series of Events use UpdateByQuery instead of the Event Processor
- Leveraging UpdateByQuery instead of the Event Processor for merging Events in to Cases
- When creating a case from events or adding events to a case, the API will only make 2 calls to the backend instead of 1 call per event. This should significantly improve performance when creating cases from large numbers of events.