All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog.

## v3.1.2 - 2019-10-04
- Alerts can be turned on/off via web ui
- GeoModel alert to compare locations and determine if travel is possible
- New Query model (SubnetMatch) to match documents on ip and subnets
- LDAP Bruteforce Alert
- Make target (lint) for running pep8 checks against codebase
- Uptycs alert event cron script
- Modified regex statements to be proper python3 statements
- Auth0 script to consume new depnote events
- Moved benchmark and examples directory into scripts directory with sample ingest scripts

## v3.1.1 - 2019-07-25
- Ability to get open indices in ElasticsearchClient
- Documentation on installing dependencies on Mac OS X
- AWS Managed Elasticsearch/Kibana version to 6.7
- Disk free/total in /about page shows at most 2 decimal places
- Connections to SQS and S3 without access key and secret
- Ability to block IPs and add to Watchlist

## v3.1.0 - 2019-07-18
- Captured the AWS CodeBuild CI/CD configuration in code with documentation
- Support for HTTP Basic Auth in AWS deployment
- Docker healthchecks to docker containers
- Descriptions to all AWS Lambda functions
- Support for alerts-* index in docker environment
- Alert that detects excessive numbers of AWS API describe calls
- Additional AWS infrastructure to support AWS re:Inforce 2019 workshop
- Documentation specific to MozDef installation now that MozDef uses Python 3
- Config setting for CloudTrail notification SQS queue polling time
- Config setting for Slack bot welcome message
- Kibana port from 9443 to 9090
- AWS CloudFormation default values from "unset" to empty string
- Simplify mozdef-mq logic determining AMQP endpoint URI
- SQS to always use secure transport
- CloudTrail alert unit tests
- Incident summary placeholder text for greater clarity
- Display of Veris data for easier viewing
- All Dockerfiles to reduce image size, pin package signing keys and improve clarity
- Workers starting before GeoIP data is available
- Mismatched MozDefACMCertArn parameter name in CloudFormation template
- Duplicate mozdefvpcflowlogs object
- Hard coded AWS Availability Zone
- httplib2 by updating to version 0.13.0 for python3
- mozdef_util by modifying bulk queue to acquire lock before saving events
- Dashboard Kibana URL
- Unnecessary and conflicting package dependencies from MozDef and mozdef_util
- get_indices to include closed indices

## v3.0.0 - 2019-07-08
- Support for Python3
- Support for Python2
- Usage of boto (boto3 now preferred)

## v2.0.1 - 2019-07-08
- Ensure all print statements use parentheses
- Improved broFixup plugin to handle new zeek format

## v2.0.0 - 2019-06-28
- Source IP and Destination IP GeoPoints
- Elasticsearch 6.8 Support
- Kibana 6.8 Support
- All doc_types have been set to _doc to support Elasticsearch >= 6
- Elasticsearch <= 5 Support
- Kibana <= 5 Support
- Specifying AWS keys in S3 backup script, moved to Elasticsearch Secrets

## v1.40.0 - 2019-06-27
- Alertplugin for ip source enrichment
- Alertplugin for port scan enrichment
- Bulk message support in loginput
- Vidyo2Mozdef cron script to https://github.com/mozilla/mozdef-deprecated/blob/master/cron/vidyo2MozDef.py

## v1.39.0 - 2019-05-29
- Pagination of Web UI tables
- Added support for SQS as a replacement for RabbitMQ for alerts
- Support for no_auth for watchlist
- Cron script for closing indexes
- Documentation on AlertActions
- Removed dependency on '_type' field in Elasticsearch
- Slackbot reconnects successfully during network errors
- Relative Kibana URLs now work correctly with protocol

## v1.38.5 - 2019-04-09
- Support for CSS themes
- The CI/CD order to now build docker images in CodeBuild, upload them to DockerHub and then pull them down in the packer instance. Updated docs.
- Assert TravisCI Python version in advance of change of Travis default to 3.6
- Dashboard error on docker spinup

## v1.38.4 - 2019-04-08
- Docker image tagging for git version tag builds
- Correctly propagate the source ip address to the details.sourceipaddress in Duo logpull
- Invalid literal in squidFixup.py destinationport field
- Lowercase TAGS in squidFixup.py
- Added a check for None-type objects in date fields to handle GuardDuty null dates
- Documentation on the CI/CD process
- A summary to squidFixup.py
- Tags assertions to tests

## v1.38.3 - 2019-04-01
- AWS CodeBuild tag semver regex

## v1.38.2 - 2019-03-29
- Remaining references to old alertplugins container

## v1.38.1 - 2019-03-29
- Enable CI/CD with AWS CodeBuild
- Create AMIs of MozDef, replicate and share them
- Link everything (container images, AMIs, templates) together by MozDef version
- Publish versioned CloudFormation templates
- RabbitMQ configured to use a real password

## v1.38 - 2019-03-28
- Create alert plugins with ability to modify alerts in pipeline
- Renamed existing alertplugin service to alertactions
- Updated rabbitmq docker container to 3.7
- Resolved sshd mq plugin to handle more types of events

## v1.37 - 2019-03-01
- Watchlist - use the UI to quickly add a term (username, IP, command, etc.) that MozDef alerts on
- Generic Deadman - use a simple config file to validate that expected events are appearing in a given time window (and raise an Error alert when they do not)
- Improve error handling on Slack bot
- Improve Slack bot alert format for better readability
- Minor UI adjustments
- Some Duo events were not correctly displaying the source IP address. It is now always the access device IP
- Fixed defaults for Slack bot to ensure more consistency each time it loads
- Added checks on sending SQS messages to only accept intra-account messages
- Improved docker performance and disk space requirements