Wazuh Versions Save

Manager

Added

• Added new query "rollback" to wazuh-db. (#16058)

Changed

• Vulnerability Detection refactor. (#21201)
• Improved wazuh-db detection of deleted database files. (#18476)
• Added timeout and retry parameters to the VirusTotal integration. (#16893)
• Extended wazuh-analysisd EPS metrics with events dropped by overload and remaining credits in the previous cycle. (#18988)
• Replaced Filebeat's date index name processor. (#19819)
• Updated API and framework packages installation commands to use pip instead of direct invocation of setuptools. (#18466)
• Upgraded docker-compose V1 to V2 in API Integration test scripts. (#17750)
• Refactored how cluster status dates are treated in the cluster. (#17015)

Fixed

• Updated cluster connection cleanup to remove temporary files when the connection between a worker and a master is broken. (#17886)

Agent

Added

• Added snap package manager support to Syscollector. (#15740)
• Added event size validation for the external integrations. (#17932)
• Added new unit tests for the AWS integration. (#17623)
• Added mapping geolocation for AWS WAF integration. (#20649)

Changed

• Disabled host's IP query by Logcollector when ip_update_interval=0. (#18574)
• The MS Graph integration module now supports multiple tenants. (#19064)
• FIM now buffers the Linux audit events for who-data to prevent side effects in other components. (#16200)
• The sub-process execution implementation has been improved. (#19720)
• Refactored and modularized the AWS integration code. (#17623)

Fixed

• Fixed process path retrieval in Syscollector on Windows XP. (#16839)
• Fixed detection of the OS version on Alpine Linux. (#16056)
• Fixed Solaris 10 name not showing in the Dashboard. (#18642)

RESTful API

Added

• Added new GET /manager/version/check endpoint to obtain information about new releases of Wazuh. (#19952)
• Introduced an auto option for the ssl_protocol setting in the API configuration. This enables automatic negotiation of the TLS certificate to be used. (#20420)

Fixed

• Fixed a warning from SQLAlchemy involving detached Roles instances in RBAC. (#20527)

Removed

• Removed PUT /vulnerability, GET /vulnerability/{agent_id}, GET /vulnerability/{agent_id}/last_scan and GET /vulnerability/{agent_id}/summary/{field} API endpoints as they were deprecated in version 4.7.0. Use the Wazuh indexer REST API instead. (#20119)

Ruleset

Added

• Added new SCA policy for Amazon Linux 2023. (#17780)
• Added new SCA policy for Rocky Linux 8. (#17784)
• Added rules to detect IcedID attacks. (#19528)

Changed

• SCA policy for Ubuntu Linux 18.04 rework. (#18721)
• SCA policy for Ubuntu Linux 22.04 rework. (#17515)
• SCA policy for Red Hat Enterprise Linux 7 rework. (#18440)
• SCA policy for Red Hat Enterprise Linux 8 rework. (#17770)
• SCA policy for Red Hat Enterprise Linux 9 rework. (#17412)
• SCA policy for CentOS 7 rework. (#17624)
• SCA policy for CentOS 8 rework. (#18439)
• SCA policy for Debian 8 rework. (#18010)
• SCA policy for Debian 10 rework. (#17922)
• SCA policy for Amazon Linux 2 rework. (#18695)
• SCA policy for SUSE Linux Enterprise 15 rework. (#18985)
• SCA policy for macOS 13.0 Ventura rework. (#19037)
• SCA policy for Microsoft Windows 10 Enterprise rework. (#19515)
• SCA policy for Microsoft Windows 11 Enterprise rework. (#20044)
• Update MITRE DB to v13.1. (#17518)

Other

Changed

• Upgraded external aiohttp library dependency version to 3.8.5. (#20003)
• Upgraded external cryptography library dependency version to 41.0.4. (#20003)
• Upgraded external numpy library dependency version to 1.26.0. (#20003)
• Upgraded external grpcio library dependency version to 1.58.0. (#20003)
• Upgraded external pyarrow library dependency version to 14.0.1. (#20003)
• Upgraded embedded Python version to 3.10.13. (#20003)

Manager

Added

• Added minimum time constraint of 1 hour for Vulnerability Detector feed downloads. (#21142)

Fixed

• wazuh-remoted now includes the offending bytes in the warning about invalid message size from agents. (#21011)
• Fixed a bug in the Windows Eventchannel decoder on handling Unicode characters. (#20658)
• Fixed data validation at Windows Eventchannel decoder. (#20735)

Agent

Added

• Added timeouts to external and Cloud integrations to prevent indefinite waiting for a response. (#20638)

Fixed

• The host_deny Active response now checks the IP parameter format. (#20656)
• Fixed a bug in the Windows agent that might lead it to crash when gathering forwarded Windows events. (#20594)
• The AWS integration now finds AWS configuration profiles that do not contain the profile prefix. (#20447)
• Fixed parsing for regions argument of the AWS integration. (#20660)

Ruleset

Added

• Added new SCA policy for Debian 12. (#17565)

Fixed

• Fixed AWS Macie fields used in some rules and removed unused AWS Macie Classic rules. (#20663)

Other

Changed

• Upgraded external aiohttp library dependency version to 3.9.1. (#20798)
• Upgraded pip dependency version to 23.3.2. (#20632)

Manager

Added

• Added new query "rollback" to wazuh-db. (#16058)

Changed

• Vulnerability Detection refactor. (#21201)
• Improved wazuh-db detection of deleted database files. (#18476)
• Added timeout and retry parameters to the VirusTotal integration. (#16893)
• Extended wazuh-analysisd EPS metrics with events dropped by overload and remaining credits in the previous cycle. (#18988)
• Replaced Filebeat's date index name processor. (#19819)
• Updated API and framework packages installation commands to use pip instead of direct invocation of setuptools. (#18466)
• Upgraded docker-compose V1 to V2 in API Integration test scripts. (#17750)
• Refactored how cluster status dates are treated in the cluster. (#17015)

Fixed

• Updated cluster connection cleanup to remove temporary files when the connection between a worker and a master is broken. (#17886)

Agent

Added

• Added snap package manager support to Syscollector. (#15740)
• Added event size validation for the external integrations. (#17932)
• Added new unit tests for the AWS integration. (#17623)
• Added mapping geolocation for AWS WAF integration. (#20649)

Changed

• Disabled host's IP query by Logcollector when ip_update_interval=0. (#18574)
• The MS Graph integration module now supports multiple tenants. (#19064)
• FIM now buffers the Linux audit events for who-data to prevent side effects in other components. (#16200)
• The sub-process execution implementation has been improved. (#19720)
• Refactored and modularized the AWS integration code. (#17623)

Fixed

• Fixed process path retrieval in Syscollector on Windows XP. (#16839)
• Fixed detection of the OS version on Alpine Linux. (#16056)
• Fixed Solaris 10 name not showing in the Dashboard. (#18642)

RESTful API

Added

• Added new GET /manager/version/check endpoint to obtain information about new releases of Wazuh. (#19952)
• Introduced an auto option for the ssl_protocol setting in the API configuration. This enables automatic negotiation of the TLS certificate to be used. (#20420)

Fixed

• Fixed a warning from SQLAlchemy involving detached Roles instances in RBAC. (#20527)

Removed

• Removed PUT /vulnerability, GET /vulnerability/{agent_id}, GET /vulnerability/{agent_id}/last_scan and GET /vulnerability/{agent_id}/summary/{field} API endpoints as they were deprecated in version 4.7.0. Use the Wazuh indexer REST API instead. (#20119)

Ruleset

Added

• Added new SCA policy for Amazon Linux 2023. (#17780)
• Added new SCA policy for Rocky Linux 8. (#17784)
• Added rules to detect IcedID attacks. (#19528)

Changed

• SCA policy for Ubuntu Linux 18.04 rework. (#18721)
• SCA policy for Ubuntu Linux 22.04 rework. (#17515)
• SCA policy for Red Hat Enterprise Linux 7 rework. (#18440)
• SCA policy for Red Hat Enterprise Linux 8 rework. (#17770)
• SCA policy for Red Hat Enterprise Linux 9 rework. (#17412)
• SCA policy for CentOS 7 rework. (#17624)
• SCA policy for CentOS 8 rework. (#18439)
• SCA policy for Debian 8 rework. (#18010)
• SCA policy for Debian 10 rework. (#17922)
• SCA policy for Amazon Linux 2 rework. (#18695)
• SCA policy for SUSE Linux Enterprise 15 rework. (#18985)
• SCA policy for macOS 13.0 Ventura rework. (#19037)
• SCA policy for Microsoft Windows 10 Enterprise rework. (#19515)
• SCA policy for Microsoft Windows 11 Enterprise rework. (#20044)
• Update MITRE DB to v13.1. (#17518)

Other

Changed

• Upgraded external aiohttp library dependency version to 3.8.5. (#20003)
• Upgraded external cryptography library dependency version to 41.0.4. (#20003)
• Upgraded external numpy library dependency version to 1.26.0. (#20003)
• Upgraded external grpcio library dependency version to 1.58.0. (#20003)
• Upgraded external pyarrow library dependency version to 14.0.1. (#20003)
• Upgraded embedded Python version to 3.10.13. (#20003)

Manager

Fixed

• wazuh-remoted now includes the offending bytes in the warning about invalid message size from agents. (#21011)
• Fixed a bug in the Windows Eventchannel decoder on handling Unicode characters. (#20658)
• Fixed data validation at Windows Eventchannel decoder. (#20735)

Agent

Added

• Added timeouts to external and Cloud integrations to prevent indefinite waiting for a response. (#20638)

Fixed

• The host_deny Active response now checks the IP parameter format. (#20656)
• Fixed a bug in the Windows agent that might lead it to crash when gathering forwarded Windows events. (#20594)
• The AWS integration now finds AWS configuration profiles that do not contain the profile prefix. (#20447)
• Fixed parsing for regions argument of the AWS integration. (#20660)

Ruleset

Added

• Added new SCA policy for Debian 12. (#17565)

Fixed

• Fixed AWS Macie fields used in some rules and removed unused AWS Macie Classic rules. (#20663)

Other

Changed

• Upgraded external aiohttp library dependency version to 3.9.1. (#20798)
• Upgraded pip dependency version to 23.3.2. (#20632)

Manager

Changed

• Improved WPK upgrade scripts to ensure safe execution and backup generation in various circumstances. (#20616)

Fixed

• Fixed a bug causing the Canonical feed parser to fail in Vulnerability Detector. (#20580)
• Fixed a bug that allowed two simultaneous updates to occur through WPK. (#20545)
• Fixed a thread lock bug that slowed down wazuh-db performance. (#20178)
• Fixed a bug in Vulnerability detector that skipped vulnerabilities for Windows 11 21H2. (#20386)
• The installer now updates the merged.mg file permissions on upgrade. (#5941)
• Fixed an insecure request warning in the shuffle integration. (#19993)
• Fixed a bug that corrupted cluster logs when they were rotated. (#19888)

Agent

Fixed

• Fixed a bug that prevented the local IP from appearing in the port inventory from macOS agents. (#20332)
• Fixed the default Logcollector settings on macOS to collect logs out-of-the-box. (#20180)
• Fixed a bug in the FIM decoder at wazuh-analysisd that ignored Windows Registry events from agents under 4.6.0. (#20169)
• Fixed multiple bugs in the Syscollector decoder at wazuh-analysisd that did not sanitize the input data properly. (#20250)
• Added the pyarrow_hotfix dependency to fix the pyarrow CVE-2023-47248 vulnerability in the AWS integration. (#20284)

RESTful API

Fixed

• Fixed inconsistencies in the behavior of the q parameter of some endpoints. (#18423)
• Fixed a bug in the q parameter of the GET /groups/{group_id}/agents endpoint. (#18495)
• Fixed bug in the regular expression used to to reject non ASCII characters in some endpoints. (#19533)

Other

Changed

• Upgraded external certifi library dependency version to 2023.07.22. (#20149)
• Upgraded external requests library dependency version to 2.31.0. (#20149)
• Upgraded embedded Python version to 3.9.18. (#18800)

Manager

Changed

• Improved WPK upgrade scripts to ensure safe execution and backup generation in various circumstances. (#20616)

Fixed

• Fixed a bug causing the Canonical feed parser to fail in Vulnerability Detector. (#20580)
• Fixed a bug that allowed two simultaneous updates to occur through WPK. (#20545)
• Fixed a thread lock bug that slowed down wazuh-db performance. (#20178)
• Fixed a bug in Vulnerability detector that skipped vulnerabilities for Windows 11 21H2. (#20386)
• The installer now updates the merged.mg file permissions on upgrade. (#5941)
• Fixed an insecure request warning in the shuffle integration. (#19993)
• Fixed a bug that corrupted cluster logs when they were rotated. (#19888)

Agent

Fixed

• Fixed a bug that prevented the local IP from appearing in the port inventory from macOS agents. (#20332)
• Fixed the default Logcollector settings on macOS to collect logs out-of-the-box. (#20180)
• Fixed a bug in the FIM decoder at wazuh-analysisd that ignored Windows Registry events from agents under 4.6.0. (#20169)
• Fixed multiple bugs in the Syscollector decoder at wazuh-analysisd that did not sanitize the input data properly. (#20250)
• Added the pyarrow_hotfix dependency to fix the pyarrow CVE-2023-47248 vulnerability in the AWS integration. (#20284)

RESTful API

Fixed

• Fixed inconsistencies in the behavior of the q parameter of some endpoints. (#18423)
• Fixed a bug in the q parameter of the GET /groups/{group_id}/agents endpoint. (#18495)
• Fixed bug in the regular expression used to to reject non ASCII characters in some endpoints. (#19533)

Other

Changed

• Upgraded external certifi library dependency version to 2023.07.22. (#20149)
• Upgraded external requests library dependency version to 2.31.0. (#20149)
• Upgraded embedded Python version to 3.9.18. (#18800)

Manager

Added

• Added new query "rollback" to wazuh-db. (#16058)

Changed

• Improved wazuh-db detection of deleted database files. (#18476)
• Added timeout and retry parameters to the VirusTotal integration. (#16893)
• Extended wazuh-analysisd EPS metrics with events dropped by overload and remaining credits in the previous cycle. (#18988)
• Replaced Filebeat's date index name processor. (#19819)
• Updated API and framework packages installation commands to use pip instead of direct invocation of setuptools. (#18466)
• Upgraded docker-compose V1 to V2 in API Integration test scripts. (#17750)
• Refactored how cluster status dates are treated in the cluster. (#17015)

Fixed

• Updated cluster connection cleanup to remove temporary files when the connection between a worker and a master is broken. (#17886)

Agent

Added

• Added snap package manager support to Syscollector. (#15740)
• Added event size validation for the external integrations. (#17932)
• Added new unit tests for the AWS integration. (#17623)

Changed

• Disabled host's IP query by Logcollector when ip_update_interval=0. (#18574)
• The MS Graph integration module now supports multiple tenants. (#19064)
• FIM now buffers the Linux audit events for who-data to prevent side effects in other components. (#16200)
• The sub-process execution implementation has been improved. (#19720)
• Refactored and modularized the AWS integration code. (#17623)

Fixed

• Fixed process path retrieval in Syscollector on Windows XP. (#16839)
• Fixed detection of the OS version on Alpine Linux. (#16056)
• Fixed Solaris 10 name not showing in the Dashboard. (#18642)

RESTful API

Added

• Added new GET /manager/version/check endpoint to obtain information about new releases of Wazuh. (#19952)

Removed

• Removed PUT /vulnerability, GET /vulnerability/{agent_id}, GET /vulnerability/{agent_id}/last_scan and GET /vulnerability/{agent_id}/summary/{field} API endpoints as they were deprecated in version 4.7.0. Use the Wazuh indexer REST API instead. (#20119)

Other

Changed

• Upgraded external aiohttp library dependency version to 3.8.5. (#20003)
• Upgraded external cryptography library dependency version to 41.0.4. (#20003)
• Upgraded external numpy library dependency version to 1.26.0. (#20003)
• Upgraded external grpcio library dependency version to 1.58.0. (#20003)
• Upgraded embedded Python version to 3.10.13. (#20003)

Manager

Added

• Introduced native Maltiverse integration. Thanks to David Gil (@dgilm). (#18026)
• Added a file detailing the dependencies for the Wazuh RESTful API and wodles tests. (#16513)
• Added unit tests for the Syscollector legacy decoder. (#15985)
• Added unit tests for the manage_agents tool. (#15999)
• Added an option to customize the Slack integration. (#16090)
• Added support for Amazon Linux 2023 in Vulnerability Detector. (#17617)

Changed

• An unnecessary sanity check related to Syscollector has been removed from wazuh-db. (#16008)
• The manager now rejects agents with a higher version by default. (#20367)

Fixed

• Fixed an unexpected error by the Cluster when a worker gets restarted. (#16683)
• Fixed an issue that let the manager validate wrong XML configurations. (#16681)
• Fixed syscollector packages multiarch values (#19722)
• Fixed wazuh-agent crash randomly when RPCRT4.dll is loaded (#18591)

Deleted

• Delete unused framework RBAC migration folder. (#17225)

Agent

Added

• Added support for Custom Logs in Buckets via AWS SQS. (#17951)
• Added geolocation for aws.data.client_ip field. Thanks to @rh0dy. (#16198)
• Added package inventory support for Alpine Linux in Syscollector. (#15699)
• Added package inventory support for MacPorts in Syscollector. (#15877)
• Added package inventory support for PYPI and node in Syscollector. (#17982)
• Added related process information to the open ports inventory in Syscollector. (#15000)

Changed

• The shared modules' code has been sanitized according to the convention. (#17966)
• The package inventory internal messages have been modified to honor the schema compliance. (#18006)
• The agent connection log has been updated to clarify that the agent must connect to an agent with the same or higher version. (#20360)

Fixed

• Fixed detection of osquery 5.4.0+ running outside the integration. (#17006)
• Fixed vendor data in package inventory for Brew packages on macOS. (#16089)
• Fixed WPK rollback restarting host in Windows agent (#20081)

RESTful API

Added

• Added new status_code field to GET /agents response. (#19726)

Fixed

• Addressed error handling for non-utf-8 encoded file readings. (#16489)
• Resolved an issue in the WazuhException class that disrupted the API executor subprocess. (#16914)
• Corrected an empty value problem in the API specification key. (#16918)

Deleted

• Deprecated PUT /vulnerability, GET /vulnerability/{agent_id}, GET /vulnerability/{agent_id}/last_scan and GET /vulnerability/{agent_id}/summary/{field} API endpoints. In future versions, the Wazuh indexer REST API can be used instead. (#20126)

Other

Fixed

• Fixed the signature of the internal function OSHash_GetIndex(). (#17040)

Manager

Added

• Introduced native Maltiverse integration. Thanks to David Gil (@dgilm). (#18026)
• Added a file detailing the dependencies for the Wazuh RESTful API and wodles tests. (#16513)
• Added unit tests for the Syscollector legacy decoder. (#15985)
• Added unit tests for the manage_agents tool. (#15999)
• Added an option to customize the Slack integration. (#16090)
• Added support for Amazon Linux 2023 in Vulnerability Detector. (#17617)

Changed

• An unnecessary sanity check related to Syscollector has been removed from wazuh-db. (#16008)
• The manager now rejects agents with a higher version by default. (#20367)

Fixed

• Fixed an unexpected error by the Cluster when a worker gets restarted. (#16683)
• Fixed an issue that let the manager validate wrong XML configurations. (#16681)
• Fixed syscollector packages multiarch values (#19722)
• Fieed wazuh-agent crash randomly when RPCRT4.dll is loaded (#18591)

Deleted

• Delete unused framework RBAC migration folder. (#17225)

Agent

Added

• Added support for Custom Logs in Buckets via AWS SQS. (#17951)
• Added geolocation for aws.data.client_ip field. Thanks to @rh0dy. (#16198)
• Added package inventory support for Alpine Linux in Syscollector. (#15699)
• Added package inventory support for MacPorts in Syscollector. (#15877)
• Added package inventory support for PYPI and node in Syscollector. (#17982)
• Added related process information to the open ports inventory in Syscollector. (#15000)

Changed

• The shared modules' code has been sanitized according to the convention. (#17966)
• The package inventory internal messages have been modified to honor the schema compliance. (#18006)
• The agent connection log has been updated to clarify that the agent must connect to an agent with the same or higher version. (#20360)

Fixed

• Fixed detection of osquery 5.4.0+ running outside the integration. (#17006)
• Fixed vendor data in package inventory for Brew packages on macOS. (#16089)
• Fixed WPK rollback restarting host in Windows agent (#20081)

RESTful API

Added

• Added new status_code field to GET /agents response. (#19726)

Fixed

• Addressed error handling for non-utf-8 encoded file readings. (#16489)
• Resolved an issue in the WazuhException class that disrupted the API executor subprocess. (#16914)
• Corrected an empty value problem in the API specification key. (#16918)

Deleted

• Deprecated PUT /vulnerability, GET /vulnerability/{agent_id}, GET /vulnerability/{agent_id}/last_scan and GET /vulnerability/{agent_id}/summary/{field} API endpoints. In future versions, the Wazuh indexer REST API can be used instead. (#20126)

Other

Fixed

• Fixed the signature of the internal function OSHash_GetIndex(). (#17040)

Manager

Added

• Introduced native Maltiverse integration. Thanks to David Gil (@dgilm). (#18026)
• Added a file detailing the dependencies for the Wazuh RESTful API and wodles tests. (#16513)
• Added unit tests for the Syscollector legacy decoder. (#15985)
• Added unit tests for the manage_agents tool. (#15999)
• Added an option to customize the Slack integration. (#16090)
• Added support for Amazon Linux 2023 in Vulnerability Detector. (#17617)

Changed

• An unnecessary sanity check related to Syscollector has been removed from wazuh-db. (#16008)
• The manager now rejects agents with a higher version by default. (#20367)

Fixed

• Fixed an unexpected error by the Cluster when a worker gets restarted. (#16683)
• Fixed an issue that let the manager validate wrong XML configurations. (#16681)
• Fixed syscollector packages multiarch values (#19722)
• Fieed wazuh-agent crash randomly when RPCRT4.dll is loaded (#18591)

Deleted

• Delete unused framework RBAC migration folder. (#17225)

Agent

Added

• Added support for Custom Logs in Buckets via AWS SQS. (#17951)
• Added geolocation for aws.data.client_ip field. Thanks to @rh0dy. (#16198)
• Added package inventory support for Alpine Linux in Syscollector. (#15699)
• Added package inventory support for MacPorts in Syscollector. (#15877)
• Added package inventory support for PYPI and node in Syscollector. (#17982)
• Added related process information to the open ports inventory in Syscollector. (#15000)

Changed

• The shared modules' code has been sanitized according to the convention. (#17966)
• The package inventory internal messages have been modified to honor the schema compliance. (#18006)
• The agent connection log has been updated to clarify that the agent must connect to an agent with the same or higher version. (#20360)

Fixed

• Fixed detection of osquery 5.4.0+ running outside the integration. (#17006)
• Fixed vendor data in package inventory for Brew packages on macOS. (#16089)
• Fixed WPK rollback restarting host in Windows agent (#20081)

RESTful API

Added

• Added new status_code field to GET /agents response. (#19726)

Fixed

• Addressed error handling for non-utf-8 encoded file readings. (#16489)
• Resolved an issue in the WazuhException class that disrupted the API executor subprocess. (#16914)
• Corrected an empty value problem in the API specification key. (#16918)

Deleted

• Deprecated PUT /vulnerability, GET /vulnerability/{agent_id}, GET /vulnerability/{agent_id}/last_scan and GET /vulnerability/{agent_id}/summary/{field} API endpoints. In future versions, the Wazuh indexer REST API can be used instead. (#20126)

Other

Fixed

• Fixed the signature of the internal function OSHash_GetIndex(). (#17040)