- observer a server prioritising the deleted flag index when filtering attributes, leading to a massive performance loss
- hacky solution to make deleted and object_id (during flattening) indeces unusable
- Added result count to restsearch API via the x-result-count header
- Added the includeProposals parameter to the attribute level restsearch
- Readability of events controller improved
- Fixed a bug blocking malware samples from being added using /events/add when the encrypt=1 flag was set for raw sample inclusion
- if not set, only return published events / to_ids flagged events by default
- setting ignore:0 will result in the default behaviour
- setting ignore:1 will result in unpublished events and non to_ids attributes being filtered out
- fixed a bug that broke the CSV api if ignore:0 was passed
- cache several objects that were loaded over and over before on bulk exports
- includeGranularCorrelations internal flag added to include/exclude correlations from the export for certain types
- some cleanup
- performance gains
- first step in unifying all APIs
- moved the CSV data lookup into fetchattributes
- internal pagination is now more clever with a watchdog flag that can prevent unneeded executions by whatever calls fetchattributes
Export using automation functionnality for ids does not clean the special char like CRLF.
When there is a carriage return in the event info, the csv is broken.
- GET on /events/getEditStrategy/[id]
- where id can be either a local ID or a UUID
- returns a JSON dictionary with the following fields:
- strategy: edit | extend (edit if it's an own event, extend otherwise)
- extensions: list of dictionaries with existing extensions created by the user's org (containing the id, uuid, info fields)
- The algorithms implementing this should prioritise as such:
1. Check if user can edit the event (strategy == edit) - if yes, edit
2. If no, check if extensions exist - if yes, edit one of those
3. If no, create a new extension to the original event
- select and run a set of enrichments on all applicable attributes of the event
- exposed to the API
- exposed to the command line tool
- adheres to attribute distributions
- when adding/editing an event, add another event's UUID as an extended event UUID to extend the targeted event with the current
- extender events can be viewed in the merged event view
- As reported by Christophe Vandeplas
- stix export: Ungraceful handling of attempted access of unauthorised event (no unauthorised data returned)
- import module: Allows creation of proposals to unauthorised events (no unauthorised data returned, proposals are for new attributes only meaning no automatic override triggered)
- saveFreetext: same as import module