Commit 152f24d

Kbayero, JocLRojas, AlexSanchez-bit, osmontero and developutm authored
Release/v11.2.10 (#2238)
* update actions workflow
* fix(workflows): unblock PR checks on large diffs + private go modules
* fix(approver): use english in sticky PR comments
* Feature/cleanup rules and filters (#2091)
* refactor(filters): update macOS filter configuration
* chore(rules): remove Office365 brute force detection rule
* chore(rules): remove PowerShell Empire detection rule
* chore(rules): remove RDP brute force attacks rule
* fix[frontend](soar/create-rule): added fixed create/edit rule undefin… (#2087)
* fix[frontend](soar/create-rule): added fixed create/edit rule undefined id error
* chore[](): updated go packages
* fix[frontend](environment):environments on gitignore and removed the actual local dev environment
* chore[](): updated go packages
* feat[backed](elasticSearchService): added batch processing of request… (#2090)
* feat[backed](elasticSearchService): added batch processing of requests and auto rebuild on IO errors
* chore[backend](): updated go dependencies
* fix[backend](elastic-service): sanitized csv before exportation and changed error messages
* fix[frontend](socai): added default template for empty previous socai… (#2095)
* fix[frontend](build): added environment.ts (#2099)
* fix[backend](visualizations): removed utm-geoip legacy index references on region map visualizations (#2098)
  Co-authored-by: Osmany Montero <osmontero@icloud.com>
* Hotfix/socai custom header (#2101)
* fix[frontend](socai): added default template for empty previous socai config (#2092)
* fix[frontend](socai): added default template for empty previous socai configuration
* fix[frontend](socai): setted customHeaders as password key type
* fix[frontend](socai): dont let empty description on modules
* fix[backend](socai): generate the modulegroup with new keys if no other exists on db
* fix[backend](changeset): added customHeader entries as password type
* fix(frontend): update nginx from 1.19.5 to 1.30.1
  Remediate 22 known CVEs including CVE-2026-42945 (actively exploited in the wild for RCE). nginx:1.19.5 (Oct 2020) was affected by buffer overflows, memory disclosure, HTTP/2 injection, SSL session reuse, and multiple other vulnerabilities patched in the 1.30.1 stable release.
* Backlog/fix/socai module disabled (#2102)
* fix[backend](socai): changed socai default module keys
* fix[backend](modules): added default keys on module creation response
* fix[frontend](socai): handled empty (disabled) module configuration
* Backlog/fix/tag rules (#2106)
* fix[frontend](rules): improved post event count validation
* fix[frontend](tag_rules): added events related fields on tag rule creation
  ---------
  Co-authored-by: Osmany Montero <osmontero@icloud.com>
* fix[frontend](alerts-view): added a loading indicator and improved fast filtering reinforcement (#2107)
* fix[frontend](alerts-view): added a loading indicator and improved fast filtering reinforcement
* chore[](): updated go packages
* fix(deps): patch 5 Dependabot vulnerabilities (2 critical, 1 high, 2 medium) (#2103)
  - google.golang.org/grpc: 1.78.0 -> 1.79.3 (GHSA-p77j-4mvh-x3m3, critical)
  - github.com/jackc/pgx/v5: 5.8.0 -> 5.9.2 (GHSA-9jj7-4m8r-rfcm critical, GHSA-j88v-2chj-qfwx low)
  - go.opentelemetry.io/otel: 1.39.0 -> 1.41.0 (GHSA-mh2q-q3fh-2475, high)
  - com.itextpdf:itext7-core: 7.1.7 -> 7.2.0 (GHSA-hhh6-cm2m-3fhc, GHSA-8c9h-4q7g-fp7h, GHSA-c32g-2mgr-cfq7, medium x3)
  - org.postgresql:postgresql: 42.7.2 -> 42.7.11 (GHSA-98qh-xjc8-98pq, high)
  Signed-off-by: Osmany Montero <osmontero@icloud.com>
* fix(deps): upgrade golang.org/x/sys from v0.44.0 to v0.45.0
* fix[frontend](alerts-view): add a duplication avoid on alert filter fields count (#2127)
* refactor(rules): drop "now-" prefix from within field (#2176)
* fix[backend](tags): removed false positive alerts from releaseToOpen schedule (#2178)
* fix[installer](setup): added lock on installer final phase (#2180)
* fix[frontend](alerts): properly handle update alerts errors (#2193)
* feat(rules/o365): add Inbox Forward Rule with Email Exfiltration detection rule (#2221)
* feat(rules/o365): add Audit Log Purge detection rule (#2220)
* feat(rules/o365): add Admin Role/Permission Granted detection rule (#2219)
* feat(rules/o365): add Admin Role Assignment detection rule (#2218)
* refactor(rules/google): update GCP correlation rules (#2194)
* feature(rules/google): add rule GCS Sensitive Data Access (#2187)
* feature(rules/google): add rule GCS Bucket Deleted (#2186)
* Tune bruteforce correlation and drop unreliable PTH rule (#2192)
* fix(rules/windows): tighten bruteforce_attack correlation scope
* fix(rules/windows): scope multi-failure-then-success rule by source
* chore(rules/windows): remove pass_the_hash_detection rule
* fix(rules/windows): fix of the redundant field 'origin.host' that appears twice in the deduplicateBy array.
* feature(rules/google): add rule Privileged Role Granted - Owner or Editor (#2190)
* feature(rules/google): add rule Cloud Logging Sink Modified (#2189)
* feature(rules/google): add rule Firewall Open Ingress (#2182)
* Update filters: GCP, Sophos XG, Windows (#2175)
* feat(filters/gcp): add Cloud Audit Logs (protoPayload) support
* fix(filters/sophos-xg): guard renames and actionResult against missing fields
* chore(filters/windows): rename log.data.SubStatus field
* fix(filters/sophos-xg): correct operator precedence in actionResult guard
* feature(rules/google): add rule Audit Logging Configuration Changed (#2181)
* Add GCP rule: IAM Policy Changed - Privilege Escalation (#2188)
* feature(rules/google): add rule IAM Policy Changed - Privilege Escalation
* fix(rule/google): changing 'exists(log.protoPayload.request.policy.auditConfigs)' to 'exists(log.protoPayload.request.policy.bindings) to improve detection logic
* feature(rules/google): add rule Firewall Rule Deleted (#2183)
* feature(rules/google): add rule GCS Bucket Created (#2185)
* fix(rules/google): rebalance CIA impact scores for GCP rules (#2227)
* feat[ci](pr-review): severity-based merge gate; exclude rules/filters/definitions from AI review
* fix[ci](pr-review): don't gate routine go.mod/go.sum bumps as Tier 3
* fix[backend](alert_responses): reduces schedule time to executeResponse se from 5mins to 15 seconds (#2230)
* fix[backend](alert_responses): reduces schedule time to executeResponse from 5mins to 15 seconds
* fix[backend](go_deps): updated go dependencies
* fix[backend](alert_responses): fixed powershell commands syntax errors (#2228)
* fix[backend](alert_responses): fixed powershell commands syntax errors
* fix[backend](go_deps): updated go dependencies
* fix[backend](incident_response_audit): enabled filters on agents-with command query (#2226)
* fix[backend](incident_response_audit): enabled filters on agents-with-command query
* fix[backend](go_deps): updated go dependencies
  ---------
  Signed-off-by: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com>
  Co-authored-by: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com>
* fix[backend](compilance_reports): migrated compilance reports from ol… (#2232)
* fix[backend](compilance_reports): migrated compilance reports from old table to new one
* fix[backend](compilance_reports): added rollback marker robustness and unconditional sentinel deletion
* chore: update golang dependencies
* fix[ci]: fix changelog script failing when tag doesn't exist yet and unblock installer on changelog failure

---------

Signed-off-by: Osmany Montero <osmontero@icloud.com>
Signed-off-by: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com>
Co-authored-by: Jose L Quiñones Rojas <73146718+JocLRojas@users.noreply.github.com>
Co-authored-by: Alex Sánchez <alex.sanchez@utmstack.com>
Co-authored-by: Osmany Montero <osmontero@icloud.com>
Co-authored-by: developutm <development@utmstack.com>
1 parent 2d71b20 commit 152f24d

2 files changed

Lines changed: 29 additions & 13 deletions

.github/scripts/generate-changelog.sh

Lines changed: 28 additions & 12 deletions
@@ -52,34 +52,50 @@ command -v git >/dev/null || { echo "git is required"; exit 1; }
5252
: "${THREATWINDS_API_KEY:?THREATWINDS_API_KEY is required}"
5353
: "${THREATWINDS_API_SECRET:?THREATWINDS_API_SECRET is required}"
5454

55+
# ─── Resolve current ref (tag may not exist yet when pipeline runs) ────────────
56+
if git rev-parse "$CURRENT_TAG" >/dev/null 2>&1; then
57+
CURRENT_REF="$CURRENT_TAG"
58+
else
59+
echo "Tag $CURRENT_TAG not found in repo yet, using HEAD"
60+
CURRENT_REF="HEAD"
61+
fi
62+
5563
# ─── Resolve previous tag if not provided ─────────────────────────────────────
5664
if [ -z "$PREVIOUS_TAG" ]; then
5765
echo "Auto-detecting previous tag..."
5866
ALL_TAGS=$(git tag --sort=-v:refname)
59-
FOUND_CURRENT=false
60-
for tag in $ALL_TAGS; do
61-
if [ "$FOUND_CURRENT" = true ]; then
62-
PREVIOUS_TAG="$tag"
63-
break
64-
fi
65-
if [ "$tag" = "$CURRENT_TAG" ]; then
66-
FOUND_CURRENT=true
67-
fi
68-
done
67+
if [ "$CURRENT_REF" = "$CURRENT_TAG" ]; then
68+
# Tag exists: find the tag immediately before CURRENT_TAG
69+
FOUND_CURRENT=false
70+
for tag in $ALL_TAGS; do
71+
if [ "$FOUND_CURRENT" = true ]; then
72+
PREVIOUS_TAG="$tag"
73+
break
74+
fi
75+
if [ "$tag" = "$CURRENT_TAG" ]; then
76+
FOUND_CURRENT=true
77+
fi
78+
done
79+
else
80+
# Tag doesn't exist yet: use the most recent existing tag
81+
PREVIOUS_TAG=$(echo "$ALL_TAGS" | head -1)
82+
[ -n "$PREVIOUS_TAG" ] && echo "Tag not yet created; using most recent existing tag: $PREVIOUS_TAG"
83+
fi
6984
if [ -z "$PREVIOUS_TAG" ]; then
7085
PREVIOUS_TAG=$(git rev-list --max-parents=0 HEAD | head -1)
7186
echo "No previous tag found, using first commit: $PREVIOUS_TAG"
7287
fi
7388
fi
7489

7590
echo "Current tag: $CURRENT_TAG"
91+
echo "Current ref: $CURRENT_REF"
7692
echo "Previous tag: $PREVIOUS_TAG"
7793
echo "Model: $MODEL"
7894
echo
7995

8096
# ─── Collect commits ──────────────────────────────────────────────────────────
81-
COMMITS=$(git log "${PREVIOUS_TAG}..${CURRENT_TAG}" --pretty=format:"- %h %s (%an)" --no-merges)
82-
COMMIT_COUNT=$(git rev-list --count "${PREVIOUS_TAG}..${CURRENT_TAG}" --no-merges)
97+
COMMITS=$(git log "${PREVIOUS_TAG}..${CURRENT_REF}" --pretty=format:"- %h %s (%an)" --no-merges)
98+
COMMIT_COUNT=$(git rev-list --count "${PREVIOUS_TAG}..${CURRENT_REF}" --no-merges)
8399

84100
if [ -z "$COMMITS" ]; then
85101
echo "No commits found between $PREVIOUS_TAG and $CURRENT_TAG."
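
Review bot: In the `else` branch that handles a tag that does not exist yet, `PREVIOUS_TAG=$(echo "$ALL_TAGS" | head -1)` takes the first entry of `git tag --sort=-v:refname`, which is the highest version name in the whole repository, not the nearest tag reachable from HEAD. If the repository carries tags from another release line, `${PREVIOUS_TAG}..${CURRENT_REF}` will list every commit on HEAD that is not reachable from that tag, and the changelog will describe the wrong range; `git describe --tags --abbrev=0 HEAD` selects the closest ancestor tag instead. Separately, `git rev-parse "$CURRENT_TAG"` succeeds for any revision name (a branch or a commit SHA as well as a tag), so the existence check would be tighter as `git rev-parse -q --verify "refs/tags/$CURRENT_TAG"`, and the unchanged "No commits found between $PREVIOUS_TAG and $CURRENT_TAG." message should print `$CURRENT_REF` so it matches the range actually queried.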

.github/workflows/v11-deployment-pipeline.yml

Lines changed: 1 addition & 1 deletion
@@ -561,7 +561,7 @@ jobs:
561561
build_installer_release:
562562
name: Build & Upload Installer
563563
needs: [generate_changelog, setup_deployment]
564-
if: ${{ needs.setup_deployment.outputs.tag != '' && needs.setup_deployment.outputs.environment == 'rc' }}
564+
if: ${{ always() && needs.setup_deployment.result == 'success' && needs.setup_deployment.outputs.tag != '' && needs.setup_deployment.outputs.environment == 'rc' && needs.generate_changelog.result != 'cancelled' }}
565565
uses: ./.github/workflows/installer-release.yml
566566
with:
567567
version: ${{ needs.setup_deployment.outputs.tag }}
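
Review bot: In the new `if:` on `build_installer_release`, the only check on the changelog job is `needs.generate_changelog.result != 'cancelled'`, so the installer build also proceeds when that job ends as `failure` or `skipped`, and the lines shown here give no indication of how a missing changelog is handled downstream. If building without a changelog is intended, say so in a comment above the condition and confirm that `installer-release.yml` tolerates an absent changelog. Also consider `!cancelled()` in place of `always()`, since `always()` keeps the job eligible to run even after the workflow run itself has been cancelled.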
