github thalesgroup-cert/Watcher v3.4.0


v3.4.0

This release introduces a new CyberWatch threat intelligence module, an interactive world map, resizable and draggable dashboard panels, SSO/OIDC federated authentication, automated UDRP case tracking, per-module KPI statistics panels, a user profile page with theme and layout management, permission guards across all modules, and a full infrastructure upgrade to Python 3.12 and Django 6.0.5.

Update Procedure

⚠️ This release includes database schema changes. Run migrations after updating. No other breaking changes or configuration changes are required. Please follow the standard update process.

New environment variables (all have working defaults):

# CyberWatch
CYBER_WATCH_CVE_API_URL
CYBER_WATCH_RANSOMWARE_GROUPS_URL
CYBER_WATCH_RANSOMWARE_VICTIMS_URL
CYBER_WATCH_RANSOMLOOK_GROUPS_URL
CYBER_WATCH_RANSOMLOOK_RECENT_URL
CYBER_WATCH_RANSOMLOOK_ACTORS_URL

# SSO / OIDC (optional - disabled by default)
LOGIN_MODE=form_only          # form_only | sso_only | both
OIDC_COMPANY_NAME
OIDC_RP_CLIENT_ID
OIDC_RP_CLIENT_SECRET

What's New

CyberWatch Module

A new standalone module that continuously fetches, correlates, and surfaces external threat intelligence directly inside Watcher.

  • CVE monitoring - fetches CVEs from cve.circl.lu on a 30-minute schedule; stores CVE ID, severity, CVSS score, description, and references.
  • Ransomware intelligence - pulls group and victim data from ransomware.live and ransomlook.io; stores victim name, group, country, sector, and attack date.
  • Watch Rule engine - keyword-based rules scoped to CVEs, ransomware victims, or both; matches are deduplicated automatically and managed from the CyberWatch dashboard.
  • Notifications - full support across all four channels (Email, Slack, Citadel, TheHive) for new CVE, CVE rule hit, new victim, and victim rule hit events.
  • Full CRUD dashboard with a CyberWatchStats KPI panel, accessible from the main navigation.
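As an added illustration (not Watcher's own code) of the keyword-rule matching and automatic deduplication described above: a small rule engine that scopes rules to CVEs, victims or both, and suppresses a hit that has already been reported for the same rule and record. Record field names, rule shape and the sample data are constructed assumptions.

```python
# Added example, not the CyberWatch module's implementation.
# Record shapes and sample data below are constructed for the demo.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class WatchRule:
    name: str
    keywords: tuple          # case-insensitive substrings to look for
    scope: str = "both"      # "cve" | "victim" | "both"


@dataclass
class Matcher:
    rules: list
    seen: set = field(default_factory=set)   # (rule, kind, record id)

    def _text(self, kind, rec):
        if kind == "cve":
            return " ".join([rec["id"], rec["description"]])
        return " ".join([rec["victim"], rec["group"], rec["sector"]])

    def match(self, kind, rec):
        """Return (rule_name, record_id) hits not reported before."""
        hits, text = [], self._text(kind, rec).lower()
        for rule in self.rules:
            if rule.scope not in ("both", kind):
                continue                      # rule not scoped to this feed
            if not any(k.lower() in text for k in rule.keywords):
                continue
            key = (rule.name, kind, rec["id"])
            if key in self.seen:              # dedup: already reported
                continue
            self.seen.add(key)
            hits.append((rule.name, rec["id"]))
        return hits


CVES = [  # constructed sample records, not real advisories
    {"id": "CVE-0000-0001", "description": "Auth bypass in ExampleVPN appliance"},
    {"id": "CVE-0000-0002", "description": "Heap overflow in ExampleMail parser"},
]
VICTIMS = [{"id": "v-1", "victim": "Example Hospital", "group": "examplegang", "sector": "Healthcare"}]
RULES = [
    WatchRule("vpn-products", ("ExampleVPN",), scope="cve"),
    WatchRule("healthcare", ("hospital", "clinic"), scope="victim"),
    WatchRule("examplegang", ("examplegang",), scope="both"),
]


def run_sample():
    """First scheduled pass yields hits; a second pass over the same data yields none."""
    m = Matcher(RULES)
    def one_pass():
        return [h for r in CVES for h in m.match("cve", r)] + \
               [h for r in VICTIMS for h in m.match("victim", r)]
    return one_pass(), one_pass()
```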

UDRP Tracking (Site Monitoring)

Automated UDRP (Uniform Domain-Name Dispute-Resolution Policy) case monitoring integrated into the Site Monitoring module.

How it works

  • Two new fields on the Site model: udrp_status (pending / won / lost / unknown) and udrp_last_checked.
  • A scheduled job (check_udrp_statuses, every 6 hours) queries the WIPO UDRP database for every site where legal_team = True.
  • The UDRPDiscovery class fetches and parses WIPO case pages; get_decision() returns the current outcome.
  • When a case is won, the domain is automatically transferred to Legitimate Domains via transfer_to_legitimate_domains().

Interactive World Map

A new map panel in the Threats Watcher dashboard powered by MapLibre GL, visualising RSS source distribution and ransomware victim counts by country as choropleth overlays. Supports dark/light basemap, zoom controls, and hover tooltips. All 220+ RSS sources have been enriched with country metadata.


Resizable Dashboard Panels

All six module dashboards now use a free-form drag-and-drop grid layout. Panels can be resized and moved freely; visibility and layout preferences are persisted automatically in localStorage.


Statistics KPI Panels - All Modules

New KPI panels added to every module with key counters at a glance, sourced from dedicated /statistics/ API endpoints.

Module | Key KPIs
--- | ---
Threats Watcher | Total keywords, Hot/Super Hot, new today
DNS Finder | Monitored domains, keywords, new alerts
Data Leak | Keywords tracked, leaks, new today
Site Monitoring | Total sites, malicious, takedown requests, legal team
Legitimate Domains | Total, repurchased, expired, expiring soon
CyberWatch | CVEs, victims, active rules, rule hits

Interactive API Documentation (Swagger / OpenAPI)

Watcher now ships with fully auto-generated REST API documentation powered by drf-spectacular. Swagger UI is available at /api/docs/ and the OpenAPI 3 schema is downloadable at /api/schema/. All six modules and /statistics/ endpoints are covered.


SSO / OpenID Connect Authentication

Watcher now supports federated login via any OpenID Connect (OIDC) provider (Keycloak, Azure AD, etc.).

  • Login page behaviour is controlled by LOGIN_MODE: form_only (default) / sso_only / both. OIDC_ENABLED has been removed.
  • On SSO success a Knox token is issued and the SPA is redirected to /?sso_token=<token>, bypassing Django sessions entirely. Failures redirect to /?sso_error=1#/login.
  • PKCE and RS256 enforced by default. SECURE_PROXY_SSL_HEADER and USE_X_FORWARDED_HOST added for correct behaviour behind Traefik/nginx.
  • Callback URL to register with your provider: https://<your-domain>/api/auth/oidc/callback/

Variable | Description
--- | ---
LOGIN_MODE | form_only (default) / sso_only / both
OIDC_COMPANY_NAME | Label on the SSO button (e.g. Thales)
OIDC_RP_CLIENT_ID / OIDC_RP_CLIENT_SECRET | Provider credentials
OIDC_OP_* | Provider endpoints (authorization, token, userinfo, JWKS, issuer)

User Profile Page

A new /profile route provides a centralised settings and preferences hub with three sections:

  • Account Settings - displays avatar, username, email, role badges, and group permissions; direct link to the password change page.
  • Theme Picker - all 15 Bootswatch themes shown as cards with preview thumbnails; selecting a theme applies it immediately.
  • Dashboard Layout Manager - all six module dashboards listed with a live MiniGrid preview of the current layout. Clicking a card opens a modal with named presets (Default, Compact, Analytics) and a free-form drag-and-drop custom editor. Layout changes broadcast instantly to open dashboards without a page reload.

Permission Guards - All Modules

Every create / edit / delete action in every module is now protected by explicit canAdd and canManage permission flags derived from the authenticated user object. Add buttons, edit icons, and delete icons are conditionally rendered based on these flags instead of the bare isAuthenticated check, applied uniformly across all six modules.


ThreatsWatcher Statistics Carousel - Performance Fix

The progress bar previously used a requestAnimationFrame loop calling setState up to 60 times per second. It has been rewritten as a pure CSS @keyframes animation with no JavaScript timer. shouldComponentUpdate was added to the three stats components to prevent unnecessary re-renders.


Monitored Keywords - User-Managed from Dashboard

Users can now add, edit, and delete tracked keywords directly from the Threats Watcher dashboard (previously admin-only). Activity level escalates automatically: Warm (≥ 1 hit) → Hot (≥ 3) → Super Hot (≥ 10).


Full Changelog: v3.3.0...v3.4.0
