SigmaHQ/CHANGELOG.md

# Release Notes
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
from version 0.14.0.
## Unreleased
### Added
* LOGIQ Backend (logiq)
### Fixed
* Splunk XML rule name is now set to rule title
## 0.16.0 - 2020-02-25
### Added
* Proxy field names to ECS mapping (ecs-proxy) configuration
* False positives metadata to LimaCharlie backend
* Additional aggregation capabilities for es-dsl backend.
* Azure log analytics rule backend (ala-rule)
* SQL backend
* Splunk Zeek sourcetype mapping config
* sigma2attack script
* Carbon Black backend and configuration
* ArcSight ESM backend
* Elasticsearch detection rule backend
### Changed
* Kibana object id is now the Sigma rule id if available; otherwise
the old naming scheme is used.
* sigma2misp: replacement of deprecated method usage.
* Various configuration updates
* Extended ArcSight mapping
### Fixed
* Fixed aggregation queries for Elastalert backend
* Fixed aggregation queries for es-dsl backend
* Backend and configuration lists are sorted.
* Escaping in ala backend
## 0.15.0 - 2019-12-06
### Added
* sigma-uuid tool for addition and check of Sigma rule identifiers
* Default configurations
* Restriction of compared rules in sigma-similarity
* Regular expression support in es-dsl backend
* LimaCharlie support for proxy rule category
* Source distribution for PyPI
### Changed
* Type errors are now ignored with -I
### Fixed
* Removed wrong CommandLine field mapping in THOR config
## 0.14 - 2019-11-10
### Added
* sigma-similarity tool
* LimaCharlie backend
* Default configurations for some backends that are used if no configuration is passed.
* Regular expression support for es-dsl backend (propagates to backends derived from this like elastalert-dsl)
* Value modifiers:
  * startswith
  * endswith
### Changed
* Removal of line breaks in elastalert output
* Searches not bound to fields are restricted to keyword fields in es-qs backend
* Graylog backend now based on es-qs backend
### Fixed
* Removed ProcessCommandLine mapping for Windows Security EventID 4688 in generic
process creation log source configuration.
## 0.13 - 2019-10-21
### Added
* Index mappings for Sumologic
* Malicious cmdlets in mdatp
* QRadar support for keyword searches
* QRadar mapping improvements
* QRadar field selection
* QRadar type regex modifier support
* Elasticsearch keyword field blacklisting with wildcards
* Added dateField configuration parameter in xpack-watcher backend
* Field mappings in configurations
* Field name mapping for conditional fields
* Value modifiers:
  * utf16
  * utf16le
  * wide
  * utf16be
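The startswith/endswith modifiers (0.14) and the utf16/utf16le/wide/utf16be modifiers (0.13) change how a rule value is compared with an event field: the encoding modifiers rewrite the value before comparison, the trailing comparison modifier selects the match type. As an added example that is not part of this changelog and not sigmac's own code, the Python below re-implements that modifier chain and evaluates it directly against constructed events, showing why the encoding modifiers matter: an ASCII substring search misses a UTF-16LE command line carried in a raw byte field, while `|wide|contains` finds it. The `contains` comparison, the BOM layout assumed for `utf16` (FF FE followed by UTF-16LE), the UTF-8 coercion of mismatched str/bytes types, the refusal to re-encode an already encoded value, and all event data are assumptions of this example.

```python
"""Illustrative re-implementation of the Sigma value modifiers named in the
0.13/0.14 release notes (startswith, endswith, utf16, utf16le, wide, utf16be)
plus a "contains" comparison, evaluated against constructed sample events.
Written for this page; not sigmac's implementation."""
from typing import Callable, Dict, List, Tuple, Union

Value = Union[str, bytes]

# Transformation modifiers rewrite the rule value before comparison.
# Assumption: "utf16" is BOM (FF FE) followed by the UTF-16LE encoding,
# and "wide" is an alias for "utf16le".
TRANSFORMS: Dict[str, Callable[[str], bytes]] = {
    "utf16le": lambda v: v.encode("utf-16le"),
    "wide":    lambda v: v.encode("utf-16le"),
    "utf16be": lambda v: v.encode("utf-16be"),
    "utf16":   lambda v: b"\xff\xfe" + v.encode("utf-16le"),
}

# Comparison modifiers decide how the (transformed) value is matched.
# Without a comparison modifier the field must equal the value exactly.
COMPARISONS: Dict[str, Callable[[Value, Value], bool]] = {
    "startswith": lambda field, val: field.startswith(val),
    "endswith":   lambda field, val: field.endswith(val),
    "contains":   lambda field, val: val in field,
}


def parse_spec(spec: str) -> Tuple[str, List[str]]:
    """Split 'Field|mod1|mod2' into the field name and its modifier chain."""
    name, *mods = spec.split("|")
    return name, mods


def apply_transforms(value: str, mods: List[str]) -> Value:
    """Apply each transformation modifier in order.  Unknown or misplaced
    modifiers are rejected, and (assumption of this example) a value that has
    already been encoded to bytes is not re-encoded."""
    out: Value = value
    for mod in mods:
        if mod not in TRANSFORMS:
            raise ValueError("unknown or misplaced modifier: " + mod)
        if isinstance(out, bytes):
            raise ValueError("cannot apply %s to an already encoded value" % mod)
        out = TRANSFORMS[mod](out)
    return out


def field_matches(event: dict, spec: str, value: str) -> bool:
    """Evaluate one 'Field|modifiers': value pair against an event.
    A missing field never matches.  When the event field is bytes (a raw
    payload) a str rule value is UTF-8 encoded, so a plain ASCII 'contains'
    does not find the wide (UTF-16LE) form of the same string."""
    name, mods = parse_spec(spec)
    if name not in event:
        return False
    field: Value = event[name]
    comparison = "exact"
    if mods and mods[-1] in COMPARISONS:
        comparison = mods.pop()
    needle = apply_transforms(value, mods)
    if isinstance(field, bytes) and isinstance(needle, str):
        needle = needle.encode("utf-8")
    elif isinstance(field, str) and isinstance(needle, bytes):
        field = field.encode("utf-8")  # assumption: text fields are UTF-8
    if comparison == "exact":
        return field == needle
    return COMPARISONS[comparison](field, needle)


def selection_matches(event: dict, selection: Dict[str, str]) -> bool:
    """A Sigma selection map is an AND over all of its field specs."""
    return all(field_matches(event, spec, val) for spec, val in selection.items())


def find_matches(events: List[dict], selection: Dict[str, str]) -> List[int]:
    """Return the indices of the events matched by the selection."""
    return [i for i, ev in enumerate(events) if selection_matches(ev, selection)]


# Constructed sample events, not real telemetry.  The third carries a wide
# (UTF-16LE) command line inside a raw byte field, as carved from a binary
# blob: an ASCII substring search misses it, the |wide| modifier finds it.
EVENTS: List[dict] = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Tools\notcmd.exe", "CommandLine": "notcmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "RawPayload": b"\x00\x90" + "cmd.exe /c whoami".encode("utf-16le") + b"\x00\x00"},
]

SELECTION_CMD = {"Image|endswith": "\\cmd.exe"}
SELECTION_ASCII = {"RawPayload|contains": "cmd.exe"}
SELECTION_WIDE = {"RawPayload|wide|contains": "cmd.exe"}

if __name__ == "__main__":
    for label, sel in (("endswith", SELECTION_CMD), ("ascii contains", SELECTION_ASCII),
                       ("wide contains", SELECTION_WIDE)):
        print("%-15s -> events %s" % (label, find_matches(EVENTS, sel)))
```

Running the module prints `[0]` for the endswith selection, `[]` for the plain ASCII search over the raw payload and `[2]` for the wide search; the same chain is what a backend has to preserve when it turns `|wide|contains` into a query, which is the point of the utf16 family of modifiers.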
### Changed
* Improved --backend-config help text
### Fixed
* Backend errors in ala
* Slash escaping within es-dsl wildcard queries
* QRadar backend config
* QRadar field name and value escaping and handling
* Elasticsearch wildcard detection pattern
* Aggregation on keyword field in es-dsl backend
## 0.12.1 - 2019-08-05
### Fixed
* Missing build dependency
## 0.12 - 2019-08-01
### Added
* Usage of "Channel" field in ELK Windows configuration
* Fields to mappings
* xpack-watcher actions index and webhook
* Config for Winlogbeat 7.x
* Value modifiers
* Regular expression support
### Changed
* Warning/error messages
* Sumologic value cleaning
* Explicit OR for Elasticsearch query strings
* Listing of available configurations on missing configuration error
### Fixed
* Conditions in es-dsl backend
* Sumologic handling of null values
* Ignore timeframe detection keyword in all/any of conditions