# Release Notes

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
from version 0.14.0.

## 0.19 - 2021-02-23

### Added

* New parameters for Elastic backends
* Various field mappings
* FireEye Helix backend
* Generic log source image_load
* Kibana NDJSON backend
* uberAgent ESA backend
* SumoLogic CSE backend

### Changed

* Updated mdatp backend fields
* QRadar query generation optimized
* MDATP: case insensitive search

### Fixed

* QRadar implementation now creates valid AQL queries
* Nested conditions
* Various minor bug fixes

## 0.18.1 - 2020-08-25

Release created for technical reasons (issues with extended README and PyPI), no real changes done.

## 0.18.0 - 2020-08-25

### Added

* C# backend
* STIX backend
* Options to xpack-watcher backend (action_throttle_period, mail_from acaw, mail_profile and others)
* More generic log sources
* Windows Defender log sources
* Generic DNS query log source
* AppLocker log source

### Changed

* Improved backend and configuration descriptions
* Microsoft Defender ATP mapping updated
* Improved handling of wildcards in Elastic backends

### Fixed

* PowerShell backend: key name was incorrectly added into regular expression
* Grouping issue in Carbon Black backend
* Handling of default field mapping in case a field is referenced multiple times from a rule
* Code cleanup and various fixes
* Log source mappings in configurations
* Handling of conditional field mappings by Elastic backends

## 0.17.0 - 2020-06-12

### Added

* LOGIQ Backend (logiq)
* CarbonBlack backend (carbonblack) and field mappings
* Elasticsearch detection rule backend (es-rule)
* ee-outliers backend
* CrowdStrike backend (crowdstrike)
* Humio backend (humio)
* Aggregations in SQL backend
* SQLite backend (sqlite)
* AWS Cloudtrail ECS mappings
* Overrides
* Zeek configurations for various backends
* Case-insensitive matching for Elasticsearch
* ECS proxy mappings
* RuleName field mapping for Winlogbeat
* sigma2attack tool

### Changed

* Improved usage of keyword fields for Elasticsearch-based backends
* Splunk XML backend rule titles from sigma rule instead of file name
* Moved backend option list to --help-backend
* Microsoft Defender ATP schema improvements

### Fixed

* Splunk XML rule name is now set to rule title
* Backend list deduplicated
* Wrong escaping of wildcard at end of value when startswith modifier is used.
* Direct execution of tools on Windows systems by addition of script entry points

## 0.16.0 - 2020-02-25

### Added

* Proxy field names to ECS mapping (ecs-proxy) configuration
* False positives metadata to LimaCharlie backend
* Additional aggregation capabilities for es-dsl backend.
* Azure log analytics rule backend (ala-rule)
* SQL backend
* Splunk Zeek sourcetype mapping config
* sigma2attack script
* Carbon Black backend and configuration
* ArcSight ESM backend
* Elasticsearch detection rule backend

### Changed

* Kibana object id is now the Sigma rule id if available; otherwise the old naming scheme is used.
* sigma2misp: replacement of deprecated method usage.
* Various configuration updates
* Extended ArcSight mapping

### Fixed

* Fixed aggregation queries for Elastalert backend
* Fixed aggregation queries for es-dsl backend
* Backend and configuration lists are sorted.
* Escaping in ala backend

## 0.15.0 - 2019-12-06

### Added

* sigma-uuid tool for addition and check of Sigma rule identifiers
* Default configurations
* Restriction of compared rules in sigma-similarity
* Regular expression support in es-dsl backend
* LimaCharlie support for proxy rule category
* Source distribution for PyPI

### Changed

* Type errors are now ignored with -I

### Fixed

* Removed wrong mapping of CommandLine field mapping in THOR config

## 0.14 - 2019-11-10

### Added

* sigma-similarity tool
* LimaCharlie backend
* Default configurations for some backends that are used if no configuration is passed.
* Regular expression support for es-dsl backend (propagates to backends derived from this like elastalert-dsl)
* Value modifiers:
  * startswith
  * endswith

### Changed

* Removal of line breaks in elastalert output
* Searches not bound to fields are restricted to keyword fields in es-qs backend
* Graylog backend now based on es-qs backend

### Fixed

* Removed ProcessCommandLine mapping for Windows Security EventID 4688 in generic process creation log source configuration.

## 0.13 - 2019-10-21

### Added

* Index mappings for Sumologic
* Malicious cmdlets in mdatp
* QRadar support for keyword searches
* QRadar mapping improvements
* QRadar field selection
* QRadar type regex modifier support
* Elasticsearch keyword field blacklisting with wildcards
* Added dateField configuration parameter in xpack-watcher backend
* Field mappings in configurations
* Field name mapping for conditional fields
* Value modifiers:
  * utf16
  * utf16le
  * wide
  * utf16be

### Changed

* Improved --backend-config help text

### Fixed

* Backend errors in ala
* Slash escaping within es-dsl wildcard queries
* QRadar backend config
* QRadar field name and value escaping and handling
* Elasticsearch wildcard detection pattern
* Aggregation on keyword field in es-dsl backend

## 0.12.1 - 2019-08-05

### Fixed

* Missing build dependency

## 0.12 - 2019-08-01

### Added

* Usage of "Channel" field in ELK Windows configuration
* Fields to mappings
* xpack-watcher actions index and webhook
* Config for Winlogbeat 7.x
* Value modifiers
* Regular expression support

### Changed

* Warning/error messages
* Sumologic value cleaning
* Explicit OR for Elasticsearch query strings
* Listing of available configurations on missing configuration error

### Fixed

* Conditions in es-dsl backend
* Sumologic handling of null values
* Ignore timeframe detection keyword in all/any of conditions