Skip to content

Latest commit

 

History

History
273 lines (200 loc) · 6.84 KB

CHANGELOG.md

File metadata and controls

273 lines (200 loc) · 6.84 KB

Release Notes

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning from version 0.14.0.

0.20 - 2021-08-14

Added

  • Devo backend
  • Fields selection added to SQL backend
  • Linux/MacOS support for MDATP backend
  • Output results as generic YAML/JSON
  • Hash normalization option (hash_normalize) for Elasticsearch wildcard handling
  • ALA AWS Cloudtrail and Azure mappings
  • Logrhytm backend
  • Splunk Data Models backend
  • Further log sources used in open source Sigma ruleset
  • CarbonBlack EDR backend
  • Elastic EQL backend
  • Additional conversion selection filters
  • Filter negation
  • Specify table in SQL backend
  • Generic registry event log source
  • Chronicle backend

Changed

  • Elastic Watcher backend populates name attribute instead of title.
  • One item list optimization.
  • Updated Winlogbeat mapping
  • Generic mapping for Powershell backend

Fixed

  • Elastalert multi output file
  • Fixed duplicate output in ElastAlert backend
  • Escaping in Graylog backend
  • es-rule ndjson output
  • Various fixes of known bugs

0.19.1 - 2021-02-28

Changed

  • Added LGPL license to distribution

0.19 - 2021-02-23

Added

  • New parameters for Elastic backends
  • Various field mappings
  • FireEye Helix backend
  • Generic log source image_load
  • Kibana NDJSON backend
  • uberAgent ESA backend
  • SumoLogic CSE backend

Changed

  • Updated mdatp backend fields
  • QRadar query generation optimized
  • MDATP: case insensitive search

Fixed

  • Fixing Qradar implementation for create valid AQL queries
  • Nested conditions
  • Various minor bug fixes

0.18.1 - 2020-08-25

Release created for technical reasons (issues with extended README and PyPI), no real changes done.

0.18.0 - 2020-08-25

Added

  • C# backend
  • STIX backend
  • Options to xpack-watcher backend (action_throttle_period, mail_from acaw, mail_profile and other)
  • More generic log sources
  • Windows Defender log sources
  • Generic DNS query log source
  • AppLocker log source

Changed

  • Improved backend and configuration descriptions
  • Microsoft Defender ATP mapping updated
  • Improved handling of wildcards in Elastic backends

Fixed

  • Powershell backend: key name was incorrectly added into regular expression
  • Grouping issue in Carbon Black backend
  • Handling of default field mapping in case field is referenced multiple from a rule
  • Code cleanup and various fixes
  • Log source mappings in configurations
  • Handling of conditional field mappings by Elastic backends

0.17.0 - 2020-06-12

Added

  • LOGIQ Backend (logiq)
  • CarbonBlack backend (carbonblack) and field mappings
  • Elasticsearch detection rule backend (es-rule)
  • ee-outliers backend
  • CrowdStrike backend (crowdstrike)
  • Humio backend (humio)
  • Aggregations in SQL backend
  • SQLite backend (sqlite)
  • AWS Cloudtrail ECS mappings
  • Overrides
  • Zeek configurations for various backends
  • Case-insensitive matching for Elasticsearch
  • ECS proxy mappings
  • RuleName field mapping for Winlogbeat
  • sigma2attack tool

Changed

  • Improved usage of keyword fields for Elasticsearch-based backends
  • Splunk XML backend rule titles from sigma rule instead of file name
  • Moved backend option list to --help-backend
  • Microsoft Defender ATP schema improvements

Fixed

  • Splunx XML rule name is now set to rule title
  • Backend list deduplicated
  • Wrong escaping of wildcard at end of value when startswith modifier is used.
  • Direct execution of tools on Windows systems by addition of script entry points

0.16.0 - 2020-02-25

Added

  • Proxy field names to ECS mapping (ecs-proxy) configuration
  • False positives metadata to LimaCharlie backend
  • Additional aggregation capabilitied for es-dsl backend.
  • Azure log analytics rule backend (ala-rule)
  • SQL backend
  • Splunk Zeek sourcetype mapping config
  • sigma2attack script
  • Carbon Black backend and configuration
  • ArcSight ESM backend
  • Elasticsearch detection rule backend

Changed

  • Kibana object id is now Sigma rule id if available. Else the old naming scheme is used.
  • sigma2misp: replacement of deprecated method usage.
  • Various configuration updates
  • Extended ArcSight mapping

Fixed

  • Fixed aggregation queries for Elastalert backend
  • Fixed aggregation queries for es-dsl backend
  • Backend and configuration lists are sorted.
  • Escaping in ala backend

0.15.0 - 2019-12-06

Added

  • sigma-uuid tool for addition and check of Sigma rule identifiers
  • Default configurations
  • Restriction of compared rules in sigma-similarity
  • Regular expression support in es-dsl backend
  • LimaCharlie support for proxy rule category
  • Source distribution for PyPI

Changed

  • Type errors are now ignored with -I

Fixed

  • Removed wrong mapping of CommandLine field mapping in THOR config

0.14 - 2019-11-10

Added

  • sigma-similarity tool
  • LimaCharlie backend
  • Default configurations for some backends that are used if no configuration is passed.
  • Regular expression support for es-dsl backend (propagates to backends derived from this like elastalert-dsl)
  • Value modifiers:
    • startswith
    • endswith

Changed

  • Removal of line breaks in elastalert output
  • Searches not bound to fields are restricted to keyword fields in es-qs backend
  • Graylog backend now based on es-qs backend

Fixed

  • Removed ProcessCommandLine mapping for Windows Security EventID 4688 in generic process creation log source configuration.

0.13 - 2019-10-21

Added

  • Index mappings for Sumologic
  • Malicious cmdlets in mdatp
  • QRadar support for keyword searches
  • QRadar mapping improvements
  • QRadar field selection
  • QRadar type regex modifier support
  • Elasticsearch keyword field blacklisting with wildcards
  • Added dateField configuration parameter in xpack-watcher backend
  • Field mappings in configurations
  • Field name mapping for conditional fields
  • Value modifiers:
    • utf16
    • utf16le
    • wide
    • utf16be

Changed

  • Improved --backend-config help text

Fixed

  • Backend errors in ala
  • Slash escaping within es-dsl wildcard queries
  • QRadar backend config
  • QRadar field name and value escaping and handling
  • Elasticsearch wildcard detection pattern
  • Aggregation on keyword field in es-dsl backend

0.12.1 - 2019-08-05

Fixed

  • Missing build dependency

0.12 - 2019-08-01

Added

  • Usage of "Channel" field in ELK Windows configuration
  • Fields to mappings
  • xpack-watcher actions index and webhook
  • Config for Winlogbeat 7.x
  • Value modifiers
  • Regular expression support

Changed

  • Warning/error messages
  • Sumologic value cleaning
  • Explicit OR for Elasticsearch query strings
  • Listing of available configurations on missing configuration error

Fixed

  • Conditions in es-dsl backend
  • Sumologic handling of null values
  • Ignore timeframe detection keyword in all/any of conditions