What's New?

Version 4.3

📅 Search Anywhere Framework version 4.3.0 released on January 31, 2025.

Core

Changes

• ⚡️ OpenSearch updated to version 2.18.0
• ⚡️ New dashboard implementation, optimized rendering of visualizations and the number of network requests when fetching data from storage.
• ⚡️ Added the ability to configure access rights to menu sections
• ⚡️ Added macros management interface

Improvements

• ⚡️ Redesigned the menu settings interface
• Now, when editing system scheduler tasks, dashboards, or tags, information is added to their user copy indicating that it was created from the system version

Fixes

• Fixed multiple updates of visualizations when moved within dashboards
• Fixed incorrect behavior of filters in dashboards when moved between panels
• Fixed incorrect operation of dependent filters whose options are generated by a search query
• Fixed behavior where multiple requests to the storage were triggered

Core: Engine

Changes

• ⚡️ Added support for macros, allowing for the reuse of query fragments in any other search queries
• Added the ability to export results of background queries
• A new nores parameter has been added to the outputlookup command, which allows clearing the search results after writing to the lookup table
• Added the ability to configure the maximum execution time, result retention period, and the number of events stored in a single file for background tasks

Improvements

• The SP-client prefix can now be set by default
• Optimized the execution process of background tasks
• The train command now supports the use of existing ML models
• In the outputlookup command, the logic for the keyfield parameter has been changed, now the field name is used as an argument, by the value of which the matches with the data in the lookup table are checked and updated
• Double quotes are no longer required for values without separators in the search command
• The search command now uses the logical operator AND by default

Fixes

• Fixed an issue where the loadjob command did not return results
• Fixed issues that occurred when deleting or stopping a background task
• Fixed the setting that overrides the directory for storing background task results
• Fixed an issue where the field order in background task results was not saved
• Fixed the calculation of the background task execution time
• Fixed an issue with canceling the execution of a background task

Core: Job Scheduler

Changes

• Added the ability to use mailing lists in the active action Send E-mail
• In the active action Create Incident, added the ability to configure the index suffix, which allows controlling the distribution of incidents across different indexes
• Added the ability to enable system tasks
• Added the ability to edit tags and access rights for system tasks
• Added validation for Host and Port fields in the active action Webhook

Improvements

• Now, in the active action Send E-mail, the field order in attached Excel/CSV files is preserved
• The active action MITRE ATT&CK® Techniques Logging now supports the use of tokens for layer specification
• Now, in the active action Create Incident, the incident card fields support tokens

Fixes

• Fixed the suppression mechanism when handling nested objects

User Behavior Analytics

Improvements

• Added the ability to ignore case sensitivity for object identification fields

SAF Beat Manager

Changes

• ⚡️ Up to 30 times faster interface response time with a large number of connected clients
• ⚡️ Now applications can be uploaded and deleted through the interface
• ⚡️ Added the ability to view, create, and edit applications in the interface
• Optimized algorithms for processing and storing information about connected clients
• When the client list is updated, a notification now appears with the option to refresh the data
• Completely redesigned the group management interface
• Added the ability to export the client list

Improvements

• Expanded the filter set on the client page, now it is possible to filter by applications, files, tags, versions, and also select clients without groups

Fixes

• Fixed the freeze that occurred when updating group configurations

SAF Beat

Changes

• Now, to determine the beat type for launching an application, instead of using a prefix in the name, you can use a property file

Inventory

Changes

• Added the ability to specify the lifetime of an asset, after which the asset will be deleted

Incident Manager

Changes

• ⚡️ Now, incident search supports the syntax of the search command
• Now, filter values on the Incident Manager page can be populated based on the search results

Improvements

• Added time zone display to all time fields
• Pagination for the incident list has been expanded

Fixes

• Fixed editing of comparison fields and functional fields in Incident Group Settings

Lookup Manager

Improvements

• In the dictionary configuration, it is now possible to specify the number of rows to display

Fixes

• Optimized dictionary data modification queries

MITRE ATTACK

Improvements

• Added the ability to collapse/expand all sub-techniques with one button
• Added the ability to display only the techniques that are involved in the rules

Fixes

• Fixed the issue where the layer selection did not work after SAF Systems reboot

Version 4.2

📅 Search Anywhere Framework version 4.2.0 was released on October 25, 2024.

Core

⚡️ Changes

• Introduced an interface for installation and content management
• Added an interface to monitor active searches
• Updated dark and light themes
• Theme selection now replaces style settings
• New themes added: Green, Blue, Night Blue, and Ocean

Improvements

• Expanded the set of modules and objects available for Spotlight search
• Global tag search is now available in Spotlight
• Significantly increased data migration speed to ClickHouse
• Updated the dompurify to version 2.5.4

Fixes

• Fixed an issue where the core.use_cluster_state setting value would reset after cluster restart
• Fixed an issue with configuration retrieval from Cluster State

Core: Search Interface

Fixes

• Fixed an issue with link generation when clicking the Share button

Core: Engine

⚡️ Changes

• Added Machine Learning support for SAF Language commands
• Added support for the following algorithms:
  • K-means
  • Linear regression
  • Random Cut Forest (RCF)
  • RCF Summarize
  • Localization
  • Logistic regression
• Added the train and predict commands
• Added the median function to stats, aggs, timechart, timeaggs, chart, eventstats, and streamstats commands

Improvements

• The perc (percentile) function is now available in chart, eventstats, and streamstats commands
• Added the option to disable the time filter in the source command using the timefield parameter

Fixes

• Fixed incorrect comparison of numbers with different data types in the eval command
• Fixed an issue where the random function generated identical values for different documents

Core: Job Scheduler

⚡️ Changes

• Added developer mode for editing tasks

Improvements

• Added SSL/TLS configuration option for the Webhook action
• Password for authorization in the Webhook action is now stored in Keystore with the prefix jobscheduler.webhook.password

Fixes

• Fixed an issue with the suppression mechanism for nested fields
• Fixed an issue where tasks could run on servers where the node_with_sme attribute was set to false

Core: Remote Executor

Improvements

• Updated the spring-boot-starter-parent to version 3.3.4

SAF Beat

⚡️ Changes

• Added the rotation.log_path configuration parameter to specify the log directory
• Added CN=<hostname> to the agent certificate (or SAF Beat if hostname is unavailable)

Improvements

• The server parameter group is now hidden by default in the configuration
• Default values set for ssl.cert_ca as ./cert/ca-cert.pem and manager.host as 127.0.0.1

Agent Management

⚡️ Changes

• Added CN=<hostname> to the agent certificate (or SAF Beat if hostname is unavailable)

Improvements

• Renamed the console command delete to remove (standardized with SAF Beat)
• Optimized data loading speed in the interface
• Expanded error descriptions in logs
• authorization.opensearch.host now defaults to https
• authorization.opensearch.ca_key is now hidden by default
• authorization.opensearch.ca_cert now defaults to ca-cert.pem
• authorization.opensearch.ssl_enabled is now optional and hidden by default

Inventory

⚡️ Changes

• Added the option to set a base field coefficient for more precise partial similarity tuning

Incident Manager

Fixes

• Fixed the Responsible filter functionality

Lookup Manager

Improvements

• Optimized data lookup search performance

Fixes

• Added a parameter in the directory settings to control the amount of data displayed in the interface

---

Version 4.1

📅 Search Anywhere Framework version 4.1.0 was released on July 11, 2024.

Core

⚡️ Changes

• Updated OpenSearch to version 2.13.0
• Added the ability to save SAF settings in Cluster State, allowing access to the cluster when it's overloaded
• Added the ability to manage Keystore via API
• Updated Radar Chart visualization
• Updated Sankey Diagram visualization
• Updated Table visualization

Improvements

• Added the ability to set a custom identifier when creating tags
• Notifications now feature a View Error button with detailed information
• In the Upload Data and Lookup Manager sections, the maximum import data size now refers to the server.maxPayloadBytes parameter
• Added the ability to drag and drop panels to new rows up or down

Fixes

• Fixed incorrect breadcrumb display with long text inside

Core: Search Interface

Improvements

• Added highlighting for string expressions in search queries
• Added the ability to delete words up to the nearest space using the Shift + Option + Backspace or Shift + Alt + Backspace key combination
• Improved query expression highlighting in dark mode
• Improved error display occurring during search execution
• Added additional connection checks (SSL, mandatory authentication) when accessing SME-RE

Fixes

• Fixed the inability to export data to Excel with multivalue fields

Core: Engine

⚡️ Changes

• Added perc (percentile) function to stats, aggs, timechart, timeaggs commands
• Added resource consumption control when sending data using SME Circuit Breaker

Improvements

• Optimized search result transfer between SAF modules

Core: Job Scheduler

⚡️ Changes

• Added the ability to specify roles under which a search will run within a task
• Added the ability to mass enable and disable tasks
• Removed Index Aggregation action

Improvements

• Added additional connection checks (SSL, mandatory authentication) when accessing SME-RE
• Added a driver for ClickHouse in JdbcOutputAction
• The database connection password in JdbcOutputAction is now stored in Keystore
• Added the ability to specify certificates and SSL protocol version in WebhookAction

Fixes

• Fixed incorrect task name truncation
• Fixed incorrect table behavior when adding a new column

User Behavior Analytics

⚡️ Changes

• Added count to the calculation settings function

Improvements

• Added the ability to change permissions for Object Types and Scoring Types

Fixes

• Fixed blocked create object button when types are missing
• Adjusted out-of-license message display

SAF Beat

⚡️ Changes

• Added agent.ip parameter to override localIp sent to Agent Management
• Added agent.tags configuration parameter to filter the list of agents in Agent Management
• Added sending all IPv4 addresses of network interfaces with a filled MAC address

Fixes

• Fixed DNS not displaying in the absence of a private IP
• Fixed application integrity control
• Fixed repeated TLS handshake error from : EOF messages

Agent Management

⚡️ Changes

• Added the ability to store backup user and password in environment variables

Fixes

• Fixed repeated TLS handshake error from : EOF messages

Inventory

⚡️ Changes

• Added the ability to store login and password for connecting to SA Data Storage in environment variables

Improvements

• Added a warning for duplicate names of base and additional fields in the configuration

Incident Manager

⚡️ Changes

• Added incident grouping results to the Incident Manager main page
• Added Incident Group Settings page for configuring incident grouping
• Added tags to grouped incidents

Improvements

• Search is now performed by the storage
• Added the ability to display user filters in Incident Manager based on their type
• Improved incident and incident group history, added incident_history_language flag to set the history language

Lookup Manager

Fixes

• Fixed page reload issue during file import into the directory

Knowledge Center

⚡️ Changes

• Added the ability to display Markdown articles (read-only)

Fixes

• Fixed error when there are no items in the permission group field

MITRE ATTACK

⚡️ Changes

• Role model can now be configured for MITRE ATTACK matrix layers

---

Version 4.0

📅 Search Anywhere Framework version 4.0.0 was released on April 12, 2024.

Core

⚡️ Changes

• Added Search Anywhere settings interface (connection to external data stores)
• Added auto-completion for database connection strings in Search Anywhere
• Added the ability to test connections to external storage
• Added scoring configuration options

Improvements

• JDBC query configuration is now integrated into Search Anywhere
• The Upload Data and Active Tasks links have been moved to the left menu
• The xlsx library was updated to version 0.20.1

Fixes

• Fixed the filter-saving mechanism in the address bar

Core: Search Interface

⚡️ Changes

• Added a new visualization type: Heatmap

Core: Engine

⚡️ Changes

• Support for searching Clickhouse using Search Language
• Added Timeline and Sidebar for Clickhouse queries
• Time parameter passing is now available for Clickhouse storage queries

Core: Job Scheduler

⚡️ Changes

• Added the ability to select which columns to display in the Task List

Improvements

• The MITRE ATT&CK action now supports multi-selection of techniques

⚡️ User Behavior Analytics

⚡️ Changes

• Added module configuration on first launch
• Added new profiling algorithms: Dictionary, Statistics, Frequency, and Chronology
• Added UBA object profile page and object information card
• Added warning for UBA object duplicates
• Added the ability to configure the type of object profiling
• Added the ability to link scoring type to an object
• Added automatic object list population by schedule
• Added support for running multiple profiling algorithms in policies
• Added the ability to use a custom function for scoring calculation
• Added the ability to view profiling policy results
• Added statistics on runs for each object
• Added server filtering options for running calculations

Improvements

• Added deletion confirmation in module settings
• Added scoring deletion confirmation

Incident Manager

⚡️ Changes

• Added incident group creation mechanism (aggregations)
• Added incident group configuration
• Added the ability to choose the closure status for incident groups
• Added the ability to configure the display (incidents only or incidents and groups of incidents)
• Added the ability to edit incident groups with synchronized changes for each incident
• Added the ability to run Adhoc Actions for incident groups
• Added the ability to display MITRE techniques for incident groups
• Each incident group now has configurable group parameters

Improvements

• Incident or incident group description configuration can now be done with Markdown
• Added search by owners in the incident table search bar
• Added search by query results in the incident table search bar
• System and display names for incident groups are now configurable

Fixes

• Fixed the error that occurred when the incident list auto-refresh caused an issue due to lack of data

Knowledge Center

Fixes

• Fixed the display of tags on the Scenarios page
• Fixed the error when fetching the list on the Wikilogs page

MITRE ATTACK

Fixes

• Fixed the error in technique information display when mitigations were missing
• Fixed the error in getting statistics for triggered rules