Skip to main content
Version: 5.0

What's New?

Version 5.0

📅 Search Anywhere Framework version 5.0.0 released on April 30, 2025.

Core

⚡️Changes
  • A new feature Notes has been added, allowing users to quickly create and update notes from any section of the interface. Notes can include incidents, visualizations, Inventory module assets, files, images, and free-form text
  • Enhancements to Search Anywhere: a new data source type API has been introduced, enabling data retrieval via REST API
  • A new visualization Quick State has been added. It consists of dynamic cards that are automatically generated based on search query results. Each card displays a key metric with color indicators and an icon
  • A new visualization Tree Map has been added. It displays search results as rectangles of varying sizes, with each rectangle’s area proportional to the numeric value of the corresponding data partition
Improvements
  • By default, the sidebar in the search interface now displays only the most frequently used source fields
  • Table visualization: tooltips showing the column name are now displayed when hovering over a column
  • When a line in the search query is highlighted, all occurrences of that line are now also highlighted
  • Tooltips have been added in the search interface for the Export, Notifications, and Share buttons
  • The row count display options on the search results page have been extended — options 100 and 200 are now available
  • Pages with object lists now show the total number of items
Fixes
  • Fixed an issue where values from visualizations were incorrectly substituted into text and multi-select filters

Core: Engine

⚡️Changes
  • A new option is available that allows excluding indices from processing at search runtime using a pattern, if their data falls outside the specified time filter
Improvements
  • The name of a cross-cluster connection can now be specified in the search query without single quotes
  • The search command now supports the in function, which checks if a field's value is within a specified set
  • It is now possible to specify multiple addresses for connecting to SA Engine RE
Fixes
  • Query parsing errors now display the correct line number where the error occurred
  • Fixed the behavior of ceil and floor functions when used with large numbers in the eval command

Core: Job Scheduler

Fixes
  • Fixed suppression behavior for multivalue field

User Behavior Analytics

⚡️Changes
  • Added support for configuring Exceptions in profiling policies
  • Added partial recalculation support for Dictionary and Statistics algorithms in profiling policies

RSM

⚡️Changes
  • Beta version of RSM 2.0 released, featuring a new interface, updated logic, and enhanced metric-service linking
Improvements
  • Added automatic model update capabilities within the interface
  • Added bulk editing for models, metrics, and indicators
Fixes
  • Optimized rendering performance of the model view page

SAF Beat Manager

⚡️Changes
  • Added support for a new agent type: Vector
Improvements
  • Added support for new service installation flags:
    • --ignore-systemd - skips installing the service in systemd
    • --ignore-selinux - ignores SELinux checks and execution permissions
    • --directory - specifies custom installation directory
    • --group - sets file permissions for a specific group
Fixes
  • Fixed an issue where group setting changes (applications or files) were not reflected in the agent list
  • Fixed an issue where a client was not removed from a group
  • Fixed notification logic for new data availability
  • Fixed missing updates after invoking the reload API method
  • Fixed an issue where deleted applications or files were still shown in the agent info panel

SAF Beat

⚡️Changes
  • Added support for the Vector data collection and processing agent.
Improvements
  • Added support for new service installation flags:
    • --ignore-systemd: skips installing the service in systemd
    • --ignore-selinux: bypasses SELinux permission setup
    • --directory: allows custom installation directory
    • --group: sets permissions for a specified group
  • Added support for setting Linux capabilities for Auditbeat during service installation
  • Revised and optimized logging format and volume during service installation

Inventory

⚡️Changes
  • The module now has a mechanism for building relationships between assets, which allows you to configure rules for automatically linking configurations, as well as provides visualizations of the resulting relationships
  • The calculation module no longer requires a separate installation and is now integrated into the system
  • Asset update calculations are now executed as scheduled tasks
  • Each configuration calculation includes a Run Statistics section detailing execution status and phases
Improvements
  • Module configuration is now accessible via the UI
  • Improved user experience with redesigned interface components

Incident Manager

⚡️Changes
  • The Create Incident action in the Task Scheduler now includes an Inventory Link section for mapping asset configurations to incident fields
  • IDs now follow a new format:
    • Incidents: INC-[<installation prefix>]-<YYMMDD>-<sequence number>
    • Aggregations: AGG-[<installation prefix>]-<YYMMDD>-<sequence number>
Improvements
  • Added ability to define time bounds for Search type drilldowns
  • For aggregations, it is now possible to configure an index suffix to control result distribution across indices
  • Column width in the Incident Manager page is now adjustable
Fixes
  • Fixed issue where the client info field was not populated in Service Provider mode
  • Default value for Select fields in the incident card settings can now be cleared

MITRE ATTACK

Improvements
  • A new Detection Methods section was added to technique descriptions
  • Added the ability to view tactic descriptions
Fixes
  • The Detection Matrix now calculates results based on the selected layer

SA Engine RE

Fixes
  • Fixed an issue where parameters containing delimiter characters could not be used

Cyber Security

⚡️Changes
  • A rule import mechanism for the Sigma format has been added. Sigma rules can now be integrated into the system and used to generate search tasks with automatic query generation in SML. More than 3000 rules are available for import

Version 5.0.1

📅 Search Anywhere Framework version 5.0.1 released on June 20, 2025.

Core

Fixes
  • Fixed an issue where some visualizations on the dashboard were not updating after changing the time filter
  • Fixed an issue where the dynamic filter inside the dashboard did not return search results when the time token was missing
  • Fixed an issue with incorrect array display in search results
  • Fixed an issue with incorrect value list output in the visualization color scheme
  • Fixed handling of prefix and suffix in dashboard dynamic options
  • Fixed an issue where the visualization selection window did not close properly
  • Fixed recognition of index patterns without single quotes for cross-cluster search
  • Fixed an issue where system dashboards could not be edited
  • Fixed display of tooltip values when updating the Pie Chart visualization
  • Fixed drilldown behavior when editing the query in the Pie Chart visualization
  • Fixed color scheme handling in the Table visualization
  • Fixed an issue where columns were duplicated in the Table visualization when a field was renamed in the query
  • Fixed an issue where color scheme settings were reset when switching between settings tabs in the Table visualization
  • Fixed macro name validation when many parameters are used
  • Fixed an issue where the list of JDBC drivers failed to load if it contained a driver with a large file size

Core: Engine

Improvements

The regex function in the search command is now case-insensitive by default. Case sensitivity can be enabled using the sens flag

Fixes
  • Fixed a high memory usage issue when saving background task results to disk
  • Fixed a search issue where a query or subquery starting with a pipeline was not processed correctly if preceded by a comment
  • Fixed an issue where the qsize parameter limit for the amount of requested data was not applied

Core: Job Scheduler

Fixes
  • Fixed an issue where the Save button was disabled when editing a search task
  • Fixed the display of the query editor in dark theme
  • Fixed the display of the HTML editor in the active Send E-mail action
  • Fixed a tokenization issue caused by escaping special characters in active actions
  • Fixed an issue where the Severity field with an integer value in the Create Incident active action was saved as a floating-point number
  • Fixed a focus loss issue when entering values in the Result Fields and Local Parameters of the Create Incident active action

Knowledge Center

Improvements
  • Added support for configuring note access using cluster-level permissions:
    • cluster:admin/sm/kwc/notebook/read_all – read access
    • cluster:admin/sm/kwc/notebook/write_all – edit and delete
    • cluster:admin/sm/kwc/notebook/create – create
Fixes
  • Fixed an issue where notes were inaccessible despite having read permissions

RSM 2.0

Improvements
  • Added the ability to configure layer-level access permissions
  • Added the ability to enable or disable metrics

SAF Beat Manager

Improvements
  • Added support for binding clients by tags in group filter configuration
  • The Clients page search now supports the Tag field

SAF Beat

Improvements
  • Application metadata and logs are no longer deleted when applications are modified

Incident Manager

Improvements Fixes
  • Fixed an issue with incorrect creation time for empty incidents
  • Fixed a NullPointerException when loading the dynamic filter
  • Fixed clearing of aggregation settings from memory when they are deleted

Version 5.0.2

📅 Search Anywhere Framework version 5.0.2 released on October 16, 2025.

Core

Improvements
  • Global search now supports searching through notes
  • The Upload Data section now displays detailed information about encountered errors
  • Improved display of long values on the axes for the Column Chart visualization with the Vertical Layout parameter enabled
Fixes
  • Fixed an error in the global search that occurred when a user did not have access to the Inventory module asset settings
  • Fixed errors when retrieving information about connected Service Provider clients
  • A long search query in dynamic filter settings on a dashboard no longer overlaps other input fields
  • Fixed issues when switching visualization types on the dashboard editing page
  • Fixed an error where the modal window did not close after saving permissions for JDBC queries
  • Fixed incorrect parsing of fields containing dates when loading data via the interface
  • Fixed the application of default values in select and multi-select type filters when opening a dashboard
  • Fixed errors that occurred when copying a query from the search history
  • Fixed incorrect parsing of the Path to trust store field in Search Anywhere connections
  • Fixed incorrect display of negative fractional values in the Metric visualization
  • Fixed incorrect application of the Palette color scheme in the Table visualization
  • Fixed the display of null values in the Table visualization
  • The api command has been added to the list of available commands when setting up limits
  • Fixed the lack of syntax highlighting for the qsize, packsize, and nores parameters in search

Core: Engine

Improvements
  • Accelerated the calculation of frequent values for the Field Bar in the search interface
  • Added the ability to use the coalesce, nullif, case, if and validate functions of the eval command for string concatenation
  • Added time-based filtering for fields with DateTime and DateTime64 types in ClickHouse sources
  • The eval command can now work with fields from an object extracted from an array
Fixes
  • Fixed a search error where incorrect fields were displayed in the table after executing the timechart or timeaggs commands
  • Any commands can now be used after the format command
  • Fixed an error when using the * character in the rename command
  • Fixed an error that prevented using the body_type=text parameter for the api command
  • Fixed filtering by fields with integer types for ClickHouse sources in the search command
  • Fixed an error when searching by array-type fields in ClickHouse sources

Core: Job Scheduler

Fixes
  • Fixed the lack of job selection options in the Run another search active action when the Service Provider mode is enabled
  • Fixed incorrect display of multi-select type fields in the Additional Fields section of the Creating in Incident active action

Knowledge Center

Fixes
  • Fixed incorrect link generation when opening a note in a new tab
  • Fixed an error where only the last block was saved when adding multiple blocks to a note
  • Fixed an error that occurred when deleting an image from a note

Lookup Manager

Fixes
  • Fixed an error where the record order changed after editing a lookup table

RSM 2.0

Fixes
  • Fixed an error that occurred when editing a range for a string metric
  • Fixed incorrect saving of the time interval in a metric

Incident Manager

Improvements
  • The Incident Manager page now requires fewer system resources to load
Fixes
  • Fixed editing an aggregation with the Synchronize with incidents of this group option disabled
  • Fixed incorrect filtering by Multiline Text type fields
  • Fixed an error when running an Active Action when the field for the token from the Incident Description Format setting is missing in the incident
  • Fixed incorrect pagination behavior when changing filters or the time range

Inventory

Fixes
  • Added automatic storage creation for an asset when creating a configuration
  • Fixed incorrect display of arrays in the Related Assets section

User Behavior Analytics

Improvements
  • Added wildcard support for object search
  • Optimized search on the UBA Objects page when a large number of objects are present
Fixes
  • Fixed the behavior of the default selection button in the UBA Object Types section

Move to ClickHouse

Improvements
  • Added SSL support for ClickHouse connections
  • Added the ability to configure time to live for a ClickHouse table
  • Added the ability to move data from old indices
Fixes
  • Fixed an error when moving indices with special characters in their names
  • It is now possible to specify a ClickHouse connection string without a database name

MITRE ATTACK

Fixes
  • Fixed incorrect display of creation and update times in the permission editing modal window on the Layer Editor page

SAF Beat

Fixes
  • Fixed the wait logic for network interface initialization during system reboot