What's New?
Version 5.0
📅 Search Anywhere Framework version 5.0.0 released on April 30, 2025.
Core
⚡️ Changes
- A new feature, Notes, has been added, allowing users to quickly create and update notes from any section of the interface. Notes can include incidents, visualizations, Inventory module assets, files, images, and free-form text
- Enhancements to Search Anywhere: a new data source type, API, has been introduced, enabling data retrieval via REST API
- A new visualization, Quick State, has been added. It consists of dynamic cards that are automatically generated based on search query results. Each card displays a key metric with color indicators and an icon
- A new visualization, Tree Map, has been added. It displays search results as rectangles of varying sizes, with each rectangle's area proportional to the numeric value of the corresponding data partition
- By default, the sidebar in the search interface now displays only the most frequently used source fields
- Table visualization: tooltips showing the column name are now displayed when hovering over a column
- When a line in the search query is highlighted, all occurrences of that line are now also highlighted
- Tooltips have been added in the search interface for the Export, Notifications, and Share buttons
- The row count display options on the search results page have been extended: options 100 and 200 are now available
- Pages with object lists now show the total number of items
- Fixed an issue where values from visualizations were incorrectly substituted into text and multi-select filters
Core: Engine
Changes
- A new option is available that allows excluding indices from processing at search runtime using a pattern, if their data falls outside the specified time filter
- The name of a cross-cluster connection can now be specified in the search query without single quotes
- The search command now supports the in function, which checks if a field's value is within a specified set
- It is now possible to specify multiple addresses for connecting to SA Engine RE
- Query parsing errors now display the correct line number where the error occurred
- Fixed the behavior of the ceil and floor functions when used with large numbers in the eval command
Core: Job Scheduler
Fixes
- Fixed suppression behavior for multivalue fields
User Behavior Analytics
Changes
- Added support for configuring Exceptions in profiling policies
- Added partial recalculation support for the Dictionary and Statistics algorithms in profiling policies
RSM
Changes
- Beta version of RSM 2.0 released, featuring a new interface, updated logic, and enhanced metric-service linking
- Added automatic model update capabilities within the interface
- Added bulk editing for models, metrics, and indicators
- Optimized rendering performance of the model view page
SAF Beat Manager
Changes
- Added support for a new agent type: Vector
- Added support for new service installation flags:
  - --ignore-systemd: skips installing the service in systemd
  - --ignore-selinux: ignores SELinux checks and execution permissions
  - --directory: specifies a custom installation directory
  - --group: sets file permissions for a specific group
- Fixed an issue where group setting changes (applications or files) were not reflected in the agent list
- Fixed an issue where a client was not removed from a group
- Fixed notification logic for new data availability
- Fixed missing updates after invoking the reload API method
- Fixed an issue where deleted applications or files were still shown in the agent info panel
SAF Beat
Changes
- Added support for the Vector data collection and processing agent
- Added support for new service installation flags:
  - --ignore-systemd: skips installing the service in systemd
  - --ignore-selinux: bypasses SELinux permission setup
  - --directory: allows a custom installation directory
  - --group: sets permissions for a specified group
- Added support for setting Linux capabilities for Auditbeat during service installation
- Revised and optimized logging format and volume during service installation
Inventory
Changes- Introduced a relationship-building engine that enables configuring auto-linking rules between assets and provides visualizations of those links
- The calculation module no longer requires a separate installation and is now integrated into the system
- Asset update calculations are now executed as scheduled tasks
- Each configuration calculation includes a Run Statistics section detailing execution status and phases
- Module configuration is now accessible via the UI
- Improved user experience with redesigned interface components
Incident Manager
Changes
- The Create Incident action in the Task Scheduler now includes an Inventory Link section for mapping asset configurations to incident fields
- IDs now follow a new format:
  - Incidents: INC-[<installation prefix>]-<YYMMDD>-<sequence number>
  - Aggregations: AGG-[<installation prefix>]-<YYMMDD>-<sequence number>
- Added the ability to define time bounds for Search type drilldowns
- For aggregations, it is now possible to configure an index suffix to control result distribution across indices
- Column width in the Incident Manager page is now adjustable
- Fixed an issue where the client info field was not populated in Service Provider mode
- The default value for Select fields in the incident card settings can now be cleared
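The new incident and aggregation ID format above is something downstream tooling (ticket sync, correlation scripts, log parsers) will need to recognise. The following is an added example, not code from the Search Anywhere Framework, that parses and re-emits IDs in that format; it assumes the bracketed installation prefix is optional and contains no hyphens, that the sequence number is decimal digits, and that the sequence is not zero-padded (a width can be given when formatting).

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Assumed grammar for INC-[<installation prefix>]-<YYMMDD>-<sequence number>
# and AGG-[...]: the prefix is optional and alphanumeric (no hyphens),
# the date is six digits YYMMDD, the sequence number is decimal digits.
_ID_RE = re.compile(
    r"^(?P<kind>INC|AGG)"
    r"(?:-(?P<prefix>[A-Za-z0-9]+))?"
    r"-(?P<date>\d{6})"
    r"-(?P<seq>\d+)$"
)


@dataclass(frozen=True)
class IncidentId:
    kind: str               # "INC" for incidents, "AGG" for aggregations
    prefix: Optional[str]   # installation prefix, None when absent
    created: date           # date encoded in the YYMMDD field
    sequence: int           # per-day sequence number


def parse_id(value: str) -> IncidentId:
    """Parse an ID string; raises ValueError for wrong shape or impossible date."""
    m = _ID_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a recognised incident/aggregation ID: {value!r}")
    try:
        created = datetime.strptime(m.group("date"), "%y%m%d").date()
    except ValueError as exc:
        raise ValueError(f"invalid YYMMDD date in {value!r}") from exc
    return IncidentId(m.group("kind"), m.group("prefix"), created, int(m.group("seq")))


def is_valid_id(value: str) -> bool:
    """Convenience predicate for filtering log fields or API input."""
    try:
        parse_id(value)
        return True
    except ValueError:
        return False


def format_id(ident: IncidentId, seq_width: int = 0) -> str:
    """Rebuild the string form; seq_width pads the sequence if the deployment does."""
    parts = [ident.kind]
    if ident.prefix:
        parts.append(ident.prefix)
    parts += [ident.created.strftime("%y%m%d"), str(ident.sequence).zfill(seq_width)]
    return "-".join(parts)
```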
MITRE ATTACK
Improvements
- A new Detection Methods section was added to technique descriptions
- Added the ability to view tactic descriptions
- The Detection Matrix now calculates results based on the selected layer
SA Engine RE
Fixes
- Fixed an issue where parameters containing delimiter characters could not be used
Cyber Security
Changes
- A rule import mechanism for the Sigma format has been added. Sigma rules can now be integrated into the system and used to generate search tasks with automatic query generation in SML. More than 3000 rules are available for import