What's New?
Version 5.0
📅 Search Anywhere Framework version 5.0.0 released on April 30, 2025.
Core
⚡️Changes- A new feature
Notes
has been added, allowing users to quickly create and update notes from any section of the interface. Notes can include incidents, visualizations, Inventory module assets, files, images, and free-form text - Enhancements to
Search Anywhere
: a new data source typeAPI
has been introduced, enabling data retrieval viaREST API
- A new visualization
Quick State
has been added. It consists of dynamic cards that are automatically generated based on search query results. Each card displays a key metric with color indicators and an icon - A new visualization
Tree Map
has been added. It displays search results as rectangles of varying sizes, with each rectangle’s area proportional to the numeric value of the corresponding data partition
- By default, the sidebar in the search interface now displays only the most frequently used source fields
Table
visualization: tooltips showing the column name are now displayed when hovering over a column- When a line in the search query is highlighted, all occurrences of that line are now also highlighted
- Tooltips have been added in the search interface for the
Export
,Notifications
, andShare buttons
- The row count display options on the search results page have been extended — options
100
and200
are now available - Pages with object lists now show the total number of items
- Fixed an issue where values from visualizations were incorrectly substituted into text and multi-select filters
Core: Engine
⚡️Changes- A new option is available that allows excluding indices from processing at search runtime using a pattern, if their data falls outside the specified time filter
- The name of a
cross-cluster
connection can now be specified in the search query without single quotes - The
search
command now supports thein
function, which checks if a field's value is within a specified set - It is now possible to specify multiple addresses for connecting to
SA Engine RE
- Query parsing errors now display the correct line number where the error occurred
- Fixed the behavior of
ceil
andfloor
functions when used with large numbers in theeval
command
Core: Job Scheduler
Fixes- Fixed suppression behavior for
multivalue
field
User Behavior Analytics
⚡️Changes- Added support for configuring
Exceptions
in profiling policies - Added partial recalculation support for
Dictionary
andStatistics
algorithms in profiling policies
RSM
⚡️Changes- Beta version of
RSM 2.0
released, featuring a new interface, updated logic, and enhanced metric-service linking
- Added automatic model update capabilities within the interface
- Added bulk editing for models, metrics, and indicators
- Optimized rendering performance of the model view page
SAF Beat Manager
⚡️Changes- Added support for a new agent type:
Vector
- Added support for new service installation flags:
--ignore-systemd
- skips installing the service in systemd--ignore-selinux
- ignores SELinux checks and execution permissions--directory
- specifies custom installation directory--group
- sets file permissions for a specific group
- Fixed an issue where group setting changes (applications or files) were not reflected in the agent list
- Fixed an issue where a client was not removed from a group
- Fixed notification logic for new data availability
- Fixed missing updates after invoking the
reload
API method - Fixed an issue where deleted applications or files were still shown in the agent info panel
SAF Beat
⚡️Changes- Added support for the
Vector
data collection and processing agent.
- Added support for new service installation flags:
--ignore-systemd
: skips installing the service in systemd--ignore-selinux
: bypasses SELinux permission setup--directory
: allows custom installation directory--group
: sets permissions for a specified group
- Added support for setting
Linux capabilities
forAuditbeat
during service installation - Revised and optimized logging format and volume during service installation
Inventory
⚡️Changes- The module now has a mechanism for building relationships between assets, which allows you to configure rules for automatically linking configurations, as well as provides visualizations of the resulting relationships
- The calculation module no longer requires a separate installation and is now integrated into the system
- Asset update calculations are now executed as scheduled tasks
- Each configuration calculation includes a
Run Statistics
section detailing execution status and phases
- Module configuration is now accessible via the UI
- Improved user experience with redesigned interface components
Incident Manager
⚡️Changes- The
Create Incident
action in the Task Scheduler now includes anInventory Link
section for mapping asset configurations to incident fields - IDs now follow a new format:
- Incidents:
INC-[<installation prefix>]-<YYMMDD>-<sequence number>
- Aggregations:
AGG-[<installation prefix>]-<YYMMDD>-<sequence number>
- Incidents:
- Added ability to define time bounds for
Search
type drilldowns - For aggregations, it is now possible to configure an index suffix to control result distribution across indices
- Column width in the
Incident Manager
page is now adjustable
- Fixed issue where the client info field was not populated in
Service Provider
mode - Default value for
Select
fields in the incident card settings can now be cleared
MITRE ATTACK
Improvements- A new
Detection Methods
section was added to technique descriptions - Added the ability to view tactic descriptions
- The
Detection Matrix
now calculates results based on the selected layer
SA Engine RE
Fixes- Fixed an issue where parameters containing delimiter characters could not be used
Cyber Security
⚡️Changes- A rule import mechanism for the
Sigma
format has been added. Sigma rules can now be integrated into the system and used to generate search tasks with automatic query generation inSML
. More than3000
rules are available for import
Version 5.0.1
📅 Search Anywhere Framework version 5.0.1 released on June 20, 2025.
Core
Fixes- Fixed an issue where some visualizations on the dashboard were not updating after changing the time filter
- Fixed an issue where the dynamic filter inside the dashboard did not return search results when the time token was missing
- Fixed an issue with incorrect array display in search results
- Fixed an issue with incorrect value list output in the visualization color scheme
- Fixed handling of
prefix
andsuffix
in dashboard dynamic options - Fixed an issue where the visualization selection window did not close properly
- Fixed recognition of index patterns without single quotes for cross-cluster search
- Fixed an issue where system dashboards could not be edited
- Fixed display of tooltip values when updating the
Pie Chart
visualization - Fixed
drilldown
behavior when editing the query in thePie Chart
visualization - Fixed color scheme handling in the
Table
visualization - Fixed an issue where columns were duplicated in the
Table
visualization when a field was renamed in the query - Fixed an issue where color scheme settings were reset when switching between settings tabs in the
Table
visualization - Fixed macro name validation when many parameters are used
- Fixed an issue where the list of
JDBC drivers
failed to load if it contained a driver with a large file size
Core: Engine
ImprovementsThe regex
function in the search
command is now case-insensitive by default. Case sensitivity can be enabled using the sens
flag
- Fixed a high memory usage issue when saving background task results to disk
- Fixed a search issue where a query or subquery starting with a pipeline was not processed correctly if preceded by a comment
- Fixed an issue where the
qsize
parameter limit for the amount of requested data was not applied
Core: Job Scheduler
Fixes- Fixed an issue where the
Save
button was disabled when editing a search task - Fixed the display of the query editor in dark theme
- Fixed the display of the
HTML
editor in the activeSend E-mail
action - Fixed a tokenization issue caused by escaping special characters in active actions
- Fixed an issue where the
Severity
field with an integer value in theCreate Incident
active action was saved as a floating-point number - Fixed a focus loss issue when entering values in the
Result Fields
andLocal Parameters
of theCreate Incident
active action
Knowledge Center
Improvements- Added support for configuring note access using cluster-level permissions:
cluster:admin/sm/kwc/notebook/read_all
– read accesscluster:admin/sm/kwc/notebook/write_all
– edit and deletecluster:admin/sm/kwc/notebook/create
– create
- Fixed an issue where notes were inaccessible despite having read permissions
RSM 2.0
Improvements- Added the ability to configure layer-level access permissions
- Added the ability to enable or disable metrics
SAF Beat Manager
Improvements- Added support for binding clients by tags in group filter configuration
- The
Clients
page search now supports theTag
field
SAF Beat
Improvements- Application metadata and logs are no longer deleted when applications are modified
Incident Manager
Improvements- Added sorting for additional fields in
AdHoc
actions - Full incident information is now passed to
AdHoc
actions
- Fixed an issue with incorrect creation time for empty incidents
- Fixed a
NullPointerException
when loading the dynamic filter - Fixed clearing of aggregation settings from memory when they are deleted