Skip to main content
Version: 5.1

What's New?

Version 5.1

📅 Search Anywhere Framework version 5.1.0 released on August 1, 2025.

Critical changes

Please note the critical changes section.

New Module — Application Performance Monitoring (APM)

The Search Anywhere Framework now includes the APM module, which enables uploading OpenTelemetry-standard trace data and provides a tool for analyzing traces, services, and operations within a unified ecosystem alongside the resource-service model, inventory, and incident manager.

🔥 New

Core

⚡️Changes
  • Optimized interface performance—pages now load 30–50% faster, and the size of downloaded data has been reduced by half
  • Added the verbose search mode, enabling the viewing of source documents when using modifying commands
  • Introduced the client settings interface for SP client connections
  • Added the Trace Timeline visualization to display event sequences over time as traces
  • Added the Map visualization for building relationship maps between objects
Improvements
  • The search timeline is now interactive—selecting a time interval displays related data and statistics
  • Added a new set of options for quick searches on numeric fields:
    • Time-based average value
    • Time-based maximum value
    • Time-based minimum value
  • Added a preview of how a query will be modified in quick searches
  • Enabled exclusion searches by value in quick searches
  • When pinning fields in search, users can now display the entire event, with pinned fields appearing first and highlighted
  • Content Management now supports loading reference books from content modules
  • Access to the System Parameters navigation section can now be controlled via menu permissions
  • Spotlight now supports searching within notes
Fixes
  • Fixed an issue preventing visualization type switching when editing a dashboard
  • Fixed date-type field extraction from CSV when loading data into an index
  • Fixed an issue where columns in Table visualizations could not be hidden
  • Fixed a macro saving error when the macro contained the | symbol
  • Excluded the upper bound of color ranges in Single Value visualizations
  • Fixed incorrect display of negative values in Single Value visualizations
  • Fixed a field name display issue in Single Value visualizations
  • Fixed X-axis value display in Column Chart visualizations
  • Fixed an issue where color changes in Column Chart visualizations did not apply without modifying other settings
  • Fixed incorrect column name display in Column Chart and Line Chart visualizations
  • Fixed overlapping dynamic input elements in dashboards
  • Fixed missing time fields in index templates
  • Fixed duplicate magnifying glass icons in various system interfaces
  • Fixed JDBC query editor display in dark mode
  • Fixed an issue preventing modification of the Start time option in Snapshot Policy editing
  • Fixed spotlight search errors when lacking inventory configuration list permissions

Core: Engine

⚡️Changes
  • Added a memory monitoring mechanism to search, limiting query execution to prevent node crashes
  • Commands peval, aggs, and timeaggs now automatically use keyword-type fields
  • Added an auto-keyword setting for the search command to enable automatic use of keyword-type fields
  • Added the TEXT operator to search, forcing searches on text-type fields when auto-keyword is enabled
  • The SME module no longer requires installation on all cluster nodes, allowing dedicated search-only nodes
Improvements
  • Added new limits for background queries
  • The eval command now supports fields extracted from array objects
  • The format command’s output can now be modified by other commands when used in a search subquery
  • The inputlookup, lookup, and outputlookup commands now support the system parameter for using system reference books
Fixes
  • Fixed a search issue where incorrect fields were displayed in the table after executing timechart or timeaggs commands
  • Fixed a memory leak when saving background task results to disk
  • Fixed a search issue when a query or subquery began with a pipe character (|) preceded by a comment
  • Fixed an issue where using a single * character in a query wasn't possible
  • Fixed an issue in the search interface where null field values were displayed as undefined
  • Fixed parameter highlighting for packsize and nores in the outputlookup command
  • Fixed an error in string formatting using conditional operations in the eval command

Core: Job Scheduler

Improvements
  • Table column order from queries is now preserved when exporting via the Send Email active action
Fixes
  • Fixed a license check timeout issue in the Create Incident active action
  • Fixed an issue where it was impossible to disable mailing group usage in the Send Email active action

Incident Manager

⚡️ Changes
  • Redesigned the incident card interface
  • Added ability to create comments from the history interface
  • History comments now support Markdown
  • Added history search functionality
  • Added incident linking capability
  • Added configurable filter relationships to build dependencies between filter values
Improvements
  • Added exclusion filters
  • Added UI configuration for severity levels
  • The Severity filter can now be configured using dynamic options
  • Added a new Markdown field type to incident cards
  • Added incident tag editing capability
  • Workflow transition connections can now be moved via double-click in the transition settings interface
  • Increased working area in workflow transition settings
  • The Incident Statistics dashboard is now installed automatically, with updates trackable in Content Management
Fixes
  • Fixed missing notifications for workflow changes
  • Fixed an error when editing incidents
  • Fixed an issue with editing incident groups when the Synchronize with incidents in this group option was disabled
  • Fixed incorrect grouping settings deletion

RCM 2.0

⚡️ Changes
  • Implemented layer snapshotting to view system state at different time points
  • Added service search capability
Improvements
  • The RCM and Layers pages are now merged, with switching via toggle
  • Added service centering when clicked
Fixes
  • Fixed incorrect service width calculation in Firefox browser
  • Fixed incorrect connection rendering when switching between layers
  • Fixed disabled metric panel buttons when reselecting a service
  • Fixed an issue where the time field wasn't saved in metrics

User Behavior Analytics

⚡️Changes
  • Added support for configuring Exceptions in profiling policies
  • Added partial recalculation support for Dictionary and Statistics algorithms in profiling policies

RCM

Fixes
  • Fixed an issue where the interface displayed Error: Not Found message when models were missing

SAF Beat Manager

Improvements
  • SAF Beat Management access is now controlled based on cluster permissions of the current account:
    • cluster:admin/sm/sbm/view - full access (backward compatibility)
    • cluster:admin/sm/sbm/all_access - full access
    • cluster:admin/sm/sbm/read_only - read-only access
  • Added support for multiple SAF nodes for authorization checks
Fixes
  • Fixed an issue where logs stopped being recorded after clearing the log directory

SAF Beat

Fixes
  • Fixed an issue where the agent couldn't connect to the network interface after system reboot
  • Fixed user/group verification issues on zLINUX operating system
  • Fixed file descriptor leaks when accessing SAF Beat Manager

Inventory

Improvements
  • Added a filter in source configurations that uses conditional expressions to keep only relevant events for inventory
  • Added statistics for assets to the configuration list and asset page
  • Optimized asset configuration calculation runs
  • Added more detailed execution statistics
  • Added capability for self-linking assets
Fixes
  • Added automatic storage creation after asset configuration creation
  • Fixed incorrect display of list-type attributes in the related assets section

User Behavior Analytics

Improvements
  • Redesigned the interface for configuring coloring intervals in scoring calculations

Lookup Manager

Improvements
  • The reference interface now supports copy-paste operations for table data

MITRE ATTACK

Improvements
  • Dashboards, tasks, and references required for module operation are now installed automatically. Updates can be tracked in Content Management
Fixes
  • Fixed an issue where current time was displayed instead of actual creation/modification time for layers

Knowledge Center

Improvements
  • Added keyboard shortcuts for all editing options
Fixes
  • Fixed an issue where only one block was saved when adding multiple consecutive blocks
  • Fixed an issue when opening notes in new windows
  • Fixed missing pagination settings for rules list
  • Fixed highlighted text display in dark theme
  • Fixed interface errors when deleting images from notes
  • Fixed navigation behavior when deleting intermediate pages

MSSP

Fixes
  • Fixed cluster connection information display issues
  • Fixed request handling when connection to remote cluster is lost

Cyber Security

Improvements
  • Added capability to import Sigma rule archives

Search Anywhere Framework Installer

Improvements
  • Added capability for installation and updates without requiring root privileges
  • Logstash updated to version 8.13.4
  • Added option to select OpenSearch user account for updates
Fixes
  • Fixed incorrect automatic JVM heap size detection
  • Fixed user group handling for services
  • Fixed Logstash installation directory detection
  • Fixed installer config file directory reading
  • Fixed a bug in SA Web
  • Fixed build.number processing issue in SA Web

Critical Changes

  • Changed license storage path to <OS_HOME>/config/sm-core/<LICENSE_FILE>
  • Modified structure for linking incidents to Inventory module:
    • field inventory_name renamed to inventory_id
    • field index_name renamed to inventory_name