What's new?
Version 4.2
📅 Search Anywhere Framework version 4.2.0 was released on October 25, 2024.
Core
⚡️ Changes
- Introduced an interface for installation and content management
- Added an interface to monitor active searches
- Updated dark and light themes
- Theme selection now replaces style settings
- New themes added: Green, Blue, Night Blue, and Ocean
- Expanded the set of modules and objects available for Spotlight search
- Global tag search is now available in Spotlight
- Significantly increased data migration speed to ClickHouse
- Updated dompurify to version 2.5.4
- Fixed an issue where the `core.use_cluster_state` setting value would reset after a cluster restart
- Fixed an issue with configuration retrieval from Cluster State
Core: Search Interface
Fixes
- Fixed an issue with link generation when clicking the `Share` button
Core: Engine
⚡️ Changes
- Added Machine Learning support for SAF Language commands
- Added support for the following algorithms:
  - K-means
  - Linear regression
  - Random Cut Forest (RCF)
  - RCF Summarize
  - Localization
  - Logistic regression
- Added the `train` and `predict` commands
- Added the `median` function to the `stats`, `aggs`, `timechart`, `timeaggs`, `chart`, `eventstats`, and `streamstats` commands
- The `perc` (percentile) function is now available in the `chart`, `eventstats`, and `streamstats` commands
- Added the option to disable the time filter in the `source` command using the `timefield` parameter
- Fixed incorrect comparison of numbers with different data types in the `eval` command
- Fixed an issue where the `random` function generated identical values for different documents
Core: Job Scheduler
⚡️ Changes
- Added developer mode for editing tasks
- Added SSL/TLS configuration option for the Webhook action
- The password for authorization in the Webhook action is now stored in the Keystore with the prefix `jobscheduler.webhook.password`
- Fixed an issue with the suppression mechanism for nested fields
- Fixed an issue where tasks could run on servers where the `node_with_sme` attribute was set to `false`
Core: Remote Executor
Improvements
- Updated spring-boot-starter-parent to version 3.3.4
SAF Beat
⚡️ Changes
- Added the `rotation.log_path` configuration parameter to specify the log directory
- Added `CN=<hostname>` to the agent certificate (or `SAF Beat` if `hostname` is unavailable)
- The `server` parameter group is now hidden by default in the configuration
- Default values set for `ssl.cert_ca` as `./cert/ca-cert.pem` and `manager.host` as `127.0.0.1`
Agent Management
⚡️ Changes
- Added `CN=<hostname>` to the agent certificate (or `SAF Beat` if `hostname` is unavailable)
- Renamed the console command `delete` to `remove` (standardized with SAF Beat)
- Optimized data loading speed in the interface
- Expanded error descriptions in logs
- `authorization.opensearch.host` now defaults to `https`
- `authorization.opensearch.ca_key` is now hidden by default
- `authorization.opensearch.ca_cert` now defaults to `ca-cert.pem`
- `authorization.opensearch.ssl_enabled` is now optional and hidden by default
Inventory
⚡️ Changes
- Added the option to set a `base field coefficient` for more precise partial similarity tuning
Incident Manager
Fixes
- Fixed the `Responsible` filter functionality
Lookup Manager
Improvements
- Optimized data lookup search performance
- Added a parameter in the directory settings to control the amount of data displayed in the interface
Version 4.1
📅 Search Anywhere Framework version 4.1.0 was released on July 11, 2024.
Core
⚡️ Changes
- Updated OpenSearch to version 2.13.0
- Added the ability to save SAF settings in Cluster State, allowing access to the cluster when it's overloaded
- Added the ability to manage Keystore via API
- Updated the `Radar Chart` visualization
- Updated the `Sankey Diagram` visualization
- Updated the `Table` visualization
- Added the ability to set a custom identifier when creating tags
- Notifications now feature a `View Error` button with detailed information
- In the `Upload Data` and `Lookup Manager` sections, the maximum import data size now refers to the `server.maxPayloadBytes` parameter
- Added the ability to drag and drop panels to new rows up or down
- Fixed incorrect breadcrumb display with long text inside
Core: Search Interface
Improvements
- Added highlighting for string expressions in search queries
- Added the ability to delete words up to the nearest space using the `Shift + Option + Backspace` or `Shift + Alt + Backspace` key combination
- Improved query expression highlighting in dark mode
- Improved the display of errors that occur during search execution
- Added additional connection checks (SSL, mandatory authentication) when accessing `SME-RE`
- Fixed the inability to export data to Excel with multivalue fields
Core: Engine
⚡️ Changes
- Added the `perc` (percentile) function to the `stats`, `aggs`, `timechart`, and `timeaggs` commands
- Added resource consumption control when sending data using the SME Circuit Breaker
- Optimized search result transfer between SAF modules
Core: Job Scheduler
⚡️ Changes
- Added the ability to specify roles under which a search will run within a task
- Added the ability to mass enable and disable tasks
- Removed Index Aggregation action
- Added additional connection checks (SSL, mandatory authentication) when accessing `SME-RE`
- Added a driver for ClickHouse in `JdbcOutputAction`
- The database connection password in `JdbcOutputAction` is now stored in the Keystore
- Added the ability to specify certificates and the SSL protocol version in `WebhookAction`
- Fixed incorrect task name truncation
- Fixed incorrect table behavior when adding a new column
User Behavior Analytics
⚡️ Changes
- Added count to the calculation settings function
- Added the ability to change permissions for `Object Types` and `Scoring Types`
- Fixed blocked create object button when types are missing
- Adjusted out-of-license message display
SAF Beat
⚡️ Changes
- Added the `agent.ip` parameter to override the `localIp` sent to Agent Management
- Added the `agent.tags` configuration parameter to filter the list of agents in Agent Management
- Added sending all IPv4 addresses of network interfaces with a filled MAC address
- Fixed DNS not displaying in the absence of a private IP
- Fixed application integrity control
- Fixed repeated `TLS handshake error from : EOF` messages
Agent Management
⚡️ Changes
- Added the ability to store the backup user and password in environment variables
- Fixed repeated `TLS handshake error from : EOF` messages
Inventory
⚡️ Changes
- Added the ability to store the login and password for connecting to SM Data Storage in environment variables
- Added a warning for duplicate names of base and additional fields in the configuration
Incident Manager
⚡️ Changes
- Added incident grouping results to the `Incident Manager` main page
- Added the `Incident Group Settings` page for configuring incident grouping
- Added tags to grouped incidents
- Search is now performed by the storage
- Added the ability to display user filters in `Incident Manager` based on their type
- Improved incident and incident group history; added the `incident_history_language` flag to set the history language
Lookup Manager
Fixes
- Fixed a page reload issue during file import into the directory
Knowledge Center
⚡️ Changes
- Added the ability to display Markdown articles (read-only)
- Fixed error when there are no items in the permission group field
MITRE ATTACK
⚡️ Changes
- The role model can now be configured for MITRE ATTACK matrix layers
Version 4.0
📅 Search Anywhere Framework version 4.0.0 was released on April 12, 2024.
Core
⚡️ Changes
- Added the Search Anywhere settings interface (connection to external data stores)
- Added auto-completion for database connection strings in Search Anywhere
- Added the ability to test connections to external storage
- Added scoring configuration options
- JDBC query configuration is now integrated into Search Anywhere
- The `Upload Data` and `Active Tasks` links have been moved to the left menu
- The xlsx library was updated to version 0.20.1
- Fixed the filter-saving mechanism in the address bar
Core: Search Interface
⚡️ Changes
- Added a new visualization type: `Heatmap`
Core: Engine
⚡️ Changes
- Added support for searching ClickHouse using Search Language
- Added `Timeline` and `Sidebar` for ClickHouse queries
- Time parameter passing is now available for ClickHouse storage queries
Core: Job Scheduler
⚡️ Changes
- Added the ability to select which columns to display in the `Task List`
- The `MITRE ATT&CK` action now supports multi-selection of techniques
User Behavior Analytics
⚡️ Changes
- Added module configuration on first launch
- Added new profiling algorithms: `Dictionary`, `Statistics`, `Frequency`, and `Chronology`
- Added UBA object profile page and object information card
- Added warning for UBA object duplicates
- Added the ability to configure the type of object profiling
- Added the ability to link scoring type to an object
- Added automatic object list population by schedule
- Added support for running multiple profiling algorithms in policies
- Added the ability to use a custom function for scoring calculation
- Added the ability to view profiling policy results
- Added statistics on runs for each object
- Added server filtering options for running calculations
- Added deletion confirmation in module settings
- Added scoring deletion confirmation
Incident Manager
⚡️ Changes
- Added an incident group creation mechanism (aggregations)
- Added incident group configuration
- Added the ability to choose the closure status for incident groups
- Added the ability to configure the display (incidents only or incidents and groups of incidents)
- Added the ability to edit incident groups with synchronized changes for each incident
- Added the ability to run Adhoc Actions for incident groups
- Added the ability to display MITRE techniques for incident groups
- Each incident group now has configurable group parameters
- Incident or incident group description configuration can now be done with Markdown
- Added search by owners in the incident table search bar
- Added search by query results in the incident table search bar
- System and display names for incident groups are now configurable
- Fixed the error that occurred during incident list auto-refresh when no data was available
Knowledge Center
Fixes
- Fixed the display of tags on the `Scenarios` page
- Fixed the error when fetching the list on the `Wikilogs` page
MITRE ATTACK
Fixes
- Fixed the error in technique information display when `mitigations` were missing
- Fixed the error in getting statistics for triggered rules