
What's New?

Version 5.0

📅 Search Anywhere Framework version 5.0.0 released on April 30, 2025.

Core

⚡️Changes
  • A new feature Notes has been added, allowing users to quickly create and update notes from any section of the interface. Notes can include incidents, visualizations, Inventory module assets, files, images, and free-form text
  • Enhancements to Search Anywhere: a new data source type API has been introduced, enabling data retrieval via REST API
  • A new visualization Quick State has been added. It consists of dynamic cards that are automatically generated based on search query results. Each card displays a key metric with color indicators and an icon
  • A new visualization Tree Map has been added. It displays search results as rectangles of varying sizes, with each rectangle’s area proportional to the numeric value of the corresponding data partition
Improvements
  • By default, the sidebar in the search interface now displays only the most frequently used source fields
  • Table visualization: tooltips showing the column name are now displayed when hovering over a column
  • When a line in the search query is highlighted, all occurrences of that line are now also highlighted
  • Tooltips have been added in the search interface for the Export, Notifications, and Share buttons
  • The row count display options on the search results page have been extended — options 100 and 200 are now available
  • Pages with object lists now show the total number of items
Fixes
  • Fixed an issue where values from visualizations were incorrectly substituted into text and multi-select filters

Core: Engine

⚡️Changes
  • A new option allows indices matching a pattern to be excluded from processing at search runtime when their data falls outside the specified time filter
Improvements
  • The name of a cross-cluster connection can now be specified in the search query without single quotes
  • The search command now supports the in function, which checks if a field's value is within a specified set
  • It is now possible to specify multiple addresses for connecting to SA Engine RE
Fixes
  • Query parsing errors now display the correct line number where the error occurred
  • Fixed the behavior of ceil and floor functions when used with large numbers in the eval command

Core: Job Scheduler

Fixes
  • Fixed suppression behavior for multivalue fields

User Behavior Analytics

⚡️Changes
  • Added support for configuring Exceptions in profiling policies
  • Added partial recalculation support for Dictionary and Statistics algorithms in profiling policies

RSM

⚡️Changes
  • Beta version of RSM 2.0 released, featuring a new interface, updated logic, and enhanced metric-service linking
Improvements
  • Added automatic model update capabilities within the interface
  • Added bulk editing for models, metrics, and indicators
Fixes
  • Optimized rendering performance of the model view page

SAF Beat Manager

⚡️Changes
  • Added support for a new agent type: Vector
Improvements
  • Added support for new service installation flags:
    • --ignore-systemd: skips installing the service in systemd
    • --ignore-selinux: ignores SELinux checks and execution permissions
    • --directory: specifies a custom installation directory
    • --group: sets file permissions for a specific group
Fixes
  • Fixed an issue where group setting changes (applications or files) were not reflected in the agent list
  • Fixed an issue where a client was not removed from a group
  • Fixed notification logic for new data availability
  • Fixed missing updates after invoking the reload API method
  • Fixed an issue where deleted applications or files were still shown in the agent info panel

SAF Beat

⚡️Changes
  • Added support for the Vector data collection and processing agent
Improvements
  • Added support for new service installation flags:
    • --ignore-systemd: skips installing the service in systemd
    • --ignore-selinux: bypasses SELinux permission setup
    • --directory: allows custom installation directory
    • --group: sets permissions for a specified group
  • Added support for setting Linux capabilities for Auditbeat during service installation
  • Revised and optimized logging format and volume during service installation

Inventory

⚡️Changes
  • The module now has a mechanism for building relationships between assets: rules can be configured to link configurations automatically, and the resulting relationships are visualized
  • The calculation module no longer requires a separate installation and is now integrated into the system
  • Asset update calculations are now executed as scheduled tasks
  • Each configuration calculation includes a Run Statistics section detailing execution status and phases
Improvements
  • Module configuration is now accessible via the UI
  • Improved user experience with redesigned interface components

Incident Manager

⚡️Changes
  • The Create Incident action in the Task Scheduler now includes an Inventory Link section for mapping asset configurations to incident fields
  • IDs now follow a new format:
    • Incidents: INC-[<installation prefix>]-<YYMMDD>-<sequence number>
    • Aggregations: AGG-[<installation prefix>]-<YYMMDD>-<sequence number>
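The ID format above is easy to get subtly wrong when other tooling (ticket correlation, log parsing, SOAR playbooks) has to consume it, because the installation prefix is optional and the date segment must still be a valid YYMMDD date. The following parser and formatter is an added example written for this page, not code from the Search Anywhere Framework itself. It assumes the prefix, when present, is alphanumeric, the sequence number is decimal, and sequence numbers are zero-padded to four digits on output; none of these details are stated in the release notes.

```python
import re
from datetime import date, datetime
from typing import NamedTuple, Optional

# Pattern for the two ID kinds listed in the release notes:
#   INC-[<installation prefix>]-<YYMMDD>-<sequence number>
#   AGG-[<installation prefix>]-<YYMMDD>-<sequence number>
# Assumptions (not on the page): the prefix is alphanumeric and optional,
# and the sequence number is a run of decimal digits.
ID_RE = re.compile(
    r"^(?P<kind>INC|AGG)-"
    r"(?:(?P<prefix>[A-Za-z0-9]+)-)?"
    r"(?P<date>\d{6})-"
    r"(?P<seq>\d+)$"
)


class IncidentId(NamedTuple):
    kind: str              # "INC" or "AGG"
    prefix: Optional[str]  # installation prefix, None when absent
    day: date              # the YYMMDD segment as a real date
    seq: int               # sequence number as an integer


def parse_id(value: str) -> Optional[IncidentId]:
    """Parse an incident/aggregation ID; return None if it does not conform."""
    m = ID_RE.match(value)
    if not m:
        return None
    try:
        # Reject IDs whose date segment is not a calendar date (e.g. month 13).
        day = datetime.strptime(m.group("date"), "%y%m%d").date()
    except ValueError:
        return None
    return IncidentId(
        kind=m.group("kind"),
        prefix=m.group("prefix"),
        day=day,
        seq=int(m.group("seq")),
    )


def format_id(kind: str, prefix: Optional[str], day: date, seq: int, width: int = 4) -> str:
    """Build an ID in the documented layout; width (zero padding) is an assumption."""
    if kind not in ("INC", "AGG"):
        raise ValueError("kind must be INC or AGG")
    if prefix is not None and not re.fullmatch(r"[A-Za-z0-9]+", prefix):
        raise ValueError("prefix must be alphanumeric")
    parts = [kind]
    if prefix:
        parts.append(prefix)
    parts.append(day.strftime("%y%m%d"))
    parts.append(f"{seq:0{width}d}")
    return "-".join(parts)


if __name__ == "__main__":
    # Constructed sample IDs; "PROD" is a made-up installation prefix.
    for sample in ("INC-PROD-250430-0001", "AGG-250620-17", "INC-PROD-251301-1", "TKT-PROD-250430-1"):
        print(sample, "->", parse_id(sample))
```

Because the prefix is optional, a plain split on "-" is ambiguous; the regex resolves it by requiring a six-digit date segment, so `AGG-250620-17` is read as having no prefix while `INC-PROD-250430-0001` carries one.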
Improvements
  • Added ability to define time bounds for Search type drilldowns
  • For aggregations, it is now possible to configure an index suffix to control result distribution across indices
  • Column width in the Incident Manager page is now adjustable
Fixes
  • Fixed issue where the client info field was not populated in Service Provider mode
  • Default value for Select fields in the incident card settings can now be cleared

MITRE ATTACK

Improvements
  • A new Detection Methods section was added to technique descriptions
  • Added the ability to view tactic descriptions
Fixes
  • The Detection Matrix now calculates results based on the selected layer

SA Engine RE

Fixes
  • Fixed an issue where parameters containing delimiter characters could not be used

Cyber Security

⚡️Changes
  • A rule import mechanism for the Sigma format has been added. Sigma rules can now be integrated into the system and used to generate search tasks with automatic query generation in SML. More than 3000 rules are available for import

Version 5.0.1

📅 Search Anywhere Framework version 5.0.1 released on June 20, 2025.

Core

Fixes
  • Fixed an issue where some visualizations on the dashboard were not updating after changing the time filter
  • Fixed an issue where the dynamic filter inside the dashboard did not return search results when the time token was missing
  • Fixed an issue with incorrect array display in search results
  • Fixed an issue with incorrect value list output in the visualization color scheme
  • Fixed handling of prefix and suffix in dashboard dynamic options
  • Fixed an issue where the visualization selection window did not close properly
  • Fixed recognition of index patterns without single quotes for cross-cluster search
  • Fixed an issue where system dashboards could not be edited
  • Fixed display of tooltip values when updating the Pie Chart visualization
  • Fixed drilldown behavior when editing the query in the Pie Chart visualization
  • Fixed color scheme handling in the Table visualization
  • Fixed an issue where columns were duplicated in the Table visualization when a field was renamed in the query
  • Fixed an issue where color scheme settings were reset when switching between settings tabs in the Table visualization
  • Fixed macro name validation when many parameters are used
  • Fixed an issue where the list of JDBC drivers failed to load if it contained a driver with a large file size

Core: Engine

Improvements
  • The regex function in the search command is now case-insensitive by default. Case sensitivity can be enabled using the sens flag

Fixes
  • Fixed a high memory usage issue when saving background task results to disk
  • Fixed a search issue where a query or subquery starting with a pipeline was not processed correctly if preceded by a comment
  • Fixed an issue where the qsize parameter limit for the amount of requested data was not applied

Core: Job Scheduler

Fixes
  • Fixed an issue where the Save button was disabled when editing a search task
  • Fixed the display of the query editor in dark theme
  • Fixed the display of the HTML editor in the active Send E-mail action
  • Fixed a tokenization issue caused by escaping special characters in active actions
  • Fixed an issue where the Severity field with an integer value in the Create Incident active action was saved as a floating-point number
  • Fixed a focus loss issue when entering values in the Result Fields and Local Parameters of the Create Incident active action

Knowledge Center

Improvements
  • Added support for configuring note access using cluster-level permissions:
    • cluster:admin/sm/kwc/notebook/read_all – read access
    • cluster:admin/sm/kwc/notebook/write_all – edit and delete
    • cluster:admin/sm/kwc/notebook/create – create
Fixes
  • Fixed an issue where notes were inaccessible despite having read permissions

RSM 2.0

Improvements
  • Added the ability to configure layer-level access permissions
  • Added the ability to enable or disable metrics

SAF Beat Manager

Improvements
  • Added support for binding clients by tags in group filter configuration
  • The Clients page search now supports the Tag field

SAF Beat

Improvements
  • Application metadata and logs are no longer deleted when applications are modified

Incident Manager

Improvements
  • Added sorting for additional fields in AdHoc actions
  • Full incident information is now passed to AdHoc actions
Fixes
  • Fixed an issue with incorrect creation time for empty incidents
  • Fixed a NullPointerException when loading the dynamic filter
  • Fixed clearing of aggregation settings from memory when they are deleted