
What's new?

Version 4.2

📅 Search Anywhere Framework version 4.2.0 was released on October 25, 2024.

Core

⚡️ Changes
  • Introduced an interface for installation and content management
  • Added an interface to monitor active searches
  • Updated dark and light themes
  • Theme selection now replaces style settings
  • New themes added: Green, Blue, Night Blue, and Ocean
Improvements
  • Expanded the set of modules and objects available for Spotlight search
  • Global tag search is now available in Spotlight
  • Significantly increased data migration speed to ClickHouse
  • Updated the DOMPurify HTML sanitizer to version 2.5.4
Fixes
  • Fixed an issue where the core.use_cluster_state setting value would reset after cluster restart
  • Fixed an issue with configuration retrieval from Cluster State

Core: Search Interface

Fixes
  • Fixed an issue with link generation when clicking the Share button

Core: Engine

⚡️ Changes
  • Added Machine Learning support for SAF Language commands
  • Added support for the following algorithms:
    • K-means
    • Linear regression
    • Random Cut Forest (RCF)
    • RCF Summarize
    • Localization
    • Logistic regression
  • Added the train and predict commands
  • Added the median function to stats, aggs, timechart, timeaggs, chart, eventstats, and streamstats commands
Improvements
  • The perc (percentile) function is now available in chart, eventstats, and streamstats commands
  • Added the option to disable the time filter in the source command using the timefield parameter
Fixes
  • Fixed incorrect comparison of numbers with different data types in the eval command
  • Fixed an issue where the random function generated identical values for different documents
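The last fix above names a symptom (one value repeated across documents) but not its cause. As an added illustration, not SAF's own code, the following Python shows the most common way this class of bug arises in any search engine, a generator re-seeded with the same constant for every document, next to two correct alternatives: one shared generator per result set, and a per-document value derived from a run nonce so it is stable within a run but differs between documents and runs. The sample documents are constructed; `random_reseeded_per_document` is a hypothetical reproduction, not SAF's implementation.

```python
"""Why a per-document random() can collapse to one value, and two ways to avoid it."""
import hashlib
import random
import secrets
from typing import Optional

# Constructed sample result set (not real SAF data).
DOCS = [{"_id": f"doc-{i}", "host": h} for i, h in enumerate(["web1", "web2", "db1", "db1"])]


def random_reseeded_per_document(docs, seed: int = 1234) -> dict:
    """Buggy pattern (hypothetical cause; the release notes only state the symptom):
    a fresh generator seeded with the same constant for every document, so every
    document receives the first output of an identical stream."""
    out = {}
    for d in docs:
        rng = random.Random(seed)        # same seed each iteration: same stream
        out[d["_id"]] = rng.random()
    return out


def random_shared_generator(docs, seed: Optional[int] = None) -> dict:
    """Fix 1: one generator shared across the whole result set. With seed=None it is
    seeded from OS entropy; pass a seed only when a run must be reproducible."""
    rng = random.Random(seed)
    return {d["_id"]: rng.random() for d in docs}


def random_derived_per_document(docs, run_nonce: Optional[bytes] = None) -> dict:
    """Fix 2: derive the value from (per-run nonce, document id). Deterministic for a
    document inside one run (useful when the value is referenced more than once in
    a query), different across documents, and unpredictable across runs."""
    nonce = run_nonce if run_nonce is not None else secrets.token_bytes(16)
    out = {}
    for d in docs:
        digest = hashlib.sha256(nonce + d["_id"].encode("utf-8")).digest()
        out[d["_id"]] = int.from_bytes(digest[:8], "big") / 2 ** 64   # uniform in [0, 1)
    return out


def distinct_values(values: dict) -> int:
    """Number of distinct random values produced; 1 reproduces the reported bug."""
    return len(set(values.values()))


if __name__ == "__main__":
    print("reseeded per document:", distinct_values(random_reseeded_per_document(DOCS)))
    print("shared generator:     ", distinct_values(random_shared_generator(DOCS)))
    print("derived per document: ", distinct_values(random_derived_per_document(DOCS)))
```

The derived variant is the one to prefer when a query may evaluate the same field more than once, because the shared generator hands out a different value on every call.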

Core: Job Scheduler

⚡️ Changes
  • Added developer mode for editing tasks
Improvements
  • Added SSL/TLS configuration option for the Webhook action
  • The password used for authorization in the Webhook action is now stored in the Keystore under the jobscheduler.webhook.password prefix instead of in the task configuration
Fixes
  • Fixed an issue with the suppression mechanism for nested fields
  • Fixed an issue where tasks could run on servers where the node_with_sme attribute was set to false

Core: Remote Executor

Improvements

SAF Beat

⚡️ Changes
  • Added the rotation.log_path configuration parameter to specify the log directory
  • The agent certificate now carries CN=<hostname> (CN=SAF Beat when the hostname cannot be determined)
Improvements
  • The server parameter group is now hidden by default in the configuration
  • ssl.cert_ca now defaults to ./cert/ca-cert.pem and manager.host to 127.0.0.1

Agent Management

⚡️ Changes
  • The agent certificate now carries CN=<hostname> (CN=SAF Beat when the hostname cannot be determined)
Improvements
  • Renamed the console command delete to remove (standardized with SAF Beat)
  • Optimized data loading speed in the interface
  • Expanded error descriptions in logs
  • authorization.opensearch.host now defaults to https
  • authorization.opensearch.ca_key is now hidden by default
  • authorization.opensearch.ca_cert now defaults to ca-cert.pem
  • authorization.opensearch.ssl_enabled is now optional and hidden by default

Inventory

⚡️ Changes
  • Added the option to set a base field coefficient for more precise partial similarity tuning

Incident Manager

Fixes
  • Fixed the Responsible filter functionality

Lookup Manager

Improvements
  • Optimized data lookup search performance
Fixes
  • Added a parameter in the directory settings to control the amount of data displayed in the interface

Version 4.1

📅 Search Anywhere Framework version 4.1.0 was released on July 11, 2024.

Core

⚡️ Changes
  • Updated OpenSearch to version 2.13.0
  • Added the ability to save SAF settings in Cluster State, so the cluster remains accessible while it is overloaded
  • Added the ability to manage Keystore via API
  • Updated Radar Chart visualization
  • Updated Sankey Diagram visualization
  • Updated Table visualization
Improvements
  • Added the ability to set a custom identifier when creating tags
  • Notifications now feature a View Error button with detailed information
  • In the Upload Data and Lookup Manager sections, the maximum import size is now governed by the server.maxPayloadBytes parameter
  • Added the ability to drag and drop panels to new rows up or down
Fixes
  • Fixed incorrect breadcrumb display with long text inside

Core: Search Interface

Improvements
  • Added highlighting for string expressions in search queries
  • Added the ability to delete a word back to the nearest space with Shift + Option + Backspace (macOS) or Shift + Alt + Backspace (Windows, Linux)
  • Improved query expression highlighting in dark mode
  • Improved error display occurring during search execution
  • Added additional connection checks (SSL, mandatory authentication) when accessing SME-RE
Fixes
  • Fixed the inability to export data to Excel with multivalue fields

Core: Engine

⚡️ Changes
  • Added perc (percentile) function to stats, aggs, timechart, timeaggs commands
  • Added resource consumption control when sending data using SME Circuit Breaker
Improvements
  • Optimized search result transfer between SAF modules
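The "resource consumption control when sending data using SME Circuit Breaker" entry above names the mechanism without showing what it does. As an added example, not SAF's or OpenSearch's own breaker code, the following Python implements the general pattern: a byte budget that callers reserve before sending and release afterwards, which trips when a request would exceed the limit and stays open until in-flight usage drops below a reset threshold. The class name, limits and sample batches are all constructed for this illustration.

```python
"""Byte-budget circuit breaker for outbound data transfer (constructed illustration)."""
import threading
from typing import List, Tuple


class CircuitBreakerTripped(Exception):
    """Raised when a reservation is refused because the budget is exhausted."""


class ByteBudgetBreaker:
    """Caps the number of bytes in flight at once.

    reserve(n) must be called before a send and release(n) after it. A request that
    would push usage past `limit_bytes` trips the breaker; while tripped, new
    reservations are refused until in-flight usage falls to `reset_fraction` of the
    limit, so one oversized result transfer cannot starve everything else on the node.
    """

    def __init__(self, limit_bytes: int, reset_fraction: float = 0.5) -> None:
        self.limit = limit_bytes
        self.reset_at = int(limit_bytes * reset_fraction)
        self.in_flight = 0
        self.tripped = False
        self.rejected = 0
        self._lock = threading.Lock()

    def reserve(self, nbytes: int) -> None:
        with self._lock:
            if self.tripped and self.in_flight > self.reset_at:
                self.rejected += 1
                raise CircuitBreakerTripped(f"breaker open, {self.in_flight} B in flight")
            if self.in_flight + nbytes > self.limit:
                self.tripped = True
                self.rejected += 1
                raise CircuitBreakerTripped(f"{nbytes} B would exceed limit {self.limit} B")
            self.tripped = False          # usage is back under control: close the breaker
            self.in_flight += nbytes

    def release(self, nbytes: int) -> None:
        with self._lock:
            self.in_flight = max(0, self.in_flight - nbytes)


def try_reserve(breaker: ByteBudgetBreaker, nbytes: int) -> bool:
    """Reserve without raising; True when the reservation was granted."""
    try:
        breaker.reserve(nbytes)
        return True
    except CircuitBreakerTripped:
        return False


def send_batches(breaker: ByteBudgetBreaker, batches: List[bytes], sink: list) -> Tuple[int, int]:
    """Push each batch to `sink` under the breaker; returns (sent, dropped) counts.
    A dropped batch is the caller's signal to page, retry later, or shrink the result."""
    sent = dropped = 0
    for batch in batches:
        if not try_reserve(breaker, len(batch)):
            dropped += 1
            continue
        try:
            sink.append(batch)            # stand-in for the real network send
            sent += 1
        finally:
            breaker.release(len(batch))
    return sent, dropped


if __name__ == "__main__":
    # Constructed batches: the middle one alone exceeds the 1000-byte budget.
    sample = [b"a" * 300, b"b" * 1500, b"c" * 200]
    print(send_batches(ByteBudgetBreaker(1000), sample, []))
```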

Core: Job Scheduler

⚡️ Changes
  • Added the ability to specify roles under which a search will run within a task
  • Added the ability to mass enable and disable tasks
  • Removed Index Aggregation action
Improvements
  • Added additional connection checks (SSL, mandatory authentication) when accessing SME-RE
  • Added a driver for ClickHouse in JdbcOutputAction
  • The database connection password in JdbcOutputAction is now stored in Keystore
  • Added the ability to specify certificates and SSL protocol version in WebhookAction
Fixes
  • Fixed incorrect task name truncation
  • Fixed incorrect table behavior when adding a new column
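Both the 4.2 Job Scheduler notes (an SSL/TLS configuration option for the Webhook action, with the password moved into the Keystore) and the 4.1 notes above (certificates and SSL protocol version in WebhookAction) expose knobs without saying what a safe setting is. The Python below is an added example, not SAF's WebhookAction code, showing the two ends of that configuration for an outbound HTTPS webhook client: a "just make it connect" context with verification off, and a hardened one that pins a CA file, checks the hostname and refuses anything below TLS 1.2, plus an audit function that flags the weak one. The keystore lookup is a placeholder keyed on an environment-style mapping; the real SAF Keystore API is not described on this page, and the `<prefix>.<task_id>` key layout is an assumption.

```python
"""Weak vs. hardened TLS client settings for an outbound webhook action."""
import http.client
import os
import ssl
from typing import List, Optional

# Key prefix named in the release notes; the "<prefix>.<task_id>" layout is assumed.
KEYSTORE_PREFIX = "jobscheduler.webhook.password"


def lookup_webhook_password(task_id: str, store=os.environ) -> Optional[str]:
    """Placeholder for a Keystore lookup: reads a mapping instead of the real store."""
    return store.get(f"{KEYSTORE_PREFIX}.{task_id}")


def weak_context() -> ssl.SSLContext:
    """What disabling verification looks like: any certificate, any hostname, the
    lowest protocol version the library supports. Shown only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context(cafile: Optional[str] = None,
                     min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Verify the server chain against `cafile` (or the system trust store when None),
    require the certificate to match the hostname, and enforce a minimum version."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = min_version
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses a reviewer would flag in a webhook TLS configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are permitted")
    return findings


def webhook_connection(host: str, ctx: ssl.SSLContext, port: int = 443) -> http.client.HTTPSConnection:
    """Build (but do not open) the HTTPS connection the action would use."""
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=10)


if __name__ == "__main__":
    print("weak:", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
    # Constructed stand-in for the Keystore; in production the value never sits in task config.
    secret = lookup_webhook_password("task-42", {"jobscheduler.webhook.password.task-42": "s3cret"})
    print("password present:", secret is not None)
```

Pass the CA that actually signed the receiver's certificate as `cafile` rather than leaving it at the system store when the webhook endpoint is internal; the hostname check then does the rest of the pinning.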

User Behavior Analytics

⚡️ Changes
  • Added count to the calculation settings function
Improvements
  • Added the ability to change permissions for Object Types and Scoring Types
Fixes
  • Fixed blocked create object button when types are missing
  • Adjusted out-of-license message display

SAF Beat

⚡️ Changes
  • Added agent.ip parameter to override localIp sent to Agent Management
  • Added agent.tags configuration parameter to filter the list of agents in Agent Management
  • All IPv4 addresses of network interfaces that have a MAC address are now sent to Agent Management
Fixes
  • Fixed the DNS name not being displayed when the agent has no private IP
  • Fixed application integrity control
  • Fixed repeatedly logged "TLS handshake error from : EOF" messages

Agent Management

⚡️ Changes
  • Added the ability to store backup user and password in environment variables
Fixes
  • Fixed repeatedly logged "TLS handshake error from : EOF" messages

Inventory

⚡️ Changes
  • Added the ability to store login and password for connecting to SM Data Storage in environment variables
Improvements
  • Added a warning for duplicate names of base and additional fields in the configuration

Incident Manager

⚡️ Changes
  • Added incident grouping results to the Incident Manager main page
  • Added Incident Group Settings page for configuring incident grouping
  • Added tags to grouped incidents
Improvements
  • Incident search is now executed on the storage side
  • Added the ability to display user filters in Incident Manager based on their type
  • Improved incident and incident group history, added incident_history_language flag to set the history language

Lookup Manager

Fixes
  • Fixed page reload issue during file import into the directory

Knowledge Center

⚡️ Changes
  • Added the ability to display Markdown articles (read-only)
Fixes
  • Fixed error when there are no items in the permission group field

MITRE ATT&CK

⚡️ Changes
  • The role model can now be configured for MITRE ATT&CK matrix layers

Version 4.0

📅 Search Anywhere Framework version 4.0.0 was released on April 12, 2024.

Core

⚡️ Changes
  • Added Search Anywhere settings interface (connection to external data stores)
  • Added auto-completion for database connection strings in Search Anywhere
  • Added the ability to test connections to external storage
  • Added scoring configuration options
Improvements
  • JDBC query configuration is now integrated into Search Anywhere
  • The Upload Data and Active Tasks links have been moved to the left menu
  • The xlsx library was updated to version 0.20.1
Fixes
  • Fixed the filter-saving mechanism in the address bar

Core: Search Interface

⚡️ Changes
  • Added a new visualization type: Heatmap

Core: Engine

⚡️ Changes
  • Added support for searching ClickHouse using Search Language
  • Added Timeline and Sidebar for ClickHouse queries
  • Time parameters can now be passed to ClickHouse storage queries

Core: Job Scheduler

⚡️ Changes
  • Added the ability to select which columns to display in the Task List
Improvements
  • The MITRE ATT&CK action now supports multi-selection of techniques

User Behavior Analytics

⚡️ Changes
  • Added module configuration on first launch
  • Added new profiling algorithms: Dictionary, Statistics, Frequency, and Chronology
  • Added UBA object profile page and object information card
  • Added warning for UBA object duplicates
  • Added the ability to configure the type of object profiling
  • Added the ability to link scoring type to an object
  • Added automatic object list population by schedule
  • Added support for running multiple profiling algorithms in policies
  • Added the ability to use a custom function for scoring calculation
  • Added the ability to view profiling policy results
  • Added statistics on runs for each object
  • Added server filtering options for running calculations
Improvements
  • Added deletion confirmation in module settings
  • Added scoring deletion confirmation

Incident Manager

⚡️ Changes
  • Added incident group creation mechanism (aggregations)
  • Added incident group configuration
  • Added the ability to choose the closure status for incident groups
  • Added the ability to configure the display (incidents only or incidents and groups of incidents)
  • Added the ability to edit incident groups with synchronized changes for each incident
  • Added the ability to run Adhoc Actions for incident groups
  • Added the ability to display MITRE techniques for incident groups
  • Each incident group now has configurable group parameters
Improvements
  • Incident and incident group descriptions can now be written in Markdown
  • Added search by owners in the incident table search bar
  • Added search by query results in the incident table search bar
  • System and display names for incident groups are now configurable
Fixes
  • Fixed an error raised by the incident list auto-refresh when no data was available

Knowledge Center

Fixes
  • Fixed the display of tags on the Scenarios page
  • Fixed the error when fetching the list on the Wikilogs page

MITRE ATT&CK

Fixes
  • Fixed the error in technique information display when mitigations were missing
  • Fixed the error in getting statistics for triggered rules