
Releases: sysflow-telemetry/sf-processor

0.4.0-rc3

17 Feb 22:26

Added

  • Support for pluggable actions for the policy engine
  • Support for an asynchronous policy engine with thread pooling
  • Packaging in deb, rpm, and targz formats
  • Added 14 new MITRE ATT&CK TTP tagging rules
  • Added support for a quiet logging mode

Changed

  • Added a contextual SysFlow structure, removed the global cache and its synchronization primitives; refactored the handler interface
  • Changed cache keys to OID types
  • BREAKING: Changed policy engine modes and action verbs (update policy YAML rule declarations to remove the action attribute where it was used with the alert or tag verbs)
    • alert and enrich are now policy engine modes; the action attribute in a policy rule declaration is now used to call action-handling plugins
  • Updated the short union strings from gogen-avro
  • Updated CI to automate packaging of release assets with release notes
  • Bumped Go version to go1.17.7
  • BREAKING: Added architecture-dependent builds (darwin, linux), required by changes to the net package in Go 1.17
  • Updated findings short description formatting and naming convention
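
A migration sketch for the breaking policy change above, added here as an illustration; it is not taken from the sf-processor release notes or documentation. The rule name, description, condition fields and tag are constructed for the example, `notify_plugin` is a hypothetical action-plugin name, and where the alert/enrich mode is set in the engine configuration is not stated on this page.

```yaml
# Added illustration, not project code. Rule name, condition fields and tags
# are constructed; attribute names in the condition are assumed.

# Before 0.4.0: the verb was carried on the rule's action attribute.
- rule: Interactive shell in container
  desc: A shell is started with a controlling terminal inside a container
  condition: sf.proc.name in (bash, sh) and sf.proc.tty = true   # assumed attribute names
  action: [alert]              # alert/tag verbs: remove this line in 0.4.0
  priority: high
  tags: [attack.t1059]

# 0.4.0 and later: the same rule with the action attribute removed. Whether a
# match produces an alert or enriches the record with its tags is now decided
# by the policy engine mode (alert or enrich), not by the rule.
- rule: Interactive shell in container
  desc: A shell is started with a controlling terminal inside a container
  condition: sf.proc.name in (bash, sh) and sf.proc.tty = true   # assumed attribute names
  priority: high
  tags: [attack.t1059]

# 0.4.0 and later: action now names action-handling plugins to invoke on a match.
- rule: Interactive shell in container (with action plugin)
  desc: Same detection, additionally handed to a pluggable action
  condition: sf.proc.name in (bash, sh) and sf.proc.tty = true   # assumed attribute names
  action: [notify_plugin]      # hypothetical plugin name
  priority: high
  tags: [attack.t1059]
```

Before upgrading, search existing policies for `action:` entries whose value is alert or tag; each of those must be dropped, with the intended behaviour restored by selecting the engine mode, while any remaining `action:` value will be interpreted as the name of an action plugin.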

Fixed

  • Fixed a cache coherence issue and a race condition when updating the cache in the processor plugin; the processor plugin is split into two plugins, a reader (which builds the cache) and a processor (which only reads from the cache)
  • Fixed a stream socket reader issue introduced with the upgrade to Go 1.17

0.4.0-rc2

16 Feb 04:32

Added

  • Support for pluggable actions for the policy engine
  • Support for an asynchronous policy engine with thread pooling
  • Packaging in deb, rpm, and targz formats
  • Added 14 new MITRE ATT&CK TTP tagging rules
  • Added support for a quiet logging mode

Changed

  • Added a contextual SysFlow structure, removed the global cache and its synchronization primitives; refactored the handler interface
  • Changed cache keys to OID types
  • BREAKING: Changed policy engine modes and action verbs (update policy YAML rule declarations to remove the action attribute where it was used with the alert or tag verbs)
    • alert and enrich are now policy engine modes; the action attribute in a policy rule declaration is now used to call action-handling plugins
  • Updated the short union strings from gogen-avro
  • Updated CI to automate packaging of release assets with release notes
  • Bumped Go version to go1.17.7
  • BREAKING: Added architecture-dependent builds (darwin, linux), required by changes to the net package in Go 1.17

Fixed

  • Fixed a cache coherence issue and a race condition when updating the cache in the processor plugin; the processor plugin is split into two plugins, a reader (which builds the cache) and a processor (which only reads from the cache)
  • Fixed a stream socket reader issue introduced with the upgrade to Go 1.17

0.4.0-rc1

11 Feb 22:09

Added

  • Support for pluggable actions for the policy engine
  • Support for an asynchronous policy engine with thread pooling
  • Packaging in deb, rpm, and targz formats
  • Added 14 new MITRE ATT&CK TTP tagging rules
  • Added support for a quiet logging mode

Changed

  • Added a contextual SysFlow structure, removed the global cache and its synchronization primitives; refactored the handler interface
  • Changed cache keys to OID types
  • BREAKING: Changed policy engine modes and action verbs (update policy YAML rule declarations to remove the action attribute where it was used with the alert or tag verbs)
    • alert and enrich are now policy engine modes; the action attribute in a policy rule declaration is now used to call action-handling plugins
  • Updated the short union strings from gogen-avro
  • Updated CI to automate packaging of release assets with release notes
  • Bumped Go version to go1.17.7
  • BREAKING: Added architecture-dependent builds (darwin, linux), required by changes to the net package in Go 1.17

Fixed

  • Fixed a cache coherence issue and a race condition when updating the cache in the processor plugin; the processor plugin is split into two plugins, a reader (which builds the cache) and a processor (which only reads from the cache)
  • Fixed a stream socket reader issue introduced with the upgrade to Go 1.17

0.3.1

29 Sep 19:11

Changed

  • Update(ubi): Bumped UBI version to 8.4-211.

0.3.0

20 Sep 15:50

Added

  • Support for pluggable export protocols
  • Elastic Common Schema (ECS) export format and Elasticsearch integration
  • Export to IBM Findings API
  • MITRE ATT&CK TTP tagging policy
  • Support for pipeline forking (tee feature)
  • Custom S3 prefix to Findings exporter

Changed

  • Moved away from Docker Hub CI.
  • Optimized JSON export
  • Updated dependencies to latest sf-apis
  • Updated sample policies
  • Refactoring of processor and handling APIs

Fixed

  • Fixed bugs in the policy engine related to lists containing quoted strings
  • Fixed several issues in policy engine field mapping

Removed

  • Support for flat JSON schema

0.3.0-rc2

23 Jul 17:43
2a427a5
Pre-release

Changed

  • Fixed CI issues on remote PR builds.
  • Fixed issues 69 and 70.

0.3.0-rc1

14 Jul 03:43
Pre-release

Added

  • Support for pluggable export protocols
  • Elastic Common Schema (ECS) export format and Elasticsearch integration
  • Export to IBM Findings API
  • MITRE ATT&CK TTP tagging policy
  • Support for pipeline forking (tee feature)

Changed

  • Moved away from Docker Hub CI.
  • Optimized JSON export
  • Updated dependencies to latest sf-apis
  • Updated sample policies
  • Refactoring of processor and handling APIs

Fixed

  • Fixed bugs in the policy engine related to lists containing quoted strings
  • Fixed several issues in policy engine field mapping

0.2.2

07 Dec 20:30
Pre-release

Changed

  • Updated dependencies to latest sf-apis.

0.2.1

03 Dec 02:52
Pre-release

Fixed

  • Fixed sf.file.oid and sf.file.newoid attribute mapping.

0.2.0

02 Dec 03:00
Pre-release

Added

  • Added list and macro preprocessing to handle use before declaration in the input policy language.
  • Added empty handling for process flow objects.
  • Added the endswith binary operator to the policy expression language.
  • Added initial documentation.

Changed

  • Updated the grammar and interpreter to support Falco policies.
  • Several refactorings and performance optimizations in policy engine.
  • Tuned filter policy for k8s clusters.