v0.3.4 tightens the first-run experience and the MSSP/operator story.
- Rewrote the docs so SOC engineers and detection engineers can see the tool's job immediately: enabled detections mapped to the telemetry they depend on, with dead rules, impaired rules, source health, and unused telemetry called out separately.
- Added an MSSP lab GIF recorded from the Docker-backed simulated fleet artifacts.
- Added the Docker-backed MSSP lab workflow for a five-instance fleet with healthy tenants, bad credentials, an unreachable tenant, redacted reports, downtime handling, schema drift, and exporter metrics.
- Fixed
scan --rulefor single pretty-printed JSON rule files. - Removed the unsound
truncated-lookbackimpairment check and tightened lag attribution solag-blind-windownames the specific laggy source. serve --redactnow redacts fleet instance names before logging per-instance scan failures.
Supported backends remain Elastic Security 8.x and OpenSearch Security Analytics 2.x.