0.72 2 sync #3406
Merged
This backs up volatile but critical information like hunts and client info records.
The following rule matcher is valid:

```yaml
detection:
  selection:
    field: null
```

https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#special-field-values

Also support rules which omit the condition - while not strictly correct, they mean to match all the selection clauses. This PR also removes the coercion to string of all the rule values and uses scope protocols instead. This results in a significant speedup as well.
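To make the two semantics in this commit concrete, here is an added Go example (not Velociraptor's own matcher, which parses the YAML and evaluates through scope protocols). It uses a hypothetical in-memory `Detection` struct and a constructed set of events. `field: null` is satisfied when the field is absent or present with a null value; an omitted `condition` is treated as the conjunction of every selection; and values are compared without coercing them to strings, so the integer `4624` does not match the string `"4624"`.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// Event is one flat log record handed to the matcher (constructed for this example).
type Event map[string]any

// Selection maps a field name to the value the rule expects. A nil value is
// the Sigma special value `null`, written `field: null` in the rule.
type Selection map[string]any

// Detection is a hypothetical in-memory form of a parsed `detection:` block.
// Condition may be empty, which mirrors rules that omit `condition:`.
type Detection struct {
	Selections map[string]Selection
	Condition  string
}

// matchField compares a single field without coercing either side to a string.
// For `null` the field must be absent, or present with a null value.
func matchField(ev Event, field string, want any) bool {
	got, present := ev[field]
	if want == nil {
		return !present || got == nil
	}
	return present && reflect.DeepEqual(got, want)
}

// matchSelection requires every field in the selection to match (Sigma AND semantics).
func matchSelection(ev Event, sel Selection) bool {
	for field, want := range sel {
		if !matchField(ev, field, want) {
			return false
		}
	}
	return true
}

// Match evaluates a detection against an event. An omitted condition is
// interpreted leniently as "all selections must match". Otherwise only the
// simple conjunction form "selA and selB ..." is accepted in this example.
func Match(ev Event, d Detection) (bool, error) {
	var names []string
	if strings.TrimSpace(d.Condition) == "" {
		for n := range d.Selections {
			names = append(names, n)
		}
		sort.Strings(names) // deterministic evaluation order
	} else {
		for _, tok := range strings.Fields(d.Condition) {
			if tok == "and" {
				continue
			}
			if _, ok := d.Selections[tok]; !ok {
				return false, fmt.Errorf("condition references unknown selection %q", tok)
			}
			names = append(names, tok)
		}
	}
	for _, n := range names {
		if !matchSelection(ev, d.Selections[n]) {
			return false, nil
		}
	}
	return true, nil
}

// NullRule is the rule from the commit message in parsed form: one selection
// requiring `field: null`, and no condition.
func NullRule() Detection {
	return Detection{Selections: map[string]Selection{
		"selection": {"field": nil},
	}}
}

func main() {
	events := []Event{
		{"Image": "C:\\x.exe"},               // "field" absent: matches
		{"Image": "C:\\x.exe", "field": nil}, // present but null: matches
		{"Image": "C:\\x.exe", "field": "v"}, // present with a value: no match
	}
	for _, ev := range events {
		ok, err := Match(ev, NullRule())
		fmt.Println(ok, err)
	}
}
```

The `reflect.DeepEqual` comparison is the simplest way to show type-faithful matching; a real evaluator would dispatch on the value's type through the scope's protocols, which is what the commit replaces string coercion with.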
typo fixed. resutls > results.
If an image does not contain a partition table, and it is a filesystem (partition) image, then we need to automatically add the image offset 0.
When pipe() was used with parse_lines() a crash occurred. This happened because parse_lines() attempts to open files as gzip files first, then reopen them again if that fails. It is not possible to safely reopen a pipe though. This PR fixes the crash and avoids opening the pipe as gzip first.
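The failure mode is general: any "try gzip, then reopen" strategy breaks on a non-seekable stream, because the bytes consumed by the failed gzip attempt are gone. The added Go example below (not the project's code; `OpenMaybeGzip`, `ParseLines`, `GzipBytes` and `PipeOf` are names chosen here) shows the alternative: peek at the two gzip magic bytes through a `bufio.Reader`, decide once, and never reopen. It is exercised with constructed input pushed through an `io.Pipe`, both plain and gzip-compressed, plus the empty-input edge case.

```go
package main

import (
	"bufio"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
)

// OpenMaybeGzip returns a reader that transparently decompresses gzip input.
// Instead of trying gzip first and reopening on failure, which is impossible
// on a pipe, it peeks at the two magic bytes (0x1f 0x8b) through a
// bufio.Reader. The peeked bytes stay buffered, so plain input loses nothing.
func OpenMaybeGzip(r io.Reader) (io.Reader, error) {
	br := bufio.NewReader(r)
	magic, err := br.Peek(2)
	if err != nil && err != io.EOF {
		return nil, err
	}
	// Input of 0 or 1 bytes cannot be gzip; hand back the buffered reader.
	if len(magic) == 2 && magic[0] == 0x1f && magic[1] == 0x8b {
		return gzip.NewReader(br)
	}
	return br, nil
}

// ParseLines reads every line from r, whether r is plain or gzip-compressed,
// a regular file or a one-shot pipe. The source is opened exactly once.
func ParseLines(r io.Reader) ([]string, error) {
	src, err := OpenMaybeGzip(r)
	if err != nil {
		return nil, err
	}
	var lines []string
	sc := bufio.NewScanner(src)
	for sc.Scan() {
		lines = append(lines, sc.Text())
	}
	return lines, sc.Err()
}

// GzipBytes compresses s; used to construct sample compressed input.
func GzipBytes(s string) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write([]byte(s))
	zw.Close()
	return buf.Bytes()
}

// PipeOf streams data through an io.Pipe, which can neither seek nor be
// reopened; reading it twice is exactly what the reopen strategy needs.
func PipeOf(data []byte) io.Reader {
	pr, pw := io.Pipe()
	go func() {
		if len(data) > 0 {
			pw.Write(data)
		}
		pw.Close()
	}()
	return pr
}

func main() {
	sample := "line one\nline two\n" // constructed sample input
	plain, err := ParseLines(PipeOf([]byte(sample)))
	fmt.Println(plain, err)
	zipped, err := ParseLines(PipeOf(GzipBytes(sample)))
	fmt.Println(zipped, err)
}
```

`bufio.Reader.Peek` blocks until two bytes are available or the stream ends, so the decision is made before any data is handed to the scanner; the same wrapper works unchanged for a seekable file.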
This led to a phantom extra subdirectory added to each directory listing under the mount point. This only happens when a mount remap is added inside another remap (this does not normally happen in deaddisk processing but happens in registry remapping).
artifacts/testdata/server/testcases/macos.out.yaml, artifacts/testdata/server/testcases/macos.in.yaml and /artifacts/ and artifacts/definitions/MacOS/Forensics/FSEvents.yaml have received updates to spelling of EnrtryPath to EntryPath.
When running large globs over the registry the accessor's performance left a lot to be desired. This PR supercharges performance by using:

* Caching of registry keys and directory listings
* Lazy evaluations of value decoding
* Use of sync.Pool to reduce memory allocations
Also uploads() plugin now works in a notebook.
Since WSS connections are never re-established the nanny will timeout if no messages were sent within the time (by default 10 min). This will cause a hard exit. --------- Co-authored-by: rob-wilco <140673290+rob-wilco@users.noreply.github.com>
…#3382) This works transparently for encrypted containers providing the correct server.config.yaml is used. Also:

* Refactored raw_reg accessor to follow default key semantics properly.
* Refactored grpc client code to keep the caller's identity separated in the client pool.
A few users have commented to me that the download password setting is unintuitive. Other settings in the form take effect once you click away from the field and persist if the form disappears without closing. The download password only updates with the close button. To provide a visual cue and feedback, I added a Set button that changes the password immediately. The button defaults to disabled until any input is entered (including a blank password), and disables itself again after submitting. I left the other setSetting calls in place as well. In local testing, the password changes/button behavior worked as expected. Collection downloads were encrypted using the saved password. --------- Co-authored-by: Mike Cohen <mike@velocidex.com>
Also added multichoice parameter types. CreateInitialNotebook will now block until all the cells are constructed to ensure that the cells can not overwhelm the notebook workers. When an artifact creates a large default notebook, the browser will attempt to render each in parallel and this will initiate a worker update.
* Source() plugin did not support versions when reading from notebook cells.
* Add Cell from Hunt regression - hunt GUI was modified.
* Adding new secret did not allow adding templates.
* ACE default UI elements were not set when user's GUI record was missing.
For systems where DNF does not exist the following output is given back:

```json
[ { "Stdout": "" } ]
```

Therefore the switch statement is not proceeding with the b-variant (yum). When filtering out via a WHERE statement this is done.
Replaced the old react-json-view with our own implementation:

* When arrays get too large, the display shows a modal box to allow searching through them.
* When a JSON object is too large, a button allows a modal to view the whole object comfortably.
* New component is properly themeable using classes - no need for the workaround for theming.
Add org_name field containing the Organization Name for use on Splunk --------- Co-authored-by: Mike Cohen <mike@velocidex.com>