Extension push button on remote / modern Kibana — the Elastic adapter now reads the async-search strategy envelope (/internal/search/ese → hits under response.hits.hits, the ES _async_search body), which recent Kibana Discover uses; the hook intercepted the response but extractRows didn't recognise the shape, so the button stayed gray / "No results". Also handles the other shapes /internal/bsearch emits — single JSON, streamed NDJSON, and bfetch compression (remote/Cloud, each line base64(deflate(JSON)), decompressed in-browser via DecompressionStream) — and re-injects the floating button after React re-renders the page body (MutationObserver) so it survives a refresh on SPA consoles.
Pushed Elastic rows from _source-disabled indices — when an index has _source off (common for high-volume timeline data), Kibana returns docvalue fields (each value an array) instead of _source; the adapter now flattens those into scalar rows, so the import sees real fields (@timestamp, desc, …) instead of a raw hit. The generic SIEM mapper now reads desc as the description and summarizes salient fields (detections, rule hits, command lines) instead of dumping Elasticsearch metadata (_index/_version/_ignored) — fixing "undated" events with no meaningful description.
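The two entries above describe the same pipeline from opposite ends: recognising the response shapes Kibana's search endpoints emit, then turning the hits into flat rows even when the index has _source disabled. The following is an added example, not the extension's own adapter code. It handles a single JSON body, streamed NDJSON, bfetch-compressed NDJSON (each line base64(deflate(JSON))) and the _async_search envelope with hits under response.hits.hits. Python's zlib.decompress consumes the same zlib-wrapped deflate stream that the browser-side DecompressionStream('deflate') does. The `{"id": …, "result": {"rawResponse": …}}` wrapper used in the sample bsearch line is an assumed shape; the extractor searches for the first `hits.hits` list rather than hard-coding it. All payloads are constructed.

```python
"""Added example: normalise Kibana search responses and flatten ES hits into rows."""
import base64
import json
import zlib


def decode_line(line: str) -> dict:
    """One streamed line is either plain JSON or base64(deflate(JSON))."""
    line = line.strip()
    if line.startswith("{"):
        return json.loads(line)
    # bfetch compression: zlib-wrapped deflate, as DecompressionStream('deflate') reads it
    raw = zlib.decompress(base64.b64decode(line, validate=True))
    return json.loads(raw.decode("utf-8"))


def parse_body(body: str) -> list:
    """Return every JSON object in a single-JSON or NDJSON (possibly compressed) body."""
    body = body.strip()
    if not body:
        return []
    try:
        obj = json.loads(body)          # single JSON body
        return obj if isinstance(obj, list) else [obj]
    except json.JSONDecodeError:        # NDJSON: one object (or compressed line) per line
        return [decode_line(ln) for ln in body.splitlines() if ln.strip()]


def find_hits(obj) -> list:
    """Depth-first search for the first {'hits': {'hits': [...]}} block.
    Covers a plain ES body (hits.hits), the _async_search envelope
    (response.hits.hits) and assumed wrappers such as result.rawResponse."""
    if isinstance(obj, dict):
        hits = obj.get("hits")
        if isinstance(hits, dict) and isinstance(hits.get("hits"), list):
            return hits["hits"]
        for value in obj.values():
            found = find_hits(value)
            if found:
                return found
    elif isinstance(obj, list):
        for item in obj:
            found = find_hits(item)
            if found:
                return found
    return []


def hit_to_row(hit: dict) -> dict:
    """_source present: use it as the row. _source disabled: Kibana returns
    docvalue `fields`, each value an array; unwrap single-element arrays so
    downstream mappers see scalars. Genuinely multi-valued fields stay lists."""
    source = hit.get("_source")
    if isinstance(source, dict) and source:
        return dict(source)
    row = {}
    for key, value in (hit.get("fields") or {}).items():
        row[key] = value[0] if isinstance(value, list) and len(value) == 1 else value
    return row


def extract_rows(body: str) -> list:
    """Full pipeline: response text -> flat rows ready for the SIEM mapper."""
    rows = []
    for obj in parse_body(body):
        rows.extend(hit_to_row(h) for h in find_hits(obj))
    return rows


# --- constructed sample payloads (not captured from a real Kibana) ---------
ASYNC_SEARCH_BODY = json.dumps({
    "id": "async-search-id-placeholder",
    "is_running": False,
    "response": {"hits": {"total": {"value": 1}, "hits": [
        {"_index": "timeline-2026.05", "_id": "1",
         "_source": {"@timestamp": "2026-05-07T16:31:04.000Z",
                     "desc": "Scheduled task created"}},
    ]}},
})


def _bfetch_line(obj) -> str:
    """Build one bfetch-compressed NDJSON line: base64(deflate(JSON))."""
    return base64.b64encode(zlib.compress(json.dumps(obj).encode("utf-8"))).decode("ascii")


BFETCH_BODY = "\n".join([
    _bfetch_line({"id": 0, "result": {"rawResponse": {"hits": {"hits": [
        {"_index": "timeline-2026.05", "_id": "2",          # _source-disabled hit
         "fields": {"@timestamp": ["2026-05-07T16:32:10.000Z"],
                    "desc": ["Outbound TCP connection"],
                    "tags": ["a", "b"]}},
    ]}}}}),
    _bfetch_line({"id": 1, "result": {"rawResponse": {"hits": {"hits": []}}}}),
])

if __name__ == "__main__":
    print(extract_rows(ASYNC_SEARCH_BODY))
    print(extract_rows(BFETCH_BODY))
```

The depth-first `find_hits` is deliberately shape-agnostic: when Kibana changes the envelope again, a new wrapper level does not break extraction as long as the ES `hits.hits` list is still somewhere inside it, which is exactly the failure mode the first entry describes.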
MemProcFS timeline_all.csv Net IOCs — used an invalid "network" IOC type (broke tsc; only vitest's no-typecheck transpile let it pass); now correctly typed as ip.
Added
Second LLM opinion — an on-demand QA cross-check that runs a different model independently over the same case (non-destructive re-synthesis), then a reconcile pass surfacing where it disagrees with the primary synthesis (findings it adds/drops, severity, ATT&CK technique) with a rationale + recommendation for per-item analyst accept/reject; accepted deltas are durable across re-synthesis; DFIR_AI_SECOND_OPINION_MODEL (off until set), POST/GET /cases/:id/second-opinion + …/apply (closes #116).
Velociraptor data from Elasticsearch routes to the Velociraptor importer (JSON push + CSV export) — when Velociraptor/DetectRaptor output is indexed into Elastic and either pushed from Kibana (JSON) or downloaded as a Discover CSV export, detectImportKind now recognises it (the artifact_<name> index or flattened Detection.*/Artifact columns) and routes to importVelociraptor for full severity + MITRE + Sigma/YARA classification, instead of the generic AI CSV / SIEM path — so it works with AI off. The importer parses the CSV (dropping Kibana's "-" empty-cell placeholder) and normalizes the ES-reshaped rows back to native form (un-flatten dotted keys, collapse .keyword/.text multi-fields, derive the artifact from the index name) — gated so native Velociraptor JSON is untouched — reads DetectRaptor keyword-hit verdicts from Detection.StringHit/HitString, and parses Kibana display-format timestamps (May 7, 2026 @ 16:31:04.000) to UTC ISO.
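The normalisation steps listed above, as an added example (not the importer's own code): drop the "-" placeholder, collapse .keyword/.text multi-fields onto their base field, un-flatten dotted keys, derive Artifact from an artifact_<name> index, read the DetectRaptor verdict from Detection.StringHit/HitString, and parse the Kibana display timestamp. The timestamp conversion assumes the export was produced with Kibana's display timezone set to UTC; any other setting would need an offset applied. Column names other than Detection.*, Artifact, _index and StringHit/HitString, the index name and the cell values are constructed.

```python
"""Added example: turn a Kibana Discover CSV export of Velociraptor rows back into native form."""
import csv
import io
from datetime import datetime, timezone

KIBANA_DISPLAY_FORMAT = "%b %d, %Y @ %H:%M:%S.%f"   # e.g. "May 7, 2026 @ 16:31:04.000"
MULTI_FIELD_SUFFIXES = (".keyword", ".text")
EMPTY_CELL = "-"                                    # Kibana's empty-cell placeholder


def parse_kibana_timestamp(value: str) -> str:
    """'May 7, 2026 @ 16:31:04.000' -> '2026-05-07T16:31:04.000Z' (assumes UTC display tz)."""
    dt = datetime.strptime(value.strip(), KIBANA_DISPLAY_FORMAT).replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def set_nested(row: dict, dotted: str, value) -> None:
    """Write value at a dotted path, creating intermediate dicts (un-flatten)."""
    parts = dotted.split(".")
    cur = row
    for part in parts[:-1]:
        nxt = cur.get(part)
        if not isinstance(nxt, dict):
            nxt = {}
            cur[part] = nxt
        cur = nxt
    cur[parts[-1]] = value


def normalize_es_row(raw: dict) -> dict:
    """Undo the Elasticsearch/Kibana reshaping on one CSV row."""
    cleaned = {}
    for key, value in raw.items():
        if value is None or value.strip() in ("", EMPTY_CELL):
            continue                                # placeholder / empty cell
        for suffix in MULTI_FIELD_SUFFIXES:
            if key.endswith(suffix):
                key = key[: -len(suffix)]           # Foo.keyword -> Foo
                break
        cleaned.setdefault(key, value.strip())      # base and multi-field carry the same text
    row = {}
    for key, value in cleaned.items():
        set_nested(row, key, value)
    index = row.pop("_index", None)
    if "Artifact" not in row and isinstance(index, str) and index.startswith("artifact_"):
        row["Artifact"] = index[len("artifact_"):]  # derive artifact from the index name
    ts = row.get("@timestamp")
    if isinstance(ts, str) and "@" in ts:           # ISO timestamps never contain "@"
        row["@timestamp"] = parse_kibana_timestamp(ts)
    return row


def detectraptor_verdict(row: dict):
    """DetectRaptor keyword-hit verdict lives in Detection.StringHit or Detection.HitString."""
    det = row.get("Detection")
    if not isinstance(det, dict):
        return None
    return det.get("StringHit") or det.get("HitString")


def import_kibana_csv(text: str) -> list:
    """Parse a Discover CSV export and normalise every row."""
    return [normalize_es_row(r) for r in csv.DictReader(io.StringIO(text))]


# Constructed sample export: index name, Process.Name and cell values are placeholders.
SAMPLE_CSV = (
    '"@timestamp","_index","Detection.StringHit","Detection.StringHit.keyword",'
    '"Detection.Description","Process.Name","Process.Name.keyword"\n'
    '"May 7, 2026 @ 16:31:04.000","artifact_windows_detectraptor_processes",'
    '"mimikatz","mimikatz","Keyword hit in command line","powershell.exe","-"\n'
)

if __name__ == "__main__":
    for r in import_kibana_csv(SAMPLE_CSV):
        print(r, "verdict:", detectraptor_verdict(r))
```

Because the multi-field collapse happens before un-flattening, `Detection.StringHit` and `Detection.StringHit.keyword` land on the same nested key and the row ends up with one `Detection` object, which is what a native Velociraptor JSON row would have carried.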
MemProcFS timeline_all.csv importer — deterministic parser for the full-system kernel timeline (Time,Type,Action,PID,Value32,Value64,Text,Pad); ShTask CRE/DEL → Medium/T1053.005|T1070, Net TCP → Low/T1071, WEB DOWNLOAD → Low/T1105, PROC → Info; NTFS CRE with exec extensions → file IOCs; 254k REG + THREAD rows dropped; auto-detected by the unified Import button.
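The timeline rules above, including the ip-typed Net IOCs from the fix entry earlier on this page, as an added example that is not the importer's own code. It parses the Time,Type,Action,PID,Value32,Value64,Text,Pad layout, drops REG and THREAD rows, applies the severity and ATT&CK mapping listed, types addresses found in Net rows as `ip` IOCs and harvests NTFS CRE paths with an executable extension as file IOCs. The sample rows, the exact contents of the Text column, the executable-extension list and the Info default for unlisted types are constructed assumptions, not taken from a real MemProcFS dump.

```python
"""Added example: deterministic classification of MemProcFS timeline_all.csv rows."""
import csv
import io
import re

# Assumed list of extensions that make an NTFS CRE row worth a file IOC.
EXEC_EXTENSIONS = (".exe", ".dll", ".sys", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr")
DROP_TYPES = {"REG", "THREAD"}        # bulk rows the importer discards
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify(row: dict):
    """Return (severity, [ATT&CK techniques]) for one row, or None to drop it."""
    typ = row["Type"].strip()
    action = row["Action"].strip().upper()
    text = row["Text"]
    if typ in DROP_TYPES:
        return None
    if typ == "ShTask" and action in ("CRE", "DEL"):
        return "Medium", ["T1053.005", "T1070"]
    if typ == "Net" and "TCP" in f"{action} {text}".upper():   # TCP may sit in Action or Text (assumed)
        return "Low", ["T1071"]
    if typ == "WEB" and action == "DOWNLOAD":
        return "Low", ["T1105"]
    if typ == "PROC":
        return "Info", []
    return "Info", []                  # unlisted types: keep as informational (assumption)


def extract_iocs(row: dict) -> list:
    """Harvest IOCs from a kept row; Net addresses are typed `ip`, not "network"."""
    typ = row["Type"].strip()
    action = row["Action"].strip().upper()
    text = row["Text"].strip()
    iocs = []
    if typ == "Net":
        iocs.extend({"type": "ip", "value": ip} for ip in IPV4.findall(text))
    if typ == "NTFS" and action == "CRE" and text.lower().endswith(EXEC_EXTENSIONS):
        iocs.append({"type": "file", "value": text})
    return iocs


def import_timeline(text: str) -> dict:
    """Parse the CSV and return kept events, harvested IOCs and the dropped-row count."""
    events, iocs, dropped = [], [], 0
    for row in csv.DictReader(io.StringIO(text)):
        verdict = classify(row)
        if verdict is None:
            dropped += 1
            continue
        severity, techniques = verdict
        pid = row["PID"].strip()
        events.append({
            "time": row["Time"], "type": row["Type"], "action": row["Action"],
            "pid": int(pid) if pid.isdigit() else None,
            "text": row["Text"], "severity": severity, "techniques": techniques,
        })
        iocs.extend(extract_iocs(row))
    return {"events": events, "iocs": iocs, "dropped": dropped}


# Constructed sample timeline (layout of the Text column is assumed).
SAMPLE_CSV = """Time,Type,Action,PID,Value32,Value64,Text,Pad
2026-05-07 16:31:04 UTC,ShTask,CRE,1234,0,0,\\Microsoft\\Windows\\UpdateCheck,
2026-05-07 16:31:05 UTC,Net,TCP,1234,0,0,10.0.0.5:49812 -> 203.0.113.10:443,
2026-05-07 16:31:06 UTC,WEB,DOWNLOAD,1234,0,0,https://example.invalid/installer.exe,
2026-05-07 16:31:07 UTC,NTFS,CRE,1234,0,0,C:\\Users\\Public\\update.exe,
2026-05-07 16:31:08 UTC,NTFS,CRE,1234,0,0,C:\\Users\\Public\\notes.txt,
2026-05-07 16:31:09 UTC,PROC,CRE,4321,0,0,update.exe,
2026-05-07 16:31:10 UTC,REG,SET,1234,0,0,HKLM\\SOFTWARE\\Example,
2026-05-07 16:31:11 UTC,THREAD,CRE,1234,0,0,tid=77,
"""

if __name__ == "__main__":
    result = import_timeline(SAMPLE_CSV)
    print(f"{len(result['events'])} events, {len(result['iocs'])} IOCs, {result['dropped']} dropped")
```

Typing the Net addresses as `ip` is the point of the earlier fix: the IOC type is a closed union in the project's TypeScript, and a string outside it compiles only when type-checking is skipped, which is why the test transpile passed while tsc failed.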
MemProcFS findevil importer — deterministic parser for the findevil finding-report table; maps finding types to severity + ATT&CK (YR_HACKTOOL → Critical/T1588.002, PEB_MASQ → High/T1036.005, PE_PATCHED → High/T1055, THREAD SYSTEM_IMPERSONATION → High/T1134, etc.); groups bulk PRIVATE_RWX/PRIVATE_RX pages by process; harvests driver/module/patched-DLL paths as file IOCs; auto-detected by the unified Import button.