v1.6.0

@github-actions github-actions released this 31 Aug 17:51
· 142 commits to master since this release
92ae744

Release Notes

New features

  • support for stateful runtime detections
  • file attributes/status parameters and field filters

Enhancements

  • raw ETW event parsing and a number of optimizations deliver 10x performance gains
  • the trace controller is refactored to facilitate the addition of new event sources
  • the not operator can negate complex parenthesized expressions and functions
  • filter error reporting is made more readable and compatible with multiline filter expressions

Bug fixes

  • the rule group selector now supports OpenProcess and OpenThread events
  • the cidr_contains function now returns a correct value when no subnets are matched
  • parenthesized expressions are now visited recursively
  • process command line normalization didn't correctly complete missing command lines for system processes
  • stack overflow when replaying captures with process ancestor filters

Breaking changes

  • file and handle object parameters are represented in decimal instead of hex format if --kstream.raw-event-parsing=true
  • event exclusions by process name now require case-sensitive image names