Releases
v1.6.0
Release Notes
New features
support for stateful runtime detections
file attributes/status parameters and field filters
Enhancements
raw ETW event parsing and a number of other optimizations deliver up to 10x performance gains
trace controller is refactored to facilitate the addition of new event sources
the not operator can now negate complex parenthesized expressions and function calls
filter error reporting is cleaner and works with multiline filter expressions
Bug fixes
rule group selector now supports OpenProcess and OpenThread events
cidr_contains function now returns false, instead of an incorrect value, when the address matches none of the given subnets
parenthesized expressions are now visited recursively, so nested parens inside a filter are evaluated correctly
process command line normalization did not correctly fill in missing command lines for system processes
stack overflow when replaying captures with process ancestor filters
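The cidr_contains fix above is about one edge case: a membership function must yield a definite false when no subnet matches, not a stale or undefined value. The following Go snippet is an added example, not Fibratus's own implementation; the function name cidrContains, its argument order (address first, then any number of subnets) and the sample addresses are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net"
)

// cidrContains reports whether ip falls inside at least one of the given
// CIDR subnets. The important property is the fall-through at the end:
// after every subnet has been checked without a hit the result is an
// explicit false. Malformed input is surfaced as an error rather than
// being silently treated as "not contained", so a typo in a filter does
// not turn into a rule that never fires.
func cidrContains(ip string, subnets ...string) (bool, error) {
	addr := net.ParseIP(ip)
	if addr == nil {
		return false, fmt.Errorf("invalid IP address: %q", ip)
	}
	for _, s := range subnets {
		_, network, err := net.ParseCIDR(s)
		if err != nil {
			return false, fmt.Errorf("invalid subnet %q: %w", s, err)
		}
		if network.Contains(addr) {
			return true, nil
		}
	}
	// Every subnet was walked without a match: the correct answer is false.
	return false, nil
}

func main() {
	// Constructed sample values for the demonstration (not real captured events).
	cases := []struct {
		ip      string
		subnets []string
	}{
		{"192.168.1.10", []string{"192.168.1.0/24", "10.0.0.0/8"}}, // matches first subnet
		{"172.16.5.4", []string{"192.168.1.0/24", "10.0.0.0/8"}},   // matches nothing -> false
		{"10.20.30.40", []string{"10.0.0.0/8"}},                     // matches
		{"fe80::1", []string{"fe80::/10"}},                          // IPv6 works the same way
		{"172.16.5.4", nil},                                         // no subnets at all -> false
		{"10.1.1.1", []string{"10.0.0.0/99"}},                       // bad prefix length -> error
	}
	for _, c := range cases {
		matched, err := cidrContains(c.ip, c.subnets...)
		if err != nil {
			fmt.Printf("%s in %v -> error: %v\n", c.ip, c.subnets, err)
			continue
		}
		fmt.Printf("%s in %v -> %v\n", c.ip, c.subnets, matched)
	}
}
```

Returning an error for an unparsable subnet, rather than false, is a deliberate choice: a detection rule that quietly evaluates to "no match" because of a typo is worse than one that fails loudly at load time.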
Breaking changes
file and handle object parameters are now represented in decimal instead of hex format when --kstream.raw-event-parsing=true
event exclusions by process name now match image names case-sensitively, so existing exclusion lists whose casing differs from the actual image name will no longer exclude those processes