-
Notifications
You must be signed in to change notification settings - Fork 178
/
Changelog.txt
121 lines (102 loc) · 4.77 KB
/
Changelog.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
### Updates 1.5.1
- Changed "Windows Management Instrumentation" to WMI in the name of the [T1047] searches to get below the 100 character max name length limit
- Added Splunk v9+ compliant version tags to dashboards
- Changed dependency in requirements.csv from "Splunk Add-On for Microsoft Sysmon" to "Splunk Add-on for Sysmon"
### Updates 1.5.0
New Features
- NEW REQUIREMENT : Event Timeline app
- GrantedAccess descriptions for the most common occurences
- Rare process chains dashboard finished
- Search based drilldown dashboard Added
- The threathunting index is now customizable in a macro
- lateral movement indicator dashboard overhaul, plus new panels
- user drilldown dashboard improved
- Network connection drilldown has clearer visualization for beaconing behavior, replaced punchcard by timeline visualization
- Updated the following changes to the whitelist dashboards:
Registry - Add "add/remove" option for entries
Process create - Add "add/remove" option for entries
Network - Add "add/remove" option for entries, put sort before dedup like others
File access - Add "add/remove" option for entries, added contact like others
File create - Add "add/remove" option for entries, added contact like others, eval error with file_name pointed at file_path
Process access - Add "add/remove" option for entries
Remote threat - Add "add/remove" option for entries
Image load - Add "add/remove" option for entries
DNS - Add "add/remove" option for entries, added contact like others
Pipe created - Add "add/remove" option for entries
WMI - Add "add/remove" option for entries
- added OriginalFileName mapping to file_name
- working new searches
Bugfixes
- tons!!
### Updates 1.4.2
New Features
- Rare process chains dashboard (still wip)
- Colors sprinkled though-out the app according to the ATT&CK Rainbow of Tactics
Changes
- Rebuilt some dashboards to have a significant speed increase and more efficient searches
- Changed the searches on the (Parent)ProcessGuid dashboards to have slightly less detail but a huge speed improvement
Bugfixes
- Some time pickers didn't properly translate to drilldowns
- Overlap with windows TA field mappings removed
- Fixed a faulty field name in one of the lookups
- Added the missing the blank lookup files
### Updates 1.4.0
New Features
- NEW REQUIREMENT : Link Analysis app >> LINK
- Initial mapping of Windows 4768/9 events in props.conf
- Pipe Drilldown dashboard
- File create whitelist macro
- File create Drilldown dashboard
- Added Stacking tools section
- Added Mitre ATT&CK stacking page
- Added DNS stacking page with beaconing detection
- Added DNS whitelist
- Added User drilldown page
- Added Macro drilldown dashboard
- Added 25 new searches
- Added Credits pane
- Added Requirement checks page and changed the about page
Changes
- Renamed pipe_created_whitelist macro to pipe_whitelist
- Renamed pipe_created_whitelist csv to pipe_whitelist throughout the app
- Replaced the force directed visual by link analysis for network connection drilldown
- Added a few fields to props.conf, including Sysmon DNS events
- Extended T1218,T1216,T1081,T1075 searches
- Rebuilt the whitelisting, searches are a LOT quicker now and take less resources
- Added original_file_name to event_id 1 and 7
- Top triggered techniques drilldown changed to technique_id
- Added google lookups to WMI consumers
- Added DNS drilldown on network events
- Added user drilldown on all relevant events
- Synced all drilldowns to have the same behavior
- Removed the hashes from the process_create whitelist macro for 4688 compatibility
Bugfixes
- T1197 had a typo
- props fix for host_fqdn in non-xml ingest
- whitelisting with long csv files caused bad behavior
- File created events didn't show
- Inital Access events didn't show on overview
- T1044 was misrepresented
- Fixed several drilldown bugs
Todo
- Add driver drilldown dashboard
### Updates 1.3.4
New Features
- Added Technique and Host filtering options to the threat hunting overview page
- Added Timeline graph to the overview page
- Added Technique and Host filtering options to the mitre att&ck overview page
- Added New Files created page, based on Sysmon event_id 11
- Added File Create whitelist editor page
- Initial mapping of Windows 4688 events in props.conf
- Added 4688 events to 70 reports
- Added indextime macro
Changes
- Automated search distribution
- Index time searches instead of _time
- Cleaned up the code a bit
- AppInspect passing
Bugfixes
- Fixed the Tactics and Technique(ID) filters on the mitre att&ck overview page
- Added the Initial Access tactic and properly sorted them on all pages
- Re-added the computer investigator page
- Changed sourcetype to source in macros