forked from olafhartong/ThreatHunting
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathChangelog.txt
68 lines (60 loc) · 2.46 KB
/
Changelog.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
### Updates 1.4.0
New Features
- NEW REQUIREMENT : Link Analysis app >> LINK
- Initial mapping of Windows 4768/9 events in props.conf
- Pipe Drilldown dashboard
- File create whitelist macro
- File create Drilldown dashboard
- Added Stacking tools section
- Added Mitre ATT&CK stacking page
- Added DNS stacking page with beaconing detection
- Added DNS whitelist
- Added User drilldown page
- Added Macro drilldown dashboard
- Added 25 new searches
- Added Credits pane
- Added Requirement checks page and changed the about page
Changes
- Renamed pipe_created_whitelist macro to pipe_whitelist
- Renamed pipe_created_whitelist csv to pipe_whitelist throughout the app
- Replaced the force directed visual by link analysis for network connection drilldown
- Added a few fields to props.conf, including Sysmon DNS events
- Extended T1218,T1216,T1081,T1075 searches
- Rebuilt the whitelisting, searches are a LOT quicker now and take less resources
- Added original_file_name to event_id 1 and 7
- Top triggered techniques drilldown changed to technique_id
- Added google lookups to WMI consumers
- Added DNS drilldown on network events
- Added user drilldown on all relevant events
- Synced all drilldowns to have the same behavior
- Removed the hashes from the process_create whitelist macro for 4688 compatibility
Bugfixes
- T1197 had a typo
- props fix for host_fqdn in non-xml ingest
- whitelisting with long csv files caused bad behavior
- File created events didn't show
- Inital Access events didn't show on overview
- T1044 was misrepresented
- Fixed several drilldown bugs
Todo
- Add driver drilldown dashboard
### Updates 1.3.4
New Features
- Added Technique and Host filtering options to the threat hunting overview page
- Added Timeline graph to the overview page
- Added Technique and Host filtering options to the mitre att&ck overview page
- Added New Files created page, based on Sysmon event_id 11
- Added File Create whitelist editor page
- Initial mapping of Windows 4688 events in props.conf
- Added 4688 events to 70 reports
- Added indextime macro
Changes
- Automated search distribution
- Index time searches instead of _time
- Cleaned up the code a bit
- AppInspect passing
Bugfixes
- Fixed the Tactics and Technique(ID) filters on the mitre att&ck overview page
- Added the Initial Access tactic and properly sorted them on all pages
- Re-added the computer investigator page
- Changed sourcetype to source in macros