Release Notes

19 May 2025

Note: BluVector Advanced Threat Detection™ for versions prior to 3.9.0 was known as BluVector Cortex™. Older release notes reflect the name in use at that time.

Release 5.7.0

DNS Tunnel Analyzer

  • [BCD-24083] Add new analyzer to detect DNS Tunnels

    • Analyzer watches Zeek dns logs to detect suspicious activity that matches DNS tunnel behavior

    • Configurable in the user interface; disabled by default

    • DNS Tunnel detections are a new event type

    • DNS Tunnel Analyzer runs in a new container
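The notes say what the analyzer watches but not what "DNS tunnel behavior" looks like in a dns.log. The following is an added example, not BluVector's analyzer code, of the per-client, per-zone features a tunnel detector derives from Zeek dns.log records in JSON-lines form (the layout Zeek's json-logs policy writes): how many distinct names are queried under one zone, how long and how random the labels below the zone are, and how often payload-carrying record types (TXT, NULL) are used. The sample records are constructed; the thresholds, the use of the last two labels as the "zone", and the choice of TXT/NULL as tunnel-favoured types are assumptions of this example, not the product's tuning.

```python
import hashlib
import json
import math
from collections import defaultdict

# Constructed Zeek dns.log records (JSON lines); not real traffic.
_NORMAL = [
    {"ts": 1.0 + i, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.53",
     "query": q, "qtype_name": "A", "rcode_name": "NOERROR"}
    for i, q in enumerate(["www.example.com", "mail.example.com",
                           "cdn.example.com", "www.example.org"])
]
# A tunnel client encodes data into long, high-entropy leftmost labels and
# tends to prefer record types that carry more payload (TXT, NULL).
_TUNNEL = [
    {"ts": 100.0 + i * 0.5, "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.53",
     "query": hashlib.sha256(str(i).encode()).hexdigest()[:48] + ".t.example.net",
     "qtype_name": "TXT", "rcode_name": "NOERROR"}
    for i in range(40)
]
SAMPLE_DNS_LOG = "\n".join(json.dumps(r) for r in _NORMAL + _TUNNEL)


def shannon_entropy(text):
    """Bits per character of the empirical symbol distribution of text."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(query):
    # Assumption: the zone is the last two labels. Production code should use
    # the Public Suffix List so that e.g. "co.uk" is not treated as a zone.
    labels = query.rstrip(".").split(".")
    return ".".join(labels[-2:])


def leftmost_labels(query, zone):
    """The part of the name below the zone, or '' for a query of the zone itself."""
    q = query.rstrip(".")
    if q == zone or not q.endswith("." + zone):
        return ""
    return q[: -len(zone) - 1]


def score_dns_log(lines, min_queries=20, min_unique_ratio=0.8,
                  min_avg_len=30, min_avg_entropy=3.0):
    """Group dns.log records by (client, zone) and compute tunnel features.

    Returns {(client, zone): {...features..., "suspicious": bool}}.
    The thresholds are illustrative assumptions, not the product's tuning.
    """
    groups = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        query = rec.get("query")
        if not query:
            continue
        groups[(rec["id.orig_h"], registered_zone(query))].append(rec)

    results = {}
    for (client, zone), recs in groups.items():
        subs = [leftmost_labels(r["query"], zone) for r in recs]
        subs = [s for s in subs if s]
        if not subs:
            continue
        feats = {
            "queries": len(recs),
            "unique_ratio": len(set(subs)) / len(subs),
            "avg_label_len": sum(len(s) for s in subs) / len(subs),
            "avg_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs),
            "payload_qtype_ratio": sum(r.get("qtype_name") in ("TXT", "NULL") for r in recs) / len(recs),
        }
        feats["suspicious"] = (
            feats["queries"] >= min_queries
            and feats["unique_ratio"] >= min_unique_ratio
            and feats["avg_label_len"] >= min_avg_len
            and feats["avg_entropy"] >= min_avg_entropy
        )
        results[(client, zone)] = feats
    return results


if __name__ == "__main__":
    for key, feats in score_dns_log(SAMPLE_DNS_LOG.splitlines()).items():
        print(key, feats)
```

Run it and the constructed client 10.0.0.7 is flagged for example.net (40 unique 48-character hex labels, all TXT), while the ordinary lookups from 10.0.0.5 never reach the minimum query count. In a real deployment the per-zone minimum and the entropy cut-off are what you tune; CDN and anti-spam reputation lookups legitimately produce long, random-looking labels, so an allow list of known zones usually sits in front of a scorer like this.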

Weekly Summary Emails

  • [BCD-24076] Add summary emails to easily see what BluVector is doing

    • Configure ATD to send a weekly summary email to specified recipients

    • Summary emails contain:

      • total events processed

      • total suspicious events

      • total malicious events

      • total adjudicated events

      • number of configuration changes

      • and more

Gen 5 Hardware support

  • [BCD-24037] Add support for Gen 5 ATD hardware

    • Configure NIC for optimal performance

    • Configure Zeek and Suricata for new CPUs and memory

    • Add new SKU defaults to system configuration

Enhancements

DETECTION & LEARNING

  • [BCD-24025] Reworked hURI to improve performance and accuracy.

  • [BCD-24201] Update Hector to be able to use multiple servers to handle analysis requests.

  • [BCD-24247] Improved filetyping for files previously typed as generic ‘data’.

  • [BCD-24338] Update Nema Correlator to use Python 3.11

  • [BCD-24365] Update Beacon Analyzer to add hostname to results if available. Now able to add hostnames to beacon analyzer allow list.

  • [BCD-24415] Add geolocation information for country, region, city, postal code, latitude/longitude, ISP, and connection type.

  • [BCD-24459] Remove duration keys from Beacon events that are not long beacons.

  • [BCD-24508] Added resp hostname for Beacon Analyzer to detection telemetry.

USER INTERFACES

  • [BCD-24018] Upgrade User Interface to use Python 3.11

  • [BCD-24306] No longer display time offset for Zeek logs associated with an event, since we are only displaying logs from that specific connection.

  • [BCD-24367] Added help text to state that enabling long beacons in Beacon Analyzer enables long conn Zeek script. https://github.com/corelight/zeek-long-connections

  • [BCD-24376] Add configuration option to automatically disable accounts that are inactive for 90 days.

  • [BCD-24404] Subject Alternative Name is now a required field when generating CSRs (modern browsers and TLS clients validate the hostname against the SAN, not the Common Name).

  • [BCD-24445] Removed toggle for output debug logging from user interface. Option is still available via config command line.

DATAFLOW

  • [BCD-23787] Added logic to protect against writing duplicate detection artifacts for Hector.

  • [BCD-23788] Added logic to protect against writing duplicate in-situ retrain artifacts.

  • [BCD-23316] Improve logging for BV Intel service.

  • [BCD-24292] Migrate BV Intel Celery backend to use Postgres instead of Redis.

  • [BCD-24051] Update rules-management service to use Python 3.11

  • [BCD-23895] BREAKING CHANGE: When an output is configured to send from a central manager, the ‘sensor_hostname’ key in the output is now named ‘cm_hostname’. Downstream consumers (SIEM parsers, connector keymaps) that read ‘sensor_hostname’ must be updated.

  • [BCD-24280] Include IPv6 addresses in Suricata detection events.

  • [BCD-24307] Updated Zeek Forwarder to not write an empty log if no match is found.

  • [BCD-24422] Updated DataBee Event Output keymap to send additional data to DataBee. Added filesize as well as more Yara and geolocation data.

  • [BCD-24513] Improved rate limiting for SFA logging to not suppress desired logs.

PLATFORM

  • [BCD-24381] Upgrade bv-join tooling to use Python 3.11

  • [BCD-23811] Add ability to orchestrate upgrades from a CM.

  • [BCD-23847] Improve packet filtering to include ipv6 addresses.

  • [BCD-24028] Upgrade bv-inject tool to use Python 3.11

  • [BCD-24295] Remove deprecated suricata configuration from /etc/suricata/ in the Artifact Storage container.

  • [BCD-24309] Removed unnecessary check for collector config staging during join to central manager.

  • [BCD-24323] Zeek package deprecations for dns-tunnel and sfa-allow-list; Zeek package updates for bzar. https://github.com/mitre-attack/bzar

  • [BCD-24336] Added configuration option to add geolocation data to Zeek conn logs.

  • [BCD-24353] Update PCAP processing to allow use of Zeek intel framework.

  • [BCD-24444] Upgraded system packages to resolve latest CVEs.

  • [BCD-24475] Increase redis container memory limit to 20GB.

  • [BCD-24512] Upgraded system packages to resolve latest CVEs.

  • [BCD-24524] Increased memory limits for Hector and Filetyper.

  • [BCD-24525] Added support for IPv6 address ranges to packet filtering.

Bug Fixes

  • [BCD-24446] Fixed issue causing some filenames to not be included in event metadata. Fixed issue where a database error could cause an event to never get written to the database.

  • [BCD-24207] Fixed issue with wrong default ingest interface for Gen3HD and Gen4 hardware SKUs.

  • [BCD-24352] Fixed issue with alternate DNS suffix configuration for UI failing.

  • [BCD-24383] Fixed an issue where some analyzer hits would not render icons on the event summary.

  • [BCD-24389] Fixed issue where Beacon events were showing up as suspicious status instead of info.

  • [BCD-24428] Fixed issue with hunt score, geolocation and intelligence results not rendering on event table.

  • [BCD-24433] Fixed issue with bv-librarian being unable to connect to database.

  • [BCD-24439] Fixed issue with Beacon Analyzer using too much memory.

  • [BCD-24456] Fixed issue with misidentifying javascript files as shell script.

  • [BCD-24460] Fixed issue that was degrading file typer performance for high event rates.

  • [BCD-24463] Fixed issue with some text being unreadable in Dark Mode.

  • [BCD-24465] Fixed issue with non-ASCII characters in bv-librarian database from versions prior to 5.6.0 causing an error.

  • [BCD-24492] Fixed issue with ThreatQ Intelligence test connectivity button not working.

  • [BCD-24498] Fixed issue where event status drop down menu sometimes pointed at the wrong event.

  • [BCD-24501] Fixed issue with TagIt data not being included in detection telemetry.

  • [BCD-24517] Fixed issue with events that grow too large to be inserted in the database due to many embedded files.

Release 5.5.1

DataBee Integration

  • [BCD-24105] Several enhancements to the DataBee integration

    • Added additional Zeek log types

    • Added support for using a proxy

    • Added an output keymap specific to DataBee

Bug Fixes

  • [BCD-24095] Fixed an issue where disabling redis injection for Yara rules did not properly disable it

  • [BCD-24118] Fixed an issue where Artifact Storage on a Collector could not connect to the Central Manager

  • [BCD-24119] Fixed an issue where common warnings were too noisy in the UI notifications

  • [BCD-24120] Fixed an issue where adjudicating many files at once was prohibitively slow

  • [BCD-24133] Fixed an issue where ssh config was not including the drop-in file directory

Release 5.5.0

Beacon Analyzer Service

  • [BCD-23709] Implement a beacon analyzer to scan network traffic for beacons and alert on these new events

    • Add the long beacon analyzer to the product

    • Allows for more fine-tuned beacon analysis

    • Add Beacon Analyzer UI page

    • Display beacon analyzer hits on the UI

    • Add beacon content to detection telemetry data
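As an added illustration (not BluVector's analyzer code) of what "scan network traffic for beacons" means in practice, the following groups Zeek conn.log records by (originator, responder, port, protocol) and reports a group as a beacon when it has enough connections and the gaps between them are nearly constant; it also reports long-lived connections, which is what the long beacon variant and the zeek-long-connections script referenced in 5.7.0 look at. The records are constructed JSON-lines conn.log entries; the coefficient-of-variation threshold, minimum connection count, long-connection cut-off, and the allow list of responder IPs or hostnames (with a caller-supplied IP-to-hostname map) are assumptions of this example.

```python
import json
import statistics
from collections import defaultdict


def _conn(ts, orig, resp, port, duration, proto="tcp"):
    """One constructed Zeek conn.log record in JSON-lines form (not real traffic)."""
    return json.dumps({"ts": ts, "id.orig_h": orig, "id.resp_h": resp,
                       "id.resp_p": port, "proto": proto, "duration": duration})


SAMPLE_CONN_LOG = "\n".join(
    # 20 connections every ~60 s with +/-1 s jitter: a classic beacon
    [_conn(1000.0 + 60 * i + ((i % 3) - 1), "10.0.0.9", "203.0.113.10", 443, 0.8)
     for i in range(20)]
    # 11 connections at irregular times: ordinary browsing to one host
    + [_conn(1000.0 + t, "10.0.0.9", "198.51.100.20", 443, 2.0)
       for t in (0, 5, 40, 41, 300, 900, 901, 950, 1500, 1502, 1503)]
    # one connection held open for two hours
    + [_conn(1200.0, "10.0.0.11", "203.0.113.30", 8443, 7200.0)]
)


def analyze_conn_log(lines, min_conns=10, max_cv=0.2,
                     long_conn_seconds=3600.0, allow_list=(), hostnames=None):
    """Return {"beacons": [...], "long_connections": [...]} for conn.log lines.

    A group is a beacon when it has >= min_conns connections and the
    coefficient of variation (stdev / mean) of the gaps between them is <= max_cv.
    allow_list may hold responder IPs or hostnames; hostnames is an optional
    {ip: hostname} map (assumption: supplied by the caller, e.g. from dns.log).
    """
    hostnames = hostnames or {}
    groups = defaultdict(list)
    long_conns = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        resp = rec["id.resp_h"]
        host = hostnames.get(resp)
        if resp in allow_list or (host and host in allow_list):
            continue   # allow-listed responders are never reported
        groups[(rec["id.orig_h"], resp, rec["id.resp_p"], rec["proto"])].append(rec)
        if float(rec.get("duration", 0.0)) >= long_conn_seconds:
            long_conns.append({"orig": rec["id.orig_h"], "resp": resp,
                               "resp_hostname": host, "resp_p": rec["id.resp_p"],
                               "duration": float(rec["duration"])})

    beacons = []
    for (orig, resp, port, proto), recs in groups.items():
        if len(recs) < min_conns:
            continue
        ts = sorted(float(r["ts"]) for r in recs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean   # low cv == regular timing
        if cv <= max_cv:
            beacons.append({"orig": orig, "resp": resp, "resp_hostname": hostnames.get(resp),
                            "resp_p": port, "proto": proto, "count": len(recs),
                            "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return {"beacons": beacons, "long_connections": long_conns}
```

On the constructed log the 60-second group to 203.0.113.10 is reported (cv about 0.02), the irregular group to 198.51.100.20 is not despite having enough connections, and the two-hour session to 203.0.113.30 shows up only under long connections. Beacons with randomised sleep ("jitter") push the cv up, which is why a real analyzer pairs the timing test with other signals (byte-size constancy, responder reputation) rather than relying on timing alone.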

Improve Zeek Search Feature

  • [BCD-23873] Resolve issues using Zeek search from the UI, which prevented use in large deployments

    • Add a 20GB limit for individual Zeek search queries

    • Show the file size of Zeek search queries

    • Allow users to grab Zeek search content from individual collectors

    • Prevent the UI from overloading with too much Zeek search content

    • Fix issue where Zeek search was failing silently when processing data sets that were too large

Replace Targeted Logger

  • [BCD-23601] Replace Targeted Logger with an implementation that improves memory utilization while still providing the features customers use today

Improve Zeek and Suricata Validation

  • [BCD-23636] Convert artifact storage validation of Zeek and Suricata to use a gRPC interface, improving connectivity w

    • Add gRPC endpoints for validating Zeek and Suricata files to the ingest container

DataBee Integration

  • [BCD-23874] Implement an integration with DataBee, improving cross utilization of these products

    • Build output to send events to DataBee

    • Create UI pages to configure DataBee integrations

    • Add connection to an S3 bucket for Zeek to integrate logs with DataBee

Enhancements

DETECTION & LEARNING

  • [BCD-23922] Base bundle UI banner appears during upgrade and only 3 active retrains allowed

USER INTERFACES

  • [BCD-22966] Improve long UI loading times

  • [BCD-23568] Provide additional cluster health endpoint content

  • [BCD-22900] Allow users to configure the packet filtering feature from the UI

  • [BCD-23502] Improve learning page mongo query to decrease page load times

  • [BCD-23736] Added ability to middle click menu items to open a new tab

  • [BCD-23744] Improve Hector output displayed on the UI

  • [BCD-23759] Keeping action item buttons visible for long lists.

  • [BCD-23821] Log user’s IP address to the audit log when they make changes

  • [BCD-23842] Allow users to configure alternate DNS entries to improve accessibility behind reverse proxies

  • [BCD-23916] Improve user experience by making column headers scroll with the insitu learning stats page

  • [BCD-23973] Update splash page to conform with reality

  • [BCD-23992] Allow ctrl-f searching within event json text

  • [BCD-24016] Add elements to splash page

  • [BCD-21434] Sync SAML configuration across entire deployment

  • [BCD-23843] Teach SAML to honor alternate DNS hostnames or suffixes

DATAFLOW

  • [BCD-23810] Added intel correlation for IOC Hunter results.

  • [BCD-23899] Improved EML file typing with archived files

PLATFORM

  • [BCD-23429] Installed the MITRE bro-http2 Zeek plugin. When activated, a new http2.log is generated and files are extracted for analysis.

  • [BCD-23841] Allow specific time to be configured for system backups

  • [BCD-23845] Zeek file typing support for DOS/MBR img files

  • [BCD-23893] Add kcat package to host system

  • [BCD-23896] Removed vulnerable encryption ciphers from SSH

  • [BCD-23906] Allow sshd drop in configuration files

  • [BCD-23915] Upgraded system packages to resolve latest CVEs

  • [BCD-23918] Updated base OS to Oracle Linux 8.10

  • [BCD-23927] Root access disabled in cockpit

  • [BCD-23930] Updated the Zeek EML analyzer

  • [BCD-23957] Improve disk space and memory utilization by shrinking artifact storage container size

  • [BCD-23961] Improve disk space and memory utilization by shrinking ingest container size

  • [BCD-23974] Implemented Zeek’s new zeek-archiver tool which archives logs serially and atomically to provide a more robust archiving method and to account for reboots, power loss, OOM, etc.

Bug Fixes

  • [BCD-23262] Resolve issue with using hostname to join a collector

  • [BCD-23861] Updated unjoin script to remove SSH ID keys.

  • [BCD-23894] Update default keymapping to use proper yara function to pass along the yara details

  • [BCD-23898] Resolve incorrect processing of certain types of eml content

  • [BCD-23904] Fixed an issue with Zeek core dumping when getting the position of an enum when pushing Zeek intel events

  • [BCD-23912] Fixed bug with more than 4 pending classifier retrains. All retrains accepted one at a time

  • [BCD-23921] Resolve issue in Artifact Storage when pushing artifacts to collectors

  • [BCD-23923] Adjust lead analyst role to include access to some features they should have

  • [BCD-23928] Allow for indefinite adjudication TTL

  • [BCD-23939] Resolve disappearing saml button

  • [BCD-23947] Prevent 0 byte clamav files from being placed on disk

  • [BCD-23987] Fixed an issue where zeek worker processes were forwarding intel records that the zeek manager process didn’t have loaded, which prevented intel hits from being logged

  • [BCD-23991] Update geolocation analyzer to correctly resolve some locations that do not conform to standard

  • [BCD-24003] Adjust timeouts to allow for long loading times when uploading files

  • [BCD-24013] Prevent certain events from breaking the event table display

  • [BCD-24021] Accept ssh keys during the join process automatically

Release 5.4.0

Low Level Packet Filtering

  • [BCD-22889] Low level packet filtering to skip creating events unnecessarily, decreasing the workload on systems in pr

    • [BCD-23324] Added configuration models for packet filtering that allow a user to specify lists of IPs or CIDR blocks to filter on, based on source or destination address.

Rapid Retrain In-situ

  • [BCD-23468] Rapid retrain capability for In-situ. The system can now retrain on content much more quickly than prev

    • [BCD-23576] Update bv-cfg with rapid retrain configuration paths

    • [BCD-23577] Hector reclassifies unknown files to benign in In-situ if given appropriate settings

    • [BCD-23578] Implement various rapid retrain features for In-situ

    • [BCD-23579] Update UI to accommodate new rapid retrain configuration settings

    • [BCD-23664] Load rapid retrain config from bv-cfg to In-situ

Enhancements

DETECTION & LEARNING

  • [BCD-23555] Updated version of libmagic used for filetyping to 4.45

  • [BCD-23556] Update Hector’s H2O library to version 3.46

  • [BCD-23565] Teach Extractor to handle ISO files

  • [BCD-23659] Add background thread to remove stale data from insitu

  • [BCD-23702] Built Insitu endpoint to return files that should not be deleted

  • [BCD-23703] SFA cleaner honors files marked for no deletion and skips them during cleanup

USER INTERFACES

  • [BCD-23397] Display text file content in user interface

  • [BCD-23478] Display tags created by TagIt analyzer on event modal

  • [BCD-23502] Improve learning page mongo query to decrease page load times

  • [BCD-23611] Health alerts GUI page no longer has a cap and paginates instead

  • [BCD-23612] Allow sorting of health alerts by severity

  • [BCD-23614] Added scheduled task to ensure UI sessions database doesn’t grow unrestrained

  • [BCD-23621] Provide checkbox to toggle zeek validation on uploaded files

  • [BCD-23649] No longer allowed to adjudicate files or events on a collector. Make adjudications on the Central Manager.

  • [BCD-23671] Removed references to Targeted Logger from the user interface

DATAFLOW

  • [BCD-23306] Only update last fetched timestamp when all intel is fetched

  • [BCD-23470] Provide config option to set logging level of SFA process groups instead of just the whole SFA at once

  • [BCD-23662] Upgrade BV CFG API to Connexion 2.7.0

  • [BCD-23687] Bulk insert ThreatQ data by using a separate endpoint

  • [BCD-23696] Event rate health alert no longer takes Suricata events into account

  • [BCD-23723] Improve accuracy by using the zeek filetype for eml instead of filetyping

PLATFORM

  • [BCD-23673] Combine improvements from the 4.x to 5.x upgrade process with the backup and restore system

  • [BCD-23561] Install JA4s zkg package

  • [BCD-23566] Add sent events metric to allow for health metrics examining lost events

  • [BCD-23596] Improve zeek filetyping capability

  • [BCD-23633] Teach the backup and restore system about system type it runs against

  • [BCD-23634] Cap zeek logs with a configurable value

  • [BCD-23642] Add entitlement certificate to backup and restore process

  • [BCD-23645] Improve backup and restore of Artifacts

  • [BCD-23648] Improve the join process to allow it to convert uuids if a system has the same hostname as previously

  • [BCD-23708] Properly acknowledge that eml files are already extracted and skip extracting them again

  • [BCD-23729] Upgrade to Zeek 6.2.0

  • [BCD-23735] Provide additional eml signatures to improve filetyping

  • [BCD-23740] Disabled CBC ciphers for cockpit UI due to vulnerability

  • [BCD-23826] Add cryptsetup to host system for configuring LUKS password

  • [BCD-23754, BCD-23850] Upgraded system packages to close CVEs

Bug Fixes

  • [BCD-23622] Fixed an issue with time window selection on Evolve Classifiers page

  • [BCD-23724] Fixed an issue with removing configured tags for the TagIt analyzer

  • [BCD-23704] Fixed an issue rendering events generated from previous versions of ATD

  • [BCD-23800] Fixed an issue where PinPoint wasn’t properly handling TagIt tags

  • [BCD-23739] Fix an issue where old unused Docker images are not being cleaned up

  • [BCD-23610] Fixed an issue where hunt score was not displaying correctly for small numbers

  • [BCD-23496] Fixed an issue where PinPoint would return no results when querying very large event sets

  • [BCD-23806] Prevent negative event counts from appearing on the collector health page

  • [BCD-23822] On retrains with many collectors, fixed h2o stopping after a certain amount of time

  • [BCD-23844] Fixed an issue where some intelligence wouldn’t properly render in the UI

  • [BCD-23828] Fixed an issue where email attachments could generate two separate events with the same file

Release 5.3.1

  • [BCD-23674] Downgrade confluent-kafka version to fix kafka producer issue

  • [BCD-23674] Fix issue where MongoDB indexes were being dropped and recreated

Release 5.3.0

BV Health Cluster Page

  • [BCD-22529] New report page in the UI to display various important statistics about the health of a cluster.

    • The whole cluster is displayed in one place.

    • Each collector is represented by a card, with various important statistics about that collector.

      • Collector is reachable (uptime %, not a single datapoint)

      • Collector ingest rate

      • Collector event rate

      • Suricata is running

      • Zeek is running

      • Artifact-storage is running/reachable (uptime %, not a single datapoint)

      • Config API is running/reachable (uptime %, not a single datapoint)

    • Information is automatically updated by the backend, linking into the existing health and status info as well as new endpoints that provide updated data on a reasonable timeframe.

Migration Path for 4.x to 5.x

  • [BCD-23071] Built out a method to get customers from older 4.x line systems to new 5.x line systems.

    • Originally there was no intended migration path from older systems; this feature allows customers to upgrade and get all the new features, support, and security of the 5.x line.

Adjudication Sharing

  • [BCD-23161] Implemented method of sharing adjudications from Central Managers across a whole cluster.

    • Decreases load, as adjudicated files no longer need to be forwarded only to get ignored.

    • Updated adjudication to expose a configurable TTL, so that different customers can decide how long it should last.

    • Adjudications TTL now updates when an event or file is seen again, so that it will not expire if seen continuously.

    • Clusters no longer allow for adjudicating anywhere but on a Central Manager, to keep the whole cluster in sync.

  • [BCD-23162] Replicate Adjudication on Join.

  • [BCD-23163] Backup and Restore Adjudication data.

  • [BCD-23240] Add configurable TTL for Adjudication to the configuration pages.

  • [BCD-23165] SFA updates TTL for adjudications.
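To make the TTL semantics above concrete (the expiry slides forward each time the file or event is seen again, the indefinite TTL added in 5.5.0 never expires, and the state can be replicated to a joining collector or backed up), here is an added example that is not the product's implementation: an in-memory adjudication store keyed by file hash. The injectable clock, the verdict strings and the dictionary layout are this example's choices.

```python
import time


class AdjudicationStore:
    """In-memory adjudication cache keyed by file SHA-256 (example, not product code).

    ttl_seconds=None means the adjudication never expires ("indefinite TTL").
    Every successful lookup renews the expiry, so a file that keeps being seen
    keeps its adjudication; a file not seen for ttl_seconds falls out.
    """

    def __init__(self, ttl_seconds=7 * 86400, clock=time.time):
        self.ttl_seconds = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._entries = {}

    def _expiry(self, now):
        return None if self.ttl_seconds is None else now + self.ttl_seconds

    def adjudicate(self, sha256, verdict, analyst):
        """Record an analyst verdict ("benign", "malicious", ...) for a file hash."""
        now = self._clock()
        self._entries[sha256] = {"verdict": verdict, "analyst": analyst,
                                 "adjudicated_at": now, "expires_at": self._expiry(now)}

    def lookup(self, sha256):
        """Return the verdict if present and unexpired (renewing the TTL), else None."""
        entry = self._entries.get(sha256)
        if entry is None:
            return None
        now = self._clock()
        if entry["expires_at"] is not None and entry["expires_at"] <= now:
            del self._entries[sha256]   # lazily purge an expired adjudication
            return None
        entry["expires_at"] = self._expiry(now)   # seen again: slide the window forward
        return entry["verdict"]

    def should_forward(self, sha256):
        """A collector forwards a file to the CM only if it is not already adjudicated."""
        return self.lookup(sha256) is None

    def export_state(self):
        """Snapshot for replication to a joining collector or for backup."""
        return {k: dict(v) for k, v in self._entries.items()}

    def import_state(self, state):
        """Load a snapshot produced by export_state (on join or restore)."""
        self._entries.update({k: dict(v) for k, v in state.items()})
```

Note that the sliding renewal happens on lookup, which is exactly the point the notes make: a continuously seen file is never forwarded again just because a fixed timer ran out, while a TTL of None keeps the verdict until an analyst changes it.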

Zeek SFA File Filter

  • [BCD-23543] Filter files within Zeek to avoid spamming the SFA with unnecessary content.

    • New Zeek policy hook allowing user-uploaded Zeek scripts to link in and filter as they desire.

TagIt Analyzer

  • [BCD-22912] Added the new TagIt Analyzer, which allows tags to be defined for events.

    • The analyzer checks event metafields against either IP address tags or string tags.

    • IP address tags can take individual IPv4 or IPv6 addresses, as well as CIDR blocks.

    • Any matched tag attaches the tag name to the event analysis, which can then be used by workflow rules.

      • For instance, a list of IP addresses with a tag named “good ips” can trigger a workflow rule setting the event to trusted status.
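The following added example (not BluVector's analyzer) shows the matching the TagIt description implies: IP tags hold individual IPv4/IPv6 addresses or CIDR blocks, string tags hold literal values, each tag names the event fields it applies to, and matched tag names are attached to the event so that a workflow rule can act on them. The same address-in-CIDR matching is what the packet filtering feature's source/destination lists in 5.4.0 need, including IPv6 ranges. The tag and rule layouts, the field names, and "first matching rule wins" are assumptions of the example.

```python
import ipaddress

# Constructed tag definitions. In the product they come from the TagIt
# configuration page; this dict layout is an assumption of the example.
TAGS = [
    {"name": "good ips", "type": "ip", "fields": ["src_ip", "dst_ip"],
     "values": ["10.0.0.0/8", "192.0.2.25", "2001:db8::/32"]},
    {"name": "scanner", "type": "ip", "fields": ["src_ip"],
     "values": ["198.51.100.0/24"]},
    {"name": "macro doc", "type": "string", "fields": ["filetype"],
     "values": ["docm", "xlsm"]},
]

# Constructed workflow rules; evaluated in order, first match wins (assumption).
WORKFLOW_RULES = [
    {"when_tag": "scanner", "set_status": "suspicious"},
    {"when_tag": "good ips", "set_status": "trusted"},
]


def compile_tags(tags):
    """Parse tag values once: IPs/CIDRs to ip_network objects, strings to a lowercase set."""
    compiled = []
    for tag in tags:
        if tag["type"] == "ip":
            # A bare address becomes a /32 or /128; strict=False tolerates host bits set.
            values = [ipaddress.ip_network(v, strict=False) for v in tag["values"]]
        else:
            values = {v.lower() for v in tag["values"]}
        compiled.append((tag["name"], tag["type"], tuple(tag["fields"]), values))
    return compiled


def match_tags(event, compiled):
    """Return the sorted names of tags whose values match any of their fields on the event."""
    hits = set()
    for name, kind, fields, values in compiled:
        for field in fields:
            value = event.get(field)
            if value is None:
                continue
            if kind == "ip":
                try:
                    addr = ipaddress.ip_address(value)
                except ValueError:
                    continue   # the field is not an address, so an IP tag cannot match it
                # 'in' is False across address families: a v4 address never matches a v6 block
                if any(addr in net for net in values):
                    hits.add(name)
            elif str(value).lower() in values:
                hits.add(name)
    return sorted(hits)


def apply_workflow(event, compiled, rules):
    """Attach tags to a copy of the event and set its status from the first matching rule."""
    tagged = dict(event, tags=match_tags(event, compiled))
    for rule in rules:
        if rule["when_tag"] in tagged["tags"]:
            tagged["status"] = rule["set_status"]
            break
    return tagged
```

Rule order matters: an event whose source is in the "scanner" range and whose destination is in "good ips" carries both tags, and the first rule decides the status. Put the restrictive rules before the trusting ones, otherwise a broad "good ips" list quietly overrides the detections you care about.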

Hector JavaScript Classifier

  • [BCD-23557] Built new JS classifier for Hector

    • Provides the ability for Hector to examine JavaScript files and retrain on them

    • Users can now upload their own JavaScript for analysis

Zeek Version 6.0.3 Upgrade

  • [BCD-21494, BCD-23314] Upgrade Zeek to the latest LTS, 6.0.3, which provides:

    • Significant memory improvements; test devices have seen a 60-70% decrease in overall Zeek memory usage.

    • Integration of Zeek’s new protocol analyzer framework, Spicy.

    • New protocol analyzers such as QUIC, LDAP and TFTP.

    • Allows installation of the new JA4 TLS fingerprinting.

    • New analyzer.log, which tracks analyzer/protocol violations.

    • New telemetry.log, which collects and reports Zeek run-time metrics. This data can also be exported directly to Prometheus.

    • The zeek-archiver tool is now integrated directly into Zeek, which should resolve a longstanding log rotation/compression issue.

Enhancements

DETECTION & LEARNING

  • [BCD-23517] Use ngrams for better Hector accuracy on PDF files

  • [BCD-23402] Implement Mach-O parser in Hector

  • [BCD-23406] Implement Mach-O classifier in Hector

  • [BCD-16406] Integrate NEMA with Hector

  • [BCD-23248] Added guard rails on ratio of benign to malicious to Insitu when retraining

  • [BCD-23328] Update Hector to support OIDC (role ARN / web identity token file)

  • [BCD-23446] Add Macho Universal file support to the Hector Filetyper

  • [BCD-23495] Update DIE library in Hector and add the new filetypes

  • [BCD-23531] Detect It Easy: add the new library and filetypes to Hector

  • [BCD-23545] Switch default config to AutoLearn for Insitu

  • [BCD-23549] Add iso to Hector Filetyper

USER INTERFACES

  • [BCD-23216] Allow bulk deletion of artifacts on artifact storage pages.

  • [BCD-23225] Minimize Artifact storage health check runs to initial page load.

  • [BCD-23220] Update zeek forwarder output page to describe multiple brokers.

  • [BCD-23266] Catch SAML errors and provide useful error messages instead of a big white screen with a 500 error.

  • [BCD-23270] Remove Name_id claim for SAML logins.

  • [BCD-23392] Add ability to disable support bundle creation/upload.

  • [BCD-23397] Display Text File Content from Hector.

  • [BCD-23409] Display Zeek logs in GUI after pcap upload.

  • [BCD-23424] Add link filetype output for Hector to the UI.

DATAFLOW

  • [BCD-23244] Update artifact-storage and artifact-storage-celery containers to be patchable in the field.

  • [BCD-23256] Artifact plugin tasks run in parallel.

  • [BCD-23222] Health alert for collectors on a mis-matched version.

  • [BCD-23183] Remove general mongo querying ability from Hunt Score DSL precluding potential ThreatVectors that would softlock the process.

  • [BCD-23184] Rewrite ThreatVector logic to stay in memory to increase analysis speed.

  • [BCD-23185] Add compound mongo index for Hunt Score internals, increasing speed of analysis for ThreatVector processes.

  • [BCD-23106] The bv-cfg-api now compresses config in transit across a cluster.

  • [BCD-23492] Make the bv-intel /add/ endpoint take tarballs.

  • [BCD-23224] Change health alert measuring events reaching the SFA.

  • [BCD-23305] Improve ThreatQ implementation, resolving several discovered implementation issues.

  • [BCD-23309] Build out several Artifact Storage improvements, improving DNS lookup capability and stability.

  • [BCD-23388] Rate limit rsyslog to prevent filling up the disk during problems.

  • [BCD-23428] Remove source field from artifact storage health considerations.

  • [BCD-23452] Add configuration option to disable writing Yara rules to Redis for large Yara rule deployments.

  • [BCD-23487] Add a timeout based on event_ttl to Extractor, which lets it bail out after Relay has already committed an event to Mongo.

  • [BCD-23583] Add response code checking during collector health metrics gathering.

PLATFORM

  • [BCD-23341] Enable luks disk encryption to allow users to set it up if they desire.

  • [BCD-23390] Upgrade Suricata to 6.0.14 release.

  • [BCD-22664] Disable user API access after their cockpit account has expired.

  • [BCD-23215] Make bv-gui use CM’s tinc hostname instead of tinc IP in its run.sh entrypoint.

  • [BCD-23391] Add RAID1 Support for Gen4 ISO.

  • [BCD-23395] Automatically repair half joined collectors.

  • [BCD-23396] BV Join repair will auto correct local type config if incorrect.

  • [BCD-23415] Add permissions for admin users to change hostname using hostnamectl.

  • [BCD-23433] Update Oracle Linux 8 for STIG Compliance.

  • [BCD-23547] Put date/time into top log on BAH.

Bug Fixes

  • [BCD-23300] Artifact storage update cron job is never set up in the sensor container.

  • [BCD-23301] Artifact storage transfer.py does not retain filenames if meta is included.

  • [BCD-23352] Convert Yara Rules Management Redis DB Flush to increase deletion speed.

  • [BCD-23481] Clear celery tasks on artifact-storage-celery restart and prevent spurious jobs from clogging the celery queue.

  • [BCD-23009] When NEMA is disabled via the “Enabled” Checkbox at the top of the config page, NEMA events still occur.

  • [BCD-23258] Redirects to login page do not follow original URL provided.

  • [BCD-23268] Manual deploy of retrain classifier from GUI doesn’t work.

  • [BCD-23302] Hector cannot analyze lnk files.

  • [BCD-23327] Update user facing API documentation.

  • [BCD-23408] Pcap uploads to CM failed zeek extraction.

  • [BCD-23572] bvcm template white space causing monitor metrics to fail.

  • [BCD-23585] Fix race condition preventing Telegraf database setup from occurring.

Release 5.2.0

Suricata Rules Validation

  • [BCD-20860] Suricata rules will be tested/validated when uploaded.

    • Users will receive a message in the UI if uploaded Suricata rules cannot be parsed by the Suricata engine.

    • Suricata rules management now supports valid escape characters in rules.

    • Users may configure the artifact storage and Suricata rules management system to not enforce validation. Rules failing to parse will be ignored by Suricata.
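The authoritative check is the one the notes describe: the Suricata engine itself parses the rules. On any host with Suricata installed you can do the same by hand with `suricata -T -c suricata.yaml -S myrules.rules`, which loads the rule file in test mode and reports every rule it rejects. The added example below (not the product's validator) is a lightweight pre-check for the mistakes that most often make a rule unparsable, including the escape handling the notes mention: it splits options on `;` only outside quoted strings and honours backslash escapes, checks the header shape and direction operator, and requires a single numeric sid. The sample rules are constructed.

```python
import re

# Constructed rules (not from any real ruleset): two valid, three broken.
SAMPLE_RULES = '''\
# comment lines and blank lines are ignored
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"plain http"; content:"GET"; sid:1000001; rev:1;)
alert dns any any -> any any (msg:"escaped \\; and \\" inside msg"; content:"a|3B|b"; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"no sid"; content:"x"; rev:1;)
alert tcp any any -> any any (msg:"unterminated; sid:1000004; rev:1;)
alert udp $HOME_NET any <- any 53 (msg:"bad direction"; sid:1000005; rev:1;)
'''

ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
# action proto src sport (-> | <>) dst dport (options)
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def split_options(body):
    """Split the option body on ';' characters that are outside quotes and not escaped."""
    options, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                 # previous char was a backslash: take this one literally
            current.append(ch)
            escaped = False
            continue
        if ch == "\\":
            current.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if in_quote:
        raise ValueError("unterminated quoted string")
    if "".join(current).strip():
        raise ValueError("last option is not terminated with ';'")
    return [o for o in options if o]


def check_rule(rule):
    """Return a list of problems found in one rule; an empty list means it passed the pre-check."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["header must be: action proto src sport -> or <> dst dport (options)"]
    problems = []
    if m.group(1) not in ACTIONS:
        problems.append(f"unknown action {m.group(1)!r}")
    try:
        options = split_options(m.group(8))
    except ValueError as exc:
        return problems + [str(exc)]
    names = [o.split(":", 1)[0].strip() for o in options]
    sids = [o.split(":", 1)[1].strip() for o in options if o.startswith("sid:")]
    if not sids:
        problems.append("missing sid")
    elif len(sids) > 1 or not sids[0].isdigit():
        problems.append("sid must appear once and be numeric")
    if names.count("msg") > 1:
        problems.append("msg given more than once")
    return problems


def validate_rules(text):
    """Return [(line_no, rule, problems)] for every non-comment line that fails the pre-check."""
    failures = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        problems = check_rule(stripped)
        if problems:
            failures.append((line_no, stripped, problems))
    return failures
```

A pre-check like this catches structural breakage before upload; it does not know Suricata's keyword vocabulary or its semantic constraints, which is why the engine-backed validation the release adds is the one to rely on, and why disabling it should be a deliberate choice: with validation off, a rule that fails to parse is silently dropped and the detection it was meant to provide is simply absent.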

Zeek Log Forwarder

  • [BCD-22823] Zeek Forwarding allows just the Zeek logs matching the community ID associated with the event to be forwarded via Kafka.

    • Users can configure a new Output called Zeek Forwarder

    • When enabled, Zeek forwarding also enables calculation of the community ID in both Zeek and Suricata
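Community ID is the join key here: Zeek and Suricata compute the same value for a flow no matter which direction the record describes. As an added example (not the forwarder's code), the following implements Community ID v1 for TCP/UDP/SCTP as the Corelight specification defines it (16-bit seed, canonical endpoint ordering, protocol byte plus one zero pad byte, SHA-1, base64, `1:` prefix; the ICMP type/code mapping is left out) and uses it to pick out the Zeek rows that belong to a Suricata event: conn.log rows carrying the matching `community_id`, then every other row sharing those rows' `uid`. The event and the Zeek rows are constructed, and the `log` field naming which Zeek log a row came from is this example's convention; the event field names are Suricata EVE's.

```python
import base64
import hashlib
import ipaddress
import struct

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(saddr, daddr, proto, sport, dport, seed=0):
    """Community ID v1 for a TCP/UDP/SCTP 5-tuple (Corelight spec; ICMP mapping omitted)."""
    sa, da = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    if sa.version != da.version:
        raise ValueError("mixed address families")
    # Canonical ordering: the lexicographically smaller (address, port) comes
    # first, so the same flow hashes identically from either direction.
    if (sa.packed, sport) > (da.packed, dport):
        sa, da, sport, dport = da, sa, dport, sport
    data = (struct.pack("!H", seed) + sa.packed + da.packed
            + struct.pack("!BB", PROTO_NUMBERS[proto.lower()], 0)   # proto + 1 pad byte
            + struct.pack("!HH", sport, dport))
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


# Constructed Suricata EVE-style event and Zeek rows. The "log" field is this
# example's way of saying which Zeek log a row came from.
EVENT = {"src_ip": "93.184.216.34", "src_port": 443,      # alert fired on the server's reply,
         "dest_ip": "10.0.0.5", "dest_port": 51515,       # so src/dest are reversed vs. conn.log
         "proto": "TCP"}

ZEEK_ROWS = [
    {"log": "conn", "uid": "CJZ9yEa", "id.orig_h": "10.0.0.5", "id.orig_p": 51515,
     "id.resp_h": "93.184.216.34", "id.resp_p": 443, "proto": "tcp",
     "community_id": community_id_v1("10.0.0.5", "93.184.216.34", "tcp", 51515, 443)},
    {"log": "ssl", "uid": "CJZ9yEa", "server_name": "www.example.com"},
    {"log": "files", "uid": "CJZ9yEa", "mime_type": "application/octet-stream"},
    {"log": "conn", "uid": "CkR2pLb", "id.orig_h": "10.0.0.5", "id.orig_p": 51516,
     "id.resp_h": "93.184.216.34", "id.resp_p": 443, "proto": "tcp",
     "community_id": community_id_v1("10.0.0.5", "93.184.216.34", "tcp", 51516, 443)},
    {"log": "ssl", "uid": "CkR2pLb", "server_name": "www.example.com"},
]


def select_zeek_rows(event, rows, seed=0):
    """Rows a forwarder would ship for one event: matching conn rows plus rows sharing their uid."""
    cid = community_id_v1(event["src_ip"], event["dest_ip"], event["proto"],
                          event["src_port"], event["dest_port"], seed)
    uids = {r["uid"] for r in rows if r.get("log") == "conn" and r.get("community_id") == cid}
    return cid, [r for r in rows if r.get("uid") in uids]
```

The seed must be the same on every producer: Zeek and Suricata both default it to 0, and a sensor configured with a different seed on one side will never join. Note also that the ID identifies a 5-tuple, not a connection, so a reused client port yields the same ID for two different sessions; that is why the selection above goes through conn.log and `uid` rather than matching `community_id` on every log directly.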

OneNote File Support

  • [BCD-23001] OneNote files are now supported for analysis by BluVector ATD.

    • The system will extract and identify OneNote files in raw network traffic.

    • Users can configure ClamAV, Yara and IOCHunter to analyze OneNote files.

    • OneNote files will be extracted as sub-objects if they are embedded in other supported file types or file archives.

ThreatQuotient Intel Feed

  • [BCD-22943] ThreatQuotient is now supported as an intelligence provider.

    • Users can configure the ThreatQuotient intel provider via the UI or Config CLI.

    • The system will pull intelligence signatures and include signature details in matching events.

Health Alerts for Event Rate Exceptions

  • [BCD-22891] Health Alerts will be generated when the event rate of a system exceeds a maximum value.

    • Event rate exception threshold for a Central Manager is 100 events per second.

    • Event rate exception threshold for a Collector/Sensor is 10 events per second.

Enhancements

DEPRECATIONS

  • [BCD-22914] Deprecated the dashboard widget that displays configurable event metrics.

  • [BCD-22916] Deprecated several unused high-cardinality metrics.

  • [BCD-22604] Deprecated IMAP Collector.

USER INTERFACE

  • [BCD-22911] Removed validation from custom IP and port groups for Suricata to allow more complex custom variable definitions.

  • [BCD-22909] User Interface will now display errors that occur while deploying configuration changes.

  • [BCD-23139] Added a new API endpoint to gather metrics.

  • [BCD-16716] Improved error message when trying to access a service the sensor isn’t entitled to use.

DATAFLOW

  • [BCD-22920] TLSH hashes are now calculated and added to file metadata.

  • [BCD-22762] Added a timestamp for when a forwarded event is received on the Central Manager.

  • [BCD-22913] Added detection telemetry fields: Event ID, Suricata Signature Name, Suricata Signature Severity.

  • [BCD-22997] Added configurable threshold for Dropped Packets Health Alert (I118).

  • [BCD-23023] Improved retry logic for Suricata Artifact Storage group failures.

  • [BCD-23028] Artifact Storage health endpoint now supports standalone sensors as well as clusters.

  • [BCD-23041] Errors encountered while sending files to DMAC for post analysis will now show up in DMAC results.

PLATFORM

  • [BCD-11047] vim is now included on the host system.

  • [BCD-22750] Python module hvac is not included on the host system.

  • [BCD-22907, BCD-23020] l2_address (MAC address) for source and destination hosts is now included in Zeek based file events and Event details view.

  • [BCD-23027] Support for Gen4 ATD hardware added.

  • [BCD-23039] Separate SSH keys are now supported for users when Smartcard authentication is enabled.

  • [BCD-22229] Enable syslog for journald logs.

  • [BCD-22819] Improved upgrade pre-checks and error handling.

Bug Fixes

  • [BCD-22922, BCD-22994] Multiple third party packages upgraded to address potential security vulnerabilities.

  • [BCD-22545] Fixed issue where a DNS configuration change might not propagate into running containers.

  • [BCD-22746] Fixed issue where event count would render on the events page as a variable instead of the count number.

  • [BCD-22968] Fixed issue where telemetry events are occasionally not sent to portal.

  • [BCD-23159] Fixed issue where Event ID was not available for use in a Connector.

  • [BCD-23195] Fixed issue where epoch time did not work in a Connector.

  • [BCD-23207] Fixed issue where Health checks could not connect to some services.

  • [BCD-23246] Fixed issue where bvadmin could escalate privileges using sudo and systemctl.

  • [BCD-23268] Fixed issue where In-Situ manual deploy of retrain would not work via GUI.

Release 5.1.0

DEPRECATIONS

The following features have been removed from the product due to lack of use:

  • [BCD-17877] Napatech-based SKUs and hardware are no longer supported.

  • [BCD-22108] Google authenticator is no longer supported for two-factor authentication.

  • [BCD-22250] Removed ThreatConnect integration.

  • [BCD-22262] Removed file reputation analyzer.

  • [BCD-22511] Removed Cuckoo post analyzer integration.

  • [BCD-22596] Removed CLI aliases for containers no longer used in ATD.

USER INTERFACE

  • [BCD-6766, BCD-18888, BCD-19516, BCD-22663] System will now disable users within 24 hours of them being removed from a remote domain group that previously allowed them access

  • [BCD-21237, BCD-21481] New “Most Recent File Uploads” section added to Upload Files page. New section allows users to quickly pivot to events created by a non-pcap file upload.

  • [BCD-21423, BCD-21881] Telemetry on use of user interface features is now opt-in and configurable.

  • [BCD-21515] User role is now displayed as part of the user profile.

  • [BCD-22085] Apache removed from the GUI technology stack and NGINX is now exposed.

  • [BCD-22540, BCD-22565] Updated Session options on Learning Stats page including renaming SMTP to EML and removing GUI Upload.

6.7.3 DATAFLOW

  • [BCD-15070] Intel service now supports STIX 2.1 format.

  • [BCD-20231] Option to automatically adjudicate samples based on DMAC analysis results added.

  • [BCD-20718] Intel service will now fetch and write IoCs in batches reducing memory load during intel updates.

  • [BCD-21504, BCD-21505] Upgraded sqlalchemy and urllib3 packages to address known vulnerabilities.

  • [BCD-22553] Added mongodb-database-tools package to sensor container.

  • [BCD-22581] Updated Suricata rules validation in artifact storage to handle custom variables.
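As an added illustration of what STIX 2.1 intel support and batched IoC writes involve (example code written for these notes, not BluVector's intel service): the block below pulls the equality comparisons out of STIX 2.1 indicator patterns, skips indicators not modified since the last fetch time, and hands the results over in fixed-size batches so a large feed is never held in memory at once. The bundle, its identifiers, the IoC type labels and the `import_iocs` entry point are all constructed for the example.

```python
"""Added example for these notes: turn a STIX 2.1 bundle into IoCs, in batches.

Illustrative code, not BluVector's intel service. It assumes the feed returns
a STIX 2.1 bundle as JSON and that equality comparisons inside indicator
patterns are the values we want to match on.
"""
import json
import re
from datetime import datetime
from typing import Iterator, Optional

# Constructed bundle (not real intel); the SHA-256 below is a placeholder.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--22222222-2222-4222-8222-222222222222",
            "created": "2024-01-01T00:00:00Z", "modified": "2024-01-01T00:00:00Z",
            "name": "constructed C2 domain", "pattern_type": "stix",
            "pattern": "[domain-name:value = 'c2.example.test']",
            "valid_from": "2024-01-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--33333333-3333-4333-8333-333333333333",
            "created": "2024-01-01T00:00:00Z", "modified": "2024-01-02T00:00:00Z",
            "name": "constructed dropper", "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "' OR ipv4-addr:value = '192.0.2.10']",
            "valid_from": "2024-01-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--44444444-4444-4444-8444-444444444444",
            "created": "2024-01-01T00:00:00Z", "modified": "2024-01-03T00:00:00Z",
            "name": "constructed, not a STIX pattern", "pattern_type": "snort",
            "pattern": "alert tcp any any -> any any (msg:\"x\"; sid:1;)",
            "valid_from": "2024-01-01T00:00:00Z",
        },
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--55555555-5555-4555-8555-555555555555",
         "created": "2024-01-01T00:00:00Z", "modified": "2024-01-01T00:00:00Z",
         "name": "constructed family", "is_family": True},
    ],
})

# One STIX comparison expression: <object-type>:<object-path> <op> '<literal>'.
# Object paths may contain quoted keys, e.g. file:hashes.'SHA-256'.
_COMPARISON = re.compile(
    r"([a-z0-9-]+):((?:[A-Za-z0-9_.\-]|'[^']*')+)\s*(!=|>=|<=|=|>|<|LIKE|MATCHES)\s*'((?:[^'\\]|\\.)*)'"
)

# STIX object type + path -> IoC type label used downstream (labels are assumed).
_IOC_TYPES = {
    ("domain-name", "value"): "domain",
    ("ipv4-addr", "value"): "ipv4",
    ("ipv6-addr", "value"): "ipv6",
    ("url", "value"): "url",
    ("email-addr", "value"): "email",
    ("file", "hashes.'SHA-256'"): "sha256",
    ("file", "hashes.'MD5'"): "md5",
}


def parse_pattern(pattern: str) -> list:
    """Return (ioc_type, value) pairs for every equality comparison in a STIX pattern.

    Negations, LIKE/MATCHES and unknown object paths are skipped: they cannot be
    turned into a plain indicator value without changing their meaning.
    """
    iocs = []
    for obj_type, path, op, literal in _COMPARISON.findall(pattern):
        if op != "=":
            continue
        ioc_type = _IOC_TYPES.get((obj_type, path))
        if ioc_type is None:
            continue
        value = re.sub(r"\\(.)", r"\1", literal)  # undo STIX string escapes (\' and \\)
        if ioc_type in ("domain", "sha256", "md5", "email"):
            value = value.lower()  # case-insensitive indicator types, normalised once here
        iocs.append((ioc_type, value))
    return iocs


def parse_timestamp(value: str) -> datetime:
    """STIX timestamps are UTC with a trailing Z; make them aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def iter_iocs(bundle_json: str, since: Optional[datetime] = None) -> Iterator[dict]:
    """Yield IoC records, keeping only STIX-pattern indicators modified after `since`.

    Honouring `since` (the last successful fetch time) is what makes an
    incremental update incremental instead of re-importing the whole feed.
    """
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        if since is not None and parse_timestamp(obj["modified"]) <= since:
            continue
        for ioc_type, value in parse_pattern(obj["pattern"]):
            yield {"type": ioc_type, "value": value, "source": obj["id"], "modified": obj["modified"]}


def batched(records, size: int) -> Iterator[list]:
    """Group an iterator into lists of at most `size` records."""
    batch = []
    for record in records:
        batch.append(record)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


def import_iocs(bundle_json: str, since: Optional[datetime] = None, batch_size: int = 2) -> list:
    """Drive the pipeline; returns the batches so a caller can write each one as it arrives."""
    batches = list(batched(iter_iocs(bundle_json, since), batch_size))
    for i, batch in enumerate(batches):
        print(f"batch {i}: {[(r['type'], r['value']) for r in batch]}")
    return batches
```

Run stand-alone it imports the constructed bundle in batches of two; passing `since=parse_timestamp("2024-01-01T12:00:00Z")` drops the indicator that was last modified before that time, which is the behaviour an incremental fetch relies on.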

6.7.4 PLATFORM

  • [BCD-20964, BCD-21174] Lead analyst role now available as an option when creating or editing accounts in Cockpit. “Staff” role name changed to “User” in Cockpit.

  • [BCD-20983] System administrators can now change their own and other user passwords from the CLI.

  • [BCD-21076] Upgraded to Cockpit version 264.2.

  • [BCD-21281] BV Join page in Cockpit has improved performance when dealing with large numbers of collectors.

  • [BCD-21719, BCD-22239] Updated multiple platform packages to address known vulnerabilities.

  • [BCD-22096] Added bind-utils package and its dependencies to the platform.

  • [BCD-22549] Updated and improved backup and restore scripts for 5.x versions.

6.7.5 DETECTION & LEARNING

  • [BCD-21647] Updated LNK file parser and detection model.

  • [BCD-22112, BCD-21648] Updated OOXML file parser. Updated DOCX and XLSX detection models.

  • [BCD-22198] Updated Yara to version 4.2.3.

Bug Fixes

  • [BCD-20619] Fixed issue where intel service was not honoring last_fetch time.

  • [BCD-20710] Fixed issue preventing pcap uploads on a central manager from working correctly.

  • [BCD-21698] Fixed issue where multiple runs of the same artifact storage plugin before the first run completed could result in failures.

  • [BCD-21731] Fixed issue where GUI would return a server error when using SSO without a configured XML metadata file.

  • [BCD-21754] Fixed issue preventing use of sudo to run supervisorctl in the sensor container.

  • [BCD-22065] Fixed issue with delete and success messages reappearing after being closed/dismissed on the File Upload page.

  • [BCD-22066] Fixed issue where file deleted under Existing Library Content not reflecting under Filetypes Currently in Library.

  • [BCD-22114] Fixed issue where using the Set Status dropdown on the Threat Vectors page did not consistently update the status indicators of the changed events.

  • [BCD-22115] Fixed issue where an incorrect error message was displayed when using the Set Status dropdown on the Threat Vectors page when no thumbnail was selected.

  • [BCD-22189] Fixed issue where newly generated support bundles would be immediately uploaded to the Portal. System now waits for user to initiate upload.

  • [BCD-22222] Fixed issue preventing a central manager from uploading a support bundle generated on a collector to the portal.

  • [BCD-22235] Fixed issue preventing the “View Related Events” button on the Suricata Rules Management page from working.

  • [BCD-22386] Fixed issue handling large Suricata signature IDs.

  • [BCD-22542] Fixed issue where server error was generated when testing Portal connectivity without a Portal API key configured.

  • [BCD-22554] Fixed issue where configuration migration rollbacks during failed upgrades were not performed properly.

  • [BCD-22559] Fixed issue in output keymaps preventing correct mapping of email header fields.

  • [BCD-22619, BCD-22682] Fixed issues preventing the capture and display of stderr output when running an exec bundle.

  • [BCD-22628, BCD-22629, BCD-22692, BCD-22695] Fixed multiple issues preventing smooth upgrades from Cockpit ATD Upgrade page.

  • [BCD-22635] Fixed issue preventing upload of large suricata rules files (any file taking more than 10 seconds to upload).

  • [BCD-22660] Fixed image placement when scrolling through dashboard widget previews

  • [BCD-22679] Fixed issue preventing some cron jobs from running in the sensor container

6.8 Release 5.0.1

6.8.1 PLATFORM

  • [BCD-21441] Added support for UEFI bootloader.

  • [BCD-21514] Added the following packages:

    • netstat

    • lsof

    • tree

6.9 Release 5.0.0

6.9.1 ORACLE LINUX 8

  • [BCD-18755] Changed the base operating system to Oracle Linux 8. Updating from a previous ATD version to 5.0.0 requires a fresh install. In general, functionality throughout the product remains the same. Most Cockpit pages remain unchanged, including bv-join.

  • [BCD-18978] Software upgrades work slightly differently than before. The upgrade page in Cockpit has been renamed to ATD Upgrade. Users are given a dropdown to directly select Long Term Stable, General Availability, or Limited Availability (if applicable). The page will poll the BluVector Portal to determine the latest available version for the selected release. If there is an available release, users will have the option to Upgrade, which triggers downloading, installing, and rebooting into the new release as in previous versions.

  • The following customer-accessed containers have also had their base operating system updated:

      • [BCD-18651] Sensor container (updated to Oracle Linux 8)

      • [BCD-20816] Ingest container (updated to Oracle Linux 8)

  • As a part of this change, numerous software components using Python code have been upgraded to Python 3.8. There is no longer any Python code older than 3.8 on the system.

  • For continuity, the base operating system layer will continue to be referred to as “BAH” throughout BluVector documentation, but going forward “BAH” will refer to the “BluVector ATD Host”.

Enhancements

6.9.2 USER INTERFACE

  • [BCD-16486] Improved the test connectivity function for the following Intel services:

      • MISP

      • AlienVault

      • TAXII

      • ThreatConnect

  • [BCD-18796] Decluttered the search options dropdown to prevent it from covering parts of the Event Viewer while in use. This was done by removing a few elements from the search options dropdown that expands when users are typing an event query. The Filters feature has been deprecated, and the Saved Searches have been moved into a separate dropdown.

  • [BCD-19232] Added the ability to pull BluVector ATH certificates over the API by entering an admin credential when configuring ATD to forward to ATH.

  • [BCD-19428] Improved the bv-join page’s refresh behavior. The page will now update status every 30 seconds normally, or every 5 seconds while a join or unjoin is occurring. Previously, the page updated every 5 seconds at all times. This could cause a backup of operations when updates take more than 5 seconds to perform with many collectors.

  • [BCD-19430] Improved the UI help text when configuring ATD to forward to ATH. In particular, it is noted that the Zeek Long Connection script must be enabled for certain analytics to operate, and the user must manually enable the script.

  • [BCD-19518] Added commas to event counts in the Event Viewer, as in Showing 1 to X of Y (filtered from Z). Counts of 1000 or more will now render as 1,000 and so on.

  • [BCD-19591] Improved consistency of the layout of Confirm and Cancel buttons on UI pop-ups. These buttons or similar buttons have been more consistently grouped to the right side of pop-ups.

  • [BCD-20067] Removed an undocumented icon allowing users to change the status of events from Threat Vectors cards. Multiple ways of setting event status remain.

  • [BCD-20506] The API documentation can now be downloaded as a PDF in Redoc format.

  • [BCD-20521] Improved the presentation of the Hunt Scores Summary dashboard widget when displaying large counts.

  • [BCD-20543] Added an activity feed to the User Interface. This is implemented as an optional dashboard widget. Recent user behavior is shown for the following actions:

      • User writes a note

      • User adjudicates an event

      • User deploys configuration

      • User submits to BluVector

      • User deploys a new classifier

  • [BCD-20720] Added a copy-to-clipboard option when selecting API keys and when selecting collector hostnames in the configuration.

  • [BCD-21027] Increased the minimum number of files needed to perform a Hector retrain from 0 to 1.

  • [BCD-21118] The notifications dropdown no longer shows read messages.

6.9.3 DATAFLOW

  • [BCD-19305] Added a health alert that triggers on a CM when large numbers of incoming events from Collectors are being dropped (over 100 drops within 15 minutes on a single queue).

  • [BCD-20201] Added new metrics to the CLI metrics tool (influx) that capture when SFA (Scalable File Analyzer) sub-processes drop messages.

  • [BCD-20206] Added an additional API endpoint to the Artifact Storage API which displays status on artifacts and whether they have or have not been synced from upstream yet.

  • [BCD-20998] Improved handling of extracting LZH files. They are no longer extracted into a larger number of files than actually exist as an intermediate step in analysis.

6.9.4 PLATFORM

  • [BCD-18843] The following containers will now restart on failure. Previously, these did not have an automatic response if the container crashed.

    • bv-gui

    • bv-gui-celery

    • ingest

    • telegraf

  • [BCD-20709] The script upload-artifact.sh is now available at the BAH platform and can be used to upload content to the Artifact Store system without having to enter a container.

  • [BCD-20832] Updated the Postgres database within the sensor container to version 14.2.

  • [BCD-20844] Updated Mongo to version 5.0.6 along with associated packages.

  • [BCD-20924] Increased the number of Insitu API processes from 2 to 3 to reduce the likelihood of the API backing up during bulk file submissions.

  • [BCD-21013] Upgraded multiple software packages to address known security vulnerabilities.

  • [BCD-21027] Installed TMUX into the platform for use by users.

6.9.5 DETECTION & LEARNING

  • [BCD-18685] Updated one of Hector’s filetyper methods to improve performance.

  • [BCD-18898] Improved the APK parser by adding the ability to count Resource Types within files.

  • [BCD-21133] The duration of the lookback graphs generated when reviewing Hector classifiers is now configurable only from the CLI. The default remains 24 hours.

Bug Fixes

  • [BCD-18936] Updated several internal scripts to use newer versions of the API.

  • [BCD-20228] Fixed an issue where Suricata rule uploads could present an error for duplicated file uploads based on a prior attempted submission.

  • [BCD-20596] Fixed an issue where refreshing the bv-join page could cause an underway join process to terminate.

  • [BCD-20712] Fixed a data field that was being sent to BluVector telemetry with an incorrect label when telemetry is enabled (packets_recv).

  • [BCD-20866] Improved error handling in the Artifact Storage system.

  • [BCD-20870] Fixed an issue in which UI notifications generated by Yara could sometimes not be deleted.

  • [BCD-21025] Fixed an issue where the Extractor would not flag encrypted files that could not be decrypted, even if the configuration option to do so was enabled.

  • [BCD-21084] Fixed a bug where Hector classifier retrain results could fail to show data due to an error in how the test file lists were constructed.

  • [BCD-21195] Fixed the SKU identification for Gen 3 HD hardware.

6.10 Release 4.2.4

6.10.1 Suricata Rules Validation

• [BCD-20860] Suricata rules will be tested/validated when uploaded.

  • Users will receive a message in the UI if uploaded Suricata rules cannot be parsed by the Suricata engine.

  • Suricata rules management now supports valid escape characters in rules

  • Users may configure the artifact storage and Suricata rules management system to not enforce validation. Rules failing to parse will be ignored by Suricata.
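The check that matters is the one the Suricata engine itself performs on upload (the same thing `suricata -T` does with a rule file and config). As an added illustration of the structural checks such a validator has to get right, here is a pre-upload syntax check written for these notes; it is not BluVector's validator. It splits the option block on `;` without tripping over the backslash escapes Suricata allows inside strings (the case the escape-character fix above is about), rejects missing or duplicate `sid`s and unquoted `content`/`msg`/`pcre` values, and flags any `$VARIABLE` the configuration does not define, which is where custom variables come in. The rules file is constructed; one rule per line, without Suricata's backslash line continuation; address and port lists are assumed not to contain spaces.

```python
r"""Added example for these notes: a syntax pre-check for a Suricata rules file.

Illustrative code, not BluVector's validator. The authoritative test is the
engine itself (suricata -T with the rule file and config); this mirrors the
structural checks a parser must get right, in particular splitting the option
block on ';' without breaking on the escapes Suricata allows inside strings
(\; \" \\ and \:), and flagging variables the configuration does not define.
"""
import re
from typing import Optional

# Constructed rules file (not real signatures): two valid rules, then four that
# a careful parser must reject. One rule per line; backslash line continuation
# is not handled in this example.
SAMPLE_RULES = r'''
# comment line
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"valid rule"; flow:established,to_server; http.uri; content:"/admin"; sid:1000001; rev:1;)
alert tcp any any -> any 445 (msg:"escape \"quoted\" and \; in content"; content:"a\;b\"c"; sid:1000002; rev:2;)
drop tcp any any -> any any (msg:"missing closing paren"; sid:1000003; rev:1;
alert tcp any any -> any any (msg:"no sid"; content:"x";)
alert udp $HOME_NET any -> any 53 (msg:"dns"; sid:1000001; rev:1;)
alert tcp $DMZ_NET any -> any any (msg:"custom variable"; sid:1000004; rev:1;)
'''

_ACTIONS = {"alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth"}
# action proto src sport dir dst dport (options); lists must not contain spaces here
_HEADER = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
_VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
_QUOTED_KEYWORDS = {"msg", "content", "pcre"}


def split_options(opts: str) -> list:
    r"""Split the option block into (keyword, value) pairs.

    A ';' preceded by a backslash is part of the value, not a separator, so
    content:"a\;b" stays one option. The escape is kept verbatim; the engine
    decodes it later.
    """
    items, buf, escaped = [], [], False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ";":
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("option block ends with a dangling backslash")
    if "".join(buf).strip():
        raise ValueError("last option is not terminated with ';'")
    pairs = []
    for item in items:
        if not item:
            raise ValueError("empty option (';;')")
        key, sep, value = item.partition(":")
        pairs.append((key.strip(), value.strip() if sep else None))
    return pairs


def validate_rule(line: str, known_vars: set, seen_sids: set) -> Optional[str]:
    """Return an error message for one rule line, or None if it passes."""
    m = _HEADER.match(line)
    if not m:
        return "header does not match 'action proto src sport dir dst dport (options)'"
    if m["action"] not in _ACTIONS:
        return f"unknown action {m['action']!r}"
    for field in ("src", "sport", "dst", "dport"):
        for var in _VAR.findall(m[field]):
            if var not in known_vars:
                return f"undefined variable ${var} in {field}"
    try:
        opts = split_options(m["opts"])
    except ValueError as exc:
        return str(exc)
    for key, value in opts:
        if key in _QUOTED_KEYWORDS:
            text = (value or "").lstrip("!")  # content:!"x" negates a match
            if len(text) < 2 or text[0] != '"' or text[-1] != '"':
                return f"{key} value must be double-quoted"
    sid = next((v for k, v in opts if k == "sid"), None)
    if sid is None or not sid.isdigit():
        return "missing or non-numeric sid"
    if sid in seen_sids:
        return f"duplicate sid {sid}"
    seen_sids.add(sid)
    return None


def validate_rules(text: str, known_vars=("HOME_NET", "EXTERNAL_NET")) -> list:
    """Check every rule in a file; returns [(line_number, error), ...], empty when all pass."""
    problems, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        err = validate_rule(line, set(known_vars), seen)
        if err:
            problems.append((lineno, err))
    return problems


if __name__ == "__main__":
    for lineno, err in validate_rules(SAMPLE_RULES):
        print(f"line {lineno}: {err}")
```

With only the two default variables defined, the last rule fails on `$DMZ_NET`; passing `known_vars=("HOME_NET", "EXTERNAL_NET", "DMZ_NET")` clears it, which is the reason a validator has to be fed the configured custom variables rather than a fixed list.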

6.10.2 Zeek Log Forwarder

• [BCD-22823] Zeek Forwarding forwards, via Kafka, only the Zeek logs whose community id matches the one associated with the event.

  • Users can configure a new Output called Zeek Forwarder

  • When enabled, Zeek forwarding also enables calculation of the community id in both Zeek and Suricata.
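The reason both engines have to compute the community id is that it is the join key: a Community ID v1 hash is direction-independent, so a Suricata alert that fired on the response packet and Zeek's connection record for the same flow carry the same value. As an added illustration, not BluVector's forwarder, the block below computes the hash and uses it to pick out the Zeek records for one event. It assumes both sides use the same seed (0 here), that Zeek's `conn.log` carries a `community_id` field while other Zeek logs are joined to it through the connection `uid`, and that the logs are JSON lines. The log records, the alert and the identifiers are constructed; only TCP, UDP and SCTP flows are handled (ICMP needs the spec's type/code mapping).

```python
"""Added example for these notes: compute a Community ID and use it to select
the Zeek log lines that belong to one event. Not BluVector's Zeek Forwarder.
"""
import base64
import hashlib
import ipaddress
import json
import struct

_PROTO_NUM = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(saddr: str, daddr: str, proto: int, sport: int, dport: int, seed: int = 0) -> str:
    """Community ID v1 for a TCP/UDP/SCTP flow.

    The endpoints are put in canonical order before hashing, so a packet seen
    client->server and its reply hash to the same value; that is what lets an
    IDS alert and a passive sensor's connection record be joined on one key.
    Both sides must use the same seed (0 is the usual default).
    """
    if proto not in _PROTO_NUM.values():
        # ICMP needs a type/code-to-port mapping that this example leaves out.
        raise ValueError("only TCP, UDP and SCTP are handled here")
    src = ipaddress.ip_address(saddr).packed
    dst = ipaddress.ip_address(daddr).packed
    if (src, sport) > (dst, dport):
        src, dst, sport, dport = dst, src, dport, sport
    # seed(2, big-endian) | saddr | daddr | proto(1) | pad(1) | sport(2) | dport(2)
    data = struct.pack("!H", seed) + src + dst + struct.pack("!BBHH", proto, 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def zeek_conn_community_id(conn: dict, seed: int = 0) -> str:
    """Community ID for a Zeek conn.log entry, as the community-id package writes it."""
    return community_id_v1(conn["id.orig_h"], conn["id.resp_h"], _PROTO_NUM[conn["proto"]],
                           conn["id.orig_p"], conn["id.resp_p"], seed)


# Constructed Zeek JSON log records (not real traffic). conn.log carries the
# community_id; dns.log and ssl.log are joined to it through the connection uid.
CONN_A = {"_path": "conn", "uid": "CAbcd1example", "id.orig_h": "10.1.2.3", "id.orig_p": 51234,
          "id.resp_h": "198.51.100.7", "id.resp_p": 53, "proto": "udp"}
CONN_B = {"_path": "conn", "uid": "CXyz2example", "id.orig_h": "10.1.2.9", "id.orig_p": 40001,
          "id.resp_h": "203.0.113.5", "id.resp_p": 443, "proto": "tcp"}
for _conn in (CONN_A, CONN_B):
    _conn["community_id"] = zeek_conn_community_id(_conn)
ZEEK_LOG_LINES = [json.dumps(rec) for rec in (
    CONN_A,
    {"_path": "dns", "uid": "CAbcd1example", "query": "lookup.example.test", "qtype_name": "A"},
    CONN_B,
    {"_path": "ssl", "uid": "CXyz2example", "server_name": "other.example.test"},
    {"_path": "dns", "uid": "CQrs3example", "query": "unrelated.example.test", "qtype_name": "A"},
)]

# Constructed Suricata EVE alert. It fired on the DNS response, so src/dest are
# the reverse of Zeek's orig/resp; the community_id still matches CONN_A.
SURICATA_EVENT = {
    "event_type": "alert", "proto": "UDP",
    "src_ip": "198.51.100.7", "src_port": 53, "dest_ip": "10.1.2.3", "dest_port": 51234,
    "alert": {"signature_id": 1000010, "signature": "constructed DNS test signature"},
}
SURICATA_EVENT["community_id"] = community_id_v1(
    SURICATA_EVENT["src_ip"], SURICATA_EVENT["dest_ip"], _PROTO_NUM[SURICATA_EVENT["proto"].lower()],
    SURICATA_EVENT["src_port"], SURICATA_EVENT["dest_port"])


def select_zeek_logs(community_id: str, log_lines: list) -> list:
    """Return only the Zeek records tied to the flow with this Community ID.

    conn.log is matched on community_id directly; every other log type is
    pulled in through the uid of the matching connection(s).
    """
    records = [json.loads(line) for line in log_lines]
    uids = {r["uid"] for r in records
            if r.get("_path") == "conn" and r.get("community_id") == community_id}
    return [r for r in records if r.get("uid") in uids]


if __name__ == "__main__":
    for rec in select_zeek_logs(SURICATA_EVENT["community_id"], ZEEK_LOG_LINES):
        print(rec["_path"], rec["uid"])
```

Run stand-alone it prints the `conn` and `dns` records for the alerted flow and nothing for the unrelated TLS connection or the stray DNS query. If the two engines were configured with different seeds the IDs would never match and nothing would be forwarded, which is the first thing to check when a forwarder is silent.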

6.10.3 OneNote File Support

• [BCD-23001] OneNote files are now supported for analysis by BluVector ATD.

  • The system will extract and identify OneNote files in raw network traffic.

  • Users can configure ClamAV, Yara and IOCHunter to analyze OneNote files.

  • OneNote files will be extracted as sub-objects if they are embedded in other supported file types or file archives.

Enhancements

6.10.4 USER INTERFACE

  • [BCD-22257] Users will now receive a system notification in the UI if their license is within 2 weeks of expiration. For collectors, these messages will be visible in the central manager as well.

  • [BCD-22382, BCD-22562] Text of Yara rule that hit on a file is now available as part of the event and viewable in the GUI.

  • [BCD-22630] Users can now add Event ID as a column in the Event table view.

  • [BCD-22843] Complete Suricata process log is now available through the collectors/suricata/logs/ API endpoint.

  • [BCD-22847] Suricata default port groups are now configurable in the UI.

  • [BCD-22911] Removed validation from custom IP and port groups for Suricata to allow more complex custom variable definitions.

  • [BCD-23026] Username field can now be mapped during SAML configuration.

6.10.5 DATAFLOW

  • [BCD-22370] If the health monitoring system detects a stagnant events condition then SFA will now restart in addition to the ingest container.

  • [BCD-22466, BCD-23013] Artifact storage pages on central managers now display a synchronization status indicator and message in the UI. The status indicates whether all artifacts have been successfully deployed across all collectors.

  • [BCD-22574] Users will now be warned and the system will not accept invalid Zeek script uploads to artifact storage.

  • [BCD-22591] Renamed analysis.result.entry_count to extraction_count in the extractor results metadata.

  • [BCD-22920] TLSH hashes are now calculated and added to file metadata.

  • [BCD-22993] Extractor now extracts Microsoft Office files embedded in other Microsoft Office files.

6.10.6 PLATFORM

  • [BCD-11047] vim is now included as part of the BluVector Atomic Host platform.

  • [BCD-12680] FQDN must now exist when joining collectors to a central manager.

  • [BCD-18853, BCD-19175] Improvements to container resiliency and automated recovery on failure.

  • [BCD-20708] CLI execution of exec bundles now moves the exec bundle tar ball and the subsequently extracted directory to /var/execbundles to match the behavior of UI uploads.

  • [BCD-22233] Users can now configure the Zeek log rotation interval via the GUI.

  • [BCD-22260] A health alert will now be generated if port 5555 is unavailable.

  • [BCD-22907, BCD-23020] l2_address (MAC address) for source and destination hosts is now included in Zeek based file events and Event details view.

  • [BCD-22970] Backup and restore procedures no longer attempt to include file content used by the MLE for retraining.

  • [BCD-23027] Support for Gen4 ATD hardware added.

  • [BCD-23039] Separate SSH keys are now supported for users when Smartcard authentication is enabled.

6.10.7 DETECTION & LEARNING

  • [BCD-14507] Users will now be warned and the system will not accept invalid Yara rule uploads.

  • [BCD-22289] Users will now be warned if their newest ClamAV signature file is more than 48 hours old.

  • [BCD-22413] MLE updated to version 6.13.3.

Bug Fixes

  • [BCD-20328] Fixed issue preventing user access when password force change option is enabled.

  • [BCD-20865] Fixed issue in handling of file sizes above 100MB. 100MB max file size limit is still enforced.

  • [BCD-22541] Fixed issue preventing automated restarts of the bv-gui celery service.

  • [BCD-22554] Fixed issue preventing configuration migration rollbacks from working when a configuration migration fails.

  • [BCD-22559] Made mapping of the email header field consistent throughout the product.

  • [BCD-22635] Fixed issue preventing upload of large (>30 MB) Suricata rule files.

  • [BCD-22641] Fixed issue when attempting a collector-cm join while one of the system’s configuration services is unavailable.

  • [BCD-22643] Fixed issue calculating overall hunt score when the event has a hunt component that evaluates to zero.

  • [BCD-22793, BCD-22890, BCD-22981, BCD-23025] Multiple third party packages upgraded to address potential security vulnerabilities.

  • [BCD-22818] Fixed issue with number of events shown that match a Workflow rule.

  • [BCD-22876] Fixed issue preventing creation of new key maps for outputs.

  • [BCD-22929] Fixed issue causing errors when using copy-and-paste from some applications into ATD configuration forms.

  • [BCD-23033] Fixed issue where event filtering to DMAC post analyzer was not always working as expected.

6.11 Release 4.2.3

6.11.1 BACKUP AND RESTORE

• [BCD-21380] BluVector ATD™ now supports backup and restoration of the system.

  • Users can configure a backup artifact generation period from the ATD UI System configuration page.

  • Backup artifacts can be generated on-demand from a new Backup and Restore page in Cockpit.

  • Backup artifacts can be uploaded for restoration from the Cockpit page.

  • Uploaded artifacts or artifacts on disk in /var/backup can be used to restore the system to the state it was in at the time the backup artifact was created.

Enhancements

6.11.2 USER INTERFACE

  • [BCD-21019] System will now automatically attempt to upload new support bundles to the BluVector Portal if a portal API key is configured.

  • [BCD-22002] /me API endpoint on a central manager now returns a list of all joined collectors and their UUID, hostname, domain, and ATD software version.

  • [BCD-22067] User may now configure custom Suricata variables as key-value pairs on the Suricata configuration page.

6.11.3 DATAFLOW

  • [BCD-20927, BCD-21137] Entire suspicious archive will now be saved to disk instead of just the suspicious file(s) within the archive.

  • [BCD-21529] All Suricata alert metadata in eve-alerts now included in BluVector Suricata events.

  • [BCD-21535] Suricata events now include the complete Suricata signature string.

  • [BCD-21536] Clean up service added to cap disk space usage in /var/sfa/file_storage to 8% of total available disk space. Removed files will no longer be available for in-situ learning.

  • [BCD-21629] File reputation data sync is now disabled by default. File reputation analyzer will be deprecated in a future release.

  • [BCD-21813] Active files in artifact storage must now have a unique file name. If a new file is introduced whose filename matches that of an existing active file, the existing active file is switched to inactive and the new file is set to active.

6.11.4 PLATFORM

  • [BCD-18893] System now periodically captures top output to assist in debugging issues.

  • [BCD-20599, BCD-20688] Users now have the option of distributing and executing exec-bundles to all collectors from a central manager.

  • [BCD-20983] Administrators may now change local user account passwords from the CLI.

  • [BCD-21258] System will now generate a health and status alert if InfluxDB is down.

  • [BCD-21564] Kernel dumps are now disabled.

  • [BCD-21759] Option added to cm-exec-bundle script to bypass password requirement to scp bundle to collectors.

6.11.5 DETECTION & LEARNING

  • [BCD-20970] Retrains will now return the start indication more quickly.

  • [BCD-21411] The following filetypes have received retrained MLE models:

    • GUI - code.pe32.gui

    • PS1 - code.script.ps

    • VBS - code.script.vbs

    • CDL - code.pe32.dll.console

    • APK - data.archive.zip.apk

    • NATp - code.pe32+.native

    • NAT - code.pe32.native

    • CONp - code.pe32+.console

    • DOCX - data.archive.ooxml.word

    • WRD - data.cdf.word

Bug Fixes

  • [BCD-18650] Fixed an issue causing old Zeek scripts created by ATH forwarder configuration changes to not be cleaned up properly.

  • [BCD-21240] Fixed an issue where not all file statuses were changed when an archive was included in a bulk event status change.

  • [BCD-21365] Fixed an issue when showing configuration changes to Kafka event output keymaps.

  • [BCD-21406] Fixed an issue where Zeek Search end times were not always being properly honored.

  • [BCD-21470] Fixed an issue where the Evolve Classifiers page could take a long time to load.

  • [BCD-21471] Fixed an issue causing the bvadmin user to erroneously show up in the Logged In Users dashboard widget.

  • [BCD-21689, BCD-21703] Fixed an issue where deleting all Suricata rules on a central manager did not remove all rules on joined collectors.

  • [BCD-21700] If a configuration migration error occurs on upgrade of a collector, it will now roll back to the last known good configuration and the migration will be reattempted after the next sensor container restart.

  • [BCD-21710] Removed smtp as a bv-inject session option and replaced it with eml.

  • [BCD-21728] Fixed an issue where long hostnames were being cut-off on the staged configuration view.

  • [BCD-21732] Fixed an issue where some containers could not communicate to each other when using mDNS.

  • [BCD-21764] Fixed an issue where file content was not always correct when downloading files from the Library page.

  • [BCD-21771] Fixed an issue where the sensor container would fail to start if the artifact storage container stayed down for too long.

  • [BCD-21978] Fixed an issue where file reputation data was not being properly stored.

  • [BCD-21999, BCD-22000] Fixed an issue where bv-gui-celery container was failing to execute hot patches.

  • [BCD-22042] Fixed an issue preventing user logins on a collector when its central manager is unreachable.

  • [BCD-22043] Fixed an issue causing SSH key cleanups to occur on each system reboot.

6.12 Release 4.2.2

6.12.1 SAML LOGINS

• [BCD-20683] BluVector ATD™ now supports Single-Sign On (SSO) logins using SAML.

  • SAML can be configured in the configuration under the System tab, on the new SAML page.

  • SAML logins also require the user to define external groups allowed for login under the System -> Management page.

  • SAML version 2 is supported.

  • SAML logins can only be used on the ATD application and not for the BAH.

  • When SAML login is enabled, users can continue to use local system accounts to log in.

  • When SAML login is enabled, users will see a new button to initiate a SAML login operation from the main login page.

  • The SAML login feature will not function if Smart Card logins are also enabled.

Enhancements

6.12.2 USER INTERFACE

  • [BCD-20506] A formatted PDF of the API Redoc is available.

  • [BCD-20636] Excel Event downloads from the Event Viewer now include Hunt Scores.

  • [BCD-20637] The configuration will now validate Suricata Home Net lengths to their expanded limit of 65,536 characters.

  • [BCD-20830] Various Suricata variables have now been brought into the UI configuration in the same way as the Home Net. The following variables are now included:

    • HTTP servers

    • SMTP servers

    • SQL servers

    • DNS servers

    • telnet servers

    • aim servers

    • dnp3 servers

    • dnp3 clients

    • modbus servers

    • modbus clients

    • enip servers

    • enip clients

  • [BCD-20928] Lead Analyst users can now use the “Whitelist this Suricata rule” pivot in the Event Viewer. This option is now hidden from regular/staff users, who cannot use it.

  • [BCD-20933] Lead Analyst users can now edit Suricata thresholds from the UI.

  • [BCD-21037] Lead Analyst users and regular users can now use the /api/configuration/me/ endpoint on the API to access the BluVector ATD version.

  • [BCD-21363] All users can now use the Submit to BluVector feature. Previously, only admin users could.

6.12.3 DATAFLOW

  • [BCD-19209] The following elements have been removed from the default Hunt Score calculation to improve performance:

      • Host Rarity

      • Potential Targeted Campaign

      • Potential Spam Campaign

  • [BCD-20642] Intelligence downloads now track their last updated date by the timestamp when the last update began, rather than when the last update completed, to more accurately track new signatures.

  • [BCD-20944] Made various improvements to the SFA to reduce bottlenecking and backups while under strain.

  • [BCD-20945] Made various improvements to SFA processes to ensure greater resiliency to traffic spikes and backups.

  • [BCD-20982] Added new statistical data to Kafka output logging. Every five minutes, new informational logs will record how many messages are passing through the output. Additional debug logging was added to capture when individual messages are sent and processed.

  • [BCD-20995] Made various fixes to the FireEye Post Analyzer. This was tested against AX 8.4.1.883951.

  • [BCD-21137] When an event is flagged as suspicious, all contained files will now be saved to disk (applicable to archive events).

  • [BCD-21162] Event outputs now round Hector confidence scores to three significant figures rather than one.

6.12.4 PLATFORM

  • [BCD-20688] Added new options to the exec-bundle command on the CLI. Using the new flags --all or --collector, users can execute a bundle from the CLI on a CM and have it distributed to Collectors. Distribution will attempt to utilize existing SSH keys that have been exchanged between the CM and Collectors. Where security features have been enabled that remove these SSH keys, the user will instead be prompted to enter a username and password for each Collector.

  • [BCD-20930] Admin users can now read and write /etc/sssd.conf and can read /var/log/sssd.

  • [BCD-21241] Updated various third party libraries to address known vulnerabilities.

Bug Fixes

  • [BCD-15134] Fixed an issue preventing ClamAV from utilizing cached results.

  • [BCD-20524] The total volume of Targeted Logger content on disk is now limited to 10GB as intended. The oldest logs are removed first.

  • [BCD-20730] File uploads will now avoid redirecting the user to the event until the event is ready to load.

  • [BCD-20818] Fixed an issue where sometimes files available for download in the UI were not properly identified as such and could not be downloaded.

  • [BCD-20866] Artifact Storage will now time out after a reasonable length of time and log an error if it receives an error from a Collector when pushing to one.

  • [BCD-20870] Fixed an issue where UI banner messages related to Yara could not be deleted.

  • [BCD-20895] Connecting to the UI over plain HTTP will now always redirect to HTTPS, as it did previously.

  • [BCD-20935] Fixed an issue where viewing potential threshold changes on the in-situ stats page could result in queries running after the user browses away.

  • [BCD-21036] Fixed an issue where the “Clear Proxies” button in the BAH Cockpit could fail to clear proxies and also re-enable them.

  • [BCD-21060] Fixed an issue where the Event Viewer could fail to render integer values for custom selected columns.

  • [BCD-21084] Fixed a bug where Hector classifier result comparisons could fail to render when the before and after performed equally well.

  • [BCD-21415] Fixed an issue where in-situ statistics were being generated on Collectors where they could not be displayed in the UI. The stats now are collected only on CMs where applicable as intended.

  • [BCD-21634] Fixed an issue where a default suggested query had invalid syntax.

6.13 Release 4.2.1

6.13.1 USER INTERFACE

  • [BCD-19276] Improved the presentation of the dashboard at different screen resolutions.

  • [BCD-20083] Reduced the time it takes to load an event with an archive in it. The system will, as a consequence, no longer query for the timestamp when a file was last seen. It will load metadata for each file in an archive at the time the file is selected.

  • [BCD-20164] Disabled the Insitu Learning Overview page on Collectors while they are joined to a CM.

  • [BCD-20242] The first time the Insitu Learning Overview page generates results, it will now write results incrementally rather than in a batch after all queries are completed.

  • [BCD-20248] Improved the time it takes for the Learning Overview page stats to complete for the first time by triggering stat collection when the system starts up (sensor container).

  • [BCD-20264] Filenames for artifacts that are very long will now wrap to multiple lines.

  • [BCD-20375] A new option has been added to the configuration called Alternate DNS Suffixes. It is found under the System -> Management section. It allows users to specify domain names from which the system should be reachable that are different from the locally configured domain.

  • [BCD-20379] Improved the visibility of the File Upload option when in dark mode.

  • [BCD-20598] Lead Analyst users can now view Suricata rule details and thresholds in the Event Viewer.

  • [BCD-20600] Lead Analyst users can now view all system notifications in the UI. They have the same access to these notifications as admin users.

  • [BCD-20711] After a PCAP is uploaded, the link that pivots users to the Event Viewer will now search for the PCAP ID within a two hour window instead of searching all time.

  • [BCD-20732] The text notification provided to users after Suricata rules are uploaded has been updated to accurately reflect the Artifact Store.

6.13.2 DATAFLOW

  • [BCD-20193] The threshold for the Disk Space Near Full health alert has been reduced from 95% to 90%. The alert will now trigger sooner when a disk is filling.

  • [BCD-20257] Artifact Store transfer times have been improved across the board. In general, artifacts should copy several times faster.

  • [BCD-20321] Files from Artifact Store that are written to disk are now generally written with their actual filename. A portion of their SHA256 is appended if there is a filename collision.

  • [BCD-20443, BCD-20485] The following Zeek log types have been added to the default ATH Forwarder configuration:

      • SMB_FILES

      • SMB_Mapping

      • DCE_RPC

      • NTLM

  • [BCD-20471] Detection telemetry has been changed to opt-in. Customers currently using Detection telemetry must re-enable it if they wish.

  • [BCD-20609] Insitu bundles are no longer synced from CM to collectors. This change applies to new collectors or to existing collectors at join time. Syncing can be disabled for existing, joined collectors by turning off sync for each collector in the Insitu repo.

  • [BCD-20666] The default configuration setting for Hector Learning Automation is now ‘Automatically Deploy’. This means that Insitu will attempt to retrain classifiers as soon as the recommended count of eligible samples has been reached and will automatically deploy the classifier if it is more accurate against test data and retrained samples than the previous classifier. Customers who have previously chosen a nondefault setting such as Automatically Train will not have the value updated.

6.13.3 PLATFORM

  • [BCD-20202, BCD-20503, BCD-20588] Updated several packages according to the results of the latest Nessus scans.

  • [BCD-20256] The memory limit on the InfluxDB container has been removed to allow for proper retrain performance.

  • [BCD-20602] Some changes previously deployed as a part of hotfixes have been reverted, particularly around memory limits. All affected changes will result in systems using new, validated default settings.

  • [BCD-20681] The maximum variable size for Suricata, such as for the Home Net, has been increased from 8196 characters to 65,536 characters.

6.13.4 DETECTION & LEARNING

  • [BCD-20218] The following filetypes have received retrained Hector models:

    • VBS - code.script.vbs

    • ELF64 - code.elf.x86-64

    • GDL - code.pe32.dll.gui

    • GUI - code.pe32.gui

    • GUIp - code.pe32+.gui

    • APK - data.archive.zip.apk

    • PS1 - code.script.ps

  • [BCD-20293] Insitu bundles from previous releases can be removed once they can no longer be used. This can be triggered by running /usr/bin/bv-clean-insitu-bundles in the sensor container.

Bug Fixes

  • [BCD-17969] Updated the event query syntax help to accurately reflect email app types.

  • [BCD-18759] Fixed an issue where MISP intel incremental updates pulled in all signatures on every pull instead of only the new ones.

  • [BCD-18780] Fixed a bug that could prevent a collector from being Force Removed while in degraded state.

  • [BCD-19691] PinPoint event counts are now based on file status rather than event status.

  • [BCD-20002] Made a moderate improvement to the load times for the ContentTypes widget in the Event Details Screen.

  • [BCD-20019] The Zeek Search page now returns a clearer response to the user if a query returns too much data for the search functionality to handle (for example, using a wildcard search).

  • [BCD-20021] Fixed an issue that could prevent the Dataflow dashboard widget from loading.

  • [BCD-20022] Fixed an issue with downloading targeted logger information as a zip file.

  • [BCD-20058] Fixed an issue where the Extractor was not counting recursive files as intended.

  • [BCD-20137] Fixed an issue where ThreatVector would stop loading thumbnails if there were too many cards on the page.

  • [BCD-20161] Fixed an issue where bv-insitu-library-api was not restarting when it was unavailable.

  • [BCD-20322] The Artifact store will now re-try syncing artifacts from the Portal or to Collectors if syncing is interrupted for any reason.

  • [BCD-20324] Artifacts uploaded to CMs will now have their source set to ‘Central Manager Upload’ properly. This ensures that the artifacts cannot be deleted from Collectors (only to be re-synced immediately).

  • [BCD-20329] The Event Content download button will now display if an archive contains a sub-file which is available for download.

  • [BCD-20374] Fixed an issue where the CM could fail to show task completion when uploading scripts to a single Collector.

  • [BCD-20499] Fixed an issue where the Insitu Learning Overview page was not sorting properly on hit rate.

  • [BCD-20507] Fixed an issue where PinPoint Suricata pivots could fail to yield matching events.

  • [BCD-20530] Fixed an issue where some Suricata events did not get targeted logger results.

  • [BCD-20567] Fixed a bug preventing users from adding Suricata thresholds via the rules management interface in the CM UI.

  • [BCD-20733] Lead Analysts can now apply Suricata rule updates.

  • [BCD-20749] Fixed a bug where the certificate for the CM was being shown for all the different collectors instead of displaying each individual collector’s certificate.

6.14 Release 4.2.0

6.14.1 EVENT AND FILE CARD UNIFICATION

• [BCD-16270] Joined the Event Card and File Cards into a single view

  • The new Event view is organized into 5 sections:

    • Event Metadata

    • File Analysis (including File Metadata and Analyzer results)

    • Event Analysis (such as Suricata results, if applicable)

    • Context (Correlated Events, Targeted Logs)

    • Notes

  • The File Analysis section lists all files present in archives with their status and flags

    • Selecting a file from the archive dropdown displays metadata and analysis for the file

    • Files in the dropdown are sorted by status

  • On the event table, the blue icon which previously expanded events has been removed. Instead, clicking the content in the ‘Analysis’ column opens the event. The content will be either a filename or a Suricata event summary, as before.

6.14.2 NEW METRICS WIDGET

• [BCD-16268] Added the optional ‘Ingest Metrics’ widget to the Dashboard.

  • Can be added to the Dashboard for any ATD Sensor or CM

  • Displays packets/bytes received/dropped on the ingest interface over time

  • Shows stats for all joined collectors when viewed on a CM

6.14.3 NOTIFICATIONS REFACTOR

• [BCD-16243] A new page has been added to the UI to display system notifications (such as health alerts).

  • A new icon has been added to the top right of the user interface, to the left of the user icon, for notifications.

  • The icon will show a small blue dot when there are alerts to view.

  • The blue dot will remain until alerts have been viewed. Users are encouraged to clear out alerts that are no longer relevant.

6.14.4 MACHINE LEARNING UI IMPROVEMENTS

  • [BCD-16264] The Learning UI pages have received several improvements. These changes should greatly reduce the time it takes for users to retrain and deploy new classifiers.

    • The Evolve Classifiers page has an improved look and feel.

      • Classifier statistics are now displayed in a sortable table.

      • Classifier statistics are passively collected by the system on a periodic basis. When the page is loaded, stats will already be ready to display without requiring lengthy database queries. Separate stats are pulled for a few time ranges.

      • The time the stats were last pulled is displayed in the table.

    • The Evolve Classifiers page provides several new actions per classifier.

      • Update Stats: Re-generate the summary statistics for the given classifier.

      • View Threshold: Display recent results for the classifier plotted against the classifier threshold, and view the potential effect of changing the threshold. Also provides a pivot to the configuration to update thresholds.

      • Trust All New Files: Labels all files that have been flagged by the classifier as Benign. This applies only for the purposes of retrains and does not update the status of events. This operation is much faster to complete than a bulk event status update.

      • To support the previous option, all files flagged by Hector are now added to the retrain library with classification ‘unknown’ at the time they are flagged.

      • Force Retrain: Kick off a retrain for the classifier even if the ‘Recommended’ file count to retrain is not met. The ‘Required’ counts from previous releases are unchanged but have been renamed to ‘Recommended’ counts. There is no minimum file count to force a retrain.

  • The Library page has also been improved with two new tables.

    • The ‘Filetypes Currently in Library’ table shows the number of benign and malicious samples in the library per filetype. Users can delete samples by label and filetype.

    • The ‘Existing Library Content’ table lists every file in the retrain library with its hash and classification.

      • Users can search the table by file type, hash, date, or classification.

      • Users can download or delete samples from the table.

  • The ‘Deploy’ page has received two new options

    • ‘Deploy All Candidates’: Deploys all classifiers that have been retrained and are awaiting review

    • ‘Retrain History’: Displays the last date of retrain for each classifier that has been retrained.

6.14.5 ARTIFACT STORE USER EXPERIENCE

• [BCD-16385, BCD-18781] Improved the user experience when using the Artifact Store in the UI (uploading Zeek scripts, etc.). These changes are targeted at making the Artifact Store more flexible and intuitive. In general it should be easier to understand what content will be loaded on a given system and avoid conflicts.

  • Each repo (Zeek, Suricata, etc) now has an option to disable syncing from upstream. This can be used for example to prevent the Central Manager from pushing content to a particular repo on a particular collector if unique local configuration is needed.

  • When syncing from upstream, each repo will still pull in all files the upstream possesses, and will still respect the enabled/disabled status from the upstream.

  • In general, multiple files with the same filename are allowed per repo, but the system will try to prevent more than one file with the same filename from being active at a time.

  • Users can now enable/disable Artifacts regardless of their source. In the previous release, disabling Artifacts from the portal had been disabled.

  • Content can now be sorted by Filename, Active, Source, and Last Modified date.

6.14.6 NEW API DOCS

• [BCD-19401] The API Documentation for ATD has been overhauled.

  • Many previously undocumented endpoints are now shown.

  • Parameters, options, and results are in general much more completely documented.

6.14.7 FEATURE DEPRECATIONS

• [BCD-19521] Two containers were removed from BAH to rapidly address Log4j related vulnerabilities. Several features have been removed from 4.2 due to this change:

  • Carbonblack Endpoint Integration

  • Opentaxii Integration

Enhancements

6.14.8 USER INTERFACE

ATD GUI:

  • [BCD-11049] PinPoint can now group events by CIDR block. Entering ‘src/16’ or ‘dest/24’, for example, will yield results grouped by each set of IPs within the same range. Clicking on a subnet in the results will expand to show all individual IPs present.
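The CIDR grouping described for PinPoint, modelled in Python as an added example (not BluVector's own implementation): a ‘src/16’ or ‘dest/24’ spec is parsed and events are bucketed into the containing network, with the individual IPs kept for expansion. The event layout (a ‘meta’ object with ‘src’ and ‘dest’ keys) and the sample events are assumptions.

```python
"""Added example (not part of the BluVector release notes or product code):
grouping event source or destination IPs by CIDR block in the way the
PinPoint 'src/16' / 'dest/24' syntax is described above."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Mapping, Tuple

# Field names under the event 'meta' object are an assumption, taken from
# the meta.src / meta.dest names used elsewhere in these notes.
GROUPABLE_FIELDS = ("src", "dest")


def parse_group_spec(spec: str) -> Tuple[str, int]:
    """Turn 'src/16' into ('src', 16); reject anything else."""
    field, sep, prefix = spec.partition("/")
    if not sep or field not in GROUPABLE_FIELDS:
        raise ValueError(f"unsupported PinPoint group spec: {spec!r}")
    try:
        bits = int(prefix)
    except ValueError:
        raise ValueError(f"prefix length must be an integer: {spec!r}") from None
    if not 0 <= bits <= 128:
        raise ValueError(f"prefix length out of range: {spec!r}")
    return field, bits


def group_by_cidr(events: Iterable[Mapping], spec: str) -> Dict[str, List[str]]:
    """Group events by the /N network containing the chosen address field.

    Returns {network: [unique IPs in numeric order]}, mirroring a collapsed
    subnet row that expands to show the individual IPs present.
    """
    field, bits = parse_group_spec(spec)
    buckets: Dict[str, set] = defaultdict(set)
    for event in events:
        addr = ipaddress.ip_address(event["meta"][field])
        # strict=False masks the host bits, so 10.1.2.3/16 becomes 10.1.0.0/16.
        # A prefix longer than the address family allows raises ValueError here.
        network = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
        buckets[str(network)].add(addr)

    def net_order(item):
        # Sort IPv4 before IPv6, then numerically; never compare across families.
        net = ipaddress.ip_network(item[0])
        return (net.version, net)

    return {
        net: [str(ip) for ip in sorted(ips)]
        for net, ips in sorted(buckets.items(), key=net_order)
    }


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": "ev-1", "meta": {"src": "10.1.2.3", "dest": "203.0.113.7"}},
    {"id": "ev-2", "meta": {"src": "10.1.9.9", "dest": "203.0.113.8"}},
    {"id": "ev-3", "meta": {"src": "10.2.0.1", "dest": "198.51.100.20"}},
    {"id": "ev-4", "meta": {"src": "10.1.2.3", "dest": "203.0.113.200"}},
]

if __name__ == "__main__":
    for spec in ("src/16", "dest/24"):
        for net, ips in group_by_cidr(SAMPLE_EVENTS, spec).items():
            print(f"{spec}: {net} -> {', '.join(ips)}")
```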

  • [BCD-16704] Multiple rows of PinPoint results can now be control-clicked and queried for as a group.

  • [BCD-16717] Suricata rule details are now loaded when the Event View is loaded without the user having to click the ‘Rule Detail’ and ‘Rule Threshold’ buttons.

  • [BCD-16718] Previous Zeek searches can now be deleted.

  • [BCD-17237] More fields in the event metadata can now be added as columns in the event table. When editing the columns, more options are available, but other fields can be typed in as well.

  • [BCD-17284] The ‘Submit to BV Key’ config field has been renamed to ‘BluVector API Key’.

  • [BCD-17391] Improved the event table. The double scroll bar has been reduced to a single one with a sticky header. Improved style and sizing.

  • [BCD-17462] The Central Manager UI will now display Collector hostnames in the event table using the ‘meta.collector’ field rather than the uuid. This improves load times. Events generated before 4.2 will not have their ‘Collector’ displayed in the event table as they do not have the new field, but all new events will.

  • [BCD-18553] Collector names are now displayed in alphabetical order in configuration dropdowns.

  • [BCD-18554] Events can now be searched for by event id using the syntax id == "event_id"

  • [BCD-18645] The ATH Forwarding output now allows users to configure which Zeek logs are forwarded to ATH from the UI.

  • [BCD-19148, BCD-19149] The Lastline sandbox post-analyzer has been removed.

  • [BCD-19369] The dashboard now more gracefully renders when no ThreatVectors are enabled.

  • [BCD-19813] The ‘Collector’ field is now displayed in the Event View below existing host/IP metadata.

  • [BCD-19817] Added text to PinPoint clarifying the effect archives have on apparent event counts.

BAH Cockpit:

  • [BCD-16276] License files can now be uploaded to the BAH User Interface on the ‘License’ page.

  • [BCD-18824] The bv-join page is now more performant when large numbers of collectors are joined (more than 5).

6.14.9 DATAFLOW

  • [BCD-10080] Added a new config endpoint for the Central Manager that returns whether any collector or the CM is currently deploying configuration.

  • [BCD-17076] Implemented a configurable Time to Live to Intelligence feeds. Pulled indicators will expire after this time, which can be configured per Intel Feed. The default is 30 days.

  • [BCD-17159] Implemented an allowlist for Intelligence feeds. Users can enter hashes, IPs, or hostnames in the Intelligence ‘General’ tab. Any event matching the allowlist will be ignored by Intelligence feeds.

  • [BCD-17284] The ‘Submit to BV key’ has been renamed to ‘BluVector API key’. This is the key on the System / Management tab in the configuration. This change only affects how the key is displayed in the UI.

  • [BCD-17463] The hostname of a sensor is now added to the event metadata for any events generated by the sensor. This is relevant for outputs. For example, if many collectors are individually forwarding to a SIEM, the ‘meta.collector’ field can now be used to identify the configured hostname of originating sensors, rather than only the uuid. This field is blank if the hostname has not been defined.

  • [BCD-17491] The NEMA analyzer will no longer set events to suspicious by default. It will still analyze files and fileless content, and ‘flag’ content as before, but content flagged by NEMA alone will not result in a suspicious status. This behavior can be re-enabled in the NEMA configuration.

  • [BCD-18354] The ATH Forwarding output no longer can be used to forward to ATH 0.1 instances. This change is relevant to the encryption and authentication.

  • [BCD-18646, BCD-18647] The ATH Forwarding output now allows users to forward the Zeek long connections log. The log will be forwarded if the Zeek long connections script has been loaded.

  • [BCD-19326] A new Zeek script has been added to the BluVector portal to support long connections. The script will be downloaded by any sensor that connects to the portal or runs an offline content bundle. The script will be disabled by default. This is the first time BluVector is pushing Zeek scripts through the portal.

  • [BCD-19362] Detection Telemetry is now always submitted regardless of whether new data is available. Previously telemetry would not be submitted if applicable values had not been updated.

6.14.10 PLATFORM

  • [BCD-16284] The Central Manager can now be deployed to Azure. Contact the BluVector Customer Success team for information on delivery and versioning.

  • [BCD-16948] Tcpreplay is now installed in the ingest container.

  • [BCD-17348] A number of auxiliary containers have now been given memory limits (typically 5Gb). This applies to containers whose usage is generally much lower than this; the limit is intended to prevent future edge cases where a malfunctioning container could consume an excessive amount of memory and jeopardize the health of the system.

  • [BCD-17544] The ‘Startup’ directory in various containers (/var/bluvector/startup) is now copied into support bundles when they are generated.

  • [BCD-17711] Updated Suricata from version 5.0.2 to version 5.0.6.

  • [BCD-18361] Added new bvshell commands to access the following containers: opentaxii, bv-gui, artifactstorage, artifact-storage-celery, bv-gui-celery, hostinfo, bv-intel, redis, telegraf, influxdb, postgresql, cockpit

  • [BCD-18817] Reduced the interval for the cron job which restarts crashed Zeek processes from 5 minutes to 2 minutes.

  • [BCD-18818] The syslog service in the sensor and ingest containers now attempts to deduplicate. When multiple messages with the exact same text, source, service, and pid are sent to syslog in a row, after the first message is written, all subsequent message are rolled into a single message with the count of repeats. This is printed the first time a non-matching message is received.
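The deduplication rule described in BCD-18818, modelled in Python as an added example (not BluVector's own syslog implementation): consecutive messages with identical text, source, service and pid are suppressed and a single roll-up line with the repeat count is written when the first non-matching message arrives. The roll-up line format ‘last message repeated N times’, the end-of-input flush and the sample messages are assumptions.

```python
"""Added example (not BluVector code): a model of the syslog deduplication
described above for the sensor and ingest containers."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SyslogMessage:
    source: str   # originating host or container
    service: str  # program name
    pid: int
    text: str

    def key(self) -> Tuple[str, str, int, str]:
        # All four fields must match exactly for a message to count as a repeat.
        return (self.source, self.service, self.pid, self.text)

    def render(self) -> str:
        return f"{self.source} {self.service}[{self.pid}]: {self.text}"


def deduplicate(messages: Iterable[SyslogMessage]) -> List[str]:
    """Collapse consecutive identical messages into one line plus a repeat count."""
    out: List[str] = []
    last: Optional[SyslogMessage] = None
    repeats = 0

    def flush() -> None:
        # Emit the roll-up line for suppressed repeats of `last`, if any.
        nonlocal repeats
        if last is not None and repeats:
            unit = "time" if repeats == 1 else "times"
            out.append(
                f"{last.source} {last.service}[{last.pid}]: "
                f"last message repeated {repeats} {unit}"
            )
        repeats = 0

    for msg in messages:
        if last is not None and msg.key() == last.key():
            repeats += 1      # suppress the line; only the count is remembered
            continue
        flush()               # first non-matching message prints the roll-up
        out.append(msg.render())
        last = msg
    flush()  # assumption: pending repeats are also written at end of input
    return out


# Constructed sample messages, not real sensor output.
SAMPLE_MESSAGES = [
    SyslogMessage("sensor01", "zeek", 4242, "connection table full"),
    SyslogMessage("sensor01", "zeek", 4242, "connection table full"),
    SyslogMessage("sensor01", "zeek", 4242, "connection table full"),
    # Same text but a different pid: not a repeat, so it is written in full.
    SyslogMessage("sensor01", "zeek", 4243, "connection table full"),
    SyslogMessage("sensor01", "bv-cfg", 17, "configuration deployed"),
    SyslogMessage("sensor01", "bv-cfg", 17, "configuration deployed"),
]

if __name__ == "__main__":
    for line in deduplicate(SAMPLE_MESSAGES):
        print(line)
```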

  • [BCD-18857, BCD-19331] Various packages have been updated in accordance with vulnerability scan findings.

  • [BCD-18880] Reduced the size of the bv-gui container image.

6.14.11 DETECTION & LEARNING

  • [BCD-16261] The following filetypes have received re-trained Hector models:

    • APK (data.archive.zip.apk)

    • PDF (data.pdf)

    • Word Documents (data.archive.ooxml.word)

    • Powershell (code.script.ps1)

    • PE32 console files (code.pe32.console)

    • PE32+ dll console files (code.pe32+.dll.console)

    • PE32 dll console files (code.pe32.dll.console)

    • PE32 gui files (code.pe32.gui)

  • [BCD-17610] Added support for a new filetype to Hector - Android App Bundle (AAB).

  • [BCD-17960] Added support for two new subtypes of elf files: Renesas SH and Motorola m68k

    • These subtypes are denoted by unique libmagic strings.

    • The new filetypes were defined within ATD because enough unique malware samples have been discovered for each to warrant distinct classifiers.

  • [BCD-18782] Increased the resources allocated to the APK parser.

Bug Fixes

  • [BCD-16537] Collectors are now removed from the OS-level ‘Known Hosts’ file when unjoined. This prevents issues related to rejoining different collectors with the same hostname.

  • [BCD-16703] Fixed an issue where file status changes could display incorrectly if you rapidly close a file card and open another one.

  • [BCD-17059] Fixed an issue preventing Intel signatures from being loaded by Zeek.

  • [BCD-17318] Fixed an issue with the Hector Filetyper where certain Powershell samples were misclassified and received the wrong analysis.

  • [BCD-17347] The default memory limits for the ingest and sensor containers have been updated. The ingest limit on the Dell R440 SKU has been fixed (it was 0). The ingest limit on the Dell FX-2 SKU has been set to 225 Gb.

  • [BCD-17670] Fixed an issue preventing user sessions from properly timing out.

  • [BCD-18117] When a collector is removed from the bv-join page, subsequent collectors are no longer automatically checked.

  • [BCD-18268] Fixed an issue where the user preference for default query time range was not being respected.

  • [BCD-18295] Users can no longer inadvertently enter proxy hostnames with spaces, which caused issues.

  • [BCD-18299] Fixed an issue with ingest interface mapping on the Dell R440 SKU.

  • [BCD-18351] Fixed an issue preventing BAH admins from updating timezones in cockpit.

  • [BCD-18431] Fixed an issue where the graph showing filetypes from a host (in the Event View) could crash the page.

  • [BCD-18548] Reduced risk of startup issues by changing the sensor container’s startup behavior. Now it does not trigger multiple reach outs to the configuration unless necessary.

  • [BCD-18648] Restoring defaults on the ATH Forwarding output did not remove the Kafka forwarder for events; this is fixed.

  • [BCD-18742] Fixed an issue preventing artifacts such as Zeek scripts from being downloaded from the UI.

  • [BCD-18887] Fixed an issue with formatting events downloaded as CSV.

  • [BCD-19036] The permissions for the Lead Analyst role have been fixed. Several features, particularly within the configuration, were visible to them but not functioning properly or were not visible.

  • [BCD-19279] Prevented the Event Card from displaying the Submit to BluVector widget even when no API key is configured.

  • [BCD-19393] Fixed an issue where the ATH Forwarding Zeek Kafka script could cause Zeek to crash.

  • [BCD-19589] Fixed an issue where a single configuration change in a list could appear as duplicate changes in the configuration diff viewer.

6.15 Release 4.1.2

  • [BCD-18178] Expanded the ATH Zeek log forwarder to include additional log types. The full list below includes all the Zeek log types that are now forwarded:

    • conn.log

    • dns.log

    • files.log

    • http.log

    • kerberos.log

    • notice.log

    • rdp.log

    • ssh.log

    • ssl.log

  • [BCD-18179] Included a tenant name as an identifier in the forwarded ATD Events and Zeek logs to support ATH deployments in multi-tenant environments.

  • [BCD-18236, BCD-18312] Fixed an issue and improved the exec scripts in the Offline Update Bundle to maintain the artifacts downloaded from the BluVector Portal when the status of the artifact is inactive.

  • [BCD-18343] Included the BluVector MLE data artifacts (Hector bundle) in the Daily Offline Content Updates artifact to allow the ML engine in a ‘new’ or ‘fresh install’ BluVector ATD Central Manager to start and operate.

  • [BCD-18393] Improved the user experience of artifacts downloaded daily from the BluVector Portal (ex. signatures, rules) by disabling icons that provide the capability to enable / disable or delete individual artifacts.

  • [BCD-18315] Fixed an issue with the Zeek log search page to show zeek logs for the most recent events generated by the system.

  • [BCD-18344] Fixed extra space shown in the alert text for notifying user about configuration lock when configuration changes are made.

6.16 Release 4.1.1

  • [BCD-18031] Multiple components in the platform have been upgraded to later versions.

  • [BCD-18053] Disabled swap partition to avoid performance issues and eventual out-of-memory conditions leading to arbitrary process information.

  • [BCD-18090] Added the ability to combine all Yara-rule names related to an event to be sent via the Output key-maps to external systems like SIEM.

  • [BCD-18118] Added CLI permissions, including admin user’s sudo access to perform functions such as system shutdown/restart, software update, set proxies and join Active Directory domain.

  • [BCD-18121] Improved functionality for supporting Department of Defense (DoD) PKI Authentication, allowing DoD customer users to use their current CAC cards for 2nd factor authentication to access BluVector ATD Collectors and Central Manager.

  • [BCD-17900] Fixed an issue with the Yara analyzer not generating events.

  • [BCD-18039] Fixed an issue with Artifact Store that prevented the user’s ability to successfully upgrade from ATD version 4.0.0 to the latest (ATD 4.1.1).

  • [BCD-18044, BCD-17347] Fixed an issue that was preventing ingest memory limits from taking effect on lower data rate sensors. Also modified the ingest memory limit on the Central Manager to match system manufactured specifications.

  • [BCD-18071] Fixed an issue with the Test Connectivity button for the MISP intel data source.

  • [BCD-18095] Fixed an issue with the Download Support Bundle page throwing an error when the user selects Download Support Bundle immediately upon bundle creation.


6.17 Release 4.1.0

6.17.1 SMART CARD SUPPORT

• [BCD-16282] New feature supporting Department of Defense (DoD) PKI and other smart card-based authentication, allowing users to use their smart cards (including DoD CAC) for 2nd factor authentication to access BluVector ATD Collectors and Central Manager.

6.17.2 LEAD ANALYST USER ROLE

• [BCD-16280] Created a new user role called Lead Analyst that allows users to perform advanced systems management and specific configuration.

  • Lead Analyst has the ability to:

    • Enable / disable and modify Suricata Rules

    • Create, read, update, and delete Yara Rules (Yara Rules Management)

    • Perform ClamAV Signature Management

    • Access the Insitu Learning Library, and train and deploy Machine Learning Engine classifiers

    • Change configuration settings for Analyzers, Collectors, and the current Workflow

  • Lead Analyst does not have the ability to change system state, such as change System Certificates, Outputs, Post-Analyzer configuration, or join / un-join Collectors to the Central Manager.

Enhancements

6.17.3 USER INTERFACE

• [BCD-16922] For AlienVault intelligence integration, added a configurable look-back period for pulling signatures.

6.17.4 PLATFORM

  • [BCD-17356] Updated the version of Apache web server in the Sensor container to v2.4.35

  • [BCD-17584] Added common utilities (vim, less, pql) to the platform BV-GUI container.

Bug Fixes

  • [BCD-17559] Fixed potential race condition with Artifact Storage writes of large files.

  • [BCD-17627] Fixed an issue with the Events Query API endpoint to return results when searching by Source (meta.src) or Destination IP (meta.dest).

6.18 Release 4.0.0

6.18.1 ARTIFACT STORAGE UPGRADE

• [BCD-13403] The Artifact Storage system in ATD has received a major refactor, altering it from a repository to a database to meet evolved requirements and bringing several benefits to users.

    • Configuration deployment times have been reduced, in some cases by 30 seconds or more.

    • Syncing content from the BluVector Portal will now generally be faster, especially if a significant time has passed since the last Portal sync.

    • Files uploaded to a CM are now shared with joined Collectors immediately. Previously, files would not be pushed to collectors until the next time the configuration was deployed or the collector performed its daily pull.

      • Users can now set content as Active or Inactive. Inactive content will not be loaded by relevant processes, but will be tracked and can be re-activated at any time. Previously, content could only be deactivated by being deleted, and re-activated by being re-uploaded.

      • Content can be activated or deactivated across all collectors by a CM, or on individual collectors.

      • When a change is made on a particular collector, subsequent changes to the same file from the CM will not automatically be pushed.

      • When a push from the CM is manually triggered, all local changes to affected files on collectors will be overridden.

    • Users can now upload tarballs containing Zeek scripts. The contents of the tarball will be extracted and loaded by Zeek, and their relative paths will be preserved. Previously, scripts had to be uploaded one-at-a-time.

      • Additionally, some Zeek configuration files are now exposed through the Artifact Store, including networks.cfg.

    • Metadata or paths for uploaded files can now be edited. For example, Yara rules can be moved from one category to another (from ‘all’ to ‘pdfs’).

    • Users can now upload multiple files with the same filename and selectively activate them. Previously, the system would attempt to automatically merge files with the same name.

    • The BluVector Atomic Host (BAH) ISO will no longer include copies of the latest Hector models, ClamAV signatures, Suricata signatures, GeoLocation data, or File Reputation data. Newly installed ATD instances, including virtual machines, will not be able to use these features until they either sync from the BluVector Portal or run the latest Offline Content Bundle (downloaded from the portal). When software updates are performed on an existing ATD instance, new data from these categories will not be applied until the instance syncs with the Portal or runs the latest Offline Content bundle. This change primarily affects Hector and Insitu, where previously we relied solely on software updates to deliver changes.

    • BAH software updates (including 4.0) will generally download faster and will initialize more quickly after reboots.

    • [BCD-12781] Offline Content bundles provided by the Portal now include all Artifact Store content.

      • Suricata signatures

      • File Reputation

      • ClamAV signatures

      • Hector classifiers

      • Insitu Data

      • Zeek scripts

      • Yara rules


    • Daily Offline Content bundles provide signature updates.

    • Quarterly Offline Content bundles provide the latest classifiers and Insitu data.

6.18.2 ATH INTEGRATION

  • [BCD-15215] Added a new output type to ATD, called “ATH Output”. This allows users to configure Event and Zeek log outputs from a BluVector ATD instance to a BluVector ATH instance using a single configuration view.

    • Deploying an ATH Output creates both a Kafka Output (for events) and a Zeek-Kafka-Plugin Script, then deploys them.

    • The derived Kafka Output instance is an instance of the existing Kafka Output type, but is hidden from the UI for clarity. All ATH Forwarding is intended to be managed from the ATH Output view.

    • Several configuration values used for the Kafka Output and Zeek-Kafka-Plugin Script can be edited from the terminal using bv-cfg. These include the default routing criteria for event forwarding (which is (suricata != None and suricata == exists(true)) or status >= "suspicious"), and the default list of Zeek logs to forward (which is http, conn, rdp, notice, dns, krb, and ssh).

    • The derived Zeek-Kafka-Plugin Script is committed to the Artifact Store and deployed by Zeek.

    • For more guidance on this feature, please refer to Feature Brief: ATD to ATH Data Forwarding.

  • [BCD-15215] Made several related improvements to Kafka Event Outputs. These changes affect all Kafka Event Outputs.

    • Kafka Event Outputs now support routing criteria, which can be edited from the Configuration.

    • Kafka Event Outputs can now be encrypted using TLS 1.2.

      • Users can configure encryption by providing either a certificate file and key, or a password.

        • If a certificate with key and password are both provided, the certificate will be used.

      • TLS Verification of the destination’s hostname can be optionally skipped.

    • Kafka Outputs can now be configured with keymaps. Previously, they used a pre-defined hard-coded keymap.

6.18.3 AUDIT LOGGING IMPROVEMENTS

• [BCD-15227] Added several types of new audit logging to ATH. These logs are written to a dedicated audit logging volume, which can be mounted by custom containers for forwarding.

  • Configuration changes made by users are logged to sensor:/var/log/bv-audit/config_changes.log.

  • Artifact Store changes made by users are logged to sensor:/var/log/bv-audit/bv-audit.log.

  • Event Status changes made by users are logged to sensor:/var/log/bv-audit/bv-audit.log.

  • User Logins and Logouts from the Application Interface (port 443) are logged to sensor:/var/log/bv-audit/bv-audit.log.

  • For more guidance on using these new logs, please refer to Feature Brief: ATD Audit Logging in 4.0.

Enhancements

6.18.4 USER INTERFACE

ATD GUI:

  • [BCD-7957] Socket Outputs (TCP/UDP) now have a Test Connectivity button in the UI.

    • For TCP Outputs, the test connectivity button tries to establish a connection to the host and port specified.

    • For UDP Outputs, the test connectivity button checks whether the given port is open for UDP on the given host.

  • [BCD-13986] The Learning page now loads in batches. Total load time is also reduced.

  • [BCD-14055] Removed the time-range selector and query bar from Pinpoint. Pinpoint will now always use the time range and query bar located above the Event Table.

  • [BCD-14618] The Suricata Signature ID can now be selected as an optional column in the Event Table.

  • [BCD-14744] The maximum size of pcaps or files uploaded for analysis has been increased from 2GB to 4GB.

  • [BCD-15949] Improved the display of Hunt Scores in the Event View.

BAH Cockpit:

  • [BCD-7382] The Support Bundles page now displays when a bundle has been successfully uploaded to the Portal.

  • [BCD-13589] Collectors in degraded or unknown state can now be Force Removed from the BV Join page in the BAH Cockpit.

    • To use the normal remove option, all selected collectors must be ‘joined’ or ‘ready’.

    • To use the Force Remove option, all selected collectors must be ‘degraded’ or ‘unknown’.

  • [BCD-15074] Renamed the “Entitlement” certificate to the “License” throughout the product.

  • [BCD-15409] The ‘Rollback’ button has been removed from BAH.

    • Rollbacks have never been supported; removing the button will prevent unintended attempts.

6.18.5 DATAFLOW

  • [BCD-14058] ATD can now consume MISP event attributes as indicators of compromise. This can be accessed under the ‘Intel’ tab in the Configuration.

  • [BCD-14070] The Intelligence framework has been upgraded to STIX version 2.0 for consuming STIX messages.

6.18.6 PLATFORM

  • [BCD-13708] Administrator Users can now run the ‘traceroute’, ‘tcptraceroute’, and ‘lsof’ commands from the terminal by using sudo.

  • [BCD-15512] Admin users can now execute exec-bundles from the CLI.

      • Exec-bundles run from the CLI will be run with the admin user’s permissions.

      • Therefore, exec-bundles intended for CLI usage must use sudo for all docker commands.

  • [BCD-15772] Zeek has been upgraded to version 3.2.4.


6.18.7 DETECTION & LEARNING

  • The following filetypes have received re-trained Hector models:

    • DMG

    • JAR

    • MSI

    • PS1

    • XLS

    • XLSX

  • [BCD-14038] The ClamAV analyzer can now run multiple instances in parallel.

  • [BCD-14451] The Yara Analyzer has been updated to version 4.0.2, from Yara 3.11.0.

  • [BCD-14481] Improved filetyping of potential Javascript code.

Bug Fixes

  • [BCD-13229] Fixed a bug that could result in inaccurate error codes generated after submissions to DMAC.

  • [BCD-14501] Targeted logger now opens to the log entry with the closest timestamp to the event time, even if the Zeek log type does not include the common uid.

  • [BCD-14599] Fixed a bug preventing the User Interface from using wildcard ssl certificates.

  • [BCD-14623] Fixed a bug reverting the size of the Threat Vectors dashboard widget after a user re-sizes it.

  • [BCD-15305] Fixed a bug allowing non-authenticated users to view some metadata related to the BluVector Portal.

  • [BCD-15399, BCD-15400, BCD-15787, BCD-16348] The User Interface now searches for email headers in Files rather than Events. Previously, email headers were associated with Event metadata. In a previous release, we made it possible to parse EML objects as files. In 4.0, the following user interface components now parse headers from File metadata:

    • Threat Vectors

    • File Details (Moved from Event Details)

    • Email Related Dashboard Widgets

    • Default Keymaps

  • [BCD-15942] Clicking the version number on the bottom of the UI will now load the release notes as intended.

  • [BCD-16064] Colons can now be used in the names of saved Zeek Log Searches.

  • [BCD-16567] Fixed a bug that could result in dashboard widgets with links pivoting to too many or too few events.

6.19 Release 3.10.1

6.19.1 PLATFORM

• [BCD-14641] Improved overall platform security to meet customer specific requirements.

Bug Fixes

  • [BCD-15341] Fixed an issue with Artifact Store sync errors if entitlement is missing.

  • [BCD-15866] Fixed an issue when Docker service fails to restart on fresh installs of software release.

6.20 Release 3.10.0

6.20.1 IP COUNTRY GEOLOCATION INFORMATION

  • [BCD-13152] This feature tracks registered IP Geolocation information for both the source and destination IPs of events generated from the system. The location information is displayed in the Event Viewer as a country map icon, which you can hover over to display a tooltip with the country name. The country code is stored in the event database and can be reported upon, allowing forensic investigations based on country of origin.

  • IP Geolocation data is useful for event and activity analysis in the following ways:

    • Aids in quick visualization of separate events to determine if a campaign is occurring and if it is originating from a single country.

    • Helps determine if C2 servers are similarly geolocated and may represent state-sponsored activity.

    • Allows an analyst to visualize the spectrum of an attack that is originating in separate geolocations.

  • A new dashboard widget is available for displaying geolocation data on a world map, for either source or destination IPs.

  • A new configuration page located at Configuration >> Analyzers >> GeoLocation allows you to:

    • Enable / disable GeoLocation data

    • Configure the number of days between updates of the geolocation data

    • Set the number of missed updates before the database is considered stale

Enhancements

6.20.2 DETECTION & LEARNING

  • [BCD-13018] Updated hURI analyzer to ignore bluvector.api.upload (the hostname applied by the system when uploading files to the system for analysis)

  • [BCD-13162, BCD-13623, BCD-14024] Added new classifiers to Hector for PDF, XLSX, DOCX, and VBS

  • [BCD-13349] Improved detection accuracy of the NEMA-ML model

  • [BCD-14022] The BluVector MLE classifier for DMG file type is now disabled by default


6.20.3 USER INTERFACE / USER EXPERIENCE IMPROVEMENTS

  • [BCD-6899] Updated the Timestamp column in Correlated Events view section to include the timezone

  • [BCD-6899] Improved the Score column in event correlation to improve alignment and readability

  • [BCD-7331] Added support in the PinPoint feature to allow easier creation of Pivot Tables in Excel

  • [BCD-7485] Improved the display of File Reputation data

  • [BCD-11573, BCD-13658] Added a header to dashboard widgets to support moving a widget, which then allows text selection within the widget body

  • [BCD-11793] Added an Expand All option to the Pinpoint view within Threat Vectors

  • [BCD-11945] Added a direct link to Threat Vectors from the sidebar menu

  • [BCD-13002] Improved the user creation process

  • [BCD-13017] Added a refresh of the content after exporting Hector classifiers

  • [BCD-13043] Improved the logo transition appearance when expanding the sidebar

  • [BCD-13404] Added an optional staging_key parameter when submitting a POST API request to /api/config/edit

  • [BCD-13487] Improved handling of certain error pages involving nginx

  • [BCD-13656] Added a new widget to the existing, default Overview dashboard to display statistics regarding Novel Malware events

    • The Novel Malware events are triggered by the Machine Learning Engine or the Speculative Code Execution engine.

    • Existing users will not automatically see the widget if they logged in prior to a 3.10.0 upgrade, but newly created users in 3.10.0 will see it.

  • [BCD-13690] Added the ability to type in Datetime fields

  • [BCD-13765] Improved the color in dark mode for text input boxes in correlated events

  • [BCD-13981] Improved GUI password reset enforcement when configured in BAH

6.20.4 DATAFLOW IMPROVEMENTS

  • [BCD-12871] Added a new analytic offline update bundle for Zeek, Yara, File Reputation, Classifier, Insitu, and Suricata. Bundles are updated quarterly. Contact BluVector Support for more information.

6.20.5 PLATFORM

  • [BCD-10029] Updated ISO install to use new logo

  • [BCD-13232] Added Ripple20 vulnerability detection to Zeek Scripts

  • [BCD-13295] Added FQDN to Alerts metrics

  • [BCD-13595] Removed Zeek GQUIC plugin which was causing an issue on some sensors

6.20.6 GENERAL

  • [BCD-6797] Improved the speed of Hector filetyper

  • [BCD-13615] Increased open file limit for Kafka plugin

Bug Fixes

  • [BCD-6073] Fixed an issue where an Analysis summary was displayed when the HostInfo Analyzer was enabled

  • [BCD-7375] Fixed an issue with Privileged Groups accepting an empty string

  • [BCD-13147] Fixed an Extractor error issue affecting bz2 and gzip archive decompression

  • [BCD-13390] Corrected HTTP response code when missing a required parameter in some Artifact Storage API calls

  • [BCD-13448] Fixed an issue with inclusion of the “current” folder in Zeek queries based on particular time windows for the query

  • [BCD-13449] Fixed an Evolve Classifiers timeout issue

  • [BCD-13574] Fixed an issue with some existing users not able to login after the software update from 3.8.2 to 3.9.0

  • [BCD-13615] Fixed an issue where Zeek could not run with a Kafka plugin for certain configurations

  • [BCD-13627] Fixed an issue where Base64 encoded values were seen for IOCHunter and NEMA metadata

  • [BCD-13642] Fixed an issue with event forwarding that can occur when configured to include Hunt Scores as part of the event metadata

  • [BCD-13839] Fixed an issue with the ThreatVector view showing mixed status for single events

  • [BCD-13984] Fixed an issue where a Status Code 400 Warning Banner would appear when scrolling to the end of the Hexdump tab of File Details -> Results

6.21 Release 3.9.0

6.21.1 DETECTION TELEMETRY

  • [BCD-11402] Implemented two (2) Detection Data telemetry services from BluVector Sensors to BluVector Portal that are useful in improving future versions of the system.

  • Detection telemetry service collects detection telemetry data from each event in the BluVector sensor / collector for transmission to BluVector portal.

  • Adjudication telemetry service collects adjudication telemetry data from events adjudicated in the BluVector sensor / collector for transmission to BluVector portal.

  • New configuration pages to enable / disable Detection Data telemetry services and configuration of service parameters. The new configuration pages can be accessed from:

  • Configuration >> Portal >> Telemetry >> Detection

  • Configuration >> Portal >> Telemetry >> Adjudication

  • Detection Data telemetry services are enabled by default, can be easily disabled if needed.

  • Telemetry data is sent as a JSON blob over a TLS-secured channel.

  • File content extracted by BluVector from the network session is not shared back to BluVector Portal.

6.21.2 SPECULATIVE CODE EXECUTION (NEMA-ML)

  • [BCD-11845] Implemented a new approach to detecting suspicious / malicious JavaScript from the network stream.

  • The new approach combines static detection and dynamic detection with machine learning techniques, to analyze and extract script features, and uses machine learning to classify the scripts. This technique has the characteristics of high detection rate, low false positive rate and the detection of unknown attacks.

  • Implemented configuration options in Configuration >> Analyzers >> NEMA to configure threshold on which NEMA-ML score should classify a JavaScript as suspicious along with the ability to adjust the Analysis Levels to select how much of the human-readable metadata to retain as part of the event.

6.21.3 ANALYTICS OFFLINE UPDATE BUNDLE

  • [BCD-11549] For customers with BluVector sensors in air-gapped networks, implemented the capability to download a package containing all the necessary content updates.

  • Analytics offline update bundles are generated daily and uploaded to BluVector Portal. The bundles are BluVector Advanced Threat Detection (ATD) product version specific.

  • The downloaded package can be moved to the air gapped network where the BluVector sensors are located based on customer’s operational policies.

  • Analytics offline updates currently include updates for ClamAV signatures and Suricata ETPro signatures.

  • Analytics offline updates with Suricata ETPro signatures require a separate entitlement / license and must be purchased along with the product.

6.21.4 SURICATA TUNING ASSISTANT FOR RULES / SIGNATURES

  • [BCD-12527] Implemented capability to get recommendations on which Suricata rules and/or (Signature, Source IP) pairs to suppress or disable in order to reduce noise from rules / signatures.

  • Tuning assistant analyzes alerts generated by Suricata on the signatures / rules over a user-defined tuning window.

  • The Tuning Assistant optimizes the trade-off between rule suppression and accepted noise reduction. Tuning assistant generates recommendations (Signature, Source IP) pairs to suppress or disable in order to reduce noise.

  • Recommendations are based on risk tolerance configured by the system administrator (Tuning Level - numerous pre-defined options are available along with a custom option).

  • Suricata Rules / Signature management administrators retain control over whether to accept or reject each individual recommendation.

  • Users can access Tuning Assistant from Configuration >> Collectors >> Suricata >> Tuning Assistant page.
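
The following is an added example, not BluVector's Tuning Assistant implementation, showing the shape of the analysis described above: count Suricata alerts per (signature, source IP) pair over a tuning window, apply a tolerance chosen by a tuning level, and emit recommendations that an administrator can accept or reject. The tuning levels, the "dominance" rule that decides between suppressing one pair and disabling a whole rule, the sample EVE JSON alerts, and the signature IDs and names are all constructed for illustration. The output uses Suricata's own threshold.config `suppress` syntax and disable.conf sid lines.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Hypothetical tuning levels (the product's own levels are not documented here):
# the fraction of all alerts in the window that one (signature, source IP) pair
# or one rule may account for before it is treated as noise.
TUNING_LEVELS = {"low": 0.50, "medium": 0.25, "high": 0.10}

# End of the tuning window used by the constructed sample below.
WINDOW_END = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"


def _alert(ts, src, sid, name):
    """One EVE JSON alert record in the shape Suricata writes to eve.json."""
    return json.dumps({"timestamp": ts.strftime(EVE_TS), "event_type": "alert",
                       "src_ip": src, "dest_ip": "10.0.0.9",
                       "alert": {"gid": 1, "signature_id": sid, "signature": name}})


def sample_eve_lines():
    """Constructed alerts (not real traffic; sids and names are made up):
    20 alerts inside a 7-day window, one stale alert and one flow record."""
    base = WINDOW_END - timedelta(hours=1)
    spec = ([("10.0.0.5", 9000001, "SAMPLE POLICY Noisy Inventory Tool")] * 10
            + [("10.0.0.6", 9000001, "SAMPLE POLICY Noisy Inventory Tool")]
            + [("10.0.0.%d" % n, 9000002, "SAMPLE INFO Self-Signed Cert") for n in range(11, 16)]
            + [("10.0.0.7", 9000003, "SAMPLE SCAN Inbound SQL Probe")] * 2
            + [("10.0.0.8", 9000003, "SAMPLE SCAN Inbound SQL Probe")]
            + [("10.0.0.20", 9000004, "SAMPLE ATTACK Shell Banner")])
    lines = [_alert(base + timedelta(seconds=i), src, sid, name)
             for i, (src, sid, name) in enumerate(spec)]
    # Outside the window and not an alert: both must be ignored by parse_alerts().
    lines.append(_alert(WINDOW_END - timedelta(days=30), "10.0.0.5", 9000001, "stale"))
    lines.append(json.dumps({"timestamp": base.strftime(EVE_TS), "event_type": "flow",
                             "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9"}))
    return lines


def parse_alerts(lines, window_end=WINDOW_END, window_days=7):
    """Return a (sid, src_ip) pair for each alert inside the tuning window."""
    start = window_end - timedelta(days=window_days)
    pairs = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        ts = datetime.strptime(rec["timestamp"], EVE_TS)
        if start <= ts <= window_end:
            pairs.append((rec["alert"]["signature_id"], rec["src_ip"]))
    return pairs


def recommend(pairs, level="medium", dominance=0.5):
    """Recommend (sid, src_ip) pairs to suppress and sids to disable.

    A rule whose share of all alerts reaches the tolerance is recommended for
    disabling only when no single source produces `dominance` or more of its
    alerts; otherwise the dominant pair is suppressed and the rule stays on.
    """
    tolerance = TUNING_LEVELS[level]
    total = len(pairs)
    if total == 0:
        return {"suppress": [], "disable": []}
    pair_counts = Counter(pairs)
    rule_counts = Counter(sid for sid, _ in pairs)
    top_source = {}  # sid -> alert count of its single noisiest source
    for (sid, _), n in pair_counts.items():
        top_source[sid] = max(top_source.get(sid, 0), n)
    disable = sorted(sid for sid, n in rule_counts.items()
                     if n / total >= tolerance and top_source[sid] / n < dominance)
    suppress = sorted(pair for pair, n in pair_counts.items()
                      if n / total >= tolerance and pair[0] not in disable)
    return {"suppress": suppress, "disable": disable}


def render(rec):
    """threshold.config 'suppress' lines, plus disable.conf sids as comments."""
    out = ["suppress gen_id 1, sig_id %d, track by_src, ip %s" % pair for pair in rec["suppress"]]
    out += ["# disable.conf: %d" % sid for sid in rec["disable"]]
    return out


if __name__ == "__main__":
    for level in TUNING_LEVELS:
        print(level)
        for line in render(recommend(parse_alerts(sample_eve_lines()), level)):
            print("  " + line)
```

With the constructed sample, "medium" suppresses the one host that generates half of all alerts for sid 9000001 while keeping that rule active, and recommends disabling sid 9000002 because its alerts are spread thinly across five sources. Raising the level to "high" additionally suppresses the (9000003, 10.0.0.7) pair. Recommendations are still only recommendations: review each suppress line before adding it to threshold.config, since a by_src suppression hides every future alert for that rule from that host.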

Enhancements

6.21.5 DETECTION & LEARNING

  • [BCD-12570] Implemented the ability to retain analyst / user file adjudications performed before classifier update to allow the samples to be used for classifier retrain.

  • [BCD-6289] Improved handling of archives containing embedded file(s) larger than 100MB.

  • [BCD-11252] Improved logging on service used by MLE Insitu functionality.

6.21.6 USER INTERFACE / USER EXPERIENCE IMPROVEMENTS

  • [BCD-7007] Added new Saved Query called Network Events - Malware, Exploit, Trojan to display Suricata events in the Events View. Query parameters are flags == "suricata" and analysis.suricata.result.signature == regex("MALWARE|EXPLOIT|TROJAN").

  • [BCD-7352] Updated the Events Grid user interface to display separate count of Notes entered by user for each File and Event.

  • [BCD-8212] Improved page load performance for events with Dynamic Malware Analysis (DMAC) post analyzer result by retrieving Processes information generated by the service on-demand from BluVector Portal.

  • [BCD-9779, BCD-11872] Implemented the ability to build new dashboard widgets with metrics related to Ingest performance for non-Napatech hardware. Users can add a new widget type called Ingest Metric. The Ingest Metric Widget provides measurements in a line chart of Total Bytes seen or a stacked bar chart of Bytes Processed and Bytes Dropped over configurable time range.

  • [BCD-10246] Updated BV Join page in BAH to display updated error message for non-administrative users.

  • [BCD-10526] Improved the hover tooltip on the dashboard widgets to display a single point of data rather than every point on the selected date.

  • [BCD-10775] Implemented ability to cancel a running Zeek/Bro log search in Events >> Search Zeek Logs page.

  • [BCD-10846] Moved the ‘Theme Color’ and ‘Use Local Time’ options from Event Table Configuration to the Account page located at Account >> My Account.

  • [BCD-11063] Improved user experience displaying loading spinner on Event >> Targeted Logs when the system loads the Targeted Logs.

  • [BCD-11074] Added a link / button in the User Interface to navigate from Collector to Central Manager when user navigates to Configuration >> System page.

  • [BCD-11144] In User Account >> Connectors page, merged the Hide Connectors page into the main Connector management page.

  • [BCD-11394] Updated user interface to display health and status message error when bv-gui container is not running.

  • [BCD-11427] Product documentation opens in a new browser tab instead of the current tab when user selects Documentation link from the left sidebar menu.

  • [BCD-11510] Added a profile icon to the user link located at the top right corner of the page.

  • [BCD-11511] Moved the product Documentation links from the left sidebar menu to top right corner for ease of navigation / access.

  • [BCD-11643] Updated Event Workflow page title located at Configuration >> Workflow >> Event Workflow, modified help text references to rules related to Event Workflow, removed Events Workflow link that used to appear in the Events subsection of the left sidebar menu.

  • [BCD-11645] Added a new link to Threatvectors on left sidebar navigation Events section (Left sidebar navigation menu >> Events >> Threatvectors).

  • [BCD-11647] Renamed Meta Fields in Configuration >> Workflow >> Threat Vectors to Pinpoint Filters.

  • [BCD-11796, CS-586] Implemented the ability to search an IP range in the Events table search query. Users can now search across a large list of non-contiguous IP addresses using the attribute name (usually meta.src or meta.dest) in [“x.x.x.x”, “y.y.y.y” ...].

  • [BCD-12008] Updated the Grid Overview widget on the BluVector Central Manager to show ingest bytes over the last 24 hours.

  • [BCD-12186, BCD-10806] Deprecated integrations (ThreatGrid, Threatstream) and updated user interface to remove links and configuration options.

  • [BCD-12295] Updated the Collector Join page located in BluVector Atomic Host (BAH) with a Force Remove option. Users can also force remove collectors using the -f option of the unjoinhosts.sh script from the command line (example: sudo /usr/bin/unjoinhosts.sh -f collector1.bah).

  • [BCD-12483] Deprecated CIF (Common Intelligence Framework) from Configuration >> Intelligence.

  • [BCD-12590, BCD-12591, BCD-12846] Updated product logo and name to new name (Advanced Threat Detection - ATD).
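
An added example (not BluVector code) of building the `meta.src in [...]` list query from BCD-11796 above out of a mixed indicator list of single addresses and CIDR blocks, so that a feed of non-contiguous addresses can be pasted into the Events table search without hand-quoting. It assumes the query language accepts only the literal list form shown in the release note (no CIDR operator), so blocks are expanded and capped at a size the example chooses; the field name, the cap and the sample indicators (RFC 5737 / RFC 3849 documentation ranges) are the example's own.

```python
import ipaddress

# Assumption for this example: the query language accepts only the literal
# list form shown in the release note, so CIDR blocks must be expanded. Refuse
# to expand blocks larger than this so the query stays a sane size.
MAX_ADDRESSES_PER_BLOCK = 256


def expand_indicators(entries):
    """Turn a mixed list of IP addresses and CIDR blocks into a sorted,
    de-duplicated list of address strings.

    Blank lines and '#' comments are skipped; anything that is not a valid
    address or network raises ValueError, so malformed input never reaches
    the query string.
    """
    seen = set()
    for raw in entries:
        item = raw.strip()
        if not item or item.startswith("#"):
            continue
        if "/" in item:
            net = ipaddress.ip_network(item, strict=False)
            if net.num_addresses > MAX_ADDRESSES_PER_BLOCK:
                raise ValueError("%s expands to %d addresses; narrow the block"
                                 % (item, net.num_addresses))
            seen.update(net)  # every address in the block, network/broadcast included
        else:
            seen.add(ipaddress.ip_address(item))
    # IPv4 and IPv6 objects do not compare with each other, so order by (version, value).
    return [str(a) for a in sorted(seen, key=lambda a: (a.version, int(a)))]


def build_in_query(field, entries):
    """Render an Events table query such as  meta.src in ["a", "b", ...]."""
    addresses = expand_indicators(entries)
    if not addresses:
        raise ValueError("no indicators supplied")
    quoted = ", ".join('"%s"' % a for a in addresses)
    return "%s in [%s]" % (field, quoted)


# Constructed indicator list (documentation ranges, not real threat intel).
SAMPLE_INDICATORS = [
    "203.0.113.7",
    "198.51.100.0/30",
    "203.0.113.7",      # duplicate, dropped
    "# feed comment",   # skipped
    "2001:db8::1",
]

if __name__ == "__main__":
    print(build_in_query("meta.src", SAMPLE_INDICATORS))
```

Validating every entry through the `ipaddress` module before it is quoted is the point: an indicator feed with a stray hostname or a typo should fail loudly here rather than silently turn into a query that matches nothing.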

6.21.7 DATAFLOW IMPROVEMENTS

  • [BCD-4367] Changed system resources allocated to hURI (URL analyzer) to improve service performance in customer networks.

  • [BCD-10674] Implemented the ability to configure & send action (Block or Deny) to Symantec ICDx for processing / forward to Symantec Endpoint Manager.

  • [BCD-10745] Improved handling of customer signed certificates when communicating with BluVector Portal.

  • [BCD-11176] Implemented the ability to control logging for a specific third-party library in the product dataflow component (SFA). Logging for a specific library can be enabled / changed through BluVector Configuration (bv-cfg) from the command line.

  • [BCD-11443, BCD-12612, CS-575] Improved support bundle to include content from journalctl for the previous week - ingest service log, sensor service log, docker service log, output of ‘journalctl -xe’.

  • [BCD-11603] Implemented log rotation on BluVector Configuration Management changes (bvcm).

6.21.8 GENERAL

  • [BCD-9177] Improved security controls to allow admin users to perform offline updates and upgrades.

  • [BCD-10822] Upgraded Bro / Zeek to the latest version 3.1.5. The latest version provides several stability improvements, fixes to security issues and bug fixes.

  • [BCD-11280] Improved security controls of the product from security assessments of included product software packages.

  • [BCD-11764] Implemented GPG signing on BluVector Exec bundles. Signature is checked during exec bundle installation / execution in BAH. Exec bundle installation / execution is stopped on signature verification failure.

  • [BCD-11782] Updated the platform GUI container (bv-gui) to allow persistent hotfixes outside of release schedule for customers.

  • [BCD-11829] Implemented the capability to deliver the Suricata Signature / Rules update via the BluVector Portal eliminating the need for firewall exceptions. Daily Suricata signature / rules are now delivered through BluVector portal located at api.bluvector.io.

  • [BCD-11997] Implemented the capability to configure the TLS version for TCP/UDP Outputs. A new configuration option located in Configuration >> Outputs >> TCP/UDP allows administrators to select between TLS 1.1 and TLS 1.2, with TLS 1.2 used as the default for communication. Note that TLS 1.1 has since been formally deprecated (RFC 8996); keep the TLS 1.2 default unless a legacy receiver leaves no alternative.

  • [BCD-12335, CS-651] Implemented log rotation on /var/log/mongodb/mongo.log.

Bug Fixes

  • [BCD-11151] Fixed a user interface issue so that hURI provides improved feedback on hostnames with no dots in the domain name.

  • [BCD-11390] Fixed an issue with the clean-up routine not executing, which resulted in old Bro/Zeek searches performed by the user remaining in the user interface.

  • [BCD-11406] Modified ‘processing’ box to be more visible while a search query is being executed in user interface dark mode.

  • [BCD-11417] Fixed an issue with Configuration picker in Configuration >> Workflow >> Event Workflow generating an error when user selects BluVector Central Manager and Collector.

  • [BCD-11456] Fixed an issue where the login page failed to load when a user who is not logged in follows a direct link to /api/*.

  • [BCD-11555] Fixed an issue and improved the default configuration on ThreatVectors to include (binning) all email events correctly.

  • [BCD-11586] Fixed an issue to remove duplicate API calls to the event status API when analyst changes Event status and changes the number of records shown in the Event data grid using the Show Entries picker.

  • [BCD-11744] Fixed an issue with the Dashboard not reflecting configuration changes without a user-initiated page refresh.

  • [BCD-11745] Fixed an issue where the /api/files endpoint failed to return a large number of unique file hashes (on high data-rate networks) when accessed via script.

  • [BCD-11792, CS-589] Fixed an issue with pinpoint crashing when user selects one of the five (5) status icons on the pinpoint table.

  • [BCD-11922, CS-624, CS-625] Fixed an issue that was preventing non-admin users from selecting and loading Pinpoint queries for execution on BluVector Central Manager - Collector pairs.

  • [BCD-11923] Fixed an issue with the default Pinpoint filter for Suricata result category Unknown & Classtype generating an incorrect query.

  • [BCD-12000] Fixed an issue with Suricata service failing to start in BluVector Central Manager.

  • [BCD-12009, CS-630] Fixed an issue that was preventing a system user from adding the Event Field Frequency widget to the Dashboard.

  • [BCD-12010, CS-631] Fixed text color in User Interface Dark Mode.

  • [BCD-12013] Fixed an issue with Configuration >> Endpoints >> Symantec accepting empty values for Name, Username, Password fields and allowing Configuration to be deployed.

  • [BCD-12014, CS-636] Fixed an issue with BluVector system failing configuration validations introduced in release 3.7 during software upgrade to release 3.8.

  • [BCD-12059] Fixed the ability to export CSV data in Dashboard >> Reports page when user selects Export button.

  • [BCD-12141] Fixed an issue with BluVector Machine Learning Engine consuming memory greater than allocated capacity.

  • [BCD-12144] Fixed an issue with OpenTAXII container not setting the correct domain or IP address on the platform making the OpenTAXII server unreachable.

  • [BCD-12235] Fixed an issue with Suricata rules / signatures being overwritten after a daily update.

  • [BCD-12488] Fixed an issue that prevented loading of the second TCP/UDP output when configured in the user interface at Configuration >> Outputs >> TCP/UDP.

  • [BCD-12932] Fixed a permissions issue with the Analytics Offline Update bundle preventing execution in BAH.

6.22 Release 3.8.3

6.22.1 GENERATION3 HIGH DATA-RATE (GEN3HD) HARDWARE SUPPORT

• [BCD-12968] Support for new Gen3HD hardware supporting a higher data rate in a 2U footprint. The new Gen3HD hardware platform can process up to 40Gbps in a 2U form factor. A fully-loaded 2U Gen3HD hardware platform, compared to the current BluVector Gen3 hardware platform, provides:

  • Up to 2x increase in total data-rate throughput processing over the Gen3 hardware platform

  • Up to 4x increase in total raw hard disk space available for storage of data

Enhancements

  • [BCD-12712] Upgraded Bro / Zeek to the latest long term supported version (Zeek-LTS-3.0.10). The upgraded version provides several stability improvements, fixes to security issues and bug fixes.

  • [BCD-12820] Added a new meta field called “elapsed_time_ms” that tracks flight time of network session from data ingest to when the event associated to the network sessions is written to the BluVector database.

Bug Fixes

  • [BCD-13113] Fixed issues with the in-situ (Insitu) learning capability of the machine learning engine for customers in air-gapped networks leveraging the BluVector Analytic Offline Update bundles.

  • [BCD-13081] Fixed performance issues with configuration deployments when BluVector sensors are entitled for in-situ service to pull artifacts from the BluVector portal.

  • [BCD-13114] Fixed high memory consumption issue with IOCHunter analyzer.

  • [BCD-13595] Removed GQUIC Zeek plug-in due to performance issues.

6.23 Release 3.8.2

  • None

  • [BCD-12215] Added JSON format option to syslog output type

  • [BCD-12712] Updated fourteen MLE classifier models

  • [BCD-12836] Added support for use of TLS 1.2 in TCP outputs

  • [BCD-12858] Fix issue where Suricata rules may be inadvertently overwritten

  • [BCD-12859] Fix issue where a space in an output name can prevent configuration deployment during software upgrade

  • [BCD-12860] Fix issue where some Suricata events were missing category metadata

  • [BCD-12861] Fix issue where Suricata would not start on Central Manager

  • [BCD-12862] Fix issue with GUI rendering of multiple outputs

  • [BCD-12863] Fix issue preventing use of host picker on workflow configuration page

  • [BCD-12879] Fix issue where the machine learning engine could exceed configured memory constraints

  • [BCD-13012] Fix issue with changing event or file status from current value to current value

6.24 Release 3.8.1

  • None

  • [BCD-11629] Implement version specific Chrome extension filetypes

  • [BCD-11589] Fix ClamAV failing while notifying of updated signature files

  • [BCD-11631] Fix issue where system was not cleaning up Zeek logs correctly

  • [BCD-11650] Fix ability to add more than one output key mapping

  • [BCD-11676] Fix Symantec-ICDx process failing to start on Central Manager in some situations

  • [BCD-11679] Fix issue preventing deletion of Symantec ICDx integrations

  • [BCD-11761] Fix issue with MLE upgrades failing to load new classifiers in some situations

6.25 Release 3.8.0

6.25.1 SUPERVISED MACHINE LEARNING ENGINE

• [BCD-10701] BluVector continues to improve coverage of the attack surface by introducing machine learning classifiers for the following file types:

  • Chrome Web Browser Extensions

  • Linux ELF MIPS

  • Linux ELF PowerPC

  • Linux ELF ARM

  • Linux ELF Sparc

  • Linux ELF i386

  • Linux ELF 64bit

Enhancements

6.25.2 SURICATA AND UPDATED ETPRO RULE SETS

• [BCD-9529] Upgraded Suricata to the latest version 5.0.2 and enabled support for new rule categories for Suricata. The new rule sets support an additional 25,000 rules added by Proofpoint across the following new categories:

    • Coinminer

    • Exploit_kit

    • Hunting

    • JA3

    • Phishing

With the update, new classtypes have also been introduced by Proofpoint. The following rule categories have been renamed by Proofpoint:

    • Malware to Adware_PUP

    • Trojan to Malware


6.25.3 BRO / ZEEK UPGRADE

• [BCD-7831] Upgraded Bro / Zeek to the latest version 3.0.3. The latest version provides several stability improvements, fixes to security issues and bug fixes.

6.25.4 PLATFORM

  • [BCD-10641] Improved security controls related to account administration.

  • [BCD-11028] Updated collector join process and removed the dependency on ICMP to check connectivity between Central Manager and Collector.

  • [BCD-10863] Implemented additional security control to prevent remote shell access directly as the root user.

  • [BCD-9304, BCD-1034] Fixed an issue with users being unable to open ports to get traffic into docker containers, and allowed wheel-group users to modify /etc/sysconfig/bah-docker.

  • [BCD-11112] Implemented a system hostname environment variable (HOST_HOSTNAME) in the ingest container.

6.25.5 USER INTERFACE

  • [BCD-9971] Updated the color scheme to follow the BluVector brand guideline for the following pages

    • Events details view

    • Zeek / Bro logs time window

    • File details view

  • [BCD-5771] Implemented the ability to download the hexdump of a file from the File details view without needing to download the file content.

  • [BCD-10525] Added rounding logic on Count Trends widget Y axis to scale graphs and make data presentable to the user.

  • [BCD-11101] Implemented the ability to open platform UI page or the BluVector application page in a new tab when user selects the pages in the user interface.

  • [BCD-10221] Improved failed connectivity messages to provide additional context when user clicks test connectivity in Configuration >> Endpoints and Configuration >> Intelligence

  • [BCD-11145] Changed Bro to Zeek in all UI pages.

  • [BCD-10325] Added subjectAltName (SAN) to certificate creation options in the UI as it is required by some browsers to treat a certificate as valid.

  • [BCD-9347] Improved the user experience of the Collector Join page.

6.25.6 GENERAL

  • [BCD-2398] Improved standard logging and debug logging of bv-cfg-api.

  • [BCD-11154] Upgraded ClamAV to the latest version 0.102.2 for improved performance.

  • [BCD-11172] Upgraded Yara engine to 3.11 for improved performance.

Bug Fixes

  • [BCD-11169, BCD-11165, BCD-11152] Fixed an issue that could prevent event processing and improved event processing process resiliency.

  • [BCD-6800] Implemented a notification on the Rules Management upload page when the Yara rules parser ignores files that do not have the extension ‘.yar’ or ‘.yara’.

  • [BCD-8644, BCD-8918] Fixed incorrect UI alert banner informing user Suricata is not running while events are being generated.

  • [BCD-10931] Fixed an issue with Search Zeek/Bro logs when using a string as a search term.

  • [BCD-11021] Fixed an issue so that the user can scroll the File card instead of the main page behind the File card popup.

  • [BCD-11026] Fixed permissions issue to provide customer admin users access to /etc/cockpit/ws-certs.d to apply SSL certs to cockpit.

  • [BCD-11040] Added the docker load command to the sudo no-password allow list so that an image can be passed via stdin without a password prompt.

  • [BCD-10828] Fixed an issue with Configuration pages where an empty configuration could not be discarded.

  • [BCD-11025] Fixed an issue with ‘Review Staged Changes’ button not appearing when user makes a change in Configuration >> Analyzers >> NEMA.

  • [BCD-7143] Fixed alignment and formatting issue on success text shown to the user on Rules & Threshold upload page.

  • [BCD-10610] Fixed and restyled the graphs on Insitu comparison page when using dark theme mode in UI.

  • [BCD-10765] Fixed formatting issue on event views with Intel hits (like AlienVault) in Chrome browser.

  • [BCD-11114] Fixed an issue with incorrect records count in Event pagination section.

  • [BCD-10195] Fixed an issue with misaligned text and dismiss icons in notification banners.

  • [BCD-10861] Fixed an issue for Collector UI to operate when Collector is unable to communicate with Central Manager.

6.26 Release 3.7.1

  • None

  • [BCD-10749] Added support for searching additional Zeek/Bro log types in the user interface

  • [BCD-10587] Fix timestamp recentering for targeted logs

  • [BCD-10588] Fix issue where dashboard pivot to event table could have incorrect time ranges

  • [BCD-10593] Fix issue in receiving ActiveDirectory probe data

  • [BCD-10721] Fix issue preventing federated Bro searches from a Central Manager

  • [BCD-10723] Fix race condition that could prevent ingest from working on Gen3 hardware

  • [BCD-10738] Fix issue with ThreatConnect test connectivity button

  • [BCD-10759] Fix issue preventing time queries of less than one day for Bro searches

  • [BCD-10815] Fix issue where some SCE analysis results tabs are not clickable


6.27 Release 3.7.0

6.27.1 CENTRAL MANAGER – COLLECTOR MANAGEMENT

• [BCD-8247] Ability to join or remove one or more Collectors to a Central Manager with a single action.

  • Updated join page on BluVector Atomic Host (BAH) allows the ability to join one or more Collectors to Central Manager.

  • View detailed information on the status of the joined Collectors.

6.27.2 CENTRAL MANAGER – SEARCH ZEEK LOGS USER INTERFACE

• [BCD-6383] Ability to perform Zeek log search from Central Manager

  • Analyst users can perform search on Zeek logs generated and stored on all Collectors or individual Collectors from Central Manager.

  • Search in Central Manager allows users to search through all Bro logs from the UI. The new search capability allows users to:

    • Search To / From date and time (maximum 7-day window)

    • Enter Search Terms as string (filename or part of file name, part of URL etc.) or RegEx

    • Select from a subset of Bro logs to search (like conn.log, files.log, http.log) or include all logs

    • Recall a previous search that was executed up to 2 days before

    • View progress updates for currently running searches

    • View completed searches that match search criteria

    • Export search results as a zip file for additional analysis.

Note: This is not a full index search of Zeek logs. BluVector recommends export of Zeek logs to an external system like a SIEM or data lake for full index search capability in deployments with five (5) or more Collectors connected to the Central Manager.

6.27.3 CENTRAL MANAGER – CENTRALIZED USER PREFERENCES

• [BCD-6571] Implemented the ability in the Central Manager to allow a user to create / edit / delete the following user specific preferences for use across all Collectors connected to the Central Manager.

  • Connectors

  • Saved Filters, Queries and PinPoint Workflows

  • Event table order

  • GUI theme preference

  • Timezone use preference (Local vs. UTC)

6.27.4 USER INTERFACE – CUSTOMIZABLE DASHBOARDS & REPORTS

• [BCD-7897] Ability to CRUD dashboards based on user preferences.

  • Create your own custom dashboard with the ability to create / read / update / delete dashboards with customizable widgets.

  • Quickly add new predefined widgets for the user to easily create their own custom dashboard.

  • If all dashboards for a user are deleted, the default ones will be recreated for that user.

  • Easily reposition and resize Widgets in the dashboard using the new drag-and-drop features.

  • Configurable auto refresh for Widgets to meet your own personal preferences.

  • Predefined widgets types are available for the user to pick from to create their custom dashboard.

  • Limitations

    • Dashboards cannot be shared by users.

    • Custom dashboards created in Central Manager are not included in the centralized user preferences when user logs into Collector.

6.27.5 USER INTERFACE – NEW THEMES

• [BCD-8091, BCD-9309] New user interface with easier navigation, improved analyst visualizations, and dark theme.

  • Updated BluVector branding

  • New Left Sidebar Navigation

  • New UI themes. User has ability to switch between light theme (default) and dark theme.

6.27.6 SYSTEM TELEMETRY

• [BCD-7869] Implemented health and status telemetry service from BluVector Sensors to BluVector Portal to support future product enhancements and improve product support.

  • Improved metric services collect telemetry data (including health and status metrics and performance metrics) and store it in a database local to the Collector / Sensor.

  • A new configuration page in the Configuration >> Portal >> Telemetry to enable / disable service and configuration of service parameters.

  • The telemetry service is enabled by default and can be disabled based on customer requirements.

  • Telemetry data is sent as JSON blob via secure communication channel SSL/TLS.

  • File content extracted by BluVector from the network session is not shared back to BluVector Portal.

6.27.7 INTEGRATIONS – SYMANTEC ICDx

• [BCD-7938] Symantec ICDx (Integrated Cyber Defense Exchange) is a layer that Symantec and partner products like BluVector Cortex connect to for handling event routing, messaging, storage and configuration. It implements a unified security schema and framework for collecting, filtering and forwarding events and requested actions across the ICDx integration bus. BluVector Cortex has adopted the unified security schema to communicate with the Symantec product ecosystem.

    • The integration supports Symantec Endpoint Solution (SEP Release 14 and higher).

    • A BluVector Cortex file detection event is sent to ICDx with the attribute type_id (Type) set to File Detection and key attributes such as file.sha256, severity_id, file.size etc.

    • The user can configure ICDx to forward BluVector generated events to SEP for actions based on your security policy.

Enhancements

6.27.8 SUPERVISED MACHINE LEARNING ENGINE

  • [BCD-8051] Ability to receive supervised Machine Learning Engine (MLE) classifier updates from BluVector portal.

    • Classifiers no longer require a BluVector Cortex software update to receive the latest classifiers.

    • Classifier updates are received on the Central Manager and distributed to the Collectors.

    • Standalone Sensors receive updates directly from the portal.

    • Data bundles for in-situ training are also downloaded from the portal.

  • [BCD-9125] Updated classifiers for the following file types:

    • Office 2007+ File Types – PPTX, DOCX, XLSX

    • Office 2003-2007 File Types – PPT, DOC, XLS

    • Portable Document Format (PDF)

    • PE32 GUI files

  • [BCD-8042] Ability to perform in-situ training on Central Manager without event forwarding from the collectors.

    • Provides the ability for Central Manager to track user adjudications on Collectors when event forwarding is not enabled on the Collectors

    • Central Manager can train classifiers based on tracking of user adjudications on Collectors

    • Central Manager will train and deploy classifier to ‘all’ Collectors connected to the CM. There is no option to selectively deploy classifiers to certain Collectors.

  • [BCD-6924] Updated feature vectors across multiple filetypes.

    • Added new MSDOS parser output including UI

    • Added new parser for Mozilla Firefox browser extensions

    • Enhanced the SWF parser to display Flash Attributes, and ActionScript packages

6.27.9 SPECULATIVE CODE EXECUTION ENGINE

• [BCD-8668] Implemented improvements to heuristics and several performance improvements

  • Included obfuscated URL lists and protocols in the event JSON when an event is generated by the engine to forward to SIEM via outputs.

  • Improved NEMA Correlator memory management for large volume traffic.

  • Updated shell-code detection heuristic to improve accuracy of Self-Modifying Shell Code detection in executable files.

  • Enhanced SCE to support HTML files

  • Improved exception handling and logging in the worker logs related to the SCE correlator workers.

6.27.10 PLATFORM

  • [BCD-5538] Implemented FIPS 140-2 compliant RPMS and libraries on BluVector Atomic Host platform.

    • Use of FIPS 140-2 compliant libraries enabled on Atomic Host at kernel level.

    • Containers in the platform inherit FIPS mode from platform.

    • Fresh install of release 3.7.0 will enable FIPS compliant libraries by default for all external communication.

    • For customers upgrading from release 3.6.x to 3.7.0, contact BluVector support team to enable use of FIPS 140-2 compliant libraries.

  • [BCD-9690] Added admin user permissions in BAH to edit /etc/hosts.

6.27.11 USER INTERFACE

  • [BCD-7705, BCD-8116] Implemented support for proxies for CB Response and CB Protect.

  • [BCD-7079] Changed time picker in Search Bro Logs page to use time picker selector used in PinPoint views.

  • [BCD-7742, BCD-7820] Implemented the ability to export Zeek query results to CSV.

6.27.12 GENERAL

  • [BCD-5915, BCD-5916, BCD-6904, BCD-9008, BCD-9005, BCD-9419, BCD-9350] Updated the API used for uploading Yara and Suricata rules to accept multiple files (bulk upload) and add / commit them in a single operation. All Yara rules are uploaded to a single path (e.g. /opt/bluvector/repo/yara/rules/) during the add / commit operation.

  • [BCD-6369] Extended the Suricata Rules Hit Statistics Endpoint to support returning hit counts for each signature ID so that it can be used in ERM application.

  • [BCD-8839, BCD-8975, BCD-8931, BCD-8932] Enhanced and fixed the ability to upload large support bundles (>1GB) to BluVector portal from the UI.

  • [BCD-8997] Updated default configurations in product to (1) start IoC Hunter service, (2) Standard MLE metadata logging for all file types except SWF, (3) added a new KeyMap for Splunk output.

  • [BCD-9812] Updated BluVector support team contact number to 1-833-BLU-0595.

  • [BCD-7456] Implemented the capability to allow system users to upload to artifact store on collectors from the Central Manager.

  • [BCD-9068] Expanded health & status monitoring framework to show alerts for the additional system services.

  • [BCD-9670] Added tcpdump and unzip packages to ingest container to help troubleshoot issues with Customer Service team

Bug Fixes

  • [BCD-7287] Fixed an issue in the NEMA Correlator that was causing low memory issues when processing a large amount of traffic throughput.

  • [BCD-7768] NEMA was flagging a large amount of non-malicious Windows executables. The engine was updated to flag only self-modified executables.

  • [BCD-8755] Fixed an issue with ThreatVector status change red color banner appearing after user changes file statuses in the ThreatVector view


  • [BCD-8844] Updated UI logic to show the user a “Log collection has not yet finished” message when targeted logs have not completed writing to the related event directory

  • [BCD-8907] Fixed an issue with User Adjudication Report building URIs that exceed URI length limit

  • [BCD-8964] Fixed a lock condition when Sensor container fails to start when configuration is staged for deployment and sensor container was restarted prior to deployment

  • [BCD-9163] Fixed an issue where the Suricata Rules Management Engine Fails on a space after ‘msg’

  • [BCD-9164] Fixed an issue where a Suricata event Display Rule Details button may spin indefinitely when clicked

  • [BCD-9165] SMTP output passwords that were not masked are now properly obfuscated

  • [BCD-9167] Fixed an issue where configuration may not display staged changes

  • [BCD-9173, BCD-9174] Fixed an error when queuing up file adjudications using bulk status change in the UI

  • [BCD-9237] Fixed an issue in Central Manager to enable targeted loggers to retrieve logs from the collector asynchronously to prevent long event page load times

  • [BCD-9354, BCD-9357] Bug Fixes for issues causing incorrect event counts

6.28 Release 3.6.3

  • None

  • [BCD-8635] Improved removal of orphaned extractor artifacts from system storage

  • [BCD-8665] Fixed issue with erroneous error banner appearing in Event Details view when targeted logs are still processing

  • [BCD-8862] Fixed issue with evolving classifiers when retraining with highly unbalanced training lists

  • [BCD-8871] Fixed issue where some events forwarded to a Central Manager are not scored

  • [BCD-8894] Fixed issue where message log can grow unbounded

  • [BCD-8995] Fixed issue with AlienVault integration preventing download of new IoCs

  • [BCD-9001] Fixed issue with erroneous error banner appearing after status changes in ThreatVector view

6.29 Release 3.6.2

  • None

  • None

  • [BCD-8649] Fix issue with file permissions on disk maintenance cron job

  • [BCD-8655] Fix issue with Lastline Post Analyzer interface

6.30 Release 3.6.1

  • None

  • [BCD-8086] Improve Portal API URL validator to enforce trailing slashes on URLs

  • [BCD-8097] Place maximum limit on Bro log directory size

  • [BCD-7733, BCD-7784] Fixed typos on GUI and API documentation pages

  • [BCD-7844, BCD-7968, BCD-8046, BCD-8052] Fixed various minor UI rendering issues

  • [BCD-7872, BCD-7936, BCD-8026, BCD-8073, BCD-8085] Fixed issues with validating existing configurations during upgrades to BV 3.6.0

  • [BCD-7924, BCD-8006] Fixed issues rendering certain staged configurations

  • [BCD-7935] Remove unnecessary systemd units during upgrade

  • [BCD-7959] Remove unnecessary configuration fields during upgrade

  • [BCD-8054] Fixed issue that prevented output generation for events with no files

  • [BCD-8070] Make check for targeted logs non-blocking on event detail page load

  • [BCD-8079] Provide additional visual feedback to user during opening of event details

  • [BCD-8080] Fixed issue with excessive file existence checking within FileManager

  • [BCD-8101] Fixed issue with the Central Manager when entitling artifact storage to use the BluVector Portal for the first time

  • [BCD-8127] Added disk maintenance cron job to address orphaned extractor artifacts

  • [BCD-8159] Fixed potential security vulnerability that could be exploited to perform a cross-site scripting attack

  • [BCD-8192] Fixed issue with remote administrator sudo privileges

6.31 Release 3.6.0

6.31.1 FILE REPUTATION ANALYZER

• [BCD-6472, BCD-6867, BCD-6833, BCD-6870, BCD-6580, BCD-6606, BCD-6716, BCD-6718, BCD-6908] A File Reputation analyzer has been added to the analysis suite.

    • This analyzer compares seen files to a database of known good hashes and appropriately adds context where available.

    • By default, the analyzer is loaded with the NIST known good file hashes and when connected to the BluVector portal will receive periodic updates with good file hashes as they are aggregated and adjudicated by the BluVector Threat Research team.

    • Implemented and enabled out of the box rules in Configuration >> Workflow for setting status of events & files to trusted or malicious based on the downloaded file hash list from the portal.

    • Support for uploading additional known good and known bad hashes will be added in a future version.


6.31.2 STIX/TAXII

• [BCD-6529, BCD-6484, BCD-6775, BCD-6483] BluVector sensors can now share information on events detected by BluVector Cortex platform with other systems / components in the customer’s cybersecurity stack by using the STIX/TAXII service. The service:

  • Supports MITRE’s TAXII standard for integration.

  • Information in each event is represented using the STIX language format.

  • The STIX format allows the BluVector Cortex platform to present its breach detection findings in a hierarchical fashion.

  • Supports only the Indicator (Pattern identifying observable conditions) STIX object. No other object types are supported.

  • The STIX artifact is used by BluVector to communicate indicators to other cybersecurity products.

  • Does allow other solutions to push out Indicators through BluVector.

  • BluVector generates STIX artifacts for

    • Hashes of any file which BluVector has adjudicated to be malicious

    • URI of any fileless threat detected by BluVector Speculative Code Execution (SCE) engine and adjudicated to be malicious.

6.31.3 NOTES ON EVENTS

  • [BCD-4503] BluVector Cortex platform now allows users the ability to enter Notes on Events. The Notes feature allows users of BluVector Cortex to communicate information within the BluVector application about events and files to other users of the system. The feature allows users to:

  • Create Notes and Attach Notes to a File / Event:

    • Each File / Event provides the user with a UI interface to leave a Note.

    • A Note’s maximum length is 256 characters.

    • Each File / Event can have more than one comment attached to it.

    • Multiple Notes will appear as a flat list sorted by the time when the Note was created.

  • View Notes:

    • Notes are viewable by the users at the bottom of File / Event details page (after HTTP headers panes on Event, and after Recent Events on the File).

    • Each Note in the File / Event card shows the author and the date, timestamp of entry.

  • Search Notes: Users can search based on

    • Full or partial text of Note in their search query using PQL query message == “some text”.

    • User that created the note using PQL query user == “username”.

  • Delete Notes: Users can delete the Notes they have entered for a File / Event.

  • Edit Notes: Users can edit Notes that they have written. An edited time stamp will be displayed on any notes modified this way.

  • Reply to Notes entered by users: Users can enter a reply to a Note.

  • Replies to Notes appear in chronological order based on time stamp. The Events data grid / data table contains a visual indication when an Event contains one or more Notes.

6.31.4 CORRELATED EVENTS

• [BCD-6607] BluVector Cortex now shows correlated events to a selected event in question. The correlated events are shown in table format with timestamp, event score, event id (with hyperlink), hostname, flagging analyzers. The table provides the following options:

  • Time Window (plus / minus around the event): 5 seconds (default), 30 seconds, 60 seconds, 5 minutes.

  • Correlation Field: Destination IP (default if no username), Username, Destination IP or Username (default if username is present).
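The correlation rule described above (a time window around the selected event, and a correlation field that defaults to Destination IP unless a username is present), written out as an added Python example. This is illustrative code, not BluVector's implementation; the event records and their field names (`dest_ip`, `username`, `analyzers`) are constructed for the demo.

```python
"""Added example: correlated-events lookup around a selected event.
Not BluVector's code; the EVENTS records below are constructed."""
from typing import Dict, List, Optional

# Constructed sample events with the columns the correlated-events table shows.
EVENTS: List[Dict] = [
    {"id": "ev-100", "ts": 1560000000.0, "score": 0.91, "hostname": "ws-17",
     "dest_ip": "203.0.113.10", "username": "jdoe", "analyzers": ["MLE"]},
    {"id": "ev-101", "ts": 1560000003.0, "score": 0.40, "hostname": "ws-17",
     "dest_ip": "203.0.113.10", "username": None, "analyzers": ["Suricata"]},
    {"id": "ev-102", "ts": 1560000020.0, "score": 0.77, "hostname": "ws-22",
     "dest_ip": "198.51.100.20", "username": "jdoe", "analyzers": ["SCE"]},
    {"id": "ev-103", "ts": 1560000004.0, "score": 0.12, "hostname": "ws-31",
     "dest_ip": "198.51.100.20", "username": None, "analyzers": ["Yara"]},
    {"id": "ev-104", "ts": 1560000200.0, "score": 0.95, "hostname": "ws-17",
     "dest_ip": "203.0.113.10", "username": "jdoe", "analyzers": ["MLE"]},
]

# The four window choices offered in the UI (plus / minus around the event).
WINDOWS = {"5s": 5, "30s": 30, "60s": 60, "5m": 300}


def default_correlation_field(event: Dict) -> str:
    """Destination IP or Username when a username is present, else Destination IP only."""
    return "dest_ip_or_username" if event.get("username") else "dest_ip"


def _matches(field: str, anchor: Dict, other: Dict) -> bool:
    if field == "dest_ip":
        return other["dest_ip"] == anchor["dest_ip"]
    if field == "username":
        # An anchor without a username can never correlate on username.
        return bool(anchor.get("username")) and other.get("username") == anchor["username"]
    if field == "dest_ip_or_username":
        return _matches("dest_ip", anchor, other) or _matches("username", anchor, other)
    raise ValueError(f"unknown correlation field: {field}")


def correlated_events(events: List[Dict], event_id: str, window: str = "5s",
                      field: Optional[str] = None) -> List[Dict]:
    """Return the other events within +/- window of the selected event that share
    the correlation field, ordered by timestamp (the table's row order)."""
    anchor = next(e for e in events if e["id"] == event_id)
    seconds = WINDOWS[window]
    field = field or default_correlation_field(anchor)
    hits = [e for e in events
            if e["id"] != event_id
            and abs(e["ts"] - anchor["ts"]) <= seconds
            and _matches(field, anchor, e)]
    return sorted(hits, key=lambda e: e["ts"])


if __name__ == "__main__":
    for hit in correlated_events(EVENTS, "ev-100", window="5m"):
        print(hit["id"], hit["ts"], hit["score"], hit["hostname"], hit["analyzers"])
```

Widening the window from 5 seconds to 5 minutes pulls in events that share only the username (a different destination), which is the usual reason to switch the correlation field to Destination IP alone when a noisy user account is involved.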

6.31.5 LICENSE CONTROL OF APPLIANCES

• [BCD-5419, BCD-5247, BCD-6842, BCD-6843, BCD-6258] A new license enforcement mechanism has been added to the appliances.

  • This enforcement mechanism will check the expiry date of the entitlement certificate in BluVector Cortex appliance.

  • The check on the entitlement certificate occurs during BluVector appliance reboot.

  • The enforcement mechanism will

    • Stop the appliance from processing incoming traffic when the entitlement certificate of the box has expired. No new events are generated, existing data in the system is retained, and users can log into the appliance through the web user interface and / or BluVector Atomic Host user interface.

    • Stop the appliance from downloading new software updates from the BluVector Software Update Server.

Enhancements

6.31.6 DETECTION (SUPERVISED MACHINE LEARNING, SPECULATIVE CODE EXECUTION)

  • [BCD-6674] Enhanced BluVector Cortex platform to filetype web-extensions / add-ons from Google Chrome, Mozilla Firefox, Apple Safari and Microsoft Edge. ClamAV by default is subscribed to these extensions. Supervised Machine Learning engine classifiers will be added in a future release.

  • [BCD-6890] Added elapsed analysis time for Speculative Code Execution (SCE) events generated by BluVector.

  • [BCD-6900] Enhanced BluVector Cortex SCE generated events to be processed & enriched by other analyzers in the system.

6.31.7 TARGETED LOGGING

  • [BCD-6376] BluVector’s Targeted Logging capability is now configurable via the command line, allowing for more complex targeting schemes along with the ability to add additional Bro / Zeek logs generated by plugins added to the Sensor.

  • [BCD-5885, BCD-7118] Updated the Targeted Logger in BluVector to include the following additional Bro / Zeek logs in the UI Events Targeted Logs section – dce_rpc, ntlm, mysql, smb_cmd, smb_files, smb_mapping.

  • [BCD-3885] Enhanced the ability of the BluVector Central Manager to view Targeted Logs of a Collector.


6.31.8 X.509 CERTIFICATES ANALYZER

• [BCD-5511] BluVector release 3.4.0 introduced a new analyzer to extract metadata from X.509 certificates for all SSL connections processed by Bro / Zeek. In the current release, the X.509 certificate analyzer has been enhanced to significantly reduce duplicate X.509 certificate extractions. The duplicate certificate expiration interval is now manually configurable in the sfa_extract.bro policy located at policy/bluvector/x509/sfa_extract.bro, with a default value of one (1) hour.

6.31.9 DYNAMIC MALWARE ANALYSIS IN CLOUD (DMAC)

  • [BCD-4555] Enhanced ability in BluVector sensors to submit additional file types such as DMG, PE32+ DLLs, PE32+ EXEs, JAR, Flash, GIF, TIFF, BMP, JPEG, PNG and RTF to BluVector’s Dynamic Malware Analysis in the Cloud (DMAC) sandbox. Results from the analysis of these filetypes are shown in the File card under the Post Analysis tab.

  • [BCD-4679, BCD-5451] Enhanced the error handling of unsupported filetypes of DMAC results in the BluVector user interface and reduced the DMAC post analyzer messages written to system logs.

  • [BCD-7113, BCD-7154] Implemented the ability to proxy the submissions from BluVector sensors to Dynamic Malware Analysis in the Cloud sandbox via the BluVector portal.

6.31.10 UI/UX IMPROVEMENTS

  • [BCD-5331] Implemented the ability to auto complete when querying events using metadata. The UI now provides auto complete suggestions in the Events Search bar when metadata fields are entered by the user.

  • [BCD-6737] Enhanced the Output keymaps located at Configuration >> Outputs >> Key Mappings to map complex values such as lists and dictionary structures. These complex values usually occur in events generated by Speculative Code Execution engine or IoC hunter containing more than 1 value for an Event key.

  • [BCD-5536] Enhanced the User Adjudications report located at Reports >> User Adjudications to be interactive. Users can select a value in the report and view list of events matching selected status and user.

  • [BCD-3784, BCD-6337] Implemented the ability to export PinPoint view data to CSV. To export all data used in generating the PinPoint view, users will have to select the ‘Expand All’ button in PinPoint view and select Export.

  • [BCD-3992] Implemented auto-refresh of Reports located in Dashboard >> Reports every minute.

  • [BCD-5676] Implemented a ‘Test Connectivity’ button under Configuration >> Collectors >> IMAP if the IMAP service is enabled to verify connection to the IMAP server including correct user name and password to be used by the service.

  • [BCD-5973, BCD-6398] Updated Events data grid view to show combined source / destination addresses and ports rather than as separate columns. IP addresses and ports are now shown as “IP Address:Port”. Extra space in the Events data grid is now used to show Protocol field as default column. Users have the ability to search based on source or destination or port using the search query located at the top of the Event page. The change applies to IPv4 and IPv6 addresses.

  • [BCD-6436, BCD-7378, BCD-7389] Under Configuration >> Support implemented the ability to upload the support bundle to BluVector Portal (located at https://api.bluvector.io) eliminating the need to download and manually copy the bundle to BluVector’s support sharepoint site.

  • [BCD-5331] Enhanced the user interface to allow meta.headers.method as a query-able key and enabled the autocomplete capability on the search query field on the metadata fields.

  • [BCD-6391] Enhanced error messages on Rules Management endpoints to show a user-friendly message with an associated ‘detail’ button showing the exception generated by the endpoint.

  • [BCD-7162, BCD-7110, BCD-7163] Implemented the ability to upload Custom or new ClamAV signatures through the configuration page (Configuration >> Analyzers >> ClamAV >> Signatures Management) to keep the signatures up to date. BluVector Cortex Sensors with internet access will automatically fetch the latest ClamAV signatures via BluVector Portal. BluVector also offers access to an additional proprietary set of signatures that are downloaded via BluVector Portal. In addition, custom signatures uploaded to a Central Manager will automatically be synchronized with those on joined collectors.

  • [BCD-6113, BCD-5664] Implemented the ability to configure proxies through BluVector Atomic Host. The ability to configure and set proxies via the BluVector User Interface is now deprecated and removed.

6.31.11 GENERAL

  • [BCD-6828] Implemented the ability to track and alert if free space on root file system partition in sensor container is below 3GB.

  • [BCD-6884] Increased size of the root file system partition in Sensor container to 20GB from the default 10GB.

  • [BCD-6739, BCD-6740, BCD-6741, BCD-6742, BCD-6749, BCD-6848, BCD-6953, BCD-7027] Enabled Bro/Zeek Package Manager command-line tool for installing and managing script and plugin packages. This offers a consistent way to install new Bro capabilities from either GitHub community-maintained repos, or from BluVector. The following GitHub community-maintained plugins are included but not enabled by default.

    • SFA_DNS scripts to flag potential DNS tunnels in dns.log and send notifications by BluVector

    • Long connection logging by Corelight

    • Bitcoin mining detection by Jsiwek

    • JA3 project for fingerprinting SSL/TLS certificates in Bro/Zeek by Salesforce

  • [BCD-7072] Implemented the ability to allow customers to generate or procure a list of JA3 hashes of interest and supply them to Bro / Zeek using the intel framework so that BluVector Cortex sensors can send any sessions with matching hashes as an Event. This capability leverages the Salesforce JA3 Bro / Zeek plugin available via GitHub.
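An added Python example of what a JA3 hash of interest actually is, so that a supplied list can be sanity-checked before it is loaded into the intel framework: the JA3 string is built from the ClientHello's version, cipher suites, extensions, elliptic curves and point formats, GREASE values are dropped, and the MD5 of that string is the fingerprint. The ClientHello values are constructed, the intel-file writer follows the Zeek intel framework's TSV layout, and the `Intel::JA3` indicator type and `meta.source` value are placeholders (Zeek's built-in indicator types do not include JA3; the type a deployment uses depends on the script that does the matching). This is not BluVector's or the JA3 project's own code.

```python
"""Added example: JA3 fingerprint computation and a Zeek intel-framework file
for JA3 hashes of interest. Not BluVector's or the JA3 project's code;
ClientHello values are constructed and the indicator type is a placeholder."""
import hashlib
from typing import Iterable, List, Sequence, Tuple

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. Clients randomise them,
# so they must be removed or the same client would fingerprint differently each time.
GREASE = {((0x0A + 0x10 * i) << 8) | (0x0A + 0x10 * i) for i in range(16)}


def _clean(values: Iterable[int]) -> str:
    """Join values with '-' in wire order, skipping GREASE entries."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version: int, ciphers: Sequence[int], extensions: Sequence[int],
               curves: Sequence[int], point_formats: Sequence[int]) -> str:
    """JA3 = 'TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats'.
    GREASE filtering applies to ciphers, extensions and curves; point formats are
    taken as-is. All numbers are decimal (771 is TLS 1.2's 0x0303)."""
    return ",".join([
        str(version),
        _clean(ciphers),
        _clean(extensions),
        _clean(curves),
        "-".join(str(p) for p in point_formats),
    ])


def ja3_hash(version: int, ciphers: Sequence[int], extensions: Sequence[int],
             curves: Sequence[int], point_formats: Sequence[int]) -> str:
    """The 32-hex-character MD5 of the JA3 string: the value a hash list carries."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


def intel_file(hashes: List[Tuple[str, str]], source: str = "example-ja3-list",
               indicator_type: str = "Intel::JA3") -> str:
    """Render Zeek intel-framework TSV rows. indicator_type and source are
    placeholders (assumption); a matching script must understand the type."""
    rows = ["\t".join(["#fields", "indicator", "indicator_type", "meta.source", "meta.desc"])]
    for digest, desc in hashes:
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a JA3 hash: {digest!r}")
        rows.append("\t".join([digest, indicator_type, source, desc]))
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    # Constructed ClientHello: TLS 1.2, two TLS 1.3 suites plus one ECDHE suite,
    # with a GREASE value in each list.
    fields = (771, [0x0A0A, 4865, 4866, 49195], [0x1A1A, 0, 23, 65281, 10, 11],
              [0x2A2A, 29, 23, 24], [0])
    print(ja3_string(*fields))
    digest = ja3_hash(*fields)
    print(digest)
    print(intel_file([(digest, "constructed example client")]))
```

Hashing after GREASE removal is what makes a list of JA3 values stable across connections from the same client; a list produced by a tool that forgot the filter would never match the fingerprints Zeek's JA3 script computes.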

  • [BCD-6801] Implemented the ability for Yara Rules Management to allow for files with .yara extension.

  • [BCD-5272, BCD-6947, BCD-6992] Implemented the ability to show the PCAP Id and Name in the event JSON when user uploads PCAPs using the user interface.

  • [BCD-7379] Improved database performance through implementation of a cache service used when searching for previous file status.

  • [BCD-7583] Deprecated STOMP output type.

Bug Fixes

  • [BCD-6382] Fixed issue with Sensor Diagram not loading on BluVector Central Manager when there’s traffic from Collector.

  • [BCD-6361] Fixed an issue with User Interface showing a persistent blue banner and incorrect message on number of events generated when user uploads PCAP through Upload page.

  • [BCD-6416] Updated the default subscribe list for ClamAV and Yara to exclude ‘text’ filetype. Updated the IoCHunter subscribe list to exclude Office 2007+ document type.

  • [BCD-4265] Fixed issue with reload of Suricata rules informational banner message being visible after the rules have been successfully reloaded in the system.

  • [BCD-4283] Fixed the ability to support output of meta-data fields generated by sensor analyzers such as Yara and SCE for array datatypes.

  • [BCD-6929] Fixed an issue preventing users in the User-level permission group from viewing and selecting the “Search Bro Log” option under Events in the UI.


  • [BCD-7040] Fixed an issue with hostname and domain changes on collectors not persisting after configuration changes.

  • [BCD-6414] Fixed issue with saving content to disk when a file is flagged via a rule.

  • [BCD-6453] Fixed an issue with some RTF files not being properly categorized in BluVector MLE.

6.32 Release 3.5.0

6.32.1 RULES MANAGEMENT

  • [BCD-6045] Updated the rules management framework to allow adding rules and thresholds through file uploads.

    • Allows customers using their own rule set in the same format as ETPro to configure the URL for pulling rules into the BluVector Sensor.

    • Provides the ability to directly upload new Suricata rules or threshold configuration for rules management through the BluVector user interface.

    • Provides the ability to add / remove / edit different rules and thresholds for Suricata through APIs. The following rules management endpoints are available:

      • /api/collectors/Suricata/

      • /api/collectors/Suricata/rules

      • /api/collectors/Suricata/counts

      • /api/collectors/Suricata/whitelists

      • /api/collectors/Suricata/update_rules

      • /api/collectors/Suricata/thresholds

    • Logs all changes made by the users to syslog.

6.32.2 CENTRAL MANAGER

  • [BCD-6174] Display Sensor Health and Status on Central Manager.

    • Implemented ability for BluVector Cortex Central Manager (CM) to collect health status of Sensors managed by the CM.

    • Based on the metrics collected from the managed Sensors, the CM in Sensor Grid will provide a visual indication (Red / Yellow / Green) of the status of the Sensor along with a visual indication to notify the user that CM is unable to connect to managed Sensor.

    • The CM will generate an alert if one of the following conditions is met:

      • Connection to the managed Sensor exists and no events have been received for the last 2 hours.

      • CM is unable to collect the sensor health status from any of the Sensors under management.

6.32.3 HEALTH & STATUS

  • [BCD-5507] Health and status rule to monitor dropped packets at the ingest interface.

    • Implemented the ability to track and alert on dropped packets at the ingest interface.

    • The alert will be marked as an INFO alert and will be output over syslog (if configured) and logged to the Sensor alert.log file.

    • No alert will be shown in the User Interface.

  • [BCD-5805, BCD-6004] Health and status rule to monitor the Output framework for failures.

    • Implemented the ability to track and alert, per Output configured in the system, on whether the Output is working or not.

6.32.4 TWO FACTOR AUTHENTICATION USING GOOGLE AUTHENTICATOR

  • [BCD-5497, BCD-5634, BCD-5633, BCD-5962, BCD-6013] New feature requiring Two Factor Authentication (2FA) to access BluVector User Interface and underlying platform user interface.

    • System administrator can enable 2FA.

    • When 2FA is enabled ALL users will be required to use it. Administrators do not have the ability to turn off 2FA on individual accounts.

    • Administrators will need to create & capture the QR code and forward to the user to complete the 2FA setup process with the Google Authenticator application on their mobile device.

    • During setup, Google Authenticator will provide several emergency keys that can be used to get in if the Google Authenticator device paired with the account is unavailable. It is highly recommended to record these.

    • After setup, when 2FA is enabled the user will be prompted to enter their token from the Google Authenticator mobile app on a screen after the BluVector login page.

Enhancements

6.32.5 ARTIFACT STORE

• [BCD-6112] BluVector Release 3.4 introduced the ability for customers to manage Bro/Zeek scripts & Yara rules through a local artifact store on the BluVector Cortex Sensor. This feature updates the ability of the sensor to create audit logs for the artifact store running on the Sensor to track CRUD user actions to be included in /var/log/audit file. The audit log contains username, file path / file, action taken and timestamp.

6.32.6 GENERAL

  • [BCD-5502, BCD-5503, BCD-6037] Implemented the ability to support SSL on output framework for TCP output protocols.

  • [BCD-5809] Implemented the ability to track configuration changes made by users in the system.

  • [BCD-5813] Implemented the ability to generate and write notifications in /var/log/messages when new signatures (ClamAV, Yara, and Suricata) are deployed in the system.


Bug Fixes

  • [BCD-6164] Fixed an issue with Extractor service returning empty results when the maximum embedded file size or file count is reached. The BluVector Cortex sensor will now extract up to embedded size limit and count limits and provide a warning. The maximum embedded file size has been updated to 500MB.

  • [BCD-6151] Fixed and removed extra characters (> and <) appearing at the end of extracted URLs from IOCHunter.

  • [BCD-6141] Fixed an issue with new health alerts for Ingest container not running, Bro/Zeek not running and Suricata not running from triggering erroneously on BluVector Cortex Central Manager.

  • [BCD-6173] Fixed an issue with ClamAV file analysis process timing out due to very large file processing.

  • [BCD-6186] Fixed an issue with Extractor service not properly parsing some email formats during attachment extraction.

  • [BCD-6346] Fixed an issue with display of API documentation on a central manager.

  • [BCD-6364] Fixed an issue with GUI session timeouts causing erroneous errors to be reported when changing configuration.

  • [BCD-6372, BCD-6377] Fixed issues with export and import of classifier bundles from another BluVector.

  • [BCD-6374] Fixed an issue with changing event status on a central manager.

  • [BCD-6380] Fixed an issue on the central manager when attempting to configure portal parameters.

6.33 Release 3.4.1

  • None

  • None

  • [BCD-6080] Fixed issue where SFA logs grew unbounded

  • [BCD-6082, BCD-6083] Fixed issue where Suricata event listener failed to start if previous socket was not closed in time

6.34 Release 3.4.0

6.34.1 ASSET ILLUMINATION & USER CONTEXT

  • [BCD-5475, BCD-5476, BCD-5477, BCD-5478, BCD-5557, BCD-5725] BluVector Cortex sensors integrate with directory services to trace events back to exact systems and users. This capability provides context into network activity allowing for greater detection and quicker response. The feature requires:

    • An ‘AD Probe’ Windows Service developed by BluVector running on a Windows 7 or Windows 10 machine to communicate with administrator privileges to the Active Directory Domain Controller.

    • An ‘AD Info Service’ running in a docker container to be enabled via CLI on the BluVector Cortex appliance.

6.34.2 X509 CERTIFCATES ANALYZER

  • [BCD-4668], [BCD-5051], [BCD-5324] Created a new analyzer to extract metadata from X509 certificates for all SSL connections processed by Bro. Extracted metadata will contain the following keys • subject_string

  • not_after

  • issuer_string

  • version

  • extensions (subjectKeyIdentifier, authorityKeyIdentifier, extendedKeyUsage, subjectAltName, crlDistributionPoints, keyUsage, certificatePolicies, authorityInfoAccess)

  • fingerprint

  • duration

  • serial_number

The capability can be enabled by adding @load policy/bluvector/x509/sfa_extract to /usr/share/bro/site/local.local-worker.bro. Note that the same certificate is often extracted multiple times for the same connection during the SSL/TLS negotiation, which results in a high number of events in the system. This is a known behavior.
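As an added example (not BluVector's analyzer code), the script below builds per-certificate records with the keys listed above from a Bro/Zeek x509.log and collapses the repeated extractions the note warns about, keying on file id plus fingerprint. The log excerpt is constructed; the column names follow Zeek's x509.log and the presence of a fingerprint column is an assumption (older Bro builds carry the hash in files.log instead). A short-validity check on the duration key is included as the kind of triage a practitioner would run over the output.

```python
"""Added example, not BluVector's analyzer: build per-certificate records
with the keys listed above from a Bro/Zeek x509.log and collapse the
repeated extractions the note describes."""
from datetime import datetime, timezone
from typing import Dict, List

# Constructed x509.log excerpt (not captured from a sensor). Column names
# follow Zeek's x509.log; the fingerprint column is assumed to be present.
# The first certificate is logged twice under the same file id, which is
# the duplicate-extraction behaviour described above.
SAMPLE_X509_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tid\tcertificate.version\tcertificate.serial"
    "\tcertificate.subject\tcertificate.issuer"
    "\tcertificate.not_valid_before\tcertificate.not_valid_after"
    "\tsan.dns\tfingerprint",
    "1532000000.100\tFx1abc\t3\t0A1B2C\tCN=example.test\tCN=Example CA"
    "\t1530000000.0\t1561536000.0\texample.test,www.example.test\tdeadbeef01",
    "1532000000.250\tFx1abc\t3\t0A1B2C\tCN=example.test\tCN=Example CA"
    "\t1530000000.0\t1561536000.0\texample.test,www.example.test\tdeadbeef01",
    "1532000005.000\tFx2def\t3\t7F7F7F\tCN=other.test\tCN=Example CA"
    "\t1520000000.0\t1521000000.0\t-\tcafef00d02",
])


def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's TSV format: '#fields' names the columns, every other
    '#' line is metadata and is skipped."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch on line: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def to_cert_record(row: Dict[str, str]) -> Dict[str, object]:
    """Map one x509.log row onto the analyzer's key set. Only the SAN
    extension is recoverable from the log; a full DER parse would fill the
    remaining extension names."""
    not_before = float(row["certificate.not_valid_before"])
    not_after = float(row["certificate.not_valid_after"])
    san = [] if row["san.dns"] == "-" else row["san.dns"].split(",")
    return {
        "subject_string": row["certificate.subject"],
        "issuer_string": row["certificate.issuer"],
        "version": int(row["certificate.version"]),
        "serial_number": row["certificate.serial"],
        "not_after": datetime.fromtimestamp(not_after, tz=timezone.utc).isoformat(),
        "duration": int(not_after - not_before),  # validity period in seconds
        "fingerprint": row["fingerprint"],
        "extensions": {"subjectAltName": san},
    }


def extract_certificates(text: str, dedupe: bool = True) -> List[Dict[str, object]]:
    """One record per (file id, fingerprint); with dedupe=False you get the
    raw event volume the note describes."""
    seen = set()
    records = []
    for row in parse_zeek_log(text):
        rec = to_cert_record(row)
        key = (row["id"], rec["fingerprint"])
        if dedupe and key in seen:
            continue
        seen.add(key)
        records.append(rec)
    return records


def short_lived(records: List[Dict[str, object]], days: int = 30) -> List[str]:
    """Fingerprints of certificates whose validity is shorter than `days`,
    a common triage filter on the duration key."""
    return [str(r["fingerprint"]) for r in records if int(r["duration"]) < days * 86400]


if __name__ == "__main__":
    for rec in extract_certificates(SAMPLE_X509_LOG):
        print(rec)
    print("short-lived:", short_lived(extract_certificates(SAMPLE_X509_LOG)))
```

Deduplicating on file id plus fingerprint keeps one record per certificate per connection while still surfacing the same certificate again when it appears on a different connection, which is the behaviour you usually want for hunting.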

6.34.3 IOC HUNTER

• [BCD-4670], [BCD-5500], [BCD-5596] Created a new analyzer in SFA called IOCHunter that enriches file metadata by extracting potentially interesting indicators from the file binary such as URLs, domains and email addresses. These indicators provide enhanced understanding while analyzing an event. The indicators can be used as inputs to custom rules to extract email addresses, domains and URLs from any generic file. Results from IOCHunter appear in Events Details >> Analysis tab under a new Analyzer entry section called IOCHunter.

6.34.4 BRO SEARCH QUERY USER INTERFACE

  • [BCD-4891] A new search capability allowing users to search through all Bro logs from the UI. The new search capability allows users to

  • Search To / From date and time (maximum 7-day window)

  • Enter Search Terms as string (filename or part of file name, part of URL etc.) or RegEx

  • Select from a subset of Bro logs to search (like conn.log, files.log, http.log) or include all logs

  • Recall a previous search that was executed up to 2 days before

  • View searches in progress

  • View completed searches that match search criteria

  • Export search results as a zip file for additional analysis.

6.34.5 YARA RULE & BRO SCRIPT MANAGEMENT

• [BCD-4345] A new capability to allow customers to manage (list, search, create, replace, and delete) customer defined Yara Rules and Bro Scripts through the User Interface. The ability to manage Yara Rules and Bro scripts is located at Configuration >> Analyzers >> Yara >> Rules and Configuration >> Collectors >> Bro >> Scripts.

6.34.6 BLUVECTOR PORTAL

• [BCD-4345] A new set of services and capabilities that allows BluVector Cortex Sensors and Central Manager to receive curated content (ClamAV signature updates, Suricata Rules, Yara Rules and Bro Scripts) from the BluVector Customer Support team and Threat Intelligence team.

Enhancements

6.34.7 SYSTEM HEALTH & STATUS MONITORING

  • [BCD-4621] For customers monitoring Office365 emails using BluVector IMAP Service, implemented a health monitoring rule that checks if the IMAP service is enabled and no emails have been processed by the system for two (2) hours.

  • [BCD-5228] Implemented a health rule for alerting when disk space on the root volume of the appliance is below 10GB and /var volume disk usage is greater than 95%.

  • [BCD-4714] Updated health and status UI error messages to provide context of the issue detected in the system. Each error message contains a message identifier and context on the error.

  • [BCD-5700] Implemented a rule to restart the Ingest Container when the system has detected that no events have been generated in the last two (2) hours. After the first two (2) hour window the rule restarts the Ingest Container every one (1) hour. UI alerts will be triggered every 5 minutes.
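As an added example (not BluVector's health-rule code), the watchdog below encodes the timing described above: no action while events are flowing, a first restart once the sensor has been silent for two hours, further restarts every hour after that, and an alert every five minutes for as long as the silence lasts. It assumes a periodic scheduler drives tick() and that a new event resets both cadences.

```python
"""Added example, not BluVector code: a state machine for the ingest
restart rule (silent 2 h -> restart, then every 1 h; alert every 5 min)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

NO_EVENTS_WINDOW = 2 * 3600   # seconds of silence before the first restart
RESTART_INTERVAL = 3600       # restart cadence after the first window
ALERT_INTERVAL = 5 * 60       # UI alert cadence while silent


@dataclass
class IngestWatchdog:
    last_event_ts: float
    last_restart_ts: Optional[float] = None
    last_alert_ts: Optional[float] = None

    def record_event(self, ts: float) -> None:
        """An event from the ingest pipeline clears the silent state."""
        self.last_event_ts = ts
        self.last_restart_ts = None
        self.last_alert_ts = None

    def tick(self, now: float) -> List[str]:
        """Evaluate the rule at time `now`; returns the actions to take."""
        actions: List[str] = []
        if now - self.last_event_ts < NO_EVENTS_WINDOW:
            return actions
        # Alert cadence is independent of the restart cadence.
        if self.last_alert_ts is None or now - self.last_alert_ts >= ALERT_INTERVAL:
            actions.append("alert")
            self.last_alert_ts = now
        # First restart at the end of the 2 h window, then hourly.
        if self.last_restart_ts is None or now - self.last_restart_ts >= RESTART_INTERVAL:
            actions.append("restart_ingest")
            self.last_restart_ts = now
        return actions


def simulate_silent_sensor(hours: int = 4, step: int = 60) -> Dict[str, int]:
    """Drive the watchdog every `step` seconds over a sensor that produced
    its last event at t=0 and count what the rule would do."""
    w = IngestWatchdog(last_event_ts=0.0)
    counts = {"alerts": 0, "restarts": 0}
    for now in range(step, hours * 3600 + 1, step):
        for action in w.tick(float(now)):
            counts["alerts" if action == "alert" else "restarts"] += 1
    return counts


if __name__ == "__main__":
    print(simulate_silent_sensor())
```

Running the simulation over a four-hour silence gives three restarts (at 2 h, 3 h and 4 h) and 25 alerts, which is a quick way to sanity-check how noisy the rule will be before enabling it on a quiet tap.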

6.34.8 USABILITY & USER EXPERIENCE

  • [BCD-5473] Disabled TLS 1.0 and TLS 1.1, as TLS 1.0 has been deprecated since June 2018 and TLS 1.1 is being disabled by numerous websites.

  • [BCD-4240], [BCD-3831] Updated the event metadata view in the UI to show a log of status changes. For each event, the log of status changes will show when (time) the event status was changed, what was the status changed to and who (user) performed the status change.

  • [BCD-4443] Updated UI with new icons for all parts of the system.

  • [BCD-4526] Implemented the ability to configure Suricata HomeNet and ExternalNet from the User Interface.

  • [BCD-4618] Implemented the ability to show progress updates when a bulk status change action is performed by the user in the system.

  • [BCD-5257] Added the ability to enable and configure LastLine as a Post Analyzer through the UI (Configuration >> Post Analyzers >> LastLine).

  • [BCD-5258] Introduced the default alias for frequently used commands in the command line interface

  • bvshell – default alias in the command line for switching to the Sensor Container,

  • bvcopyto – default alias for copying files to the container,

  • bvcopyfrom – default alias for copying files from the container.

  • [BCD-5262] Implemented the use of ‘lists’ within the Event Workflow Rule query. This allows the user to use the ‘IN’ operand in the Query field during rule setup.

  • [BCD-5435] Updated references to MetaDefender from MetaScan.

  • [BCD-5542], [BCD-5543] Added the ability to enable and configure BluVector Portal through the UI.

  • [BCD-5681], [BCD-5711] Added the ability to cluster Suricata events on ThreatVector page based on common SID (signature identifier provided by Proofpoint ETPro). The cluster will

  • Support events of different status in the same cluster, mixed status

  • Support clusters on the order of 100K

  • Show an updated display status of “mixed” for clusters containing events with different status.

  • [BCD-5735] Updated success text on staging the Keymap (Configuration >> Outputs >> Key Mappings) to provide feedback to the user to say ‘saved’ rather than ‘staged’.

  • [BCD-5371] Implemented the ability to attach Workflow Rule details to the Event metadata when a rule matches against an event during system processing.

  • [BCD-5372] Implemented the ability to auto-adjudicate file or event based on rules.

  • [BCD-5665] Implemented the ability to attach Workflow Rule details to the File metadata when applying workflow rules to Files.

  • [BCD-5677] Implemented a new function, inIPSubnet(), as part of the ThreatVector DSL for checking whether an IP is in a subnet. The function takes a metadata field and a list of CIDR blocks; for metafields that resolve to IP addresses it evaluates to 1 if the address is in any of the CIDR blocks in the list, and for metafields that do not resolve to an IP address it evaluates to 0. Invalid CIDR blocks fail validation when the rule is saved.
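As an added example (not BluVector's DSL implementation), the code below is a reference implementation of the inIPSubnet() semantics just described, together with the list membership the ‘IN’ operand from BCD-5262 provides, applied to a constructed event. It goes slightly beyond the note in that IPv6 addresses and networks are handled the same way; the event field names and the sample rule are assumptions for illustration.

```python
"""Added example, not BluVector code: reference semantics for inIPSubnet()
(1 if the field is an IP inside any listed CIDR, 0 if it is not an IP or
not inside; malformed CIDRs fail validation) and an 'IN' list check."""
import ipaddress
from typing import Any, Iterable, List, Mapping, Sequence


def validate_cidrs(cidrs: Iterable[str]) -> list:
    """Reject the rule at validation time if any block is malformed.
    strict=True also rejects host bits set in the prefix (10.1.2.3/8)."""
    nets = []
    for cidr in cidrs:
        try:
            nets.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid CIDR block {cidr!r}: {exc}") from exc
    return nets


def in_ip_subnet(value: Any, cidrs: Sequence[str]) -> int:
    """inIPSubnet(field, [cidr, ...]) as described in the note."""
    nets = validate_cidrs(cidrs)  # validation happens regardless of the field
    try:
        addr = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return 0  # field does not resolve to an IP address
    return int(any(addr in net for net in nets))


def field_in(value: Any, allowed: Iterable[Any]) -> int:
    """The 'IN' operand: 1 if the field value is in the list, else 0."""
    return int(value in list(allowed))


# Constructed event (assumed field names, not the product's schema).
EVENT = {
    "src_ip": "10.20.30.40",
    "dest_ip": "203.0.113.7",
    "http_host": "updates.example.test",
    "suricata_sid": 2024001,
}

INTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "2001:db8::/32"]
WATCHED_SIDS = [2024001, 2024002]


def rule_matches(event: Mapping[str, Any]) -> bool:
    """Sample rule: internal source, external destination, watched SID."""
    return bool(
        in_ip_subnet(event["src_ip"], INTERNAL)
        and not in_ip_subnet(event["dest_ip"], INTERNAL)
        and field_in(event["suricata_sid"], WATCHED_SIDS)
    )


if __name__ == "__main__":
    print("rule matches:", rule_matches(EVENT))
```

Because validation runs before the field is inspected, a typo in a CIDR list is caught when the rule is created rather than silently evaluating to 0 on every event, which is the failure mode the note's "invalid CIDR blocks fail validation" clause is guarding against.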

6.34.9 SUPERVISED MACHINE LEARNING ENGINE

  • [BCD-5518] Updated Visual Basic Script (VBS) classifier with new feature vector generator including the ability to retrain VBS classifier.

  • [BCD-5520] Updated Power Shell (PS1) classifier with new feature vector generator including the ability to retrain the PS1 classifier.

  • [BCD-4525] Implemented the ability in In-Situ Manager to preserve eligible files that were adjudicated before the base bundle changed.

  • [BCD-5005] Updated extended metadata displayed in the UI for RTF files to include User properties.

  • [BCD-5008], [BCD-5462] Updated extended metadata displayed in the UI for PDF documents to include

  • URLs section showing list of URLs and domains extracted from the document metadata.

  • KeyWords section containing

  • Counts of Pages, Object Streams, Launch Actions

  • Indication of presence of JavaScripts

  • Indication of automatic action to be performed when page /document is viewed

  • Indication if the PDF document uses JBIG2 compression

  • Indication for embedded Flash.

  • [BCD-5362] Updated extended metadata displayed in the UI for OOXML documents to show Detected Languages.

  • [BCD-5364] Updated extended metadata displayed in the UI for PDF files to include URLs from the PDF file.

  • [BCD-5365] Updated extended metadata displayed in the UI for JAR & APK files to include Certificate data from the files.

6.34.10 INTEGRATIONS

  • [BCD-4006] Included docker images (bvapollo & bvintegrations) in base install and started the Integrations Container by default for use by customers.

  • [BCD-4757], [BCD-4856], [BCD-5235], [BCD-5758], [BCD-5723] Updated UI to configure settings (1) common to all integrations, (2) Output mechanism – Email, STOMP and (3) Carbon Black integration.

6.34.11 PERFORMANCE FIXES & SCALABILITY ENHANCEMENTS

  • [BCD-2786] Enabled automatic clean-up of Bro crash directories (/var/spool/bro/tmp) by turning on crashexpireinterval key in Broctl configuration (/etc/bro/broctl.cfg).

  • [BCD-3830], [BCD-4449] Removed 1.6GB max bundle size restriction on Support bundles.

  • [BCD-4524] Improved processing of SuperClam signatures to include signature files capable of detecting malware older than 3 years.

6.34.12 GENERAL

  • [BCD-4655] Removed the Log Forwarding page from System Configuration (Configuration >> Output).

  • [BCD-5413] Implemented ACE file extraction capability to handle ACE archive files.

Bug Fixes

  • [BCD-5385] Fixed a race condition with the SupervisorD metrics collector that is used by the Health and Status monitoring service. The race condition prevented all of the metrics for SupervisorD from being written into the metrics database tracking the overall health and status of the system.

  • [BCD-4976] Updated hostname key value in Default Keymap (Configuration >> Outputs >> Key Mappings >> default) to use fully qualified domain name of the device.

  • [BCD-1461] Fixed alignment issues with counts in the Threat Vectors page and PinPoint summary table.

  • [BCD-5254], [BCD-4495] Updated BluVector Configuration object (bv-cfg) to load common config by default to keep the GUI and bv-cfg in sync for configuration changes and updates.

  • [BCD-5525] Disabled the ‘Processing’ button in the Support page (Configuration >> Support) while a support bundle is being generated, to prevent an internal server error.

  • [BCD-5529] Fixed an issue with red error banners stacking up in Event Datagrid page.

  • [BCD-4395] Fixed unicode characters display issue on datafields of Email headers.

  • [BCD-5530] Fixed an issue where setting Event Status to Review failed with an error and showed the incorrect status to the user when expanding the event.

  • [BCD-5788] Fixed an issue where adjudicating File Status to malicious did not update the corresponding Event’s status.

  • [BCD-5541] Fixed an issue to provide notification via UI when Staged configuration changes are deployed and fail due to a missing service.

  • [BCD-5641] Fixed an issue causing a health alert to appear in the UI when the ClamAV service is disabled by the administrator.

  • [BCD-5726] Fixed issues with Suricata Targeted Logger to (1) display timestamps in epoch time, rather than the delta between the log entry and the event and (2) retrieve relevant logs for the source and destination of the event.

  • [BCD-4832] Fixed an issue with the BluVector IMAP Service for Office365 accounts so that all attachments in a multi-attachment email are extracted rather than only the first attachment.

  • [BCD-5642] Fixed an issue with SCE fileless correlator to store source and destination IPs as base64 binary values rather than strings.

  • [BCD-5666] Fixed an issue with event query generation in Reports Dashboard (Dashboard >> Reports) to enable filtering on Event Status.

  • [BCD-5687] Fixed an issue with Rules Statistics button (Configuration >> Event Workflow >> Rule Statistics in a Rule) to display count of matching events from the past 5 days.

  • [BCD-5421] Fixed an auto-wrapping issue in Configuration >> Analyzers >> ClamAV when viewing staged configuration in Firefox 61.0.1.

