ITRS Log Analytics 7.x Release Notes
Overview
Log Analytics release notes contain the list of all new or enhanced features and a list of all issues fixed in the current release.
To view the Log Analytics 6.x.x release notes, see ITRS Log Analytics 6.x Release Notes.
For more information, see Log Analytics documentation .
New features
These are the new features of this release:
| Module or component | Release description |
|---|---|
| Alert | New Alert method for the OP5 Monitor added to GUI. |
| Alert | New Alert method for Slack added to GUI. |
| Alert | The ability to rename an already created rule was added. |
| Alert | Groups for different alert types. |
| Alert | Possibility to modify all alarms in a selected group. |
| Alert | Calendar for managing notifications. |
| Alert | Escalate the alarm after a specified time. |
| Alert | The Hive integration. |
| Beats | Beats added to the installation package. |
| Central Agents Management (masteragent) | Stop, start, and restart for each registered agent. |
| Central Agents Management (masteragent) | Status of detected beats and master agent in each registered agent. |
| Central Agents Management (masteragent) | Tab with the list of agents can be grouped. |
| Central Agents Management (masteragent) | Auto rolling documents from .agents index based on a Settings in the Config tab. |
| Dashboards | Possibility to play a sound in the dashboard. |
| QualysGuard | Integration with the dedicated dashboard. |
| Tenable.SC | Integration with the dedicated dashboard. |
| Wazuh | Added the installation package. |
| Other | New plugin: Archive specified indices. |
| Other | Applications access management based on roles. |
Improvements
These are the improvements of this release:
| Module or component | Release description |
|---|---|
| Alert | Added sorting of labels in comboxes. |
| Alert Chain/Logical | Introduced a few improvements. |
| AD integration | Domain selector on the login page. |
| Audit | Cache for audit settings (performance). |
| Diagnostic-tool.sh | Added cerebro to audit files. |
| Incidents | New field was added: ToSkipForVerify. This is an option for skipping false-positives. |
| Installation script | The setup script validates the license. |
| Installation script | Support for 8. |
| Object permission | When adding an object to a role in Object permission it is now possible to add related objects at the same time. |
| Skimmer | New metric added: increase of documents in a specific index. |
| Skimmer | New metric added: size of a specific index. |
| Skimmer | New metric added: expected data nodes. |
| Skimmer | New metric added: Kafka offset in Kafka cluster. |
| User roles | Alphabetical, searchable list of roles. |
| User roles | List of users assigned to a given role. |
Issues fixed
These are the issues we have fixed in this release:
| Module or component | Release description |
|---|---|
| Alert | Aggregation schedule time. |
| Alert | Loading new_term fields. |
| Alert | RecursionError: maximum recursion depth exceeded in comparison. |
| Alert | Match_body.kibana_discover_url malfunction in aggregation. |
| Alert | Dashboard Recovery from the Alert Status tab. |
| Dashboards | Logserver_table removed in 7.x.x. It has been replaced with basic table. |
| Elasticsearch-auth | Forbidden — not authorized when querying an alias with a wild card. |
| Logstash | Mikrotik pipeline — failed to start pipeline. |
| Reports | Black bars after JPEG dashboard export. |
| Reports | Problems with Scheduled reports. |
| Other | Role caching fix for working in multiple node setup. |
New features
These are the new features of this release:
| Module or component | Release description |
|---|---|
| Alert | New alert type: Chain. It creates alerts from underlying rules triggered in a defined order. |
| Alert | New alert type: Logical. It creates alerts from underlying rules triggered with defined logic (OR,AND,NOR). |
| Alert | Correlate alerts for Chain and Logical types. An alert is triggered only if each rule returns thesame value (for example, IP, username, process). |
| Alert | Each triggered alert is indexed with unique alert_id — the field added to the default field schema. |
| Alert | Processing Time visualization on Alert dashboard — it is now easier to identify badly designed alerts. |
| Alert | Support for automatic search link generation. |
| Auditing | Added an IP address field for each action. |
| Auditing | Added the possibility to exclude values from auditing. |
| Input | Added MikroTik parsing rules. |
| MasterAgent | Added the possibility for beat agent restart and the master agent itself (GUI). |
| Skimmer | Indexing rate visualization. |
| Skimmer | New metric: offset in Kafka topics. |
| Skimmer | New metric: expected-datanodes. |
Improvements
These are the improvements of this release:
| Module or component | Release description |
|---|---|
| Alert | Improved performance with multi thread support (now default). |
| Alert | Validation of email addresses in the Alerts plugin. |
| Alert | Difference rule description include examples for alert recovery function. |
| Blacklist | Name field and Field names in the Fields column & Default field exclusions |
| Blacklist | runOnce is now only terminated on a fatal Alert failure. |
| Blacklist | IOC excludes threats marked as false-positive. |
| Incidents | New design for Preview. |
| Incidents | A new feature was added: Note. It provides the ability to add notes to incidents. |
| Logstash | MasterAgent pipeline shipped by default |
| Logtrail | Improved the beauty and readability of the plugin |
| MasterAgent | Possibility to exclude older SSL protocols. |
| MasterAgent | Now supports Centos 8 and related distros. |
| Risks | Possibility to add new custom value for risk without the need to index that value. |
| Security | jquery updated to 3.5.1. |
| Security | Bootstrap updated to 4.5.0. |
| Skimmer | Service status check was rewritten to dbus API. |
| XLSX import | Updated to 7.6.1. |
| Other | The Help button in Kibana now leads to the official product documentation. |
| Other | Centralization of previous alert code changes to a single module. |
| Other | Adding sample data and web sample dashboard from the home page was fixed. Changes were made in the default-base-template. |
| Other | Copy/Sync now supports insecure mode (operations without certificates). |
| Other | Search and sort support was added for the User List in the Config section. |
Issues fixed
These are the issues we have fixed in this release:
| Module or component | Release description |
|---|---|
| Alert | .alertrules is not a required index for proper system operation. |
| Alert | /opt/alerts/testrules is not a required directory for proper system operation. |
| Alert | .riskcategories is not a required index for proper system operation |
| Alert | Overwriting an alert when trying to create a new alert with the same name. |
| Alert | Wrong Alert status in the alert status tab. |
| Blacklist | Removal of the doc type in blacklist template. |
| Blacklist | Problem with generate_kibana_discover_url: true directive. |
| Reports | Export to CSV supports the STOP action. |
| Reports | Scroll errors CSV csv exports. |
| Reports | When exporting dashboards, PDF generates only one page or cuts the page. |
| Skimmer | Forcemerge caused under 0 values for cluster_stats_indices_docs_per_sec metric. |
| Other | Individual special characters caused problems in user passwords. |
| Other | Bad permissions for scheduler of Copy/Sync module has been corrected |
| Other | diagnostic-tool.sh: wrong name for the archive in output.. |
| Other | Malfunction in Session Timeout. |
| Other | Missing directives service_principal_name in bundled properties.yml. |
| Other | Wrong product logo when viewing dashboards in full screen mode. |
New features
These are the new features of this release:
-
Creating manual incidents from the Discovery section.
-
New Kibana plugin — Sync/Copy between clusters.
-
Analyzing historical data with a defined alert.
-
Indicators of compromise (IoC) — providing blacklists based on Malware Information Sharing Platform (MISP).
-
Automatic update of MaxMind GeoIP Databases [asn, city, country].
-
Extended LDAP support.
-
Cross cluster search.
-
Diagnostic script to collect information about the environment, log files, configuration files —
utils/diagnostic-tool.sh. -
New beat: op5beat — dedicated data shipper from OP5 Monitor.
Improvements
These are the improvements of this release:
-
Added
_licenseAPI for Elasticsearch (it replaces thelicensepath which is now deprecated and will stop working in future releases) -
_licenseAPI now showsexpiration_dateanddays_left. -
Visual indicator on the Config tab for expiring license (for 30 days and less).
-
Creating a new user now requires re-entering the password.
-
Complexity check for password fields.
-
Incidents can be supplemented with notes.
-
Alert Spike: more detailed description of usage.
-
ElasticDump added to base installation —
/usr/share/kibana/elasticdump. -
Alert plugin updated — frontend.
-
Reimplemented session timeout for user activity.
-
Skimmer: new metrics and dashboard for Cluster Monitoring.
-
Wazuh config/keys added to the
small_backup.shscript. -
Logrotate definitions for Logtrail logfiles.
-
Incidents can be sorted by Risk value.
-
UTF-8 support for credentials.
-
Wazuh: wrong
document_typeandtimestampfields.
Issues fixed
These are the issues we have fixed in this release:
-
Audit: Missing Audit entry for successful SSO login
-
Report: "stderr maxBuffer length exceeded" — export to CSV.
-
Report: "Too many scroll contexts" — export to CSV.
-
Intelligence: incorrect work in updated environments.
-
Agents: fixed wrong document type
-
Kibana: "Add Data to Kibana" from Home Page.
-
Incidents: the preview button uses the wrong index-pattern.
-
Audit: Missing information about login errors of ad/ldap users.
-
Netflow: fix for netflow v9.
-
MasterAgent: none/certificade verification mode should work as intended.
-
Incorrect CSS injections for dark theme.
-
The role could not be removed in specific scenarios.
New features
These are the new features of this release:
-
Major update is now based on Elasticsearch 7.3.2, Kibana 7.3.2 and Logstash 6.8.6.
-
Migration of all existing features from version 6.1.8 and below.
-
New plugin for working with XLSX import.
-
Embedded curator for index management.
-
New design for system and underlying plugins.
Disclaimer: The information contained in this document is for general information and guidance on our products, services, and other matters. It is only for information purposes and is not intended as advice which should be relied upon. We try to ensure that the content of this document is accurate and up-to-date, but this cannot be guaranteed. Changes may be made to our products, services, and other matters which are not noted or recorded herein. All liability for loss and damage arising from reliance on this document is excluded (except where death or personal injury arises from our negligence or loss or damage arises from any fraud on our part).
Other releases
| ITRS Log Analytics 7.x Release Notes |
Released: 23 September 2020 Last updated: 19 March 2020 |
| ITRS Log Analytics 6.x Release Notes |
Released: 17 September 2018 Last updated: 3 February 2020 |
| ITRS Log Analytics 2.x Release Notes |
Released: 18 June 2018 Last updated: 27 August 2018 |