Release Notes

New features

driver load events Read more
initial catalog of detection rules based on the MITRE ATT&CK framework Read more
macro expansion in rules Read more
beautiful HTML rule alert emails Read more
allow enabling/disabling Audit API Calls and Antimalware Engine ETW providers
enrich handle events with driver image path for Driver object types
add ps.sibling.args filter field
field interpolation in alert title and text strings and the ability to use Markdown/HTML syntax Read more
~= operator for case-insensitive string comparisons in filters
is_minidump filter function for checking the signature of minidump files Read more

Go 1.19 upgrade and migration of deprecated functions
bumped libyara to version 4.2
bumped Golang CI Lint toolchain
add content-type config flag for email alert sender
add labels and description attributes in rule groups
loading rule files from paths with glob expressions
optimize filter field accessors to prevent unnecessary traversing
lazy evaluation of binary expressions for and and or operators
decommission type/category selector in include/exclude rule policies
prevent executing rules in sequence policies if the incoming event is not eligible for evaluation
avoid adding duplicate tuples in sequence policies internal state
improve registry key formatting from native key names
limit the number of handles per proc and per global handle snapshotter state
speed up UTF-16 string decoding. Kudos to @skeeto

rule policies with the selector attribute will fail to load. As a workaround, remove the selector attribute and include it as a first condition in the rule.