Changelog for version 4.1.0

Released January 6 2021

Web UI Changes

• Allow multiple variables and default values in templates

• Actionables now support templates with multiple variables

• Add Web UI based data ingester

• The Web UI has been upgraded to use Angular 8

Backend Changes

• Added indexer/webserver API version negotiation - SEE NOTE BELOW - THIS HAS POTENTIAL DEPLOYMENT CONSIDERATIONS

• Implemented Compound Queries, enabling sequential, in-order, queries that share data

• Added enrich module

• Updated dump module to support a temporal mode

• Queries now skip bad/corrupted blocks in shards, continue searching, issue a warning instead of just aborting the query

• Added the repack command to the CLI

• Changed the CEF module to not require non-header values to be prefixed with Ext.

• Enhanced query recovery when a back storage block is encountered, queries will no longer fail.

• Updated SAML system to address protential security issue related to Golang XML parsing.

• Added Archive download time for saving query results in importable form.

• Enhanced reliability to search modules when encountering an unknown fault, query modules will not halt the search and inform the user.

• Fixed issue in anko scripts where toDuration was not handling some types correctly.

• Added categorize flag to the ip module.

Ingesters & Ingest Library Changes

• Implemented a Cisco ISE log preprocessor

General/Miscellaneous

• Windows installers are now fully signed

Notes

• Beginning in version 4.1.0, the Gravwell indexer and webserver now negotiate and enforce API versioning. This means that a 4.1.0 webserver cannot connect to an older indexer and vice versa. Consider all indexer and webserver versions before upgrading.