Changelog for version 4.1.0#

Released January 6 2021#

Web UI Changes#

  • Allow multiple variables and default values in templates

  • Actionables now support templates with multiple variables

  • Add Web UI based data ingester

  • The Web UI has been upgraded to use Angular 8

Backend Changes#

  • Added indexer/webserver API version negotiation - SEE NOTE BELOW - THIS HAS POTENTIAL DEPLOYMENT CONSIDERATIONS

  • Implemented Compound Queries, enabling sequential, in-order, queries that share data

  • Added enrich module

  • Updated dump module to support a temporal mode

  • Queries now skip bad/corrupted blocks in shards, continue searching, issue a warning instead of just aborting the query

  • Added the repack command to the CLI

  • Changed the CEF module to not require non-header values to be prefixed with Ext.

  • Enhanced query recovery when a back storage block is encountered, queries will no longer fail.

  • Updated SAML system to address protential security issue related to Golang XML parsing.

  • Added Archive download time for saving query results in importable form.

  • Enhanced reliability to search modules when encountering an unknown fault, query modules will not halt the search and inform the user.

  • Fixed issue in anko scripts where toDuration was not handling some types correctly.

  • Added categorize flag to the ip module.

Ingesters & Ingest Library Changes#

  • Implemented a Cisco ISE log preprocessor


  • Windows installers are now fully signed


  • Beginning in version 4.1.0, the Gravwell indexer and webserver now negotiate and enforce API versioning. This means that a 4.1.0 webserver cannot connect to an older indexer and vice versa. Consider all indexer and webserver versions before upgrading.