Changelog for version 5.4.4#

Released 26 January 2024#



  • Added the ability to retain searches that dispatched an Alert as Persistent Searches for a specified period.

  • Added Alerts to kit building.

  • Added the ability to disable Flow nodes.

  • Added improved ingest rate stats in Systems & Health.

  • Added a file extension .kit for Kits.

  • Added Title, Fallback, and Color fields to the Mattermost Message node in Flows.

  • Added webserver cache for expensive API requests.

  • Added Ingest-Secret-File configuration variable for all ingesters to support loading secrets from files.

  • Added authentication token tag routing to HEC-Compatible-Listener on the HTTP ingester.

Bug Fixes#

  • Fixed an issue that caused the rocket to spin during login until the page was refreshed.

  • Fixed an issue that caused slow typing in Query Studio when using Safari.

  • Fixed an issue that caused the table to hang when rendering large entries in Query Studio.

  • Fixed an issue with temporal mode on first when using a cluster deployment.

  • Fixed an issue with displaying schema validation error to an admin for an Alert owned by another user.

  • Fixed an issue with Scripts prompting for unsaved changes after debugging.

  • Fixed an issue with Extractors prompting for unsaved changes when no change was made.

  • Fixed an issue with downloading an extractor backup during kit install when a conflict exists.

  • Fixed an issue with navigating to a partially installed kit.

  • Fixed an issue with downloading an upgrade from Kit Archives.

  • Fixed an issue with vertical autoscaling using stackgraph.

  • Fixed an issue where upload errors were not displayed on the License page.

  • Fixed an issue where the wrong cracked entry was shown for the Tree View in the Query Studio details pane when zoomed.

  • Fixed an issue where the no capabilities error was not displayed for Tokens.

  • Fixed an issue where live updates sometimes would not update a Dashboard until after a page refresh.

  • Fixed an issue where the same shard could not be quarantined twice.

  • Fixed an issue where non-admin users were not able to snooze notifications.

  • Fixed a regression in the eval module which degraded performance on cluster deployments.

  • Improved snoozed notifications behavior.

  • Improved login error message for locked accounts.

  • Improved error logging for Flow node timeouts.

  • Improved Query Studio performance.

  • Improved Indexer page performance for cold shard tracking.

  • Removed unnecessary strict flag from maclookup.



  • Added the ability to specify URL parameters that are attached to environment variables on routes with HTTP ingester.

  • Added the ability to attach environment variables on ingesters.

  • Added File-Filters globbing to S3/SQS listener.

  • Added better debug post logging for the HTTP ingester when tag override is set in the URL.

Bug Fixes#

  • Enforced TLS 1.2 as minimum required version on HTTP ingester and Simple Relay.

  • Fixed an unsafe usage of scanner Bytes() method with a limited impact on the HTTP ingester.

  • Fixed an issue with S3/SQS ingester to delete messages in the same batch as received.

  • Fixed an issue where File Follower ingester could not catch up on start up scan with a high write rate.

  • Improved Federator performance when connected to many ingesters.


Bug Fixes#

  • Updated Corelight Kit to fix inconsistencies with auth_success booleans.