Version 2017.11.0

This is an unofficial release. More extensive release notes will come with the next full release, probably in early 2018.

Version 2017.9.2

v2017.9.2 Bugfix Release

• Fixed __JSONIFY__ support in nebula (unicode bug)

v2017.9.1 Bugfix Release

• Fixed a potential unicode bug in Nova
• Small fix for cve_scan_v2 in Nova

v2017.9.0 Feature Release

Major Features/Improvements

• top.nebula support
• top.pulsar support for windows only (it doesn't work as a beacon. Consider migrating to hubble for increased flexibility and features)
• Many new nova misc.py checks used in hubblestack_data
• New nova modules mount.py and systemctl.py
• Fix an issue in nova's hubble.top that was causing it to sync the nova files twice each run. This will markedly improve the performance of hubble.top.

General

• Improved error handling in nova's misc.py
• Fixed a few errors caused by using old-style splunk returner config
• Increased error visibility in splunk returners
• Improved logging around nova's topfile errors
• Improved handling around JSONIFY support in nebula

Version 2017.9.1

v2017.9.1 Bugfix Release

• Fixed a potential unicode bug in Nova
• Small fix for cve_scan_v2 in Nova

v2017.9.0 Feature Release

Major Features/Improvements

• top.nebula support
• top.pulsar support for windows only (it doesn't work as a beacon. Consider migrating to hubble for increased flexibility and features)
• Many new nova misc.py checks used in hubblestack_data
• New nova modules mount.py and systemctl.py
• Fix an issue in nova's hubble.top that was causing it to sync the nova files twice each run. This will markedly improve the performance of hubble.top.

General

• Improved error handling in nova's misc.py
• Fixed a few errors caused by using old-style splunk returner config
• Increased error visibility in splunk returners
• Improved logging around nova's topfile errors
• Improved handling around JSONIFY support in nebula

Version 2017.9.0

Major Features/Improvements

• top.nebula support
• top.pulsar support for windows only (it doesn't work as a beacon. Consider migrating to hubble for increased flexibility and features)
• Many new nova misc.py checks used in hubblestack_data
• New nova modules mount.py and systemctl.py
• Fix an issue in nova's hubble.top that was causing it to sync the nova files twice each run. This will markedly improve the performance of hubble.top.

General

• Improved error handling in nova's misc.py
• Fixed a few errors caused by using old-style splunk returner config
• Increased error visibility in splunk returners
• Improved logging around nova's topfile errors
• Improved handling around JSONIFY support in nebula

Version 2017.8.3

• Fixed an issue with the splunk returners for users of the old-style splunk returner config
• Removed hubblestack_data data from hubble-salt, added note to README

Version 2017.8.2

v2017.8.1

tl;dr (big changes)

• Fixes for Salt v2017.7.0
• Huge improvement to Windows pulsar performance for some users
• nebula.fields function for reporting custom data to splunk on a specific schedule
• Support for /etc/hubble/hubble.d/*.conf for user config
• pulsar.canary function for daily FIM event generation
• Logstash returners!
• New and improved vulners CVE scanner to use their more performant API

Cross-Platform

• Fixes for Salt v2017.7.0
• Added osqueryversion and osquerybinpath grains for reporting osquery information
• Added code to nebula to prefer our bundled version of osqueryi
• Added option to extract fields at index time for splunk returners
• Added nebula.fields function for reporting custom data to splunk on a specific schedule
• Added support for **kwargs passthrough to nova modules
• Added support for /etc/hubble/hubble.d/*.conf for user config
• Added pulsar.canary function for daily FIM event generation
• Added azure details fetching to splunk returners (similar to aws details)
• Added support for __JSONIFY__ prefacing for osquery results which are JSON instead of python data structures. This allows us to further process the data into python data structures which can then be parsed into columns by splunk.
• Added logstash returners
• Added new vulners CVE scanner
• Added some misc.py functions in nova to support CoreOS and Amazon Linux CIS checks
• Changed the splunk port to be configurable in the splunk returners
• New Dockerfiles for building pyinstaller packages
• Added azurefs support

Windows

• Improved performance of win_pulsar. Some users will see a substantial reduction in CPU usage during pulsar.process on windows.
• Many logic improvements and fixes to audit modules in Nova for Windows
• Fixed upgrading via installer

v2017.8.2

• Fixed a bug introduced in the splunk returners (hubblestack/hubble#142)
• Add multiline matching to nova grep module's match_output by default (hubblestack/hubble#148)

Version 2017.8.1

tl;dr (big changes)

• Fixes for Salt v2017.7.0
• AzureFS support for pulling profile data from azure blob storage
• Huge improvement to Windows pulsar performance for some users
• nebula.fields function for reporting custom data to splunk on a specific schedule
• Support for /etc/hubble/hubble.d/*.conf for user config
• pulsar.canary function for daily FIM event generation
• Logstash returners!
• New and improved vulners CVE scanner to use their more performant API

Cross-Platform

• Fixes for Salt v2017.7.0
• Added osqueryversion and osquerybinpath grains for reporting osquery information
• Added code to nebula to prefer our bundled version of osqueryi
• Added option to extract fields at index time for splunk returners
• Added nebula.fields function for reporting custom data to splunk on a specific schedule
• Added support for **kwargs passthrough to nova modules
• Added support for /etc/hubble/hubble.d/*.conf for user config
• Added pulsar.canary function for daily FIM event generation
• Added azure details fetching to splunk returners (similar to aws details)
• Added support for __JSONIFY__ prefacing for osquery results which are JSON instead of python data structures. This allows us to further process the data into python data structures which can then be parsed into columns by splunk.
• Added logstash returners
• Added new vulners CVE scanner
• Added some misc.py functions in nova to support CoreOS and Amazon Linux CIS checks
• Changed the splunk port to be configurable in the splunk returners
• New Dockerfiles for building pyinstaller packages
• Added azurefs support

Windows

• Improved performance of win_pulsar. Some users will see a substantial reduction in CPU usage during pulsar.process on windows.
• Many logic improvements and fixes to audit modules in Nova for Windows
• Fixed upgrading via installer

Version 2017.4.1

Pulsar

• Fix __virtual__ function for pulsar so that it actually loads. (sorry!)
• Add win_pulsar as a module in addition to the beacon, to prevent minion responsiveness issues for long running pulsar queries

Quasar

splunk_nebula_return

• Extract time from queries which contain it

Nebula

• Add a couple of new queries from hubblestack_data

Version 2017.3.2

Pulsar

• Always load linux version of pulsar, and then fail silently if python-inotify is not installed (keeps logging cleaner)
• Fix win_pulsar (it actually works now!)
• Add regex excludes to win_pulsar
• Update exceptions in default linux watch list
• Fix the sample pillar data for windows

Quasar

• Multi-endpoint support in splunk returners (try each in turn, mark those which are unreachable as such, use only good endpoints)
• Fix more errors that could happen on non-aws hosts attempting to fetch aws details

Misc

Documentation fixes

Version 2017.3.1

Nova

• Fix cve_scan_v2 for Debian systems which have an integer for os_version
• Misc profile fixes
• Move output formatting from nova modules to the central hubble.py
• Deprecate show_profile (always True now)
• Remove cve scan from default top.nova
• Add provisional Ubuntu 16.04 CIS profile

Nebula

• Add uptime fallback query
• Misc query fixes

Quasar

Splunk Returners

• Consolidate pillar data (optional) and allow for multiple splunk endpoints
• Fix for blank hosts when fqdn doesn't return anything
• Turn off http event collector debug mode
• Handle empty returns from pulsar (more applicable on saltless hubble)
• Add aws_account_id to all events (if available)