Releases: wagga40/Zircolite

2.30.1

13 Oct 11:53
What's Changed

  • Add field transforms: transforms in Zircolite are custom functions that manipulate the value of a specific field during the event flattening process. For example, you can decode base64-encoded values, extract credentials from logs, etc. A quick demo is available below.
  • Zircolite is now up to 10% faster
  • Dockerfile has been updated to automatically update rulesets
  • Docs have been updated

Warning

  • Event forwarding to ELK, Splunk, etc. is deprecated
  • Supported Python version is now 3.10

Field transforms demo

Zircolite-field-transforms.mp4

2.30.0

13 Oct 10:28
874dd08
What's Changed

  • Add field transforms: transforms in Zircolite are custom functions that manipulate the value of a specific field during the event flattening process. For example, you can decode base64-encoded values, extract credentials from logs, etc. A quick demo is available below.
  • Zircolite is now up to 10% faster
  • Dockerfile has been updated to automatically update rulesets
  • Docs have been updated

Warning

  • Event forwarding to ELK, Splunk, etc. is deprecated
  • Supported Python version is now 3.10

Field transforms demo

Zircolite-Field-transforms.mp4

Full Changelog: 2.20.0...2.30.0

v2.20.0

29 Mar 18:02
ebeca51
What's Changed

  • Add direct support for native Sigma rules with pySigma 🥳: python3 zircolite.py -e samples.evtx -r schtasks.yml
  • Add conditional imports so that unused functionalities do not raise errors: requirements.txt / requirements.full.txt by @wagga40 in #75
  • Add option groups to improve help readability by @wagga40 in #75
  • Correct typo in docs by @wagga40 in #75
  • Add a simple mechanism to control external binaries by @wagga40 in #75
  • Update docs and rules by @wagga40 in #75
  • Update docs for pysigma and installation by @wagga40 in #72
  • [Snyk] Security upgrade aiohttp from 3.8.6 to 3.9.2 by @wagga40 in #73
  • [Snyk] Security upgrade orjson from 3.9.7 to 3.9.15 by @wagga40 in #74

Full Changelog: 2.10.0...2.20.0

2.10.0

02 Dec 16:35
35812fe
What's Changed

  • Add CSV and JSON Array logs support by @wagga40 in #70
  • Docs have been reworked and are available on a dedicated website
  • Some code refactoring

Full Changelog: 2.9.10...2.10.0

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.9.10

15 Jul 20:07
177082e
What's Changed

  • Add field alias and field splitting (Hash/hashes in Sysmon) by @wagga40 in #58
  • Add the ability to specify the index when forwarding to Splunk (#61) by @wagga40 in #62
  • Update Mitre Att&ck (c) reference table by @wagga40 in #63
  • Add options: CSV delimiter, stop recursion, file pattern by @wagga40 in #65

Full Changelog: 2.9.9...2.9.10

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.9.9

16 Apr 12:10
What's new in v2.9.9:

  • Add a timestamp retry for corrupted EVTX files by @ZikyHD in #46
  • Add xxhash with events by @ZikyHD in #45
  • Add initial support for Evtxtract logs by @wagga40 in #53
  • Add initial support for XML logs by @wagga40

Full Changelog: 2.9.7...2.9.9

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.9.7

08 Oct 14:36
What's new in v2.9.7:

  • Updated evtx_dump binaries (0.8) with macOS Apple Silicon support
  • Added missing 'informational' rule level in the Mini-Gui

Full Changelog: 2.9.6...2.9.7

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.9.6

01 Oct 20:07
What's new in v2.9.6:

Full Changelog: 2.9.5...2.9.6

Known issues

  • For users with an Apple Silicon computer: please use --noexternal to prevent the use of evtx_dump external binaries

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.9.5

17 Aug 20:14
What's new in v2.9.5:

  • A Mitre Att&ck © Matrix view is now available in the Mini-Gui. You can use the web component in your own app by checking here
  • You can update rules with -U / --update-rules. This feature uses the new auto-updated default rules repository
  • Some bugs with browser detection in the Mini-Gui have been solved

Known issues

  • For users with an Apple Silicon computer: please use --noexternal to prevent the use of evtx_dump external binaries

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

Full Changelog: 2.9.1...2.9.5

2.9.1

06 Aug 19:25
What's new in v2.9.1:

  • Fix a bug with 2.9.0 when using multiple rulesets

Known issues

  • For users with an Apple Silicon computer: please use --noexternal to prevent the use of evtx_dump external binaries

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.