2.9.0

What's new in v2.9.0 :

• The mini-GUI now includes a timeline view check the screenshot here
• You can now use multiple rulesets by using --ruleset or -r multiple times
• Correct a bug with CSV output
• Correct a bug with the --limit parameter
• Removed embedded version related code and formatting. Please use DFIR-ORC if you want an embedded version (docs here).

Known issues

• For users with an Apple Silicon computer : please use --noexternal to prevent the use of evtx_dump external binaries

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.8.1

What's new in v2.8.1 :

• This release correct a bug where it was not possible to use time filtering

Known issues

• For users with an Apple Silicon computer : please use --noexternal to prevent the use of evtx_dump external binaries

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

Full Changelog: 2.8.0...2.8.1

2.8.0

What's new in v2.8.0 :

⚠️ An ORJSON bug was preventing Zircolite to work in some use case, binaries have been replaced.

• It is now possible to forward detected events to an ELK stack
• All events (and not only detected events) can be forwarded with --forwardall. You should note that it works very well with Splunk but can be problematic with ELK because of the automatic type mapping
• ORJSON has replaced the default JSON Python library. It brings a significant speedup in some cases
• There are now two files for Zircolite (only one is required), the zircolite.py file is formatted with Black
• Rules and docs have been updated

Known issues

• For users with an Apple Silicon computer : please use --noexternal to prevent the use of evtx_dump external binaries

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

Full Changelog: 2.7.0...2.8.0

2.7.0

What's new in v2.7.0 :

• Initial Auditd logs support
• Initial rules with regex support
• Colorized output for rule level
• Updated rules and docs

⚠️ I will probably remove the embedded versions in favor of DFIR ORC packaged versions.

What to download ?

• [RECOMMENDED] Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files)
• Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7

⚠️ Some AV may not like the packaged binaries. The nuitka version are generally considered OK by most AV.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.6.2

What's new in v2.6.2 :

• New format for releases : 7z packages that contain the standard version (not the embedded one) with all files needed to run it
• Add a '-v' option to display Zircolite version
• Documention is also available in PDF format
• Solve some issues with unicode on windows
• Add rule level/severity in CLI output
• Updated rules and docs

What to download ?

• [RECOMMENDED] Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files)
• Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7

⚠️ Some AV may not like the packaged binaries. The nuitka version are generally considered OK by most AV.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.6.1

What's new in v2.6.1 :

This is a bug correction release. Check 2.6.0 release to know what were the new features.

• Embedded versions are now using bindings instead of dropping the evtx_dump binary (slower but more reliable), If you don't want that use 2.6.0 release
• Solved a Windows character encoding problem when running non-interactively.

What to download ?

• [RECOMMENDED] Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files)
• Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7

⚠️ Some AV may not like the packaged binaries. The nuitka version are generally considered OK by most AV.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.6.0

What's new in v2.6.0 :

• You can now analyze Sysmon for Linux logs in Zircolite (initial support) 🎉🎉🎉
• A "fieldlist" option has been added to list fields found in your EVTX, you can use it to debug and find problem with field mappings. This option needs to be used with the -r option but it is not used
• You can now provide you own evtx_dump binary with --evtx_dump
• Docs have been updated with a little tutorial to integrate Zircolite into DFIR Orc
• Linux binaries has been removed, don't hesitate to create an issue if you want them back
• Only the Nuitka build is available for Windows 10, don't hesitate to create an issue if you want PyInstaller builds back

Release updated 2021/11/23 : Sole a Windows character encoding problem when running non-interactively. Thanks to @weslambert

What to download ?

• [RECOMMENDED] Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files)
• Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7

⚠️ Some AV may not like the packaged binaries. The nuitka version are generally considered OK by most AV.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.5.1

What's new in v2.5.1 :

Bug correction release for Windows users. Please check 2.5.0 changes to see the big changes 😅

• Correct a bug with JSON generated directly from sigmac under windows. Thanks @frack113.

What to download ?

• [RECOMMENDED] Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files)
• Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7
• Binaries for Linux have "lin" in their names

⚠️ Some AV may not like the packaged binaries. The nuitka version are generally considered OK by most AV.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.5.0

What's new in v2.5.0 :

• [BETA] Added the ability to use Sigma rules directly (on-the-fly conversion)
• You can know use CSV output instead of JSON
• genRules has been updated but will be deprecated soon since sigmatools since 0.20 can generate Zircolite compatible rulesets (check docs)
• It is now possible to limit results (terminal output and forwarded events)
• Removed Zircolite_legacy.py
• Docs and rulesets have been updated

What to download ?

• [RECOMMENDED] Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files)
• Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7
• Binaries for Linux have "lin" in their names

⚠️ Some AV may not like the packaged binaries. The nuitka version are generally considered OK by most AV.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.1.1

What's new in v2.1.1 :

⚠️ This is a test release !

• This release add a CSV mode replacing the completely bogus CSV template. Please note that as opposed to the templating system the "CSV Mode" will replace default JSON output and the format of events if you forward them to Splunk or to a HTTP Server.

What to download ?

• Binaries with "nuitka" in their names were generated with Nuitka and are supposedly faster (but bigger in size)
• Binaries with "embedded" in their names are self contained and to not need external files to work (even ruleset files)
• Binaries for Windows 7 have "win7" in their names. Other releases may not work on Windows 7
• Binaries for Linux have "lin" in their names

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.