v2.20.0

v2.20.0

What's Changed

• Add direct support for native Sigma rules with pySigma 🥳 : python3 zircolite.py -e samples.evtx -r schtasks.yml
• Add conditional imports to limit error for functionalities not used : requirements.txt / requirements.full.txt by @wagga40 in #75
• Add option groups to improve help readability by @wagga40 in #75
• Correct typo in docs by @wagga40 in #75
• Add a simple mechanism to control external binaries by @wagga40 in #75
• Update docs and rules by @wagga40 in #75
• Update docs for pysigma and installation by @wagga40 in #72
• [Snyk] Security upgrade aiohttp from 3.8.6 to 3.9.2 by @wagga40 in #73
• [Snyk] Security upgrade orjson from 3.9.7 to 3.9.15 by @wagga40 in #74

Full Changelog: 2.10.0...2.20.0

2.10.0

What's Changed

• Add CSV and JSON Array logs support by @wagga40 in #70
• Docs have been reworked and available in a dedicated website
• Some code refactoring

Full Changelog: 2.9.10...2.10.0

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.9.10

What's Changed

• Add field alias and field splitting (Hash/hashes in Sysmon) by @wagga40 in #58
• Add the ability to specify the index when forwarding to splunk #61 by @wagga40 in #62
• Update Mitre Att&ck (c) reference table by @wagga40 in #63
• Add options : delimiter for CSV, stop recursion, file pattern by @wagga40 in #65

Full Changelog: 2.9.9...2.9.10

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.9.9

What's new in v2.9.9 :

• Add timestamp try for rotten evtx files by @ZikyHD in #46
• Add xxhash with events by @ZikyHD in #45
• Add initial support for Evtxtract logs by @wagga40 in #53
• Add initial support for XML logs by @wagga40

Full Changelog: 2.9.7...2.9.9
⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.9.7

What's new in v2.9.7 :

• Updated EVTX_dump binaries (0.8) with MacOS Apple Silicon Support
• Added missing 'informational' rule level in the Mini-Gui

Full Changelog: 2.9.6...2.9.7

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.9.6

What's new in v2.9.6 :

• isolate invidvidual line parsing errors by @conitrade-as in #36
• ensure None values do not crash SQLite regex UDF by @conitrade-as in #37
• minor spelling error by @AndrewRathbun in #38

New Contributors

• @conitrade-as made their first contribution in #36

Full Changelog: 2.9.5...2.9.6

Known issues

• For users with an Apple Silicon computer : please use --noexternal to prevent the use of evtx_dump external binaries

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.9.5

What's new in v2.9.5 :

• A Mitre Att&ck © Matrix view is now available in the Mini-Gui. You can use the web component in your own app by checking here
• You can update rules with -Uan --update-rules. This feature use the new auto-updated default rules repository
• Some bugs with browser detection is the Mini-Gui have been solved

Known issues

• For users with an Apple Silicon computer : please use --noexternal to prevent the use of evtx_dump external binaries

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

Full Changelog: 2.9.1...2.9.5

2.9.1

What's new in v2.9.1 :

• Fix a bug with 2.9.0 when using multiple rulesets

Known issues

• For users with an Apple Silicon computer : please use --noexternal to prevent the use of evtx_dump external binaries

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.9.0

What's new in v2.9.0 :

• The mini-GUI now includes a timeline view check the screenshot here
• You can now use multiple rulesets by using --ruleset or -r multiple times
• Correct a bug with CSV output
• Correct a bug with the --limit parameter
• Removed embedded version related code and formatting. Please use DFIR-ORC if you want an embedded version (docs here).

Known issues

• For users with an Apple Silicon computer : please use --noexternal to prevent the use of evtx_dump external binaries

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

2.8.1

What's new in v2.8.1 :

• This release correct a bug where it was not possible to use time filtering

Known issues

• For users with an Apple Silicon computer : please use --noexternal to prevent the use of evtx_dump external binaries

⚠️ Some AV may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from being exhaustive, please create an issue if you encounter difficulties.

Full Changelog: 2.8.0...2.8.1