1.3.0
@pcoccoli pcoccoli released this 15 Apr 18:49

Added

  • internal data model upgraded to firepit 2.0.0, which uses a fully graph-like database schema:

    • the new firepit normalized schema is documented at https://firepit.readthedocs.io/en/latest/database.html
    • the normalized schema extracts and recognizes entities (SCOs) from STIX observations and stores the entities together with their relations.
    • the normalized schema lets a Kestrel variable refer to a list of homogeneous entities, implemented as a view over a relational-DB table.
    • hunts saved with the previous data model are not compatible and need to be re-executed.
  • syntax upgrade: the new language construct expression processes a variable, e.g., by adding a WHERE clause, and the resulting expression can be

    • assigned to another variable, so filtering no longer requires a second GET command with a STIX pattern.
    • passed to DISP, so DISP naturally gains support for clauses such as SORT and LIMIT.
  • new syntax for handling events, in addition to entities:

    • entities in a variable no longer carry timestamps; previously, a variable listed every observation of its entities, each with a timestamp.
    • the function TIMESTAMPED() wraps a variable into an expression that yields the timestamps of the observations/events in which the entities appeared. This is useful for analyzing and visualizing the events of entities over time, e.g., a time series of when the ipv4-addr entities in a variable were seen.
  • unit tests:

    • 5 more unit tests for command FIND.
    • 2 more unit tests for command SAVE.
    • 2 unit tests for expression TIMESTAMPED().
  • new syntax documented in the language reference:

    • TIMESTAMPED
    • DISP
    • assign
  • repo updates:

    • Kestrel logo created.
    • GOVERNANCE.rst including versioning, release procedure, vulnerability disclosure, and more.
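
The data-model change above is easiest to see with a small working model: entities are deduplicated into one table per SCO type, a variable is a view over such a table (so it carries no timestamps), and TIMESTAMPED() is a join back to the observations in which the entities were seen. The following Python is an added example written for this page, not firepit's or Kestrel's own code; the tables (ipv4_addr, network_traffic, observation, variable), the functions (load_bundle, define_variable, entities, timestamped) and the STIX bundle are assumptions that mimic the idea, not the real firepit schema. It also shows why the new WHERE clause must be parsed and validated rather than spliced into the view definition as a raw string.

```python
import re
import sqlite3

# Constructed sample: two STIX observed-data objects. The external address
# 198.51.100.7 appears in both, so it is stored once but seen at two times.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "observed-data", "id": "observed-data--1", "first_observed": "2022-04-01T10:00:00Z",
     "last_observed": "2022-04-01T10:00:05Z", "objects": {
         "0": {"type": "ipv4-addr", "value": "10.0.0.5"},
         "1": {"type": "ipv4-addr", "value": "198.51.100.7"},
         "2": {"type": "network-traffic", "src_ref": "0", "dst_ref": "1", "dst_port": 443}}},
    {"type": "observed-data", "id": "observed-data--2", "first_observed": "2022-04-01T11:00:00Z",
     "last_observed": "2022-04-01T11:00:02Z", "objects": {
         "0": {"type": "ipv4-addr", "value": "10.0.0.9"},
         "1": {"type": "ipv4-addr", "value": "198.51.100.7"},
         "2": {"type": "network-traffic", "src_ref": "0", "dst_ref": "1", "dst_port": 80}}}]}

# Hypothetical normalized schema (an assumption, not firepit's): one table per
# SCO type holding deduplicated entities, an observation table recording when
# each entity was seen, and a variable table mapping a variable to its type.
SCHEMA = """
CREATE TABLE ipv4_addr (id INTEGER PRIMARY KEY, value TEXT UNIQUE);
CREATE TABLE network_traffic (id INTEGER PRIMARY KEY, src_ref INTEGER, dst_ref INTEGER,
    dst_port INTEGER, UNIQUE (src_ref, dst_ref, dst_port));
CREATE TABLE observation (id INTEGER PRIMARY KEY, observed_data_id TEXT, sco_type TEXT,
    sco_id INTEGER, first_observed TEXT, last_observed TEXT);
CREATE TABLE variable (name TEXT PRIMARY KEY, sco_type TEXT);
"""
TABLE_OF = {"ipv4-addr": "ipv4_addr", "network-traffic": "network_traffic"}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def upsert(conn, table, row):
    """Insert the entity unless an identical one already exists; return its id."""
    cols, marks = ", ".join(row), ", ".join("?" for _ in row)
    conn.execute(f"INSERT OR IGNORE INTO {table} ({cols}) VALUES ({marks})", list(row.values()))
    cond = " AND ".join(f"{c} = ?" for c in row)
    return conn.execute(f"SELECT id FROM {table} WHERE {cond}", list(row.values())).fetchone()[0]


def load_bundle(conn, bundle):
    """Extract SCOs from each observed-data object into the entity tables and
    record one observation row per (entity, observed-data) pair."""
    for od in (o for o in bundle["objects"] if o["type"] == "observed-data"):
        ids = {}
        for key, sco in od["objects"].items():          # addresses first: refs need ids
            if sco["type"] == "ipv4-addr":
                ids[key] = upsert(conn, "ipv4_addr", {"value": sco["value"]})
        for key, sco in od["objects"].items():
            if sco["type"] == "network-traffic":        # refs resolved to entity ids
                ids[key] = upsert(conn, "network_traffic", {"src_ref": ids[sco["src_ref"]],
                                  "dst_ref": ids[sco["dst_ref"]], "dst_port": sco["dst_port"]})
        for key, sco in od["objects"].items():
            if key in ids:
                conn.execute("INSERT INTO observation VALUES (NULL, ?, ?, ?, ?, ?)",
                             (od["id"], sco["type"], ids[key], od["first_observed"], od["last_observed"]))


def _view(name):
    """Validate a variable name before it is embedded in SQL as an identifier."""
    if not IDENT.match(name):
        raise ValueError(f"bad variable name: {name!r}")
    return f"v_{name}"


def define_variable(conn, name, sco_type, where=()):
    """`name = sco_type WHERE ...`: a variable is a view over the entity table, so
    it carries no timestamps. CREATE VIEW cannot take bound parameters, so the
    predicate is built from validated (column, op, value) triples; splicing in a
    raw user string here would be a SQL injection path."""
    view, table = _view(name), TABLE_OF[sco_type]
    columns = {r[1] for r in conn.execute(f"PRAGMA table_info({table})")}
    preds = []
    for col, op, val in where:
        if col not in columns or op not in ("=", "!=", "<", ">"):
            raise ValueError(f"bad predicate: {col!r} {op!r}")
        lit = str(int(val)) if isinstance(val, int) else "'" + str(val).replace("'", "''") + "'"
        preds.append(f"{col} {op} {lit}")
    clause = (" WHERE " + " AND ".join(preds)) if preds else ""
    conn.execute(f"DROP VIEW IF EXISTS {view}")
    conn.execute(f"CREATE VIEW {view} AS SELECT * FROM {table}{clause}")
    conn.execute("INSERT OR REPLACE INTO variable VALUES (?, ?)", (name, sco_type))


def entities(conn, name):
    """DISP var: the deduplicated entities, one row each, no timestamps."""
    return conn.execute(f"SELECT * FROM {_view(name)}").fetchall()


def timestamped(conn, name):
    """DISP TIMESTAMPED(var): join back to the observations, so an entity seen
    twice yields two rows, each with its first_observed/last_observed."""
    sco_type = conn.execute("SELECT sco_type FROM variable WHERE name = ?", (name,)).fetchone()[0]
    return conn.execute(
        f"SELECT o.first_observed, o.last_observed, v.* FROM {_view(name)} AS v "
        "JOIN observation AS o ON o.sco_type = ? AND o.sco_id = v.id ORDER BY o.first_observed",
        (sco_type,)).fetchall()


def build(bundle=SAMPLE_BUNDLE):
    """Load the bundle into an in-memory normalized store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    load_bundle(conn, bundle)
    return conn


if __name__ == "__main__":
    db = build()
    define_variable(db, "ext", "ipv4-addr", [("value", "=", "198.51.100.7")])
    print("entities:   ", entities(db, "ext"))       # one row, no timestamps
    print("timestamped:", timestamped(db, "ext"))    # two rows, one per observation
```

Running the script shows the two halves of the change: `entities` returns the single deduplicated ipv4-addr, while `timestamped` expands it to one row per observation, which is what a time-series view over a variable needs. Because a variable is now a view, every WHERE clause ends up as SQL, so the predicate builder only accepts columns that exist in the target table and escapes string literals; the model rejects a column name such as `value; DROP TABLE ipv4_addr --` instead of executing it.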

Removed

  • the copy command is removed (replaced by the more generic assign command).

Changed

  • repo front page restructured to be shorter while providing more information and links.
  • the overview page of Kestrel doc is turned into a directory of sections. The URL of the page is changed from overview.html to overview.