Improvements
- Improved error display when API key authentication fails
- Changed connect profile option to optional when executing batch commands
Improved compatibility with Sonar
- Requires experimental app version 1.6.2510.0 or higher (uses log command)
- Requires **Logpresso Sonar 4.0.2502.0** or higher
Support #react2shell tagging
- Requires experimental app version 1.6.2510.0 or higher (uses log command)
- Requires **Logpresso Sonar 4.0.2507.0** or higher
Fix false positives for #command_injection related to simple template variable references
- Requires experimental app version 1.6.2510.0 or higher (uses log command)
- Requires **Logpresso Sonar 4.0.2507.0** or higher
Support Beacon Traffic Detection
- Requires experimental app version 1.6.2510.0 or higher (uses log command)
- Added ml-beaconing-connections command
- Added ml-beacon-sessions command
- Requires **Logpresso Sonar 4.0.2507.0** or higher
First release
* apivoid-check-domain
* apivoid-check-domain-batch
* apivoid-check-ip
* apivoid-check-ip-batch
* apivoid-domain-info
* apivoid-domain-info-batch
* apivoid-reverse-ip
Minor modification of detection rules
- Exploit Detected rule: Added exception condition for Exploit/Win.MagicLineX
- CoinMiner Detected rule: Changed rule name
- Phishing Detected rule: Removed unnecessary exception condition from first search command
sonar sync commands improvements
- Added locale input to the sonar-sync-employees command
- Fixed an NPE that occurred when dept_code is empty
- Improved error cause reporting
Improve performance of Elastic log parser
Notes
- When upgrading from versions earlier than 1.4.2511.0, please review the steps below.
- For proper incremental collection, follow this sequence:
Disable the existing logger → Apply the app patch → Restore the index name in the logger settings → Enable the logger.
First release
- Support react2shell-scan-batch query command.
Improvements
- Add support for decimal values in the cpu_usage, mem_usage, disk_usage, and temperature fields for the Controller_resource and Sensor_resource log types.
Bug Fixes
- Fix a parsing failure that occurs when the msg field contains a comma (,) in the Admin_log, Ha_log, Controller_log, and Sensor_log log types.
New features
* Added mat-threads query command and support for mat-build discard-ratio option
New feature
- Google Workspace Group command and schema have been added
- Google Workspace User command has new "group" option
- Added support for Google Workspace playbook execution
Google Workspace drive activity collector bug patch
- Added missing error handling for empty list responses for Google Drive activity logs
Improvements
- Added 4 detection rules
* Admin Role Assigned (T1098.003)
* Executable File Download (T1204.002)
* New Trusted Domain Added (T1562.007)
* User Unsuspended (T1078.004)
Improvements
- Added originating_app_name when collecting Google Drive activity logs.
- Added google-workspace-drive-apps, google-workspace-drive-app extended query commands.
Grant new scope for domain-wide delegation
* https://www.googleapis.com/auth/drive.apps.readonly
New feature
- Added Google Chat activity log schema, logger model, and dashboard.
- Google Workspace dashboards now support time filter in the dashboard panel.
Bug patch
- Fixed infinite loading bug of Google Workspace Alert Center collector.
- Fixed an issue where google-workspace-users command output was limited to 100 users
Support Google Workspace alert center
- Added phishing mail, alert center, service notice dashboards.
Grant new scope for domain-wide delegation
- https://www.googleapis.com/auth/apps.alerts
Added 13 MITRE ATT&CK TTP detection rules