General Updates
New
- Integrated Sigma Support:
- Sigma is a popular standard for sharing detections that are easily portable across various SIEM products. The Velociraptor Component now includes a Sigma rules engine, effectively turning the endpoint into a “SIEM.”
- Sigma VQL queries can search or monitor local event log files so that only matching events are sent to the server.
- Velociraptor's curated Sigma rules now include the Hayabusa rule set, eliminating the need to download the external Hayabusa binary.
- The [Velociraptor Curated Sigma](https://sigma.velocidex.com/) site includes documentation on Velociraptor Sigma artifacts and models for both Linux and Windows data sources.
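To make the "endpoint as a SIEM" idea concrete, here is an added illustration (not Velociraptor's own Sigma engine, and not VQL) of what an endpoint-side Sigma evaluator does: it applies a rule's selection and filter to each local event and hands back only the events that fired, which is what gets forwarded to the server. The rule, the `known_admin_tool.exe` filter value and the Sysmon-style sample events are all constructed for this example.

```python
"""Toy Sigma rule evaluator (added example; not Velociraptor's engine).

Demonstrates the release-note behaviour: evaluate Sigma detections locally
and forward only the matching events."""
from typing import Any, Dict, List, Tuple

# Constructed Sigma rule in its parsed (dict) form. Title, fields and the
# "known_admin_tool.exe" filter are hypothetical, not from any real rule set.
ENCODED_POWERSHELL_RULE: Dict[str, Any] = {
    "title": "PowerShell launched with an encoded command (constructed)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-encodedcommand"],
        },
        "filter": {"ParentImage|endswith": "\\known_admin_tool.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed process-creation events using Sysmon-style field names.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc PLACEHOLDER",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 2,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand PLACEHOLDER",
     "ParentImage": "C:\\Program Files\\Vendor\\known_admin_tool.exe"},
    {"EventID": 3,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def _match_value(actual: Any, modifier: str, expected: Any) -> bool:
    """Apply one Sigma value modifier. Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier!r}")


def _match_selection(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """Map-style selection: every entry must match (AND); a list of values
    for one field matches if any value does (OR)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), modifier, v) for v in candidates):
            return False
    return True


def _eval_condition(condition: str, results: Dict[str, bool]) -> bool:
    """Evaluate the condition shapes this toy supports: 'sel' and
    'sel and not filt1 and not filt2'. Full Sigma has a richer boolean
    grammar (or, parentheses, '1 of ...'), which is omitted here."""
    base, *exclusions = [p.strip() for p in condition.split(" and not ")]
    result = results[base]
    for name in exclusions:
        result = result and not results[name]
    return result


def rule_matches(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """True if the rule's condition holds for this single event."""
    det = rule["detection"]
    named = {k: _match_selection(event, v) for k, v in det.items() if k != "condition"}
    return _eval_condition(det["condition"], named)


def filter_for_server(rules: List[Dict[str, Any]],
                      events: List[Dict[str, Any]]) -> List[Tuple[str, Dict[str, Any]]]:
    """Endpoint-side filtering: evaluate every rule locally and return only the
    (rule title, event) pairs that fired, i.e. what would be sent to the server."""
    return [(r["title"], ev) for ev in events for r in rules if rule_matches(r, ev)]


if __name__ == "__main__":
    for title, ev in filter_for_server([ENCODED_POWERSHELL_RULE], SAMPLE_EVENTS):
        print(f"[{title}] EventID={ev['EventID']} CommandLine={ev['CommandLine']}")
```

Of the three constructed events only the first is returned: the second is suppressed by the rule's filter on the parent process, and the third never satisfies the selection. Everything else stays on the endpoint, which is the bandwidth and noise advantage the release note describes.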
Improved
- Before version 0.72, Velociraptor used a four-part versioning scheme (e.g., 0.7.0-patch#). Newer releases now follow Semantic Versioning for better compatibility with package and compliance management tools. The current version is 0.74 (not 0.7.4).
Hosted Velociraptor UI Updates
Rapid7 updates and maintains the Hosted Velociraptor service and frontend, so you do not need to take any action.
New
- Enhanced Timeline Visualization and Navigation:
- Notebook Timelines now include a visualizer and navigator for timeline tables.
- Entries from individual timelines can be collected into a Supertimeline with annotations. Supertimelines enable teams to communicate key investigation findings in a unified view.
Improved
- The Notebooks feature includes several enhancements:
- Built-in Data Stacking: Notebook tables can now stack query results by the selected column with a single click, displaying them in a new stacking data view.
- Reusable templates are now supported, making it easy to recreate specific Notebook configurations.
- Hunts can now be labeled for easier organization within the Hunts screen.
- The Virtual Filesystem (VFS) UI now supports password-encrypted zip downloads. Previously this was only available on the Endpoint's Collection screen.
- Additional quality-of-life improvements have been made throughout the interface.
Fixed
- When configuring Artifact parameters, clicking the wrench button twice no longer causes the screen to go blank.
Rapid7 Velociraptor Component Update
Your assets will be updated automatically with the latest Rapid7 Velociraptor versions only if you enable Insight Platform-managed updates. Read more in the managed agent updates documentation.
New
New plugins support:
- Parsing and monitoring of journald logs on Linux systems
- Monitoring several Windows Kernel ETW sources
- Monitoring Linux Extended Berkeley Packet Filter (eBPF) kernel events
These plugins are especially powerful when used with curated Sigma artifacts.
Improved
- The Windows ETW monitoring plugin now supports subscribing to multiple ETW providers in a single session. Previously, each ETW monitoring query required a separate session, quickly consuming the limited number of available sessions in Windows.
- Performance improvements to the Windows Registry accessor significantly reduce processing times for large Registry hives.