Malcolm v24.06.0 - Githubissues

Features and enhancements
- Support for multiple NetBox sites (idaholab/Malcolm#449)
  - Malcolm now supports enrichment from a NetBox inventory for asset interaction analysis across multiple sites. The NetBox site can be specified for uploaded PCAP, for a Hedgehog Linux sensor, and for Malcolm live capture.
- JA4+ replaces the JA3 TLS fingerprinting standard from 2017 (see also this blog post) (idaholab/Malcolm#419)
- Support uploading Windows Event Log evtx files (idaholab/Malcolm#465) and update associated dashboard
- Document using GitHub runners to build Malcolm images (for contributors' guide, idaholab/Malcolm#491)
- Generate new forwarder SSL keys on-the-fly when transferring between Malcolm and Hedgehog Linux (idaholab/Malcolm#492)
- Incorporate ATT&CK-based Control-system Indicator Detection for Zeek (ACID) (idaholab/Malcolm#489), a collection of Operational Techonology (OT) protocol indicators developed to alert on specific ATT&CK for ICS behaviors
- Add platform architecture and machine boot time to Malcolm version API
- Add links to the navigation pane of most dashboards to "other" dashboards for non-network log data (e.g., resource monitoring, Windows Event logs, etc.)
Component version updates
- Alpine to v3.20 for some of the Docker images
- Beats to v8.14.1
- capa to v7.1.0
- elasticsearch-dsl to v8.13.1
- elasticsearch-py to v8.14.0
- Fluent Bit to v3.0.7
- Logstash to v8.14.1
- NetBox to v4.0.6 (from v3.6.7, idaholab/Malcolm#385)
- OpenSearch and OpenSearch Dashboards to v2.15.0
- opensearch-py to v2.6.0
- psutil to v5.9.8
- Supercronic to v0.2.30
- urllib3 to v1.26.19
- yq to v4.44.2
Bug fixes
- Arkime viewer not rolling PCAPs (idaholab/Malcolm#484)
- Free up space in GitHub runner environment building ISO images to avoid errors due to exhausted disk space
Configuration changes in environment variables
- There are no significant changes or additions to the ./config/*.env environment variable files in Malcolm v24.06.0

cisagov / Malcolm

Malcolm v24.06.0 #318