This security hotfix addresses authentication vulnerabilities in the login system. We've enhanced session generation and login logic to prevent email enumeration attacks and mitigate timing-based attack vectors, ensuring consistent behavior regardless of user existence.

🛡 Security​

Authentication Hardening​

• Email Enumeration Prevention - The authentication response now behaves consistently, eliminating information leakage through response variations.

• Timing Attack Mitigation - Implemented consistent computational effort during authentication regardless of user existence or password validation outcome. Fixed-salt hash comparison ensures uniform response times, preventing timing-based user enumeration.

• Consistent CAPTCHA Behavior - Updated failed login attempt handling to apply CAPTCHA requirements uniformly for both existing and non-existing users, preventing behavioral fingerprinting.

---

This release introduces schema drift detection and multi-tier pipeline capabilities with eight new processors for validation, staged routing, and alerting. Four new storage target integrations expand data forwarding options, while CAPTCHA protection strengthens platform security. Enhanced tenant limit management provides improved control over resource allocation, and comprehensive user interface improvements across multiple targets enhance configuration clarity.

🚀 New Features​

• CAPTCHA Security Enhancement - CAPTCHA verification implemented across authentication workflows to protect against automated attacks. CAPTCHA challenges added to login, signup, and password reset processes, preventing unauthorized access attempts and bot-based attacks while maintaining smooth user experience for legitimate access.

• Tenant Limit Management Enhancement - Parent tenant limit configuration enhanced with self-management capabilities, providing greater control over resource allocation across organizational hierarchies. Parent tenants can now configure their own limits directly, with changes automatically affecting sub-tenant limit allocation. License limits calculated as combined total of parent tenant and all sub-tenants, ensuring accurate resource tracking across entire tenant structure.

• Schema Drift Detection - New schema validation capability detects when vendor log formats change unexpectedly. The check_schema processor validates events against ASIM and OCSF schemas, identifying missing fields, extra fields, and type mismatches. Supports conditional processor chains for automated alerting and fallback processing when drift is detected.

• Multi-Tier Pipelines - Staged routing enables sending the same data to multiple destinations at different normalization levels without event duplication. Progressive normalization transforms data through tiers (raw, CSL, ASIM) with the commit processor finalizing staged routes. Eliminates ingestion cost multiplication for multi-destination workflows.

🔧 Improvements​

New Processors​

• check_schema - Validates event data against ASIM or OCSF schema definitions, detecting missing fields, extra fields, and type mismatches for schema drift detection.

• commit - Finalizes staged routes created by the reroute processor, enabling multi-tier pipeline architectures where only the final normalized version reaches each destination.

• defender - Creates custom alerts in Microsoft Defender using the CreateAlert API, enabling external threat detection systems to integrate with Microsoft's endpoint security platform.

• msteams - Sends notifications to Microsoft Teams channels via incoming webhooks, supporting customizable message formatting for alerting workflows.

• pagerduty - Creates incidents in PagerDuty for on-call alerting, enabling automated escalation when critical events or processing failures are detected.

• servicenow - Creates incidents in ServiceNow for IT service management integration, supporting automated ticket creation from pipeline processing events.

• slack - Sends notifications to Slack channels via incoming webhooks, supporting customizable message formatting and severity-based color coding.

• telegram - Sends notifications to Telegram chats via bot API, enabling mobile alerting for critical events and processing status updates.

New Targets​

• AWS S3 - AWS S3 target integration enables direct data transmission to Amazon S3 storage infrastructure. Seamless integration with AWS ecosystem expands data routing options for archival, analytics, and backup workflows.

• Cloudflare R2 - Cloudflare R2 target integration provides object storage capabilities with S3-compatible API. Integration supports cost-effective data storage and retrieval, expanding cloud storage options for log forwarding and data archival.

• IBM Cloud Object Storage - IBM Cloud Object Storage target enables data forwarding to IBM's enterprise cloud storage platform. Integration supports secure, scalable storage for analytics and compliance requirements.

• MinIO - MinIO target integration provides high-performance object storage capabilities with S3-compatible API. Self-hosted storage option supports on-premises and private cloud deployments, offering flexible data storage alternatives.

Target Configuration Enhancements​

• Azure Blob Storage Field Improvements - Field formats and descriptive text enhanced for improved clarity. Streamlined interface makes configuration more intuitive and reduces setup complexity.

• Azure Event Hubs Field Improvements - Field formats and descriptive text refined, enhancing user understanding. Improved labeling and formatting support easier configuration and reduce potential errors.

• Azure Data Explorer (ADX) Field Improvements - Field formats and descriptive text optimized for better comprehension. Enhanced interface clarity simplifies setup process and improves configuration accuracy.

• Elastic Field Improvements - Field formats and descriptive text enhanced, improving overall usability. Clearer field descriptions and formatting support more efficient target setup.

• Splunk Field Improvements - Field formats and descriptive text refined for enhanced clarity. Improved interface elements make configuration more straightforward and user-friendly.

Director and Device Enhancements​

• Case-Insensitive Director Search - Director search functionality enhanced with case-insensitive search capability, reducing search errors and improving discoverability. Search operations now match Directors regardless of character case, supporting more flexible search queries.

• IPv6 Support for Agent Installation - Agent installation commands for Linux and Windows devices enhanced with IPv6 address support. Installation process now handles both IPv4 and IPv6 addressing, ensuring compatibility with modern network infrastructures and dual-stack environments.

• Windows DNS Logs Filtering Improvements - Windows DNS Logs filtering interface enhanced with improved usability and clarity. Refinements to filtering options support more efficient DNS log configuration and management.

🐛 Bug Fixes​

User Management​

• Transfer Ownership Error - Fixed error encountered by users with Owner role when performing transfer ownership operations. Ownership transfer now completes successfully, ensuring smooth administrative transitions.

Director Management​

• Reinstall Director Command Display - Fixed issue where reinstall director option displayed incorrect commands and error messages. Command generation now produces accurate installation commands, and error messaging provides proper feedback during reinstall operations.

User Interface​

• Quick Routes Error Messages - Refined error messages in Quick Routes interface for improved clarity and user guidance. Error feedback now provides clearer information for troubleshooting configuration issues.

---

This maintenance release addresses a critical configuration management issue. We've fixed a bug where configuration strings sent from the web interface to the Director could be incorrectly formatted, preventing proper configuration application and data flow. This fix ensures reliable configuration transmission and uninterrupted telemetry processing.

🐛 Bug Fixes​

Configuration Management​

• Configuration String Field Format Corruption - Fixed issue where configuration strings sent from the web interface to the Director could be incorrectly formatted, causing configurations to fail and preventing data flow. String fields now maintain proper formatting throughout transmission, ensuring reliable configuration management and uninterrupted data processing.

---

This release introduces powerful new capabilities for pipeline management and multi-tenant security. The new Pipeline Updates system provides intelligent update notifications with side-by-side comparison, while Sub-Tenant Access Control enhances security with approval-based workflows for parent tenant access. We've expanded platform capabilities with Advanced Route Scheduling, Director Filtering, and Linux Agent enhancements, plus comprehensive Windows DNS Logs Filtering. Important bug fixes improve configuration persistence and cross-browser compatibility.

🚀 New Features​

• Pipeline Updates - Comprehensive update notification and review system for Content Hub pipelines. When updates are detected for downloaded pipelines, users receive automatic notifications about available improvements. Side-by-side comparison view displays both current and updated pipeline versions, allowing detailed review of proposed changes before implementation. Users maintain full control over update acceptance, choosing which modifications to apply based on operational requirements and configuration preferences.

• Sub-Tenant Access Control with Approval Workflow - Parent tenants now require explicit permission to access sub-tenant resources, ensuring enhanced security and access transparency across organizational hierarchies. Access requests can be submitted for individual modules, providing granular control over resource visibility and management capabilities. Sub-tenants review and approve requests through dedicated permission management interface, maintaining full authority over resource access and supporting principle of least privilege.

• Log Usage Limit Control - Platform tracks log consumption against allocated limits and displays persistent usage alerts in the interface. Visible warnings appear when log usage approaches or exceeds defined limits, with alerts remaining displayed at the top of the page until addressed for continuous visibility into resource utilization.

🔧 Improvements​

Component Enhancements​

• Linux Agent Event Collection Enhancement - Linux monitoring capabilities expanded with audit event and firewall event collection options. Configure Linux agents to collect audit logs and firewall logs in addition to system and application logs, providing comprehensive visibility into security events and network activity across Linux infrastructure.

• Import DCR Option - Enhanced Windows device configuration with automatic DCR (Data Collection Rule) to XML conversion capability for Security Events and Event Logs custom options. This conversion feature streamlines configuration management by translating DCR configurations into XML format, improving compatibility and simplifying event collection setup.

• Advanced Route Director Filtering - Director-specific deployment control added to Advanced Routes, enabling targeted configuration distribution across infrastructure. Select specific Directors to receive Advanced Route configurations, with deployments limited only to the selected Directors. When no Directors are explicitly selected, the system maintains default behavior by deploying configurations to all available Directors, supporting staged rollouts and environment-specific routing.

• Advanced Route Scheduling - Time-based execution control added to Advanced Routes, enabling automated periodic processing based on defined schedules. Configure Advanced Routes to run automatically using either cron expressions for precise scheduling or interval-based timing for regular periodic execution. Supports batch processing workflows, off-peak data processing, and automated routine operations without manual intervention.

• Windows DNS Logs Filtering - Comprehensive filtering capabilities added for Windows DNS Logs, enabling precise log collection control through include and exclude filters. Configure DNS log collection using multiple filter criteria including Event ID, Response Code, Question Type, Device IP Address, Source IP, Destination IP, and Question Name filters. Reduces unnecessary log volume while maintaining visibility into critical DNS activity.

• Content Hub Pipeline Template Expansion - New pipeline templates added to Content Hub, providing additional pre-configured processing options for common use cases. Ready-to-use templates accelerate pipeline deployment and simplify configuration for standard data processing scenarios.

• Target Execution Tab - New Execution tab added to all target configurations, providing centralized control over target-specific operational settings. Configure scheduling operations directly within the target interface for automated execution based on defined schedules. Enable debug mode at the target level for troubleshooting and detailed execution visibility. This enhancement consolidates execution controls in a dedicated interface, supporting both automated workflows and diagnostic operations.

🐛 Bug Fixes​

Configuration Persistence​

• Pipeline Update Display - Fixed issue where pipeline changes were not immediately reflected in the interface after applying updates. Pipeline modifications now properly display, ensuring accurate visibility of current configurations.

• Windows Event Log XML Queries - Fixed issue where custom XML queries for Windows Event Log were not being saved correctly. Custom XML configurations now persist properly, ensuring reliable event collection based on user-defined XML queries.

• Pre-processing Pipeline Selection - Fixed issue preventing proper editing of pre-processing pipeline selections in Linux and Windows device log type configurations. Pipeline selection changes now save correctly, ensuring accurate log processing configuration.

User Interface​

• Advanced Route Table Actions - Fixed missing enable/disable action in Advanced Route table actions. Users can now properly enable or disable Advanced Routes directly from the table interface, improving route management accessibility.

• Quick Route Pipeline Search - Fixed search functionality in Quick Route pipeline selection. Pipeline search now works correctly, making it easier to locate and select pipelines when configuring Quick Routes.

• Firefox Browser Compatibility - Fixed issue where Advanced Route edit functionality was not displaying correctly in Firefox browsers. Advanced Route editing now works properly across all supported browsers, ensuring consistent user experience.

• Sub-Tenant Email Links - Fixed incorrect link redirection in email sent to sub-tenant owners upon tenant creation. Email links now direct sub-tenant owners to the correct login page, ensuring smooth onboarding experience.

• User Preferences Date & Time Format - Fixed issue where date & time format selection under user preferences could not be loaded properly, redirecting users to an error page. Date format preferences now load correctly, ensuring smooth user preference management.

This release focuses on usability improvements and important bug fixes. The Content Hub receives significant enhancements with improved content format display and expanded filtering options, while the Pipeline search functionality is now more flexible. Critical fixes address documentation links, device notifications, IP address display issues, and interface functionality across Quick Routes and language support features.

🔧 Improvements​

Content Hub Enhancements​

• Content Format Conversion - Content display converted from JSON to string format for significantly improved readability and usability. Comments within content are now visible, providing descriptive context and making information easier to understand. This enhancement offers better clarity when reviewing content, enabling more efficient data workflows and informed decision-making.

• Enhanced Filtering Options - Content Hub filtering capabilities expanded with additional device types and vendors. Enhanced filtering makes it easier to locate and filter relevant content, improving navigation efficiency and helping users quickly find specific configurations for their devices and vendor products.

User Interface​

• Pipeline Search Character Limit Removal - Removed character limit restrictions in Pipeline search functionality that were preventing searches from being performed. Search feature now operates properly regardless of query length, enabling comprehensive pipeline discovery without limitations.

🐛 Bug Fixes​

Documentation and Navigation​

• Documentation Link Corrections - Fixed incorrect documentation links throughout the platform. All documentation references now direct users to correct pages, improving accessibility and facilitating greater utilization of documentation resources for enhanced user support and guidance.

Device Management​

• Windows and Linux Device Notifications - Resolved issue with incorrect notifications on Windows and Linux devices. Notifications now display accurate information, providing reliable alerts and status updates for monitored systems and ensuring proper visibility into device health and events.

• Windows Device IP Address Display - Fixed issue where IP addresses were appearing empty for some Windows devices. All Windows devices now properly display their IP addresses, providing complete visibility and easier identification of monitored systems across the infrastructure.

Interface Functionality​

• Quick Routes Table Enhancements - Corrected missing columns and filtering issues in Quick Routes device and target selection tables. All relevant columns now display correctly, and filtering functionality operates as expected, streamlining route selection and configuration processes.

• Language Support Corrections - Resolved issues where language support was not functioning properly in certain platform areas. All language-related features now work as expected, ensuring consistent multilingual experience across the interface for international users.

---

This release introduces flexible Director configuration management with Self Managed Director mode and comprehensive Linux Agent monitoring capabilities. The new Splunk HEC target integration expands data forwarding options, while important bug fixes improve agent visibility, device management, and user authentication workflows.

🚀 New Features​

• Self Managed Director - Two configuration management modes provide flexibility for different operational requirements. Managed Mode maintains automatic connection between platform and Director, pushing configuration changes in real-time for simplified operations. Self-Managed Mode enables administrators to download configurations from the platform and upload manually to Directors, providing enhanced control over configuration deployment. System displays warnings when new configurations are available but not yet applied, ensuring visibility into configuration status. Directors continue sending health status and statistics automatically in both modes, maintaining operational visibility while supporting diverse security policies and environment requirements.

• Linux Agent - Comprehensive monitoring capabilities for Linux systems enable collection of system logs, application logs, and audit data from Linux infrastructure. Two deployment modes support different operational approaches: Agent Mode provides direct installation and configuration control on individual systems, while Agentless Mode enables remote deployment across multiple Linux machines without manual installation requirements. This dual-mode architecture ensures flexible Linux environment monitoring tailored to operational requirements and infrastructure configurations.

• Email Validation - Email verification process implemented during user registration to confirm email address validity and accessibility. Verification emails sent automatically during sign-up ensure reliable user communication and enhanced account security. This validation step prevents registration with inaccessible email addresses and improves platform communication reliability.

🔧 Improvements​

New Targets​

• Splunk - Splunk HEC (HTTP Event Collector) target enables direct data transmission to Splunk infrastructure. Integration intelligently preserves structured fields when recognized, or ingests as raw data when unrecognized, ensuring comprehensive data forwarding. Seamless integration with existing Splunk deployments expands data routing options for analytics and monitoring workflows.

Device and Target Enhancements​

• TCP and Syslog Framing Field Update - Framing field configuration for TCP and Syslog devices updated to use rfc6587 option, replacing the previous octet designation. This change aligns with standard protocol specifications, ensuring improved compatibility and clarity in device configuration.

• Extended Target Name Length - Target name character limit increased from 30 to 64 characters, providing greater flexibility for descriptive and meaningful target identifiers. Extended naming capability supports more detailed target identification and organizational naming conventions.

User Interface​

• Statistics Decimal Precision - Numerical data display in Stats menu standardized with maximum two decimal places for improved readability. Simplified decimal formatting makes statistics easier to read and interpret at a glance.

🐛 Bug Fixes​

• Fixed IP address display issue for agents where addresses were not showing correctly in the interface. Agent IP addresses now properly display, improving system visibility and identification.

• Resolved Quick Routes issue where newly added device types were not appearing in the device list. All device types now correctly display in Quick Routes interface, ensuring complete device visibility.

• Fixed User Management issue where password reset button was missing when SSO was disabled. Password reset functionality now properly accessible in non-SSO mode.

---

This release introduces powerful new capabilities for Azure integration and data management. With the new Settings menu and Microsoft Stats dashboard, managing your workspace and monitoring data flow has never been easier. We've expanded our device and target support with Azure Blob Storage, Azure Event Hubs, Microsoft Sentinel data lake, and Elasticsearch, while enhancing Windows device capabilities with additional log types and pipeline selection options. Important bug fixes improve configuration persistence and content management workflows.

🚀 New Features​

• Settings - Comprehensive Settings menu centralizes all important configurations and information. Manage team members, toggle SSO (Single Sign-On) authentication with a single click, and view detailed package information. Access and update company information from one convenient location for streamlined administrative tasks and better workspace control.

• Microsoft Stats - New statistics dashboard helps monitor and optimize data flow. Track the volume of data collected from sources and the amount transmitted to destinations in real-time. Dashboard displays data reduction metrics, showing how efficiently data is being optimized before transmission for informed decisions about resource allocation and optimization opportunities.

• Usage and Limit - Users can now view their usage and package details through the Usage and Limit screen where they can track usage trends over specific time periods and analyze data across main and sub-tenants using the tenant filter. This enhancement improves visibility and control over resource consumption, helping users manage their limits more effectively.

New Devices​

• Azure Blob Storage - Collect and process log data stored in scalable Azure Blob Storage object containers. Seamlessly ingest data from Azure Blob Storage accounts and route it to preferred destinations.

• Azure Event Hubs - Ingest and process large volumes of log and event data in real-time. This integration enables high-throughput data collection from Azure infrastructure.

New Targets​

• Microsoft Sentinel data lake - Route data to Microsoft Sentinel data lake for long-term security analysis and large-scale investigations. Preserves both structured and raw data for comprehensive forensic analysis.

• Elasticsearch - Index data into Elasticsearch for powerful search and analytics. Structured fields are stored for efficient searching, while unstructured data is preserved to maintain all information for comprehensive log analysis.

• Azure Event Hubs - Stream data to Azure Event Hubs for large-scale event processing and integration. Structured fields are transmitted, or raw data is forwarded if unrecognized, enabling real-time data pipelines and downstream processing.

🔧 Improvements​

Device and Target Enhancements​

• Windows Log Type Pipeline Selection - Optional pre-processing pipeline selection for Windows devices provides greater control over Windows log processing. Choose specific pipelines to transform and enrich data before it reaches its destination, enabling customized data processing workflows tailored to security and operational needs.

• Windows New Log Types - Windows devices now support additional log types including Event Logs and Firewall Logs with both Basic and Custom configuration options. Event Logs provide comprehensive system, security, and application event data, while Firewall Logs capture network traffic and security events, enhancing visibility into Windows infrastructure and strengthening security monitoring capabilities.

• Director Proxy Fields - Added proxy fields to Azure Data Explorer, Microsoft Sentinel, and Azure Blob Storage targets for enhanced metadata tracking. These fields provide additional context about data routing and processing through the Director component, enabling better traceability and debugging of data pipelines across multiple Azure destinations.

• Target Deletion Protection - Enhanced target deletion controls prevent accidental removal of targets in use. If a target is selected in an advanced route configuration, the system now blocks its deletion, protecting data pipelines from unintended disruptions and ensuring configuration integrity.

User Interface​

• Sticky Button Areas - In the Quick Routes view, Add and Cancel buttons are now fixed in place when working with long device and target lists. Makes it easier to perform actions without scrolling, enhancing user experience and reducing clicks when managing multiple sources and destinations.

• Content Hub License Tab - New License tab added to Content Hub for better visibility into content licensing information. Users can easily view and understand license terms associated with each content package before installation, ensuring compliance and informed decision-making.

🐛 Bug Fixes​

Content Management​

• Content Download Pipeline Naming - Fixed issue where child pipelines were incorrectly created with "clone" suffixes when downloading content, resolving potential name matching problems and ensuring proper pipeline identification across configurations.

• Content Hub Dependent Content Display - Resolved bug that limited display of dependent content to maximum of 15 items in Content Hub. System now correctly shows all dependent content packages, providing complete visibility into content dependencies.

Configuration Persistence​

• Target Configuration Saving - Fixed bug where configuration changes were not being saved when adding or editing targets. Target configurations now properly persist, ensuring settings are correctly applied and maintained.

• Pipeline Configuration Updates - Resolved issue where pipeline configurations were not updating correctly after modifications. Pipeline updates now properly save and apply configuration changes, maintaining consistency across data processing workflows.

• Advanced Route Target Selection - Fixed bug where target selections in Advanced Route configurations were not being saved after selection. Target choices now correctly persist, ensuring routing rules are properly configured and executed.

• Child Pipeline Deletion - Resolved bug where child pipelines were not properly removed during "delete entire pipeline" operations. System now correctly cleans up all associated child pipelines, preventing orphaned configurations and maintaining a clean workspace.

---

This release introduces major enterprise-focused features, along with important improvements in content management. With Single Sign-On, RBAC, and the first phase of the MSSP module, our platform becomes more secure, flexible, and enterprise-ready than ever before. We've also added more vendors to the Content Hub and introduced Auto Syslog Discovery to simplify log management.

🚀 New Features​

• Single Sign-On (SSO) - Authentication method allowing users to access multiple applications with one set of credentials, integrated with Microsoft Azure AD for enhanced security, reduced password fatigue, and centralized access management

• Role-Based Access Control (RBAC) - Fine-grained access management system with predefined roles (Admin, Contributor, User) and customizable roles for Enterprise plan users, providing structured access control and scalable permission management

• MSSP Support (Phase 1) - Managed Security Service Provider module enabling Enterprise-level customers to manage multiple tenants under a single account, offering centralized tenant management, quick switching between tenants, and enhanced operational efficiency with usage visibility and control

🔧 Improvements​

Get More from Content Hub​

• More Vendors Added - We expanded the list of supported vendors, giving customers access to a wider range of parser packs out of the box. Added support for Barracuda, Infoblox, VirtualMetric vendors and Syslog target in Content Hub
• Auto Syslog Discovery - Automatically identifies the source behind each syslog message, ensuring clean and normalized logs without manual effort.
• Added filtering functionality for targets and vendors after device type selection in Content Hub

Streamlined Device Configuration​

• Added Active Directory checkbox functionality for agentless device access - when Active Directory checkbox is enabled, the system attempts to connect using the AD user credentials from the server
• Added edit functionality for syslog forwarding addresses, eliminating the need to remove and re-add entries for updates
• Added enable/disable functionality to Windows device detail pages
• Made Sentinel target rows editable after adding stream configuration

🐛 Bug Fixes​

Content Hub & Interface​

• Updated logo structure and fixed text alignment issues in Content Hub
• Fixed text overflow issues in Content Hub display
• Fixed incorrect total count display in Content Hub
• Fixed font sizes and overflow issues in pipeline and content hub displays

Device & Agent Operations​

• Fixed Agent Connection Status showing "not-connected" even when running
• Fixed IP address not displaying in UI for agentless devices
• Fixed default line delimiter for TCP/Syslog devices and file target location field

User Settings & Account Management​

• Fixed password reset flow redirect and display issues
• Fixed error page redirect when clicking audit actions
• Corrected font sizes and UI elements in Account Settings to match design specifications

Routing & Workflow​

• Fixed issue preventing removal of disabled devices and associated routes in Quick Routes

Fixed minor UI issues in the Settings pages. Resolved inconsistencies in pipeline latency reporting.

---