Skip to main content

· 6 min read
Dominik Lohmann

Tenzir v4.6 is here, and it is our biggest release yet. The headlining feature is the all-new context feature, powered by the context and enrich operators and the new context plugin type.

· 6 min read
Matthias Vallentin

Enrichment is a major part of a security data lifecycle and can take on many forms: adding GeoIP locations for all IP addresses in a log, attaching asset inventory data via user or hostname lookups, or extending alerts with magic score to bump it up the triaging queue. The goal is always to make the data more actionable by providing a better ground for decision making.

This is the first part of series of blog posts on contextualization. We kick things off by looking at how existing systems do enrichment. In the next blog post, we introduce how we address this use case with pipeline-first mindset in the Tenzir stack.

· 4 min read
Dominik Lohmann

Here comes Tenzir v4.5! This release ships a potpourri of smaller improvements that result in faster historical query execution and better deployability.

· 3 min read
Dominik Lohmann

Tenzir v4.4 is out! We've focused this release on integrations with two pillars of the digital forensics and incident response (DFIR) ecosystem: YARA and Velociraptor.

· 6 min read
Matthias Vallentin

The new yara operator matches YARA rules on bytes, producing a structured match output to conveniently integrate alerting tools or trigger next processing steps in your detection workflows.

· 4 min read
Christoph Lobmeyer
Matthias Vallentin

The new velociraptor operator allows you to run Velociraptor Query Language (VQL) expressions against a Velociraptor server and process the results in a Tenzir pipeline. You can also subscribe to matching artifacts in hunt flows over a large fleet of assets, making endpoint telemetry collection and processing a breeze.

· 15 min read
Matthias Vallentin

One thing we are observing is that organizations are actively seeking out solutions to better manage their security data operations. Until recently, they have been aggressively repurposing common data and observability tools. I believe that this is a stop-gap measure because there was no alternative. But now there is a growing ecosystem of security data operations tools to support the modern security data stack. Ross Haleliuk's epic article lays this out at length.

In this article I am explaining the underlying design principles for developing our own data pipeline engine, coming from the perspective of security teams that are building out their detection and response architecture. These principles emerged during design and implementation. Many times, we asked ourselves "what's the right way of solving this problem?" We often went back to the drawing board and started challenging existing approaches, such as what a data source is, or what a connector should do. To our surprise, we found a coherent way to answer these questions without having to make compromises. When things feel Just Right, it is a good sign to have found the right solution for a particular problem. What we are describing here are the lessons learned from studying other systems, distilled as principles to follow for others.

· 7 min read
Jannis Christopher Köhl
Matthias Vallentin

Exciting times, Tenzir v4.3 is out! The headlining feature is Fluent Bit support with the fluent-bit source and sink operators. Imagine you can use all Fluent Bit connectors plus what Tenzir already offers. What a treat!