Skip to main content

Tenzir v4.4

· 3 min read
Dominik Lohmann

Tenzir v4.4 is out! We've focused this release on integrations with two pillars of the digital forensics and incident response (DFIR) ecosystem: YARA and Velociraptor.

YARA Operator

The star feature of this release is the new yara operator. You can now match YARA rules directly within byte pipelines. This is a game-changer for threat intelligence and cybersecurity workflows, as it brings together all of Tenzir's connectors with the community's rich ecosystem of YARA rules for efficient malware detection and analysis. Evaluating a set of rules on a file located in an S3 bucket has never been easier:

load s3 bucket/file.exe
| yara path/to/rules/

We've written a blog post on the YARA operator that shows just how it works and explains in-depth how you can use it: Matching YARA Rules in Byte Pipelines

Velociraptor Operator

Velociraptor is an advanced DFIR tool that enhances your visibility into your endpoints. Not unlike our own TQL, Velociraptor comes with its own language for interacting with it programmatically: VQL. The velociraptor operator makes it possible to submit VQL queries to a Velociraptor server, as well as subscribe to artifacts in hunt flows over a large fleet of assets, making endpoint telemetry collection and processing a breeze.


Read our blog post on how we built this integration and how you can utilize it: Integrating Velociraptor into Tenzir Pipelines

AMQP Connector

The new amqp connector brings a full-fledged AMQP 0-9-1 client to the table. Relying on the battle-proven RabbitMQ C client library, the operator makes it possible you to interact with queues and exchanges as shown in the diagram below:

Noteworthy Improvements

Besides the new operators, I would like to highlight the following changes:

  • Live Exports: Start your pipeline with export --live to get all events in one pipeline as they are imported.

  • Blob Type: We've added a new blob type that allows you to handle binary data. Use the blob type over the string type for binary payloads that are not UTF8-encoded.

  • Rich Schema Inference for CSV: Inferring schemas for CSV files has been significantly enhanced. It now provides more precise types, leading to more insightful analysis.

  • Automated Pipeline Management: New controls for auto-restart, auto-delete and a runtime limit are now available when creating a pipeline. For a more granular control of the auto-restart and auto-delete behavior, the Stopped state for pipeline has now been divided into Stopped, Completed, and Failed. The states reflect whether a pipeline was manually stopped, ended naturally, or encountered an error, respectively.

  • Label Support for Pipelines: You can now visually group related pipelines using the new labels feature. This helps you in organizing your pipelines better for improved visibility and accessibility.

We provide a full list of changes in our changelog.

Check out the new features on We're excited to see the amazing things you will accomplish with them!

Your feedback matters and drives our growth. Join the discussion in our Discord!