The star feature of this release is the new yara
operator. You can now match YARA
rules directly within byte pipelines. This is a game-changer for threat
intelligence and cybersecurity workflows, as it brings together all of Tenzir's
connectors with the community's rich ecosystem of YARA rules for efficient
malware detection and analysis. Evaluating a set of rules on a file located in
an S3 bucket has never been easier:
load s3 bucket/file.exe
| yara path/to/rules/
We've written a blog post on the YARA operator that shows just how it works and explains in-depth how you can use it: Matching YARA Rules in Byte Pipelines
Velociraptor is an advanced DFIR tool that enhances your
visibility into your endpoints. Not unlike our own TQL,
Velociraptor comes with its own language for interacting with it
programmatically: VQL. The
velociraptor operator makes it possible to submit
VQL queries to a Velociraptor server, as well as subscribe to artifacts
in hunt flows over a large fleet of assets, making endpoint telemetry
collection and processing a breeze.
Read our blog post on how we built this integration and how you can utilize it: Integrating Velociraptor into Tenzir Pipelines
The new amqp connector brings a full-fledged AMQP
0-9-1 client to the table. Relying on the battle-proven RabbitMQ C client
library, the operator makes it possible
for you to interact with queues and exchanges as shown in the diagram below:
Besides the new operators, I would like to highlight the following changes:
Live Exports: Start your pipeline with
export --live to get all events in one pipeline as they are imported.
Blob Type: We've added a new
blob type that allows you to handle binary data. Use the
blob type over the
string type for binary payloads that are not UTF-8-encoded.
Rich Schema Inference for CSV: Inferring schemas for CSV files has been significantly enhanced. It now provides more precise types, leading to more insightful analysis.
Automated Pipeline Management: New controls for auto-restart, auto-delete and a runtime limit are now available when creating a pipeline. For more granular control of the auto-restart and auto-delete behavior, the Stopped state for pipelines has now been divided into Stopped, Completed, and Failed. The states reflect whether a pipeline was manually stopped, ended naturally, or encountered an error, respectively.
Label Support for Pipelines: You can now visually group related pipelines using the new labels feature. This helps you in organizing your pipelines better for improved visibility and accessibility.
We provide a full list of changes in our changelog.
Check out the new features on app.tenzir.com. We're excited to see the amazing things you will accomplish with them!
Your feedback matters and drives our growth. Join the discussion in our Discord!