
v1.7.1

@subbyte subbyte released this 14 Jul 00:15
481ea6c

We add the LIMIT keyword to GET and FIND so a user can retrieve a bounded sample of records from a live data source when the full result set is too large and would take many minutes or hours to retrieve.

  • This makes it possible to hunt over very large data. In that case, stix-shifter does not know how many entries remain, so Kestrel cannot estimate the total retrieval time.
  • Use the LIMIT keyword to get a sample of the results, inspect it, refine the pattern in GET/FIND, and rerun to narrow in on the suspicious entities at a smaller scale (finally running the GET/FIND without LIMIT).
  • Check the syntax for GET and FIND in the Kestrel documentation for more details on its usage.
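The sample-inspect-refine-rerun loop described above, written out as a Kestrel hunt flow. This is an added example, not a flow from the release or the Kestrel project; the data source name `stixshifter://edr`, the time window, and the PowerShell pattern are constructed, and the placement of LIMIT after the time range (and after the variable in FIND) is assumed from the Kestrel documentation rather than stated on this page.

```kestrel
# Step 1: sample first. LIMIT caps the live retrieval so the pattern
# can be checked in seconds instead of waiting on the whole result set.
procs = GET process
        FROM stixshifter://edr
        WHERE name = 'powershell.exe'
        START 2023-07-01T00:00:00Z STOP 2023-07-08T00:00:00Z
        LIMIT 100

# Step 2: inspect the sample to see which attributes separate noise from signal.
DISP procs ATTR name, command_line, pid

# Step 3: refine the pattern based on what the sample showed
# (here: encoded command lines), still sampled while iterating.
encoded = GET process
          FROM stixshifter://edr
          WHERE name = 'powershell.exe' AND command_line LIKE '%-enc%'
          START 2023-07-01T00:00:00Z STOP 2023-07-08T00:00:00Z
          LIMIT 100

DISP encoded ATTR command_line, parent_ref.name

# Step 4: once the pattern is precise, drop LIMIT for the full retrieval.
encoded_all = GET process
              FROM stixshifter://edr
              WHERE name = 'powershell.exe' AND command_line LIKE '%-enc%'
              START 2023-07-01T00:00:00Z STOP 2023-07-08T00:00:00Z

# FIND accepts LIMIT too: sample the child processes of the refined set
# before walking the whole process tree.
children = FIND process CREATED BY encoded_all LIMIT 200
DISP children ATTR name, command_line
```

Each sampled step keeps the stix-shifter round trip short, so the expensive unbounded query runs only once, with a pattern that has already been validated against real records.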

Known Issues

Fast translation is broken (#370) and will be fixed in the next Kestrel release. Please do not enable fast translation in the stix-shifter data source interface configuration (stixshifter.yaml).

Added

  • LIMIT keyword in GET/FIND
  • LIMIT support in stix-shifter interface and stix-bundle interface
  • Unit tests for LIMIT
  • Documentation for LIMIT
  • New transform function RECORD
  • Documentation for RECORD
  • Unit tests for RECORD

Changed

  • Use prefetched results directly for GET/FIND when available, instead of merging them with the results of the local/main query

Fixed

  • stix-shifter interface translator error message passing bugs
  • stix-shifter interface transmitter error message passing bug
  • infinite loop in the stix-shifter interface transmitter
  • stix-shifter connector pip uninstall hanging issue
  • prefetch logic error on an empty return
  • dataframe index error in CSV export