Corelight-update Release Notes

v1.15.0 (April 2025)

Enhancements

  • Added support for writing logs to the /var/log/corelight-update.d/corelight-update.log file.

  • Added user configurable color formatting to the terminal and/or logs.

  • Directed non-error logs to stdout instead of stderr and added color formatting to the logs.

  • Updated input validation logs to use verbose level instead of error.

  • Updated the -v flag for verbose logging and added the --version flag for printing the version.

  • Added support for reloading the global config in each cycle and auto-creating the config file if missing.

  • Added deprecation warning for Fireeye Integration, to be removed in v1.17.0.

  • Added a CLI option to reset the global config to defaults.

  • Added a CLI option to reset a policy config to defaults.

Bug fixes

  • Fixed the bug related to SentinelOne HostId.

  • Updated AlienVault OTX’s caching mechanism.

  • Updated CrowdStrike’s caching mechanism.

  • Fixed a bug related to Axonius where it did not use all of the returned results.

  • Fixed a bug where Suricata config files would not get pushed if the only push option enabled was “suricata_configs”.

v1.14.1 (March 2025)

Enhancements

  • Added support for Axonius returning random data types.

  • Renamed software sensor to microsensor in the configuration inventory settings.

  • Removed support for importing pre 1.0 configurations.

v1.14.0 (March 2025)

Enhancements

  • Added support for STIX/TAXII Intel integration.

  • Added support for Analyst1 Suricata integration.

  • Added support for Analyst1 YARA integration.

  • Added support for Analyst1 Intel integration.

  • Added support for adding YARA source on Fleet Manager.

  • Added YARA policy source to download preformatted YARA rule file.

  • Added support for CrowdStrike YARA rules integration.

  • Added support to collect endpoint type and OS from SentinelOne Host integration.

  • Added support for adding Suricata source on Fleet Manager, if Suricata Automation is enabled.

Bug fixes

  • Fixed a bug related to Intel source creation.

  • Added a default value for the request limit in integrations where it was not applied.

  • Fixed a bug related to proxy settings.

  • Fixed a bug related to missing Suricata logs.

v1.13.1 (January 2025)

Enhancements

  • Added a log message instead of throwing an error when no new Suricata files are available for upload.

Bug fixes

  • Fixed a bug related to the endpoint status field for MS Defender.

v1.13.0 (November 2024)

Enhancements

  • Added support for Microsoft Defender integration.

  • Optimized Suricata policy file update in Fleet.

v1.12.0 (September 2024)

Enhancements

  • Added support for TenableIO CVE integration.

  • Updated configurations for CrowdStrike integration.

  • Added cache cleanup and fallback to cached data in case of integration processing errors.

Bug fixes

  • Fixed a bug related to unreadable characters in Debug mode.

  • Corrected field to be used in SentinelOne HostUID.

v1.11.0 (August 2024)

Enhancements

  • Added support for Fleet Manager Intel Policies for FM 27.14 and later.

  • Added support for custom source filenames for downloaded files.

  • Added user configurable client timeout settings for downloading files.

  • Updated CrowdStrike integration to use new API. Improves performance and removes 10,000 host limitation.

  • Added SentinelOne Host integration.

  • Added SentinelOne CVE integration.

v1.10.1 (April 2024)

Enhancements

  • Added an optional filename for downloaded sources.

Bug fixes

  • Updated directory permissions for /opt/corelight-update/corelight-recommended.

v1.10.0 (April 2024)

Enhancements

  • Added support for quotes in Intel and Input files.

Bug fixes

  • Fixed a bug that limited Global Suricata config files to a single file.

v1.9.4 (March 2024)

Bug fixes

  • Fixed an issue that disabled all new packages when a bundle was uploaded.

  • Corrected permissions for .rpm files.

v1.9.2 (January 2024)

Bug fixes

  • Fixed an xbit and hostbit parsing issue.

v1.9.0 (January 2024)

Enhancements

  • Added support for Intel files in sensor policies for Fleet Manager v27.9.

  • Added support for Axonius integration.

  • Added additional fields to CrowdStrike CVE and Host integration.

  • Added Suricata bit dependency correction feature.

  • Renamed host_uid field to uid in the vulnerability and hosts integrations.

  • Added cid field to the vulnerability and hosts integrations.

Bug fixes

  • Fixed an issue with Suricata and Intel file cleanup.

v1.8.1 (September 2023)

Bug fixes

  • Fixed the path for push published input files.

v1.8.0 (September 2023)

Enhancements

  • Added support for Suricata policies in Fleet Manager v27.8.

  • Added configuration option to specify Fleet Manager sensor policy and Suricata policy names.

  • Added a feature to remove (“disable”) individual intel indicators.

  • Added support for remote Input files.

  • Added support to use the same Input file from multiple sources at the same time.

  • Increased support for pushing in parallel to Fleet Manager managed sensors.

  • Added support to auto replace autoupdate policy config files when the database structure changes.

v1.7.3 (August 2023)

Enhancements

  • Added additional fields to the CrowdStrike Hosts integration.

v1.7.2 (August 2023)

Enhancements

  • Added a network timeout variable for waiting on a status from a sensor after a file upload.

Bug fixes

  • Fixed a bug that caused an exit if the icannTLD integration has an error.

v1.7.1 (August 2023)

Enhancements

  • Added a bash_completion script.

Bug fixes

  • Fixed a bug so checking the status of an uploaded file through Fleet Manager uses a bearer token.

  • Adding a new user on RPM-based OSes now assigns the ‘/sbin/nologin’ shell.

v1.7.0 (July 2023)

Enhancements

  • Added a new integration for Crowdstrike Exposure Management CVE.

  • Added a new integration for Crowdstrike Exposure Management Hosts.

v1.6.3 (July 2023)

Bug fixes

  • Fixed an issue where network settings were missing after an upgrade.

v1.6.2 (June 2023)

Enhancements

  • Improved logging output to log when a download attempt is intercepted by an external proxy.

  • Added support to configure network settings for sensor communications.

  • Added the following new CLI options:
    • show -network

    • update -network-setting [setting1=value1 setting2=value2 ... settingN=valueN]

    • update -network-settings [setting1=value1 setting2=value2 ... settingN=valueN]

Bug fixes

  • Fixed a bug that caused sensor traffic to use the same proxy configuration as download traffic.

  • Improved error output when updating policy configurations.

  • Fixed a bug that compared suricata config files before they are downloaded.

v1.6.1 (May 2023)

Enhancements

  • Added support to prevent policies from being created if the name begins with a ‘-’.

Bug fixes

  • Fixed an issue that prevented downloading intel sources for a policy without any suricata sources.

v1.6.0 (March 2023)

Enhancements

  • Added a global option to auto-update policies each time the service runs.

  • Added a global setting to push content to sensors in parallel (defaults to 10).

v1.5.0 (February 2023)

Enhancements

  • Added support for uploading Suricata configurations to all sensors.

  • Added support for pushing signed package bundles to all sensors, except Microsensors.

  • Added support for the new CSRF requirement in the Fleet Manager v27.3 API.

v1.4.1 (February 2023)

Bug fixes

  • Fixed an issue where empty options were written to Suricata rules.

  • Fixed an issue where an empty “If-Modified-Since” header is used during file downloads.

v1.4.0 (January 2023)

Enhancements

  • Added a new integration for Mandiant Threat Intelligence.

  • If Fleet Manager details are configured, and a matching policy exists, the Fleet Manager policy will be updated even if no sensors are assigned to it.

  • Added the following new CLI options:
    • add -policy and add -policies are interchangeable.

    • remove -policy and remove -policies are interchangeable.

    • -file and -path are interchangeable on all relevant CLI commands.

    • Most of the Global configuration settings can be updated directly from the CLI:
      • update -global-setting [setting1=value1 setting2=value2 ... settingN=valueN]

      • update -global-settings [setting1=value1 setting2=value2 ... settingN=valueN]

  • Added “basic” auth support for sources.

  • Added support for pulling Global Suricata config files from remote sources.
    • Includes support for no auth, basic auth, and token auth.

  • Added support for pulling Policy Suricata config files from remote sources.
    • Includes support for no auth, basic auth, and token auth.

  • Added the ability to append content to the Metadata and Other fields using modify.conf.

  • Added the ability to identify rules with Metadata contains string.

  • Added the option to include disabled Suricata rules in the ruleset file.

  • Simplified the global configuration by removing the global integration table. Each integration is now enabled using its own settings.

  • The update -policy command now uses a transaction. If any part of the update fails, the update is not applied.

  • Removed the config templates (obsolete). The import -policy <policy name> -file <path to config file> command can be used to apply the same config to different policies.

  • Removed the policy backup functions (obsolete). The show -policy <policy name> -file <path to save config file> command can be used to save a backup.

Bug fixes

  • Fixed an issue where package bundles were not created with other:read permissions on all files, causing packages not to load on sensors.

  • Pushing package bundles now updates a Fleet Policy instead of trying (and failing) to push through Fleet to the sensors.

v1.3.0 (November 2022)

Enhancements

  • Fleet managed sensors no longer have to be listed in the inventory section of the policy. The list will automatically be pulled from Fleet Manager.

  • Added support for AlienVault OTX.

  • Added configurable URL for ICANNTLD.

  • The Integration table has been removed; each integration is now enabled within its own configuration.

v1.2.1 (November 2022)

Enhancements

  • Added a basic web menu to the root of the webservice.

Bug fixes

  • Fixed a bug that would cause a policy to fail if no intel files were present.

  • Added a redirect in the webservice if the trailing slash is missing for /docs/ or /files/.

v1.2.0 (October 2022)

Enhancements

  • Added support for global cache and policy level Intel sources that can be downloaded in Zeek format, like ThreatQ.

  • Added support for Token authenticated Suricata and intel sources like MISP.

  • Updated the web service to use TLS version 1.2+ and removed outdated cipher suites.

Bug fixes

  • Improved error handling with TenableSC.

  • Fixed TenableSC not reading the keys from the policy in the database.

  • Moved the home directory for the corelight-update service account to /var/corelight-update/.

  • Removed the requirement for experimental features to be enabled to upload Suricata rules to Fleet.

v1.1.0 (October 2022)

Enhancements

  • Support for encrypted passwords for inventory items.

  • Corelight-update now uses a umask of 0007 when creating files and directories.

Bug fixes

  • The before-install and before-upgrade scripts will not attempt to create the system user if it already exists.

  • Downloading content will now use the https_proxy or HTTPS_PROXY environment variables.

v1.0.1 (October 2022)

Enhancements

  • Policies are stored in a SQLite3 DB.

  • The Corelight-update service now runs as corelight-update and not root.

  • After install or upgrade, all files are owned by system user corelight-update:corelight-update.

  • All users must belong to the corelight-update user group to run Corelight-update.

  • Global configuration can be updated from either a yaml or json config file.

  • Policy configurations can be imported or updated from either a yaml or json config file.

  • Sources that do not require authentication can be added as type “suricata” or “intel”.

  • A Global Source Cache is automatically created.

  • Integration intervals are now specified in hours. See Third-party integrations settings for details.

  • The interval for processing policies is now specified in minutes. See General settings for details.

  • The web Service no longer requires root privileges to enable ports below 1024.

  • Pushing Suricata rulesets to Fleet managed sensors no longer proxies that push through Fleet. It uploads the ruleset to Fleet and updates the Fleet policy to use the new ruleset.

  • When pushing content to sensors, an inventory file is no longer used. The sensor details are part of the policy config.

  • Missing configuration files are automatically recreated.

Bug fixes

  • Set http.Transport IdleConnTimeout for Fleet to 90 seconds.