Releases: FalconForceTeam/FalconHound
Minor update
Added some BH(C)E AP Cypher query output parsing, where all nodes are parsed.
Some examples have been added to generate CSV files for detection prioritisation or enrichment
BloodHound API support
BloodHound now supports Cypher mutations so most update tasks can be done over the BloodHound API in stead of directly to Neo4J. However not all Cypher is supported, for example CASE, WHERE duration.between, UNION and several more.
For queries there is limited support. The BloodHound team is currently working on custom output, so Neo4j access is still required. There is an input processor, but it has limited support, we will complete this once custom query output is available.
Added admin_tier_0 - 2 system_tags to all roles based on Thomas Naunheim project (https://github.com/Cloud-Architekt/AzurePrivilegedIAM)
New
- Added BloodHound CE / Enterprise output processor.
- Added HTTPS input processor, for Azure Tiering roles
- Added JSON output
- Added several new actions
Changes
- Fixed a parsing bug in the dynamic groups collector.
- Addressed dependency vulnerability in golang/x/net
v1.3.0 - SO-CON edition
Summary
This release has a ton of performance improvements and query refinements.
GraphApi extended support which allows the collection of MFA settings per user, OauthConsent including scope, Dynamic groups, Eligible roles and much more.
Markdown has been added for simple report tables.
Elastic cloud querying has been added, ingesting and on-premise is still being developed.
New
- Added GraphAPI SDK based input processor
- Added collection of per user MFA settings via GraphApi and changes via logs
- Added OauthConsent (with scopes)
- Added early Elastic and LimaCharlie support, query only for now
- Added MarkDown report generation
- Added Azure Dynamic group collection
Changes
- Optimized several queries.
- Neo4j updates are much quicker.
- Path calculation supports legacy and BHCE now
- Input processors without config are skipped, even if enabled
- CSV and Markdown targets support {date} in the path
Added new data processors and a source skip feature
- added Falcon LogScale / Humio query support
you can now query Falcon LogScale / Humio
- added Azure Data Explorer output support
you can now write results to an Azure Data Explorer Table
- added source skipping option
you can for example use -skip MDE to not run any of the MDE Queries
improved some queries
Splunk support and quality of life additions
- Added global debug commandline parameter
you can now use the -debug flag on the commandline to get debug output for all (selected) actions
- Added custom lookback commandline option for KQL queries
you can override the 15m setting in all Kusto queries from the commandline with the -lookback parameter
- Added Splunk query support with one example action
Splunk query support is working, support for additional actions is welcome via PR to dev
Breaking changes:
- Changed the Splunk config file to support querying and output.**
Review the config.yml-sample for required and changed items
FalconHound v1.0.0
First official release, we hope you'll enjoy it!
Contributions are most welcome!