Add Santa team ID rules.
Multiple Elasticsearch indices/aliases for event lifecycle management.
Add event routing keys. Use routing keys for the event stores.
Refactor Puppet inventory source.
Add Workspace ONE inventory source.
Add iOS and Android apps to inventory.
Upgrade to Django 3.2 LTS.
Replace U2F with WebAuthn for 2FA.
Add API endpoints for Munki, Osquery, and Santa enrollments.
Add shards in Monolith/Munki PkgInfos and Submanifests.
Add last seen filter to inventory machine list.
Add inventory (JMESPath) and Osquery compliance checks.
Collect AWS EC2 information in inventory.
Collect macOS profiles & payloads in inventory.
New incident architecture. Add incidents for Munki reinstalls and failed installs.
Bulk store worker on GCP Pub/Sub.
Add Santa metrics and targets views.
Add event linked objects search.
Splunk can be used as frontend store.
Shards for the Santa Allow unknown and Upload all events options.
Munki managed installs collection and metrics.
Monolith managed installs collection and metrics.
`mdmcerts` management command for the MDM vendor and push certificates.
Secret engines can be used to encrypt the secrets stored in the database.
Support for Python 3.6 has been dropped. Zentral supports Python 3.7, 3.8, 3.9, and 3.10.
They could not be updated, and are not compatible with the event routing keys.
The Puppet module has been refactored, and PuppetDB instances must be configured in the setup section.
`excluded_event_types` and `included_event_types` are deprecated. They have been replaced by `excluded_event_filters` and `included_event_filters` respectively.
The Osquery module has been completely overhauled. Better dedicated Osquery models replace the legacy Osquery probes.
The MDM module has been completely overhauled. There is a new Blueprint system, with a feedback mechanism to make sure artifacts have been installed on the endpoints. A first implementation of the declarative MDM protocol is also included.
The stores were updated (Datadog, Splunk), and the dependency on Elasticsearch for the UI is progressively being removed. Extra fingerprinting is added in the event pipeline so that events can be filtered without relying on the full indexing of the event objects.
AWS SNS/SQS queue speed-up (multithreading, subscription filters, …).
Bulk or concurrent storage of events works with the compatible queues/stores.
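The deprecated `*_event_types` lists and the extra fingerprinting described above both come down to one thing: deciding, from an event's metadata alone, whether a store should receive it. As an added example (not Zentral's own code), the following evaluates include/exclude filters against event metadata and rewrites a legacy `included_event_types` / `excluded_event_types` list into the equivalent filter form. The filter keys (`event_type`, `routing_key`, `tags`), the metadata field names (`type`, `routing_key`, `tags`) and the sample events are assumptions modeled on the options named in these notes.

```python
"""Evaluating include/exclude event filters against event metadata.

Added example, not Zentral's own code. It assumes a filter is a dict with
optional "event_type", "routing_key" and "tags" keys (each a value or a
list of values) and that event metadata carries "type", "routing_key" and
"tags". Those names are assumptions modeled on the options named in the
release notes; the sample events below are constructed.
"""
from typing import Optional


def _as_set(value) -> Optional[frozenset]:
    """Normalize a filter value (None, scalar or list) to an optional set."""
    if value is None:
        return None
    if isinstance(value, str):
        value = [value]
    return frozenset(value)


class EventFilter:
    """One filter: every attribute that is set must be satisfied by the event.

    event_type / routing_key: the event's value must be one of the listed ones.
    tags: at least one of the event's tags must be listed.
    """

    def __init__(self, spec: dict):
        self.event_type = _as_set(spec.get("event_type"))
        self.routing_key = _as_set(spec.get("routing_key"))
        self.tags = _as_set(spec.get("tags"))
        if self.event_type is None and self.routing_key is None and self.tags is None:
            raise ValueError("empty filter would match every event")

    def matches(self, metadata: dict) -> bool:
        if self.event_type is not None and metadata.get("type") not in self.event_type:
            return False
        if self.routing_key is not None and metadata.get("routing_key") not in self.routing_key:
            return False
        if self.tags is not None and not (self.tags & set(metadata.get("tags", ()))):
            return False
        return True


class EventFilterSet:
    """Exclusions win; then, if any inclusions are configured, one of them must match."""

    def __init__(self, included=(), excluded=()):
        self.included = [EventFilter(spec) for spec in included]
        self.excluded = [EventFilter(spec) for spec in excluded]

    def accepts(self, metadata: dict) -> bool:
        if any(f.matches(metadata) for f in self.excluded):
            return False
        if not self.included:
            return True
        return any(f.matches(metadata) for f in self.included)


def convert_legacy_store_config(store_config: dict) -> dict:
    """Rewrite deprecated *_event_types lists as equivalent *_event_filters (input is not mutated)."""
    config = dict(store_config)
    for old, new in (("included_event_types", "included_event_filters"),
                     ("excluded_event_types", "excluded_event_filters")):
        event_types = config.pop(old, None)
        if event_types:
            config[new] = list(config.get(new, [])) + [{"event_type": list(event_types)}]
    return config


def filter_events(store_config: dict, events: list) -> list:
    """Apply a store's filters (legacy keys converted first) to a list of events."""
    config = convert_legacy_store_config(store_config)
    filter_set = EventFilterSet(config.get("included_event_filters", ()),
                                config.get("excluded_event_filters", ()))
    return [event for event in events if filter_set.accepts(event["metadata"])]


# Constructed sample events (metadata only; the payloads play no role in filtering).
SAMPLE_EVENTS = [
    {"metadata": {"type": "santa_event", "tags": ["santa"], "routing_key": "santa"}},
    {"metadata": {"type": "zentral_login", "tags": ["zentral"], "routing_key": None}},
    {"metadata": {"type": "osquery_result", "tags": ["osquery", "compliance_check"], "routing_key": "osquery"}},
    {"metadata": {"type": "munki_event", "tags": ["munki", "incident"], "routing_key": "munki"}},
]

# A store configured with the new filter form plus one deprecated key (constructed).
SAMPLE_STORE_CONFIG = {
    "included_event_filters": [{"tags": ["santa", "osquery"]}, {"routing_key": "munki"}],
    "excluded_event_filters": [{"tags": "compliance_check"}],
    "excluded_event_types": ["zentral_login", "zentral_logout"],
}

if __name__ == "__main__":
    for event in filter_events(SAMPLE_STORE_CONFIG, SAMPLE_EVENTS):
        print(event["metadata"]["type"])
```

Only `santa_event` and `munki_event` reach the store: the login event is dropped by the converted legacy exclusion, and the osquery result is dropped by the `compliance_check` tag exclusion even though its `osquery` tag matches an inclusion, because exclusions are evaluated first.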
Legacy Osquery probe queries will be migrated, but make sure you have backups before upgrading!
You will have to manually review and update the Osquery configurations after the upgrade, to re-enable the scheduled queries.
Older distributed query results will not be deleted from the event stores, but you will not be able to fetch them from the Zentral UI.
Older file carving archives will not be deleted from the Django storage, but you will not be able to fetch them from the Zentral UI.
The MDM configuration will have to be manually imported in the new MDM system.
See #186
The probes matching an event are now serialized in that event. Inactive probes cannot be used anymore to look at past events, because the stored events do not contain a reference to these probes.
The Santa module has been completely overhauled.
- Implementation of the Bundle info/events part of the Santa sync
- ALLOWLIST_COMPILER rules
- API endpoint to apply sets of rules to one or many Santa configurations
- API endpoint to ingest the `santactl fileinfo` JSON output to populate the sha256 and apps in Zentral
Rules are not managed in the Probes anymore. They are managed under each Configuration in the Santa Setup.
If you upgrade from a previous Zentral release, please make a backup! The existing rules in the Santa probes will be automatically migrated to each existing Zentral Santa Configuration. You need to carefully review them afterwards.
You can read more about it in the updated documentation.
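The rule types these notes mention (sha256/binary rules, Team ID rules, the ALLOWLIST_COMPILER policy) interact through Santa's evaluation order, which matters when reviewing migrated rules. As an added example (not Zentral's or Santa's code), the following derives the identifiers a rule could target from constructed `santactl fileinfo --json` entries and shows a targeted BINARY blocklist rule winning over a broad TEAMID allowlist rule. The fileinfo key names, the rule dict layout and the sample entries are assumptions; the dict layout is not the payload of Zentral's rule API.

```python
"""Deriving and evaluating Santa rules from `santactl fileinfo --json` output.

Added example, not Zentral's or Santa's code. The fileinfo key names
("SHA-256", "Team ID", "Signing Chain", "Code-signed") are taken from
memory of santactl's JSON output and the entries below are constructed;
check both against the Santa version in use. The rule dict layout is
this example's own, not the payload of Zentral's rule API.
"""

# Santa checks the most specific rule first: a BINARY (sha256) rule beats a
# CERTIFICATE (leaf signing certificate sha256) rule, which beats a TEAMID rule.
RULE_PRECEDENCE = ("BINARY", "CERTIFICATE", "TEAMID")
POLICIES = {"ALLOWLIST", "ALLOWLIST_COMPILER", "BLOCKLIST", "SILENT_BLOCKLIST"}

EXAMPLE_LEAF_CERT = "a" * 64
EXAMPLE_CHAIN = [  # leaf first, as santactl prints it (constructed)
    {"SHA-256": EXAMPLE_LEAF_CERT, "Common Name": "Developer ID Application: Example Corp (ABCDE12345)"},
    {"SHA-256": "b" * 64, "Common Name": "Developer ID Certification Authority"},
    {"SHA-256": "c" * 64, "Common Name": "Apple Root CA"},
]

# Constructed sample shaped like `santactl fileinfo --json` output.
SAMPLE_FILEINFO = [
    {"Path": "/Applications/Example.app/Contents/MacOS/Example", "SHA-256": "1" * 64,
     "Code-signed": "Yes", "Team ID": "ABCDE12345", "Signing Chain": EXAMPLE_CHAIN},
    {"Path": "/Applications/Example.app/Contents/Helpers/updater", "SHA-256": "2" * 64,
     "Code-signed": "Yes", "Team ID": "ABCDE12345", "Signing Chain": EXAMPLE_CHAIN},
    {"Path": "/usr/local/bin/unsigned-tool", "SHA-256": "3" * 64, "Code-signed": "No"},
]


def identifiers(entry: dict) -> list:
    """Identifiers a rule could target for one fileinfo entry, most specific first."""
    ids = [("BINARY", entry["SHA-256"].lower())]
    chain = entry.get("Signing Chain") or []
    if chain:  # chain[0] is the leaf certificate that signed the binary
        ids.append(("CERTIFICATE", chain[0]["SHA-256"].lower()))
    team_id = entry.get("Team ID")
    if team_id:
        ids.append(("TEAMID", team_id))
    return ids


def make_rule(rule_type: str, identifier: str, policy: str, custom_msg: str = "") -> dict:
    """Build one rule dict (hypothetical layout), rejecting unknown types and policies."""
    if rule_type not in RULE_PRECEDENCE:
        raise ValueError(f"unknown rule type {rule_type!r}")
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    return {"rule_type": rule_type, "identifier": identifier, "policy": policy, "custom_msg": custom_msg}


def evaluate(rules: list, entry: dict):
    """Policy Santa would apply to this entry, or None when no rule matches (unknown binary)."""
    index = {(r["rule_type"], r["identifier"]): r["policy"] for r in rules}
    for rule_type, identifier in identifiers(entry):
        policy = index.get((rule_type, identifier))
        if policy is not None:
            return policy
    return None


def team_rule_candidates(entries: list) -> dict:
    """Group signed entries by Team ID, to see everything one TEAMID rule would cover."""
    by_team = {}
    for entry in entries:
        team_id = entry.get("Team ID")
        if team_id:
            by_team.setdefault(team_id, []).append(entry["Path"])
    return by_team


# One broad allow rule for the team, one targeted block that must win over it.
SAMPLE_RULES = [
    make_rule("TEAMID", "ABCDE12345", "ALLOWLIST", "Example Corp software"),
    make_rule("BINARY", "2" * 64, "BLOCKLIST", "updater build pulled after a reported issue"),
]

if __name__ == "__main__":
    for entry in SAMPLE_FILEINFO:
        print(entry["Path"], "->", evaluate(SAMPLE_RULES, entry))
```

A TEAMID rule allows everything the developer signs with that team's certificates, so it belongs next to targeted BINARY or CERTIFICATE rules for the specific builds you want to block; the unsigned tool matches no rule at all and falls back to the configuration's default (lockdown or monitor) policy. When reviewing rules migrated from the old Santa probes, check each broad rule against the more specific ones that now sit in the same Configuration.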