Releases: opencybersecurityalliance/firepit
1.3.0
1.2.2
1.2.1
Try to improve markroot transform (used in SqlStorage.cache()): For cases where, e.g., there are 3 IPs in a single observation, we have to pick one as the "primary" (or "root"). So we'll keep an ordered list of objects we see per type, in order of preference. Default is first-seen, but for some cases, like when a network-traffic object is present, we can use the object references to order our preferences: src_ref before dst_ref.
The main benefit of this scheme is when reconstructing the complete observation: if you LEFT OUTER JOIN by observation ID, you would get duplicates due to "fan out". Adding a WHERE clause for "x_root" IS NOT NULL will hopefully solve this.
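The fan-out and the effect of the "x_root" filter, as an added example that is not firepit's own code. The schema here (tables observed_data, ipv4_addr and a link table named contains that carries x_root) is a simplified assumption, and the sample observation is constructed.

```python
import sqlite3

# Constructed observation: three IPs in first-seen order, plus a network-traffic
# object whose src_ref/dst_ref point at two of them.
OBSERVATION = {"id": "observed-data--1", "objects": [
    {"id": "ipv4-addr--c", "type": "ipv4-addr", "value": "198.51.100.7"},
    {"id": "ipv4-addr--b", "type": "ipv4-addr", "value": "192.0.2.20"},
    {"id": "ipv4-addr--a", "type": "ipv4-addr", "value": "192.0.2.10"},
    {"id": "network-traffic--1", "type": "network-traffic",
     "src_ref": "ipv4-addr--a", "dst_ref": "ipv4-addr--b"},
]}

def pick_roots(observation):
    """Return {object type: id of the preferred ("root") object of that type}."""
    by_id = {obj["id"]: obj for obj in observation["objects"]}
    ordered = {}  # type -> ids in order of preference; default is first-seen
    for obj in observation["objects"]:
        ordered.setdefault(obj["type"], []).append(obj["id"])
    for obj in observation["objects"]:
        if obj["type"] != "network-traffic":
            continue
        # Move dst_ref to the front, then src_ref, so src_ref ends up ahead of dst_ref.
        for key in ("dst_ref", "src_ref"):
            ref = obj.get(key)
            if ref in by_id:
                ids = ordered[by_id[ref]["type"]]
                ids.remove(ref)
                ids.insert(0, ref)
    return {otype: ids[0] for otype, ids in ordered.items()}

def load(observation):
    """Build an in-memory database (hypothetical, simplified schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE observed_data (id TEXT)")
    db.execute("CREATE TABLE ipv4_addr (id TEXT, value TEXT)")
    db.execute("CREATE TABLE contains (source_ref TEXT, target_ref TEXT, x_root INTEGER)")
    db.execute("INSERT INTO observed_data VALUES (?)", (observation["id"],))
    roots = set(pick_roots(observation).values())
    for obj in observation["objects"]:
        if obj["type"] == "ipv4-addr":  # only the IP link rows matter for this demo
            db.execute("INSERT INTO ipv4_addr VALUES (?, ?)", (obj["id"], obj["value"]))
            db.execute("INSERT INTO contains VALUES (?, ?, ?)",
                       (observation["id"], obj["id"], 1 if obj["id"] in roots else None))
    return db

def ip_rows(db, roots_only):
    """Join each observation to its IPs, optionally keeping only the root per type."""
    sql = ('SELECT o.id, i.value FROM observed_data o '
           'LEFT OUTER JOIN contains c ON c.source_ref = o.id '
           'LEFT OUTER JOIN ipv4_addr i ON i.id = c.target_ref')
    if roots_only:
        sql += ' WHERE c."x_root" IS NOT NULL'
    return db.execute(sql).fetchall()
```

Without the filter the single observation comes back as three rows, one per IP; with it, only the src_ref address remains, even though it was seen last.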
1.2.0
Grouped views can now be modified (via assign() or reassign()). Doing so will cause the underlying SQL view to be converted into an actual table. As a result, a new API types() is introduced that returns the list of STIX object types in the session (formerly you could use tables() for this, but now the grouped "view" will be listed as well).
1.1.2
1.1.1
1.1.0
1.0.18
1.0.17
- PostgreSQL: switch from BIGINT to NUMERIC to handle unsigned 64-bit ints. We need to eventually do something smarter since lots of numeric fields (like src_port and dst_port) don't require anything more than INTEGER.
- Add optional batchsize keyword param to cache() for performance tuning