2. New features
2.1. Gatewatcher Licensing Center
Starting with version 22.214.171.124, the management servers (GCenter) use the new GATEWATCHER LICENSING CENTER (GLC) licensing system.
The license includes at least one perpetual GWAPI license associated with a GCenter.
The administrator must add a license in order to configure the hardware.
In turn, the operator can access the data in the GCenter.
To obtain a version 126.96.36.199 license, please contact your Gatewatcher business engineer or firstname.lastname@example.org.
2.2. Gatewatcher Update Manager
Starting with version 188.8.131.52, GCenters rely on a new unified update tool, the GATEWATCHER Update Manager (GUM).
It enables managing the various types of releases: update, upgrade, and hotfix.
A real time status is visible on the GCenter WEB interface.
Updates are now unified in a single package with the desired engines (Codebreaker, Sigflow, and Malcore) and can be done:
- Online; this requires an intelligence account.
- Locally, by setting a default directory.
The Malcore online update is differential and encrypted.
Customisation of the preferred schedule is possible via the GCenter WEB interface.
Hotfixes enable a patch to be applied without having to restart the GCenter.
Up to three upgrade packages for the GCenter and/or the detection probe (GCap) can be stored.
The GUM configuration is possible via a proxy server (PROXY).
2.3. Connector Endpoint Detection and Response (experimental)
It is possible to add a HarfangLab Hurukai connector (EDR) to the GCenter. The configuration of this feature is possible via a proxy server (PROXY).
2.4. Backup and restore
It is now possible to perform an encrypted backup of the GCenter configuration (license included) and of the GCap, for later restoration.
This backup can be exported locally, or via SCP or FTP, through the GCenter WEB interface.
It is possible to schedule a backup and its export via the GCenter WEB interface.
2.5. MISP connector: Malware Information Sharing Platform
It is possible to add a MISP connector to the GCenter in order to convert Indicators of Compromise (IOC) into Sigflow signatures. The configuration of this feature is possible via a proxy server (PROXY).
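The conversion the MISP connector performs, IOC attributes in, Sigflow (Suricata) signatures out, is illustrated below with an added example that is not Gatewatcher's connector code. It assumes MISP-style attributes with `type`, `value` and `event_id` fields, Suricata 5+ sticky-buffer syntax (`dns.query`, `http.host`, `http.uri`), a private SID range starting at 9000000, and a constructed sample export; unsupported IOC types (hashes) are skipped rather than turned into a meaningless rule.

```python
"""Convert MISP-style IOC attributes into Suricata/Sigflow rules.

Added example, not Gatewatcher's connector. The attribute shape
(type/value/event_id) follows the MISP attribute model; the SID base,
rule options and sample attributes are constructed assumptions.
"""
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: what a small MISP export of attributes might look like.
SAMPLE_ATTRIBUTES = [
    {"type": "domain", "value": "bad-example.test", "event_id": 42},
    {"type": "ip-dst", "value": "203.0.113.10", "event_id": 42},
    {"type": "url", "value": "http://bad-example.test/gate.php", "event_id": 43},
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "event_id": 43},
]

SID_BASE = 9000000  # assumed private SID range for generated rules


def _escape(value: str) -> str:
    """Escape characters that would break a Suricata content/msg string."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def ioc_to_rule(attr: dict, sid: int) -> Optional[str]:
    """Return one Suricata rule for a supported IOC type, else None."""
    kind, value, event = attr["type"], attr["value"], attr["event_id"]
    msg = _escape(f"MISP event {event} {kind} {value}")
    tail = f"sid:{sid}; rev:1; metadata:misp_event {event};)"
    if kind == "domain":
        # Match the name in DNS queries (sticky buffer, case-insensitive).
        return (f'alert dns any any -> any any (msg:"{msg}"; dns.query; '
                f'content:"{_escape(value)}"; nocase; {tail}')
    if kind == "ip-dst":
        # Any IP traffic towards the indicator address.
        return f'alert ip any any -> {value} any (msg:"{msg}"; {tail}'
    if kind == "url":
        parts = urlparse(value)
        if not parts.hostname:
            return None
        uri = parts.path or "/"
        if parts.query:
            uri += "?" + parts.query
        # Host header and URI must both match; the scheme is not a property
        # Suricata can see inside encrypted traffic, so it is ignored here.
        return (f'alert http any any -> any any (msg:"{msg}"; http.host; '
                f'content:"{_escape(parts.hostname)}"; http.uri; '
                f'content:"{_escape(uri)}"; {tail}')
    return None  # hashes and other types are not expressible as flow rules


def convert(attributes: List[dict], sid_base: int = SID_BASE) -> List[str]:
    """Generate sequentially numbered rules, skipping unsupported IOC types."""
    rules = []
    sid = sid_base
    for attr in attributes:
        rule = ioc_to_rule(attr, sid)
        if rule is None:
            continue
        rules.append(rule)
        sid += 1
    return rules


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_ATTRIBUTES)))
```

SIDs must not collide with the vendor rulesets already loaded on the GCap, which is why a dedicated private range is reserved for connector-generated rules; the `metadata` option keeps the originating MISP event visible in the resulting Sigflow alert.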
2.6. GBox Interconnection
It is now possible to interconnect a GBox to the GCenter and automatically send malware to it.
Configuring the GBox is possible via a proxy server (PROXY).
2.7. Sigflow advanced settings
It is possible to configure the advanced options of Sigflow for all GCaps via the WebUI of the GCenter.
It is now possible to configure many parameters, such as:
- Local GCap filtering (XDP Filter).
The Sigflow Manager container was merged into the GCenter WebUI container.
2.8. Rulesets per physical interface
A ruleset can now be configured via the GCenter WebUI either globally or per physical interface, with a GCap compatible with GCenter version 184.108.40.206.
All containers in the GCenter are now based on a Debian 10 (Buster) Linux distribution.
2.10. Python 3.6 or higher
All GCenter Python code is in Python 3.6 or higher.
2.11. GCenter API
GCenter’s internal API aggregates almost all of the application configuration templates of the host machine and/or its containers.
2.12. Simplifying the configuration script
It is now possible to configure the GCenter with a Python command line script that takes arguments.
2.13. Startup of GCenter services
When the GCenter is started, a check of each service is performed to verify whether it was started correctly.
2.14. GCenter URLs
In an effort to simplify and organise, all the URLs of the GCenter WebUI were unified.
GCenter is now also capable of detecting the absence or loss of a GCap using a Heartbeat daemon.
2.16. ElasticSearch (ES) and Index Life Cycles (ILM)
Starting with version 220.127.116.11, GCenter includes version 6.8 of the ELK suite.
It enables reinforcing the security of the clusters.
The KIBANA tables were completely revised.
The Index Life Cycle (ILM) enables increasing the retention capacity of alerts and metadata by using these features:
- Hot data is kept on SSD media.
- Cold data is kept on HDD media.
The ILM keeps the last 24 hours of data in the hot zone. After that, the data is moved to the cold zone.
N.B.: for performance and time reasons, only the ‘logstash-‘ and ‘malwares-‘ indexes are retained. In version 18.104.22.168, the ‘logstash-‘ indexes are renamed ‘suricata-‘.
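What the hot/cold split above looks like as Elasticsearch 6.8 configuration is shown by the following added example, which is not Gatewatcher's own configuration: it builds an ILM policy whose hot phase rolls indices over daily and whose cold phase, 24 hours after rollover, relocates them to nodes tagged as HDD storage, plus an index template that pins new indices to the SSD nodes. The node attribute name `box_type` and its values `hot`/`cold`, the rollover alias names and the shard count are assumptions; the `suricata-` and `malwares-` index patterns come from the page.

```python
"""Build an ES 6.8 ILM policy and index template for a hot (SSD) / cold (HDD) split.

Added example, not Gatewatcher's configuration. Assumes Elasticsearch data
nodes carry a custom attribute 'box_type' set to 'hot' on SSD nodes and
'cold' on HDD nodes (node.attr.box_type in elasticsearch.yml).
"""
import json
from typing import Dict, List, Optional

HOT_ATTR, COLD_ATTR = "hot", "cold"  # assumed values of node.attr.box_type


def build_ilm_policy(hot_hours: int = 24, delete_after_days: Optional[int] = None) -> Dict:
    """ILM policy: roll over in the hot phase, move to HDD nodes after hot_hours.

    Phase min_age is measured from rollover, so the cold phase begins
    hot_hours after the index stopped being written to.
    """
    age = f"{hot_hours}h"
    phases = {
        "hot": {"actions": {"rollover": {"max_age": age}}},
        "cold": {
            "min_age": age,
            "actions": {"allocate": {"require": {"box_type": COLD_ATTR}}},
        },
    }
    if delete_after_days is not None:  # the page mentions no deletion; optional
        phases["delete"] = {"min_age": f"{delete_after_days}d", "actions": {"delete": {}}}
    return {"policy": {"phases": phases}}


def build_index_template(patterns: List[str], policy_name: str, alias: str) -> Dict:
    """Index template pinning new indices to SSD nodes and attaching the policy."""
    return {
        "index_patterns": patterns,
        "settings": {
            "index.number_of_shards": 1,  # assumption; size to the cluster
            "index.routing.allocation.require.box_type": HOT_ATTR,
            "index.lifecycle.name": policy_name,
            "index.lifecycle.rollover_alias": alias,
        },
    }


def _to_hours(age: str) -> int:
    """Parse the small subset of ES time units used here ('24h', '7d')."""
    return int(age[:-1]) * {"h": 1, "d": 24}[age[-1]]


def phase_for_age(hours_since_rollover: int, policy: Dict) -> str:
    """Which phase ILM would have an index in, given hours since its rollover."""
    phases = policy["policy"]["phases"]
    current = "hot"
    for name in ("warm", "cold", "delete"):  # ILM phase order
        if name in phases and hours_since_rollover >= _to_hours(phases[name]["min_age"]):
            current = name
    return current


if __name__ == "__main__":
    policy = build_ilm_policy()
    print(json.dumps(policy, indent=2))  # body for PUT _ilm/policy/gcenter-hot-cold
    print(json.dumps(build_index_template(["suricata-*"], "gcenter-hot-cold", "suricata"), indent=2))
    print(json.dumps(build_index_template(["malwares-*"], "gcenter-hot-cold", "malwares"), indent=2))
    for hours in (1, 24, 72):
        print(hours, "h after rollover ->", phase_for_age(hours, policy))
```

The rollover action only works when documents are written through the alias named in `index.lifecycle.rollover_alias`, with the current index marked as the write index; the allocation filter in the template is what keeps a freshly created index on SSD until ILM's cold-phase `allocate` action moves it.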
2.17. Orchestration daemon
In order to ensure the continuity of the GCenter services, an orchestration daemon was added.
2.18. Machine Learning and ‘Domain Generation Algorithm’
As of version 22.214.171.124, GCenter embeds a deep-learning (Machine Learning) model to detect Domain Generation Algorithms (DGA).
This new feature enables detecting DGAs that may be linked to Command and Control (C&C) servers used by malware.
The threshold for triggering an alert is configurable via the GCenter WebUI.
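To show how a configurable threshold sits on top of a per-domain score, here is an added example that is not Gatewatcher's model: in place of the page's deep-learning classifier it uses a simple lexical heuristic (character entropy, digit ratio and vowel ratio of the second-level label), which is a common SOC stand-in and is only meant to make the threshold mechanics concrete. The feature weights, the default threshold of 3.0, the label extraction (second-to-last label, no public-suffix handling) and the sample domains are all constructed assumptions.

```python
"""Threshold-based DGA alerting over a lexical score.

Added example, not Gatewatcher's detector: a hand-written heuristic stands
in for the page's deep-learning model so the threshold logic can be shown.
Weights, threshold and sample domains are constructed assumptions.
"""
import math
from collections import Counter
from typing import List, Tuple

VOWELS = set("aeiou")


def _label(domain: str) -> str:
    """Second-level label, e.g. 'google' for 'www.google.com'.

    Assumption: no public-suffix list, so 'co.uk' style domains are not handled.
    """
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def _entropy(text: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def dga_score(domain: str) -> float:
    """Higher means more random-looking: high entropy, many digits, few vowels."""
    label = _label(domain)
    if not label:
        return 0.0
    n = len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    return _entropy(label) + 3.0 * digit_ratio - 2.0 * vowel_ratio


def assess(domains: List[str], threshold: float = 3.0) -> List[Tuple[str, float, bool]]:
    """Score each domain and flag those at or above the configured threshold."""
    results = []
    for d in domains:
        score = dga_score(d)
        results.append((d, round(score, 3), score >= threshold))
    return results


# Constructed sample of queried names, as they might appear in DNS metadata.
SAMPLE_DOMAINS = ["www.google.com", "en.wikipedia.org", "xk3jf9qpz2lm.com"]

if __name__ == "__main__":
    for domain, score, alerted in assess(SAMPLE_DOMAINS, threshold=3.0):
        print(f"{domain:24} score={score:6.3f} alert={alerted}")
```

Lowering the threshold trades missed DGA domains for more false positives on legitimate names with unusual spelling, which is why the page exposes it as a tunable rather than a fixed value; running the scorer over a day of the organisation's own DNS queries before changing it is the cheapest way to see where benign names fall.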
2.19. Malicious PowerShell detection based on Machine Learning
Starting with version 126.96.36.199, GCenter uses self-learning to analyse PowerShell scripts and detect whether they are malicious. This is only available with a compatible GCap.
2.20. Shellcodes visualisation
In order to simplify the understanding of a Shellcode attack, it is possible to view a chart via the GCenter WebUI.
2.21. KIBANA - NETDATA tables
Implementing the new version of KIBANA and the ES partition enables creating tables to display GCap logs via the ‘GCenter/Trackwatch Logs’. Eventually, the KIBANA tables will centralise the logs of all the hardware.
2.22. LastInfoSec / Sigflow
Sigflow now integrates the external source ‘LastInfoSec’ (French CTI). This feature is experimental.
2.23. Malcore analysis
Version 188.8.131.52 enables correlating files analysed by Malcore with a flow based on a ‘flow_id’.
It is possible to activate multi-tenant support via the GCenter WebUI. This requires a compatible GCap.
2.25. Customisation of the session duration
As of version 184.108.40.206, it is possible to customise the WEB session duration per user.
2.26. LDAPS / AD centralised authentication
Lightweight Directory Access Protocol (LDAP) authentication no longer requires creating specific groups in the directory. It now uses mappings.
LDAP can now be used over SSL (LDAPS) or STARTTLS.
LDAP authentication can be done anonymously or using a dedicated account.
Validating self-signed server certificates is possible and optional.
As of version 220.127.116.11, the KAFKA export no longer exists.
2.28. Public API
Version 18.104.22.168 introduces the development of a public API and its documentation. This is based on the open source tool SWAGGER.