2. New features and improvements

2.1. Detection engines and features

2.1.1. DGA detection engine

A new version of our Domain Generated Algorithm (DGA) detection engine is available featuring:

An optimized algorithm to reduce false positives
The possibility of managing the motor sensitivity with six different levels
A system that helps the analysts to configure the list of domains to be ignored

2.1.2. Malcore detection engine

A new version of the Malcore engine is available, improving its performance and stability.

2.1.3. Beacon detect detection engine

A command and control (C&C) infrastructure tag detection engine is now available to detect encrypted communications between an infected host and a C&C server.

A system is available to help the analysts configure the list of IP addresses to be ignored.

2.1.4. Ransomware detect detection engine

A ransomware detection engine is now available to detect the activities of this type of malware over the SMB protocol.

It is possible to:

Manage the motor sensitivity with six different levels
Investigate on the basis of an SMB session identifier
Add IP addresses to a whitelist

2.1.5. GScan detection engine

The GScan engine's interface has been enhanced to provide more details on the files analyzed on demand.

2.1.6. Auto-threshold feature

A new auto-threshold feature is available to limit the number of alerts generated by the Sigflow engine.
This feature is based on threshold rules that will be directly applied to the Sigflow engine.
An analyst will be able to use one of the seven existing configuration profiles, or configure a custom profile.

2.1.7. Multitenant feature for network variables

A new feature to improve the support for multitenant architectures is available for the Sigflow engine.

This feature allows you to declare:

A variable with a different configuration per tenant
A customized network address type variable
A customized network port type variable

2.2. Analysts: WebUI and features

2.2.1. Home page improvement

The home page has been enhanced to quickly display the important information for analysts and administrators.

2.2.2. Improved alerts management

The alert management system has been enhanced to:

Acknowledge the alerts
Make alerts silent
Sort the alerts according to different criteria (risk level, name, date, number of occurrences)
Manage bulk alerts

Alerts that have been acknowledged are excluded from the risk level calculation.

2.2.3. Asset and user filtering

In the search bar, it is now possible to filter assets and users by risk level (risk_min and risk_max).

2.3. Administration: WebUI and features

2.3.1. New notification system

A new notification system in the Health menu is available to warn the users of malfunctions in certain components of the solution.

A notification can be triggered in many situations:

Engine update problems
Configuration problems
Connection problems between the GCap and the GCenter
Compatibility problems
Performance problems

These notifications can be silenced or acknowledged.

2.3.2. History of administrative actions

A new feature has been developed to log user actions.

The events generated can be exported to a Syslog server.

2.3.3. Standardized the event format

A new event format, ECS (Elastic Common Schema), is available for the alerts, metadata and administration events.

A compatibility mode exists for the data export, allowing you to keep the old format, which will be deleted in the next major release.

2.3.4. Improved data export

The data export feature now allows :

Filter alerts by engine
Export system events

2.4. WebUI – Kibana dashboards

2.4.1. Improvements of the existing dashboards

The existing dashboards have been restructured to improve the visibility and facilitate the investigation.

2.4.2. New Beacon detect dashboard

A new dashboard is available for viewing the events from the Beacon detect engine.

2.4.3. New Ransomware detect dashboard

A new dashboard is available for viewing the events from the Ransomware detect engine.

2.4.4. New Relations dashboard

A dashboard showing the relationships between the various IP addresses in the solution is available in the Hunting > Network Metadata > Relations menu.

2.4.5. New Administration dashboard

A new dashboard is available for viewing the administration events.

2.5. System

2.5.1. Update of the operating system

The operating system was updated to the latest Long-Term Support (LTS) version.

2.5.2. Update of the kernel

The operating system kernel was updated to the latest Long-Term Support (LTS) version.

2.5.3. Update of the components

The various operating system components have been updated.

2.5.4. Virtualization

GCenter is officially supported on VMware ESXi hypervisors.

2.5.5. ECDSA certificates

The ECDSA certificates are supported to secure the access to the GCenter web interface.

2.5.6. GCenter configuration tool

The GCenter configuration tool has been enhanced to facilitate the network setup and to add SSH keys to the "setup" user.

2.6. Other improvements

2.6.1. Contextual help

A contextual help is available on the GCenter web interface.

2.6.2. Reflex Interoperability

A new menu is available to interconnect with the Reflex solution.

2.6.3. API improvement

New API points have been added to automate certain actions.

2.6.4. PCI-DSS compliance

A new option has been added to replace the credit card numbers with a specific keyword.

2.6.5. LDAP authentication

When connecting using an LDAP server for authentication, if the account used is present in the GCenter's local database, it is deactivated to avoid conflicts.

2.7. Other changes

2.7.1. Renaming `active-hunt` in `active-cti`

The classtype of suricata rules generated by active CTI is renamed to active-cti.

2.7.2. Interoperability withdrawal

Interconnections with the following solutions have been removed:

Intelligence
Hurukai

2.7.3. IDMEF format

The IDMEF format is no longer supported when exporting events to a Syslog server.