2. New features and enhancements

2.1. Detection engines and features

2.1.1. DGA detect engine

A new version of our DGA (Domain Generation Algorithm) detection engine is available with:

  • Optimization of the algorithm to reduce false positives

  • The ability to manage engine sensitivity with six different levels

  • A system that helps analysts configure the list of domains to be ignored


2.1.2. Malcore Detection Engine

A new version of the Malcore engine is available, improving its performance and stability.


2.1.3. Beacon detect engine

A command and control (C&C) beaconing detection engine is now available to detect encrypted communications between an infected host and a C&C server.
A system is present to help analysts configure the list of IP addresses to be ignored.

2.1.4. Ransomware detect engine

A ransomware detection engine is now available to detect the activity of this type of malware on the SMB protocol.
It is possible to:

  • Manage engine sensitivity with six different levels

  • Investigate based on the identifier of an SMB session

  • Add IP addresses to a whitelist


2.1.5. GScan Detection Engine

The GScan engine interface has been enhanced to provide more details on the files analyzed on demand.


2.1.6. Auto-threshold feature

A new `auto-threshold` feature is available to limit the number of alerts generated by the Sigflow engine.
This feature is based on threshold rules that are applied directly to the Sigflow engine.
An analyst can use one of seven existing configuration profiles or configure a custom profile.

2.1.7. Multi-tenant feature for network variables

A new feature to improve support for multi-tenant architectures is available for the Sigflow engine.
This feature makes it possible to declare:

  • A variable with a different configuration per tenant

  • A customized `network address` type variable

  • A customized `network port` type variable


2.2. Analysts: WebUI and features

2.2.1. Home Page Improvement

The home page has been improved to quickly visualize important information for analysts and administrators.


2.2.2. Improved alerts management

The alert management system has been improved to allow analysts to:

  • Acknowledge alerts

  • Silence alerts

  • Sort alerts according to different criteria (risk level, name, date, number of occurrences)

  • Manage alerts in bulk

Alerts that have been acknowledged are excluded from the risk level calculation.


2.2.3. Asset and user filtering

In the search bar, it is now possible to filter assets and users according to a risk level (`risk_min` and `risk_max`).



2.2.9. Reporting

It is now possible to generate a predefined report in docx format.


2.3. Administration: Web UI and features

2.3.1. New notification system

A new notification system in the `Health` menu is available to warn users of malfunctions in certain components of the solution.
A notification can be triggered in many situations, including:

  • Engine update problems

  • Configuration problems

  • Connection problems between the GCap and the GCenter

  • Compatibility problems

  • Performance problems...

These notifications can be silenced or acknowledged.


2.3.2. History of administrative actions

A new feature has been developed to log user actions.
The events generated can be exported to a Syslog server.

2.3.3. Standardization of the event format

A new event format, ECS (Elastic Common Schema), is available for alerts, metadata, and administrative events.
For data export, a compatibility mode exists that keeps the old format; the old format will be removed in the next major version.

2.3.4. Improved data export

The data export feature now allows:

  • Filtering alerts by engine

  • Exporting system events



2.4. WebUI – Kibana Dashboards

2.4.1. Enhancements to existing dashboards

The existing dashboards have been restructured to have better visibility and facilitate investigation.


2.4.2. New Beacon Detect dashboard

A new dashboard is available to view Beacon Detect engine events.


2.4.3. New Ransomware detect dashboard

A new dashboard is available to view Ransomware detect engine events.


2.4.4. New Relations dashboard

A dashboard for the relationships between the different IP addresses reported in the solution is available in the `Hunting > Network Metadata > Relations` menu.


2.4.5. New Administration dashboard

A new dashboard is available for consulting administration events.


2.5. System

2.5.1. Operating system update

The operating system has been updated to the latest LTS (Long-Term Support) version.


2.5.2. Kernel update

The operating system kernel has been updated to the latest LTS (Long-Term Support) version.


2.5.3. Component updates

The various components of the operating system have been updated.


2.5.4. Virtualization

The GCenter is officially supported on VMware ESXi hypervisors.


2.5.5. ECDSA Certificates

ECDSA certificates are supported for securing access to the GCenter web interface.


2.5.6. GCenter Configuration Tool

The GCenter configuration tool has been enhanced to simplify network setup and to allow SSH keys to be added for the `setup` user.


2.6. Other enhancements

2.6.1. Contextual help

Context-sensitive help is available on the GCenter web interface.


2.6.2. Reflex Interoperability

A new menu is available to interconnect with the Reflex solution.


2.6.3. API improvement

New API endpoints have been added to automate certain actions.


2.6.4. PCI-DSS Compliance

A new option has been added to replace credit card numbers with a specific keyword.


2.6.5. LDAP authentication

When a user authenticates through an LDAP server and the account used is also present in the GCenter's local database, that local account is deactivated to avoid conflicts.


2.7. Other changes

2.7.1. Renaming `active-hunt` to `active-cti`

The classtype of Suricata rules generated by active CTI has been renamed to `active-cti`.


2.7.2. Removal of interoperability

Interconnections with the following solutions have been removed:

  • Intelligence

  • Hurukai


2.7.3. IDMEF format

The IDMEF format is no longer supported when exporting events to a Syslog server.