Release Notes (2023-06)

June release notes detailing the evolution of the Stairwell platform

Date          | New Feature | Enhancement | Bug Fix
June 30, 2023 |             | ✔️          |
June 29, 2023 |             | ✔️          |
June 28, 2023 |             | ✔️          |
June 27, 2023 |             | ✔️          | ✔️
June 23, 2023 |             | ✔️          |
June 22, 2023 |             | ✔️          |
June 21, 2023 |             | ✔️          | ✔️
June 20, 2023 |             | ✔️          | ✔️
June 19, 2023 |             | ✔️          |
June 16, 2023 |             | ✔️          | ✔️
June 07, 2023 |             | ✔️          |
June 06, 2023 |             | ✔️          |
June 01, 2023 |             | ✔️          |

June 30, 2023

YARA Enhancement

Team: Backend

New functions to create and delete rules added to the library to accelerate and improve calls.

API Enhancement

Team: Frontend

API v1 notification format updated. To provide multiple format options and to prevent existing integrations from breaking, we created a "Notification Version" setting that allows users to select which format they need.

"Current" being the newer format which should be used by all new integrations.
"Legacy" being our original format which can be used by existing integrations.

June 29, 2023

Search Enhancement

Team: Software, Frontend

New support added for searching product version using equals and range searches. UI error handling implemented to show a message if an unsupported or invalid search is performed, keeping the UI from crashing.

Example Query:

pe.product_version == "1.2.3.4-alpha"

June 28, 2023

API Enhancement

Team: Backend

The Stairwell platform API has been enhanced to include location information such as asset and directory, and to annotate matches as [is_packed], as is already available to users in the UI.

June 27, 2023

YARA Enhancement

Team: Frontend

A warning is now shown when searches return more than the maximum number of results.

Forwarder Bug Fix

Team: Forwarder

Support for renaming a file (previously supported) or the folder containing a file without impacting the integrity of the captured path.

Webhook Enhancement

Team: Frontend

Webhook JSON notifications format updated. To provide multiple format options and to prevent existing integrations from breaking, we created a "Notification Version" drop-down menu to allow users to select which format they need.

"Current" being the newer format which should be used by all new integrations.
"Legacy" being our original format which can be used by existing integrations.

Forwarder Enhancement

Team: Forwarder

Optimization to the macOS forwarder for improved performance and file handling.

Trigger Enhancement

Team: Backend

Trigger groupings redesigned to produce flatter, simpler messages without nested arrays, for easier consumption by users.

Object Seen - An asset has uploaded an object that matches conditions. All match conditions from a single trigger are grouped together instead of being reported separately.
New Result - New results are available for objects that appear in customer environments. Objects are not grouped, so that the Trigger Service receives every object a rule matches in a single update.

To enrich the messages, the object fields move into a separate sub-message called "object_metadata", consistent with our new APIs, and nesting is used for conditions and sightings.

Previous Example for New Result Case (rule_match):

{
 "triggers_settings": "https://app.stairwell.com/environment-settings?org_env_id=<ENVIRONMENT_ID>",
 "rule_environment_name": "<RULE_ENVIRONMENT_NAME>",
 "rule_environment_id": "<RULE_ENVIRONMENT_ID>",
 "rule_name": "A Rule",
 "rule_version": <RULE_VERSION>,
 "object_sha256": "<SHA256>",
 "object_sha1": "<SHA1>",
 "object_md5": "<MD5>",
 "object_size": <SIZE>,
 "object_link": "https://app.stairwell.com/object/<SHA256>",
 "seen_environment_name": "<OBJECT_ENVIRONMENT_NAME>",
 "seen_environment_id": "<OBJECT_ENVIRONMENT_ID>",
 "match_type": "rule_match",
 "description": "A new rule match was found. This means that either a new rule was written that matches an existing object, or a new object was uploaded that matches an existing rule."
}

New Example for New Result Case (rule_match):

{
 "trigger_name": "<TRIGGER_NAME>",
 "trigger_settings": "https://app.stairwell.com/environment-settings?org_env_id=<ENVIRONMENT_ID>",
 "match_type": "rule_match",
 "description": "A new rule match was found. This means that either a new rule was written that matches an existing object, or a new object was uploaded that matches an existing rule.",
 "object_metadata": {
  "sha256": "<OBJECT_SHA256>",
  "sha3_256": "<OBJECT_SHA3>",
  "sha1": "<OBJECT_SHA1>",
  "md5": "<OBJECT_MD5>",
  "size": <OBJECT_SIZE>,
  "magic": "<OBJECT_MAGIC_BYTES>",
  "mime_type": "<OBJECT_MIME_TYPE>",
  "entropy": "<OBJECT_ENTROPY>",
  "imphash": "<OBJECT_IMPHASH>",
  "imphash_sorted": "<OBJECT_IMPHASH_SORTED>",
  "tlsh": "<OBJECT_TLSH>",
  "signing_status": {<SIGNING_STATUS>},
  "inception_link": "https://app.stairwell.com/object/<SHA256>"
 },
 "yara_rule_matches": [{
  "environment_name": "<RULE_ENVIRONMENT_NAME>",
  "environment_id": "<RULE_ENVIRONMENT_ID>",
  "name": "<RULE_NAME>",
  "version": <RULE_VERSION>,
  "text": "<RULE_FULL_TEXT>"
 }],
 "sighting_matches": [{
  "seen_time": "<TIME_STAMP>",
  "environment_name": "<SEEN_ENVIRONMENT_NAME>",
  "environment_id": "<SEEN_ENVIRONMENT_ID>",
  "asset": "<ASSET_HOSTNAME>",
  "file_name": "<FILE_NAME>",
  "file_path": "<FILE_PATH>",
  "containing_object_sha256": "<SHA_256>"
 }, ...]
}

Conditions and sightings have return limits and associated rates. For example, 100:60s would mean a bucket size of 100 with a new token every 60 seconds. To keep the object_metadata current, we recalculate it on each API call and whenever a Trigger Notification is sent. If a condition or sighting occurs above the allowance, it is removed from the match, and a match is only allowed to proceed if it has at least one sighting and at least one condition.

Trigger enhancement is available once upgraded from api.stairwell.com/20211221 to api.stairwell.com/v1.
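As an added illustration (not code from Stairwell or from this page), a small receiver-side normaliser that accepts either notification version of a rule_match message and applies the one-condition-plus-one-sighting rule described above. Both sample messages are constructed with placeholder values and use only the field names shown in the examples; the record shape it returns is this example's own choice.

```python
import json

# Constructed sample of the "Current" rule_match notification, using the field
# names from this release note; hashes, hostnames and paths are placeholders.
CURRENT_NOTIFICATION = json.dumps({
    "trigger_name": "example-trigger", "match_type": "rule_match",
    "object_metadata": {"sha256": "a" * 64, "size": 1024,
                        "mime_type": "application/x-dosexec"},
    "yara_rule_matches": [{"environment_name": "rules-env",
                           "name": "Suspicious_Packer", "version": 3}],
    "sighting_matches": [{"seen_time": "2023-06-27T10:00:00Z",
                          "environment_name": "prod", "asset": "host-01",
                          "file_path": "C:\\Users\\Public\\x.exe"}],
})

# Constructed sample of the flat "Legacy" format from the same release note.
LEGACY_NOTIFICATION = json.dumps({
    "rule_environment_name": "rules-env", "rule_name": "Suspicious_Packer",
    "rule_version": 3, "object_sha256": "a" * 64, "object_size": 1024,
    "seen_environment_name": "prod", "match_type": "rule_match",
})


def normalize(raw: str) -> dict:
    """Map either notification version onto one record shape.
    The version is detected from the structure rather than from a header:
    Current nests the object under "object_metadata" and carries arrays of
    rule matches and sightings; Legacy uses flat object_*/rule_* keys and
    names only the environment in which the object was seen.
    """
    msg = json.loads(raw)
    if "object_metadata" in msg:
        return {
            "version": "current",
            "sha256": msg["object_metadata"]["sha256"],
            "rules": [r["name"] for r in msg.get("yara_rule_matches", [])],
            "sightings": [(s.get("environment_name"), s.get("asset"), s.get("file_path"))
                          for s in msg.get("sighting_matches", [])],
        }
    return {
        "version": "legacy",
        "sha256": msg["object_sha256"],
        "rules": [msg["rule_name"]],
        "sightings": [(msg.get("seen_environment_name"), None, None)],
    }


def is_actionable(record: dict) -> bool:
    """Platform rule from the note: proceed only with >= 1 condition and >= 1 sighting."""
    return bool(record["rules"]) and bool(record["sightings"])
```

A Current message whose sightings were all dropped by the rate allowance normalises to an empty sightings list and is therefore reported as not actionable, which is the case a consumer should log rather than alert on.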

June 23, 2023

Trigger Enhancement

Team: Frontend

Allow triggers to be configured on different object and rule environments separately within the UI.

June 22, 2023

Scalability Enhancement

Team: Backend

An environment asset cap of 30,000 has been implemented, with internal notifications when an environment approaches capacity (95%).

June 21, 2023

Search Bug Fix

Team: Backend

Searches on MalEval labels now run as a regex search instead of an exact match, so that partial labels are still matched.

June 20, 2023

Storage Enhancement

Team: Backend

The file upload process now includes complete metadata fields within file storage.

Forwarder Bug Fix

Team: Forwarder

Back scans are now blocked until a policy is applied to an environment, so that the scan does not complete immediately without uploading files.

June 19, 2023

Reporting Enhancement

Team: Software

Threat reports now include filtering on user-generated content such as opinions (e.g. Trusted).

June 16, 2023

Forwarder Bug Fix

Team: Forwarder

Resolved scans stalling when files had unrecognized file types.

Reporting Enhancement

Team: Frontend

Live enrichment IOCs are now truncated at 500 results per indicator type.

Platform Enhancement

Team: Frontend

New vertical preview pane available on objects, assets, rules, and C2, which users can disable if desired so that items open in a new tab instead.

June 07, 2023

API Enhancement

Team: Backend

Raw reports from the detonation engine are now available via the GetReport API.

June 06, 2023

Search Enhancement

Team: Software

New support added for searching the MalEval label stairwell-opinion.

Example Query:

mal_eval.label == stairwell-opinion

June 01, 2023

Platform Enhancement

Team: Frontend

Improvements made to icons and general styling on Hillbert views (baseball cards).