Release notes 8/20/2024
This release adds many significant new capabilities to Fusion!
- NQL Pattern Matching (Wildcards, Regular Expressions, Fuzzy Matching) - NQL now supports wildcards, regex, and fuzzy matching in certain fields
- DNS - This release introduces DNS logs (recursive request and response logs) as a new source of traffic data within Fusion. Specifically, Fusion now supports ingesting DNS logs from AWS Route 53 and GCP Cloud DNS. By combining DNS log data with network flow metadata, Fusion significantly enhances its capabilities in network forensics, compromise detection, and overall network visibility.
- AWS Transit Gateway flow logs are now supported
- Wiz context integration v2 - A new version of the Wiz context integration is now available that adds support for Wiz issues and Wiz network exposures, and is available as a NetoFuse module for on-prem deployment and customizing field transforms
- Detection model documentation is now directly available in the Fusion Portal
- netosecret is a new field generated when creating an API key that encodes all the Fusion API credentials into a single string
- The Fusion Portal property tray is now resizeable
- Dashboard widgets now have resizing buttons when editing
Naming updates:
- Traffic is used to refer to the combination of Flow and DNS
- Dashboards:
  - Traffic Manager has been renamed Response Integration Blocks
  - User Activity has been renamed Audit Log Activity
NQL now supports pattern matching (wildcards, regular expressions, and fuzzy) in certain fields
In NQL, pattern matching can now be used in certain fields. Pattern matching can be performed using regular expressions, wildcards, and fuzzy matching.
To execute a regex query, use the =~ operator for matching and the !~ operator for non-matching.
NQL fields supporting regex, wildcards, and fuzzy matching in this release
Category | Supported Fields |
---|---|
Flow | dstiprep.categories, srciprep.categories, tags |
DNS | answers.rdata, query.domain, query.host, query.name, query.publicsuffix |
Events | ipinfo.iprep.categories, summary, tags |
Audit | description |
If you would like to use pattern matching on a field that is not supported today, reach out to Netography Support and let us know.
For more information, refer to NQL Overview and Syntax or NQL Quick Reference Guide.
AWS Transit Gateway flow logs are now supported
Fusion now supports ingesting VPC flow logs from AWS Transit Gateways. This feature allows for increased monitoring flexibility by enabling the ingestion of flow logs directly from the AWS Transit Gateway via S3, closely mirroring the setup process of AWS VPC flow logs.
Refer to AWS Transit Gateway Flow Logs for more details.
DNS logs are a new traffic source in Fusion to complement flow logs
This release introduces DNS logs (recursive request and response logs) as a new source of traffic data within Fusion. Specifically, Fusion now supports ingesting DNS logs from AWS Route 53 and GCP Cloud DNS. By combining DNS log data with network flow metadata, Fusion significantly enhances its capabilities in network forensics, compromise detection, and overall network visibility. The analysis of DNS requests allows for various advanced use cases, including:
- Reconstruction of event timelines post-incident.
- Identification of suspicious or malicious domain communications.
- Detection of DNS patterns indicative of malware or command and control servers.
- Visualization and metric tracking for DNS activity in Fusion dashboards.
For more details on DNS support in Fusion and how to configure it, refer to DNS in Fusion.
Terminology Update: Traffic
The term Traffic is now used in the Fusion Portal to reflect the integration of Flow and DNS data sources.
Wiz context integration v2
The Wiz context integration now supports Wiz issues and Wiz network exposures, and is also available as a NetoFuse module, which lets you customize the fields retrieved into context and deploy the integration as an on-prem container.
Both the previous and new versions of the Wiz context integration are visible in the Fusion Portal while customers migrate to the new version. Use Wiz-2 for new Wiz integrations.
Refer to Wiz Context Integration or Wiz NetoFuse module for more details.
Detection Model documentation is directly viewable in Fusion
Now, when you click on a Detection Model's linked name in Fusion, the detection information displays in the properties tray at the left of the page instead of redirecting you to the detection model's information page in the user documentation.
To view its complete information, scroll down in the property tray's pane. Note: The detection model information still exists at https://docs.netography.com/.
netosecret is a single string that encodes Fusion API credentials
netosecret is a new API key format for simplifying sharing API connection and authentication information with Netography Fusion API clients. Previously, authenticating to the Netography Fusion API required copying and pasting 5 separate values. netosecret is a base64 encoded JSON object containing these values (shortname, appname, appkey, sharedsecret, url), so when you generate a new API key in the Fusion Portal, you only need to copy the netosecret string.
netosecret encodes the fields used to generate a JWT request token to send to the API to authenticate; it does not replace or change the API authentication mechanism, which is still JWT. Support for using netosecret will be in upcoming releases of Netography's components that use the Fusion API (cloud onboarding automation, netofuse, netoflow). You can easily decode netosecret into the individual fields and use it with any existing API client from Netography or that you have developed yourself. For more details, refer to: Decoding netosecret.
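The decoding described above, as an added example that is not Netography's code: it unpacks a netosecret into the five fields the notes list and returns a redacted copy for logging, because base64 is an encoding and the string is as sensitive as the shared secret it carries. The sample values, the https-only check, the tolerance for URL-safe or unpadded base64, and the choice of which fields to redact are assumptions.

```python
import base64
import binascii
import json
from urllib.parse import urlsplit

# Field names as listed in the release notes.
REQUIRED_FIELDS = ("shortname", "appname", "appkey", "sharedsecret", "url")
# Assumption: these two are the values that must never reach logs.
SENSITIVE_FIELDS = ("appkey", "sharedsecret")


def decode_netosecret(netosecret: str) -> dict:
    """Decode a netosecret string into its five credential fields."""
    raw = netosecret.strip().replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)  # assumption: tolerate stripped padding
    try:
        fields = json.loads(base64.b64decode(raw, validate=True))
    except (binascii.Error, ValueError):
        # Report a fixed message; never echo the input string.
        raise ValueError("netosecret is not base64-encoded JSON") from None
    if not isinstance(fields, dict):
        raise ValueError("netosecret must decode to a JSON object")
    missing = [k for k in REQUIRED_FIELDS
               if not isinstance(fields.get(k), str) or not fields[k]]
    if missing:
        raise ValueError("netosecret missing fields: " + ", ".join(missing))
    # Assumption: refuse to send credentials to a non-TLS endpoint.
    if urlsplit(fields["url"]).scheme != "https":
        raise ValueError("netosecret url must use https")
    return {k: fields[k] for k in REQUIRED_FIELDS}


def redact(fields: dict) -> dict:
    """Return a copy that is safe to log or print."""
    return {k: "***" if k in SENSITIVE_FIELDS else v for k, v in fields.items()}


def make_sample() -> str:
    """Build a constructed netosecret; none of these values are real."""
    sample = {"shortname": "examplecorp", "appname": "demo-client",
              "appkey": "constructed-app-key",
              "sharedsecret": "constructed-shared-secret",
              "url": "https://fusion-api.example.invalid/api/v1"}
    return base64.b64encode(json.dumps(sample).encode()).decode()


if __name__ == "__main__":
    print(redact(decode_netosecret(make_sample())))
```

Store a netosecret the way you would store the shared secret itself: in a secrets manager or protected environment variable, not in source control or ticket text.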
Property tray is now resizeable
You can now click the border between the property tray (the section of the Fusion Portal that appears on the right-hand side of the page when you click on an item to see more details) and drag it left or right to resize it.
Dashboard widget resizer
When editing a dashboard, if you hover your mouse over the top of any dashboard widget, a set of buttons appears in the top-right corner of the widget. Two new buttons have been added to adjust widget sizes automatically based on the dashboard's widget set.
Action | Description |
---|---|
Move Widget (Vertical) | Allows you to move the widget vertically within the dashboard layout. |
Move Widget (Horizontal) | Allows you to move the widget horizontally within the dashboard layout. |
Dashboard name changes
The following system dashboards have been renamed to more clearly identify their purpose:
Traffic Manager dashboard has been renamed Response Integration Blocks. This system dashboard has not changed functionality.
User Activity dashboard has been renamed Audit Log Activity. This system dashboard has not changed functionality.