Corelight-update Release Notes

v2.0.5 (April 2026)

Enhancements

  • Upgraded golang to 1.26.2 to address CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289, CVE-2026-33810.

  • Improved logging and error handling for STIX/TAXII Collection ID not found errors.

v2.0.4 (April 2026)

Enhancements

  • Increased the file size limit for unzipping downloaded files from 50MB to 200MB.

  • Upgraded Golang to 1.26.1 to address CVE-2025-68121, CVE-2025-61726, CVE-2026-25679, CVE-2025-61730, CVE-2025-61728, CVE-2026-27142, and CVE-2026-27139.

  • Upgraded github.com/go-git/go-git/v5 to address CVE-2026-25934, CVE-2026-34165, and CVE-2026-33762.

  • Upgraded github.com/aws/aws-sdk-go to address CVE-2020-8911 and CVE-2020-8912.

  • Upgraded github.com/cloudflare/circl to address CVE-2026-1229.

v2.0.3 (March 2026)

Bug fixes

  • Remove URL methods from Intel::URL indicators for Zeek intel.

v2.0.2 (December 2025)

Enhancements

  • Upgraded Golang to 1.25.5

Bug fixes

  • Fixed a bug related to TenableIO UserAgent header.

v2.0.1 (October 2025)

Enhancements

  • Added encrypted fields for all sensitive data in the config file.

  • Updated pre/post upgrade scripts.

v2.0.0 (September 2025)

Enhancements

  • Updated CrowdStrike Threat Intel integration to include Kill-Chain and other metadata.

  • Removed support for FireEye Threat Intel integration.

  • Removed support for Fleet Manager versions prior to version 28.3.

  • Updated STIX/TAXII integration to support discrepancies across different TAXII2 services.

  • Upgraded go-sqlite3 to v1.14.29 to get SQLite 3.50.3, to address CVE-2025-6965.

  • Upgraded golang to 1.24.5.

  • Improved processing of Input Sources when pushing to Fleet Manager.

Bug fixes

  • Improved logging and error handling when pushing to Fleet Manager.

  • Fixed an issue where the confidence field was not retrieved from OTX.

v1.16.2 (July 2025)

Bug fixes

  • Fixed an issue where Corelight-update would still push input files to the sensors after uploading the input file to Fleet Manager.

v1.16.1 (June 2025)

Enhancements

  • Added support for handling empty STIX/TAXII responses.

v1.16.0 (June 2025)

Enhancements

  • Added support for uploading Input file sources to Fleet Manager version 28.3 and later.

  • Added support for SID Prefix and RuleOptions in Suricata Rule modifiers.

  • Updated Suricata Rule formatting to handle missing GID and REV values.

  • Added support for Recorded Future in STIX/TAXII integration.

  • Changed the default to use db-config.yaml if the config filename is missing from the global configuration.

  • Input file validation errors are printed as a verbose log.

v1.15.1 (May 2025)

Bug fixes

  • Fixed a file permissions bug for the corelight-update.log file.

v1.15.0 (April 2025)

Enhancements

  • Added support for writing logs to the /var/log/corelight-update.d/corelight-update.log file.

  • Added user configurable color formatting to the terminal and/or logs.

  • Directed non-error logs to stdout instead of stderr and added color formatting to the logs.

  • Updated input validation logs to use verbose level instead of error.

  • Updated -v flag for verbose logging and added --version flag for printing version.

  • Added support for reloading the global config in each cycle and auto-creating the config file if missing.

  • Added a deprecation warning for FireEye Integration, which will be removed in v1.17.0.

  • Added a CLI option to reset the global config to defaults.

  • Added a CLI option to reset a policy config to defaults.

  • Updated the AlienVault OTX caching mechanism.

  • Updated the CrowdStrike caching mechanism.

  • Updated SentinelOne HostId field.

Bug fixes

  • Fixed a bug related to Axonius where it did not use all the returned results.

  • Fixed a bug where Suricata config files would not get pushed if the only push option enabled was suricata_configs.

v1.14.1 (March 2025)

Enhancements

  • Added support for Axonius returning random data types.

  • Renamed software sensor to microsensor in the configuration inventory settings.

  • Removed support for importing configurations before version 1.0.

v1.14.0 (March 2025)

Enhancements

  • Added support for STIX/TAXII Intel integration.

  • Added support for Analyst1 Suricata integration.

  • Added support for Analyst1 YARA integration.

  • Added support for Analyst1 Intel integration.

  • Added support for adding YARA source on Fleet Manager.

  • Added YARA policy source to download preformatted YARA rule file.

  • Added support for CrowdStrike YARA rules integration.

  • Added support to collect endpoint type and OS from SentinelOne Host integration.

  • Added support for adding Suricata source on Fleet Manager, if Suricata Automation is enabled.

  • Use proxy settings from environment variables.

  • Added support for Suricata testing logs.

v1.13.1 (January 2025)

Enhancements

  • Added a log message instead of showing an error when no new Suricata files are available for upload.

  • Added endpoint status field for MS Defender.

v1.13.0 (November 2024)

Enhancements

  • Added support for Microsoft Defender integration.

  • Optimized Suricata policy file update in Fleet.

v1.12.0 (September 2024)

Enhancements

  • Added support for TenableIO CVE integration.

  • Updated configurations for CrowdStrike integration.

  • Added cache cleanup and fallback to cached data in case of integration processing errors.

  • Stop printing unreadable characters in Debug mode.

  • Updated field to be used in SentinelOne HostUID.

v1.11.0 (August 2024)

Enhancements

  • Added support for Fleet Manager Intel Policies for FM 27.14 and later.

  • Added support for custom source filenames for downloaded files.

  • Added user configurable client timeout settings for downloading files.

  • Updated CrowdStrike integration to use new API. Improves performance and removes 10,000 host limitation.

  • Added SentinelOne Host integration.

  • Added SentinelOne CVE integration.

v1.10.1 (April 2024)

Enhancements

  • Add optional filename for downloaded sources

  • Updated directory permissions for /opt/corelight-update/corelight-recommended.

v1.10.0 (April 2024)

Enhancements

  • Added support for quotes in Intel and Input files.

  • Added support for multiple Global Suricata config files.

v1.9.4 (March 2024)

Bug fixes

  • Corrected permissions for .rpm files.

v1.9.2 (January 2024)

Enhancements

  • Improved xbit and hostbit parsing.

v1.9.0 (January 2024)

Enhancements

  • Added support for Intel files in sensor policies for Fleet Manager v27.9.

  • Added support for Axonius integration.

  • Added additional fields to CrowdStrike CVE and Host integration.

  • Added Suricata bit dependency correction feature.

  • Renamed host_uid field to uid in the vulnerability and hosts integrations.

  • Added cid field to the vulnerability and hosts integrations.

  • Improved Suricata and Intel file cleanup.

v1.8.1 (September 2023)

Bug fixes

  • Fixed the path for push published input files.

v1.8.0 (September 2023)

Enhancements

  • Added support for Suricata policies in Fleet Manager v27.8.

  • Added configuration option to specify Fleet Manager sensor policy and Suricata policy names.

  • Added a feature to remove “disable” individual intel indicators.

  • Added support for remote Input files.

  • Added support to use the same Input file from multiple sources at the same time.

  • Increased support for pushing in parallel to Fleet Manager managed sensors.

  • Added support to auto replace autoupdate policy config files when the database structure changes.

v1.7.3 (August 2023)

Enhancements

  • Added additional fields to the CrowdStrike Hosts integration.

v1.7.2 (August 2023)

Enhancements

  • Added a network timeout variable for waiting on a status from a sensor after a file upload.

Bug fixes

  • Fixed a bug that caused an exit if the icannTLD integration has an error.

v1.7.1 (August 2023)

Enhancements

  • Added a bash_completion script.

Bug fixes

  • Fixed a bug so checking the status of an uploaded file through Fleet Manager uses a bearer token.

  • Adding a new user in RPM based OS’s adds a ‘/sbin/nologin’ shell.

v1.7.0 (July 2023)

Enhancements

  • Added a new integration for CrowdStrike Exposure Management CVE.

  • Added a new integration for CrowdStrike Exposure Management Hosts.

v1.6.3 (July 2023)

Bug fixes

  • Fixed missing network settings after upgrade issue.

v1.6.2 (June 2023)

Enhancements

  • Improved logging output to log when a download attempt is intercepted by an external proxy.

  • Added support to configure network settings for sensor communications.

  • Added the following new CLI options:

    • show -network

    • update -network-setting [setting1=value1 setting2=value2 ... settingN=valueN]

    • update -network-settings [setting1=value1 setting2=value2 ... settingN=valueN]

Bug fixes

  • Fixed a bug that caused sensor traffic to use the same proxy configuration as download traffic.

  • Improved error output when updating policy configurations.

  • Fixed a bug that compared suricata config files before they are downloaded.

v1.6.1 (May 2023)

Enhancements

  • Added support to prevent policies from being created if the name begins with a -.

Bug fixes

  • Fixed an issue that prevented downloading intel sources for a policy without any suricata sources.

v1.6.0 (March 2023)

Enhancements

  • Added a global option to auto-update policies each time the service runs.

  • Added a global setting to push content to sensors in parallel (defaults to 10).

v1.5.0 (February 2023)

Enhancements

  • Added support for uploading Suricata configurations to all sensors.

  • Added support for pushing signed package bundles to all sensors, except Microsensors.

  • Added support for the new CSRF requirement in the Fleet Manager v27.3 API.

v1.4.1 (February 2023)

Bug fixes

  • Fixed an issue where empty options were written to Suricata rules.

  • Fixed an issue where an empty “If-Modified-Since” header is used during file downloads.

v1.4.0 (January 2023)

Enhancements

  • Added a new integration for Mandiant Threat Intelligence.

  • If Fleet Manager details are configured, and a matching policy exists, the Fleet Manager policy will be updated even if no sensors are assigned to it.

  • Added the following new CLI options:

    • add -policy and add -policies are interchangeable.

    • remove -policy and remove -policies are interchangeable.

    • -file and -path are interchangeable on all relevant CLI commands.

    • Most of the Global configuration settings can be updated directly from the CLI:

      • update -global-setting [setting1=value1 setting2=value2 ... settingN=valueN]

      • update -global-settings [setting1=value1 setting2=value2 ... settingN=valueN]

  • Added “basic” auth support for sources.

  • Added support for pulling Global Suricata config files from remote sources.

    • Includes support for no auth, basic auth, and token auth.

  • Added support for pulling Policy Suricata config files from remote sources.

    • Includes support for no auth, basic auth, and token auth.

  • Added the ability to append content to the Metadata and Other fields using modify.conf.

  • Added the ability to identify rules with Metadata contains string.

  • Added the option to include disabled Suricata rules in the ruleset file.

  • Simplified the global configuration by removing the global integration table. Each integration is now enabled using its own settings.

  • The update -policy command now uses a transaction. If any part of the update fails, the update is not applied.

  • Removed the config templates (obsolete). The import -policy <policy name> -file <path to config file> can be used to the same config to different policies.

  • Removed the policy backup functions (obsolete). The show -policy <policy name> -file <path to save config file> can be used to save a backup.

Bug fixes

  • Fixed a issue where package bundles were not created with other:read permissions on all files, causing packages not to load on sensors.

  • Pushing package bundles now updates a Fleet Policy instead of trying (and failing) to push through Fleet to the sensors.

v1.3.0 (November 2022)

Enhancements

  • Fleet managed sensors no longer have to be listed in the inventory section of the policy. The list will automatically be pulled from Fleet Manager.

  • Added support for AlienVault OTX.

  • Added configurable URL for ICANNTLD.

  • The Integration table has been removed, each integration is now enabled within it’s configuration.

v1.2.1 (November 2022)

Enhancements

  • Added a basic web menu to the root of the webservice.

Bug fixes

  • Fixed a bug that would cause a policy to fail if no intel files were present.

  • Added a redirect to the webservice if the trailing slash is missing for \docs\ or \files\.

v1.2.0 (October 2022)

Enhancements

  • Added support for global cache and policy level Intel sources that can be downloaded in Zeek format, like ThreatQ.

  • Added support for Token authenticated Suricata and intel sources like MISP.

  • Updated the web service to use TLS version 1.2+ and removed outdated cipher suites.

Bug fixes

  • Improved error handling with TenableSC.

  • TenableSC was not reading the keys from the policy in the database.

  • Moved the home directory for the corelight-update service account to /var/corelight-update/

  • Removed the requirement for experimental features to be enabled to upload Suricata rules to Fleet.

v1.1.0 (October 2022)

Enhancements

  • Support for encrypted passwords for inventory items.

  • Corelight-update now uses a umask of 0007 when creating files and directories.

Bug fixes

  • The before-install and before-upgrade scripts will not attempt to create the system user if it already exists.

  • Downloading content will now use the https_proxy or HTTPS_PROXY environment variables.

v1.0.1 (October 2022)

Enhancements

  • Policies are stored in a Sqlite3 DB”.

  • The Corelight-update service now runs as corelight-update and not root.

  • After install or upgrade, all files are owned by system user corelight-update:corelight-update.

  • All users must belong to the corelight-update user group to run Corelight-update.

  • Global configuration can be updated from either a yaml or json config file.

  • Policies configurations can be imported or updated from either a yaml or json config file.

  • Sources that do not require authentication can be added as type “suricata” or “intel”.

  • A Global Source Cache is automatically created.

  • Integration intervals are now referenced in hours See Third-party integrations settings for details.

  • The interval for processing policies is now referenced in minutes See General settings for details.

  • The web Service no longer requires root privileges to enable ports below 1024.

  • Pushing Suricata rulesets to Fleet managed sensors no longer proxies that push through Fleet. It uploads the ruleset to Fleet and updates the Fleet policy to use the new ruleset.

  • When pushing content to sensors, an inventory file is no longer used. The sensor details are part of the policy config.

  • Missing configuration files are automatically recreated.

Bug fixes

  • Set http.Transport idelConnTimeout for Fleet to 90 seconds.