What's New

Release highlights for recent CICADA IR versions. Current version: 1.58.0


1.58.0

PCAP pipeline overhaul — wireless analyzer, IOC promotion, performance

  • Wireless (802.11) forensics — captures that previously reported “no IP traffic” now produce a full breakdown: SSID inventory, BSSID tracking, client MAC sightings, deauth-flood detection, WPA 4-way handshake capture, and open-AP detection. Surfaced on the Timeline › Network tab and a new Wireless Overview card on the Sources › PCAP summary.
  • Wireless intel promoted to first-class IOCs — deauth-flood attacker MAC, WPA-handshake client MACs, and observed SSIDs now flow through the same enrichment and unified IOC store as IP / URL / hash indicators. Indicators filter adds MAC and SSID types.
  • Invalid-PCAP diagnostics — helpful error messages identifying Microsoft NetMon, Windows .etl, plain-text log files misnamed as .pcap, and unknown formats.
  • Threat-intel enrichment 30× faster — 10-way parallel gather replaces the sequential loop. Non-routable IPs (RFC1918, link-local, multicast, broadcast) hard-filtered before they hit external providers. Per-provider timeouts tuned.
  • PCAP queue reliability — analyze route no longer returns HTTP 429 when the semaphore is full. Rows are marked “queued” and wait for a worker slot. UI polling fallback recovers from dropped WebSocket progress events.
  • Active Directory collection no longer capped at exactly 2000 events — active ADs collect ~20k events per DC per run instead of 1000.
  • Dashboard and Timeline fixes — “Configured Sources” count now reflects wired-up integrations, not just agents that have reported status. Critical alert count on Timeline now matches Dashboard (both paths share a single severity resolver).
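The non-routable filter and parallel gather described in the enrichment bullet above, as an added illustration (not CICADA IR's own code): indicators that can never be attributed by an outside provider (RFC 1918, link-local, multicast, broadcast, loopback) are rejected locally with a reason, and only the remainder is looked up with a bounded thread pool and a per-lookup timeout. The provider, the feed contents and the sample batch are constructed for the example; the ordering of the checks matters because Python's `ipaddress` module also classifies loopback, link-local and 255.255.255.255 as "private".

```python
import ipaddress
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout


def non_routable_reason(raw):
    """Why an indicator must not be sent to an external provider, or None if it may be."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return "invalid"
    # Most specific reasons first: ipaddress also reports loopback, link-local
    # and the limited-broadcast address as is_private.
    if ip.version == 4 and ip == ipaddress.IPv4Address("255.255.255.255"):
        return "broadcast"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_reserved:
        return "reserved"
    if ip.is_private:   # RFC 1918, CGNAT (100.64/10), documentation nets, IPv6 ULA
        return "private"
    return None


def enrich_indicators(ips, provider, workers=10, per_lookup_timeout=5.0):
    """Look up routable IPs in parallel; filtered ones never leave the host.

    `provider` is any callable ip -> verdict (a real client would wrap an HTTP
    call). Skipped and failed lookups are recorded as 'skipped:<reason>' and
    'error:<kind>' so the caller can tell "not looked up" from "looked up, unknown".
    """
    results = {}
    to_query = []
    for ip in dict.fromkeys(ips):                 # de-duplicate, keep order
        reason = non_routable_reason(ip)
        if reason:
            results[ip] = "skipped:" + reason
        else:
            to_query.append(ip)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {ip: pool.submit(provider, ip) for ip in to_query}
        for ip, fut in futures.items():
            try:
                # Per-lookup timeout: a hung call is recorded as an error while
                # the other lookups keep running in the pool.
                results[ip] = fut.result(timeout=per_lookup_timeout)
            except FutureTimeout:
                results[ip] = "error:timeout"
            except Exception as exc:              # provider raised: record, keep going
                results[ip] = "error:" + type(exc).__name__
    return results


# Constructed stand-in for a threat-intel provider's data (not a real feed).
FAKE_FEED = {"8.8.8.8": "known-resolver"}


def make_counting_provider():
    """Return a provider that also records which IPs actually reached it."""
    calls = []

    def provider(ip):
        calls.append(ip)
        return FAKE_FEED.get(ip, "unknown")

    return provider, calls


if __name__ == "__main__":
    provider, calls = make_counting_provider()
    batch = ["10.0.0.1", "8.8.8.8", "224.0.0.1", "1.1.1.1", "fe80::1", "8.8.8.8"]
    for ip, verdict in enrich_indicators(batch, provider).items():
        print(f"{ip:16} {verdict}")
    print("provider calls:", calls)
```

The `calls` list is the check worth keeping in a unit test: after a batch containing internal addresses, it must contain only the routable ones, which is the property that prevents leaking an internal address plan to third parties.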

1.57.0

PCAP parser rewrite, Dashboard fixes, AD collection fix

  • PCAP parser — full per-link-type support. Raw 802.11, radiotap, Linux cooked (SLL/SLL2), BSD null/loopback, PPP, and raw-IP captures now decode correctly. Previously every non-Ethernet capture silently produced 0 flows with no diagnostic. 8 link types now have explicit, unit-tested branches.
  • PCAP completion now explains 0-flow results. Wireless auth captures surface “No IP traffic found — capture contains only 802.11 management/control frames, EAPOL/802.1X handshakes, or encrypted data frames”; wired L2-only captures note possible ARP/STP/LLDP-only content.
  • Dashboard “Configured Sources” count fixed. The card now reflects the analyst’s wired-up integrations the moment credentials are saved, not only after agents have emitted a status update.
  • Timeline Critical alert count matches Dashboard. Previously IOCs promoted to critical via TI reputation showed on Dashboard but stayed at base severity on Timeline. Both paths now share a single severity-resolver helper.
  • Active Directory collection no longer capped at exactly 2000 events. The cross-channel page_size cap was starving every channel after Security:auth. Each of the 16 event log channels now honors its own cap independently — active ADs collect ~20k events per DC per run.
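The link-type dispatch from the 1.57.0 parser bullet and the invalid-PCAP diagnostics from 1.58.0 both come down to reading the file header before trying to decode frames. The added example below (not CICADA IR's parser) identifies a capture from its first bytes: pcap in either byte order and either timestamp precision, pcapng (walking blocks to the first Interface Description Block for the link type), Microsoft NetMon by signature, and plain text misnamed as `.pcap`; for a recognised link type it attaches the 0-flow hint the release notes describe. The sample headers are constructed with `struct`, the NetMon signatures are the ones Wireshark's NetMon reader uses (an assumption, not taken from this page), and Windows `.etl` detection is left out.

```python
import struct

# Link-layer header types (values from the pcap/pcapng LinkType registry).
LINKTYPES = {
    0:   "NULL (BSD loopback)",
    1:   "ETHERNET",
    9:   "PPP",
    12:  "RAW (legacy DLT_RAW value)",
    101: "RAW (IPv4/IPv6 with no link header)",
    105: "IEEE802_11 (raw 802.11 frames)",
    108: "LOOP (OpenBSD loopback)",
    113: "LINUX_SLL (Linux cooked v1)",
    127: "IEEE802_11_RADIOTAP",
    276: "LINUX_SLL2 (Linux cooked v2)",
}
WIRELESS = {105, 127}
PCAP_MAGIC = {0xA1B2C3D4: "pcap", 0xA1B23C4D: "pcap (nanosecond)"}
PCAPNG_BLOCK = b"\x0a\x0d\x0d\x0a"
# Assumption: NetMon 1.x/2.x signatures as recognised by Wireshark's netmon reader.
NETMON_MAGIC = {b"RTSS": "Microsoft NetMon 1.x", b"GMBU": "Microsoft NetMon 2.x"}


def _hint(linktype):
    if linktype in WIRELESS:
        return ("802.11 capture: 0 IP flows can mean only management/control frames "
                "or EAPOL/802.1X handshakes; decode the 802.11 layer first")
    if linktype == 1:
        return "Ethernet capture: 0 IP flows can mean ARP/STP/LLDP-only traffic"
    if linktype in LINKTYPES:
        return "supported link type; IP is expected directly under the link header"
    return "link type without a decoder branch"


def _name(linktype):
    return LINKTYPES.get(linktype, "LINKTYPE_%d" % linktype)


def identify_capture(data):
    """Return format, link type and a 0-flow hint for the first bytes of a file."""
    info = {"format": "unknown", "linktype": None, "linktype_name": None, "hint": None}
    if data[:4] in NETMON_MAGIC:
        info["format"] = NETMON_MAGIC[data[:4]]
        info["hint"] = "not a libpcap file; convert with a tool that reads NetMon"
        return info
    if len(data) >= 24:                                   # classic pcap, either byte order
        for endian in ("<", ">"):
            magic = struct.unpack(endian + "I", data[:4])[0]
            if magic in PCAP_MAGIC:
                _, _, _, _, _, _, linktype = struct.unpack(endian + "IHHiIII", data[:24])
                info.update(format=PCAP_MAGIC[magic], linktype=linktype,
                            linktype_name=_name(linktype), hint=_hint(linktype))
                return info
    if len(data) >= 12 and data[:4] == PCAPNG_BLOCK:      # pcapng Section Header Block
        endian = "<" if data[8:12] == b"\x4d\x3c\x2b\x1a" else ">"
        info["format"] = "pcapng"
        offset = 0
        while offset + 8 <= len(data):                    # walk blocks to the first IDB
            btype, blen = struct.unpack(endian + "II", data[offset:offset + 8])
            if btype == 1 and offset + 10 <= len(data):
                linktype = struct.unpack(endian + "H", data[offset + 8:offset + 10])[0]
                info.update(linktype=linktype, linktype_name=_name(linktype), hint=_hint(linktype))
                break
            if blen < 12:
                break
            offset += blen
        return info
    head = data[:512]
    if head and all(b in b"\t\n\r" or 32 <= b < 127 for b in head):
        info["format"] = "plain text (log file misnamed as .pcap?)"
    return info


# Constructed headers for the demonstration, not real captures.
def pcap_header(linktype, endian="<"):
    return struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


def pcapng_header(linktype):
    shb = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)
    idb = struct.pack("<IIHHII", 1, 20, linktype, 0, 65535, 20)
    return shb + idb


SAMPLES = {
    "wifi_raw": pcap_header(105),
    "ethernet_be": pcap_header(1, ">"),
    "radiotap_ng": pcapng_header(127),
    "netmon": b"GMBU" + b"\x00" * 28,
    "textlog": b"2024-01-01 00:00:00 INFO something happened\n",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, identify_capture(blob))
```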

1.56.0

Tiered IOC engine overhaul — 63 fixes, 8 new AD detections, YAML pattern library

  • 8 new AD attack patterns — Zerologon, DCShadow cleanup, AdminSDHolder modification, pre-auth-disabled (ASREPRoast prep), medium-window brute force, hour-scale password spray, Silver Ticket, and interactive admin logon.
  • Kill-chain aggregator — Detected sequences now assemble into per-actor attack narratives ordered by MITRE tactic: Recon → Credential Access → Lateral → Persistence. Severity rolls up by tactic breadth.
  • Detection feedback loop — Analyst confirm / clear decisions feed a system-wide calibration table. Patterns with chronic false-positive rates can be auto-disabled.
  • Pattern library as YAML — All Tier 2 detections now live in cicada/data/detections/tier2/patterns.yaml. Adding or tuning a detection no longer requires a code release. Per-tenant overrides supported via overlay files.
  • Rescore API — Replay the scoring engine against past investigations with the current pattern library. Surfaces newly-confirmed or newly-cleared IOCs after signature updates.
  • DC-aware detection — The known-DC list gates DCSync and workstation-to-DC patterns. Strict fallback regex eliminates false positives on hostnames like predcache, sandcastle, fpdcsvr.
  • New Tier 1 signatures — COMSVCS MiniDump (fileless LSASS dump), MiniDumpWriteDump API, Invoke-DCSync / secretsdump.py / Invoke-NTLMRelay, legacy dumpers (WCE, pwdump, fgdump), KRBTGT password reset.
  • Timezone correctness — All event timestamps normalized to UTC at ingest, fixing mixed-tz crashes in sequence windows, Tier 3 hour-binning errors, and impossible-travel miscalculations.
  • Categorizer improvements — Responder “likely malicious” flag now auto-confirms. New blocked_by field explains exactly which thresholds held an IOC in suspected state.
  • Performance — Event index projects specific columns (~5× memory reduction on 100k-event investigations). IOC extractor cache is now a bounded LRU.
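The timezone bullet above names three symptoms of one root cause: timestamps that reach the sequence engine in different conventions. The added example below (not CICADA IR's code) shows the normalise-at-ingest approach in Python: epoch seconds, offset-qualified ISO-8601 strings and naive strings from a source with a known zone all become aware UTC datetimes, after which ordering and elapsed-time arithmetic are safe. The four sample events and the `source_tz` values are constructed; `mixed_tz_crashes` reproduces the pre-fix failure, where Python refuses to order naive against aware datetimes.

```python
from datetime import datetime, timezone, timedelta


def to_utc(value, source_tz=timezone.utc):
    """Normalise one event timestamp to an aware UTC datetime.

    Accepts epoch seconds, ISO-8601 strings (with or without an offset) and
    datetime objects. A naive value is interpreted in `source_tz`, the zone the
    collector documents for that log source (assumption: the caller knows it).
    """
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if isinstance(value, str):
        text = value.strip()
        if text.endswith("Z"):          # fromisoformat() only accepts 'Z' from Python 3.11
            text = text[:-1] + "+00:00"
        value = datetime.fromisoformat(text)
    if value.tzinfo is None or value.utcoffset() is None:
        value = value.replace(tzinfo=source_tz)
    return value.astimezone(timezone.utc)


def normalize_events(events, source_tz=timezone.utc):
    """Return ISO-8601 UTC strings in time order; every element is comparable."""
    return sorted(to_utc(e["ts"], source_tz).isoformat() for e in events)


def gap_hours(earlier, later, source_tz=timezone.utc):
    """Elapsed hours between two events once both are in UTC (impossible-travel input)."""
    return (to_utc(later, source_tz) - to_utc(earlier, source_tz)) / timedelta(hours=1)


def mixed_tz_crashes(timestamps):
    """Reproduce the pre-fix failure: naive and aware datetimes cannot be ordered."""
    try:
        sorted(timestamps)
        return False
    except TypeError:
        return True


def naive_and_aware_sample():
    """Two datetimes for the same wall-clock time, one naive and one aware."""
    return [datetime(2024, 3, 9, 14, 30), datetime(2024, 3, 9, 14, 30, tzinfo=timezone.utc)]


# Constructed sample: one investigation fed from four sources with different
# timestamp conventions.
SAMPLE_EVENTS = [
    {"src": "pcap", "ts": 1710028800},                    # epoch seconds (2024-03-10T00:00Z)
    {"src": "m365", "ts": "2024-03-10T01:30:00+11:00"},   # offset-qualified
    {"src": "ad",   "ts": "2024-03-09 14:30:00"},         # naive: collector's zone applies
    {"src": "fw",   "ts": "2024-03-09T20:00:00-05:00"},
]

if __name__ == "__main__":
    print("crashes before normalisation:", mixed_tz_crashes(naive_and_aware_sample()))
    for ts in normalize_events(SAMPLE_EVENTS):
        print(ts)
    # The same naive AD timestamp read as UTC+10 lands ten hours earlier.
    print("gap:", gap_hours("2024-03-09 14:30:00", "2024-03-10T01:30:00+11:00",
                            timezone(timedelta(hours=10))))
```

The design point is that `source_tz` is a property of the collector, not of the event: a naive string read as UTC and the same string read as UTC+10 differ by ten hours, which is exactly the kind of error that turns an ordinary logon pair into a false impossible-travel finding.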

1.55.0

Investigation export auth fix & production readiness audit

  • Investigation export — Encrypted .cicada-inv backups now correctly send session cookies with the backup request (credentials: 'same-origin'), fixing export failures on deployments using cookie-based local auth.
  • Production readiness audit — Full security and code-quality review completed across the analysis engine, API layer, licensing, integrations, reporting, and frontend. Critical and High findings are being tracked for the upcoming hardening release.

1.54.0

Dashboard UX & NIST framework reference

  • Dashboard cards — “Active Sources” renamed to “Configured Sources” (integration sources only, excludes uploaded PCAPs/logs). New card order: Configured Sources | Evidence | Alerts | Actions Taken.
  • Response actions counter — Updates within 10 seconds (was 30s). Timeline quick-actions now immediately refresh the counter.
  • Guided IR — Panel now references the NIST SP 800-61r2 Computer Security Incident Handling Guide framework.

1.53.0

Observability, support bundle & UX fixes

  • Support bundle — Generate a downloadable diagnostic ZIP from Settings > Support. Logs are automatically sanitised (IPs, emails, UUIDs redacted) so you can inspect before sharing with our support team.
  • Runtime log level toggle — Change log verbosity from the API without restarting the service.
  • Log rotation — Automated daily log rotation (7 days retained, 50 MB max per file) to prevent disk fill on long-running deployments.
  • Timeline quick-actions fixed — Block/Isolate/Disable buttons now correctly detect available adapters and show a picker when multiple are configured.
  • Setup wizard no longer flashes on backend restart. Logout button added to header. TLS upload now shows accepted certificate formats before upload.

1.52.0

Local user authentication

  • Username/password authentication — Air-gapped and LAN deployments no longer require Cloudflare Access. Create local users with username and password directly in the platform.
  • Setup wizard admin account — First admin user is now created during initial setup (new step 3 in the wizard).
  • User management UI — Settings > Users tab with add, edit, delete, disable users, and password resets.
  • Seat enforcement — User count limited by the seats field in your product key. Managed via your licence tier.
  • Security hardening — OWASP ASVS Level 2 reviewed with 16 security controls including peppered bcrypt hashing, JWT fingerprinting, refresh token rotation with theft detection, and exponential backoff on failed logins.
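Two of the controls listed above, refresh token rotation with theft detection and exponential backoff on failed logins, are small enough to show in full. The added example below is an illustration of the technique, not CICADA IR's implementation: each login starts a token family, every refresh consumes the presented token and issues a successor in the same family, and a token presented a second time means two parties hold the chain, so the whole family is revoked. Tokens are stored only as SHA-256 digests; the TTL, the injectable clock and the backoff constants are assumptions for the example.

```python
import hashlib
import secrets
import time


class RefreshTokenStore:
    """Rotating refresh tokens with reuse (theft) detection."""

    def __init__(self, ttl_seconds=7 * 24 * 3600, clock=time.time):
        self._tokens = {}      # sha256(token) -> {"family", "user", "used", "expires"}
        self._revoked = set()  # family ids whose chain has been cut
        self._ttl = ttl_seconds
        self._clock = clock    # injectable so expiry can be tested without sleeping

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()   # never persist raw tokens

    def _issue(self, user, family):
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {
            "family": family, "user": user, "used": False,
            "expires": self._clock() + self._ttl,
        }
        return token

    def login(self, user):
        """A successful password check starts a fresh token family."""
        return self._issue(user, secrets.token_hex(8))

    def refresh(self, token):
        """Consume `token` and return its successor, or None if it is not acceptable."""
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec["family"] in self._revoked or rec["expires"] < self._clock():
            return None
        if rec["used"]:
            # Replay of an already-rotated token: someone else holds a copy of the
            # chain, so neither the thief nor the legitimate client keeps access.
            self._revoked.add(rec["family"])
            return None
        rec["used"] = True
        return self._issue(rec["user"], rec["family"])

    def is_family_revoked(self, token):
        rec = self._tokens.get(self._digest(token))
        return rec is not None and rec["family"] in self._revoked


def backoff_seconds(failed_attempts, base=1.0, cap=300.0):
    """Delay before the next login attempt is accepted: 1, 2, 4, 8 ... capped."""
    if failed_attempts <= 0:
        return 0.0
    return min(cap, base * 2 ** (failed_attempts - 1))


if __name__ == "__main__":
    store = RefreshTokenStore()
    t1 = store.login("alice")
    t2 = store.refresh(t1)            # normal rotation
    print("rotation issued successor:", t2 is not None)
    print("replay of t1 accepted:", store.refresh(t1) is not None)   # False: theft detected
    print("t2 still usable:", store.refresh(t2) is not None)         # False: family revoked
    print("delay after 5 failures:", backoff_seconds(5), "s")
```

Revoking the family on replay is deliberate: the server cannot tell which presenter is the attacker, so cutting both forces a re-authentication, which is a cheap cost for the legitimate user and a hard stop for the stolen copy.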

1.50.0

Feature gating, tiered reporting & community trial

  • Tiered reporting — Investigation reports (executive summary, technical, MITRE mapping, blast radius, attack path, AI-enhanced) available at Professional tier. Compliance & legal reports (NDB, insurance, legal hold, regulatory, client exposure, executive briefing, IR playbook, post-incident review) available at Enterprise tier.
  • Community trial — 14-day free trial with download link delivered by email. No credit card required.
  • Active Directory moved to the free tier — all users can now connect to on-prem AD out of the box.
  • Source connectors and LLM providers are now gated by tier — locked features show a clear disabled state with upgrade prompts.

1.49.0

Behavioral engine hardening

  • Major accuracy improvements to the deterministic behavioral scoring engine — fewer false positives from service accounts, SYSTEM log operations, and correlated weak signals.
  • PowerShell deobfuscation — detects encoded commands, backtick escapes, and character array obfuscation before pattern matching.
  • New detection patterns: WinRM lateral movement, slow-and-low brute force, slow lateral movement campaigns.
  • Validated against a 16-scenario test suite covering true positives, false positives, and evasion techniques.
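The deobfuscation bullet above lists three normalisation steps that have to run before any pattern can match a PowerShell command line. The added example below (an illustration, not the product's engine) implements them in Python: `-EncodedCommand` arguments are decoded from base64-wrapped UTF-16LE, backtick escapes that split a keyword are removed, and `[char[]](...) -join ''` / `[char]N+[char]N` constructions are folded back into string literals, after which a plain case-insensitive pattern list is applied. The sample command line is constructed and benign (it prints a string), the accepted `-EncodedCommand` spellings are a heuristic list, and the backtick rule does not track string context, so `` `n ``-style escapes inside double-quoted strings are collapsed too.

```python
import base64
import re

# Heuristic: the -EncodedCommand prefixes commonly seen on command lines.
ENCODED_ARG = re.compile(r"(?i)(?<![\w-])[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
CHAR_ARRAY = re.compile(r"(?i)\[char\[\]\]\s*\(([\d,\s]+)\)\s*-join\s*(?:''|\"\")")
CHAR_CONCAT = re.compile(r"(?i)\[char\]\s*\d+(?:\s*\+\s*\[char\]\s*\d+)*")


def decode_encoded_command(cmdline):
    """Replace -EncodedCommand <b64> with the decoded UTF-16LE script."""
    def _sub(m):
        try:
            script = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)                 # leave undecodable arguments untouched
        return "-EncodedCommand <" + script + ">"
    return ENCODED_ARG.sub(_sub, cmdline)


def strip_backticks(script):
    """Remove backticks used to split keywords (I`n`v`o`k`e -> Invoke).

    In command position a backtick before a letter is a no-op; this normaliser
    does not track double-quoted strings, so `n / `t escapes collapse as well.
    """
    return re.sub(r"`(?=[A-Za-z0-9_])", "", script)


def fold_char_arrays(script):
    """Turn [char[]](104,105) -join '' and [char]72+[char]105 into quoted literals."""
    def _array(m):
        codes = [int(c) for c in re.split(r"[,\s]+", m.group(1).strip()) if c]
        return "'" + "".join(chr(c) for c in codes) + "'"

    def _concat(m):
        codes = [int(c) for c in re.findall(r"\d+", m.group(0))]
        return "'" + "".join(chr(c) for c in codes) + "'"

    script = CHAR_ARRAY.sub(_array, script)
    return CHAR_CONCAT.sub(_concat, script)


def normalize(cmdline):
    """Full pipeline: decode, strip escapes, fold char arrays, collapse whitespace."""
    script = decode_encoded_command(cmdline)
    script = strip_backticks(script)
    script = fold_char_arrays(script)
    return re.sub(r"\s+", " ", script).strip()


def find_patterns(text, patterns):
    """Case-insensitive substring match, run on the normalised form."""
    low = text.lower()
    return [p for p in patterns if p.lower() in low]


# Constructed, benign sample: the same harmless command in obfuscated form.
INNER_SCRIPT = "Wr`ite-Out`put ([char[]](104,105) -join '')"
SAMPLE_CMDLINE = "powershell.exe -NoP -enc " + base64.b64encode(
    INNER_SCRIPT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    print("raw      :", SAMPLE_CMDLINE)
    print("normalised:", normalize(SAMPLE_CMDLINE))
    print("raw hits  :", find_patterns(SAMPLE_CMDLINE, ["write-output"]))
    print("norm hits :", find_patterns(normalize(SAMPLE_CMDLINE), ["write-output"]))
```

The comparison at the end is the point of the bullet: the same pattern list returns nothing against the raw command line and a hit against the normalised one, which is why normalisation has to sit in front of the matcher rather than being left to individual signatures.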

1.48.0

Ubiquiti UCG firewall integration & source selection redesign

  • Ubiquiti UniFi Console Gateway integration — collect firewall logs, block/unblock IPs via CICADA-BLOCKLIST firewall group. Supports API key and session-based authentication.
  • Source selection at investigation creation — when creating a new investigation, you now choose which data sources to import upfront. No more sources appearing automatically.

1.47.0

Correlation engine & detection coverage expansion

  • Correlation engine — individual detections now aggregate into entity-level correlated findings. Risk-based alerting escalates severity when multiple MITRE tactics are observed for the same entity.
  • 12 attack chain templates — temporal sequence matching for common attack flows: credential dump → lateral movement, brute force → compromise, full kill chain, DCSync + Golden Ticket, ransomware precursors, and more.
  • 17 new Windows Event IDs — domain policy changes, Zerologon/Netlogon, LSASS dump via SilentProcessExit, PowerShell pipeline, MSSQL xp_cmdshell, BITS persistence, Credential Manager, and more.
  • Evidence Events tab — search by entity name to see all normalised evidence events where they appear as actor or target.
  • Improved Defender alert parsing — process command lines, URL evidence, and registry evidence now extracted from alerts.
  • Noise reduction — successful auth IPs no longer create spurious IOCs, SHA1/MD5 duplicates removed, system accounts filtered from blast radius.

For the full changelog including all bug fixes and technical details, contact support@cicada-ir.ai.