The following features and enhancements have been added:

• Support to configure fatal_cvss_score in the osquery-scan script.
• Support for the regex patterns ending with .*$ in the kernel.
• Support for ECS fargate tables.
• Support for farquery to include secrets/hostname in the ENV instead of private image.
• Fix for removing custom exclusion rules from osquery. Removing the rules from config now removes them from osquery successfully.
• Support for labels on older containerd events.
• Support for the exe path validation (specified by syscall audit rules) at defined intervals. Added two new flags to support the enhancement, i.e. audit_exe_rules_sync and audit_exe_rules_sync_period.
• Support to validate if the audit rules pushed to a kernel are in sync with the audit rules pushed by the Uptycs cloud. Added two new flags to support the enhancement, i.e. audit_rules_sync and audit_rules_sync_period.
• Support for screenlock query when the watchdog is active.
• Improvements in generic conditional checks for compliance.
• Fix for the missing PIDs in the docker_container_stats table.
• CIS support for macOS 10.15 and rhel7.
• Fix for unsupported JSON input formats.
• Support to include YARA rule metadata in the yara_process_events table.
• Added a new column version_info in the processes and process_events tables that includes file version information for PE executables.
• Added a new column ancestor_list in the yara_process_events table to correlate yara rule alerts in a detection.
• Added a new table ntp to identify any clock drift. A new flag enable_ntp_query is introduced to enable this feature.
• Support to capture file attribute changes for auditd based FIM events.
• Event exclude profiles now support CIDR values in the remote/local addresses for socket_events.
• Support to handle osquery runtime at a scale for Windows endpoints.
• Support to keep the count of event records discarded by the event exclude profile rules for Linux endpoints.
• Added a new column container_age in the eBPF events table to improve event time handling.
• Support for Kringle decision cache.
• Added generic compliance checks for file exist, permission and owner.
• Added a new table firmware_password to capture events for firmware password settings on macOS endpoints.
• Added a new table mdm_profile to capture events for MDM profile settings on macOS endpoints.
• Added ARM64 (Apple Silicon) support to the apps table.
• Enhanced support for vulnerability scans to report threat indicators download error instead of zero count.
• Integrated Santa macOS application blocker.
• Fix for Xcode compiler warnings and potential leaks.
• Support to specify check IDs as a rule for Windows endpoints.
• Enhanced support for osquery-scan to detect all .jar and .JAR files in the docker images and scan them for vulnerabilities.
• Fix for the diag_watcher_stats table for macOS endpoints.
• Support to detect a process from non ELF files (scripts, etc.).
• API support for downloading Santa/Kringle rules.
• Support to capture file attribute changes (chown and chmod) for FIM events.
• Support for Automated Table Creation (ATC) queries.
• Added file_vault status to the disk_encryption table.
• Support to re-check the list of packages in an image for new vulnerabilities.
• Support for JAR package listing and vulnerability scanning.
• Cleaned up logs due to parameter mismatch.
• Carving support for a file without write permission.
• Support for PCI Windows KIOSK.
• New compliance_on_demand table to run queries (global and real-time) on the selected hosts.
• Support for containerd.
• Added a new flag windows_event_excluded_ids to exclude Windows events based on event ID.
• Fix for multiple check_id execution with different parameters.
• Fix for empty columns in the process_file_events table.
• Support for the PCI Linux server checks.
• Enhanced the diag_watcher_stats table to display more granular details about osquery CPU utilization. This helps in debugging any high CPU issue.
• Support for a single compliance table.
• Support for the SQLite3.
• Support for the OpenSSL 1.1.1i version to address CVE-2020-1971.
• New osquery_log table to parse worker and watcher logs.
• Support to collect information about missing Windows patchers.