  • v1.7.2 e984899d4c

    v1.7.2
    All checks were successful
    Release / build-and-push (push) Successful in 1m39s
    CI / lint-and-test (push) Successful in 43s
    Stable

    tomas.kracmar released this 2026-04-22 12:43:13 +00:00 | 16 commits to main since this release

    v1.7.2 — Alert rules management UI

    What's new

    • Alert Rules panel in the UI — visible between Alerts and Filters sections
    • List all rules with severity badge, on/off toggle, and condition preview
    • Add Rule button opens a modal with form for:
      • Rule name
      • Severity (Low / Medium / High)
      • Alert message
      • Conditions builder (eq, neq, contains, in, after_hours)
    • Edit existing rules inline
    • Delete rules with confirmation
    • Toggle rules on/off without deleting

    Full changelog since v1.7.1

    • feat: alert rules management UI
    • chore: bump version to 1.7.2
  • v1.7.1 3e1416cd52

    v1.7.1
    All checks were successful
    CI / lint-and-test (push) Successful in 31s
    Release / build-and-push (push) Successful in 1m32s
    Stable

    tomas.kracmar released this 2026-04-22 12:21:46 +00:00 | 18 commits to main since this release

    v1.7.1 — Bug fixes

    Fixes

    • Alert panel is now always visible — previously hidden when no alerts existed, making it impossible to find. Now shows with an explanatory empty state.
    • Footer version display — normalized version string to prevent double 'v' (vv1.7.0).

    Full changelog since v1.7.0

    • fix: alert panel always visible, version display normalization
    • chore: bump version to 1.7.1
  • v1.7.0 0a16cf6870

    v1.7.0
    All checks were successful
    CI / lint-and-test (push) Successful in 26s
    Release / build-and-push (push) Successful in 1m15s
    Stable

    tomas.kracmar released this 2026-04-22 12:12:49 +00:00 | 20 commits to main since this release

    v1.7.0 — Admin Operations SIEM

    What's new

    • Alert notifications with retry logic: webhook, Slack, or Microsoft Teams formats
    • Alert deduplication: same rule + same actor within 15 minutes produces only one alert
    • 10 pre-built admin-ops rule templates seeded automatically on first startup:
      1. Failed Conditional Access
      2. After-Hours Admin Activity
      3. New Application Registration
      4. Admin Role Assignment
      5. License Change
      6. Bulk User Deletion
      7. Device Compliance Failure
      8. Exchange Transport Rule Change
      9. Service Principal Credential Added
      10. External Sharing Enabled
    • Alert dashboard in the UI with severity/status filters
    • Alert actions: Acknowledge, Resolve, False Positive, Reopen
    • Alert summary badge in the hero header showing open high/medium/low counts
    • New API endpoints: GET /api/alerts, PATCH /api/alerts/{id}/status, GET /api/alerts/summary
    • New env vars: ALERT_WEBHOOK_URL, ALERT_WEBHOOK_FORMAT (generic/slack/teams), ALERT_DEDUPE_MINUTES
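
The deduplication rule above (same rule + same actor within the window produces one alert), sketched as an added example; this is not the project's own code. The class and function names, the case-insensitive actor match, the default of 15 when ALERT_DEDUPE_MINUTES is unset, and anchoring the window at the last alert actually sent are assumptions.

```python
from datetime import datetime, timedelta


class AlertDeduper:
    def __init__(self, dedupe_minutes=15):
        self.window = timedelta(minutes=dedupe_minutes)
        self.last_emitted = {}  # (rule, actor) -> time of the last alert actually sent

    @classmethod
    def from_env(cls, env):
        # Assumed default: 15, the window quoted in the release notes.
        return cls(int(env.get("ALERT_DEDUPE_MINUTES", "15")))

    def should_emit(self, rule, actor, when):
        key = (rule, actor.casefold())  # assumption: actors compared case-insensitively
        last = self.last_emitted.get(key)
        # The window is anchored at the last emitted alert. Suppressed repeats do
        # not extend it, so ongoing activity re-alerts once per window instead of
        # being silenced for as long as it continues.
        if last is not None and when - last < self.window:
            return False
        self.last_emitted[key] = when
        return True


def t(hhmm):
    return datetime.strptime("2026-04-22 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample rule matches: (time, rule, actor)
MATCHES = [
    (t("09:00"), "Admin Role Assignment", "alice@example.com"),
    (t("09:05"), "Admin Role Assignment", "alice@example.com"),  # repeat
    (t("09:05"), "Admin Role Assignment", "bob@example.com"),    # other actor
    (t("09:06"), "License Change", "alice@example.com"),         # other rule
    (t("09:14"), "Admin Role Assignment", "Alice@Example.com"),  # repeat, other case
    (t("09:16"), "Admin Role Assignment", "alice@example.com"),  # window elapsed
]


def emitted_times(matches, env=None):
    """Return the HH:MM of every match that would produce an alert."""
    deduper = AlertDeduper.from_env(env or {})
    return [w.strftime("%H:%M") for w, r, a in matches if deduper.should_emit(r, a, w)]


if __name__ == "__main__":
    print(emitted_times(MATCHES))
```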

    Design philosophy

    This is an admin operations alerting system, not a security SIEM. It focuses on things admins need to know about: policy changes, role assignments, license changes, compliance failures — not threat detection.

  • v1.6.4 5bda1dd616

    v1.6.4
    All checks were successful
    CI / lint-and-test (push) Successful in 25s
    Release / build-and-push (push) Successful in 1m29s
    Stable

    tomas.kracmar released this 2026-04-22 10:16:32 +00:00 | 23 commits to main since this release

    v1.6.4 — Single-click filters, all services default, page size 24

    What's new

    • Single-click service pills are back: click to filter ONLY for that service
    • All services shown by default — removed the default Exchange/SharePoint/Teams exclusion (privacy controls now handle this server-side)
    • Page size 24 — divisible by 3 for the 3-column event grid
    • Removed +/- button experiment — simpler is better

    Full changelog since v1.6.3

    • fix: revert to single-click service filter, show all services by default, page size 24
    • chore: bump version to 1.6.4
  • v1.6.3 aa62528862

    v1.6.3
    All checks were successful
    CI / lint-and-test (push) Successful in 35s
    Release / build-and-push (push) Successful in 1m47s
    Stable

    tomas.kracmar released this 2026-04-22 10:02:28 +00:00 | 25 commits to main since this release

    v1.6.3 — +/- pill filters

    What's new

    • Service pills now have +/− buttons instead of a single click:
      • + adds that service to the current filter (keeps your other selections)
      • − removes that service from the current filter
    • Result pills keep the toggle click behavior (works well as-is)
    • Small inline button styling with hover effects

    Full changelog since v1.6.2

    • feat: +/- buttons on service pills for additive/subtractive filtering
    • chore: bump version to 1.6.3
  • v1.6.2 ed7465f5cd

    v1.6.2
    All checks were successful
    Release / build-and-push (push) Successful in 1m33s
    CI / lint-and-test (push) Successful in 33s
    Stable

    tomas.kracmar released this 2026-04-22 09:53:21 +00:00 | 27 commits to main since this release

    v1.6.2 — Clickable pills, configurable page size, CQRE.NET branding

    What's new

    • Clickable service pills: Click any event's service/category pill to filter the entire list by that service. Click again to clear.
    • Clickable result pills: Click Success/Failure/etc. pills to filter by result. Toggle behavior.
    • Configurable page size: New DEFAULT_PAGE_SIZE env var (default 25). Frontend loads it from /api/config/features.
    • Footer branding: Changed from CQRE to CQRE.NET.
    • Smaller default: Page size dropped from 100 to 25 events for faster initial loads.

    Full changelog since v1.6.1

    • feat: clickable pills, configurable page size, CQRE.NET branding
    • chore: bump version to 1.6.2
  • v1.6.1 67f3c28e82

    v1.6.1
    All checks were successful
    CI / lint-and-test (push) Successful in 32s
    Release / build-and-push (push) Successful in 1m30s
    Stable

    tomas.kracmar released this 2026-04-22 09:31:57 +00:00 | 29 commits to main since this release

    v1.6.1 — UI polish

    What's new

    • Top navigation bar with brand, repository link, documentation link, and compact action buttons
    • User chip shows logged-in display name + email from Microsoft Entra
    • Footer with version badge, report-issue link, source code link, and documentation link
    • Cleaner hero — just title and tagline, buttons moved to topbar
    • Responsive stacking on mobile screens
    • CSS cache-buster bumped to v=9

    Full changelog since v1.6.0

    • style: UI polish — topbar, footer, user info, product feel
    • chore: bump version to 1.6.1
  • v1.6.0 f75f165911

    v1.6.0
    Some checks failed
    Release / build-and-push (push) Successful in 1m24s
    CI / lint-and-test (push) Failing after 29s
    Stable

    tomas.kracmar released this 2026-04-22 07:55:21 +00:00 | 33 commits to main since this release

    v1.6.0 — Valkey caching + async queue for LLM scaling

    New features

    • Valkey caching for LLM responses (/api/ask and /api/events/{id}/explain)
      • Ask cache TTL: 1 hour
      • Explain cache TTL: 24 hours
    • Async queue (arq) for LLM requests to prevent timeouts at scale
      • POST /api/ask?async_mode=true returns a job_id immediately
      • GET /api/jobs/{job_id} polls for results
    • Valkey replaces Redis as the in-memory store (BSD-licensed fork)

    Infrastructure

    • New worker service in Docker Compose (runs arq jobs.WorkerSettings)
    • New redis/valkey service with healthchecks
    • REDIS_URL configuration setting

    API changes

    • AskRequest gained an async_mode: bool field
    • AskResponse gained a job_id: str | None field

    Dependencies

    • Added redis and arq
  • v1.5.0 47e0dfc2ca

    v1.5.0 — Saved Searches, AI Explain & Privacy Gating
    All checks were successful
    CI / lint-and-test (push) Successful in 37s
    Release / build-and-push (push) Successful in 1m51s
    Stable

    tomas.kracmar released this 2026-04-22 06:30:20 +00:00 | 34 commits to main since this release

    What's New

    Saved Searches (Bookmarks)

    • Save filter combinations with a name and recall them instantly.
    • Save filters button in the filters panel.
    • Saved searches appear as pill chips — click to apply, × to delete.
    • Scoped per user (created_by from token sub).

    AI Event Explanation with GUID Resolution

    • New POST /api/events/{id}/explain endpoint sends an event + related events to the LLM for a security-focused explanation.
    • GUID resolution: extracts UUIDs from the raw event and resolves them via Microsoft Graph (users, groups, service principals, devices) before sending to the LLM.
    • The LLM now sees human-readable names instead of raw GUIDs.

    Operation-Level Privacy Gating

    • Replaced broad service-level blocking with fine-grained operation-level privacy controls.
    • PRIVACY_SENSITIVE_OPERATIONS hides specific operations (e.g. MailItemsAccessed, Send, Search-Mailbox) across all services.
    • PRIVACY_SERVICES still available for broad service-level blocking if needed.
    • Both gated by PRIVACY_SERVICE_ROLES (e.g. SecurityAdministrator, ComplianceAdministrator).
    • Unauthorized users still see admin actions like Add-MailboxPermission and Set-Mailbox, but not email reading/sending logs.

    UI Polish

    • Teams added to default noisy service exclusion alongside Exchange and SharePoint.
    • Filter state persisted to localStorage and restored on reload.
    • Result pills now treat "True" as green (success).
    • Copy and Explain buttons in the raw event modal.

    Upgrade Notes

    docker compose pull && docker compose up -d
    

    Optional: configure privacy gating in .env:

    PRIVACY_SENSITIVE_OPERATIONS=MailItemsAccessed,Search-Mailbox,Send,ChatMessageRead
    PRIVACY_SERVICE_ROLES=SecurityAdministrator,ComplianceAdministrator
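
How the operation-level gating described above decides what an unprivileged user sees, as an added example that is not the project's own code. The event field names (service, operation), case-insensitive matching, and the fail-closed behaviour when no roles are configured are assumptions; the settings are the ones shown in the upgrade notes.

```python
def parse_csv(value):
    """Split a comma-separated setting into a case-folded set, ignoring blanks."""
    return frozenset(p.strip().casefold() for p in value.split(",") if p.strip())


class PrivacyGate:
    def __init__(self, env):
        self.sensitive_ops = parse_csv(env.get("PRIVACY_SENSITIVE_OPERATIONS", ""))
        self.services = parse_csv(env.get("PRIVACY_SERVICES", ""))
        self.roles = parse_csv(env.get("PRIVACY_SERVICE_ROLES", ""))

    def is_privileged(self, user_roles):
        # Fail closed (assumption): with no roles configured, nobody is privileged.
        return bool(self.roles & {r.casefold() for r in user_roles})

    def is_sensitive(self, event):
        # Assumed event shape: {"service": ..., "operation": ...}
        op = str(event.get("operation", "")).casefold()
        svc = str(event.get("service", "")).casefold()
        # An operation match hides the event in any service; a service match
        # hides everything from that service.
        return op in self.sensitive_ops or svc in self.services

    def visible(self, events, user_roles):
        """Filter on the server so hidden events never leave the API."""
        if self.is_privileged(user_roles):
            return list(events)
        return [e for e in events if not self.is_sensitive(e)]


# Settings copied from the upgrade notes above.
ENV = {
    "PRIVACY_SENSITIVE_OPERATIONS": "MailItemsAccessed,Search-Mailbox,Send,ChatMessageRead",
    "PRIVACY_SERVICE_ROLES": "SecurityAdministrator,ComplianceAdministrator",
}

# Constructed sample events (not real audit data).
EVENTS = [
    {"id": 1, "service": "Exchange", "operation": "MailItemsAccessed"},
    {"id": 2, "service": "Exchange", "operation": "Add-MailboxPermission"},
    {"id": 3, "service": "Exchange", "operation": "Set-Mailbox"},
    {"id": 4, "service": "Teams", "operation": "ChatMessageRead"},
    {"id": 5, "service": "Exchange", "operation": "send"},
]


def visible_ids(user_roles, env=ENV):
    return [e["id"] for e in PrivacyGate(env).visible(EVENTS, user_roles)]


if __name__ == "__main__":
    print("helpdesk:", visible_ids(["HelpdeskAdministrator"]))
    print("security:", visible_ids(["SecurityAdministrator"]))
```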
    
  • v1.4.0 05f5f07e7b

    v1.4.0 — Filter Persistence & Smarter Defaults
    All checks were successful
    CI / lint-and-test (push) Successful in 30s
    Release / build-and-push (push) Successful in 1m24s
    Stable

    tomas.kracmar released this 2026-04-22 04:48:47 +00:00 | 39 commits to main since this release

    What's New

    Filter Persistence

    • Filter state is now saved to localStorage and restored on page reload.
    • Includes: actor, services, operation, result, time range, tags, limit, and search.
    • Saved services are validated against current API options — stale entries are silently dropped.

    Smarter Defaults

    • Exchange and SharePoint are now unchecked by default.
    • These services generate extremely high volumes of noise (e.g. MailItemsAccessed) and are rarely relevant for security investigations.
    • The Clear button resets to this default set rather than selecting all services.

    UI Polish

    • Result pills now treat "True" as a success state (green) in addition to success, succeeded, ok, and passed.
    • This fixes the orange pill colour on common Exchange admin events.

    Upgrade Notes

    docker compose pull && docker compose up -d
    

    No configuration changes required.
