
Zircolite

v3.7.1 Feature

This release adds 1 notable feature for engineering teams evaluating rollout.

✓ No known CVEs patched

Topics

auditd detection dfir dfir-automation dfir-tools evtx evtxtract forensics forensics-tools logs pysigma python sigma sigma-rules sysmon

ReleasePort's take


Zircolite v3.7.1 adds the `--template-append` CLI flag and the corresponding YAML option, which switch template outputs to append mode and thereby restore the pre‑3.0 append behavior for `--templateOutput` files. It also hardens the Docker build by removing an unused git dependency and running the container as a non‑root user.

Why it matters: The new `--template-append` flag lets developers control whether template files are overwritten or appended (critical for log aggregation), and the Dockerfile refactor reduces container attack surface by eliminating unnecessary tools and enforcing non‑root execution.

Summary

AI summary

Added opt‑in CLI flag --template-append (and YAML key output.template_append) to enable append mode for line‑oriented template outputs.

Changes in this release

Feature Medium

Adds `--template-append` CLI flag and YAML config option to enable append mode for template outputs.

Source: llm_adapter@2026-05-23

Confidence: high

Bugfix Medium

Restores pre‑3.0 append behavior for `--templateOutput` files via new flag.

Source: llm_adapter@2026-05-23

Confidence: high

Refactor Medium

Hardened Dockerfile: removed unused `git` apt step and now runs container as non‑root user.

Source: llm_adapter@2026-05-23

Confidence: low

Full changelog

What's Changed

Fixes

  • --template-append (#133, fixes #132) — opt-in CLI flag (also output.template_append: true in the YAML config) that switches all configured --templateOutput files to append mode for that run. Restores the pre-3.0 behavior for users who build cumulative NDJSON feeds for Splunk/ELK across multiple runs. The default remains overwrite, so single-document exports such as the ATT&CK Navigator layer or SARIF stay valid.

Internal

  • Hardened Dockerfile: dropped the unused git apt step and the image now runs as a non-root user.

Usage

Command line:

```shell
python zircolite.py --evtx logs/ --ruleset rules/rules_windows_generic.json \
    --template templates/exportForSplunk.tmpl \
    --templateOutput cumulative.ndjson \
    --template-append
```

Equivalent YAML configuration:

```yaml
output:
  templates:
    - template: templates/exportForSplunk.tmpl
      output: cumulative.ndjson
  template_append: true
```

> [!WARNING]
> Append mode is intended for line-oriented templates (exportForSplunk.tmpl, exportForELK.tmpl, exportForTimesketch.tmpl, exportNDJSON.tmpl). It is not appropriate for templates that produce a single JSON document, such as exportForAttackNavigator.tmpl or exportForSARIF.tmpl.
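To make that warning concrete, here is an added example (not Zircolite's own code) that mimics the two output modes and checks what a downstream consumer would see after two runs into the same files: a line-oriented NDJSON feed stays ingestible in append mode, while a single-document export such as SARIF becomes two concatenated JSON documents. The sample renders and file names are constructed.

```python
import json
import tempfile
from pathlib import Path


def write_template_output(path: Path, rendered: str, append: bool) -> None:
    """Mimic the two output modes: overwrite (default) or append (--template-append)."""
    with open(path, "a" if append else "w", encoding="utf-8") as fh:
        fh.write(rendered)


def check_ndjson(text: str) -> tuple[int, list[int]]:
    """Return (event_count, bad_line_numbers): every non-empty line must be one JSON object."""
    good, bad = 0, []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            ok = isinstance(json.loads(line), dict)
        except json.JSONDecodeError:
            ok = False
        if ok:
            good += 1
        else:
            bad.append(n)
    return good, bad


def count_json_documents(text: str) -> int:
    """Count top-level JSON documents (-1 if malformed); a valid single-document export yields 1."""
    decoder, idx, docs, text = json.JSONDecoder(), 0, 0, text.strip()
    while idx < len(text):
        try:
            _, idx = decoder.raw_decode(text, idx)
        except json.JSONDecodeError:
            return -1
        docs += 1
        while idx < len(text) and text[idx].isspace():  # skip the newline between appended runs
            idx += 1
    return docs


# Constructed renders standing in for two successive Zircolite runs.
RUN1_NDJSON = '{"title":"Suspicious PowerShell","EventID":4104}\n{"title":"New Service","EventID":7045}\n'
RUN2_NDJSON = '{"title":"Mimikatz Access","EventID":10}\n'
RUN_SARIF = '{"version":"2.1.0","runs":[{"results":[]}]}\n'


def simulate(append: bool) -> tuple[tuple[int, list[int]], int]:
    """Write two runs into a cumulative NDJSON file and a SARIF file, then validate both."""
    with tempfile.TemporaryDirectory() as d:
        ndjson, sarif = Path(d) / "cumulative.ndjson", Path(d) / "zircolite.sarif"
        for render, path in ((RUN1_NDJSON, ndjson), (RUN2_NDJSON, ndjson), (RUN_SARIF, sarif), (RUN_SARIF, sarif)):
            write_template_output(path, render, append)
        return check_ndjson(ndjson.read_text()), count_json_documents(sarif.read_text())
```

With the default overwrite mode only the last run survives in both files; with append mode the NDJSON feed accumulates all three events while the SARIF file turns into two documents that no SARIF consumer will parse.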

Full Changelog: https://github.com/wagga40/Zircolite/compare/v3.7.0...v3.7.1


About Zircolite

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs
