
Zircolite v3.7.0 (feature release)

This release adds 3 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched in this version

Topics: auditd, detection, dfir, dfir-automation, dfir-tools, evtx, evtxtract, forensics, forensics-tools, logs, pysigma, python, sigma, sigma-rules, sysmon

Summary (AI-generated)

Graceful Ctrl+C shutdown introduces two-stage interrupt handling.

Changes in this release

  • Feature, Medium: Graceful Ctrl+C shutdown implemented with two-stage interrupt handling. (Source: llm_adapter@2026-05-21; confidence: high)
  • Feature, Medium: `--auto-index [N]` option auto-creates SQLite indices on the top-N most-referenced columns (default N=5). (Source: llm_adapter@2026-05-21; confidence: high)
  • Feature, Medium: ATT&CK Navigator export updated to ATT&CK v18 with tactic information and a severity-based color legend. (Source: llm_adapter@2026-05-21; confidence: high)
  • Feature, Medium: New `zircolite/attack.py` module centralizes ATT&CK tag extraction (techniques + tactics, alias-normalized). (Source: llm_adapter@2026-05-21; confidence: high)
  • Dependency, Medium: Refreshed all 12 rulesets (`rules_*.json`). (Source: llm_adapter@2026-05-21; confidence: low)
  • Bugfix, Medium: Shutdown-request checks added in parallel and streaming loops for safer cancellation. (Source: llm_adapter@2026-05-21; confidence: high)
  • Bugfix, Medium: Database connection handling improved: clearer type signatures, thread-safe pragma setup, better error handling during backup. (Source: llm_adapter@2026-05-21; confidence: high)
  • Bugfix, Medium: Fixed `templateOutput` initialization when not supplied. (Source: llm_adapter@2026-05-21; confidence: low)
  • Refactor, Medium: Consolidated ATT&CK parsing logic across core modules. (Source: llm_adapter@2026-05-21; confidence: high)
  • Other, Medium: Simplified `Advanced.md` examples and jq query patterns; condensed transform examples. (Source: llm_adapter@2026-05-21; confidence: low)

Full changelog

What's Changed

New Features

  • Graceful Ctrl+C shutdown — two-stage interrupt handling: first Ctrl+C finishes in-flight work cleanly, second forces exit
  • --auto-index [N] (default 5) — analyzes the loaded ruleset and auto-creates SQLite indices on the top-N most-referenced columns
  • ATT&CK Navigator export updated to ATT&CK v18 / Navigator 5.3.1, with tactic information and severity-based color legend
  • New zircolite/attack.py module centralizing ATT&CK tag extraction (techniques + tactics, alias-normalized)
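The --auto-index item above describes a heuristic (count which columns the loaded ruleset's queries filter on, index the top N) without showing it. The block below is an added illustration written for this page, not Zircolite's own code: it assumes rules are dictionaries whose "rule" key holds a list of SQLite query strings against a `logs` table (the shape of the sample entries is constructed), extracts column references from the WHERE clauses with a regex after stripping string literals, ranks them, and creates indices only for columns the table actually has. The real `--auto-index` may pick columns differently.

```python
import re
import sqlite3
from collections import Counter

# Constructed sample in the assumed shape of rules_*.json entries: each rule
# carries one or more SQLite queries under "rule". Only the query text matters.
SAMPLE_RULES = [
    {"title": "Suspicious PowerShell download",
     "rule": [r"SELECT * FROM logs WHERE (CommandLine LIKE '%downloadstring%' ESCAPE '\\' "
              r"AND Image LIKE '%\\powershell.exe' ESCAPE '\\')"]},
    {"title": "LSASS access",
     "rule": [r"SELECT * FROM logs WHERE (TargetImage LIKE '%\\lsass.exe' ESCAPE '\\' "
              r"AND GrantedAccess = '0x1010')"]},
    {"title": "Encoded command",
     "rule": [r"SELECT * FROM logs WHERE (CommandLine LIKE '% -enc %' ESCAPE '\\' "
              r"OR CommandLine LIKE '% -e %' ESCAPE '\\')",
              r"SELECT * FROM logs WHERE Image LIKE '%\\cmd.exe' ESCAPE '\\'"]},
]

# Words that can legally precede an operator but are not columns.
_SQL_KEYWORDS = {"select", "from", "where", "and", "or", "not", "like",
                 "escape", "in", "is", "null", "logs"}
# Single-quoted SQL string literals ('' is an escaped quote inside one).
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
# An identifier immediately followed by a comparison or pattern operator.
_COLUMN_REF = re.compile(
    r"\b([A-Za-z_][A-Za-z0-9_]*)\s*"
    r"(?:=|!=|<>|>=|<=|>|<|(?:NOT\s+)?(?:LIKE|REGEXP|IN|IS)\b)",
    re.IGNORECASE,
)


def rank_columns(rules, top_n=5):
    """Return the top_n column names most often filtered on across all queries."""
    counts = Counter()
    for rule in rules:
        for query in rule.get("rule", []):
            # Blank out literals so '%foo=bar%' cannot be mistaken for a column.
            stripped = _STRING_LITERAL.sub("''", query)
            for name in _COLUMN_REF.findall(stripped):
                if name.lower() not in _SQL_KEYWORDS:
                    counts[name] += 1
    return [name for name, _ in counts.most_common(top_n)]


def create_indices(conn, columns, table="logs"):
    """Create one index per ranked column that exists in `table`; return what was created."""
    existing = {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}
    created = []
    for col in columns:
        if col not in existing:
            continue  # the ruleset filters on a field these logs never carried
        # Names come from the identifier regex, so double-quoting them is safe.
        conn.execute(f'CREATE INDEX IF NOT EXISTS "idx_{col}" ON "{table}"("{col}")')
        created.append(col)
    conn.commit()
    return created


def demo(top_n=3):
    """Run the heuristic against an in-memory table; TargetImage is deliberately absent."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (EventID INTEGER, Image TEXT, "
                 "CommandLine TEXT, GrantedAccess TEXT)")
    ranked = rank_columns(SAMPLE_RULES, top_n=top_n)
    created = create_indices(conn, ranked)
    indexes = [row[1] for row in conn.execute("PRAGMA index_list(logs)")]
    conn.close()
    return ranked, created, indexes


if __name__ == "__main__":
    print(demo())
```

Ranking by reference count is a cheap proxy for benefit; an index on a column that almost every query filters on speeds up the whole run, while a low-cardinality column (a constant EventID in a single-channel export) may still be worth skipping by hand.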

Fixes & Improvements

  • Shutdown-request checks in parallel and streaming loops for safer cancellation
  • More robust database connection handling: clearer type signatures, thread-safe pragma setup, better error handling during connection backup
  • Fixed templateOutput initialization when not supplied
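The two-stage Ctrl+C handling listed under New Features and the shutdown-request checks in the processing loops listed above are two halves of one mechanism. The block below is an added sketch of that pattern, not Zircolite's implementation: a controller counts interrupt requests, a SIGINT handler maps the first to a graceful drain and the second to an immediate exit, and a worker loop polls the flag at each batch boundary. The batch list and the `work` callback are constructed for the demonstration; `demo_interrupted_run` simulates the first Ctrl+C arriving mid-run instead of sending a real signal.

```python
import os
import signal
import threading


class ShutdownController:
    """Two-stage interrupt state shared by the signal handler and the worker loops."""

    def __init__(self):
        self._requests = 0
        self._lock = threading.Lock()  # handler and loops may run on different threads

    def request(self):
        """Record one interrupt; return the stage it triggers."""
        with self._lock:
            self._requests += 1
            return "graceful" if self._requests == 1 else "force"

    @property
    def shutdown_requested(self):
        """True once any interrupt has been seen; loops poll this between units of work."""
        return self._requests > 0

    def install(self):
        """Route SIGINT through the two-stage logic (only meaningful in a real process)."""
        def handler(signum, frame):
            if self.request() == "graceful":
                print("Ctrl+C: finishing in-flight work, press again to force exit")
            else:
                # Second Ctrl+C: abandon in-flight work without running cleanup.
                os._exit(130)
        signal.signal(signal.SIGINT, handler)


def process_batches(batches, controller, work=len):
    """Streaming loop that stops at the next batch boundary after a shutdown request.

    The in-flight batch always completes, so partial output is never written.
    """
    done = []
    for batch in batches:
        if controller.shutdown_requested:
            break
        done.append(work(batch))
    return done


def demo_interrupted_run():
    """Simulate an interrupt arriving while the second batch is being processed."""
    controller = ShutdownController()
    batches = [[1, 2], [3], [4, 5, 6]]  # constructed input

    def work(batch):
        if len(batch) == 1:          # pretend the user pressed Ctrl+C here
            controller.request()
        return len(batch)

    return process_batches(batches, controller, work)


if __name__ == "__main__":
    ShutdownController().install()
    print(demo_interrupted_run())
```

The check sits between batches rather than inside the per-event work so a single interrupt never leaves a half-written result; the cost is that a very large batch delays the graceful stop, which is exactly why the second stage exists.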

Internal

  • Consolidated ATT&CK parsing logic
  • Type annotations cleanup across core modules

Rulesets

  • Refreshed all 12 rules_*.json rulesets

Documentation

  • Simplified Advanced.md examples and jq query patterns; condensed transform examples

Full Changelog: https://github.com/wagga40/Zircolite/compare/v3.6.3...v3.7.0


About Zircolite

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs
