Release notes
Detailed notes on the features, improvements, and fixes shipped in each IDPS-ESCAPE release. For the full list of all changes see the changelog.
v0.9
April 2026
Apache/Nginx web access log support for GeoIP detection
The GeoIP detection scenario now covers HTTP/HTTPS web server traffic in
addition to SSH authentication events. A new accesslog decoder
(0375-web-accesslog.xml) parses Apache and Nginx access logs, and a new
detection rule 100902 triggers on requests originating from non-whitelisted
countries. The accompanying SRS-055 requirement has been expanded to cover web
server log monitoring, with updated acceptance criteria for the new rule and its test
cases.
Unit tests for GeoIP enrichment have been extended to cover the new log formats, and the
geoip_detection_explained.md documentation has been updated with Apache and
Nginx configuration examples for enabling source-IP GeoIP monitoring over web traffic.
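As an added illustration of what the new decoder and rule do together (this is example code written for these notes, not the project's decoder or rule 100902 itself), the snippet below parses Apache/Nginx combined-format lines, resolves the source IP through a constructed stand-in for the GeoIP database, and raises an alert for requests from countries outside a whitelist. The regex, the `GEOIP_TABLE` mapping, the whitelist contents and all function names are assumptions made for the example.

```python
import re
from typing import Optional

# Apache/Nginx "combined" log layout (both servers emit this format by default).
COMBINED_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed stand-in for the GeoIP database lookup; these are documentation IP ranges.
GEOIP_TABLE = {"203.0.113.7": "LU", "198.51.100.22": "DE", "192.0.2.99": "BR"}

ALLOWED_COUNTRIES = {"LU", "DE", "FR", "BE"}  # example whitelist, not the project's default
RULE_ID = 100902  # detection rule id named in the release notes


def parse_access_line(line: str) -> Optional[dict]:
    """Decode one combined-format line into its fields; None if the line does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def evaluate(line: str, allowed=ALLOWED_COUNTRIES) -> Optional[dict]:
    """Return an alert for a request from a non-whitelisted country, else None.
    An IP with no GeoIP result yields no alert: there is nothing to compare against."""
    ev = parse_access_line(line)
    if ev is None:
        return None
    country = GEOIP_TABLE.get(ev["src_ip"])
    if country is None or country in allowed:
        return None
    return {"rule": RULE_ID, "src_ip": ev["src_ip"], "country": country,
            "method": ev["method"], "url": ev["url"], "status": int(ev["status"])}


# Constructed sample access log: one whitelisted source, one not, one undecodable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2026:09:14:02 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.99 - - [10/Apr/2026:09:14:05 +0200] "POST /login HTTP/1.1" 401 231 "-" "curl/8.5"',
    "not an access log line",
]


def run(lines=SAMPLE_LOG):
    """Apply the rule to every line and collect the alerts."""
    return [alert for alert in (evaluate(line) for line in lines) if alert]
```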
Multi-node Wazuh deployment support
IDPS-ESCAPE now fully supports multi-node Wazuh manager topologies. The deployment guides and Ansible automation have been updated with multi-node configuration parameters, topology guidance, and precondition details for the Ansible executable.
Optional data ingestion flag for detector training
A new --ingest flag for run-radar.sh decouples synthetic
dataset ingestion from scenario deployment, enabling both fresh deployments that require
training data and production deployments that rely on live data. A BATS test case
validates the flag’s behaviour end-to-end.
Webhook bootstrap & reliability improvements
A dedicated bootstrap_webhook.yml Ansible task enables independent
webhook service deployment. Container initialisation has been made more reliable through
state-aware checks and retry logic, and the health check now uses explicit file lists
instead of pattern matching for higher reliability.
Anomaly detection threshold-based filtering
Anomaly detection accuracy has been improved through configurable threshold-based filtering rules, reducing false positives in noisy environments without requiring model retraining.
Test specification TST-049 & report TRP-038
A new comprehensive test case specification TST-049 for RADAR integrity testing has been added, along with the corresponding execution report TRP-038 capturing the v0.9 test campaign results.
v0.8
March 2026
SATRAP-DL DECIPHER integration for real-time CTI analysis
The stub SatrapClientMock has been replaced by a fully operational
DecipherClient connecting to the DECIPHER REST API.
RADAR now performs real-time Cyber Threat Intelligence (CTI) analysis via the
analyze endpoint and creates incident cases via create_incident
as part of the tiered active response pipeline.
A new system requirement SRS-061 formalises the tiered active response
logic with DECIPHER risk-based decision making. Environment configuration has been updated
with dedicated DECIPHER_BASE_URL, DECIPHER_VERIFY_SSL, and
DECIPHER_TIMEOUT_SEC variables, replacing the earlier FlowIntel-only env vars.
| Endpoint | Purpose |
|---|---|
| analyze | Real-time CTI enrichment — scores IOCs against threat intelligence sources (MISP, SATRAP). |
| create_incident | Opens an incident case in FlowIntel when the risk tier warrants escalation. |
RADAR health check
Manager-side and agent-side health checks via health-radar.sh verify the
status of all RADAR elements using dedicated Ansible tasks. The checks cover container
liveness, Wazuh connectivity, and RADAR component availability, enabling rapid
diagnosis of deployment issues.
RADAR attack simulation
A new simulate-radar.sh orchestration script drives attack simulations
across three RADAR scenarios — GeoIP detection, log volume,
and suspicious login — using Python simulation modules. An Ansible
playbook extends simulation support to remote agents via SSH key authentication, enabling
end-to-end validation of the full detection and response pipeline without real attacker
traffic.
Tiered active response configuration
The active response configuration has been redesigned around explicit tiers.
tier1_min defines the Tier 0 boundary for low-risk events handled without
escalation. Mitigations are now split into per-tier mitigations_tier2 and
mitigations_tier3 keys, and the redundant risk_threshold and
create_case keys have been removed. IOC extraction now includes country,
ASN, and agent fields; domain extraction filters out file-extension-like TLDs.
SpecEngine C5DEC v1.2 upgrade & new tooling
All SpecEngine scripts have been consolidated under docs/specs/SpecEngine/.
New tools added in this release include c5graph.py (interactive spec graph
viewer), c5mermaid.py (Mermaid diagram rendering), c5traceability.py
(traceability matrix with coverage metrics and HTML report), c5browser.py
(Bootstrap + DataTables items browser), prune_bad_links.py (link hygiene),
and doorstop_yml_to_md.py (item migration helper). The dev container has been
extended with Node.js 20, Chromium, and the Mermaid CLI to support diagram rendering.
TRP document type & v0.8 test campaign
The separate TRA and TRB Doorstop document types have been merged into a single TRP (Test Case Execution Report) document type. v0.8 test campaign results are captured in TRP-030 through TRP-037.
RADAR helper & suspicious login improvements
The velocity cap has been removed from the RADAR helper; speed calculation now uses
the log timestamp instead of the processing time, and a dt_eps constant
prevents division-by-zero when events share the same timestamp. A new suspicious login
correlation rule has been added. Country-change and ASN novelty tracking are now
maintained independently per user. Unit tests reflect all these changes with two
additional tests.
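To make the helper changes concrete, here is an added example (written for these notes, not the RADAR helper's own code) of speed computed from log timestamps with a `dt_eps`-style floor and no velocity cap, alongside per-user country-change and ASN novelty tracking. The `DT_EPS` value, the event fields, the coordinates, the private-use ASNs and the function names are all assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

DT_EPS = 1.0  # seconds; constructed value for the dt_eps floor on time deltas

@dataclass
class LoginEvent:
    user: str
    ts: datetime  # taken from the log record, never from processing time
    lat: float
    lon: float
    country: str
    asn: int

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def speed_kmh(prev, cur):
    """Implied travel speed from log timestamps; dt is floored at DT_EPS so equal
    timestamps never divide by zero. No velocity cap: the raw value is returned."""
    dt = max((cur.ts - prev.ts).total_seconds(), DT_EPS)
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / (dt / 3600.0)

def observe(state, ev):
    """Update per-user state (last login, countries and ASNs seen) and return features."""
    st = state.setdefault(ev.user, {"last": None, "countries": set(), "asns": set()})
    last = st["last"]
    feats = {
        "speed_kmh": speed_kmh(last, ev) if last else 0.0,
        "country_change": last is not None and last.country != ev.country,
        "new_country": bool(st["countries"]) and ev.country not in st["countries"],
        "new_asn": bool(st["asns"]) and ev.asn not in st["asns"],
    }
    st["countries"].add(ev.country)
    st["asns"].add(ev.asn)
    st["last"] = ev
    return feats

# Constructed sample: two logins sharing one log timestamp, then one an hour later.
T0 = datetime(2026, 3, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    LoginEvent("alice", T0, 49.61, 6.13, "LU", 64496),
    LoginEvent("alice", T0, -23.55, -46.63, "BR", 64511),
    LoginEvent("alice", T0.replace(hour=11), 49.61, 6.13, "LU", 64496),
]
```

Feeding `SAMPLE_EVENTS` through `observe` with a shared state dict shows the second login producing a very large but finite speed (identical timestamps, floored dt) and the third flagging a country change without country or ASN novelty.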