Kestrel-lang

Latest version: v1.7.6


1.4.2
==================

Added
-----

- links to Black Hat 2022 website, recording, and demo/lab
- Kestrel logo in PNG
- link to the Kestrel binder service blog post

Fixed
-----

- consistent stix-shifter and connector versions

Changed
-------

- lowercase grammar strings

1.4.1
==================

Added
-----

- multi-user cache folder support in debug mode #236
- ppid used in process identification (post-prefetch) #238
- process identification upgraded to a two-step approach
- fine-grained process identification time offsets
- per entity type prefetch config support #241
- support for automatically converting input files to STIX in stixbundle interface

Fixed
-----

- prefetch when parent_ref not in process table
- false positives in generic relation resolution
- second execution of a failed query should raise exception
- master runtime directory test case fix
- ``~`` support in config file path (env var)

1.4.0
==================

Fixed
-----

- Fix NameError: name 'DataSourceError' is not defined
- Pass stix-shifter profile options into translation #230

Added
-----

- Relative timespans instead of START/STOP #181

  - e.g. ``LAST 5 MINUTES``

- Group by "binned" (or "bucketed") attributes

  - e.g. ``GROUP foo BY BIN(first_observed, 5m)``

Changed
-------

- bump min Python version to 3.7
- update OCA Slack invitation link

1.3.4
==================

Fixed
-----

- broken ``/tmp/kestrel`` symbolic link will crash a new session
- double close (double release resources) with context manager and aexit
- AttributeError with timestamped grouped variable #224
- subsequent GET would return no results #228

Added
-----

- documentation on macOS debug folder path
- interface figure updated with new planned interfaces
- dynamically load stix-shifter YAML profiles #227
- new exception: MissingEntityAttribute
- unit test: disp timestamped group by

Changed
-------

- codecov GitHub App enabled instead of codecov-bot
- stixshifter interface module ``connector`` split from ``interface``.

1.3.3
==================

Fixed
-----

- Jupyter kernel crashing upon restart

1.3.2
==================

Added
-----

- runtime warning generation for invalid entity type #200
- auto-complete relation in FIND
- auto-complete BY and variable in FIND
- add logo to readthedocs
- upgrade auto-complete keywords to be case sensitive #213
- add testing coverage into GitHub workflows
- add codecov badge to README
- 31 unit tests for auto-completion
- the first unit test for JOIN
- two unit tests for ASSIGN
- five unit tests for EXPRESSION
- use tmp dir for generated testing data
- auto-deref with mixed IPv4/IPv6 in network-traffic

Fixed
-----

- missing ``_refs`` handling for 2 cases out of 4 #205
- incorrectly dereferencing attributes after GROUP BY
- incorrectly yielding variable when auto-completing relation in FIND
- pylint errors about undefined-variables

Changed
-------

- update grammar to separate commands yielding (or not) a variable
- change FUNCNAME from a terminal to an inlined rule
- differentiate the terminal "by"i between FIND and SORT/GROUP
