Kestrel-lang

==================

Changed
-------

- GitHub Actions upgraded to setup-pythonv3 + Python 3.10

Fixed
-----

- *The description failed to render* when uploading to PyPI.
- README.rst misses images when rendered at non-github sites, e.g., PyPI.

==================

Added
-----

- internal data model upgraded to firepit 2.0.0 with full graph-like database schema:

- new firepit data schema named `normalized <https://firepit.readthedocs.io/en/latest/database.html>`_.
- the normalized schema extracts/recognizes entities/SCOs from STIX observations and stores them and their relations.
- the normalized schema fully enables a Kestrel variable to refer to a list of homogeneous entities as a view in a relational-DB table.
- older hunts will need to be re-executed.

- syntax upgrade: introducing the language construct *expression* to process a variable, e.g., adding a ``WHERE`` clause, and the processed variable can be

- assigned to another variable, so one does not need another ``GET`` command with a STIX pattern to do filtering.
- passed to ``DISP``, so ``DISP`` is naturally upgraded to support many clauses such as ``SORT``, ``LIMIT``, etc.

- new syntax for initial events handling besides entities:

- entities in a variable do not have timestamps anymore; previously all observations of the entities were listed in a variable with timestamps.
- use the function ``TIMESTAMPED()`` to wrap a variable into an expression when the user needs timestamps of the observations/events in which the entities appeared. This is useful for analyzing and visualizing events of entities through time, e.g., time series analysis of visited ``ipv4-addr`` entities in a variable.

- unit tests:

- 5 more unit tests for command ``FIND``.
- 2 more unit tests for command ``SAVE``.
- 2 unit tests for expression ``TIMESTAMPED()``.

- new syntax added to language reference documentation

- ``TIMESTAMPED``
- ``DISP``
- assign

- repo updates:

- Kestrel logo created.
- GOVERNANCE.rst including *versioning*, *release procedure*, *vulnerability disclosure*, and more.

Removed
-------

- the copy command is removed (replaced by the more generic assign command).

Changed
-------

- repo front-page restructured to make it shorter but providing more information/links.
- the overview page of Kestrel doc is turned into a directory of sections. The URL of the page is changed from `overview.html <https://kestrel.readthedocs.io/en/latest/overview.html>`_ to `overview <https://kestrel.readthedocs.io/en/latest/overview>`_.

==================

Added
-----

- error message improvement: suggestion when a Python analytics is not found
- performance improvement: cache STIX bundle for any downloaded bundle in the stix-bundle data source interface
- performance improvement: pre-compile STIX pattern before matching in the stix-bundle data source interface
- performance improvement: skip prefetch when the generated prefetch STIX pattern is the same as the user-specified pattern
- documentation improvement: add building instructions for documentation
- documentation improvement: add data source setup under *Installation And Setup*
- documentation improvement: add analytics setup under *Installation And Setup*

Fixed
-----

- STIX bundle downloaded without ``Last-Modified`` field in response header 187
- case sensitive support for Python analytics profile name 189

==================

Added
-----

- remote data store support
- unit test: Python analytics: APPLY after GET
- unit test: Python analytics: APPLY on multiple variables

Fixed
-----

- bump firepit version to fix transaction errors
- bug fix: verify_package_origin() takes 1 argument

Removed
-------

- unit test: Python 3.6 EOL and removed from GitHub Actions

==================

Added
-----

- unit test: python analytics basic tests
- unit test: stix-shifter connector verification

Removed
-------

- dependency: matplotlib

==================

Added
-----

- Kestrel main package

- matplotlib figure support in Kestrel Display Objects
- analytics interface upgraded with config shared to Kestrel

- Python analytics interface

- minimal requirement design for writing a Python analytics
- analytics function environment setup and destroy
- support for a variety of display object outputs
- parameters support
- stack tracing for exception inside a Python analytics

- STIX-shifter data source interface

- automatic STIX-shifter connector install

- connector name guess
- connector origin verification
- comprehensive error and suggestion if automatic install failed

- pretty print for exception inside a Docker analytics

- documentation

- Python analytics interface
- Kestrel debug page
- flag to disable certificate verification in STIX-shifter profile example

Changed
-------

- abstract interface manager between datasource/analytics for code reuse

Fixed
-----

- auto-complete with data source 163
- exception for empty STIX-shifter profile
- STIX-shifter profile name should be case insensitive
- exception inappropriately caught when dereferencing vars with no time range

Removed
-------

- documentation about STIX-shifter connector install