AgileSec 3.5.0 Release Notes

This release includes a new unified data model, enhanced policy coverage, platform and sensor improvements, and expanded deployment, monitoring, and integration capabilities.

New Features and Enhancements

New Data Model

• The updated schema captures a comprehensive range of cryptographic asset types — including keys, certificates (x509), algorithms, protocols, keystores, libraries, tokens, and databases — providing structured, detailed coverage across all finding types.

• All sensors now produce findings in a unified format, eliminating inconsistencies across source types and enabling reliable cross-source analysis.

• Policies written against the schema work uniformly across all sensor types and sources, removing the need for sensor-specific policy variants.

• Data migration supports both automatic and manual options. Backwards compatibility is optional — existing data can either remain queryable alongside new schema data, or be fully migrated to the new schema. Refer to the Data Migration Guide for details, including the new schema.

Policy Updates

• Updated cryptographic algorithm classifications to improve detection coverage for weak and insecure algorithms.

• Enhanced identification of weak RSA and ECC public key algorithms across keys and certificates.

• Extended weak signature algorithm detection to cover additional hash algorithms used in certificate signing.

UI Updates

• New layout aligned with Keyfactor branding across the following screens:

  • Overview

  • All Findings

  • Finding Details

  • Scan History Details

  • Analysis by Sources

  • Analysis by Filter

• The updated Finding Details screen now displays alerts and raw cryptographic details for findings.

• Unified Sensor packages for Linux, Windows, and macOS are now available for download directly from the UI.

• When SAML 2.0 SSO is configured, an SSO button is now displayed on the login screen.

API updates:

• Bearer token authentication for the Scan API. Header token authentication is now deprecated.

• Audit logs can now be forwarded to API logs.

• Several performance improvements.

Indexing Service

• Introduced a new backend microservice: the Indexing Service. The Indexing Service replaces Fluentd, which is now deprecated. Fluentd remains available for backwards compatibility with v2 sensors.

• The Indexing Service simplifies data transformation and pipeline throughput, enabling higher scalability and reduced memory overhead.

Unified Sensor Updates

• macOS sensor package now available.

• Switched to bearer token authentication. Header token authentication is now deprecated.

• Added incremental scan support for the host sensor.

• EDR-based sensor deployment now includes support for the following additional platforms:

  • Linux, Windows and macOS sensor deployment via CrowdStrike.

  • Linux and Windows sensor deployment via Tanium.

Sensor Updates

• Azure Key Vault Sensor now supports the following filtering capabilities:

  • Filter by Tenant ID.

  • Filter by one or more Subscription IDs. If not specified, all subscriptions are scanned.

  • Include or exclude specific Resource Groups. If not specified, all resource groups are scanned.

  • Include or exclude specific vault names.

• Keyfactor Command Sensor includes the following enhancements:

  • OAuth flow support for token-based authentication.

  • Query filter to limit which certificates are scanned — for example, by name, status, expiration date, or metadata attributes.

ServiceNow VR Module

• Release 3.5 adds support for the ServiceNow VR module.

Updates for On-Premise Deployments

• Platform admin users can now SSO into OpenSearch Dashboards with full admin access, eliminating the need to log into OpenSearch directly.

• manage.sh can now be run using sudo or as root. Only HAProxy runs as root when configured for ports below 1024; all other services start as the installation user.

• API audit logs can now be written to api.log in the logs folder by setting AUDIT_MODE="logger" in config_envs/api.

• Several internal routing improvements for enhanced performance.

Unified Installer Updates for On-Premise Deployments

• The Unified Installer supports in-place upgrades from version 3.4 to 3.5.0.

• Added a non-interactive installation mode (--non-interactive flag) for installer script install_analytics.sh, allowing the installation process to run without user input. The --non-interactive flag has also been added to the following supporting scripts: generate_envs.sh, generate_certs.sh, and uninstall.sh.

• Added a new install sub-command to install_analytics.sh to support additional operations in future releases. Existing usage without the sub-command remains unchanged.

• Added support for configuring frontend nodes to listen on port 443 (standard HTTPS port). Binding to this privileged port requires sudo privileges.

Monitoring

• Prometheus exporters are now available for Kafka, OpenSearch, and MongoDB. All backend services are monitored via Kubernetes Node Exporters, providing node-level CPU, memory, and disk usage metrics across Kubernetes deployments.

Kubernetes

• The AgileSec platform now supports Kubernetes 1.33.

Sensors and Connectors

The following additional sensors are available with v3.5:

Bug Fixes

• When the Artifactory sensor is configured with a non-existent repository, the sensor now correctly reports a failure status instead of completing with a successful status.

• If a Git repository contains an invalid archive, the Git sensor now skips the invalid archive and continues scanning. Previously, the sensor would fail upon encountering an invalid archive.

• Fixed an issue where Kafka cluster formation could fail in deployments with three or more backend nodes due to voter ID mismatch. To avoid this in future release, node_id values in multi_node_config.confare now auto-generated.

• Fixed an issue where the MongoDB replica set connection URI was incorrectly generated when deploying with three or more backend nodes, causing service startup failures.

• Fixed incorrect flagging of ECC keys by RSA weak public key policies, caused by exact match failure on compound algorithm names like ECC NIST P.

• During installation, frontend installation no longer fails if Kafka brokers have not formed a cluster yet. Installer goes into retry mode and gives users opportunity to wait for the Kafka cluster to form or retry the restarts manually if needed.

• tune.sh uses --disablerepo=* flag to prevent the installer from hanging or failing when attempting to contact unregistered or unreachable repositories.

• Fixed issue with installer failing when using .local for analytics domain. Now installer checks and fails during prerequisite stage.

• On SSO settings screen, the configuration is now consistently displayed, and settings can be updated through the UI.

• Fixed several UI usability issues

Vulnerabilities Status

• For confluent-init-container, the security blast-radius is reduced due to this container being alive only during the Pod initialization process. Additionally, the Pod in which confluent-init-container lives is exposed only to internal network.

Download Links

Release packages can be download from: https://download.infosecglobal.com/index.php/s/pzcHKfzNqSQftTQ

Access credentials are required for all download links.