Release Notes v0.0.1 (MVP)
This release introduces the initial version of Sekoia Self-Hosted, providing a robust security operations foundation for disconnected and regulated environments.
New features
- Air-gap support: Enable full deployment and operational capabilities in restricted or isolated environments with no external connectivity.
- Deployment CLI: Access a unified orchestration tool designed to manage the platform lifecycle, from initialization to upgrades.
Technical foundation
- Kubernetes stack: The platform is built on a lightweight and certified K3s distribution for optimized resource management.
- OS Support: This release is officially certified for deployment on Debian 11 (Bullseye).
Functional scope
The functional scope of Sekoia Self-Hosted aligns with the Defend Core subscription, with specific exceptions related to air-gapped environment constraints.
| Feature | Available | Description |
|---|---|---|
| Meta-playbooks | Yes | Supports advanced automation workflows. |
| OC Notifications | Yes | Operations Center notification system. |
| Observable Tags Enrichment | No | Automatic enrichment of events with observable tags. |
| Cloud-to-Cloud Ingestion | No | Not supported for air-gapped deployments. |
| Encrypted Ingestion | Yes | Supports Syslog TLS, RELP TLS, and HTTPS ingestion. |
| Custom Intake Formats | Yes | Allows creation and management of custom parsing formats. |
| Sigma Correlation | Yes | Full support for Sigma-based correlation rules. |
| Playbooks | Yes | Built-in automation and orchestration capabilities. |
| Automatic Asset Discovery | Yes | Identifies assets within the monitored perimeter. |
| Retrohunt | Yes | Search for past indicators in historical data. |
| Anomaly Detection Engine | Yes | Statistical and behavioral anomaly detection. |
| Case Management | Yes | Standard security incident tracking and management. |
| Hot Storage | Yes | High-performance storage for active investigation. |
| Sekoia Endpoint Agent | Yes | Support for host-level visibility and response. |
| Contextualized Alerts | No | Requires real-time CTI embedding (unsupported in air-gap). |
| SOL Query Builder | Yes | Visual and syntax-based search interface. |
| Detection Rules | Yes | Access to the standard Sekoia.io detection library. |
| Event Drop Detection | Yes | Monitoring of log ingestion continuity. |
| Cases Custom Status | Yes | Ability to define specific incident lifecycles. |
| Investigation Graph | Yes | Visual representation of security incidents and entities. |
| Notebooks | Yes | Collaborative workspaces for threat hunting. |
| Sigma Pattern Validation | Yes | Built-in syntax checking for Sigma rules. |
| SOL Dataset | Yes | Logical grouping of event data. |
| Dashboard Filters | Yes | Dynamic filtering for visualization modules. |
| Roy Assistant | No | AI assistant not compatible with air-gapped environments. |
| Dashboards | Yes | Customizable visual monitoring interfaces. |
| APIs | Yes | Full programmatic access to platform functions. |
| Member Management | Yes | RBAC and user administration. |
| Usage Reporting | Yes | Statistics on data volume and platform usage. |
| Subscription Management | Yes | Internal license and subscription tracking. |
| SSO / MFA | Yes | Integration with identity providers for secure access. |
| Region Threat Telemetry | Yes | Geographic-based threat visualization. |
Specific environment constraints
Deploying in air-gapped or restricted environments introduces the following operational changes:
Threat Intelligence and Detection
While the standalone Threat Intelligence (CTI) research module is not available in air-gapped deployments, the platform remains fully powered by Sekoia.io intelligence.
- Detection Rules: All rules (Sigma, patterns) are embedded in the release and fully operational.
- CTI Context: Live cloud-based enrichment and manual exploration of the CTI database (threat actors, malware, reports) are not supported without external connectivity.
Security content delivery
To ensure continuous protection, every product release includes the latest version of:
- Sekoia detection rules.
- Integration connectors (Intake formats).
- Automation library (SOAR modules).
This ensures your deployment remains up to date with the latest threat detection logic even without external connectivity.