Release Notes

10.5.x Breaking Changes

  • AngularJS library is now updated to version 1.7.9 from version 1.4.8.

  • Updated the EUI Library from the Siren custom version, sirensolutions/eui#4.3.0-siren-patched-1, to "@elastic/eui": "22.1.0" across the entire Siren ecosystem.

  • Removed queries and the Query Viewer visualization, due to the removal of old data sources.

  • REST data source support was removed and replaced with the new Web services feature.

  • Two method signatures in the Siren scripting API have been changed: dashboard.getDashboardDataModelSearchByTitle and dashboard.getDashboardDataModelSearchByNodeId. These methods are now asynchronous and return a Promise. If you used them in any sirenapi scripts, you must update those scripts.

  • We no longer rely on field mappings while doing the CSV export. The format of exported fields in some specific situations can change if the field was of type date. Please use cell formatters to get the desired formats across the application.


Security Fixes

  • Upgraded the log4j2 dependencies to version 2.17.0 in the Gremlin Server component to address CVE-2021-45105. If you are using a custom logging properties file, which is specified by the investigate.yml setting investigate_core.gremlin_server.log_conf_path, you will need to upgrade the file to the Log4J2 format. A sample file in the new format is available here. If you are not using a custom logging properties file, you do not need to take action.
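A pre-upgrade check for the custom logging properties file mentioned above, as an added example that is not part of the Siren release notes or Siren's sample file: it classifies a properties file as Log4j 1.x syntax (must be converted) or Log4j2 syntax. The function names and both sample configurations are constructed for illustration; line continuations in properties files are not handled.

```python
import re

# Constructed sample: Log4j 1.x properties syntax (every key starts with "log4j.").
LEGACY_SAMPLE = """\
# old-style file
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ISO8601} %-5p %c - %m%n
"""

# Constructed sample: the same console logging in Log4j2 properties syntax.
LOG4J2_SAMPLE = """\
status = warn
appender.console.type = Console
appender.console.name = STDOUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d{ISO8601} %-5p %c - %m%n
rootLogger.level = info
rootLogger.appenderRef.stdout.ref = STDOUT
"""

# Keys that only exist in the Log4j 1.x properties format.
LEGACY_KEY = re.compile(
    r"^log4j\.(rootLogger|rootCategory|threshold|appender\.|logger\.|category\.|additivity\.)"
)
# Keys that are characteristic of the Log4j2 properties format.
LOG4J2_KEY = re.compile(
    r"^(rootLogger\.|appender\.[^.]+\.type$|logger\.[^.]+\.(name|level)$|appenders$|loggers$)"
)


def parse_properties(text):
    """Return {key: value}; skips blank lines and '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Java properties accept '=', ':' or whitespace as the separator.
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_log_conf(text):
    """Classify a logging properties file and list the keys that decided it."""
    keys = parse_properties(text)
    legacy = sorted(k for k in keys if LEGACY_KEY.match(k))
    modern = sorted(k for k in keys if LOG4J2_KEY.match(k))
    if legacy and modern:
        fmt = "mixed"      # partially converted file: finish the migration
    elif legacy:
        fmt = "log4j1"     # must be rewritten in Log4j2 format
    elif modern:
        fmt = "log4j2"     # already in the new format
    else:
        fmt = "unknown"    # empty or not a recognised logging config
    return {"format": fmt, "legacy_keys": legacy, "log4j2_keys": modern}


if __name__ == "__main__":
    for name, sample in (("legacy", LEGACY_SAMPLE), ("log4j2", LOG4J2_SAMPLE)):
        result = audit_log_conf(sample)
        print(name, "->", result["format"])
        for key in result["legacy_keys"]:
            print("  convert:", key)
```

To check a real deployment, pass the contents of the file that `investigate_core.gremlin_server.log_conf_path` points to.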


Security Fixes

Bug Fixes


  • Fixed an issue that caused all visible dashboard counts to be refreshed when a user was viewing a dashboard with the auto-refresh mode enabled. Introduced the timepicker:autoRefreshAllDashboardCount advanced setting in the Management app to allow this behavior to be enabled if required.

Graph Browser

  • Upgraded dependencies to address an issue that could cause the graph to not be rendered or crash on Chrome version 93 or higher.

Data import

  • Fixed an issue that prevented the upload of CSV files when a custom pipeline was specified in the import configuration.


  • Fixed an issue in the Analytic Table visualization that caused incorrect counts when configuring multiple buckets for both rows and columns.

  • Fixed an issue in the Enhanced Coordinate Map visualization that prevented the filter creation modal from appearing with disabled location filters.


Bug Fixes

  • Applied a critical licensing fix to third party graph dependencies.

  • Fixed an issue that caused an error to be logged in the browser console while saving the data model or a visualization in the visualization editor.

  • Fixed a regression issue where the Add filter button was not showing up in the visualization editor.


  • Updated Node.js to version 10.24.1.


Bug Fixes

  • Fixed an issue that prevented sorting from working in a Record Table visualization with a custom template.

  • Fixed an exception that occurred while editing the dashboard data model settings.

  • Fixed a broken script download link in the Elastic Stack Security documentation.

  • Fixed an issue that prevented a time range update from being applied to all dashboards when multiple dashboards were selected.

  • Fixed an issue that could cause an incorrect metric name to be displayed in the legend of Pie chart visualizations.

  • Fixed an issue that displayed the filter icon on the dashboard even after saving it.

  • Fixed an issue with the Other bucket feature, which was not working properly when applied to a nested terms aggregation.

  • Fixed an issue that occurred while saving the state of the selected relations in the Graph Browser and switching dashboards.

  • Fixed an issue where incorrect results were shown while switching from the Dashboard 360 to another dashboard by using the Relational Navigator.

  • Fixed an issue where pressing CTRL+F in a JSON document view would cause the system to crash when logged in as a non-administrative user.

  • Fixed an issue where wrong counts were reported for self-aggregated relations between EIDs in the Graph Browser visualization.

  • Fixed an issue where geohash aggregations were producing oversized circles in the Enhanced Coordinate Map visualization.

  • Fixed an issue where some old audit entries preserved in localStorage caused errors due to the tabId property still being present in them.

  • Fixed an issue where the JSON/CSV export did not work correctly on a dashboard built on top of a remote cluster search.

  • Fixed an issue that prevented the creation of watchers from templates on dashboards that were built on top of a remote cluster search.

  • Fixed a regression where dashboard groups were initially not collapsed and did not stay collapsed after certain operations.


  • In the session audit feature, added the ability to log the following:

    • The Investigate instance name

    • Response bodies

    • Operations on saved objects

    • Data export requests

    • Arbitrary HTTP headers and remote IP addresses

  • Marked all HTTP requests that are issued from the UI by the session audit feature as system requests, to avoid triggering the visual pending requests indicator.

  • The Relational Navigator now fully respects the siren:enableAllRelBtnCount flag when set to false.

  • Added an extra option to set the highlight type for all search fields.

  • Added the title of the sirenapi script to the warning notification, so it is possible to identify the script that’s causing the problem.

  • Added the trustAsUrl filter, which can be used in Angular.js templates to process variables through $sce.trustAsResourceUrl.

  • The session audit feature now logs clicks on the left menu bar.

  • Added automatic URI decoding of HTTP header values processed by the session audit feature.

  • Reduced the number of requests to retrieve field information for indices at runtime to improve dashboard loading performance.

  • Introduced the investigate_access_control.session_termination_whitelist.local_storage_keys option in the investigate.yml file.

  • Now, session audit will flush the UI entries in batches of one hundred to prevent the error: "too large POST body".


Bug Fixes

  • Fixed an issue that caused the legend label to be incorrect on a pie chart visualization when an aggregation other than Count was selected.

  • Fixed an issue that caused the Enhanced Coordinate Map to throw an undefined error in certain situations.

  • Fixed an issue that caused the dashboard funnel icon to be incorrectly shown when the time mode was changed.

  • Fixed an issue that caused the filter bar to become hidden when a user disabled a pinned filter.

  • Fixed an issue that caused the application to crash when adding a visualization to a dashboard.

  • Fixed an issue that caused the --dont-backup flag to be ignored when used together with the -y flag during the upgrade procedure.

  • Removed an obsolete advanced settings option: indexPattern:fieldMapping:lookBack.


  • Removed an inconsistent loading message in the Boxplot visualization.

  • Reduced the number of calls to fetch mappings, which improves the system performance.

  • Optimized bulk_get requests to send only a single mget request to fetch the data from the back-end system, instead of many get requests.

  • Now, when opening the application, only visualizations for all visible dashboards are fetched.

  • When a user opens Siren Investigate for the first time, we now correctly mark all collapsed dashboard groups. This should reduce the number of count requests and improve the system performance.

  • Optimization introduced to skip a request for counts on a dashboard in certain situations.

  • The download package now includes Elasticsearch version 7.9.2 and Siren Federate version 7.9.2-21.1.

  • Added a confirmation message to notify the user that the pinned filters will be saved by clicking Save from the Dashboard, Data Model and Discover pages.

  • Added a new uiacl context, which allows you to show or hide the Expensive queries configuration section in the Data model → Options tab.

  • Added a range slider that controls the upper and lower bounds in the Input control visualization.


Bug Fixes

  • The Select - By Edge Count option in the Graph Browser now applies to the nodes that have been selected.

  • Fixed the address bar flickering when making changes in the Scatter Plot visualization.

  • The pagination of the data tab in the Data Model page no longer goes out of sync when moving quickly between pages.

  • Fixed the alignment of the breadcrumbs on the Visualization Permissions page.

  • If navigating to a shared link, logging into OpenID no longer redirects you to the default dashboard.

  • The backup directory must now be passed to the restore command as it is needed by the script.

  • The Data Import app now displays an error if an attempt is made to upload an unsupported file.

  • If a querystring cannot be parsed by topic clustering, the courier no longer appends invalid requests to msearches for the rest of the session.

  • Prevented field selectors in the visualization configuration from overflowing when field names were long.

  • Aborting the data import process is now reflected properly in the UI.

  • The text is now selectable in the cards of the Graph Browser visualization.

  • Fixed a problem that prevented the creation of new cards in the Graph Browser visualization.

  • Fixed a date formatting issue in the node labels of the Graph Browser visualization.

  • Filtering a dashboard that applies the maximum document limit now updates documents in the dashboard and visualizations.

  • Clicking Remove in the Data Import app now stops the import of the file.

  • Newly-created dashboards with a description now show a tooltip when they are hovered over.

  • Fixed an undefined error when rendering custom templates.

  • Removed an obsolete prompt about security permissions when upgrading Siren Investigate.

  • Fixed the Discover app showing a blank page after login when it is the default application.

  • Searchbar entries are now sanitized to prevent script execution.

  • Fixed a bug where updating the mappings of an index pattern and refreshing the fields would not update the index pattern saved object.

  • The Node Image lens in the Graph Browser visualization now renders the custom image that is selected.


  • Added OpenID Connect support for Elastic Stack Security.


Bug Fixes

  • Fixed a bug that would cause the incorrect ordering of entries in the dashboard sidebar.

  • Clicking View surrounding documents on a table row no longer results in an error.

  • Fixed a fatal error (blank screen) that displayed when the target index does not exist or when the response body does not contain aggregations.

  • A new warning message displays when an auto time field is specified, but there is no time filter field assigned to that search.

  • Fixed an issue that caused the Geofield type dropdown menu to reset while the user edited the Geo-time lens.

  • Error information is now displayed when a Web service invocation fails.

  • Prevented the automatic layout of the data model when a new relation is added.

  • The application toolbar is no longer minimized automatically when the user visits a new dashboard.

  • Relation names no longer run over the selector in the Relations page.

  • Fixed an issue that caused the Web Service Saved Object configuration page to render incorrectly.

  • Fixed a bug that caused the Saved Graphs section on the Management → Saved Objects screen to appear empty.

  • When the user removes an invalid element from the 360 data model, the error message now disappears.

  • Fixed the cardinality limit to work when the user disables filters.

  • If a Dashboard 360 contains an invalid item in the tree, the application no longer displays an unhelpful warning.

  • Fixed a bug that caused visualizations to disappear behind the dashboard sidebar after the user resized the browser window.

  • Fixed an issue that caused relations not to display in the Relational Navigator.

  • Index pattern validation now only occurs when the user selects the option to validate indices.

  • Fixed an issue that caused the wrong date to display in CSV exports for indices that have date fields in the epoch_second format.

  • Fixed the CSV export to work correctly with non-ASCII visualization titles.

  • Brand icons are now applied correctly to the dashboard groups.

  • Dashboard 360 now supports icon packs.

  • Prevented queries without joins from being passed to the _siren endpoint.

  • Restored the ability to embed dashboards in an iframe.

  • Fixed a bug that occurred when the user selected a combination of time range and term filter in the Multichart visualization.

  • If a user does not have access to a subset of indices, the expansion of relations to authorized indices in the Graph Browser is not prevented.

  • Fixed an issue that caused the expensive query bar not to appear the first time the time is set above the threshold after the browser is refreshed.

  • Fixed an issue that caused an incorrect list of items to display when the user switched the page in a results table.

  • Types are now sent correctly in saved object requests.

  • Fixed a bug that caused the URL to flicker when the user created a filter when the time was modified in the Scatterplot visualization.

  • Fixed a bug in the Controls visualization that caused the list to populate only partially.

  • Fixed an invalid SVG attributes error in the Gauge visualization.

  • Added a message to the Web services interface to inform the user that no services are registered.

  • Fixed a bug that caused the tooltip containing the dashboard description not to display when the dashboard did not belong to a group.


  • Removed custom highlight query to prevent errors when searching indices having more than 1024 fields.

  • Siren Alert no longer schedules operations during the upgrade process.

  • If the user does not have permission to open Siren Alert, the Watcher button on dashboards is not displayed.

  • It is now possible to restrict access to the Web service manager application.

  • Added support for OpenID Connect when using Elastic Stack security.

  • The trigger handler on the Custom Record table template is enabled.

  • Query transformation is enabled only for Elasticsearch search/msearch requests.

  • Minor styling fixes and improvements.


Known Issues

  • The limits that are based on the number of documents are not enforced when a user disables the ‘invert’ filter or manually edits a filter that is saved with a dashboard.

Bug Fixes

  • Prevented standard users from being able to change the Siren Platform license from the Management section.

  • Prevented dashboard groups from expanding automatically when switching dashboards.

  • Prevented the dashboard sidebar from collapsing unexpectedly when switching dashboards.

  • Resolved an issue that prevented dropping a dashboard inside a dashboard group or between dashboard groups in some scenarios.

  • Resolved an issue where searches that were performed in Discover were inadvertently applied to dashboards that were bound to the same underlying index pattern search.

  • Resolved an issue that prevented users from inverting dashboard filters when editing their definition.

  • Prevented graph node counts from disappearing after expanding unrelated nodes in some scenarios.

  • Resolved an issue where a change to the dashboard filter settings did not signal a need for a recount on the Graph Browser.

  • Child searches with filters inside 360 dashboards are now handled correctly.

  • Restored the ability to set the legend positioning and customize axis labels in the Multi-Chart visualization.

  • Improved the display contrast of visualizations when a dark theme is enabled.

  • The OIDC flow is automatically restarted if the cookie with the nonce was not saved by the browser.

  • The Time Series Visual Builder visualization now works correctly with Elasticsearch 7.

  • Restored support for Font Awesome brand icons.

  • Support for long dashboard names and improved alignment of Data Model editor page in Dashboard 360.

  • Resolved issue with the color display for significant term option on the Graph Browser aggregated relations.

  • Resolved an issue that could cause the application to crash when data was not available in a visualization configured to display "other" or "missing" field counts.

  • Points no longer disappear on map clusters when zooming in.

  • Resolved usability issues with refresh count action on the Relational Navigator.

  • Resolved an issue of missing access control context for the Web Service Manager in the Access Control UI.

  • Restored auto-completion of names in the Data Model relations list.

  • Rectified an issue that prevented loading system indices correctly on Elasticsearch 6.5.4 when using the "investigate restore" command.

  • Modified Siren Alert to create new daily indices only when an actual alarm or report is produced.

  • Improved invalid file handling in the map layers ingestion scripts.

  • Resolved the order of points in geo_polygon filters that are created by the Enhanced Coordinate Map visualization.

  • Resolved an issue with a continuously spinning indicator on Dashboard 360.

  • Resolved an issue in Dashboard 360 where a join filter from a leaf visualization was applied to the main search in certain scenarios.

  • Removed the obsolete "search" REST API endpoint from Siren Alert.


Known Issues

  • The number of document limits does not work as expected when a user disables the ‘invert’ filter or manually edits a filter that is saved with a dashboard.

Bug Fixes

  • Addressed an issue with the Record Table not flattening nested JSON. Now, nested fields can be added as columns.

  • Addressed a critical issue when adding a search to dashboard 360.

  • Addressed an issue with the dashboard filter disappearing when edit mode was opened, but the filter was not edited.

  • Addressed an issue with the blank list of saved objects in the Management page.

  • Addressed an issue with the time filter not being removed when turning off timeline mode.

  • Addressed an issue when adding nodes to the dashboard 360 model.

  • Addressed an issue with the graph browser’s ‘select by edge count’ not working when nodes are not visible.

  • Addressed the display of the data model subtitle text wrap within container.

  • Addressed the issues related to the time series visual builder not working in 10.5.0.

  • Improvements to the reliability of the drag-and-drop function when moving items onto the graph browser and map components.

  • Improvement to the relation and entity identifier dependency resolution on dashboard export.

  • Improvements to the geoLoad script to allow geohash aggregations by using the geo_point field type instead of the geo_shape field type.

  • Addressed the unexpected behaviour when changing time above limits and navigating away in the expensive query limit feature.

  • Addressed the issues with the tooltip display on the graph browser nodes.

  • Addressed an issue with the scatter plot visualization not working for 'Any Aggregator Data' or 'Filter Aggregator Data' configuration options.


New features and improvements

Product compatibility

  • Introducing compatibility with Elasticsearch version 7.x. You can use Siren Investigate with the latest version of Elasticsearch that is supported by the Siren Federate plug-in.

Improved performance

  • To improve system performance, the Web app bundle size is reduced and Siren Platform now employs more efficient dashboard rendering. This enhancement speeds up a typical dashboard-switching scenario by several seconds.

  • New ability to set limits on searches, which prompts the user with a warning before they configure large joins or set broad filters.

  • Back-end performance improvements for large, multi-index, multi-shard settings.

New look interface

  • The user interface has a new look, which provides a more cohesive experience as you navigate the modules.

New core features

  • Web services: You can now dynamically retrieve data from external APIs. This data can be stored in Elasticsearch and relationally linked to your existing data. Siren Platform includes examples of commonly-used Web services, such as Webhose, JsonWhois, and Twitter. Additionally, follow our documentation to create your own Web service driver for other APIs. Web services can form part of your graph scripts, dashboard scripts, alerting scripts, or your new visual components.

  • Scripting API: You can now automate workflows and create ad-hoc visualizations by using a layer of scriptable JavaScript.

  • Natural Language Processing (beta): The Siren NLP plug-in provides an out-of-the-box Elasticsearch ingestion pipeline with a variety of processors for enriching documents with entity extraction. It can enrich text fields with predefined taxonomies and annotation for named entities, such as organization, person, or location.

  • JDBC/ODBC drivers: In collaboration with CDATA, a featured SQL driver is now available for Siren Platform. The drivers allow custom data exports for use in scripts and integrations.

Updates to maps

  • Loading map layers from Elasticsearch: The Enhanced Coordinate Map visualization now allows you to load map references that are stored in Elasticsearch indexes into pre-defined spatial groups. You can add multiple layers of shapes and points of interest (POI), set properties for each layer, and arrange and activate them, dynamically, at the dashboard level.

  • Siren supports advanced positioning use cases, by making the following enhancements:

    • The Graph Browser can now be used as a “tracker map” to track the movements of entities, both historically and by using live updates.

    • Example scripts are provided to trace contact between individuals. Other proximity use cases are available in the dashboard

Updates to graphs

  • A new Cards tab is available in the Graph Browser. Graph cards are selection-dependent visualizations that can be configured for many purposes. When you select nodes, the out-of-the-box cards display a neat summary of specific field values and allow you to quickly select a subset.

  • Numbers in the graph now change instantly as you change the relations that are active in the sidebar. Numbers can also be easily refreshed.

  • A new common communicator graph algorithm allows you to find nodes that act as communicators between 3 or more other nodes.

Updates to alerts

  • Improvements to versioning, configuration, and editing.

Known Issues

  • Issues in expensive query limit feature:

    • The limits on the number of documents currently do not work as expected when a user disables the ‘invert’ filter or manually edits a filter that is saved with a dashboard.

Bug Fixes

  • Addressed an issue with the visual builder giving an "Invalid Interval error" when changing the interval value.

  • Improved the responsiveness of the icon picker for the dashboard, dashboard groups, and index pattern searches.

  • Addressed an issue where changing the timeline in the graph browser multiple times in rapid succession would not update the layout.

  • Improved the automatic sizing of nodes in the graph browser.

  • Saved objects validation no longer verifies the existence of remote indices.

  • Addressed an issue where index data was not immediately visible in the data model page after creating a new index pattern.

  • Addressed an issue where it was not possible to fix an index pattern search that points to a missing index without disabling the saved objects validation.

  • Fixed a regression that caused a normal barchart series to appear as stacked.

  • Addressed an issue that prevented assigning a label through lenses to grouped nodes.

  • Siren now prevents the automatic download of Chromium when launching Investigate on Windows.

  • Addressed an issue that caused an error to be displayed when switching quickly between two dashboards that contain a graph browser.

  • Addressed errors that displayed in the graph browser when expanding nodes in a data model with a very high number of relations.

  • Addressed an issue in date fields processing when adding nodes from heterogeneous index pattern searches to the graph browser.

  • Addressed the inability to remove relations linked to the same entity type.

  • Addressed an issue when calculating counts on relational buttons that are linked with a virtual index.

  • Resolved the inability to add nodes from a remote Elasticsearch to the graph browser.

  • Resolved an issue related to unreliable behaviour when using force recount on the graph.

  • Addressed an issue related to the display of the date picker in the Dashboard 360 time filter.

  • Addressed an issue of the Dashboard 360 filter strategy not being persisted.

  • Addressed problems when changing an index pattern search from "time based" in the data model.

  • Resolved issues related to the display of the filter state on the dashboard menu.

  • Resolved issues related to the display format of date in the graph browser tooltips and sidebar.