Release Notes
Release notes for the Telovix Console and Sensor. Each entry covers the Console binary, Sensor binary, and any changes to the policy pack catalog. Entries are tagged (Telovix Cloud) or (Telovix self-hosted) when a change applies to only one deployment mode.
For upgrade instructions, see Upgrading Sensors and the Console self-update section in Console Installation.
1.2.0 - April 2026
Console ingestion and performance
Split-plane ingestion endpoints - The Console now processes sensor event batches and inventory reports on separate dedicated paths, improving throughput and reducing heartbeat payload size. Both use the same mTLS authentication as the heartbeat.
zstd compression on ClickHouse event inserts - The Console now compresses event batches with zstd (level 1) before writing to ClickHouse when Redpanda is not active. ClickHouse decompresses natively on the HTTP layer. Typical telecom sensor batches of 200 events compress from ~150 KB to ~8 KB, reducing Console-to-ClickHouse traffic by approximately 18x.
Inventory delta suppression - The Console now tracks a per-sensor hash of each inventory type (active connections, process list, listening services, container images, Kubernetes policies/services/workloads/ingresses, UDP listeners). An incoming inventory payload is only written to PostgreSQL when its hash differs from the previously stored value. Unchanged inventory across heartbeat cycles no longer produces redundant DB writes.
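The delta-suppression behaviour described above, as an added illustration that is not Telovix code. The SHA-256 digest, the canonical JSON form, the `InventoryStore` class and all field names are assumptions; the page does not say how the Console computes its hash. Lists are sorted before hashing so that a sensor reporting the same listeners in a different order does not defeat suppression.

```python
import hashlib
import json

def _canonical(value):
    """Normalise a payload so equal inventories serialise identically."""
    if isinstance(value, dict):
        return {k: _canonical(v) for k, v in sorted(value.items())}
    if isinstance(value, (list, tuple)):
        items = [_canonical(v) for v in value]
        # Inventory lists behave like sets: sort so report order is irrelevant.
        return sorted(items, key=lambda v: json.dumps(v, sort_keys=True))
    return value

def inventory_digest(payload):
    """SHA-256 over canonical JSON (assumed; any stable hash would do)."""
    blob = json.dumps(_canonical(payload), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

class InventoryStore:
    """Hypothetical stand-in for the database writer; counts real writes."""
    def __init__(self):
        self.last_digest = {}  # (sensor_id, inventory_type) -> digest
        self.writes = 0

    def ingest(self, sensor_id, inventory_type, payload):
        key = (sensor_id, inventory_type)
        digest = inventory_digest(payload)
        if self.last_digest.get(key) == digest:
            return False  # unchanged since last heartbeat: suppress the write
        self.last_digest[key] = digest
        self.writes += 1
        return True

# Constructed sample heartbeats for one inventory type.
LISTENING_A = [
    {"port": 22, "proto": "tcp", "process": "sshd"},
    {"port": 38412, "proto": "sctp", "process": "amf"},
]
LISTENING_B = list(reversed(LISTENING_A))  # same listeners, different order
LISTENING_C = LISTENING_A + [{"port": 8080, "proto": "tcp", "process": "python3"}]

def replay():
    store = InventoryStore()
    seq = (LISTENING_A, LISTENING_B, LISTENING_C, LISTENING_C)
    results = [store.ingest("sensor-01", "listening_services", p) for p in seq]
    # Hashes are tracked per sensor: identical content from another sensor is written.
    results.append(store.ingest("sensor-02", "listening_services", LISTENING_A))
    return results, store.writes

if __name__ == "__main__":
    print(replay())
```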
1.1.0 - April 2026
New features
Sensor IPv4/IPv6 addresses - The sensor now collects and reports the host's active IPv4 and IPv6 interface addresses. Addresses are displayed on the sensor detail page in Sensors and are available in the sensor summary API response.
Real-time process viewer (Telovix Top) - The Runtime Inspector now includes a live process viewer showing CPU percentage, memory usage, and user for all active processes on the sensor host. Updates on every heartbeat cycle.
User Tracking dashboard - A new dashboard widget shows active user sessions, shell activity, and privilege change events aggregated across the fleet. Useful for quickly identifying interactive access during incident response.
Fingerprint-to-policy promotion workflow - The behavioral fingerprint view now includes a guided workflow to promote an approved baseline directly into a Guardian Profile policy. Reduces the manual steps from observing a binary to protecting it.
Improvements
Kubernetes view rebuilt - The Kubernetes section has been rewritten with a new tab layout: Pods, Workloads, Services, Images, Network Policies, and Admission Decisions. All six tabs support CSV and JSON export. The Workloads tab shows rollout status for Deployments, StatefulSets, and DaemonSets.
Kubernetes cross-resource navigation - A global namespace selector now scopes all Kubernetes tabs simultaneously. The Service tab resolves Pod topology via label selector matching. Investigation links are preserved in the URL for sharing.
Dashboard Kubernetes widget - The K8s widget on the main dashboard now shows real cluster data: running pod count, unhealthy pod count, and a mini workload health breakdown sourced from sensor heartbeats.
Kubernetes YAML export - YAML export is now available for all Kubernetes resource types: Pod, Service, Deployment, StatefulSet, and DaemonSet. The export panel is accessible from any resource row in the Kubernetes view.
Runtime Inspector expanded - The Runtime Inspector now includes System, Listening, and Container tabs alongside the existing Process and Network tabs. The Red Flags tab surfaces unusual process activity without requiring a custom rule.
Simple/Advanced search - The event search bar now switches between Simple mode (keyword search across message and executable) and Advanced mode (structured field filters). Both modes support saved searches.
Loading and empty states - Skeleton rows, progress bars, and empty state messages have been added across all major Console views. Pages no longer show blank content while data loads.
Auto-refresh interval - The Kubernetes view now includes a configurable auto-refresh interval selector. Options range from 10 seconds to 5 minutes.
Kubernetes pod identity in events - Runtime events from Kubernetes pods now include pod name, namespace, workload type, and workload name. These fields are shown in event detail views and are filterable in the Events search.
Kubernetes cluster metadata header - The Kubernetes view now shows a cluster metadata header with cluster name, node count, and namespace count sourced from the latest sensor heartbeats.
Helm upgrade guidance - The sensor detail page for Kubernetes-deployed sensors now shows the exact `helm upgrade` command needed to update that sensor, pre-filled with the current values.
Bug fixes
- Fixed: missing event kinds in the heartbeat event kind whitelist caused some event types to be silently dropped before delivery to the Console.
- Fixed: sensor health state flickered between `watch` and `healthy` when heartbeats arrived at the boundary of the stale threshold. The degraded window now uses a helper that smooths the transition.
- Fixed: Pod YAML export fell back to incorrect data when `container_images` was empty; it now correctly falls back to sensor event history.
- Fixed: Kubernetes topology viewport position was lost during background data refreshes. Position is now preserved.
- Fixed: loading states were missing on several Kubernetes tabs, causing blank content to show briefly on page load.
- Fixed: YAML export for workloads fell back to sensor events correctly but showed stale data on refresh. Now invalidates and reloads on tab activation.
- Fixed: ApexCharts `Element not found` error when navigating directly to a tab URL that includes chart components.
- Fixed: `nc -zv localhost` commands in shell sessions were incorrectly scored as suspicious. Port health checks using netcat are now recognized as a known-good pattern and scored accordingly.
- Fixed: SSH root shell sessions with no commands executed were scored at full severity. Empty shell sessions now receive a 0.25 discount factor.
- Fixed: Duplicate shell sessions from the same PID were shown in the Sessions view after sensor restart.
- Fixed: Sensors enrolled from multiple Kubernetes clusters could create duplicate records when the cluster name was null. Deduplication now uses `node_name` and `cluster_name` together.
- Fixed: Session expired message was shown on the wrong login page in multi-tenant Portal setups.
- Fixed: Global 401 redirect now triggers the session-expired banner correctly across all Console views.
- Fixed: VField component rendering errors with VTextarea and VInput in certain layouts.
- Fixed: Teleport and Transition component crash when alert inbox mounted with null vnode.
1.0.0 - April 2026
Initial general availability release of Telovix Console and Sensor.
Console
- Fleet management with per-sensor health state, trust health, enforcement state, and policy pack assignment
- Alert Inbox with rule-based detection, severity classification, MITRE ATT&CK mapping, and AI-assisted triage
- Behavioral Analytics with per-binary process baselines, anomaly scoring, and suppression rules
- Attack Chain detection with seven built-in multi-stage patterns and 30-minute correlation windows
- Investigations for multi-alert case management with timeline, notes, and evidence linking
- Compliance reports for CIS Controls v8, NIS2 Directive, 3GPP TS 33.117, O-RAN WG11, and NIS2 Telecom
- Kubernetes Security view with pod inventory, security posture findings, admission webhook, and network policy visualization
- SBOM scanning via bundled scanner with CycloneDX export and private registry credential management
- Runtime Inspector for live process, network, and container snapshots from sensor heartbeats
- Process Tree and Investigate view with fleet correlation, behavioral fingerprints, and shell session history
- AI Assistant with 44 structured tools covering fleet, events, anomalies, compliance, Kubernetes, and telecom data
- SIEM forwarding to Splunk, Microsoft Sentinel, Elasticsearch, QRadar, Observe, Huntress, Sumo Logic, and Syslog
- Webhook notifications with Slack, Discord, Microsoft Teams, PagerDuty, OpsGenie, and TheHive formatting
- SSO via OpenID Connect (OIDC) with support for Microsoft Entra ID, Okta, and Google Workspace
- Role-based access control with five roles: admin, operator, sensor_owner, analyst, and viewer
- API keys with HMAC-SHA256 signed requests and per-key scope control
- Audit log with 51 action types, family-based filtering, CSV/JSON export, and compliance control coverage
- Red team exercises for O-RAN WG11 threat validation with 10 exercise types and detection latency measurement
- Sensor upgrade plans with rolling, canary, and immediate strategies
- Enrollment token management with one-time, cluster, and re-enrollment token types
- Federation support with standalone, regional, and central Console roles
- License validation offline using Ed25519 signature verification
Sensor
- eBPF event collection via embedded engine with no kernel module and no kernel patches required
- Supports Linux x86-64 and ARM64, kernel 5.4 or later, BTF required
- Standard flavor: process execution, network connections, file integrity monitoring, privilege changes, DNS, BPF tamper detection, kernel module monitoring
- Telecom flavor: all standard capabilities plus NGAP, PFCP, GTP-U, F1AP, E1AP, XnAP, E2AP, SCTP, Diameter, RADIUS, SIP, SBI/HTTP2, NAS5G, and M3UA protocol parsing
- Telecom flavor: 24 NF role types detected automatically from port binding, process name, binary path, and gRPC service signals
- Telecom flavor: per-NF SLO monitoring with breach detection, MTTR tracking, and suppression
- Telecom flavor: O-RAN WG11 checks for E2 peer verification, O1 management interface, O2 infrastructure, xApp/rApp security, CU/DU boundary, timing integrity, and management plane access
- Telecom flavor: TLS uprobe coverage for OpenSSL, GnuTLS, Go TLS, and BoringSSL with SBI compliance enforcement
- Telecom flavor: GTP-U visibility gap detection for AF_XDP, VFIO, and DPDK kernel bypass
- Policy pack delivery with Ed25519 signature verification per policy file
- Guardian Profiles with observe, audit, and enforce modes
- Custom detection rules via TracingPolicy YAML with kprobe, LSM hook, and uprobe support
- Enforcement rules with Signal (SIGKILL) and Override (kernel deny) action types
- Behavioral baselines from 14 days of event history with per-binary anomaly scoring
- On-disk event spool with 100,000-event buffer and automatic drain on reconnect
- mTLS enrollment with per-sensor client certificates, 30-day TTL, automatic proactive renewal
- Kubernetes DaemonSet deployment via Helm chart with init container, BPF map pin cleanup, and token rotation support
- Sensor upgrade managed from the Console with version staging, rollout plans, and canary wave support
Policy packs
- `o-du-baseline-observe` - O-RAN Distributed Unit baseline observation
- `o-du-fronthaul-observe` - O-DU fronthaul interface activity monitoring
- `o-du-process-guard` - O-DU execution path guard (enforcement-capable)
- `o-cu-baseline-observe` - O-RAN Central Unit baseline observation
- `o-cu-core-signaling-observe` - NGAP, F1-AP, and E1-AP signaling handler monitoring
- `o-cu-ims-session-observe` - IMS session activity on O-CU nodes
- `o-cu-signaling-observe` - O-CU signaling interface coverage
- `o-cloud-baseline-observe` - O-Cloud host baseline coverage
- `o-cloud-core-observe` - GTP user-plane, PFCP, and 5G Core control-plane monitoring
- `o-cloud-integrity-guard` - O-Cloud mutable path execution guard (enforcement-capable)
- `o-cloud-interconnect-observe` - O-Cloud interconnect and transport coverage
- `o-cloud-runtime-drift-observe` - Runtime drift detection: unexpected launches, novel connections, integrity indicators
- `generic-linux-observe` - General-purpose Linux baseline (development tier)
Upgrade notes
1.0.0 to 1.1.0
The Console and Sensor binaries are independently upgradeable. Sensors running 1.0.x continue to function with a 1.1.x Console; the new IPv4/IPv6 fields are populated automatically once sensors upgrade.
Telovix self-hosted: Update the Console binary using Settings > Updates or by replacing the binary and restarting the service. Stage new sensor binaries under sensor-binaries/ before creating an upgrade plan. See Upgrading Sensors for the full procedure.
Telovix Cloud: The Console is updated automatically. Sensor upgrades are coordinated by your Telovix Cloud administrator or triggered through the Console upgrade plans workflow.