Brim Versions

Zui is a powerful desktop application for exploring and working with data. The official front-end to the Zed lake.

v1.7.0

1 month ago

Visit the Brim Data download page to find the package for your platform.


  • Update Zed to v1.15.0
  • Update Brimcap to v1.7.0, which includes a new Zeek v6.2.0-brim1
  • For Zeek files events, the is_orig value is now used to determine the tx_host and rx_host values in the Correlation view (#3004)
  • The Zed service launched by Zui now attempts to compact stored data every 5 minutes (#3006)
  • Export Results has been enhanced to allow export to pools or the clipboard (paste buffer) (#2985, #3017)
  • Improve syntax error presentation by using the /compile endpoint of the Zed service rather than the JS Zed query parser (#2972, #3034)
  • Fix an issue where Zui's query editor would not load when running air-gapped (i.e., no Internet connection) (#3032)
  • Fix an issue where issuing the query yield typeof({}) produced a stack trace (#2996)
  • Fix an issue where issuing a new query while the stacked bar chart is loading triggered an error (#2996)
  • Fix an issue in dark mode where font colors made text invisible during pool renames (#3028)
  • Fix an issue where a large JSON object could not be loaded in Zui (#3026)
  • Fix an issue where hitting the Back button too many times could cause the loss of session history (#3041)

v1.6.0

3 months ago

Visit the Brim Data download page to find the package for your platform.


  • Update Zed to v1.13.0
  • Update Brimcap to v1.6.0, which includes a new Zeek v6.0.3-brim1
  • Update Electron dependency to 28.0.0 (#2934, #2953)
  • Enhance the Zui Installation docs to describe the new feature to control when the app is updated to newer releases (#2950)
  • Simplify how the termination of a spawned zed serve process is tied to the parent Zui process (#2956, #2957)
  • Add a dark mode and new designs for pins, toolbars, detail/history panes, and saving queries (#2895)
  • Adjust how Zui correlates new Zeek events in reaction to changes in Zeek's files events (#2981)
  • Fix an issue where repository links in Zui Insiders had been incorrectly pointing to the regular Zui repo (#2935)
  • Fix an issue where Zui incorrectly surfaced Brimcap errors as "Error: write EPIPE" or "Error: write EPIPE" instead of the detailed errors from pcap analyzers (#2955, #2991)
  • Fix an issue where very long pool names caused the Load Data and Query Pool buttons to disappear (#2993)

v1.5.0

5 months ago

Visit the Brim Data download page to find the package for your platform.


  • Update Zed to v1.12.0
  • Update Brimcap to v1.5.5
  • A new option in Settings now determines if checks for available Zui updates are performed at startup (default), at startup & daily, or manually (#2866)
  • Add functionality to load data from the paste buffer (#2928)
  • Add support for TSV load/export (#2916)
  • Fix an issue with Chromium binaries being created in temporary storage (#2917)
  • Fix an issue where the cursor position could become inaccurate while typing in the editor (#2922)

v1.4.1

6 months ago

Visit the Brim Data download page to find the package for your platform.


v1.4.0

6 months ago

Visit the Brim Data download page to find the package for your platform.


Preview & Load

It's now possible to preview and shape your data as you load it into a Zed lake with Zui. For details, check out the video at the Zui docs site.

Other Changes

  • Update Zed to v1.11.0
  • Update Brimcap to v1.5.3
  • Zui has a new Preview & Load workflow that allows for shaping data as it's loaded into a Zed lake (#2834, #2864)
  • Fix an issue where editing the "month" portion of a time range pin caused a crash (#2854)
  • Fix issues where null values were incorrectly rendered (#2875, #2876)
  • Use monospace fonts in more places (#2877)
  • Limit column width for large values and add grid lines in the table view (#2881)

v1.3.1

7 months ago

Visit the Brim Data download page to find the package for your platform.


  • Due to malware false positives, Windows releases no longer include a full initial set of Suricata rules (as always, up-to-date rules will be downloaded on first Internet-connected launch of Zui) (#2858)

v1.3.0

7 months ago

Visit the Brim Data download page to find the package for your platform.


Monaco Editor

The big change in this release is that Zui now uses the Monaco editor. This gives Zui a monospace font and basic syntax highlighting for easier editing of your Zed programs!

Other Changes

  • Update Zed to v1.10.0
  • Update Brimcap to v1.5.2
  • The Zui GitHub repo is now structured as a monorepo (#2818)
  • Fix an issue where a community_id field was incorrectly being treated as a prerequisite to activating the Packets button (#2830)
  • Zui now uses the Monaco editor, which provides a monospace font and minimal Zed syntax highlighting (#2824, #2836)
  • Fix an issue where invoking the -version option on the bundled zed and brimcap binaries was producing incorrect output (#2841)
  • Upgrade Electron dependency to 22.3.25 (#2848)

v1.2.0

9 months ago

Visit the Brim Data download page to find the package for your platform.


Improved Tabs

This change is relevant for users that have additional Zed lake connections besides the one to the default lake that starts behind Zui. Each time you switch connections, Zui now updates the tabs so that only the ones for the currently selected lake are shown.

Generalized Stacked Bar Chart

If you're familiar with Zui's history, you may know that its stacked bar chart was based on Zeek-style data such that it was hard-coded to expect a time field called ts that would provide data for its X-axis and a field called _path that was subject to count() by to make the colored segments in the bars. With this release the chart is now generalized so that:

  • Any time field can be specified (and if you've configured a pool key other than ts, it will start out using that)
  • count() by typeof(this) now populates the stacked bars by default, but you can change this to use any other field
  • If a pool is created from an imported pcap, ts and _path are used by default as before
  • You can also now toggle the chart off/on and resize it

For an example of the new behavior in action, this video uses the prs.zng GitHub test data from the zq tutorial. This has a time field called created_at so we use it as our pool key, then after observing the bars with the default count() by typeof(this) we change the Color Field setting to login.user so we can see stacked bars based on who opened Pull Requests. Try it yourself!

Other Changes

  • Update Zed to v1.9.0
  • Update Brimcap to v1.5.1
  • The stacked bar chart is now generalized for any time-based data (not just Zeek-like with _path & ts fields) (#2785, #2794, #2805)
  • The stacked bar chart is now resizable and can be toggled off/on (#2806, #2810)
  • A single Zui window now shows tabs only for the currently selected Zed lake connection (#2797)
  • Fix an issue where attempting to save a Zed query that contained a parse error caused a stack dump (#2803)
  • Fix an issue where a table of results was sometimes rendered with blank rows (#2813)
  • Fix an issue where comments at the end of a Zed program caused the queries that populate the stacked bar chart to fail (#2822)

v1.1.0

11 months ago

Visit the Brim Data download page to find the package for your platform.


  • Update Zed to v1.8.0
  • Update Brimcap to v1.5.0
  • Restore "alert" tiles for Suricata events (#2740)
  • Fix an issue where use of Chinese and other wide characters caused errors during data import (#2744)
  • Fix an issue where Zui would sometimes launch without a main window (#2743)
  • Shift+Enter now also runs queries when the Run Query on Enter preference is unchecked (#2764)
  • Fix an issue where selecting Reset State from the pull-down menu was having no effect (#2767)

v1.0.1

1 year ago

Visit the Brim Data download page to find the package for your platform.


  • Update Zed to v1.7.0
  • Update Brimcap to v1.4.1, which fixes issue #2715 with per-machine installs on Windows