New
- Dashboard Visualizations: You can now visualize your log data using the new donut chart, helping you spot trends and anomalies at a glance.
- Extended Sentinel One EDR ingestion support: Sentinel One EDR can now ingest activities and device control events, providing additional context to your log data.
Improved
- When creating a custom detection rule from a Log Search query, you can now access the creation panel as an overlay within the same tab, providing a seamless transition between both experiences. Other recent enhancements to detection rules include:
- You can now use LEQL variables when writing rules or creating exceptions.
- For custom detection rules with a Rule Action of Creates Investigation, alerts are now grouped by the same keys in the detection rule conditions, allowing analysts to triage more effectively.
- We raised the number of custom detection rules to 30 per organization.
- We have converted Carbon Black Cloud from a parser to a processor, which allows for third-party support in the future.
- We have improved our legacy event code parsing support for Active Directory.
- When reviewing search results in Log Search, you can now scroll vertically to automatically collapse the search bar to analyze your data. The sharing actions and log view settings menu are accessible within the header to support the export of results or changing the display options.
Fixed
- We fixed an issue where users were unable to automatically configure event sources.
- We fixed an issue where the User Details page was displaying information for only the first VPN asset a user was associated with.
- We fixed an issue where Duo Security's previous event version, known as classic events, were not being parsed when they were sent by the Duo API.
- We fixed an issue where Watchguard XTM was not parsing some firewall events.
- We fixed an issue where Azure was incorrectly attributing users.
- We fixed an issue in the LDAP data source collection to handle situations where the LDAP groupType attribute is null.
- We fixed an issue where alerts were being generated for Palo Alto Cortex XDR when the Alert Type was Under Investigation, rather than New.
- We fixed an issue where the Active Directory event source wasn't able to capture some errors that occurred.
- We fixed an issue where the Code42 event source plugin type didn't match the user interface.
- We fixed an issue that prevented the MicroTik event source from being configured unless encryption/TLS was enabled.
- We fixed an issue that prevented the Windows Log Monitor data source from sending all captured events.
- We fixed an issue that caused the Mimecast data source to produce a code 200 response instead of the appropriate error handling.
- We fixed an issue that improves how the Generic Windows Event Log data source handles sessions, allowing for more consistent polling behavior.
- We fixed an issue that prevented fields in Duo Security auth events from appearing in the parsed data.
- We fixed an issue where the Log Search context menu did not append
predicated
to the query, depending on spaces between thewhere
clause and opening bracket of the query. - We fixed an issue that prompted users to refine log selections unnecessarily when using the query action menu in Log Search to create a custom detection rule.
- We fixed an issue regarding Sentinel One's polling interval time, reducing it to 5 minutes.