Dec 19, 2023

New

  • Quarantine assets and users faster with Response Actions: InsightConnect-powered containment automations are now available for use in InsightIDR. With Response Actions you can:
    • Disable users with Active Directory.
    • Quarantine assets with the Rapid7 Insight Agent and the following third-party agents: CrowdStrike Falcon, Microsoft Windows Defender, SentinelOne, and VMware Carbon Black Cloud.
  • Reference log data more easily in Investigations: When viewing an alert’s details in an investigation, the Alert Details panel now includes a View Log Entry button, which you can click to view the log entry associated with the alert. The log entry displays in a new panel with the appropriate time range selected. In this panel, you can search logs in more detail and add log data to the investigation, enabling you to research alerts without leaving the investigation.
  • Custom Detection Rules is now in General Availability: Customize your detection coverage by writing rules specific to your security needs. Read the documentation and FAQs to get started.

Improved

  • We have removed the JWT authentication option when you create a new Zoom event source. You must use server-to-server OAuth authentication.
  • We have improved our Box data source by adding better pagination logic, reducing the duplication of events, and creating more robust error handling. You can expect to see an increase in the number of logs collected in Box.
  • We have updated the Active Directory and Generic Windows event sources, including:
    • Improved parsing for Snare format
    • Improved parsing for XML format
    • Improved parsing for CEF format
    • Improved parsing for Splunk format
    • Reduced the time it takes to parse
    • Refactored the datasource to better handle capturing events
  • We have updated the throttling limit for legacy detection rules. The number of investigations created by legacy rules is now restricted to 50 investigations per legacy rule in every 5-minute window.
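To make the throttling behaviour concrete, the following is an added example (not InsightIDR code) that models the limit described above as a fixed-window counter keyed by rule id: at most 50 investigations per legacy rule in each 5-minute window, with alerts beyond the cap suppressed until the next window starts. The class and function names, the window alignment to 5-minute boundaries, and the sample alert stream are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Defaults match the stated limit: 50 investigations per legacy rule per 5-minute window.
DEFAULT_LIMIT = 50
DEFAULT_WINDOW = timedelta(minutes=5)


@dataclass
class LegacyRuleThrottle:
    """Fixed-window throttle keyed by rule id (assumed model of the product's limit)."""
    limit: int = DEFAULT_LIMIT
    window: timedelta = DEFAULT_WINDOW
    # rule_id -> (start of the current window, investigations created in it)
    _state: dict = field(default_factory=dict)

    def window_start(self, ts: datetime) -> datetime:
        """Align ts down to the start of its fixed window (UTC)."""
        secs = self.window.total_seconds()
        epoch = ts.timestamp()
        return datetime.fromtimestamp(epoch - (epoch % secs), tz=timezone.utc)

    def allow(self, rule_id: str, ts: datetime) -> bool:
        """Return True if an investigation may be created for this rule at time ts."""
        start = self.window_start(ts)
        prev_start, count = self._state.get(rule_id, (None, 0))
        if prev_start != start:
            count = 0                    # a new window starts: reset the counter
        if count >= self.limit:
            self._state[rule_id] = (start, count)
            return False                 # over the cap: this alert is suppressed
        self._state[rule_id] = (start, count + 1)
        return True


def apply_throttle(events, throttle=None):
    """Replay (rule_id, timestamp) events and return per-rule created/suppressed counts."""
    throttle = throttle or LegacyRuleThrottle()
    summary = {}
    for rule_id, ts in events:
        bucket = summary.setdefault(rule_id, {"created": 0, "suppressed": 0})
        bucket["created" if throttle.allow(rule_id, ts) else "suppressed"] += 1
    return summary


def constructed_events():
    """Constructed sample stream: rule A fires 60 times in one window and 5 times in the
    next window; rule B fires 10 times. Not real alert data."""
    t0 = datetime(2023, 12, 19, 10, 0, tzinfo=timezone.utc)
    events = [("legacy-rule-A", t0 + timedelta(seconds=i)) for i in range(60)]
    events += [("legacy-rule-B", t0 + timedelta(seconds=i)) for i in range(10)]
    events += [("legacy-rule-A", t0 + timedelta(minutes=5, seconds=i)) for i in range(5)]
    return events


if __name__ == "__main__":
    # Expected: legacy-rule-A created 55 / suppressed 10, legacy-rule-B created 10 / suppressed 0
    for rule, counts in apply_throttle(constructed_events()).items():
        print(rule, counts)
```

With the constructed stream, rule A's 51st to 60th alerts in the first window are suppressed, the counter resets at 10:05:00 and its next 5 alerts create investigations again, while rule B is unaffected because the cap is per rule. A defender tuning noisy legacy rules can use the "suppressed" count as a signal that a rule needs tightening rather than relying on the throttle alone.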

Fixed

  • We now ignore ZeroFox combolist leaks, as they are composed of other leaks and cause duplicate investigations in InsightIDR.
  • We now support more AWS regions for the AWS CloudTrail event source.
  • We added logic that allows for a period in syslog data headers when Microsoft DNS logs are parsed.
  • We fixed an issue where the cursor on the Log Search query bar was unexpectedly jumping positions. You can now build and update queries without this issue.
  • We added logic for the AWS Security Lake and AWS fabric event sources to check whether the source_ip key contains an internal IP address, so that Ingress Authentication documents are not produced for internal IP addresses.
  • We fixed an issue where the rows in a CSV file did not match the order of Log Search query results if you had manually reordered your data. You can now rearrange rows in your query results, and that order of keys will be respected when you export results to CSV.
  • We fixed an issue where the key or value in Log Search that triggered the context menu did not remain highlighted in your search results. You can now view where contextual options are being applied when navigating through the context menu options.