Jan 31, 2024

New

  • Find potential threats faster with expanded dashboard cards: You can now expand a dashboard card to view additional log data associated with that card. This log data appears in a table underneath the card so that you can quickly scan the related logs for anomalies. This gives you quick and easy access to context that you would otherwise have to pivot to Log Search to view.
  • Simplified Cloud Threat Alerts in InsightIDR: You can now get context faster when assessing alerts during an investigation. Simplified Cloud Alerts takes what was previously a large JSON object and converts it to a human-readable format that lets you quickly view an Alert Overview, Impacted Resources, Remediation Scripts & Queries, as well as the original JSON.
  • Custom Role Creation: If you are a platform administrator, you can now specify granular access control over features and permission levels for product capabilities. We’ve also added a new “read only” permission for the Collector to allow team members to validate that event sources are in good health without the ability to perform more administrative actions, such as removing or editing an existing configuration.

Improved

  • We now display the latest time the Insight Agent was viewed on the Asset Details page.
  • We updated the Endpoint Query forms to reduce the number of clicks that are required to fill them out.
  • The "Add" link on the Event Sources page now shows all event sources of that type.
  • We updated the language in the product to be clearer about the distinction between an "Alert" and an "Investigation".
  • We added information to the cloud event source setup experience to describe why you might want to leverage a cloud event source.
  • We improved the parsing for Code42 events.
  • We improved parsing for Cisco Meraki Cloud VPN events.
  • Microsoft IIS events that contain an empty XFF (x-forwarded-for) address now fall back to the source address if it’s valid.
  • We have improved the Code42 event source query parameters and introduced deduplication logic. Customers can expect Code42 Alert events to be sent to InsightIDR.
  • We added logic to validate the source_ip address and check whether it is internal, so that Ingress Authentication documents are not produced for internal source addresses.
  • Windows Event codes that do not contain field data will no longer log warnings, as they do not indicate any problem with event parsing.
  • We have improved the Google Apps event source by updating the code to a modern format, improving deduplication of events, and creating more robust error handling. Customers can expect to no longer see duplicate events from the Google Apps API.
  • We created a new Splunk event format to improve parsing of Splunk logs for the Generic Windows/Active Directory processor.
  • We improved the error message that appears when archiving to Amazon S3.
  • We updated the empty state for the Entries Exports page of Log Search settings to provide more context and help.
  • We've added additional third-party reputation data to enhance the detection capabilities of our Ingress From Threat Legacy UBA detection rule.
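As an added illustration (not Rapid7's code) of two parsing behaviours described above, the X-Forwarded-For fallback for IIS events and the internal source_ip check that suppresses Ingress Authentication documents. The sample log lines, the W3C field order and the set of address ranges treated as internal are constructed assumptions for this example.

```python
import ipaddress

# Constructed sample IIS W3C log lines (not real data); "-" is how IIS records an empty field.
SAMPLE_IIS_LOGS = """#Fields: date time c-ip cs-method cs-uri-stem X-Forwarded-For
2024-01-31 10:00:01 203.0.113.7 GET /login -
2024-01-31 10:00:02 10.1.2.3 GET /login 198.51.100.9
2024-01-31 10:00:03 10.1.2.3 GET /login not-an-ip
2024-01-31 10:00:04 172.16.5.5 POST /login -
"""

# Address ranges treated as internal (an assumption for this illustration).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",               # IPv6 ULA, link-local, loopback
)]

def parse_ip(value: str):
    """Return the normalised address if value is a valid IPv4/IPv6 literal, else None."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

def effective_source_ip(c_ip: str, xff: str):
    """First valid XFF entry; if XFF is empty ("-") or invalid, fall back to c-ip when valid."""
    for candidate in xff.split(","):  # XFF may carry a comma-separated proxy chain
        if candidate.strip() in ("", "-"):
            continue
        ip = parse_ip(candidate)
        if ip:
            return ip
    return parse_ip(c_ip)

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)

def ingress_events(log_text: str) -> list:
    """Emit an ingress record only for external sources; internal or unparseable ones yield none."""
    events = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, c_ip, _method, uri, xff = line.split(maxsplit=5)
        src = effective_source_ip(c_ip, xff)
        if src is None or is_internal(src):
            continue
        events.append({"time": f"{date} {time}", "source_ip": src, "uri": uri})
    return events
```

Because X-Forwarded-For is supplied by whatever sits in front of the server, the fallback to c-ip only helps when XFF is empty or malformed; which proxies are trusted to set it is a deployment decision outside this example.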

Fixed

  • We fixed an issue where the help documentation link for setting up an event source did not always appear in the same place in the UI.
  • We removed the "File Events" checkbox from the Code42 event source. That feature is no longer supported.
  • We fixed an issue where the View Details button in Investigation Details didn't open the relevant information panel when clicked.
  • We fixed an issue that caused trailing spaces in values to be removed from a query when using the context menu in Log Search.