Mar 12, 2025
4.0.15

The following changes have since been reverted. Refer to the note from March 13, 2025 for more details.

Improved

  • Linux and macOS Process Start events collected by the Insight Agent now include the Current working directory field. Windows Process Start events collected from Insight Agents with the Events Monitor component include the Import hash and Current working directory fields.
  • Windows Event Log payloads now include a data.eventData (or data.userData) field corresponding to the EventData (or UserData) element of the Windows event. This allows users to query or write detection rules on the named key/value pairs of a Windows event (the Data elements that populate its insertionStrings) instead of relying on string position alone.
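The following is an added example, not Rapid7 code, showing what the EventData/UserData flattening described above buys a rule author: named Data elements become a dictionary you can key into, while unnamed Data elements survive only as a positional list. The field names data.eventData, data.userData and insertionStrings follow the release note; the two sample events, the provider in the UserData sample and the detection rule are constructed for illustration and are not taken from a real capture or from the product's rule language.

```python
"""Flatten Windows event XML into named key/value pairs.

Added example (not Rapid7 code). The output layout data.eventData /
data.userData mirrors the release note; sample events and the rule
below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a Security 4688-style event using named <Data> elements.
SAMPLE_EVENTDATA = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4688</EventID>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
  </EventData>
</Event>"""

# Constructed sample: a provider that logs through UserData instead.
# "Example-Provider" and its fields are invented for this example.
SAMPLE_USERDATA = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Example-Provider"/>
    <EventID>1000</EventID>
  </System>
  <UserData>
    <ExampleData xmlns="urn:example:constructed">
      <TargetPath>C:\Users\alice\Downloads\tool.exe</TargetPath>
      <Status>0</Status>
    </ExampleData>
  </UserData>
</Event>"""


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def parse_windows_event(xml_text: str) -> dict:
    """Return {"data": {...}} with eventData, userData and/or insertionStrings.

    EventData: <Data Name="X">v</Data> children become eventData[X] = v.
    Unnamed <Data> children (classic providers) only yield a positional
    insertionStrings list, which is all a rule could match on without names.
    UserData: one provider-specific wrapper element whose children are fields.
    """
    root = ET.fromstring(xml_text)
    payload = {"data": {}}
    for child in root:
        section = _local(child.tag)
        if section == "EventData":
            named, positional = {}, []
            for data in child:
                if _local(data.tag) != "Data":
                    continue
                value = (data.text or "").strip()
                key = data.get("Name")  # attribute carries no namespace
                if key:
                    named[key] = value
                else:
                    positional.append(value)
            if named:
                payload["data"]["eventData"] = named
            if positional:
                payload["data"]["insertionStrings"] = positional
        elif section == "UserData":
            fields = {}
            for wrapper in child:
                for field in wrapper:
                    fields[_local(field.tag)] = (field.text or "").strip()
            payload["data"]["userData"] = fields
    return payload


def rule_cmd_with_switch(payload: dict) -> bool:
    """Constructed detection rule: cmd.exe launched with a /c command string.

    Keys by field name, so the rule is unaffected by insertion-string order.
    """
    ev = payload.get("data", {}).get("eventData", {})
    proc = ev.get("NewProcessName", "").lower()
    cmdline = ev.get("CommandLine", "").lower()
    return proc.endswith("\\cmd.exe") and " /c " in cmdline


if __name__ == "__main__":
    for sample in (SAMPLE_EVENTDATA, SAMPLE_USERDATA):
        flat = parse_windows_event(sample)
        print(flat, "->", rule_cmd_with_switch(flat))
```

Note that the rule deliberately reads NewProcessName and CommandLine by name; a rule written against positional insertion strings breaks as soon as a provider inserts or reorders a field, which is the practical reason named pairs matter for custom detections.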

Fixed

  • The Insight Agent's file information job will no longer exceed memory limitations when reading large filesystems.
    • Note: This change has since been reverted. See the release notes for product version 4.0.15.31 for details.
  • We fixed a bug that caused the Insight Agent to sometimes take over a minute to stop if the Insight Agent also had a pending metrics update.
  • We restored key/value pairs in Windows Events that were removed in a previous release so that custom detection rules will work as expected.
  • We reduced the likelihood that the Insight Agent's real-time monitoring process will be shut down unnecessarily on macOS 15 assets with low memory resources.
  • We fixed an issue that caused the Insight Agent logs to incorrectly report that a process failed to terminate, despite the process terminating successfully.
  • We added support for an updated add_user auditd event schema used in some newer Linux distributions. The Insight Agent's real-time monitoring job no longer fails to parse events that use the new schema.