New
- Google Cloud Platform Event Source: We’ve added support for Google Cloud Platform, which you can use to parse alert types as Cloud Services and Ingress Authentication events. Check out the documentation.
- New LEQL IN function: We added a new function that lets you search through long lists of values without writing long OR chains. For example, instead of writing where(a=v1 OR a=v2 OR a=v3 OR a=v4 OR a=v5), you can now use where(a IN [v1,v2,v3,v4,v5]).
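The equivalence between the two forms, as an added example that is not part of the release notes or Rapid7's own code: a small matcher for this LEQL subset (single-field where() clauses with an OR chain or an IN list) that rewrites an OR chain into the IN form and shows both select the same constructed events. Field and value names are assumptions; it only handles plain, unquoted values.

```python
import re

# Constructed sample events, not real data from the page.
EVENTS = [
    {"user": "alice", "action": "login"},
    {"user": "bob", "action": "logout"},
    {"user": "carol", "action": "login"},
    {"user": "dave", "action": "login"},
]


def parse_where(query):
    """Parse where(...) into (field, set_of_values).

    Accepts the OR-chain form where(a=v1 OR a=v2) and the IN form
    where(a IN [v1,v2]). Raises ValueError for anything else, including an
    OR chain that mixes fields, which IN cannot replace.
    """
    m = re.fullmatch(r"\s*where\((.*)\)\s*", query)
    if not m:
        raise ValueError("expected where(...)")
    body = m.group(1).strip()
    in_match = re.fullmatch(r"(\w+)\s+IN\s+\[([^\]]*)\]", body)
    if in_match:
        values = {v.strip() for v in in_match.group(2).split(",") if v.strip()}
        return in_match.group(1), values
    field, values = None, set()
    for term in re.split(r"\s+OR\s+", body):
        key, sep, value = term.partition("=")
        if not sep:
            raise ValueError(f"bad term: {term!r}")
        key = key.strip()
        if field is None:
            field = key
        elif key != field:
            raise ValueError("IN only replaces an OR chain over a single field")
        values.add(value.strip())
    return field, values


def to_in_form(query):
    """Rewrite an OR chain (or IN clause) into the canonical IN form."""
    field, values = parse_where(query)
    return f"where({field} IN [{','.join(sorted(values))}])"


def select(query, events):
    """Return the events, in input order, that match the where() clause."""
    field, values = parse_where(query)
    return [e for e in events if e.get(field) in values]
```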
Improved
- Cisco Meraki IDS logs: We have added support for IDS type logs lines from Cisco Meraki. If you have this event source configured, you will now get these types of documents automatically.
- Checkpoint VPN login log lines: We added support for an alternative format of Checkpoint VPN login log lines which will produce Ingress Authentication documents.
- PUT Operation for logs and log sets: We created an API that allows you to avoid creating two logs or log sets if one already exists with the same name and token.
- Azure Security Center 3rd Party Alerts: The Azure event source now supports continuous export of Azure Security Center data in addition to currently supported activity log data. InsightIDR generates 3rd party alerts for both log formats. You do not need to update your configuration or data source to get these changes.
- CrowdStrike 3rd Party Alerts: We have updated the CrowdStrike integration to reduce unnecessary alerts. We now generate a 3rd party alert only when we receive a DetectionSummaryEvent from CrowdStrike. Supplementary updates to the event will not generate additional 3rd party alerts, but will still be available in log search as unparsed events.
Fixed
- Site administrator actions from SharePoint will no longer cause associated users to be tagged as Office 365 admins. These actions are now classed as ordinary cloud service activity instead of cloud service admin activity.
- We fixed an issue so that the correct document type is generated for Cisco IDS.
- We fixed an issue on the Asset Details page where not all the tables displayed complete data when you clicked “More”.
- We improved the IP Addresses page and the IP Addresses table on the Asset Details page so columns now sort correctly.
- The Mimecast event source can now handle errors generated by devices that sit between the collector and Mimecast APIs.
- Cisco Umbrella and Amazon GuardDuty socket closed exceptions have been significantly reduced.
- In Enhanced Endpoint Telemetry, we fixed the field name for parent process environment variables to be parent_val. Previously it was incorrectly set as parentVal.
- We fixed an issue where, when a user changed their password in Okta, Cloud Activity Admin events were raised from the log to flag the change in InsightIDR, which resulted in those users being flagged as Admins. Password reset events now create Cloud Activity Events instead. If any of your users have been unintentionally flagged by InsightIDR, contact support.