Apr 01, 2021

New

  • ‘Unspecified’ Ingress Activity: We added a new "Unspecified" label to the Ingress Locations map. Now, when an event source doesn't provide enough information for InsightIDR to determine whether an authentication attempt succeeded or failed, we classify it as "Unspecified," providing you with a more accurate view of ingress activity.

Improved

  • User Watchlist: We updated the User Watchlist page so you can now search, filter, and bulk apply actions for risky users.
  • Multiple Country Authentication: We have added the ability to configure Multi-Country Authentication alerts if you don't have LDAP event sources.
  • Event Indicator: We have updated the attacker behaviour notable event entries to include the name of the indicator for the event, since those events are included in the investigation timeline.
  • LEQL Search: We have added the ability to search for values within arrays without having to specify an index.
  • Query Builder: We have enhanced the design of the query builder so that it adapts to all screen sizes.

Fixed

  • We fixed an issue with the Salesforce event source where an error code was being displayed without the associated error message.
  • We fixed an issue with Microsoft SQL Database Audit Logs where error messages were not displayed when exception errors occurred.
  • Web Proxy documents are now produced for Cisco FTD logs that contain a URL with no top-level domain. This will reduce the number of firewall documents produced for Cisco FTD and increase the number of Web Proxy documents produced.
  • We fixed an issue where the Cybereason data source wasn’t resetting the number of events processed at the end of each run. Processed events will now reset at the beginning of a run.
  • OneLogin event sources now have their default subdomain set correctly when they're created.
  • We fixed an issue where logs were not being mapped to their associated service. As a result, some logs that previously did not produce attributed documents will now do so. This fix has been applied to the following event sources:
    • F5Ltm
    • Idaptive
    • Centrify
    • SophosXG
    • TrendMicroApex
    • TrendMicroDeepSecurity