New
- Event Sources: We’ve added a new feature to improve the experience when you rename an event source. Here’s what you should know:
- When you rename an event source, we now rename the corresponding logs in log search to match the new name of the event source.
- If there is already a log in log search with the name of this event source (typically from another collector), we will map the event source to that log if the old log is no longer being used. Otherwise, we will create a new log with the new event source name instead. Any custom alerts or dashboards will need to be updated in this case to point to the new log.
Improved
- Data Collection: We renamed Data Collection to Data Collection Health in the top menu bar.
- Duo Security Event Source: We added additional support for Duo Security events!
- InsightIDR now generates Third Party Alerts for events with the "User marked fraud" label.
- We also support the collection of all Duo Security event types. To take advantage of this, select the Send Unparsed Data option in the Event Source setup panel.
- Entry Inspector: You can now copy a link to an individual log line for easy sharing and more efficient investigation and analysis.
- Incident Emails with Potentially Malicious URLs: Potentially malicious URLs are rewritten to ensure that they do not display as clickable links in the Investigation email you receive. For example, http://bad.link.com/hack becomes hXXp://bad[.]link[.]com/hack.
- InsightIDR Search Bar: Underscore and percent characters in typeahead searches are now treated as literals instead of wildcard characters.
- Investigations Timeline: When an ABA Notable Behavior appears on an Investigation timeline, we also display the Indicator for the event.
- Network Sensor Health: We made some improvements to give you better visibility into the health of your network sensors:
- View the number of deployed network sensors in your environment and errors related to your network sensors on the Data Collection Health page.
- Network sensor errors are now rolled into the Data Collection Issues KPI on the InsightIDR Home page and in the Data Collection Health menu item in the top menu bar.
Fixed
- We resolved an issue where honeypots occasionally generated false positive alerts in response to DNS queries the honeypot system made itself.
- We fixed a bug in the Event Source Setup Panel where the Data Export Type for some event sources was set incorrectly.
- The Cybereason event source now generates third party alerts based on malopLastUpdateTime to ensure that InsightIDR displays Malicious Operations events that were updated in Cybereason after initial creation date.
- We resolved an issue where the AWS SQS event source would quietly fail for an extended period without producing an error message.
- We improved the accuracy of the user attribution algorithm to reduce misattribution rates for Salesforce event source.
- We fixed an issue where the Investigation and Asset Details pages would display an asset as “Quarantined” or “Applying Quarantine" when the Agent failed to quarantine the asset. Now, when a quarantine fails, the investigation will return Quarantine Failed, and the Asset Details page will switch the asset quarantine toggle from “Applying Quarantine…” to “Unquarantined.”