May 27, 2021

New

  • Support for Exchange and SharePoint audit logs in Microsoft Azure event source: The audit logs for these applications now parse into the Cloud Service Activity and Cloud Service Admin Activity log sets when ingested using the Microsoft Azure event source.

Improved

  • The Exploits page has a new design: We have redesigned the Exploits page in Assets & Endpoints to improve performance and readability.

  • New styling for IP Addresses tables: We updated the IP Addresses page and the IP Addresses table on the Asset Details page. Now columns are correctly sorted, and the style matches the other updated InsightIDR tables.

  • SharePoint admins are now classified as Cloud Service Activity: SharePoint admins used to get flagged as full Office 365 admins. Now, site admin actions from SharePoint are tagged as ordinary Cloud Service Activity.

Fixed

  • The option to delete unused IPs is now visible when a tombstone error occurs.

  • We removed the expectation of producing ingress documents for F5 LTM. Originally, F5 LTM was expected to produce ingress authentication documents, but we identified that its loglines are incapable of doing so because they always contain an internal IP address. As these loglines were never actually producing ingress documents, we have removed the ingress parsing functionality for them.

  • We have aligned the severity of IDS events with the current Check Point documentation. For example, Check Point Severity 2 is mapped to MEDIUM Severity.

  • You will now receive web proxy alerts from DNSQuery loglines instead of firewall alerts. The DNSQuery has been added to extract the top-level domain and domain of the URL. The protocol scheme can be generated and prepended to the DNSQuery value, and the result assigned to the url rawfield, based on the destination port in the raw event.

  • The Trend Micro Deep Security IDS/IPS module events will be parsed into IDS events, and will no longer produce asset authentication events.