Aug 02, 2021

New

  • Auth0 Event Source: We have added Auth0 as a new event source! It can be found in the “Cloud Service” category. You can leverage Auth0 logs in IDR to provide further insight into your environment. IDR will also parse cloud service activity logs from the new event source. Check out the documentation.
  • Changes to Import/Export Archive Settings: We've created a new section within Settings to encompass all Log Search configurations moving forward.
    • You can now find Import and Export Archive under Settings > Log Search as Cold Storage Logs and Entries Exports.
    • You'll also notice we moved Automatic Log Structuring and S3 Archiving under Settings > Log Search.
  • Subscription Management: For customers with an InsightIDR Advanced or Ultimate subscription, we introduced a new Subscription Management page. This page provides you with visibility into your licensing information including what Insight products are included with your license, and when you're up for renewal. You can access it by selecting Account Settings > Subscription Management in the top navigation menu.

Improved

Customer Requested
  • Alerts: You now have more control when configuring your custom alert notifications! If you have compliance or security concerns, you can choose to send only the matching log line or entirely suppress any log information being sent as a notification (for example, an email or Slack message). The matching log line and its context are still included by default.
  • Language Update: We made some changes to add clarity and align with our inclusive language standards.
    • We renamed the "Alert Triggers" tab on the Automation page to "UBA Alert Triggers", to provide more clarity on what kinds of alerts are being configured.
    • We updated the copy when closing investigations, changing "whitelist" to "allowlist" and “blacklist” to “denylist” to align with our inclusive language guidelines.
  • Dark Theme Updates: We added dark theme support to the Auto Configure section of InsightIDR. To access this page, click Data Collection > Add Event Source > Auto Configure.
  • Detection Logic: We enhanced our detection logic so we can more accurately determine whenever an account that is a part of a privileged LDAP group performs an ingress action. This provides you with improved visibility into where and how privileged users are logging in.
  • LEQL Search Queries: We added new LEQL syntax, 12 new keywords, and operators that make it easier for you to write detailed queries and search for log events in case-sensitive and case-insensitive ways. For example, CONTAINS-ANY and ICONTAINS-ANY return log events where the values contain any of the substrings in the list. Read more: https://docs.rapid7.com/insightidr/use-a-search-language/#comparison-operators
  • Office365 Event Source: OAuth sign-ins are now reported based on the error code value within the logs.
  • VitalQIP: We added file tailing and directory watching as collection methods to the VitalQIP event source.
  • Zscaler NSS Event Source: We have improved the attribution of web proxy events from Zscaler NSS. Now, more web proxy documents will be attributed to users in your environment, even if no assets can be matched.
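To make the CONTAINS-ANY / ICONTAINS-ANY distinction concrete, here is an added Python illustration of the matching semantics the LEQL item describes (a value matches if it contains any substring in the list; the I-prefixed form ignores case). It is not LEQL and not Rapid7's implementation; the JSON-shaped sample log lines and the field name `action` are constructed for the example.

```python
import json

# Constructed sample events shaped like JSON log lines (not from the release notes).
SAMPLE_LOGS = [
    '{"user": "alice", "action": "login", "src_ip": "10.0.0.5"}',
    '{"user": "bob", "action": "Logout", "src_ip": "10.0.0.9"}',
    '{"user": "carol", "action": "LOGIN", "src_ip": "192.168.1.3"}',
    '{"user": "dave", "action": "password_change", "src_ip": "10.0.0.7"}',
]


def contains_any(value: str, substrings, case_insensitive: bool = False) -> bool:
    """Return True if value contains at least one of the substrings.

    case_insensitive=False models the CONTAINS-ANY behaviour described above;
    case_insensitive=True models ICONTAINS-ANY. For the insensitive form both
    the value and every substring are lower-cased, so the result does not
    depend on how the source system happened to capitalise the field.
    """
    if case_insensitive:
        value = value.lower()
        substrings = [s.lower() for s in substrings]
    return any(s in value for s in substrings)


def search(lines, key: str, substrings, case_insensitive: bool = False):
    """Return the parsed events whose `key` field satisfies contains_any.

    Lines that are not valid JSON, lack the key, or hold a non-string value
    are skipped rather than raising, so one malformed line does not abort
    the whole search.
    """
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        value = event.get(key)
        if not isinstance(value, str):
            continue
        if contains_any(value, substrings, case_insensitive):
            hits.append(event)
    return hits


def matching_users(lines, key: str, substrings, case_insensitive: bool = False):
    """Convenience wrapper: the `user` field of each matching event, in order."""
    return [event["user"] for event in search(lines, key, substrings, case_insensitive)]


if __name__ == "__main__":
    needles = ["login", "logout"]
    print("CONTAINS-ANY :", matching_users(SAMPLE_LOGS, "action", needles))
    print("ICONTAINS-ANY:", matching_users(SAMPLE_LOGS, "action", needles, case_insensitive=True))
```

With the sample above, the case-sensitive search only returns alice, while the case-insensitive form also picks up bob's "Logout" and carol's "LOGIN". That gap is the practical reason to reach for the I-prefixed operator when a detection must not miss events just because one source logs the field in a different case.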

Fixed

  • We have fixed an issue where VectraNetworks log lines with the CEF_V2 header format were not being parsed, adding support for V2 of the CEF log format.
  • We have added support to correctly parse FortiGate DPD log line events, which represent VPN termination activity.