Sep 08, 202120210908


  • A unified Alert Settings experience: Previously known as Alert Settings and now called Detection Rules, you can access this new, unified experience with expanded ABA tuning capability directly from the left menu.
    • We added new customization options to our Attacker Behavior Analtyics detection rules so you can tune them to fit your organization’s needs:
    • We relocated everything from Alert Settings to the new Detection Rules page. To find Custom Alerts, Alert Modifications, and Attacker Behavior Analytics and User Behavior Analytics detection rules, go to the InsightIDR left menu and click Detection Rules.
  • Terminology Updates: When we released our new Detection Rules experience, we also made some shifts in the terminology:
    • User Behavior Analytics Rules
      • Previously, you could modify rule behaviors. Now, you modify rule actions.
      • The 3 rule behavior options, Alert, Notable Behavior and Disabled, have been replaced by the following rule action options: Creates Investigations, Tracks Notable Events and Off.
    • Attacker Behavior Analytics Rules
      • Previously, you could only switch the rule "State" OFF and ON. Now you can configure the rule action using the same options as UBA rules: Creates Investigations, Tracks Notable Events, and Off.
      • Previously, you used Alert Modifications to allowlist a user or asset. Now, you create exceptions for trusted users and assets. We also converted all Alert Modifications made for Attacker Behavior Analytics detection rules to exceptions.
  • Event Source Health Monitoring: We released new functionality so you have visibility into the health of your event source data. You can now review visualizations of your data, view the percentage of parsed and unparsed data over time, and understand how parsing works for a given event source. Check out the documentation
  • Global Dashboard Filtering: We released dashboard filtering, giving you another level of flexibility to find insights within your dashboard. You can now filter your dashboard to focus on a particular user, asset, or IP Address. Create a filter using a LEQL query, or by typing the text you’re searching for in the Search bar. Check out the documentation
  • LEQL updates: We added triple quotes syntax in LEQL so you can search for strings with various combinations of quotes in them. Simply surround your search string with triple, single, or double-quotes. For example:
    • where("don't stop "the thing" /y")
    • where('''don't stop "the thing" /y''')


  • Search results in Log Search: We added an option to lock the query bar and timeline chart in place so you can scroll through your search results while maintaining friction-free access to your query for context or edits.
  • Table view in Log Search:
    • We added the new LEQL operators to Table view in Log Search. When searching by column values, you can now leverage the new comparison operators like contains and starts-with via the dropdown menu. See for the updated list of LEQL operators
    • We added the ability to persist row highlighting in Log Search Table View. You can now select the row that interests you and easily track it while horizontally scrolling left or right on the log event.
  • Settings menu: We reordered the InsightIDR Settings menu to reflect a more logical grouping of items.


  • We fixed a few missing translation strings related to first-time admin activity messages in Investigations.
  • We fixed a bug where a non-JSON response body failed to parse, causing an exception.
  • We updated our logic to parse 'report suspicious activity by enduser' events as Third Party Alerts.
  • We fixed a bug where log lines with gateway-hip-check were not parsing.