New
- Additional ABA Detection Rule Functionality: The following updates only apply to our ABA detection rules.
- You can now view detection rule logic written in Log Entry Query Language (LEQL). Go to the Rule Logic tab of any ABA detection rule for enhanced visibility into how InsightIDR generates a detection. Check out the documentation.
- You can now edit the exceptions you make to detection rules. We have added the additional operators Contains and Starts-With, as well as case-insensitive matching, to give you more flexibility when writing exceptions.
- You can now use an escape character helper when creating exceptions. The helper spots escape characters, which are often copied along with values from the evidence panel, and gives you the option to remove them. In some cases, removing them is all that is needed to get an exception working, which makes exceptions easier to write.
- Comprehensive MITRE ATT&CK Mapping Views: Whether you're in Detection Rules or Investigations, you can view how an ABA detection rule maps to tactics and techniques defined by the MITRE ATT&CK Framework.
- You can see this mapping on the Detection Rules page when you click the new MITRE ATT&CK Matrix tab. This view allows you to better understand your threat coverage and attack surface to more effectively investigate, prioritize and remediate threats.
- You can also find an in-context view of rules mapped to MITRE ATT&CK within an Investigation. On the Investigation Timeline, find the detection rule that created the investigation and click Evidence > MITRE ATT&CK tab to see information on associated tactics and techniques.
- 526 New Attacker Behavior Analytics Process and Command Line Detection Rules: These detection rules have been expertly vetted and tuned by our Rapid7 Threat Intelligence team. They cover a wide range of attacker tactics but generally focus on process and command line activity across Windows, macOS, and Linux. While these new detection rules help provide deeper detection coverage across your digital landscape, they may also create an unexpected increase in investigations as a result of this release. You can tune ABA Detection Rules from an investigation or from the Detection Rules page.
Improved
- Log Line Labels for Pattern Detection Alerts: We improved how labels are applied to log lines for Pattern Detection Alerts. Previously, labels were only applied when events were ingested into InsightIDR. Now, they are automatically applied to all matching log events. This provides you with improved visibility into suspicious patterns that emerge in historical events that are tagged in Log Search.
- Log Search: We made it easier to search for fields with nested keys. Previously, you had to use additional LEQL syntax to check that a nested key was present in a log event. With this release, we added a Presence Check for nested keys, so you no longer need different syntax when searching for them. Take this log event as an example:
{"obj":{"fld1":{"fld2":"val"}}}
- Previously, to check for the presence of the nested key, you had to enter
where(obj.fld1.fld2 = /.*/)
- Now, you just need to enter
where(obj.fld1.fld2)
- Dark Theme: The Admin Activity Tables page is now dark theme compatible!
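The nested-key presence check above is easiest to understand against a handful of events where the key is present but empty, present but null, or missing at an intermediate level. The following is an added example, not InsightIDR or LEQL code: it models the two LEQL predicates over constructed JSON log events so you can see where they agree and where they may differ. The function names, the sample events and the treatment of null and non-string values under the regex comparison are assumptions of this illustration, not documented LEQL behaviour.

```python
"""Model of the LEQL nested-key presence check described in these release notes.

Added example, not InsightIDR or LEQL code. It shows what "the key path
obj.fld1.fld2 is present" means over JSON events and how that differs from
matching the value against the regex /.*/.
"""
import json
import re
from typing import Any

# Constructed sample log events (not real InsightIDR data).
SAMPLE_EVENTS = [
    '{"obj":{"fld1":{"fld2":"val"}}}',   # key present, non-empty string
    '{"obj":{"fld1":{"fld2":""}}}',      # key present, empty string
    '{"obj":{"fld1":{"fld2":null}}}',    # key present, null value
    '{"obj":{"fld1":{"fld2":42}}}',      # key present, numeric value
    '{"obj":{"fld1":{}}}',               # leaf key absent
    '{"obj":{"fld1":"not-an-object"}}',  # intermediate key is a scalar
    '{"other":1}',                       # top-level key absent
]

_MISSING = object()  # sentinel: distinguishes "absent" from a present null


def resolve_path(event: dict, dotted: str) -> Any:
    """Walk a dotted key path such as 'obj.fld1.fld2' through a parsed event.

    Returns _MISSING when any segment is absent or an intermediate value is not
    an object; otherwise returns the value found (which may be None).
    """
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return _MISSING
        cur = cur[part]
    return cur


def key_present(event: dict, dotted: str) -> bool:
    """Model of where(obj.fld1.fld2): true whenever the key path resolves."""
    return resolve_path(event, dotted) is not _MISSING


def value_matches_any(event: dict, dotted: str) -> bool:
    """Model of where(obj.fld1.fld2 = /.*/).

    /.*/ matches any string, including the empty string, so every present
    string value matches. How LEQL treats null or non-string values under a
    regex comparison is not stated on the page; this model (an assumption)
    treats them as non-matching, which is where the two checks can diverge.
    """
    value = resolve_path(event, dotted)
    if value is _MISSING or not isinstance(value, str):
        return False
    return re.fullmatch(r".*", value) is not None


def filter_events(raw_events, predicate, dotted="obj.fld1.fld2"):
    """Return indices of the raw JSON lines for which predicate(event, dotted) holds."""
    return [i for i, line in enumerate(raw_events) if predicate(json.loads(line), dotted)]


if __name__ == "__main__":
    print("presence  :", filter_events(SAMPLE_EVENTS, key_present))
    print("regex /.*/:", filter_events(SAMPLE_EVENTS, value_matches_any))
```

Running the block shows the presence check selecting events 0 to 3 (the key resolves, whatever its value), while the regex form selects only the two string-valued events under this model. The practical point when migrating saved queries is that `where(obj.fld1.fld2)` asks about the key, not the value, so confirm that is the question your search was meant to ask before swapping the syntax.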
Fixed
- The Entry Inspector now supports triple quotes syntax in LEQL. When building a query with the Entry Inspector, you no longer need to manually add regex to your query in the Search bar. Just open the Entry Inspector, and point-and-click to add fields to your query. The Entry Inspector will automatically wrap triple quotes around the applicable value to match the exact string when running the search.
- We fixed the issue of missing text in the detection rules section of the UBA page.
- We fixed an issue where the Monitor Health button was appearing on displayed cards in the Event Source create peek panel.
- We fixed an issue with Cisco Umbrella event source timestamps. Timestamps are now recorded in UTC, so new investigations generated from those alerts have the correct time.