Nov 01, 202120211101

Coming soon

  • Reimagined Investigations and Prioritized Detection Rules: We began rolling out updates to both Investigations and Detection Rules this month. Over the next few weeks, you can expect to see a revamped Investigations experience and a new Priority field that allows you to configure the priority level of your detection rules and investigations. You will receive an in-product notification when these changes are rolled out in your environment. For a preview of the changes, check out this webinar and read the Investigations and Detection Rules documentation.


Customer Requested
  • Copy investigation evidence to exception rules: The new Copy to Exception button allows you to more easily create exceptions for ABA detection rules. When viewing investigation evidence for ABA rules, you can just click ‘Copy to Exception’ button, which will copy the evidence, redirect you to the rule exception peek panel, and automatically populate Match Data in the exception panel.


  • Investigations Details page: The “Add Raw Logs” peek panel has been resized to 90 percent of the available browser width. We did this to ensure longer log lines no longer get cut off, to ensure you don’t miss any information. We have also moved the scroll bar for longer log lines upwards, for clearer visibility.
  • InsightIDR Essential Subscription: We have added a "Disabled Account Attempted Authentications" card onto the InsightIDR Essential homepage, to ensure you have quick access to cards we believe will be most useful to you!
  • Log line attribution: For Palo Alto Networks Firewall & VPN, Proofpoint Targeted Attack Protection, and Fortinet Firewall event sources, you now can choose from 4 attribution source options. This gives you greater tuning ability, so you can optimize your attribution rates. To read about the four options check out the documentation.
  • AWS S3 Data Source: We have made changes so that the AWS S3 Data Source is more resilient and resource-efficient, even when there are a large number of logs in your S3 Bucket.
  • Mixed quote support: We have added support for when you use the ‘query this pattern’ option after highlighting selected Log Search results. Triple quotes now automatically wrap around values that contain mixed quotes. You can select a pattern to query without needing to develop regular expressions for a mixed quote query.


  • We fixed a bug that affected the Endpoint Monitor, which prevented you from adding new ranges to Scan Agents.
  • We fixed an issue where you couldn't view the threat details for Community Defined Threats.
  • We have fixed an issue where Azure Self Service password reset would show the status as 'Unknown' if the operation failed. Now, the true ‘Failure’ status is shown.
  • We fixed a broken link in the Evidence panel for Account Leak Details alerts. You can now view a list of leaked accounts, and will no longer see an error.
  • We fixed a bug in the User Behavior Analytics tab, where text was missing for Third Party alerts from the Sophos Event Source.
  • Invalid user fields from Office 365 created users in InsightIDR that were not real. To prevent this, we have added a backend user filter.
  • Logs with invalid URL values will now appear within Log Search, if you select to send Unparsed Data when setting up the Event Source. However, they will not produce alert documents.
  • We have fixed an issue where the wrong user was being parsed from incoming emails from Office 365 exchange.
  • We fixed an issue with the ATP event source, which caused duplicate events to be ingested into InsightIDR. This change cuts down unnecessary investigation time.
  • We fixed a bug where the Salesforce Event Source was not reporting errors. To resolve this, we added an exception handler with an appropriate error message.