Dec 01, 202120211201


  • InsightIDR Asset Page Updates: We have introduced additional data elements and visuals to the Assets page. This delivers greater context for investigations and enables faster troubleshooting, as assets and user information is in one location. All customers have access to:

    • Top IDS events triggered by asset
    • Top DNS queries

    For customers with Insight Network Sensors and ENTA, these additional elements are available:

    • Top Applications
    • Countries by Asset Location
    • Top Destination IP Addresses
    • Top Destination IP Addresses
  • Priority for UBA Detection Rules: You can now set a Rule Priority level for User Behavior Analytics detection rules. The Rule Priority is applied to investigations created by the rule, helping you to sort and filter your investigations by criticality.


  • Extended GovCloud support: We added GovCloud support for all event sources that collect data from S3 buckets, giving you more storage options.
  • Exporting an investigation via PDF: PDF Exporter now uses the native browser print modal, making the process faster and more reliable.
  • Microsoft Azure Event Source: We have added user first and last names to your log data, helping to provide additional detail and clarity.
  • Windows Management Instrumentation event sources: We extended our character support in event collections, improving error handling and reporting. For example, we now support umlauts characters.
  • Improved search performance in Log Search: The following have improved search performance speeds, helping you find specific values in Log Search faster:
    • Calculate (count) and (bytes) queries with an empty where clause can now expect a 10x performance speed increase.
    • Queries that match a few events within the data being searched can now expect a 2.5x performance speed increase. For example, where (hostname) calculate (count) may match thousands of events over time range with millions of events.
    • Regular expressions with named capture groups can now expect increased search performance speeds, provided the named group is not referenced as part of the where clause. For example, "where(/(?P\d{3})/) groupby(year)".


  • We fixed an issue where Platform admins with read/write permissions could view the entire InsightIDR settings menu but only could access Log Search settings.
  • We fixed an issue where the Event Source Health page wasn’t resizing to fit smaller browsers.
  • We fixed an issue where inline help information wasn’t available in the SQS event source help panel.
  • We fixed an issue where queries in Log Search did not run when a URL containing a statistical search was clicked.
  • We fixed an issue where the header and logline information in Darktrace alerts were unreadable. We fixed this issue by ensuring both the logline and header were in JSON format.
  • We fixed an issue where the Proofpoint event source would not produce WebProxy documents for ClicksPermitted events which were not malware.
  • We fixed an issue where the Carbon Black event source generated alerts with ‘unassigned’ user details. We have added a method to check if the account value is ‘unassigned’, if so, the field is removed from the alert.
  • We fixed an issue where the Kaspersky event source couldn't parse loglines in French. Loglines are also no longer generating false alerts.
  • We fixed an issue with the groupby table view in Log Search, which caused long values to overflow. All the information now should be aligned in the same view.
  • We fixed an issue where typing in the Log Search query bar was causing unnecessary performance demands on the browser. Enjoy a smoother, more responsive experience again when entering queries.