Feb 28, 202220220228


  • Amazon GuardDuty detections are now available in our Attacker Behavior Analytics (ABA) detection rules: AWS GuardDuty detections have migrated from User Behavior Analytics (UBA) to Attacker Behavior Analytics (ABA). This recategorization increases your ability to customize and fine-tune your rules. You can now set rule actions, tune rule priorities, and add an exception on an individual GuardDuty detection rule.
  • Syntax highlighting in Log Search: Syntax highlighting applies different colors and text formatting to the distinct components of a LEQL query. This aims to improve the overall readability and help you to easily identify errors within your queries.
  • Note count in Investigation Management: We have reintroduced the note count back into our Investigations management experience. This allows you to track the status of ongoing collaboration on an investigation at a glance, which saves time, manual effort and allows teams to maintain even stronger alignment during the investigation.
  • Compliance dashboard additions: We have added three new dashboards for CIS, one of the most common security frameworks. These new dashboards can save you time because you won’t need to build them out yourself. Our new dashboards cover:
    • CIS Control 5: Account Management
    • CIS Control 9: Email and Web browser Protections
    • CIS Control 10: Malware Defense
  • Cato Networks event source improvements: Cato Networks event source released to GA with suggested improvements from the early access period.


  • Insight Network Sensor updates: We have made several performance updates to allow for easier deployments and better error handling. This should help to ensure that you have full visibility of important sensor health metrics so that they can optimize sensors for your environments.

  • The User Details - Ingress Locations page update: We now show the last 28 days' worth of ingresses instead of the last 7.

  • Copy updates: We updated the copy for cloud event sources to make it more clear about where attribution comes from.

  • Authentication graph color updates: We adjusted the colors on the recent authentications graphs to make them more readable in dark theme.

  • Simplified process for modifying and closing investigations: We're now linking to Detection Rules when modifying and closing investigations. Previously, we linked to Settings. This update helps you avoid an extra click!

  • Additional event source support: These products now support using both the IDR engine and the event log when attributing assets and accounts:

    • Checkpoint Firewall 1
    • Cisco ACS
    • Cisco FireSIGHT
    • Cisco Firepower
    • Cisco ISE
    • McAfee Web Gateway
    • McAfee Web Reporter
    • Mimecast
    • Netskope
    • Sophos UTM
    • Sourcefire 3D
    • Symantec Endpoint Protection
    • Trend Micro Apex One
  • Reformat IndicatorOccurrence descriptions: Timestamps in investigation timelines are now formatted more consistently.

  • Replace ZScaler parser with Processor: ZScaler parser in event-parser has been removed and replaced with a Processor in doc-normalizer-service.

  • Cisco Umbrella parsing: The Cisco Umbrella parser has been refactored to help add any additional versions and the extractor for both proxy versions have been implemented. The customer can now parse both v5 and v6 loglines into Web proxy documents.


  • We fixed an issue with descriptions for empty charts on the Asset Details page not rendering correctly.
  • We fixed a bug that was preventing the Copy to Exception button in investigation evidence from working.
  • We fixed a bug that prevented you from selecting multiple alert types when creating an alert trigger.
  • We fixed a bug that was preventing tooltips from showing up on some pages.
  • We fixed a bug that was causing an unneeded dialogue to show up on the Network Policy settings page.
  • We fixed an issue where certain loglines would cause high doc-normalizer CPU usage.