Mar 30, 202220220330


  • Integration with Threat Command by Rapid7’s threat intelligence platform (TIP) Threat Library: We have integrated our Attacker Behavior Analytics (ABA) detection engine with Threat Command’s Threat Library intelligence. As a result, all InsightIDR and MDR customers have access to broader detections and new threat groups, with around 400 new ABA detection rules, powered by thousands of new IOCs. We also added or updated 138 threat actors in our library to bring the total number of threat actors we monitor to 169. You can view all detections that are “Powered By Threat Command” in the Detection Management view.
  • Bulk close investigations: You can now bulk close investigations in Investigation Details, and we have brought back the ability for you to bulk close investigations in Investigation Management. You will no longer need to individually close investigations, making investigation management more efficient.
  • Edit InsightConnect workflows from InsightIDR: You can now edit InsightConnect workflows from InsightIDR by clicking the new Edit in InsightConnect button. Clicking on the link redirects you to InsightConnect where you can edit the selected workflows. To use this feature, you must have an InsightConnect license.
  • Parsing for log types in ZScaler Cloud: We have added parsing support for DNS and Firewall logs. You can now add a new Zscaler-NSS event source for each of these additional log types and their logs will be parsed into relevant documents where possible.
  • New HTTP API Endpoint: A new HTTP API endpoint allows you to retrieve a list of event sources and discover what entities are generating your logs. This new API endpoint provides you with greater visibility into where your alerts are originating.
  • Anomalous Data Transfer (ADT) open preview program: Starting April 4, you will be able to opt-in to the open preview. Please contact your CSM for more details. Once enabled, you will be able to see ADT alerts directly within InsightIDR and use Detection Rule Management to add exceptions. ADT is a new type of detection rule that identifies data exfiltration attempts on a network and outputs alerts for easier monitoring of data transfers and unusual behavior. To use ADT, you will need either of the following:
    • Enhanced Network Traffic Analysis
    • InsightIDR Ultimate package
  • Increase to the Network Sensor's IDS ruleset: The Insight Network Sensor ships with a default set of Intrusion Detection System (IDS) rules to alert when the sensor detects potentially malicious network activity within your network. This ruleset is curated by our internal threat intel team to ensure a low false positive rate. We have released a 6X increase to the IDS Network Sensor’s ruleset; this brings the number of detections up to 4,575 from approximately 750. Each rule can be tuned individually and exceptions can be added. You can view IDS rules in the Detection Management view by using the Network Sensor Rules filter. If you have an Insight Network Sensor deployed, your sensors will receive the updated ruleset automatically.


  • Improved Running Processes path name format: Long path names are now word-wrapped when you view running processes on an asset.
  • Improved dark theme compatibility: Colors for the free trial countdown timer have been altered to make it more readable in dark theme.
  • Renamed fields for collecting API keys for Carbon Black Cloud: Configuration fields for Carbon Black Cloud (previously known as Carbon Black Defense) event sources have been renamed to align better with the Carbon Black documentation.
  • Deactived time out for investigation bulk close: If you are closing investigations across a long time range, the bulk close action in Investigation Details no longer times out.
  • Improved Palo Alto Firewall parsing: Palo Alto Firewall parsing now handles invalid values in URLs.
  • Improved Auth0 parsing: We have added support for generating Ingress Authentication Docs.
  • Updated managed log deletion: You can now permanently delete logs generated by inactive sources using the Log Selector. With this update, you can remove logs after the associated collector, event source, or network sensor has been uninstalled. If you previously activated Platform Audit Logging, a record of the deletion will be logged.
  • InsightVM/Nexpose and InsightIDR integration rewrite: The InsightVM data source suffered from frequent timeouts causing many issues. We have completely rewritten the integration to identify better ways to source the required data, which corrects the lack of vulnerabilities being reported in InsightIDR.
  • Custom Alerts now supports LEQL: You can now use LEQL to write Custom Alert queries as you would when searching in Log Search or creating dashboards. This update simplifies Custom Alert creation, readability, and maintenance by reducing the need to use complex regex.


  • We fixed an issue with descriptions for empty charts on the Asset Details page not rendering correctly.
  • We fixed a bug that was preventing the Copy to Exception button in investigation evidence from working.
  • We fixed a bug that prevented you from selecting multiple alert types when creating an alert trigger.
  • We fixed a bug that was preventing tooltips from showing up on some pages.
  • We fixed a bug that was causing an unneeded dialogue to show up on the Network Policy settings page.
  • We fixed an issue where certain loglines would cause high doc-normalizer CPU usage.