Jun 29, 202220220629


  • New Relative Activity for ABA detection rules: We’ve included a Relative Activity Score column in the ABA Detection Rules tab that visually represents how much activity a rule has in the context of your environment. Relative Activity is a score between 1-1000 that is given to each detection rule and is calculated on a rolling 24-hour period. The score is based on how often the Rule Logic matches data in your environment based on certain parameters.
  • New public APIs to automate your investigations experience: You can now build automations to quickly triage investigations, so you can focus on your most critical alerts. If you use third-party tools to service your case management and reporting needs, you can use one of these new APIs to extract more extensive investigation data and feed the data into your tools for a better understanding of your investigations.
  • New on-demand data archiving: You can now archive historical log data in a single process. You can define a time range (as far back as your retention limit allows) and send data to your own Amazon S3 bucket. Historical archiving is useful when you haven’t set up daily archiving, and you want to archive all data at once. Find out more about historical archiving in our documentation.


  • Asynchronous bulk close for investigations: You can now close multiple investigations over an expansive time range without worrying about APIs timing out.
  • Updated Investigation Details menu: We changed the menu copy in Investigation Details from Close all investigations of this type in this date range to Bulk Close.
  • New priority colors for UBA alerts: The priority settings dropdown for UBA alerts now includes colors for each priority to not only increase readability, but align with other priority scales throughout InsightIDR.
  • Improved Log Search load time and UI: Log Search’s table view will now only load the data that is visible on the page, increasing performance. With new sticky column headers, data context remains visible while you explore your tables. These two updates provide a more seamless log data viewing experience.
  • Updated SophosUtmParser mapping: The SophosUTM Parser will now map the FIREWALL_STATUS based on the action field from your SophosUTM logs; this maps to FirewallConnectionStatus.ACCEPT or FirewallConnectionStatus.DENY.
  • Updated Microsoft Defender ATP alertID population: We were previously unable to provide an alertID for Microsoft Defender ATP alerts that did not have the alertID field. We are now able to populate the alertID field for all Microsoft Defender ATP alerts.
  • Improved extraction of Azure sign-in error codes: Previously, we did not support some specific Azure sign-in error codes. We have added support for these error codes and can now accurately produce the relevant documents.
  • Added BitDefender parsing: We have added support for events with a module value of uc and events with a module value of av. uc events will be parsed as Web proxy documents, and av events will be parsed as virus infection documents.
  • Updated OneLogin parsing: Certain OneLogin events can now generate CloudServiceActivity documents due to the addition of the CloudServiceActivityGenerator class. Additionally, the OneLogin classes were refactored to reduce the use of Optionals as argument parameters.
  • Endpoint Scan feature updates: We added copy and updated the user experience for the Endpoint Scan feature to help explain why using the Insight Agent is preferred.
  • Updated Log Search viewing permissions: We updated how Log Search is presented when a user does not have permission to view or edit logs. Previously, it would display the Log Search left navigation bar and fail to load when an unauthorized user attempted to use the page. Instead of this error state, Log Search will only appear for authorized users - meaning it will no longer be visible for other users (inline with how other sections within InsightIDR are handled).
  • Added support for IPv6 addresses: Previously, IPv6 addresses were not being parsed correctly. We have added support for IPv6 addresses to result in fewer unparsed events.
  • Updated transport protocol for the McAfee Firewall event source: Transport protocol was not being recorded in the event parser for the McAfee Firewall event source. Collection for these fields has been added so that transport protocol is recorded and appears in the created documents.


  • We fixed an issue where customers who purchased an InsightOne package were missing some product features.
  • We fixed an issue with ZScaler events, which caused some date formats to be parsed incorrectly.
  • We fixed an issue that caused Infloblox Data Connector logs to parse incorrectly.
  • We fixed an issue with VPN/Ingress event parsing. VPN documents are now extracting the correct values. The Cato Networks event source is now generating Ingress Authentication documents.
  • We fixed an issue with Barracuda SSL VPN parsing that caused some potentially useful login events not to be parsed. Now, both VPN session initiates/terminates events and non-VPN session logins will be parsed.
  • We fixed an issue processing data from the SophosXG, CheckPoint Firewall, Forcepoint Firewall, and McAfee Web Gateway event sources. A method has been implemented in the parser to handle epoch timestamps, malformed URLs, and invalid hostnames with more reliability.
  • We fixed an issue that was preventing customers from closing investigations.
  • We fixed an issue that was preventing customers from bulk closing investigations when they selected the Not Applicable disposition.
  • We fixed an issue that was allowing Managed Detection and Response customers to create new Endpoint Scan ranges. Managed Detection and Response customers must use the Insight Agent to monitor their endpoints.
  • We fixed an issue where the Delete Log option was not available on the Log Selector Menu when permissioned with Role Based Access Controls.
  • We fixed an issue where clicking key suggestion in the Log Search query bar did not apply the selection.
  • We fixed an issue by adding provider tests for the McAfee Firewall event source.
  • We fixed an issue where the Duo data source did not correctly persist dateTime data resulting in duplicate logs and inaccurate log fetching.
  • We fixed an issue with the Fortinet Fortigate and SonicWALL Firewall and VPN event source’s event parsers to strengthen the parser and reduce errors leading to payload giveups.
  • We fixed an issue where InsightIDR was not extracting and verifying URLs as expected when parsing logs.