Jul 29, 202220220729


  • ABA Automation: You can now trigger an InsightConnect automation workflow to run every time a detection occurs for an Attacker Behavior Analytics (ABA) detection rule. To use ABA automation, you’ll need either of the following:
    • InsightIDR Advanced package with an InsightConnect license
    • InsightIDR Ultimate package
  • Anomalous Data Transfer: We’ve added a new Attacker Behavior Analytics (ABA) detection rule called Anomalous Data Transfer (ADT) that uses the Insight Network Sensor to identify large transfers of data sent by assets on a network. ADT outputs data exfiltration alerts which make it easier for you to monitor transfer activity and identify unusual behavior. View and customize this rule by visiting Detection Rules and searching for Network Flow - Anomalous Data Transfer.
  • Comments and Attachments: We've added the ability for all users to add comments and upload and download attachments, both in the Investigation Details screen in the UI, and through the API.


  • Cylance Protect Cloud Event Source: The Cylance Protect Cloud event source can now parse threats on devices from the Cylance Protect Threat API.
  • Sophos UTM Event Source: InsightIDR now supports parsing of failed authentication attempts from Sophos UTM.
  • Windows and Active Directory Parsing: We have improved the performance of the parsing engine for the Generic Windows and Active Directory event sources, resulting in an increased parsing rate for those event sources.
  • Terminology and in-app guidance:
    • User Details: We changed the “Notable Behaviors” chart title to “Notable Behaviors and Alerts" to more accurately reflect the data it displays. Additionally, accounts listed on the User Details page now display field-specific guidance when you hover over the name.
    • Endpoint Scan: We added detailed in-app guidance to clarify the difference between the Endpoint Scan and the Insight Agent and help you choose the best option in any given use case.


  • We fixed an issue that was causing the event source creation flow to show an empty peek panel.
  • We fixed an issue that caused the User Details page to print with incomplete data.
  • We fixed an issue that allowed customers to deploy event sources to unregistered collectors.
  • We adjusted colors to make Anomalous Data Transfer evidence more readable in dark theme.
  • We fixed an issue that was causing the Credential Management page in Settings to ignore search terms after you deleted a credential.
  • We fixed an issue within the Okta event source, which was causing administrator users to have incorrect accounts associated with them in InsightIDR.
  • On the Domain controller page, the labels on the toggle for Settings were updated to Yes and No to match the page copy.
  • We fixed an issue that was preventing customers from bulk closing investigations when they selected the Not Applicable disposition.
  • InsightIDR no longer creates users from unsuccessful login attempts from Okta event source.
  • Metadata for individual investigations now displays in a consistent order.
  • We fixed a bug that prevented Azure Admin Activity events from appearing on the User Details page.