Aug 31, 2022


  • 360° XDR with InsightIDR + Threat Command: With Threat Command and InsightIDR together, unlock a complete view of your external and internal attack surface with Rapid7. You can now view Threat Command alerts alongside their broader detection set in InsightIDR:

    • Prioritize and investigate Threat Command alerts: Use InsightIDR’s investigation management capabilities and seamlessly pivot back to Threat Command to remediate the threat or ask an analyst for help.

    • Tune Threat Command detection rules directly in InsightIDR: adjust the rule action, set the rule priority, and add exceptions.

License Requirement

To use this integration, you’ll need a Threat Command license.

  • Exception Preview for ABA detection rules: Exceptions allow you to refine the behavior of ABA detection rules for specific users, assets, IP addresses, and more. When adding an exception, you can now click the Preview button to view whether your exception logic would have affected recent payloads that were generated by the detection rule. Exception Preview can help you determine if your exception will behave as expected, or if further tuning is needed.

  • Maintenance Notification: We added the ability to show in-product notifications while in maintenance windows, so you never miss a notification.


  • Endpoint data details: The Registry Key fields' Recursion Depth and Keys inputs can now be empty when querying for registry information as part of an investigation. You will no longer have to manually specify which keys you want to collect.

  • Visibility into Unknown IP addresses: The Unknown IP Addresses settings page now lists only individual IP addresses instead of ranges, so you can quickly identify the IP addresses that require your attention.

  • Improved parsing for Scadafence: We have made improvements to our parsing of Scadafence logs, allowing us to gather more accurate and better-enriched data from the event source.

  • Improved parsing for Sophos Central: Previously, the syslog key-value format was not supported for parsing Sophos Central logs. This support has been added, so that if you send your data in this format you will now see higher parse rates.

  • Investigation Details Table Action Buttons: To improve the legibility of your investigation details, investigation actions in table view are now displayed as a dropdown menu (rather than buttons).

  • Syntax highlighting: Syntax highlighting helps you to recognize when your LEQL filter or query might be missing a component or if it's written incorrectly. It is now available in the following areas:

    • The Dashboard filter
    • The Dashboard card builder
    • The forms for creating and editing custom alerts
    • In Investigation Details, in the query bar of the panel that opens when you click Explore Contextual Data -> Search Logs


  • We fixed an issue that was causing user names to show up as "undefined" when viewing Alert Modifications.
  • We fixed an issue that was preventing you from seeing Tombstone errors on the Data Collection Health page.
  • We fixed an issue that caused incorrect data to show up on the User Details page when switching between two users.
  • We fixed an issue that prevented you from adding new Endpoint Scan ranges.
  • We fixed an issue that was preventing links to InsightConnect from reloading the page navigation.
  • We fixed an issue that prevented CheckPoint Ingress Authentication logs from being parsed in CEF format.
  • We fixed a defect where the Rapid7 Universal Ingress logs were being parsed from logs containing an internal source IP address.
  • We fixed an issue causing Azure "failed" admin events to generate admin activity. These events will no longer appear in ‘cloudServiceAdminActivity’ documents.