Sep 30, 202220220930


  • New logs in the Endpoint Activity log set: We have added new logs to Log Search for Local Service Creation and Netbios Poisoning. The Local Service Creation log will contain any new services that are installed on an asset, for example, PowerShell. Netbios Poisoning will contain any time protocol poisoning that is seen on an asset. These logs will be visible to any customer who has Enhanced Endpoint Telemetry (EET), such Managed Detection and Response (MDR), InsightIDR Ultimate, and customers with the InsightIDR EET Add-on.


  • Maintenance Notifications: You are now able to see in-product notifications while maintenance is being done in InsightIDR. The new notifications will provide you with information about the service’s maintenance status.
  • Assets now recognized as actors: Lateral Movement - Administrator Impersonation investigations now include the assets that are involved as actors. This improvement will provide more details about the asset that the authentication occurred on, which can be used as evidence.
  • Updated Last Endpoint Monitoring Errors card: Within Assets and Endpoints, we improved the logic of the card to display only when you have endpoint scan errors. Because of this improvement, we have renamed the card Latest Endpoint Scan Errors.
  • Additional support for Azure Active Directory admin activity: We added support for displaying Azure Active Directory administrator activity on the User Details page. This improvement means you can now view this activity in User Details and related pages.


  • We fixed an issue that was preventing usernames from showing up when running workflows on an investigation.
  • We fixed an issue that was causing the string "undefined" to show up on the Data Collection Health page.
  • We fixed an issue that was preventing workflows from running on investigations if they contained multiple users with the same name.
  • We fixed the capitalization on the navigation menu hover labels to improve consistency.
  • We fixed an issue that was causing Salesforce event sources to stop working after they were edited.
  • We fixed issues where some URLs and Common Event Format (CEF) headers were being read incorrectly. You should now see an increase in parsed logs.