Nov 30, 2022

New

  • Cisco Meraki Cloud API Support: You already have the ability to ingest Cisco Meraki events through a Syslog integration, however smaller security teams may not have the bandwidth to continually set up and manage multiple event sources. To reduce this pressure, we have added support to ingest Cisco Meraki events through the Cisco Meraki API. This enables you to deploy and add new event sources with less management.

  • Rename Collectors and honeypots: Previously, you could not rename a Collector or Honeypot without entering the database through a developer. We have added the ability to edit the name of Collectors and honeypots directly in the user interface.

Improved

  • Addition to Log Search's groupby function: We have simplified the process of reducing the volume of results returned with groupby. When viewing groupby results, some data is more interesting based on its frequency. You can now use the having clause to reduce the set of groups displayed when using the groupby function. For example, where(login != success) groupby(user) HAVING(count > 10) will only show the user groups with more than ten unsuccessful login events. This functionality helps you prioritize investigations by giving you control over what is visualized in dashboard cards or log search results.
  • UI updates for Investigation Details: We altered the layout of headings on the Investigation Details page to provide more vertical space. We also improved the PDF printing experience for Investigation Details to hide parts of the UI that aren’t pertinent to the investigation's details.
  • Support for additional box.com events: To provide you with more visibility, InsightIDR now supports all box.com event types. These events are now available in Log Search, and parsing support for these events will be added in a future release.
  • Improved parsing for Active Directory: We improved parsing of insertion strings for WMI-collected Active Directory events.
  • Updated third party event sources links: We updated the in-product documentation links for third party event sources so they link out to the most relevant page.
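To make the effect of the having clause on grouped results concrete, the following is an added Python emulation of where / groupby / having run over constructed key=value log lines; it is not InsightIDR's own query engine, and the parser and function names are assumptions for illustration.

```python
from collections import Counter
from typing import Callable, Dict, Iterable, List

# Constructed sample events in key=value form (not taken from the page).
# alice: 12 failed logins, bob: 3 failed logins, carol: 11 failed + 2 successful.
SAMPLE_LOGS: List[str] = (
    ["user=alice login=failure src=10.0.0.5"] * 12
    + ["user=bob login=failure src=10.0.0.9"] * 3
    + ["user=carol login=failure src=10.0.0.7"] * 11
    + ["user=carol login=success src=10.0.0.7"] * 2
)


def parse_kv(line: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v2 ...' into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def groupby_having(
    lines: Iterable[str],
    where: Callable[[Dict[str, str]], bool],
    groupby: str,
    having: Callable[[int], bool],
) -> Dict[str, int]:
    """Emulate where(...) groupby(<key>) having(count ...):
    1. keep only events that satisfy `where`
    2. count events per distinct value of the groupby key
    3. keep only the groups whose count satisfies `having`
    """
    counts: Counter = Counter()
    for line in lines:
        event = parse_kv(line)
        if groupby in event and where(event):
            counts[event[groupby]] += 1
    return {group: n for group, n in counts.items() if having(n)}


def failed_logins_over_ten(lines: Iterable[str] = SAMPLE_LOGS) -> Dict[str, int]:
    """The page's example: where(login != success) groupby(user) HAVING(count > 10)."""
    return groupby_having(
        lines,
        where=lambda e: e.get("login") != "success",
        groupby="user",
        having=lambda count: count > 10,
    )


if __name__ == "__main__":
    # bob is dropped by the having clause; carol's successes never reach the count.
    print(failed_logins_over_ten())  # {'alice': 12, 'carol': 11}
```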

Fixed

  • We fixed an issue where attachments on investigations were uploaded with duplicate comments.
  • We fixed an issue where the attachment count for an investigation was not updating after a new attachment was added.
  • We fixed an issue on InsightIDR Home, where the key performance indicators were linked to different setup pages, even after they’ve been set up.
  • We fixed an issue that was causing an incorrect count to appear when adding actor activity to an investigation.
  • We fixed an issue where empty configuration values would prevent the Cisco AMP event source from running. This fix has reduced polling intervals to 30 minutes.

Other Changes

  • The Third Party Agents tab has been removed: All features in the Third Party Agents tab within the Settings page have been deprecated.