Dec 27, 2022

New

  • Investigation responsibility for Managed Detection and Response (MDR) customers: If you’re an MDR customer, it’s now easier to tell which investigations Rapid7 is responsible for triaging. InsightIDR now assigns responsibility to an investigation based on the detection rule that created it:
    • Rapid7 Managed investigations: In Investigations, a Managed icon with the Rapid7 logo indicates the investigations that Rapid7 is responsible for. This new icon replaces the “MDR Investigative Lead” portion of the investigation title, which has been deprecated. Investigations without this icon are your organization’s responsibility and will not be reviewed by the Rapid7 SOC.
    • Your organization’s responsibility: We added a Responsibility filter so that you can narrow your view by the responsible party (Rapid7 or your organization). As part of this feature, MDR customers can also now modify their User Behavior Analytics detection rules. Investigations generated by User Behavior Analytics, third-party alerts, and a subset of Attacker Behavior Analytics detection rules that identify anomalous user activity are your organization's responsibility and don't display the Managed icon.

Customer Requested

  • Display more table data in Dashboards and Reports: You can now create tables with multiple columns, allowing you to see all of your data in one view. When you add a query that has only a where clause and select a table display, you can now also select the columns that you want displayed in the table. For example, you could create a table with columns for Timestamp, User, and User Action.
  • Display cards on their own page in PDF reports: When you create a PDF report from a dashboard, you can now specify that one or more cards display on their own page using the new PDF Customization Settings option. This gives each card more room on the page, which is helpful for visualizations that contain a lot of data.

Improved

  • Precomputed Queries for dashboards: We updated the experience for creating a card on a dashboard in the following ways:
    • The Log Derived Metrics option has been renamed Precomputed Queries to better describe its functionality.
    • New Precomputed Queries are available in the Card Library, allowing you to create visualizations that load quickly on the dashboard.

  • Enhanced Data Collection error message for Nexpose: We added more detail to the error message that displays on the Event Sources tab when a health check fails for a Nexpose event source. The error message now includes the reason for the health check failure, which makes the failure easier to troubleshoot.

  • Improved processing for Darktrace: We updated the processing for the Darktrace event source to be more sensitive to third-party alerts. You might notice an increase in third-party alerts generated from Darktrace.

  • Support for new NetScaler event source format: We now support a new format that NetScaler uses for events, enabling InsightIDR to create alerts based on ingress authentication events.

Fixed

  • We fixed an issue where the Cisco Umbrella event source was parsing the user and host fields with a value of unknown instead of the values from the event.
  • We fixed a parsing issue that caused some events from the Cato Networks event source not to be processed. You might notice an increase in Cato Networks events as a result.

Other Updates

  • Insight Agent version 3.2.0: On December 8, 2022, we released Insight Agent version 3.2.0, which upgraded the Sysmon service from 13.30 to 14.13 to patch CVE-2022-41120. We have observed that in some rare cases, Sysmon 14.13 may cause a system crash. Because of the history of system crashes associated with Sysmon, the Insight Agent can uninstall Sysmon as a precaution when it detects any system crash. For a few customers, this version of Sysmon may not have been successfully uninstalled; in that case, we will reach out to you individually to help resolve the issue.