Feb 28, 2023

New

  • SentinelOne EDR API Collection Method: We have released a new API collection method for SentinelOne EDR to provide you with a simplified, more secure method to collect your logs.

  • Additional Log Search Time Range: You can now view your query’s time range directly above the timeline chart so you have full context of the period searched. This new feature is available in both Log Search and the Log Search Open Preview.

  • Waiting Status and Unknown Disposition for Investigations: We added two new options to Investigations so you can describe an investigation’s current state more accurately:

    • You can use the Waiting status to indicate that the investigation is in a pending state while more information is gathered.
    • You can use the Unknown disposition to indicate that the maliciousness of the investigation couldn’t be determined.
  • ABA Detection Rules: This month we added new Log and Process Rules, Network Sensor Rules, and Threat Command Rules. You can find the latest updates by navigating to the Detection Rules page and filtering by “Added in the last 30 days”.

  • Log Search Open Preview: We released updates to the new Log Search Open Preview:

    • You can now easily share and analyze Log Search query results by downloading a CSV file of up to 1 million parseable log lines. Click the arrow in the top right of your query results to export.
    • You can now customize the log data displayed in Table View, JSON Format, and Condensed Format by selecting Edit Keys from the Settings dropdown of the Data tab.
    • You can now use the back chevron on the Log Search Open Preview page so you can revisit previous searches.

Improved

  • UBA Settings: Account Enabled UBA alerts can now be tuned without the need to install the LDAP or Active Directory event sources.

  • Attribution Engine: We updated the attribution algorithm to more accurately filter out Service accounts, improving the attribution engine’s ability to determine the primary user of an asset.

Fixed

  • We fixed an issue where audit log downloads in investigations were including extra events. Only events visible in the UI appear now.

  • We fixed the KPI on the Home page for "Unspecified" investigations. It now links to the Investigation Management page and sets the filters correctly so you see investigations with an unspecified priority.

  • We fixed an issue with audit logs in investigations that was causing events to show up in the wrong order. New events now appear at the top of the log and older events at the bottom.

  • We deprecated the Kaspersky Anti-Virus event source, meaning no new event sources of this type can be created. Existing Kaspersky Anti-Virus event sources will continue to be supported.

  • We fixed an issue where the Alert Modification settings weren't rendering text correctly for "Allow protocol poisoning" modifications.

  • We fixed r7_context.asset.name field values in process start logs to match asset names used everywhere else in log search.

  • We fixed a reported issue where Log Entry CSV exports were returning incomplete data sets.