Apr 28, 2023

New

  • Palo Alto Networks XDR Incidents API: We added support for the Palo Alto Networks XDR Incidents API. You can now set up a new event source to request Incidents from the Incidents API within Cortex XDR and generate third-party alerts.

  • Log Search Open Preview:

    • We added a home page concept to Log Search to provide a starting place for all search related activities. You now have single click access to recently run queries, any saved queries, and a curated list of example queries organized by log set.
    • We added the having clause functionality to the context menu. You can now build queries with the having clause by interacting with result data. Clicking a numerical value in the table view of groupby results opens the context menu, which offers options to filter the output to values greater than, less than, or equal to the clicked value.
  • ABA Detection Rules: This month we added new detection rules for 6 threats. You can find the latest updates by navigating to the Detection Rules page and filtering by Added in the last 30 days:

    • Palo Alto Networks Cortex XDR
    • Suspicious Ingress Authentications
    • Suspicious Network Activity - IDS
    • Suspicious Processes - Linux
    • Suspicious Processes - Windows
    • Suspicious Services - Windows

Improved

  • Investigations: We have updated the audit log and investigations lists to provide you with more visibility:

    • Audit log: The audit log for an investigation now provides you with a record of who created an investigation and when it occurred. You can also now see records of when an investigation's status changes to waiting.
    • Investigations lists: The Recently created alerts and Recently accessed investigations lists on the Home page now include investigations that are in a waiting or investigating status, ensuring no data is hidden.
  • Improved filtering on the Active Users and Non-Expiring Users pages: You now have the ability to show and hide non-attributed accounts when viewing lists of accounts by navigating to the Users and Accounts page and selecting Active Users or Non-Expiring Users.

  • UBA Alerts: UBA alerts can now be tuned without installing an LDAP or Active Directory event source. You now only require an Insight Agent to collect Active Directory logs to be able to tune.

  • Event Sources: We have updated these event sources to optimize performance and improve data ingestion:

    • Increased capacity for Cisco Meraki events: We have increased the capacity for Cisco Meraki event sources from 500 pages to 1000 pages of events. As a result, the Cisco Meraki API now has higher performance and is more stable.
    • Kafka updates: We added multi-threading to Kafka in order to support greater ingestion for all logs.
    • Increased line limit: We have doubled the line length limit available for all directory watchers and file tailer sources. This update allows our system to parse larger logs and decreases the risk that errors with investigations will occur.
    • Cisco Meraki data source logs: Cisco Meraki event source logging now offers more explicit information regarding when events are fetched from the API and sent to the platform.
    • Duo cutoff time: We introduced a cutoff time for Duo API polls to help mitigate rate limiting issues.
  • In-product guidance and terminology updates: We have made improvements to certain in-product guidance, and updated our terminology for usability purposes.

    • Ingress Locations banner: A banner was added to the Ingress Locations card on the Home page to inform you that more ingressed data is available. The banner also provides a link to quickly find all of your ingressed data in Log Search.
    • Credential creation error message: When you create a credential for your event source it now displays an error message if the name exceeds the character limit.
    • Honeypots error message: Honeypots now show error messages when an activation key is already used.
    • Renamed alerts: We renamed Ingress from Domain Admin alerts to Ingress from Privileged Account to more accurately describe the alert’s behavior since those alerts can fire for more than just domain admin accounts.

Fixed

  • We fixed an issue where Managed Detection and Response (MDR) customers were unable to comment on investigations with responsibility assigned to the Rapid7 MDR SOC.

  • We fixed an issue where the Investigation audit logs panel was available for InsightUBA customers.

  • We fixed an issue where country code flags were rendered incorrectly.

  • We fixed an incorrect label that appeared when configuring a collection method for Palo Alto Networks Cortex XDR event sources.

  • We fixed an issue where an incorrect message was displayed when bulk closing an investigation. Now, the alert name is shown.

  • We fixed issues where InsightCloudSec was being referred to as DivvyCloud on pages related to event sources.

  • We fixed various bugs for Kafka and improved error reporting.

  • We fixed an issue where failed reset password events were generated as cloud service activity events. Users will no longer be falsely added as active enabled users.

  • We fixed an issue that occurred when you create event source credentials. The subdomain field no longer shows when it is not required.

  • We fixed an issue where Fortigate alerts marked as "Critical" were downgraded to "High" in InsightIDR. Now, "Critical" Fortigate logs will generate investigations of "Critical" priority in InsightIDR.

  • We fixed the parsing rules for Fortigate logs to ensure logs with timestamps are parsed correctly and generate Firewall alerts.

  • We have modified Darktrace so you see a more accurate threat title in InsightIDR.