May 31, 2023

New

  • Log Search Open Preview: We made updates to the Log Search Open Preview, including:

    • Time zone display: You can now customize how the time zone is displayed in the Log Search Open Preview. The log ingestion times now appear in UTC or your local time zone, depending on the option you select in Settings > User Preferences > Time Zone.
    • Adjustable column width: You can now resize column widths in the analysis view, giving you more room for long values such as directory listings or command line parameters, so you can scan this information in a single view.
    • Search filter for saved query list: You can now search within the saved query list on the Log Search Home tab. The filter matches against both the query name and the contents of the query, so you can quickly find previously created queries in your organization by name or by the keys and values they contain.
    • Additional access to your saved and recent queries: You can now access saved and recent queries directly from the Data and Analysis tabs. Click Recent Queries or Saved Queries below the time range to begin searching when viewing your log data or visualizations.
  • Multi-customer experience toggle moved out of Early Access: If you’re an MSSP partner, you now have access to the multi-customer investigation experience within InsightIDR. You can enable the experience in Settings > User Preferences > Multi-Customer Investigations.

  • Customize detection rules with LEQL exceptions: We’ve added the ability to define exception logic using Log Entry Query Language (LEQL), in addition to the existing key-value pair mode. To learn more about writing exceptions in LEQL, read the documentation.

Improved

  • Virus Scan event source documentation links: We updated the help links for the Virus Scan event sources to go to the matching documentation page.
  • New authentication method for Zoom event source: You can now authenticate to the Zoom event source using the Server-to-Server OAuth authentication method. This new authentication method allows you to continue leveraging the Zoom event source despite Zoom's deprecation of the JWT API authentication method.
  • Specify Active Directory domain in Cato Networks event source: You can now specify the Active Directory domain for incoming logs in the Cato Networks firewall event source.
  • (MDR Customers) Comment on Rapid7 investigations: MDR customers can now leave comments on investigations that are the responsibility of Rapid7.
  • User Risk Ranking copy update: We improved the copy on the User Risk Ranking page in Users and Accounts to clarify why an empty state is appearing and what you can do to fix it.
  • Increased limits for file processors: We increased the file processor limit for File Tailer and Directory Watcher from 4,096 to 8,192, so event sources that use the File Tailer or Directory Watcher collection methods can now read longer log entries.
  • Removal of brute force false positives from Active Directory: Windows Security event ID 4771 (Kerberos pre-authentication failed) now produces log content. Previously, these events generated false positive BruteForceFromUnknownSource alerts because they appeared to show users authenticating directly to the Active Directory domain controller when this was not the case.
  • Log Search enhancement: Log Search fields now contain only the JSON portion of each event; the syslog headers are stripped. Removing the header leaves clean JSON, so custom parsing rules match the data more reliably.
  • Virus infection events prevented for a Carbon Black Cloud event type: We updated the parsing rules so the Carbon Black Cloud event source no longer generates virus infection events from NON_MALWARE event types.
  • Increased visibility into Box.com events: We now allow the SHIELD_ALERT event type to generate third-party alerts. We also increased parsing support for when users collaborate on a file, such as editing, deleting, or downloading a file. These events are known as COLLABORATION events.

Fixed

  • We fixed an issue that prevented you from selecting existing credentials when creating or editing event sources.
  • We fixed a spelling mistake to update "free trail" to "free trial".
  • We fixed an issue where newly created event sources displayed in the initializing state until the page was reloaded.
  • We fixed an issue in Microsoft Active Directory LDAP events where some event fields containing null were parsed as a valid value instead of ignored.