New
- Custom Detection Rules is in Open Preview: You can now create detection rules that uniquely fit your organization’s security needs. Get started by clicking Create Detection Rule on the Detection Rules page, or by clicking Detection Rules > Custom Detection Rule in Log Search.
- ABA Detection Rules: This month, we added new detection rules for 4 threats. You can find the latest updates by navigating to the Detection Rules page and filtering by Added in the last 30 days:
  - Suspicious Network Connections
  - Suspicious Process Access
  - Suspicious Registry Events
  - Visibility Monitoring
Improved
- We added name validation when creating or editing credentials in Settings.
- We added a help documentation link to the setup pages for Microsoft IIS event sources.
- We added filtering to the investigations audit log, so you can now see when alerts have been added or removed from an investigation.
- We improved event sources that use OAuth so that they now check to see if an OAuth token exists before prompting you to create a new one.
- We added support for the Cisco Meraki Firewall events format from Firmware MX18.101 and newer.
- We added support to parse the hostname and account name fields for the BlueCoat ProxySG event source.
- We improved the visual navigation of Log Search so the Search bar is more accessible. You can now run a query or access query actions while the Search bar is collapsed.
Fixed
- We fixed an issue where log lines with string-encoded epoch timestamps could not be added to investigations.
- We fixed an issue where the Allowlist and Close options did not populate correctly for some investigations.
- We fixed help documentation links so they now direct to specific event source pages.
- We fixed an issue where end users without multi-customer investigations had access to multi-customer investigation routes.
- We fixed an issue so that right-clicking and choosing Open in New Tab now works for the multi-customer investigation experience.
- We added an additional check to ensure that Palo Alto Prisma logs in LEEF format are parsed more consistently.
- We fixed the SnortIds parser so that it now parses logs that don’t have a hostname in the header, and added provider tests.
- We fixed an Active Directory race condition that caused events to go to the Unparsed Data log set instead of Generic Windows.
- We fixed an issue where the Palo Alto Networks event source wasn’t correctly parsing the CONNECTION_STATUS field.
- We fixed an issue in the Log Search Table view where values wrapped in a cell were expanding when reviewing certain log entries.