Nov 30, 2023

New

  • Execute InsightConnect Quick Actions in Log Search: You can now execute Quick Actions configured with InsightConnect by simply clicking on values in your Log Search results and selecting Open in Quick Actions. You can enrich data such as IP addresses, hash values, and domain lookups to learn more about specific log events without navigating through multiple areas of the product.
    • Note: This feature requires an InsightConnect license.
  • Detection Rule Migration: We migrated 9 legacy detection rules (formerly known as User Behavior Analytics rules) to the Detection Rule Library tab. These detections will continue to alert on the same user behaviors, but you will now have access to additional customization capabilities, including exceptions. To use the new versions of these rules, you must opt in by following the steps in the documentation.

Improved

  • To continue improving user experience and security outcomes, we have enabled Automatic Log Structuring for all accounts that previously had it disabled. Automatic log structuring converts logs from known formats (such as CEF and JSON) into a human-readable format, which allows you to write LEQL queries and search your logs with ease.
  • CrowdStrike now generates third-party alerts based on the severityName field value of High or Critical if the field is present.
  • Cisco Meraki client_vpn_(dis)connect_v2 events are now supported in InsightIDR.
  • We added parsing for Cisco AMP third-party alert hostnames.
  • We adjusted the Cylance Protect Cloud data source to reduce the size of payloads that are produced. We removed fields that contain learning evidence for a detection, but aren’t required for a third-party alert.
  • We added a message that explains when a change to a LEQL variable is attempted that would cause a detection rule to no longer function. You are now directed to the relevant detection rule where you can understand the impact of the change and decide how to proceed.
  • You can now use the having clause in queries that contain multiple groupby clauses. This allows you to control what data you want to view before you run your query. For example, when viewing failed logins by user and country of login attempt, you can choose to limit results to users who performed this activity a certain number of times so you can prioritize your response.
  • You can now click on the ingestion time value for any Log Search query result to access the context menu and center the search time range before and after this specific event was received. This allows you to quickly find any events that occurred around the same time.
  • We altered the parsing logic for Palo Alto logs forwarded with syslog in CEF format to account for Palo Alto field name changes coming in December 2023.
  • We added an additional filter to the Detection Rules page that allows you to easily toggle between viewing custom detection rules and Rapid7 out-of-the-box detection rules.
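The failed-logins-by-user-and-country case from the having clause item above, worked through as an added example that is not part of the release notes or the product: it mirrors the semantics of a query such as where(result!="SUCCESS") groupby(destination_user, geoip_country_name) calculate(count) having(count>=3) over constructed JSON events. The field names and the exact LEQL form are assumptions, not taken from the page.

```python
import json
from collections import Counter

# Constructed sample events, not real data. The field names are assumptions
# modelled on InsightIDR-style authentication logs.
SAMPLE_LOGS = [
    '{"destination_user": "alice", "geoip_country_name": "Germany", "result": "FAILED_BAD_PASSWORD"}',
    '{"destination_user": "alice", "geoip_country_name": "Germany", "result": "FAILED_BAD_PASSWORD"}',
    '{"destination_user": "alice", "geoip_country_name": "Germany", "result": "FAILED_OTHER"}',
    '{"destination_user": "alice", "geoip_country_name": "Brazil", "result": "FAILED_BAD_PASSWORD"}',
    '{"destination_user": "bob", "geoip_country_name": "United States", "result": "FAILED_BAD_PASSWORD"}',
    '{"destination_user": "bob", "geoip_country_name": "United States", "result": "FAILED_BAD_PASSWORD"}',
    '{"destination_user": "bob", "geoip_country_name": "United States", "result": "SUCCESS"}',
    '{"destination_user": "carol", "geoip_country_name": "Brazil", "result": "FAILED_BAD_PASSWORD"}',
    '{"destination_user": "carol", "geoip_country_name": "Brazil", "result": "FAILED_BAD_PASSWORD"}',
    '{"destination_user": "carol", "geoip_country_name": "Brazil", "result": "FAILED_OTHER"}',
    '{"destination_user": "carol", "geoip_country_name": "Brazil", "result": "FAILED_BAD_PASSWORD"}',
    'not json at all',  # an unstructured line, skipped like a non-matching event
]


def failed_logins_by_user_country(lines, threshold=3):
    """Equivalent of:
       where(result!="SUCCESS") groupby(destination_user, geoip_country_name)
       calculate(count) having(count>=threshold)
    Returns [((user, country), count), ...] sorted by count, highest first."""
    counts = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        # where() is evaluated per event, before any aggregation
        if event.get("result") == "SUCCESS":
            continue
        key = (event.get("destination_user", "-"), event.get("geoip_country_name", "-"))
        counts[key] += 1
    # having() is evaluated on the aggregated groups, after counting, so a
    # user/country pair is kept only if its total failure count meets the bar
    kept = [(key, n) for key, n in counts.items() if n >= threshold]
    return sorted(kept, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for (user, country), n in failed_logins_by_user_country(SAMPLE_LOGS):
        print(f"{user:8} {country:15} {n}")
```

The threshold is what the having clause controls; lowering it to 1 shows every user/country group that produced at least one failure.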

Fixed

  • We fixed an issue where Arista Firewall event sources were not being configured correctly.
  • We fixed an issue that was preventing Carbon Black Cloud event sources from being edited.
  • We fixed an issue where alerts could not be removed from an investigation timeline.
  • We fixed an issue where the KPI count for users on the watchlist did not match the default search results for users on the watchlist.
  • We fixed an issue that caused error messages to overproduce despite successful log ingestion on the Mimecast event source.
  • We fixed the parser logic so that it no longer requires an exact match when extracting query values, since those values differ across customers.
  • We fixed the datasource.callback key from the Zoom data source to ensure the error is being reported to the frontend.
  • We added methods to extract the correct group name value from Okta logs.
  • We reduced the data source polling interval to 15 minutes so that events are pulled in more consistently.
  • We fixed a date parsing issue for Active Directory logs in snare format.
  • We fixed an issue that caused Snare-format Active Directory events with event codes 540, 4624, 4625, or 4768 that lack an IP address to fail to produce Unified Asset Authentication logs. These events will now produce Generic Windows logs.
  • We fixed an issue where results from a Log Search query using a calculate function could not be exported to a CSV file. You can now download this query data to a CSV file using the sharing actions menu in Log Search.
  • We fixed an issue where the order of the keys exported to a CSV file from Log Search did not match the order that was presented in the product.
  • We fixed an issue so that a period following the date in a syslog header is now accepted.