Apr 30, 2024

New

  • Context menu options for groupby query results: When you review the results of a groupby query, you can now open the search results directly from the table or bar chart. Left-click the value and select the new Search for log entries button. This runs a new query using the value you selected and displays the results in a new tab. By removing the previous need to manually edit queries, you can speed up the time to insight without losing the context of the initial query.
  • Add a threshold and average line to a dashboard card: For cards that use a single query, you can now switch on a threshold line and an average line. To add these lines to your card, select Edit and navigate to the Chart tab. For now, this is only available for bar charts (vertical and horizontal), line charts, and area charts. This update gives you greater flexibility in monitoring trends and anomalies. These new reference lines, especially the threshold line, make it easier to identify and act on critical insights.
  • Now Available to all customers: Cloud Event Sources: In the past, you had to deploy a collector in your network to collect log data. This took time to set up and manage. Cloud-based event sources provide you with a quick and easy way to ingest your security events without setting up a collector. You can set up the cloud event source, add your credentials, and log data will flow into Log Search within 10 minutes. Here’s a list of the cloud event sources:
    • Cisco Umbrella
    • Proofpoint TAP
    • Mimecast
    • Okta
    • Duo
    • Zoom
    • Salesforce
  • Create your own pre-computed queries for fast decision making and instant visualizations: You can now create and manage your own pre-computed queries for near instantaneous summaries of query results that use a groupby clause or calculate function. Queries that search a large amount of data can take time to return results, and become a barrier to understanding what’s happening in your environment. A selection of prebuilt pre-computed queries are already available to you in InsightIDR Dashboards. Once you create a pre-computed query, you can use it in a dashboard card by selecting the pre-computed query option when you create or edit a card. You can create a new pre-computed query in two ways:
    • Navigate to Settings > Log Management > Pre-Computed Queries to create and manage your own pre-computed queries. You can also access this page from the Log Management dropdown on the Log Search page.
    • In Log Search, run a query that contains either a groupby clause, calculate function, or both. Open the query actions menu and select the option to Save as a pre-computed query.

Improved

  • Log Search sorting: We removed a constraint on the order of search results. Previously, ordering by newest log first was restricted to searches within the last 30 days. You can now order by newest log first across your full log retention period.
  • Additional log set context: We added the log set name to the results displayed when you run a groupby(#log) query. By providing this additional information, you now have more context when you want to determine the relative activity across different logs.
  • Remove old logs: We added the ability to remove old logs from the log selector interface in Log Search. Provided the criteria for removal are met, an icon appears adjacent to the log name in Log Search. This allows you to remove redundant and stale logs (where the collector, event source, or network sensor has already been deleted) so that you can focus your queries on relevant logs with live data.
  • Word clarification: We updated the wording on the Investigation Management and Detection Rules pages from Alerts to Detection Rules for clarity.
  • Event source counts: We updated Event Source filtering to recalculate Event Source counts after selecting filters.
  • Custom Parser UI improvements: We updated spacing, button designs, and link appearances in the Custom Parser Tool for better user experience.
  • Download Collector page improvements: We updated the Download Collector page for a better visual experience and added easier navigation to the Activate Collector page.
  • New authentication services: We added 1PASSWORD and WORKDAY as authentication services for new user accounts.
  • Event source form improvements: We updated the Event Source form to allow users to collapse and reopen the list of existing event sources.
  • Event source form clarifications: We updated the Event Source form to display the product logo, name, and type for clarity.
  • Addition to the User Details page: We updated the User Details page with a new section on User Information that contains information formerly located in the User Details page header.
  • Log Retention page messaging: We updated language on the Log Retention page to help users understand when a follow-up with a customer success manager regarding log retention may be necessary.
  • Context menu styling: We updated the styling of the context menu in Log Search for visual consistency in light and dark mode.
  • Package tag update: We updated the package tag that appears next to the product logo to keep the experience visually cohesive for our users.

Fixed

  • We fixed an issue where filters in Investigation Details for Ingress Authentication data were not filtering data correctly.
  • We fixed an issue where users were being notified of an error after editing an event source when no error had occurred.
  • We fixed an issue where the search results for Event Sources were blank when the list was empty, rather than displaying contextual information.
  • We fixed an issue where users could mark a collector-based event source as cloud-based.
  • We fixed an issue where some timestamps in Investigation Details and Alert Triage pages weren't following user preferences.