Oct 31, 2024

New

  • Event sources: We added new cloud event sources for Microsoft Security, Microsoft Office 365, and Palo Alto Networks XDR. We also added AWS GuardDuty parsing to the AWS Security Lake event source.
  • WinMonitorLog: We added logic to the WinMonitorLog data source to reduce duplicate events.

Improved

  • User Details: We redesigned User Details to use a three-column layout and to keep it visually cohesive with our other pages.
  • Pre-computed queries: You will now see a notification message on Log Search indicating if a pre-computed query has not fully populated.
  • Log Search: Using the new limit clause, you can control when a search halts by setting an upper bound on the number of matches. For example, adding limit(1) returns the earliest (or latest) time an event was observed, so you can narrow your search to the matches that matter for that time range.
  • Data Collection: We updated the Orchestrators page in Data Collection Management to have more modern and useful filtering.
  • CloudTrail event source: We updated the CloudTrail event source so that customers can enable it with an assumed IAM role.
  • Settings: We enhanced some pages in the Settings menu to be more consistently themed and modern.
  • Firewall Activity: We enabled more firewall activity generation from Cisco ISE logs.
  • Event logs: We now ingest event logs with null insertion strings.
  • CloudTrail SQS event source: We added the ability to assume roles in the CloudTrail SQS event source using Amazon STS.
  • Azure event source: Microsoft Azure sign-in events with result code 53003 (a sign-in blocked by a Conditional Access policy) now generate failed ingress authentication documents and no longer generate SSO (single sign-on) documents.
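Both CloudTrail items above let the collector assume an IAM role in your account. As an added illustration that is not from this page or the vendor's documentation, the following shows the shape of a least-privilege trust policy and permissions policy for such a role, wrapped in one JSON object only so both can be read together. Every identifier is a placeholder: the vendor-side principal in account 123456789012, your queue in account 111122223333, the bucket name, and the external ID. This page does not say whether the event source supports an external ID; the sts:ExternalId condition is the standard confused-deputy safeguard for any cross-account role, so require it where the product offers one and drop that condition otherwise.

```json
{
  "TrustPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::123456789012:role/collector-principal" },
        "Action": "sts:AssumeRole",
        "Condition": { "StringEquals": { "sts:ExternalId": "PLACEHOLDER-EXTERNAL-ID" } }
      }
    ]
  },
  "PermissionsPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ReadTrailNotifications",
        "Effect": "Allow",
        "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
        "Resource": "arn:aws:sqs:us-east-1:111122223333:cloudtrail-notify"
      },
      {
        "Sid": "ReadTrailObjects",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-cloudtrail-bucket/AWSLogs/*"
      }
    ]
  }
}
```

The permissions policy names a single queue and a single prefix in a single bucket rather than wildcards, which is all a log reader needs. If the trail bucket is encrypted with SSE-KMS, the role also needs kms:Decrypt on that specific key; nothing here grants write access to the bucket or the trail.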

Fixed

  • We fixed an issue where clicking a variable showed every variable in your organization. Clicking a variable now shows the contents of that specific variable, so you can quickly understand the query definition.
  • We fixed an issue where user names were not displayed correctly in the Audit Logs panel of the Investigation Details page.
  • We fixed an issue where bulk-closing investigations caused the product to slow down.
  • We fixed an issue where cloud event sources weren't always displayed in the list of event sources after being created.
  • We fixed some strings that are used in the Amazon Security Lake third-party alerting data. They now more closely match product names.
  • We fixed an issue with the collection of Windows versions from Windows Management Instrumentation (WMI) data.
  • We fixed an issue that caused an error on Azure Event Sources.
  • We fixed an issue that caused events to be misattributed: DHCP events are no longer produced when the hostname is a machine account.
  • CrowdStrike Falcon CEF logs with headers containing a severity value greater than 10 now parse correctly.
  • In the Pulse Connect Secure event source, account names are now separated from domain names when delimited by backslashes.
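The last three fixes above all concern how account names and CEF headers are parsed. As an added example, not the product's own code, the following Python parser handles the cases they describe: a CEF header whose severity exceeds the 0-10 range the CEF standard defines, backslash-escaped header and extension values, DOMAIN\user names split into domain and account, and machine accounts recognised by the trailing "$" that Active Directory gives computer accounts. The sample lines are constructed, and the field names suser/duser, the strict flag (which models a parser that refuses out-of-range severities) and the clamp-to-10 policy are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not real CrowdStrike or Pulse Connect Secure output).
# Line 1 carries a header severity of 70, above the CEF 0-10 range, and an
# escaped Windows path in msg; line 2 names a machine account (trailing '$').
SAMPLE_LINES = [
    r"CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Detection Summary|70|"
    r"suser=CORP\\jdoe src=10.1.2.3 msg=Blocked C:\\Users\\jdoe\\evil.exe",
    r"CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Detection Summary|5|"
    r"suser=CORP\\WS01$ src=10.1.2.4 msg=Hash lookup",
]

_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity_raw")
# key=value pairs; a value runs lazily until the next " key=" or end of line,
# and a backslash escape (\\ \= \n \r) is consumed as one unit so an escaped
# '=' or ' ' inside a value does not start a new key.
_EXT_RE = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")
_ESCAPES = {"n": "\n", "r": "\r"}


@dataclass
class CefEvent:
    header: dict
    extension: dict
    severity: Optional[int]   # normalized 0-10, None if not an integer
    severity_raw: str         # the header field exactly as sent
    account: Optional[str] = None
    domain: Optional[str] = None
    machine_account: bool = False


def _split_header(line: str):
    """Split the seven pipe-delimited header fields, honouring the \\| and \\\\
    escapes, and return (fields, remainder) where remainder is the extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) < 7:
        raise ValueError("incomplete CEF header")
    return fields, line[i:]


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value, flags=re.S)


def parse_extension(ext: str) -> dict:
    return {k: _unescape(v) for k, v in _EXT_RE.findall(ext)}


def normalize_severity(raw: str, strict: bool = False) -> Optional[int]:
    """CEF defines severity 0-10, but some senders emit larger integers.
    strict=True models a parser that refuses those lines; the default keeps
    the line, clamps the value into range and leaves the raw value alongside."""
    try:
        n = int(raw)
    except ValueError:
        return None
    if 0 <= n <= 10:
        return n
    if strict:
        raise ValueError(f"severity {raw!r} outside CEF range 0-10")
    return 10 if n > 10 else 0


def split_account(name: str):
    """Split 'DOMAIN\\user' into (domain, user); a bare name has domain None."""
    if "\\" in name:
        domain, _, user = name.partition("\\")
        return (domain or None), user
    return None, name


def is_machine_account(user: str) -> bool:
    """Active Directory computer accounts are named with a trailing '$'."""
    return user.endswith("$")


def parse_cef(line: str, strict: bool = False) -> CefEvent:
    fields, ext = _split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(_HEADER_FIELDS, [fields[0][4:]] + fields[1:]))
    extension = parse_extension(ext)
    ev = CefEvent(header=header, extension=extension,
                  severity=normalize_severity(header["severity_raw"], strict),
                  severity_raw=header["severity_raw"])
    user = extension.get("suser") or extension.get("duser")
    if user:
        ev.domain, ev.account = split_account(user)
        ev.machine_account = is_machine_account(ev.account)
    return ev


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_cef(raw)
        print(ev.severity_raw, ev.severity, ev.domain, ev.account,
              ev.machine_account, ev.extension["msg"])
```

Keeping severity_raw next to the clamped value is deliberate: a detection rule that keys on the vendor's own scale still sees 70, while anything that expects the CEF range gets 10 instead of a parse failure. The same trailing-"$" test is the one to apply when deciding whether a DHCP lease hostname is a user or a computer account, which is the misattribution the DHCP fix above addresses.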