New
- ABA Detection Rules: This month we added new detection rules for 10 threats. You can find the latest updates by navigating to the Detection Rules page and filtering by Added in the last 30 days:
- Suspicious Authentication - Multiple Country Authentication
- Suspicious Authentication - Harvested Credential Authentication
- Suspicious Authentication - Multiple Failed Ingress Authentication From Known Tor Exit Node
- Suspicious Authentication - Tor Exit Node
- Suspicious Authentication - Ingress From Anonymous Proxy
- Suspicious Authentication - Ingress From Satellite Provider
- Suspicious Authentication - Ingress From Disabled Account
- User Behavior - First Ingress Authentication From Country
- User Behavior - Restricted Asset Authentication - New User
- Lateral Movement - Domain Account Authenticates to Many Assets
Improved
- SentinelOne Event Source: We expanded the log types collected from SentinelOne to include 4003 activity type logs, so the event source now creates third-party alert documents.
- Microsoft Security Cloud Event Source: We improved the parsing of Microsoft Security Cloud Event Sources, ensuring that account and asset information is populated where available.
- Office 365 Cloud Event Source: We made changes to logging and error handling for non-200 replies from the Office 365 API. In addition, the Office 365 Event Source should now report errors in the Event Sources UI when interaction issues occur with the Microsoft API.
- Box.com Event Source: You will now see API errors from Box.com in the Event Sources UI.
- Cisco Umbrella Cloud Event Source: We have updated the Cisco Umbrella Cloud Event Source to handle data collected within specific windows of time.
- Settings: We updated some pages in the Settings navigation to modernize their appearance and improve clarity.
Fixed
- Admin activity documents for Box.com Event Sources will no longer be created when the `source` and `created_by` fields are the same in the source JSON.
- We fixed an issue related to parsing for the CrowdStrike Cloud Event Source dealing with malformed JSON responses. You may see an increase in the number of InsightIDR documents produced now as a result.
- We fixed an invalid documentation redirect link in the Office 365 Event Source setup modal.
- Generated documents from Event Sources now include the correct Event Source RRN (Rapid7 Resource Name).