Investigator Release Notes

Here’s what’s new with Investigator.

November 2024

Features and enhancements

  • Added history to the Connection Details for an alert associated with a detection. The history provides both the encrypted character string and an easily readable explanation of the connection details in order of occurrence. Hover the pointer over the history for more details.

  • Added DNS Details to the information provided for alerts associated with a detection.

  • Improved filters on the Detections page to allow the selection of multiple values in a single filter.

Fixed bugs

  • Fixed an issue where the Destination IP for a detection would only show a maximum count of 10 even if there were more destination IPs.

  • Fixed an issue where the Source and Destination titles in the Entity card on the Detection Details page were not visible with the light theme.

October 2024

Features and enhancements

  • Added related detection activity and a timeline view to detection details.

  • Added access to PCAP downloads (if configured in sensor logs).

  • Added the ability to map custom groups to Investigator roles with SSO.

  • Added these new search-based alerts:

Fixed bugs

  • Fixed an issue where the payload summary was missing with some configurations.

  • Fixed an issue with the alert details side panel that prevented it from showing See More links for all detail categories.

  • Fixed an issue that generated a 404 error when opening a dashboard in a new tab from the More Dashboards menu.

  • Fixed a navigation issue that prevented returning to the main dashboard page after opening a dashboard widget.

  • Fixed an issue where the date specified in the time interval was not preserved when switching between the Overview page and the Detections page.

September 2024

Features and enhancements

Fixed bugs

  • Fixed an issue with the Suricata payload in the alert details where the page would incorrectly display empty payload and rule sections if the content was not available.

  • Fixed a display issue on the Detection Details page where, when only a single alert is associated with a detection in the Alerts table, the menu for the Investigate Logs button was hidden behind the table footer.

  • Fixed an issue on the Entities tab of the Overview page where clicking the View Detection button for an entity treated that entity as the source, so the Detections page did not return the correct result if the selected entity was the destination for the detection.

  • Clarified the alert export documentation to include more configuration details for CrowdStrike Falcon.

August 2024

Features and enhancements

  • Redesigned the overview page to provide more visibility into your network and security.

  • Merged the dashboards into the overview page for easier access and more logical placement. Highlighted the Network Overview and Security Posture dashboards.

  • Enhanced entity information for detections with source and destination details.

  • Redesigned the page layout for detection details.

Fixed bugs

  • Fixed an issue on the detection details page for federated tenants where the entity enrichment section displayed a 404 error instead of a message indicating that the entity integration needs to be configured on the child tenant.

  • Fixed an issue that generated "Query failed" and "Writing job aborted" messages in the logs.

  • Fixed an issue where the Configure Sensor button was not visible in Settings | Sensor Monitoring when using the light theme.

  • Fixed the conditions that generated the Apollo Server startup error in the logs.

July 2024

Features and enhancements

Fixed bugs

  • Fixed an issue where detections continued to be filtered after a host was removed from the exclusion list.

June 2024

Fixed bugs

  • Fixed an issue where Investigator incorrectly reported the number of sensors sending data.

  • Removed the character limit for the Category filter on the Related Detections page.

  • Fixed an issue that prevented the ability to copy the MFA code during initial setup.

  • Updated the behavior of buttons in the UI so you can right-click a button and open a new tab.

  • Corrected an issue that prevented the tenant display name from appearing in the page header.

  • Fixed an issue where the Entity panel was not populated in the Detections page table view.

  • Fixed an issue where the search box for assigning a detection to a user displayed all users instead of only the search matches after the focus moved away from the search results.

  • Fixed a sorting problem to ensure the searched-for user was placed at the top of the search results when editing a Detection assignee in the quick view panel.

May 2024

Features and enhancements

  • Introduced support for federated tenants to provide administrators with a collective view of data from configured sub-tenants (child tenants). The aggregated data provides comprehensive insights into network security within a unified interface and streamlines the management of tenants.

Fixed bugs

  • Resolved an issue where LogScale dashboards returned a 404 error when opened in a new tab.

  • Fixed a content refresh issue related to LogScale tokens.

  • Fixed an issue where reactivated users encountered an invalid OTP error despite entering the correct OTP.

  • Corrected the icon representation for domain type entities in the excluded entities data table.

  • Resolved an issue where the toast message indicating an unsuccessful save did not disappear automatically while saving alert exporters.

  • Fixed issues related to the quick view functionality in the detection page.

  • Corrected UI distortion in the timeframe field and ensured proper detection listing when navigating from the Alert Catalog to the Detections page, particularly when a detection shares an alert name.

  • Improved the loading time of the details pane on the Detections page, ensuring faster data display.

  • Fixed the incorrect display of the local authentication state for some users.

  • Fixed an issue where a role change for a user was not reflected at the top of the Account Settings menu in the upper-right corner.

  • Corrected the mapping of MITRE techniques to their respective tactics on the Security Overview page.

  • Removed extra spacing in the Alert Overview card on the Security Overview page.

  • Fixed an issue where the Related Detections tab showed all detections instead of filtering to only related detections.

April 2024

Features and enhancements

March 2024

Features and enhancements

February 2024

Features and enhancements

  • Added a menu to the Dashboard item in the left navigation to provide quick access to dashboards.

  • Enhanced the Alert Category page so it preserves the search query and filters if you navigate from the page.

Fixed bugs

  • Fixed an issue where the Exfiltration via DNS alert displayed inconsistent severity scores.

  • Fixed an issue where you could not filter detections to exclude those with a score of 10 on the Detections page.

  • Fixed an issue where the Investigate Logs query did not work if the Suricata alert name changed.

  • Fixed an issue where not all Tor Connection detections were displayed if you navigated to the Detections page from the Alert Catalog details.

  • Improved security audit logging to eliminate extraneous entries, improve sorting, and track SSO users.

  • Fixed an issue where bulk updates for alert status in the Alert Catalog resulted in an invalid status on the back end and caused issues with alert filtering.

January 2024

  • Enhanced the search feature for the Alert Catalog to use AND/OR operators, wildcards, and regular expressions.

  • Enabled view-only access for Analyst users to the Integrations in System Settings.

  • Merged the Related Detections and Related Entities tabs on the detailed view of detections and added filters to easily find relevant alerts and entities.

December 2023

  • Reorganized System Settings and created a dedicated page for integrations.

November 2023

Features and enhancements

  • Added a table view to the Detections page that provides a more structured and concise representation of detections and lets you quickly scan rows and columns.

  • Added the ability to configure the autoclose time period for detections in General Settings.

  • Added the ability to use local authentication for all admin users and for analyst users not in the SSO domain when SSO is enabled.

  • Added new ML model for malicious certificates.

Fixed bugs

  • Fixed an issue where you could not open a link in a new tab if you signed in using SSO.

October 2023

Features and enhancements

  • Moved the System Settings to the left-side navigation. (Account Settings remain available in the menu that appears when you click your username.)

  • Added support for search-based alerts, which are Corelight-defined log search queries. You can review and manage search-based alerts through the Alert Catalog.

  • Repositioned and redesigned the sort and filter options on the Detections page.

September 2023

Features and enhancements

  • Transitioned content from the Alerts page to the Security Overview and the Detections pages and removed the Alerts page.

  • Added Highest Risk Detections section to the Security Overview page.

  • Added the ability to send a detection to ServiceNow and create a security incident for further investigation.

  • Added the ability to refresh the detections from the time window if Investigator identifies new detections.

August 2023

Features and enhancements

  • Added the Detections page for better grouping, filtering, and visibility into alerts, and the ability to triage detections and take action.

    • Updated sort terms for the Detections page to be more meaningful.

    • Moved the time window to be in the upper-left corner for consistency.

    • Added a header to the Detection page.

    • Removed redundant inline actions.

  • Added GPT functionality to provide AI-generated information for Suricata and machine learning detections.

  • Reorganized system settings and created a general settings area that includes licensing and GPT.

  • Added new ML detection: domain combosquatting.

Note

The Alerts page will be retired. The full functionality is available in the Security Overview and the Detections pages.

Fixed bugs

  • Fixed an issue where authentication through SSO was incorrectly prompting for a one-time password.

July 2023

Features and enhancements

  • Enhanced exported alerts to include a URL that links to the associated detection details page within Investigator.

Fixed bugs

  • Fixed an issue where the Modified By field would be empty for a changed severity score.

  • Fixed an issue with the Crowdstrike/IOC Overview dashboard where an error indicated a canceled query due to the regex backtrack limit.

June 2023

Features and enhancements

  • Updated the user interface for improved spacing, typography and readability, and accessibility.

Fixed bugs

  • Fixed an issue that prevented SAML configuration with the error “Identify Provider configuration already exists”.

  • Fixed an issue where Notice and Suricata detections did not show the normalized severity in the Alert Catalog.

May 2023

Features and enhancements

April 2023

Features and enhancements

  • Added the Security Audit log to provide a record of user and system activities.

  • Upgraded the log search engine to Falcon LogScale 1.76.

  • For IDN homograph machine learning alerts, added a more readable version of the domain in Unicode next to the Punycode value to demonstrate why the domain was flagged.

Fixed bugs

  • Fixed an issue where the search on the Alert Catalog details page did not recognize special characters.

  • Fixed an issue where full search terms were not returning appropriate results in the Alert Catalog details page.

March 2023

Features and enhancements

  • Added the ability for admin users to reset 2FA by deactivating and reactivating users.

Fixed bugs

  • Standardized the minimum normalized score for alerts to 1.

  • Fixed an issue where a low severity (benign) Machine Learning finding appeared in the Alert Catalog search results.

February 2023

Features and enhancements

  • Added support for SAML SSO user management.

  • Added support for multiple alert exports and for exports through Elastic, CrowdStrike Falcon LogScale, and a generic HTTP exporter.

  • Added the ability to select multiple entries in the Alert Catalog and change their status.

Fixed bugs

  • Fixed an issue to allow deep pagination (results beyond 1000 pages) for the Alert Catalog.

  • Fixed an issue where machine learning alerts displayed an incorrect time interval.

  • Fixed an issue where some search results did not match the specified search term.

January 2023

  • Fixed an issue where alerts were not suppressed properly when an alert category had more than 10 excluded entities.

  • Fixed an issue where you could not configure the Splunk Exporter due to a permissions issue.

  • Fixed an issue where the Domain Typosquatting machine learning model generated an alert for google.com.

December 2022

  • Migrated the existing user database to support enhanced user management. This change requires each user to reset their password and 2FA token.

  • Added more information for machine learning alerts including the associated connection’s timestamp, source and destination IP, and domain. (The added information varies by the type of alert.) Added a View ML Analysis icon for easy access to details about how features influenced the model score.

  • Added a Suppress Entity button to the entity detail and alert detail pages that adds the entity to the Excluded Entities list. Excluded entities do not generate new alerts for the alert category.

November 2022

Features and enhancements

  • Added the ability to filter the alert categories and top entities on the Alerts dashboard based on a search term.

  • Suricata alert details include a View Rule button that shows the definition of the rule.

Fixed bugs

  • Fixed an issue where some top entities on the Alerts page did not show entity details when the pointer hovered over the entity.

  • Fixed an issue where you could not copy or download sensor export details.

  • Fixed an issue to properly sort search results in the Alert Catalog.

  • Fixed an issue where adding or deleting an excluded entity was not reflected in the list until a page refresh.

  • Corrected the entity type for the Social Engineering Domains and Domain Typosquatting models.

  • Fixed an issue where a previously configured sensor was not recognized in the interface and you were prompted to configure a new sensor.

  • Fixed an issue so the entity details page retrieves all alert types for the entity and not just a single alert type.

October 2022

Features and enhancements

  • The Alert Details page (available from the Alert Catalog) now shows the MITRE technique number as well as the technique description for relevant alerts.

Fixed bugs

  • Fixed an issue where alert details mistakenly showed zero analytics contributing to the model score.

  • Fixed an issue where new machine learning alerts did not include machine learning feature data or the Top Model Advanced Analytics Summary data in the UI.

September 2022

Features and enhancements

  • Added the ability to change the status of alert categories and control if alert categories appear on the alert dashboard.

  • Added the ability to exclude alerts from specific entities for an alert category in the Alert Catalog.

Fixed bugs

  • Fixed an issue in the Users & Access page where selected users were not retained when navigating to a previous or next page in the list of users.

  • Fixed an issue where a low severity (benign) Machine Learning finding was generated as an alert.

August 2022

Features and enhancements

  • General Data Protection Regulation (GDPR) updates, including:

    • User-level consent to Corelight Privacy Policy during initial login.

    • Ability to manage cookies and tracking data during initial login and on the Account Settings page.

    • Investigator deletes raw log data at the end of the retention period. (Raw log data is kept for a minimum of 30 days and you can adjust the retention period with a license.)

  • Product availability in the European Union (EU).

  • The Alert Catalog provides a read-only list of all alerts in the system.

Fixed bugs

  • Fixed an issue where the Investigate Logs button for a Suricata alert on the Entity page returns an error.

  • Fixed an issue where the number of alerts shown on the Alert or Entity page was one higher than the number of alerts shown when you clicked the Investigate Logs button. (The logs would drop the last event.)

  • Fixed an issue where some log data was deleted before reaching the log retention limit due to a data retention storage setting.

Known issues

  • Investigator displays Falcon LogScale (Humio) content in an iFrame, which can result in display issues with the content. For example, data can extend beyond the visible frame of the Humio logs at smaller screen sizes.

  • In the Falcon LogScale (Humio) frame of the Log Search page, the Save As | Export to File option returns only a blank page for large downloads (downloads taking more than 15 minutes). Smaller downloads are not impacted.