Release notes

Here’s what’s new with Investigator.

June 2024

Fixed bugs

• Fixed an issue where Investigator incorrectly reported the number of sensors sending data. (INVEST-9649)

• Removed the character limit for the Category filter on the Related Detections page. (INVEST-9518)

• Fixed an issue that prevented the ability to copy the MFA code during initial setup. (INVEST-10013)

• Updated the behavior of buttons in the UI so you can right-click a button and open a new tab. (INVEST-10016)

• Corrected an issue the prevented the tenant display name from appearing in the page header. (INVEST-10017)

May 2024

Features and enhancements

• Introduced support for federated tenants to provide administrators with a collective view of data from configured sub-tenants (child tenants). The aggregated data provides comprehensive insights into network security within a unified interface and streamlines the management of tenants.

Fixed bugs

• Resolved an issue where LogScale dashboards returned a 404 error when opened in a new tab. (INVEST-9772)

• Fixed a content refresh issue related to LogScale tokens. (INVEST-9757)

• Fixed an issue where reactivated users encountered an invalid OTP error despite entering the correct OTP. (INVEST-9624)

• Corrected the icon representation for domain type entities in the excluded entities data table. (INVEST-9571)

• Resolved an issue where the toast message indicating an unsuccessful save did not disappear automatically while saving alert exporters. (INVEST-9569)

• Fixed issues related to the quick view functionality in the detection page. (INVEST-9548)

• Corrected UI distortion in the timeframe field and ensured proper detection listing when navigating from the Alert Catalog to the Detections page, particularly when a detection shares an alert name. (INVEST-9543)

• Improved the loading time of the details pane on the Detections page, ensuring faster data display. (INVEST-9602)

• Fixed the incorrect display of the local authentication state for some users. (INVEST-9474)

• Fixed an issue where a role change for a user was not reflected at the top of the Account Settings menu in the upper-right corner. (INVEST-9873)

• Corrected the mapping of MITRE techniques to their respective tactics on the Security Overview page. (INVEST-9589)

• Removed extra spacing in the Alert Overview card on the Security Overview page. (INVEST-7746)

• Fixed an issue where the Related Detections tab showed all detections instead of filtering to only related detections. (INVEST-10010)

April 2024

Features and enhancements

• Added a view only user role for individuals who need to view detections and their associated data without making modifications to the system or taking action.

• Added the ability to isolate entities from network activity to address potential compromises or ongoing attacks based on Corelight evidence. This feature requires a properly configured CrowdStrike integration.

• Streamlined the license model to include only an advanced license and evaluation version.

• Added these new search-based alerts:

  • JetBrains TeamCity Authentication Bypass CVE-2024-27198 and CVE-2024-27199
  • AsyncRAT remote access trojan
  • Fortra FileCatalyst remote code execution CVE-2024-251538
  • Onion domain
  • Fortigate RCE CVE-2024-21762

March 2024

Features and enhancements

• Added an integration for CrowdStrike EDR (Endpoint Detection and Response) that provides additional context to detections that helps analyze threats and helps analysts make informed decisions during the triage process. When configured, detections show valuable entity context and the expanded data. For details, see CrowdStrike data in detections.

• Enhanced log search queries from detections with pre-populated queries to provide more contextually relevant results.

• Added a new ML detection: C2 HTTP Frameworks.

• Added these new search-based alerts:

  • Citrix Netscaler CVE-2023-4966 (CitrixBleed)
  • ScreenConnect Authentication Bypass CVE-2024-1709
  • Sonicwall RCE/DOS CVE-2022-22274 / CVE-2023-0656

February 2024

Features and enhancements

• Added a menu to the Dashboard item in the left navigation to provide quick access to dashboards.

• Enhanced the Alert Category page so it preserves the search query and filters if you navigate from the page. (INVEST-8943)

Fixed bugs

• Fixed an issue where the Exfiltration via DNS alert displayed inconsistent severity scores. (INVEST-8935)

• Fixed an issue where you could not filter detections to exclude those with a score of 10 on the Detections page. (INVEST-8935)

• Fixed an issue where the Investigate Logs query did not work if the Suricata alert name changes. (INVEST-8921)

• Fixed an issue where not all Tor Connection detections were displayed if you navigate to the Detections page from the Alert Catalog details. (INVEST-8815)

• Improved security audit logging to eliminate extraneous entries, improve sorting, and track SSO users. (INVEST-8805)

• Fixed an issue where bulk updates for alert status in the Alert Catalog resulted in an invalid status on the back end and caused issues with alert filtering. (INVEST-9110)

January 2024

• Enhanced the search feature for the Alert Catalog to use AND/OR operators, wildcards, and regular expressions.

• Enabled view-only access for Analyst users to the Integrations in System Settings.

• Merged the Related Detections and Related Entities tabs on the detailed view of detections and added filters to easily find relevant alerts and entities.

December 2023

• Reorganized System Settings and created a dedicated page for integrations.

November 2023

Features and enhancements

• Added a table view to the Detections page that provides a more structured and concise representation of detections and lets you quickly scan rows and columns.

• Added the ability to configure the autoclose time period for detections in General Settings.

• Added the ability to use local authentication for all admin users and for analyst users not in the SSO domain when SSO is enabled.

• Added new ML model for malicious certificates.

Fixed bugs

• Fixed an issue where you could not open a link in a new tab if you signed in using SSO. (INVEST-8119)

October 2023

Features and enhancements

• Moved the System Settings to the left-side navigation. (Account Settings remain available in the menu that appears when you click your username.)

• Added support for search-based alerts, which are Corelight-defined log search queries. You can review and manage search-based alerts through the Alert Catalog.

• Repositioned and redesigned the sort and filter options on the Detections page.

September 2023

Features and enhancements

• Transitioned content from the Alerts page to the Security Overview and the Detections pages and removed the Alerts page.

• Added Highest Risk Detections section to the Security Overview page.

• Added the ability to send a detection to ServiceNow and create a security incident for further investigation.

• Added the ability to refresh the detections from the time window if Investigator identifies new detections.

August 2023

Features and enhancements

• Added the Detections page for better grouping, filtering, and visibility to alerts and the ability to triage detections and take action.

  • Updated sort terms for the Detections page to be more meaningful.

  • Moved the time window to be in the upper-left corner for consistency.

  • Added a header to the Detection page.

  • Removed redundant inline actions.

• Added GPT functionality to provide AI generated information to Suricata and machine learning detections.

• Reorganized system settings and created a general settings area that includes licensing and GPT.

• Added new ML detection: domain combosquatting.

Note

The Alerts page will be retired. The full functionality is available in the Security Overview and the Detections pages.

Fixed bugs

• Fixed an issue where authentication through SSO was incorrectly prompting for a one-time password. (INVEST-7379)

July 2023

Features and enhancements

• Enhanced exported alerts to include a URL that links to the associated detection details page within Investigator.

Fixed bugs

• Fixed an issue where the Modified By field would be empty for a changed severity score. (INVEST-7007)

• Fixed an issue with the Crowdstrike/IOC Overview dashboard where an error indicated a canceled query due to the regex backtrack limit. (INVEST-4085)

June 2023

Features and enhancements

• Updated the user interface for improved spacing, typography and readability, and accessibility.

Fixed bugs

• Fixed an issue that prevented SAML configuration with the error “Identify Provider configuration already exists”. (INVEST-6641)

• Fixed an issue for Notices and Suricata detections that didn’t show the normalized severity in the Alert Catalog. (INVEST-6727)

May 2023

Features and enhancements

• Added the ability to customize the severity score of an alert category.

April 2023

Features and enhancements

• Added the Security Audit log to provide a record of user and system activities.

• Upgraded the log search engine to Falcon LogScale 1.76.

• For IDN homograph machine learning alerts, added a more readable version of the domain in Unicode next to the Punycode value to demonstrate why the domain was flagged. (INVEST-5927)

Fixed bugs

• Fixed an issue to let search functionality recognize special characters in the Alert Catalog details page. (INVEST-6525)

• Fixed an issue where full search terms where not returning appropriate results in the Alert Catalog details page. (INVEST-5905)

March 2023

Features and enhancements

• Added the ability for admin users to reset 2FA by deactivating and reactivating users.

Fixed bugs

• Standardized the minimum normalized score for alerts to 1. (INVEST-5393)

• Fixed an issue where a low severity (benign) Machine Learning finding appeared in the Alert Catalog search results. (INVEST-5206)

February 2023

Features and enhancements

• Added support for SAML SSO user management.

• Added support for multiple alert exports and for exports through Elastic, CrowdStrike Falcon LogScale, and a generic HTTP exporter.

• Added the ability to select multiple entries in the Alert Catalog and change their status.

Fixed bugs

• Fixed an issue to allow deep pagination (results beyond 1000 pages) for the Alert Catalog. (INVEST-5892)

• Fixed an issue where machine learning alerts displayed an incorrect time interval. (INVEST-5890)

• Fixed an issue where some search results do not match the specified search term. (INVEST-5727)

January 2023

• Fixed an issue where alerts were not suppressed properly when an alert category had more than 10 excluded entities. (INVEST-5904)

• Fixed an issue where you could not configure Splunk Exporter due to permission issue. (INVEST-5858)

• Fixed an issue where the Domain Typosquatting machine learning model generated an alert for google.com. (INVEST-5523)

December 2022

• Migrated the existing user database to support enhanced user management. This change requires each user to reset their password and 2FA token. (INVEST-5725)

• Added more information for machine learning alerts including the associated connection’s timestamp, source and destination IP, and domain. (The added information varies by the type of alert.) Added a View ML Analysis icon for easy access to details about how features influenced the model score. (INVEST-5078)

• Added a Suppress Entity button to the entity detail and alert detail pages that adds the entity to the Excluded Entities list. Excluded entities do not generate new alerts for the alert category. (INVEST-5505)

November 2022

Features and enhancements

• Added the ability to filter the alert categories and top entities on the Alerts dashboard based on a search term. (INVEST-4646)

• Suricata alert details include a View Rule button that shows the definition of the rule. (INVEST-4629)

Fixed bugs

• Fixed an issue where some top entities on the Alerts page did not show entity details when the pointer hovers over the entity. (INVEST-5460)

• Fixed an issue where you could not copy or download sensor export details. (INVEST-5486)

• Fixed an issue to properly sort search results in the Alert Catalog. (INVEST-5399)

• Fixed an issue where adding or deleting an excluded entity does not reflect in the list until a page refresh. (INVEST-5191)

• Corrected the entity type for the Social Engineering Domains and Domain Typosquatting models. (INVEST-5501)

• Fixed an issue where a previously configured sensor was not recognized in the interface and you were prompted to configure a new sensor. (INVEST-5096)

• Fixed an issue so the entity details page retrieves all alert types for the entity and not just a single alert type. (INVEST-5002)

October 2022

Features and enhancements

• The Alert Details page (available from the Alert Catalog) now shows the MITRE technique number as well as the technique description for relevant alerts. (INVEST-4471)

Fixed bugs

• Fixed an issue where alert details mistakenly showed zero analytics contributing to model score. (INVEST-5059)

• Fixed an issue where new machine learning alerts did not include machine learning feature data or the Top Model Advanced Analytics Summary data in the UI. (INVEST-5319)

September 2022

Features and enhancements

• Added the ability to change the status of alert categories and control if alert categories appear on the alert dashboard.

• Added the ability to exclude alerts from specific entities for an alert category in the Alert Catalog.

Fixed bugs

• Fixed an issue in the Users & Access page where selected users were not retained when navigating to a previous or next page in the list of users. (INVEST-4147)

• Fixed an issue where a low severity (benign) Machine Learning finding was generated as an alert. (INVEST-3889)

August 2022

Features and enhancements

• General Data Protection Regulation (GDPR) updates, including:

  • User-level consent to Corelight Privacy Policy during initial login.

  • Ability to manage cookies and tracking data during initial login and on the Account Settings page.

  • Investigator deletes raw log data at the end of the retention period. (Raw log data is kept for a minimum of 30 days and you can adjust the retention period with a license.)

• Product availability in the European Union (EU).

• The Alert Catalog provides a read-only list of all alerts in the system.

Fixed bugs

• Fixed an issue where the Investigate Logs button for a Suricata alert on the Entity page returns an error. (INVEST-4187)

• Fixed an issue where the number of alerts shown on the Alert or Entity page was one number higher than the number of alerts shown when you click the Investigator Logs button. (The logs would drop the last event.) (INVEST-4213)

• Fixed an issue where some log data was deleted before reaching the log retention limit due to a data retention storage setting. (INVEST-4444)

Known issues

• Investigator displays Falcon LogScale (Humio) content in an iFrame, which can result in display issues with the content. For example, data can extend beyond the visible frame of the Humio logs at smaller screen sizes. (INVEST-4083)

• In the Falcon LogScale (Humio) frame of the Log Search page, the Save As | Export to File option returns only a blank page for large downloads (downloads taking more than 15 minutes). Smaller downloads are not impacted. (INVEST-4354)