February 5, 2026
Highlights
New Investigation list view with swimlanes so teams can scan and prioritize work more quickly.
Added customer-facing Dropzone Integration management APIs to automate configuration, testing, and lifecycle operations.
Microsoft Azure, Exabeam, and ServiceNow are entering private beta as new Data Source integrations.
Improved classification quality for phishing, VPN, identity, and authorized tooling alerts to reduce false positives and missed threats.
Enhanced cloud infrastructure and SIEM query handling across Panther, Splunk, and other integrations for more reliable investigations.
New Features
Dropzone Integration Management APIs
Added REST APIs to list, create, update, test, enable/disable, and delete integrations.
Added an endpoint to retrieve available integration types and schemas.
Customer action: Review the integration API documentation if you plan to automate onboarding, configuration drift checks, or health monitoring for integrations.
Investigation List & Triage
Updated the investigations list with swimlanes and visual adjustments so teams can scan and prioritize work more quickly.
Improvements
Alert Titles, Email Analysis & URLs
Improved robustness of automatic alert and investigation title generation when handling very large context, reducing failures in edge cases.
Updated email summarization logic to better distinguish between what the message claims and what can be independently validated, avoiding overconfident statements.
Improved URL extraction from plaintext email bodies to avoid treating non-URL tokens as links, reducing noise from reputation lookups.
Improved handling of complex recipient headers so email-based alerts parse reliably across more providers.
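The URL-extraction point above (rejecting non-URL tokens before they reach reputation lookups) illustrated as an added example; this is editor-written code, not the product's implementation. It treats a dotted token as a link only when it carries an explicit scheme or www. prefix, or when its last label is in a known-TLD list (a constructed subset here; a deployment would load the IANA list), so file names, version strings, bare IPs and "e.g." are left alone, and trailing sentence punctuation is stripped without breaking balanced parentheses.

```python
import re
from urllib.parse import urlsplit

# Constructed TLD allowlist for this example; production code would load the IANA TLD list.
# A bare "dotted token" only counts as a URL when its last label is a real TLD, which is what
# keeps summary.pdf, v1.2.3 and 10.0.0.12 out of the reputation queue.
KNOWN_TLDS = {"com", "net", "org", "io", "co", "uk", "de", "fr", "info", "biz", "edu", "gov"}

_CANDIDATE = re.compile(
    r"""(?ix)
    (?<![\w@/.])                                  # not glued to a word, an e-mail local part, a path or a longer hostname
    (?:
        (?:https?://|www\.)[^\s<>"'`]+            # explicit URL: scheme or www. prefix
      | [a-z0-9](?:[a-z0-9-]*[a-z0-9])?           # bare host: first label ...
        (?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+    # ... followed by one or more dotted labels
        (?:/[^\s<>"'`]*)?                         # optional path
    )
    """
)
_TRAILING_PUNCT = ".,;:!?)]}>'\""


def _strip_trailing(token: str) -> str:
    """Drop sentence punctuation glued to the end of a URL, keeping balanced parentheses."""
    while token and token[-1] in _TRAILING_PUNCT:
        if token[-1] == ")" and token.count("(") >= token.count(")"):
            break  # this ')' closes a '(' inside the URL, e.g. Wikipedia-style paths
        token = token[:-1]
    return token


def _hostname(token: str) -> str:
    if not re.match(r"(?i)https?://", token):
        token = "http://" + token
    try:
        return (urlsplit(token).hostname or "").lower()
    except ValueError:
        return ""


def _looks_like_url(token: str) -> bool:
    """Explicit URLs only need a host; bare tokens must also end in a known TLD."""
    host = _hostname(token)
    if not host:
        return False
    if re.match(r"(?i)https?://|www\.", token):
        return True
    labels = host.split(".")
    return len(labels) >= 2 and labels[-1] in KNOWN_TLDS


def extract_urls(text: str) -> list[str]:
    """Return distinct URL-like tokens from a plaintext body, in order of first appearance."""
    found: list[str] = []
    for match in _CANDIDATE.finditer(text):
        token = _strip_trailing(match.group(0))
        if _looks_like_url(token) and token not in found:
            found.append(token)
    return found


# Constructed sample body: four real links mixed with tokens a naive regex would treat as links.
SAMPLE_BODY = """Hi team, please review the report at https://portal.example.com/reports/2024?id=42.
Backup copy: www.example.net/backup (see also https://en.wikipedia.org/wiki/URL_(disambiguation)).
Attachments: summary.pdf, notes.txt; build v1.2.3 was deployed to 10.0.0.12.
Contact alice@example.com or visit example.org/help e.g. the FAQ page."""

if __name__ == "__main__":
    for url in extract_urls(SAMPLE_BODY):
        print(url)
```

Run against SAMPLE_BODY this yields only the four genuine links; the attachment names, the version string, the host address and the e-mail address produce no lookups.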
Cloud Infrastructure IP Context
Added IP range intelligence for major cloud providers (AWS, Azure, Google Cloud, and Microsoft 365).
Investigations can now distinguish cloud infrastructure endpoints from end-user locations and better understand associated services and regions.
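How a cloud-range lookup of this kind works, as an added example (editor-written, not the product's code). The range list is constructed in the shape of the providers' published files (AWS's ip-ranges.json uses prefix/service/region entries); the prefixes are RFC 5737 documentation networks, not real allocations. One detail a practitioner needs: AWS publishes a catch-all AMAZON entry that overlaps the per-service entries for the same prefix, so "first match wins" returns the wrong service. The lookup therefore prefers the longest prefix and, on a tie, the named service. The internal test is an explicit RFC 1918/loopback/link-local list rather than ipaddress.is_private, because Python's is_private also flags the documentation networks used in this sample.

```python
import ipaddress

# Constructed sample in the shape of published cloud range lists (RFC 5737 documentation
# prefixes, not real allocations). Note the overlapping AWS catch-all "AMAZON" entries.
SAMPLE_RANGES = [
    {"provider": "aws", "prefix": "203.0.113.0/24", "service": "AMAZON", "region": "us-east-1"},
    {"provider": "aws", "prefix": "203.0.113.0/25", "service": "EC2", "region": "us-east-1"},
    {"provider": "aws", "prefix": "203.0.113.0/25", "service": "AMAZON", "region": "us-east-1"},
    {"provider": "azure", "prefix": "198.51.100.0/25", "service": "AzureCloud", "region": "westeurope"},
    {"provider": "gcp", "prefix": "192.0.2.0/26", "service": "Google Cloud", "region": "us-central1"},
]
CATCH_ALL_SERVICES = {"AMAZON", "AzureCloud"}

# Explicit internal ranges; ipaddress.is_private is avoided because it also flags the
# documentation networks used above.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "::1/128", "fe80::/10",
)]


class CloudIpIndex:
    def __init__(self, ranges):
        self._entries = [(ipaddress.ip_network(r["prefix"], strict=False), r) for r in ranges]

    def classify(self, ip_text):
        """Return a dict with kind in {internal, cloud, external}; cloud hits carry provider,
        service, region and the matched prefix."""
        ip = ipaddress.ip_address(ip_text)
        if any(ip in net for net in _INTERNAL):
            return {"kind": "internal", "ip": ip_text}
        hits = [(net, r) for net, r in self._entries if ip in net]
        if not hits:
            return {"kind": "external", "ip": ip_text}  # likely an ISP or end-user address
        # Most specific prefix wins; on equal prefixes prefer the named service over the catch-all.
        net, r = max(hits, key=lambda h: (h[0].prefixlen, h[1]["service"] not in CATCH_ALL_SERVICES))
        return {"kind": "cloud", "ip": ip_text, "provider": r["provider"],
                "service": r["service"], "region": r["region"], "prefix": str(net)}


INDEX = CloudIpIndex(SAMPLE_RANGES)

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.200", "198.51.100.7", "198.51.100.200", "10.1.2.3"):
        print(ip, INDEX.classify(ip))
```

A linear scan is fine for a demo; a production index over tens of thousands of prefixes should use a radix tree or a sorted-prefix binary search, and the range files should be refreshed on a schedule because providers add and retire prefixes continuously.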
Dashboard & Reporting
Capped “Top Assets” on the metrics dashboard to the top 20 items to keep visualizations focused and performant.
Hardened dashboard APIs to handle incomplete alert asset data gracefully and avoid errors when rare edge-case values are present.
Extended investigation metrics to expose additional outcome and priority breakdowns, enabling richer Q1 dashboard views and fleet-level analysis.
Identity & VPN Investigation Quality
Refined identity logic to more accurately recognize invalid credential scenarios and avoid misclassifying logins that rely solely on non-Microsoft identity providers for device registration.
Improved handling of successful logins from consumer and corporate VPNs (including Cloudflare WARP and other providers) by combining device posture, MFA strength, and user history, reducing unnecessary alerts on well-secured access patterns.
Tuned impossible-travel assessments where one side of the event is a managed device and the other is an internal IP, treating common corporate network topologies as benign while preserving visibility into genuinely risky scenarios.
Endpoint & Tooling Investigation Quality
Improved handling of alerts generated by authorized security tools and scripts (including DNS-heavy workflows and vendor-bundled interpreters) so routine operations on managed endpoints are less likely to be misclassified as exfiltration or tampering.
Reduced false positives for CrowdStrike sensor tampering when benign system processes (such as systemd) legitimately manage sensor services during shutdown, restart, or update operations.
Phishing Investigation Quality
Improved outcomes for phishing emails that use file-hosting and other legitimate SaaS platforms by taking into account unverifiable hosted content and the sending history of similar campaigns.
Increased consistency when classifying phishing messages that combine legitimate infrastructure (e.g., NetSuite, cloud storage) with prior confirmed malicious activity from the same sender patterns.
Context & Knowledge APIs
Added sorting options to the context knowledge APIs, allowing results to be ordered by last update time, identifier, or usage count in ascending or descending order.
System Events & Auditability
Improved user-based filtering for system events related to chat queries, ensuring audit trails accurately reflect which users initiated each query and making investigations into historical activity easier.
Security & Reliability
Updated third-party dependencies in both the core and SaaS services (including JavaScript libraries and HTTP clients) to address known security advisories and improve compatibility with upstream APIs.
Corrected base container configuration for core services to ensure package repositories are consistently valid across architectures, improving build and runtime reliability.
Bug Fixes
Microsoft 365 & Microsoft Defender
Ensured device enrichment retains hostnames and related context when pivoting from IP-based detections, avoiding incomplete endpoint summaries.
Added a delayed lookback for Microsoft Graph threat submissions so late-created submissions are still ingested even when their creation time falls outside the primary polling window.
Resolved rare query errors in advanced hunting scenarios caused by empty or malformed time fields.
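The late-submission problem behind the lookback fix above, as an added example of the general polling pattern (editor-written; it is not the product's poller and does not call Microsoft Graph). A poller that queries only for items created since its last run permanently misses a record whose creation time falls in an earlier window but which the API only starts returning later. Re-querying an overlapping lookback window and deduplicating by id catches those records without raising the same alert twice. The feed below is a constructed stand-in whose records carry a separate "visible_at" time to model that lag.

```python
from datetime import datetime, timedelta, timezone


class SubmissionPoller:
    """Polls a createdDateTime-filtered feed with an overlapping lookback window so records
    that become visible after the poll that should have caught them are still ingested.
    Deduplication by id keeps the overlap from producing duplicate alerts."""

    def __init__(self, fetch, lookback=timedelta(0)):
        self.fetch = fetch          # fetch(since, until) -> list of {"id", "createdDateTime"}
        self.lookback = lookback
        self.last_poll = None
        self.seen = {}              # id -> createdDateTime, pruned to the current window

    def poll(self, now):
        since = (self.last_poll or now - timedelta(hours=1)) - self.lookback
        # Anything created before `since` can no longer be returned, so its id can be forgotten.
        self.seen = {i: c for i, c in self.seen.items() if c >= since}
        fresh = [item for item in self.fetch(since, now) if item["id"] not in self.seen]
        self.seen.update((item["id"], item["createdDateTime"]) for item in fresh)
        self.last_poll = now
        return fresh


def make_fake_feed(submissions):
    """Constructed stand-in for the submissions API: a record is returned only once its
    visible_at has passed, which may be later than its createdDateTime."""
    def fetch(since, until):
        return [
            {"id": s["id"], "createdDateTime": s["created"]}
            for s in submissions
            if since <= s["created"] <= until and s["visible_at"] <= until
        ]
    return fetch


T0 = datetime(2026, 2, 5, 10, 0, tzinfo=timezone.utc)
# Constructed data: sub-2 is created at 10:04 but only becomes visible at 10:09.
SUBMISSIONS = [
    {"id": "sub-1", "created": T0 + timedelta(minutes=1), "visible_at": T0 + timedelta(minutes=1)},
    {"id": "sub-2", "created": T0 + timedelta(minutes=4), "visible_at": T0 + timedelta(minutes=9)},
    {"id": "sub-3", "created": T0 + timedelta(minutes=7), "visible_at": T0 + timedelta(minutes=7)},
]


def run(lookback):
    """Poll every five minutes from 10:00 to 10:15 and return the ids ingested per poll."""
    poller = SubmissionPoller(make_fake_feed(SUBMISSIONS), lookback)
    return [[i["id"] for i in poller.poll(T0 + timedelta(minutes=m))] for m in (0, 5, 10, 15)]


if __name__ == "__main__":
    print("no lookback:    ", run(timedelta(0)))
    print("10 min lookback:", run(timedelta(minutes=10)))
```

Without lookback the 10:10 poll starts at 10:05 and sub-2 is never seen; with a ten-minute lookback it is picked up at 10:10, and sub-1 and sub-3 are not re-emitted. The lookback should exceed the worst observed lag by a margin, and the dedup store must survive restarts or the first post-restart poll will replay the window.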
Email Processing
Fixed an issue where certain RFC-encoded recipient headers could cause email parsing errors, improving reliability for email-derived alerts.
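The recipient-header handling improved above and the RFC-encoded header fix here both come down to not parsing address lists by hand. As an added example (editor-written, not the product's parser), the fragile comma split is shown beside a parser built on Python's email package with the modern policy, run over a constructed message that combines an RFC 2047 encoded display name, a quoted name containing a comma, a folded header, an empty group, and a Q-encoded Latin-1 name.

```python
from email import message_from_string
from email.policy import default

# Constructed message exercising the cases that break naive recipient parsing.
SAMPLE_MESSAGE = """From: "Security Team" <sec@example.com>
To: =?UTF-8?B?SsO8cmdlbiBNw7xsbGVy?= <juergen@example.de>,
 "Doe, Jane (Finance)" <jane.doe@example.com>,
 undisclosed-recipients:;
Cc: =?ISO-8859-1?Q?Andr=E9_Martin?= <andre@example.fr>, bob@example.org
Subject: test

body
"""

# The raw To value as it appears on the wire, for the naive approach.
RAW_TO_HEADER = ('=?UTF-8?B?SsO8cmdlbiBNw7xsbGVy?= <juergen@example.de>, '
                 '"Doe, Jane (Finance)" <jane.doe@example.com>, undisclosed-recipients:;')


def naive_recipients(raw_header):
    """The fragile approach: split on commas. The quoted name is cut in two, the encoded
    word is passed through undecoded, and the empty group is treated as a recipient."""
    return [part.strip() for part in raw_header.split(",") if part.strip()]


def parse_recipients(raw_message):
    """Return (display_name, addr_spec) pairs for To and Cc using the RFC 5322 header parser.
    Groups are flattened and RFC 2047 encoded words in display names are decoded."""
    msg = message_from_string(raw_message, policy=default)
    recipients = []
    for field in ("To", "Cc"):
        header = msg.get(field)
        if header is None:
            continue
        for addr in header.addresses:
            recipients.append((addr.display_name, addr.addr_spec))
    return recipients


if __name__ == "__main__":
    print("naive:", naive_recipients(RAW_TO_HEADER))
    print("parsed:", parse_recipients(SAMPLE_MESSAGE))
```

The policy argument matters: the legacy compat32 policy returns plain strings and leaves decoding and group handling to the caller, which is where the per-provider breakage tends to come from.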
Dashboards
Resolved an issue where dashboard metrics could error when alerts contained entities or assets with null values, ensuring metrics endpoints remain stable even with imperfect source data.
Integration Improvements
Panther
Improved query generation and execution for Panther-backed investigations, including better handling of deprecated fields, JSON path syntax, GROUP BY clauses, and time-chunked queries—particularly for GitHub and GuardDuty data.
Reduced the likelihood of multi-attempt query failures, leading to more consistent results when Panther is used as a log source.
Splunk
Removed reliance on Splunk TERM() directives that could silently return zero results for certain log formats (such as unquoted Fortinet firewall logs), improving query reliability. TERM() matches only tokens bounded by major breakers, so a value inside an unquoted key=value pair is not indexed as a standalone term and the directive matches nothing.
Updated backup connectivity test queries to use explicit search syntax for clearer behavior across environments.
Stopped collecting and storing unused per-sourcetype “sources” metadata in the Splunk scanner, significantly reducing memory usage for tenants with many log sources.
Microsoft Azure & Microsoft Sentinel
Added support for generating and executing KQL queries against Azure Monitor Logs from within investigations.
Introduced Azure resource querying to surface key attributes (such as resource identifiers and locations) when investigating Azure assets.
Enhanced Microsoft Sentinel alert enrichment to consume partial query results when Analytics rule queries only partially succeed, ensuring usable telemetry is still surfaced to analysts.
Microsoft Graph & Entra ID
Improved device and authentication investigations by preserving full device context (including hostnames) when pivoting from IP addresses and hardening queries for directory and sign-in telemetry.
Reduced the chance of missed or misinterpreted events in Entra ID hunting queries due to subtle API or timestamp behaviors.
PhishTank
Updated PhishTank URL reputation handling to avoid excessively long backoff intervals under heavy rate limiting, keeping phishing investigations responsive even when the service returns multiple 429 responses.
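The backoff behaviour described above, as an added example (editor-written; it is not the product's PhishTank client and makes no network calls). The client retries 429 responses with exponential backoff and jitter, honours a numeric Retry-After header, but bounds both the computed delay and the server's hint by a ceiling, and after the attempt budget reports the URL as unknown rather than stalling the investigation. The service is a constructed stand-in that replays scripted responses; sleep and the random source are injected so the delays can be checked deterministically.

```python
import random
import time


class RateLimited(Exception):
    """Raised when the lookup still returns 429 after the attempt budget is spent."""


class ReputationClient:
    """Retries 429 responses with capped exponential backoff and jitter. Both the computed
    delay and any Retry-After value are bounded by `cap`, so a run of 429s cannot stall an
    investigation for minutes; after `max_attempts` the lookup is reported as unknown."""

    def __init__(self, send, base=1.0, cap=30.0, max_attempts=5,
                 sleep=time.sleep, rand=random.random):
        self.send = send              # send(url) -> (status, headers, body); injected for testing
        self.base, self.cap, self.max_attempts = base, cap, max_attempts
        self.sleep, self.rand = sleep, rand

    def backoff_delay(self, attempt, retry_after=None):
        delay = self.base * (2 ** attempt)
        if retry_after is not None:
            try:
                delay = max(delay, float(retry_after))    # honour the server's hint ...
            except ValueError:
                pass                                       # ... unless it is an HTTP-date, which we ignore
        delay = min(delay, self.cap)                       # ... but never beyond our own ceiling
        return delay * (0.5 + 0.5 * self.rand())           # jitter: 50..100% of the capped delay

    def lookup(self, url):
        """Return the service's body on success; raise RateLimited when the budget is spent."""
        for attempt in range(self.max_attempts):
            status, headers, body = self.send(url)
            if status == 200:
                return body
            if status != 429:
                raise RuntimeError(f"unexpected status {status} from reputation service")
            if attempt + 1 < self.max_attempts:
                self.sleep(self.backoff_delay(attempt, headers.get("Retry-After")))
        raise RateLimited(url)


def make_fake_service(responses):
    """Constructed stand-in for the reputation endpoint: replays scripted (status, headers, body)."""
    queue = list(responses)

    def send(url):
        return queue.pop(0)
    return send


def run_scenario(responses, **kwargs):
    """Run one lookup with deterministic jitter and return (body or None, list of sleep lengths)."""
    sleeps = []
    client = ReputationClient(make_fake_service(responses), sleep=sleeps.append,
                              rand=lambda: 1.0, **kwargs)
    try:
        return client.lookup("http://phish.example/login"), sleeps
    except RateLimited:
        return None, sleeps


THROTTLED = (429, {}, None)
THROTTLED_LONG_HINT = (429, {"Retry-After": "3600"}, None)
OK = (200, {}, {"in_database": True, "verified": True})

if __name__ == "__main__":
    print("recovers:      ", run_scenario([THROTTLED] * 3 + [OK]))
    print("capped hint:   ", run_scenario([THROTTLED_LONG_HINT] * 4 + [OK]))
    print("budget spent:  ", run_scenario([THROTTLED] * 5))
```

In the first scenario the waits are 1, 2 and 4 seconds before the successful fourth call; with a one-hour Retry-After every wait is cut to the 30-second ceiling; and when every attempt is throttled the caller gets RateLimited after at most four capped waits. The caller should record "reputation unknown" for that URL, not "clean", and certainly not "malicious".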
Datadog
Upgraded the Datadog API client in both core and SaaS components to maintain compatibility with the latest Datadog API behavior and reduce client-side warnings.
GreyNoise
Updated the GreyNoise configuration so environments using Dropzone-provided GreyNoise credentials are correctly shown as “provided” in the integrations UI, distinct from customer-managed configurations.
Elasticsearch (Mimecast & Other Logs)
Added and refined Elasticsearch query examples for Mimecast and related logs, improving out-of-the-box coverage when investigating email and web security events stored in Elasticsearch.
Microsoft Sentinel ASI Enrichment
Updated Microsoft Sentinel enrichment to collect and use partial query results returned by Analytics rule queries, providing analysts with as much available data as possible even when queries partially fail.