February 12, 2026

Release Notes: February 12 – 18, 2026


Highlights

  • Blast Radius Analysis for email incidents [Private Beta] to automatically map impact and recommend remediation steps after confirmed malicious email alerts.

  • Added a first-class reinvestigation workflow for Microsoft Defender when Microsoft updates an existing alert with new information.

  • Expanded integration capabilities for Exabeam [Private Beta], Splunk, Microsoft Sentinel, Microsoft Defender, and CrowdStrike to improve investigation context and scalability.

  • Enhanced investigation tuning for recurring alert patterns (cloud patching, VPN usage, SaaS file access, macOS AppleScript activity) to reduce false positives and highlight true attacks.


New Features

Blast Radius Analysis for Email Incidents [Private Beta]

  • Automatically analyzes completed malicious or suspicious email investigations.

  • Identifies affected users and assets.

  • Summarizes overall impact.

  • Proposes prioritized remediation steps.

Microsoft Defender Reinvestigation Workflow

  • When enabled, automatically launches and links a new investigation whenever Microsoft Defender updates an existing alert or incident with a newer lastUpdateDateTime.

  • Ensures you always have an up-to-date assessment tied back to the original case.


Improvements

Investigation List & Deep Linking

  • Updated investigations view with swimlane-style grouping.

  • Improved pagination reliability when switching tabs.

  • Added deep links that navigate directly to specific findings and evidence.

System Events Auditing

  • Improved System Events filtering so chat-related events can be reliably filtered by user.

  • Makes auditing who ran which investigations easier.

Context Memory Management

  • Added support for deleting and restoring archived context items.

  • Improved filtering and facet counts.

  • Refined summaries to focus on your environment rather than internal platform details.

Strategy Explanations

  • Strategy cards now display rationale and toggle guidance.

  • Helps administrators understand why each system strategy exists and when to enable or disable it.

Investigation Outcome Quality

Refined classification across several recurring alert patterns, including:

  • Cloud patching activity

  • VPN usage

  • Log ingestion stoppage

  • Non-sensitive SaaS file downloads

  • Static CVE-only detections

  • macOS AppleScript abuse

  • PUP vs remote access tooling

These updates reduce false positives and better distinguish malicious, suspicious, benign, and misconfigured behavior.


Security & Reliability

Device Enrichment Resilience

  • Improved Microsoft Defender device enrichment to gracefully fall back to alternative endpoint data when primary inventory lookups fail.

  • Ensures more investigations return usable device details.

IP Enrichment & Cloud Ranges

  • Improved cloud provider IP range handling.

  • Combines hosting-provider enrichment with AbuseIPDB reputation checks whenever both lookups succeed, giving richer and more consistent IP reputation context.


Bug Fixes

Microsoft Defender & Microsoft Sentinel

  • Resolved edge cases where missing or malformed timestamps in Microsoft telemetry could prevent process trees or certain Sentinel queries from completing reliably.

  • Fixed a timestamp comparison issue in Microsoft Sentinel query handling that occurred when offset-aware and offset-naive datetime values (timestamps with and without an explicit UTC offset) were compared.


Integration Improvements

Exabeam [Private Beta]

  • Expanded support with user, IP, and device behavior baselines.

  • Added query capability for pivoting directly into Exabeam logs.

  • Improves understanding of typical vs anomalous activity.

Splunk

  • [Private Beta] Introduced optional smart sourcetype grouping.

  • Removed unused source metadata to significantly reduce scan volume and memory usage.

  • Updated evidence to show human-readable timestamps for “first seen” and “last seen” fields.

  • Improved scanner logging with structured parameters for easier troubleshooting.

Microsoft Sentinel & Microsoft Defender (Microsoft Graph)

  • Improved enrichment reliability by using the partial results a Sentinel query returns when it only partially succeeds, instead of discarding them.

  • Batched related alert retrieval for large incidents.

  • Expanded device and user activity investigations and threat hunting coverage.

  • Corrected timestamp handling to ensure consistent time windows in generated queries.
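The timestamp fixes in this section and under Bug Fixes, and the Microsoft Defender reinvestigation trigger under New Features, all turn on the same two hazards: a missing or malformed timestamp on a single record, and a comparison between an offset-aware and an offset-naive datetime (in Python that comparison raises a TypeError rather than returning an answer). The following is an added example, not the vendor's code, showing one way to handle both: every Microsoft timestamp is parsed into an aware UTC datetime or rejected, the reinvestigation check compares lastUpdateDateTime against the recorded value on that footing, process events with unusable timestamps are set aside instead of aborting the tree, and generated Sentinel queries get a time window rendered from aware UTC bounds. The function names, the sample alert and events, and the TimeGenerated column are assumptions.

```python
"""Added example (not the vendor's code): defensive handling of Microsoft
Graph / Sentinel timestamps.

Covers the failure modes named in the release notes: missing or malformed
timestamps on individual records, and comparisons that mix offset-aware and
offset-naive datetimes (a TypeError in Python). Function names, the sample
alert/events and the KQL column name are assumptions for illustration.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone
from typing import Optional

_FRACTION = re.compile(r"\.(\d+)")


def as_utc(moment: datetime) -> datetime:
    """Normalize any datetime to offset-aware UTC. Naive values are taken as UTC,
    which is what Microsoft Graph and Log Analytics emit."""
    if moment.tzinfo is None:
        return moment.replace(tzinfo=timezone.utc)
    return moment.astimezone(timezone.utc)


def parse_graph_timestamp(value: object) -> Optional[datetime]:
    """Parse an ISO-8601 string from Microsoft telemetry into an aware UTC datetime.

    Returns None instead of raising on missing or malformed input, so one bad
    field cannot abort a whole process tree or enrichment pass.
    """
    if not isinstance(value, str) or not value.strip():
        return None
    text = value.strip()
    if text[-1] in "Zz":                        # fromisoformat() before 3.11 rejects 'Z'
        text = text[:-1] + "+00:00"
    # Graph emits up to seven fractional digits; fromisoformat() accepts at most six
    # (and before 3.11 exactly three or six), so truncate and pad to six.
    text = _FRACTION.sub(lambda m: "." + m.group(1)[:6].ljust(6, "0"), text, count=1)
    try:
        return as_utc(datetime.fromisoformat(text))
    except ValueError:
        return None


def alert_needs_reinvestigation(alert: dict, recorded_update: datetime) -> bool:
    """Reinvestigation trigger: True only when the alert's lastUpdateDateTime is
    strictly newer than the update time recorded on the original case."""
    current = parse_graph_timestamp(alert.get("lastUpdateDateTime"))
    if current is None:
        return False                            # nothing trustworthy to compare
    return current > as_utc(recorded_update)    # both aware, so the comparison is safe


def order_process_events(events: list[dict]) -> tuple[list[dict], list[dict]]:
    """Sort process events by createdDateTime. Events whose timestamp cannot be
    parsed are returned separately rather than aborting the whole tree."""
    keyed, skipped = [], []
    for event in events:
        stamp = parse_graph_timestamp(event.get("createdDateTime"))
        if stamp is None:
            skipped.append(event)
        else:
            keyed.append((stamp, event))
    keyed.sort(key=lambda pair: pair[0])
    return [event for _, event in keyed], skipped


def kql_time_window(start: datetime, end: datetime, column: str = "TimeGenerated") -> str:
    """Render a Sentinel (KQL) filter whose bounds are always aware UTC, so the
    generated query covers the same window however the inputs were constructed."""
    lo, hi = sorted((as_utc(start), as_utc(end)))
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
    return f"| where {column} between (datetime({lo.strftime(fmt)}) .. datetime({hi.strftime(fmt)}))"


# Constructed sample data (not real alerts or telemetry).
SAMPLE_ALERT = {"id": "alert-1", "lastUpdateDateTime": "2026-02-12T10:15:30.1234567Z"}
RECORDED_UPDATE = datetime(2026, 2, 12, 9, 0)   # naive, as a stored value often is
SAMPLE_EVENTS = [
    {"processId": 4412, "createdDateTime": "2026-02-12T10:15:31Z"},
    {"processId": 4410, "createdDateTime": "2026-02-12T10:15:30.5000000Z"},
    {"processId": 4415, "createdDateTime": None},            # missing timestamp
    {"processId": 4411, "createdDateTime": "2026-02-12T10:15:30.7Z"},
]

if __name__ == "__main__":
    print(alert_needs_reinvestigation(SAMPLE_ALERT, RECORDED_UPDATE))
    ordered, skipped = order_process_events(SAMPLE_EVENTS)
    print([e["processId"] for e in ordered], [e["processId"] for e in skipped])
    print(kql_time_window(RECORDED_UPDATE, parse_graph_timestamp(SAMPLE_ALERT["lastUpdateDateTime"])))
```

The one design decision worth calling out is that a record with an unusable timestamp is dropped from ordering and never used to trigger a reinvestigation; treating it as "now" or as epoch zero would silently widen or shift the time windows that downstream queries are built from.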

CrowdStrike & CrowdStrike Next-Gen SIEM

  • Enhanced file-origin investigations by searching additional file creation event types.

  • Added explicit time ranges to Next-Gen SIEM evidence citations.

Google Cloud Security Command Center

  • Migrated to the Security Command Center v2 API.

  • Supports organizations created after December 2024 and prevents ingestion issues on newer tenants.

Sumo Logic

  • Updated query handling to prefer aggregated record results when available.

  • Improved summaries for high-volume datasets.

  • Reduced duplicate raw message output.

Vectra AI [Private Beta]

  • Added Vectra host detail enrichment to device investigations.

  • Surfaces host information alongside other endpoint context.

Elasticsearch

  • Improved async task management using task groups.

  • Reduced warnings related to unclosed connections.

  • Improved stability for long-running queries.

IP Reputation & Enrichment

  • Updated IP enrichment flows to always combine hosting-provider checks with AbuseIPDB reputation data when both succeed.
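This note and the IP Enrichment & Cloud Ranges note under Security & Reliability describe the same rule: run the hosting-provider range lookup and the AbuseIPDB check, and merge both results when both succeed. The added example below is not the vendor's code; it shows that shape with fault isolation: each lookup runs independently, a failure is recorded rather than discarding the other source's result, internal addresses are never sent to external services, malformed input is rejected up front, and the verdict treats a clean score on shared hosting infrastructure more cautiously than a clean score elsewhere. The provider ranges (documentation prefixes), the canned AbuseIPDB-style responses, the score thresholds and the function names are constructed assumptions.

```python
"""Added example (not the vendor's code): IP enrichment that combines a
hosting-provider range lookup with an AbuseIPDB-style reputation check and
keeps going when one of the two fails.

The cloud ranges (RFC 5737 / RFC 3849 documentation space), the canned
reputation responses, the score thresholds and the function names are
constructed stand-ins; a real implementation loads providers' published
range feeds and calls the AbuseIPDB API.
"""
from __future__ import annotations

import ipaddress
from typing import Callable, Optional

# Constructed provider ranges keyed by provider name (documentation prefixes, not real feeds).
CLOUD_RANGES = {
    "example-cloud-a": [ipaddress.ip_network("203.0.113.0/24")],
    "example-cloud-b": [ipaddress.ip_network("198.51.100.0/25"),
                        ipaddress.ip_network("2001:db8:1::/48")],
}

# Explicit internal ranges. ipaddress.is_private is deliberately not used here:
# it also returns True for the documentation prefixes above (and other IANA
# special-purpose space), which would hide the sample "cloud" addresses.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed AbuseIPDB-like "data" objects keyed by IP (real scores come from the API).
CANNED_REPUTATION = {
    "203.0.113.7": {"abuseConfidenceScore": 92, "totalReports": 40},
    "203.0.113.20": {"abuseConfidenceScore": 30, "totalReports": 3},
    "198.51.100.9": {"abuseConfidenceScore": 0, "totalReports": 0},
}


def is_internal(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for addresses that must never be sent to an external enrichment service."""
    return any(addr in net for net in INTERNAL_NETWORKS)   # mismatched IP versions never match


def hosting_lookup(ip: str) -> Optional[dict]:
    """Return the provider and prefix whose range contains ip, or None if no range matches."""
    addr = ipaddress.ip_address(ip)
    for provider, networks in CLOUD_RANGES.items():
        for net in networks:
            if addr in net:
                return {"provider": provider, "prefix": str(net)}
    return None


def abuseipdb_lookup(ip: str) -> dict:
    """Stand-in for the AbuseIPDB check call; raises to simulate a failed request."""
    if ip not in CANNED_REPUTATION:
        raise RuntimeError("simulated AbuseIPDB failure (rate limit)")
    return CANNED_REPUTATION[ip]


def classify(result: dict) -> str:
    """Combine the two sources. Thresholds are illustrative assumptions. Hosting
    ranges are shared infrastructure, so a clean score on a cloud IP is weaker
    evidence than a clean score on a non-hosting address."""
    rep, hosting = result["reputation"], result["hosting"]
    if rep is None:
        return "hosting-unverified" if hosting else "unknown"
    score = rep.get("abuseConfidenceScore", 0)
    if score >= 75:
        return "malicious"
    if score > 0:
        return "suspicious"
    return "hosting-clean" if hosting else "clean"


def enrich_ip(ip: str,
              hosting: Callable[[str], Optional[dict]] = hosting_lookup,
              reputation: Callable[[str], dict] = abuseipdb_lookup) -> dict:
    """Run both lookups independently; an error in one is recorded under 'errors'
    and does not discard the other source's result."""
    result = {"ip": ip, "hosting": None, "reputation": None, "errors": [], "verdict": "unknown"}
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        result["verdict"] = "invalid"           # reject malformed input before any lookup
        return result
    if is_internal(addr):
        result["verdict"] = "internal"          # no external lookups for internal space
        return result
    for name, lookup in (("hosting", hosting), ("reputation", reputation)):
        try:
            result[name] = lookup(ip)
        except Exception as exc:                # one source failing must not drop the other
            result["errors"].append(f"{name}: {exc}")
    result["verdict"] = classify(result)
    return result


if __name__ == "__main__":
    for sample in ("203.0.113.7", "198.51.100.50", "192.0.2.10", "10.0.0.5", "2001:db8:1::5"):
        print(enrich_ip(sample))
```

The `errors` list is what makes the "when both succeed" wording in the note observable: an analyst reading the evidence can tell the difference between "AbuseIPDB says clean" and "AbuseIPDB was never reached", which matters when a rate limit or outage coincides with an investigation.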

Palo Alto Cortex XSIAM

  • Reduced query generation latency using a lighter-weight approach.

  • Added summarized dynamic capability descriptors to clarify what each XSIAM integration can answer.

Panther

  • Improved handling of errors and rate limits in historical activity analysis.

  • Captures more detailed error information in evidence to clarify when upstream limits affect results.

