# January 22, 2026

## Highlights

* Added support for multi-signal alert investigations, breaking large SIEM cases into focused sub-investigations with a single consolidated conclusion.
* Expanded integrations with Azure Monitor / Log Analytics (new) and Vectra AI (new), plus major enhancements across Microsoft, SentinelOne, CrowdStrike, and more.

## New Features

### Multi-Signal Alert Investigations

* Added support for investigating multi-signal alerts by automatically breaking large SIEM cases into focused sub-investigations and generating a single consolidated conclusion.

### Alert Reinvestigation Chains

* Alert reinvestigation chains are now surfaced in the UI so you can see how an alert has evolved across multiple alert versions and investigations.

### New Insight Tags

* Added an **Invalid Credentials** insight tag to highlight investigations where authentication attempts fail across all observed attempts.

**Customer action:**\
Review and update your System Events / workflow rules (if applicable) to automatically de-prioritize these investigations when appropriate.

* Added a **Research Scanner** insight tag that recognizes known internet-wide research scanners and can automatically treat related activity as benign when it meets defined criteria.
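As an added illustration (not the product's own implementation), the following Python sketch shows how the two insight tags described above could be derived from a set of authentication events: the **Invalid Credentials** tag fires only when every observed attempt failed, and the **Research Scanner** tag fires when every source address belongs to a known scanner range and nothing succeeded. The scanner range, the event records, and the "no success" criterion are assumptions chosen for the example; the page does not specify the product's actual criteria.

```python
"""Illustrative insight-tag logic over constructed authentication events.

Added example only; it is not the product's code and the criteria are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class AuthEvent:
    src_ip: str
    user: str
    outcome: str  # "success" or "failure"


# Hypothetical scanner range (RFC 5737 documentation addresses, not a real scanner list).
KNOWN_RESEARCH_SCANNERS = [ipaddress.ip_network("198.51.100.0/24")]


def all_attempts_failed(events: Iterable[AuthEvent]) -> bool:
    """True when there is at least one attempt and none of them succeeded."""
    events = list(events)
    return bool(events) and all(e.outcome == "failure" for e in events)


def all_from_known_scanner(events: Iterable[AuthEvent],
                          scanner_nets=KNOWN_RESEARCH_SCANNERS) -> bool:
    """True when every source address falls inside a known scanner range."""
    events = list(events)
    if not events:
        return False
    return all(
        any(ipaddress.ip_address(e.src_ip) in net for net in scanner_nets)
        for e in events
    )


def insight_tags(events: List[AuthEvent],
                 scanner_nets=KNOWN_RESEARCH_SCANNERS) -> Set[str]:
    """Derive insight tags for one investigation's authentication events."""
    tags: Set[str] = set()
    if all_attempts_failed(events):
        tags.add("invalid-credentials")
    # Assumed benign criterion: only known scanners involved and nothing succeeded.
    if all_from_known_scanner(events, scanner_nets) and all_attempts_failed(events):
        tags.add("research-scanner")
    return tags


def workflow_priority(tags: Set[str]) -> str:
    """Stand-in for a customer workflow rule that de-prioritizes tagged cases."""
    if "research-scanner" in tags or "invalid-credentials" in tags:
        return "low"
    return "normal"


# Constructed sample investigations.
SAMPLE_ALL_FAILED = [
    AuthEvent("203.0.113.10", "alice", "failure"),
    AuthEvent("203.0.113.10", "alice", "failure"),
    AuthEvent("203.0.113.10", "bob", "failure"),
]
SAMPLE_SCANNER = [
    AuthEvent("198.51.100.7", "admin", "failure"),
    AuthEvent("198.51.100.8", "root", "failure"),
]
SAMPLE_MIXED = [
    AuthEvent("203.0.113.10", "alice", "failure"),
    AuthEvent("203.0.113.10", "alice", "success"),
]

if __name__ == "__main__":
    for name, sample in [("all-failed", SAMPLE_ALL_FAILED),
                         ("scanner", SAMPLE_SCANNER),
                         ("mixed", SAMPLE_MIXED)]:
        tags = insight_tags(sample)
        print(f"{name}: tags={sorted(tags)} priority={workflow_priority(tags)}")
```

The mixed sample shows the caveat behind the customer action note: one later success among the failures removes the Invalid Credentials tag, so a workflow rule keyed on that tag will not de-prioritize an investigation where the credential was eventually accepted.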

## Integrations

### Azure Monitor / Log Analytics

* New integration.

### Vectra AI

* New integration.

## Improvements

* Reduced false positives across investigations by better recognizing expected activity (service accounts, test environments, MSP admin behavior, authorized security tools).
* Improved identity threat detection for suspicious login attempts from uncommon hosting providers.
* Improved Microsoft 365 file activity investigations using richer Microsoft Graph and audit telemetry where available.
* Improved summarization for large query results across Microsoft Defender, Microsoft Sentinel, Google SecOps, and Sumo Logic.
* Enhanced the context library with improved filtering and better links back to investigations.
* Improved platform reliability and performance during upgrades, long-running investigations, and large query workloads.

## Integration Improvements

### SentinelOne

* Added severity-based filtering options to restrict ingested alerts.

### Microsoft Graph

* Expanded Microsoft 365 audit and enrichment coverage for investigation context.

### Microsoft Defender

* Updated table mappings and expanded Advanced Hunting query coverage, including additional cloud activity scenarios.

### Microsoft Sentinel

* Improved performance with parallelized table queries.
* Improved summarization of large query results.
* Enhanced error handling for long-running queries.

### Azure

* Added automatic discovery of Log Analytics workspaces and table schemas to support richer queries.

### Sumo Logic

* Improved Windows event and email security querying.
* Enhanced evidence handling when queries return no results.
* Improved retry behavior for more consistent query results.

### CrowdStrike

* Added configurable case-name filtering for CrowdStrike Next-Gen SIEM cases.

### Cato Networks

* Improved evidence handling when no data is returned.

### Okta

* Improved user enrichment so it works even when only a username (not a full email address) is available.

### GreyNoise

* Improved identification of scanner-related activity to support scanner-aware insights.

### ReversingLabs

* Added stricter domain validation to prevent malformed lookups.

### Custom Threat Intelligence

* Improved indicator lookup reliability for asynchronous investigations.
