# February 5, 2026

## Highlights

* New Investigation list view with swimlanes so teams can scan and prioritize work more quickly.
* Added customer-facing Dropzone Integration management APIs to automate configuration, testing, and lifecycle operations.
* Microsoft Azure, Exabeam, and ServiceNow are entering private beta as new Data Source integrations.
* Improved classification quality for phishing, VPN, identity, and authorized tooling alerts to reduce false positives and missed threats.
* Enhanced cloud infrastructure and SIEM query handling across Panther, Splunk, and other integrations for more reliable investigations.

***

## New Features

### Dropzone Integration Management APIs

* Added REST APIs to list, create, update, test, enable/disable, and delete integrations.
* Added an endpoint to retrieve available integration types and schemas.

**Customer action:**\
Review the integration API documentation if you plan to automate onboarding, configuration drift checks, or health monitoring for integrations.

### Investigation List & Triage

* Updated the investigations list with swimlanes and visual adjustments so teams can scan and prioritize work more quickly.

***

## Improvements

### Alert Titles, Email Analysis & URLs

* Improved robustness of automatic alert and investigation title generation when handling very large context, reducing failures in edge cases.
* Updated email summarization logic to better distinguish between what the message claims and what can be independently validated, avoiding overconfident statements.
* Improved URL extraction from plaintext email bodies to avoid treating non-URL tokens as links, reducing noise from reputation lookups.
* Improved handling of complex recipient headers so email-based alerts parse reliably across more providers.
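The URL-extraction item above describes a technique rather than a specific implementation, so the following is an added example (not Dropzone's code) of one way to pull links out of a plaintext body without treating version numbers, abbreviations or e-mail addresses as URLs. It assumes that only tokens announcing themselves with a scheme or a `www.` prefix are candidates, strips trailing punctuation, and validates the hostname before anything is sent to a reputation lookup; the sample body is constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Only tokens that announce themselves as URLs (scheme or www.) are candidates;
# bare words with dots (version numbers, "e.g.", file names) are never considered.
URL_TOKEN = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
TRAILING_PUNCT = ".,;:!?\"')]}>"


def _valid_host(host):
    """Accept IP-literal hosts or DNS names with sane labels and an alphabetic TLD."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return False
    return labels[-1].isalpha() and len(labels[-1]) >= 2


def extract_urls(text):
    """Return de-duplicated, validated URLs found in a plaintext body, in order."""
    found = []
    for match in URL_TOKEN.finditer(text):
        token = match.group(0)
        # Strip trailing punctuation; keep a ')' only when it closes a '(' inside the URL
        while token and token[-1] in TRAILING_PUNCT:
            if token[-1] == ")" and token.count("(") >= token.count(")"):
                break
            token = token[:-1]
        url = token if token.lower().startswith("http") else "http://" + token
        try:
            host = urlsplit(url).hostname
        except ValueError:
            continue  # malformed authority (e.g. unbalanced IPv6 brackets)
        if not _valid_host(host):
            continue  # localhost, underscores, one-letter TLDs and similar noise
        if url not in found:
            found.append(url)
    return found


# Constructed sample body mixing real-looking links with look-alike noise.
SAMPLE_BODY = """\
Your mailbox is over quota. Review it at https://mail-quota.example.com/login.
Help: (see www.example.org/help) or www.example.org/help for the FAQ.
Patch at http://192.0.2.7/update (build v2.1.0, i.e. the Q1 release).
Contact bob@example.com. Ignore https://not_valid_host/, http://localhost/ and www.x.
"""

if __name__ == "__main__":
    for url in extract_urls(SAMPLE_BODY):
        print(url)
```

Restricting candidates to scheme- or `www.`-prefixed tokens is a deliberate precision-over-recall choice: a bare `example.com` in running text is missed, but nothing that is not a link reaches the reputation services, which is the noise the release note is about.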

### Cloud Infrastructure IP Context

* Added IP range intelligence for major cloud providers (AWS, Azure, Google Cloud, and Microsoft 365).
* Investigations can now distinguish cloud infrastructure endpoints from end-user locations and better understand associated services and regions.
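As an added illustration of the cloud IP context described above (example code, not Dropzone's implementation), the block below indexes provider CIDR ranges and resolves a source IP to provider, service and region using longest-prefix matching, then tags a sign-in event so downstream logic can treat infrastructure addresses differently from end-user locations. The ranges are constructed from RFC 5737 / RFC 3849 documentation blocks; a real deployment loads provider-published feeds, which change frequently.

```python
import ipaddress

# Constructed sample ranges (documentation blocks only, not real provider space).
SAMPLE_RANGES = [
    ("192.0.2.0/24",       "aws",   "EC2",             "us-east-1"),
    ("192.0.2.128/25",     "aws",   "S3",              "us-east-1"),   # more specific than the /24
    ("198.51.100.0/24",    "azure", "AzureCloud",      "westeurope"),
    ("203.0.113.0/24",     "gcp",   "Google Cloud",    "europe-west1"),
    ("2001:db8:cafe::/48", "m365",  "Exchange Online", "global"),
]


class CloudRangeIndex:
    """Resolve an IP to cloud provider context via longest-prefix match."""

    def __init__(self, ranges):
        self.nets = []
        for cidr, provider, service, region in ranges:
            net = ipaddress.ip_network(cidr, strict=True)
            self.nets.append((net, {"provider": provider, "service": service, "region": region}))
        # Longest prefix first, so the first hit is the most specific range.
        self.nets.sort(key=lambda item: item[0].prefixlen, reverse=True)

    def lookup(self, ip_str):
        """Return provider context for ip_str, or None if it is not cloud space.

        Raises ValueError for strings that are not IP addresses, so callers
        notice bad telemetry instead of silently treating it as end-user traffic."""
        ip = ipaddress.ip_address(ip_str.strip())
        for net, info in self.nets:
            if ip.version == net.version and ip in net:
                return dict(info)
        return None


def annotate_login(event, index):
    """Tag a sign-in event with cloud context; impossible-travel or geo logic
    downstream can then skip or down-weight infrastructure endpoints."""
    info = index.lookup(event["src_ip"])
    annotated = dict(event)
    annotated["is_cloud_infra"] = info is not None
    annotated["cloud"] = info
    return annotated


if __name__ == "__main__":
    index = CloudRangeIndex(SAMPLE_RANGES)
    # Constructed sign-in events
    for ev in ({"user": "alice", "src_ip": "192.0.2.200"},
               {"user": "alice", "src_ip": "10.0.0.12"}):
        print(annotate_login(ev, index))
```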

***

## Dashboard & Reporting

* Capped “Top Assets” on the metrics dashboard to the top 20 items to keep visualizations focused and performant.
* Hardened dashboard APIs to handle incomplete alert asset data gracefully and avoid errors when rare edge-case values are present.
* Extended investigation metrics to expose additional outcome and priority breakdowns, enabling richer Q1 dashboard views and fleet-level analysis.

***

## Identity & VPN Investigation Quality

* Refined identity logic to more accurately recognize invalid credential scenarios and avoid misclassifying logins that rely solely on non-Microsoft identity providers for device registration.
* Improved handling of successful logins from consumer and corporate VPNs (including Cloudflare WARP and other providers) by combining device posture, MFA strength, and user history, reducing unnecessary alerts on well-secured access patterns.
* Tuned impossible-travel assessments where one side of the event is a managed device and the other is an internal IP, treating common corporate network topologies as benign while preserving visibility into genuinely risky scenarios.

***

## Endpoint & Tooling Investigation Quality

* Improved handling of alerts generated by authorized security tools and scripts (including DNS-heavy workflows and vendor-bundled interpreters) so routine operations on managed endpoints are less likely to be misclassified as exfiltration or tampering.
* Reduced false positives for CrowdStrike sensor tampering when benign system processes (such as systemd) legitimately manage sensor services during shutdown, restart, or update operations.

***

## Phishing Investigation Quality

* Improved outcomes for phishing emails that use file-hosting and other legitimate SaaS platforms by taking into account unverifiable hosted content and the sending history of similar campaigns.
* Increased consistency when classifying phishing messages that combine legitimate infrastructure (e.g., NetSuite, cloud storage) with prior confirmed malicious activity from the same sender patterns.

***

## Context & Knowledge APIs

* Added sorting options to the context knowledge APIs, allowing results to be ordered by last update time, identifier, or usage count in ascending or descending order.

***

## System Events & Auditability

* Improved user-based filtering for system events related to chat queries, ensuring audit trails accurately reflect which users initiated each query and making investigations into historical activity easier.

***

## Security & Reliability

* Updated third-party dependencies in both the core and SaaS services (including JavaScript libraries and HTTP clients) to address known security advisories and improve compatibility with upstream APIs.
* Corrected base container configuration for core services to ensure package repositories are consistently valid across architectures, improving build and runtime reliability.

***

## Bug Fixes

### Microsoft 365 & Microsoft Defender

* Ensured device enrichment retains hostnames and related context when pivoting from IP-based detections, avoiding incomplete endpoint summaries.
* Added a delayed lookback for Microsoft Graph threat submissions so late-created submissions are still ingested even when their creation time falls outside the primary polling window.
* Resolved rare query errors in advanced hunting scenarios caused by empty or malformed time fields.
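The "delayed lookback" item above is a general pattern for polling APIs whose items can appear some time after their reported creation timestamp. The following added example (not Dropzone's code, and not the Microsoft Graph API) simulates that behaviour with a constructed in-memory endpoint and shows why a fixed window misses late-created items while an overlapping window plus de-duplication by id ingests them.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Submission:
    id: str
    created: datetime      # creation time the API reports
    visible_at: datetime   # constructed: when the API first starts returning the item


class FakeSubmissionApi:
    """Constructed stand-in for a threat-submission endpoint. Items can become
    visible after their reported creation time, which a fixed window misses."""

    def __init__(self, submissions):
        self.submissions = submissions
        self.clock = None  # set by the simulation before each poll

    def fetch(self, start, end):
        return [s for s in self.submissions
                if s.visible_at <= self.clock and start <= s.created <= end]


@dataclass
class LookbackPoller:
    lookback: timedelta                 # how far behind the high-water mark to re-query
    cursor: datetime                    # end of the last polled window
    seen: set = field(default_factory=set)

    def poll(self, fetch, now):
        """Query [cursor - lookback, now] and return only unseen submissions.

        The overlap deliberately re-reads time already covered; de-duplicating
        by id is what makes the overlap safe."""
        start = self.cursor - self.lookback
        fresh = []
        for sub in fetch(start, now):
            if sub.id in self.seen:
                continue
            self.seen.add(sub.id)
            fresh.append(sub)
        self.cursor = now
        return fresh


def run_simulation(lookback_minutes):
    """Poll three times, five minutes apart; return the ids ingested per poll."""
    t0 = datetime(2026, 2, 5, 12, 0, tzinfo=timezone.utc)

    def m(k):
        return t0 + timedelta(minutes=k)

    subs = [
        Submission("s1", created=m(2), visible_at=m(2)),    # normal
        Submission("s2", created=m(4), visible_at=m(12)),   # late-created: in window 1, visible in window 3
        Submission("s3", created=m(7), visible_at=m(7)),
    ]
    api = FakeSubmissionApi(subs)
    poller = LookbackPoller(lookback=timedelta(minutes=lookback_minutes), cursor=t0)
    results = []
    for poll_time in (m(5), m(10), m(15)):
        api.clock = poll_time
        results.append(sorted(s.id for s in poller.poll(api.fetch, poll_time)))
    return results


if __name__ == "__main__":
    print("no lookback: ", run_simulation(0))    # s2 is never ingested
    print("10m lookback:", run_simulation(10))   # s2 arrives in the third poll
```

The `seen` set grows without bound here; a production poller would expire ids older than the lookback window, since anything outside it can no longer be re-read.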

### Email Processing

* Fixed an issue where certain RFC-encoded recipient headers could cause email parsing errors, improving reliability for email-derived alerts.

### Dashboards

* Resolved an issue where dashboard metrics could error when alerts contained entities or assets with null values, ensuring metrics endpoints remain stable even with imperfect source data.

***

## Integration Improvements

### Panther

* Improved query generation and execution for Panther-backed investigations, including better handling of deprecated fields, JSON path syntax, GROUP BY clauses, and time-chunked queries—particularly for GitHub and GuardDuty data.
* Reduced the likelihood of multi-attempt query failures, leading to more consistent results when Panther is used as a log source.

### Splunk

* Removed reliance on Splunk `TERM()` directives that could silently return zero results for certain log formats (such as unquoted Fortinet firewall logs), improving query reliability.
* Updated backup connectivity test queries to use explicit search syntax for clearer behavior across environments.
* Stopped collecting and storing unused per-sourcetype “sources” metadata in the Splunk scanner, significantly reducing memory usage for tenants with many log sources.

### Microsoft Azure & Microsoft Sentinel

* Added support for generating and executing KQL queries against Azure Monitor Logs from within investigations.
* Introduced Azure resource querying to surface key attributes (such as resource identifiers and locations) when investigating Azure assets.
* Enhanced Microsoft Sentinel alert enrichment to consume partial query results when Analytics rule queries only partially succeed, ensuring usable telemetry is still surfaced to analysts.

### Microsoft Graph & Entra ID

* Improved device and authentication investigations by preserving full device context (including hostnames) when pivoting from IP addresses and hardening queries for directory and sign-in telemetry.
* Reduced the chance of missed or misinterpreted events in Entra ID hunting queries due to subtle API or timestamp behaviors.

### PhishTank

* Updated PhishTank URL reputation handling to avoid excessively long backoff intervals under heavy rate limiting, keeping phishing investigations responsive even when the service returns multiple 429 responses.
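As an added example of the capped-backoff behaviour described above (illustrative code, not Dropzone's client and not PhishTank's API), the block below retries on HTTP 429 with exponential delays that honour a numeric `Retry-After` header but are clamped to a ceiling, and gives up after a fixed number of attempts with an "unknown" result so the investigation proceeds rather than stalling. The `send` and `sleep` callables are injected so the scripted simulation runs offline; the responses and URL are constructed.

```python
import random


def backoff_delay(attempt, retry_after=None, base=1.0, cap=30.0, rng=None):
    """Delay in seconds before retry number `attempt` (0-based).

    Exponential growth, honouring a numeric Retry-After header, with the result
    clamped to `cap` so a burst of 429s can never stall a lookup for minutes.
    Optional jitter (pass a random.Random) spreads retries across workers."""
    delay = base * (2 ** attempt)
    if retry_after is not None:
        try:
            delay = max(delay, float(retry_after))
        except ValueError:
            pass  # HTTP-date or junk Retry-After values are ignored in this example
    if rng is not None:
        delay += rng.uniform(0, delay * 0.25)
    return min(delay, cap)


class ReputationClient:
    """Constructed stand-in for a URL reputation client."""

    def __init__(self, send, sleep, max_attempts=5, cap=30.0, rng=None):
        self.send = send            # send(url) -> (status, headers, body)
        self.sleep = sleep          # injected so simulations and tests do not block
        self.max_attempts = max_attempts
        self.cap = cap
        self.rng = rng

    def lookup(self, url):
        delays = []
        for attempt in range(self.max_attempts):
            status, headers, body = self.send(url)
            if status != 429:
                return {"status": status, "body": body, "delays": delays}
            delay = backoff_delay(attempt, headers.get("Retry-After"), cap=self.cap, rng=self.rng)
            delays.append(delay)
            self.sleep(delay)
        # Budget exhausted: report no verdict so the caller proceeds without
        # reputation data instead of blocking the whole investigation.
        return {"status": 429, "body": None, "delays": delays}


def simulate(responses, cap=30.0):
    """Drive the client against a scripted sequence of (status, headers, body)."""
    queue = list(responses)

    def send(url):
        return queue.pop(0) if queue else (200, {}, {"in_database": False})

    client = ReputationClient(send, sleep=lambda seconds: None, cap=cap)
    return client.lookup("http://phish.example/login")  # constructed URL


if __name__ == "__main__":
    heavy_limit = [(429, {"Retry-After": "120"}, None), (429, {}, None),
                   (429, {}, None), (200, {}, {"in_database": True})]
    print(simulate(heavy_limit))                 # succeeds; the 120 s hint is clamped to 30 s
    print(simulate([(429, {}, None)] * 5))       # gives up after five attempts, ~31 s total
```

Clamping `Retry-After` trades strict compliance with the server's hint for bounded latency; the upper bound on total wait is `max_attempts * cap`, which is the number to tune against the investigation's own time budget.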

### Datadog

* Upgraded the Datadog API client in both core and SaaS components to maintain compatibility with the latest Datadog API behavior and reduce client-side warnings.

### GreyNoise

* Updated the GreyNoise configuration so environments using Dropzone-provided GreyNoise credentials are correctly shown as “provided” in the integrations UI, distinct from customer-managed configurations.

### Elasticsearch (Mimecast & Other Logs)

* Added and refined Elasticsearch query examples for Mimecast and related logs, improving out-of-the-box coverage when investigating email and web security events stored in Elasticsearch.

### Microsoft Sentinel ASI Enrichment

* Updated Microsoft Sentinel enrichment to collect and use partial query results returned by Analytics rule queries, providing analysts with as much available data as possible even when queries partially fail.
