# February 12, 2026

***

## Highlights

* Added **Blast Radius Analysis for email incidents \[Private Beta]**, which automatically maps impact and recommends remediation steps once an email investigation concludes malicious or suspicious.
* Added a first-class **reinvestigation workflow for Microsoft Defender** that triggers when Defender updates an existing alert or incident with new information.
* Expanded integration capabilities for **Exabeam \[Private Beta]**, **Splunk**, **Microsoft Sentinel**, **Microsoft Defender**, and **CrowdStrike** to improve investigation context and scalability.
* Enhanced investigation tuning for recurring alert patterns (cloud patching, VPN usage, SaaS file access, macOS AppleScript activity) to reduce false positives and highlight true attacks.

***

## New Features

### Blast Radius Analysis for Email Incidents \[Private Beta]

* Automatically analyzes completed malicious or suspicious email investigations.
* Identifies affected users and assets.
* Summarizes overall impact.
* Proposes prioritized remediation steps.

### Microsoft Defender Reinvestigation Workflow

* When enabled, automatically launches a new investigation, linked to the original, whenever Microsoft Defender updates an existing alert or incident with a `lastUpdateDateTime` newer than the one recorded at the last investigation.
* Ensures you always have an up-to-date assessment tied back to the original case. Note that Defender can also advance `lastUpdateDateTime` on analyst actions such as status or assignment changes, not only when new evidence arrives, so some reinvestigations will confirm the prior verdict rather than change it.

***

## Improvements

### Investigation List & Deep Linking

* Updated investigations view with swimlane-style grouping.
* Improved pagination reliability when switching tabs.
* Added deep links that navigate directly to specific findings and evidence.

### System Events Auditing

* Improved System Events filtering so chat-related events can be reliably filtered by user.
* Makes auditing who ran which investigations easier.

### Context Memory Management

* Added support for deleting and restoring archived context items.
* Improved filtering and facet counts.
* Refined summaries to focus on your environment rather than internal platform details.

### Strategy Explanations

* Strategy cards now display rationale and toggle guidance.
* Helps administrators understand why each system strategy exists and when to enable or disable it.

### Investigation Outcome Quality

Refined classification across several recurring alert patterns, including:

* Cloud patching activity
* VPN usage
* Log ingestion stoppage
* Non-sensitive SaaS file downloads
* Static CVE-only detections (a vulnerable version reported with no exploitation activity)
* macOS AppleScript abuse
* Potentially unwanted programs (PUP) vs remote access tooling

These updates reduce false positives and better distinguish malicious, suspicious, benign, and misconfigured behavior.

***

## Security & Reliability

### Device Enrichment Resilience

* Improved Microsoft Defender device enrichment to gracefully fall back to alternative endpoint data when primary inventory lookups fail.
* Ensures more investigations return usable device details.

### IP Enrichment & Cloud Ranges

* Improved matching of addresses against published cloud-provider IP ranges, so traffic from hosting infrastructure is labelled as such.
* Hosting-provider enrichment is now always combined with an AbuseIPDB check when both succeed, for richer and more consistent IP reputation context.

***

## Bug Fixes

### Microsoft Defender & Microsoft Sentinel

* Resolved edge cases where missing or malformed timestamps in Microsoft telemetry could prevent process trees or certain Sentinel queries from completing reliably.
* Fixed a timestamp comparison issue in Microsoft Sentinel query handling when mixing offset-aware and offset-naive datetime formats.

***

## Integration Improvements

### Exabeam \[Private Beta]

* Expanded support with user, IP, and device behavior baselines.
* Added query capability for pivoting directly into Exabeam logs.
* Improves understanding of typical vs anomalous activity.

### Splunk

* **\[Private Beta]** Introduced optional smart sourcetype grouping.
* Removed unused source metadata to significantly reduce scan volume and memory usage.
* Updated evidence to show human-readable timestamps for “first seen” and “last seen” fields.
* Improved scanner logging with structured parameters for easier troubleshooting.

### Microsoft Sentinel & Microsoft Defender (Microsoft Graph)

* Improved enrichment reliability by using partial query results when Sentinel queries partially succeed.
* Batched related alert retrieval for large incidents.
* Expanded device and user activity investigations and threat hunting coverage.
* Corrected timestamp handling to ensure consistent time windows in generated queries.

### CrowdStrike & CrowdStrike Next-Gen SIEM

* Enhanced file-origin investigations by searching additional file creation event types.
* Added explicit time ranges to Next-Gen SIEM evidence citations.

### Google Cloud Security Command Center

* Migrated to the Security Command Center v2 API.
* Supports organizations created after December 2024 and prevents ingestion issues on newer tenants.

### Sumo Logic

* Updated query handling to prefer aggregated record results when available.
* Improved summaries for high-volume datasets.
* Reduced duplicate raw message output.

### Vectra AI \[Private Beta]

* Added Vectra host detail enrichment to device investigations.
* Surfaces host information alongside other endpoint context.

### Elasticsearch

* Improved async task management using task groups.
* Reduced warnings related to unclosed connections.
* Improved stability for long-running queries.

### IP Reputation & Enrichment

* Updated IP enrichment flows to always combine hosting-provider checks with AbuseIPDB reputation data when both succeed.

### Palo Alto Cortex XSIAM

* Reduced query generation latency using a lighter-weight approach.
* Added summarized dynamic capability descriptors to clarify what each XSIAM integration can answer.

### Panther

* Improved handling of errors and rate limits in historical activity analysis.
* Captures more detailed error information in evidence to clarify when upstream limits affect results.

***
