# February 26, 2026

***

## Highlights

* Introduced a new **Threat Intel workspace** and internal Dropzone threat intelligence source to enrich investigations with curated file and behavior context.
* Strengthened URL analysis with deeper recursive browsing, improved redirect handling, and better stability to uncover hidden phishing destinations.
* Improved investigation quality for cloud analytics and Microsoft 365 activity, reducing noise from expected BI usage, ticket portals, and cloud app traffic.
* Delivered reliability and performance enhancements across Splunk, Palo Alto Cortex XDR/XSIAM, Microsoft 365 Defender / Graph, QRadar, Okta, Google Workspace, ReversingLabs, VirusTotal, Exabeam, CrowdStrike, and more.

***

## New Features

### Threat Intel Workspace

* Added a dedicated **Threat Intel section** in the UI.
* Enables browsing, searching, and managing threat intelligence collections.
* Supports both Dropzone-provided and customer-provided indicators.

### Dropzone Threat Intelligence Enrichment

* Introduced an internal threat intelligence source:
  * Known file hashes
  * Typical file behaviors
* Provides richer file reputation context and basic process relationship insights during investigations and API lookups.

***

## Improvements

### URL Analysis

* Enhanced URL analysis to:
  * Follow selected links one level deeper
  * Apply domain registration checks on redirects
  * Wait for dynamic pages to fully load before analysis
  * Handle more edge cases without errors
* Improves detection of hidden phishing pages and redirect chains.

***

### Investigation UX

* Investigations list now opens on the **“All” tab by default**.
* Improved handling of Microsoft security portal and ticket URLs:
  * Treated as reference links instead of reputation targets
  * Reduces unnecessary lookups
* Improved identification of Microsoft cloud applications during investigations.
* Adjusted classification for cloud data warehouse export alerts:
  * Better recognizes expected BI activity using approved tools.

***

### Context Memory

* Fixed duplicate entity display when multiple tenants share identifiers.
* Hardened identifier handling to prevent backend errors from malformed values.
* Reduced prefetching overhead when sorting by investigation count.
* Improves performance in large environments.

***

### Evidence & Findings

* “No results” evidence tags are now clickable to inspect underlying queries.
* Normalized storage of empty evidence payloads for consistent UI rendering.

***

### Custom Strategies

* Preserved line breaks in custom instructions.
* Improves readability for long or structured strategy definitions.

***

## Security & Reliability

### API Permissions

* External API endpoints now consistently enforce API key permissions.
* Aligns API access with UI role-based permissions.

***

### Platform Performance

* Updated web service process for improved responsiveness and resilience under load.

***

### Search Backends

* Improved handling of Elasticsearch timeouts:
  * Timeouts are recorded as investigation evidence
  * Do not interrupt overall investigation flow

***

### Ongoing Hardening

* Continued updates to dependencies, containers, and configurations.
* Improves platform security and stability.

***

## Bug Fixes

### Splunk ES Alerts

* Fixed an issue where timestamp-style start times caused parsing failures during database creation.

### Context Memory API

* Resolved backend errors caused by invalid identifier characters.

### Palo Alto Cortex Datasets

* Fixed an invalid dataset identifier issue during XDR/XSIAM dataset updates.

### VirusTotal File Reputation

* Fixed errors when certain hash fields (e.g., MD5) are missing from responses.

***

## Integration Improvements

### Microsoft 365 Defender / Microsoft Graph

* Added detection-source filters for incident ingestion.
* Improved retry and timeout handling for Graph queries.
* Refined cloud app and ticket URL handling to focus on relevant activity.

***

### Palo Alto Cortex XDR / XSIAM

* Improved XQL query generation and dataset handling:
  * Better escaping and syntax handling
  * Improved handling of Windows paths, regex, and special characters
* Added graceful handling when daily XQL quota is exhausted.
* Improved clarity in multi-dataset investigation summaries.

***

### Splunk

* Reduced scanner overhead using wildcard index grouping.
* Clarified configuration labels (sourcetypes vs indexes).
* Normalized empty evidence payloads.
* Improved handling of non-ISO timestamps in Splunk ES alerts.

***

### IBM QRadar

* Improved scanner resilience:
  * Longer query wait times
  * Limited default lookback windows
  * Isolated failures per log source

***

### Okta

* Expanded device enrichment using Okta device APIs.
* Enables richer device context from IP or hostname-only investigations.

***

### Elasticsearch

* Improved timeout handling and grouped timeout errors.
* Prevents long-running queries from disrupting investigations.

***

### CrowdStrike Next-Gen SIEM

* Treated missing repositories (HTTP 404) as expected conditions.
* Logs warnings instead of raising errors.

***

### ReversingLabs

* Improved handling of malformed inputs.
* Now surfaces file names from analysis reports when available.

***

### VirusTotal

* Updated parsing to support API schema changes.
* Prevents missing-field errors and improves reliability.

***

### Google Workspace

* Added support for new audit log types.
* Enables richer activity analysis from updated APIs.

***

### Panther

* Improved query generation to handle reserved words in column names.
* Prevents compilation errors in certain schemas.

***

### Microsoft Fabric / Azure Data Explorer

* Improved summarization of query-based evidence.
* Retains clearer per-query context in investigation findings.

***

### Exabeam

* Tuned query generation and selection logic.
* Improves quality and relevance of returned results.

***

### Dropzone Threat Intelligence

* Enabled investigations and APIs to query the new internal threat intelligence collection.
* Supports:
  * File hash and filename lookups
  * Basic parent/child process relationships
  * Frequency analysis of observed files

***
