# March This summary covers all product updates released in March 2026, including the releases from: * March 5 – 11 * March 12 – 18 * March 19 – 26 * March 27 – April 1 Across these releases, we focused on improving investigation clarity and accuracy, expanding integration coverage (including new enterprise systems), scaling performance for large environments, and enhancing analyst workflows with better context, automation, and APIs. *** ## Investigation Quality & Signal Clarity March releases significantly improved investigation precision and reduced noise across common enterprise scenarios: * Introduced **detection objective summaries**: * Plain-language descriptions of alert intent * Faster understanding for both junior and senior analysts * Improved alert conclusions across: * VPN and cloud-aligned activity * Print server and Kerberos scenarios * Browser updaters and scheduled tasks * Vendor background processes and IIS workers * Downloads from newly registered domains * Enhanced phishing detection: * Better parsing of complex email headers * Correct sender attribution in Microsoft alerts * Stronger identification of credential-harvesting campaigns * Improved handling of newly registered domains returning HTTP 404 * Expanded investigation context: * Microsoft 365 / Defender / Sentinel * Splunk * GCP * Palo Alto Cortex * Improved classification accuracy: * Better distinction between benign infrastructure activity and malicious behavior * Improved handling of Linux SSH brute-force alerts as endpoint activity *** ## Threat Intelligence & Enrichment March continued expanding enrichment depth and intelligence coverage: * Added **Swimlane Threat Intelligence integration**: * Enrichment for IPs, domains, URLs, hashes, and email indicators * Supports customer-owned intelligence sources * Improved domain and file reputation analysis: * More consistent handling of suspicious domains * Human-readable filenames alongside hashes * Expanded enrichment coverage across: * Identity (Entra ID, Okta) * Devices (multi-platform enrichment improvements) * Endpoint and process activity * Improved file-origin analysis: * Parallel queries across EDR and SIEM sources * Clearer provenance summaries * Added **CrowdStrike Falcon Sandbox support**: * Query existing reports * Detonate files and retrieve behavioral summaries *** ## Integration Expansion & Scalability March introduced major new integrations and expanded existing ones: ### New Integrations * **ServiceNow** * Query incidents, request items, and alerts during investigations * Supports investigation-time context retrieval (not just periodic ingestion) * **Rapid7 InsightIDR (Beta)** * Alert ingestion * User/device enrichment * Process-tree analysis * LEQL query support * **Swimlane Threat Intelligence** * Native enrichment integration using Swimlane apps *** ### Integration Improvements * **Splunk** * Major performance improvements: * Reduced scanner runtimes * Deduplicated ingest batches * Optimized `tstats` queries * Parallelized processing * Improved reliability: * Concurrency-aware retries with backoff * Better schema detection and sourcetype selection * Reduced scan failures in large environments * **Microsoft Defender / Sentinel / KQL** * Improved ingestion filtering and KQL generation * Better handling of dynamic fields and large datasets * **Microsoft 365 / Graph** * Improved phishing and sign-in timeline accuracy * Pagination support for large tenants * Better timeout handling and retry behavior * **ServiceNow** * OAuth improvements (client credentials flow) * Configurable table selection for investigations * **Elasticsearch** * Added time-range visibility in evidence * Introduced controls for large-cluster query scope * **Okta & Splunk** * Added **multi-slot support** for multi-tenant environments * **Wiz** * Added enrichment for issue and threat alerts * Improved webhook ingestion and context structuring * **Datadog, Panther, GCP, Slack** * Improved query reliability, enrichment accuracy, and error handling * Better diagnostics and handling of expected API responses *** ## User Experience & Investigation Workflows March introduced several improvements to analyst workflows and usability: * Enhanced **AI-driven investigation flows**: * Better interviewer behavior * Correct timeframe alignment * Proper completion handling * Improved **investigation summaries**: * Clearer conclusions grounded in evidence * Reduced speculation * Expanded **context memory capabilities**: * Introduced **Context Memory API**: * Filtering, search, sorting, pagination * Enables external automation and integrations * Improved context usage in investigations: * Focused on stored organizational knowledge * Introduced **Threat Hunter catalog and reporting (Beta)**: * Browse hunt definitions * Review hunt results with timelines and findings * Improved dashboards: * Released **Impact dashboard** to all customers * Enhanced Sankey visualizations and navigation * Added deep linking from visualizations to investigations * Improved KPI accuracy (date-based calculations) * Improved system observability: * Added system events for API calls and evidence lookups * Improved auditability and debugging *** ## Email, Identity & Endpoint Enhancements * Strengthened phishing investigation workflows: * Improved header parsing and sender attribution * Better impersonation detection * Enhanced identity analysis: * Expanded Entra ID and hybrid identity enrichment * Improved login success/failure differentiation * Improved endpoint and process analysis: * Better process-tree reconstruction (especially Cortex) * Enhanced handling of missing process IDs * Improved classification of endpoint-origin alerts * Expanded device enrichment: * Improved cross-platform lookup reliability * Better handling of incomplete identifiers * Improved script and automation analysis: * Detection of repeated PowerShell usage across hosts *** ## Security, Performance & Reliability March releases focused heavily on scalability and robustness: * Significant performance improvements: * Reduced Splunk scan times in large environments * Optimized query generation and dataset selection * Reduced database and API load (context memory optimizations) * Improved reliability: * Better handling of partial results and timeouts * More resilient enrichment pipelines * Reduced failures from malformed or missing data * Enhanced API and integration stability: * Improved error handling and retry strategies * Better handling of authentication and permissions * Platform hardening: * Dependency upgrades to secure versions * Improved HTTP client performance and diagnostics * Shared concurrency controls across integrations *** ## Overall Impact The March 2026 releases focused on: * Delivering **clearer, more explainable investigations with less noise** * Expanding **enterprise integration coverage**, including ServiceNow and Rapid7 * Improving **performance and scalability for large environments (especially Splunk)** * Enhancing **analyst workflows with better context, APIs, and dashboards** * Strengthening **platform reliability, observability, and resilience** Together, these updates significantly improve Dropzone’s ability to operate at scale in complex environments while providing faster, more accurate, and more actionable security investigations.