# March 5, 2026

***

## Highlights

* Added concise **detection objective summaries** so analysts can quickly understand what each alert is looking for.
* Expanded and refined investigation context across **Microsoft 365 / Defender / Sentinel**, **Splunk**, **GCP**, and **Palo Alto Cortex** to improve signal quality and reduce noise.

***

## New Features

### Detection Objective Summaries

* Each investigation now includes a **1–2 sentence, plain-language description** of the detection’s purpose.
* Helps both junior and senior analysts quickly understand alert intent.

### [Beta] Threat Hunter Catalog and Reports

* Added UI pages to:
  * Browse threat hunt definitions
  * Review completed hunts
* Includes timelines, key insights, and findings.
* Currently available as a limited preview.

***

## Improvements

### Alert Summaries & Evidence Timestamps

* Prioritized **human-readable timestamps** across alerts and evidence.
* Automatically converts epoch values.
* Evidence entries now include **explicit time ranges** for clarity.
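The epoch-conversion and explicit-time-range behaviour described above, as an added Python example (this is illustration written for these notes, not the product's own code). The unit heuristic (seconds, milliseconds, microseconds or nanoseconds chosen by the magnitude of the number) and the range label format are assumptions of the example; the page does not state how the product decides.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Union

EpochLike = Union[int, float, str]

# Unit boundaries used to guess what a bare epoch number means (an assumption of
# this example, not a documented product rule):
#   < 1e10  -> seconds      (10 digits covers dates up to the year 2286)
#   < 1e13  -> milliseconds
#   < 1e16  -> microseconds
#   else    -> nanoseconds
_SECONDS_MAX, _MILLIS_MAX, _MICROS_MAX = 10**10, 10**13, 10**16


def epoch_to_datetime(value: EpochLike) -> datetime:
    """Convert an epoch value of unknown unit to a timezone-aware UTC datetime."""
    if isinstance(value, str):
        value = value.strip()
        value = float(value) if "." in value else int(value)
    if isinstance(value, float):
        # fractional values are taken as seconds (e.g. 1772701200.5)
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if value < 0:
        raise ValueError(f"negative epoch value: {value}")
    if value < _SECONDS_MAX:
        ns = value * 10**9
    elif value < _MILLIS_MAX:
        ns = value * 10**6
    elif value < _MICROS_MAX:
        ns = value * 10**3
    else:
        ns = value
    seconds, rem_ns = divmod(ns, 10**9)
    # datetime has microsecond resolution; sub-microsecond precision is dropped
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(microseconds=rem_ns // 1000)


def to_iso(dt: datetime) -> str:
    """ISO 8601 in UTC with a trailing Z; fractional seconds only when present."""
    dt = dt.astimezone(timezone.utc)
    spec = "microseconds" if dt.microsecond else "seconds"
    return dt.isoformat(timespec=spec).replace("+00:00", "Z")


def evidence_time_range(start: EpochLike, end: EpochLike) -> Dict[str, object]:
    """Explicit, human-readable time range for an evidence entry."""
    s, e = epoch_to_datetime(start), epoch_to_datetime(end)
    if e < s:
        raise ValueError("time range end precedes start")
    duration = (e - s).total_seconds()
    return {
        "start": to_iso(s),
        "end": to_iso(e),
        "duration_seconds": duration,
        "label": f"{to_iso(s)} to {to_iso(e)} ({duration / 60:.1f} min)",
    }


if __name__ == "__main__":
    # constructed values: 2026-03-05T08:00:00Z in seconds, 09:00:00.123Z in milliseconds
    print(evidence_time_range(1772697600, "1772701200123")["label"])
```

Mixed sources in one investigation routinely emit seconds (most SIEMs), milliseconds (many cloud APIs) and nanoseconds (some EDR agents) side by side; the magnitude check keeps an off-by-1000 value from being rendered as a date in 1970 or in the far future.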

***

### Email & Phishing Investigations

* Improved parsing of complex and nested email headers.
* Ensures accurate extraction of:
  * Sender
  * Subject
  * URLs
  * Headers
* Microsoft phishing alerts now display the **correct sender address**.
* Enhanced detection of **credential-harvesting campaigns**:
  * Focuses on deceptive, attacker-controlled login flows
  * Reduces false positives from legitimate notifications
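Nested-header extraction of the kind these notes describe, as an added Python example using only the standard library `email` package (illustration written for these notes, not the product's parser). The message is a constructed sample: a user forwards a suspicious mail to the SOC and the original arrives as a `message/rfc822` attachment, so the sender, RFC 2047-encoded subject, `Received` chain and body URL that matter all sit one level below the top-level headers. The summary structure and the "own text" rule that keeps URLs attributed to the layer they came from are the example's own choices.

```python
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from typing import List

# Constructed sample (not a real message): a forwarded phishing report whose
# original is embedded as message/rfc822, i.e. a nested header set.
SAMPLE_EML = b"""\
From: Alice <alice@corp.example>
To: soc@corp.example
Subject: FW: suspicious email
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset="utf-8"

Forwarding, this looks off.

--outer
Content-Type: message/rfc822

Received: from mx.example (mx.example [203.0.113.5]) by corp.example; Thu, 5 Mar 2026 09:00:00 +0000
From: "IT Support" <helpdesk@login-portal.example>
To: alice@corp.example
Subject: =?utf-8?q?Action_required=3A_password_expires?=
Content-Type: text/plain; charset="utf-8"

Your password expires today. Verify now at https://login-portal.example/reset?u=alice

--outer--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 in Received headers


@dataclass
class HeaderSummary:
    depth: int                 # 0 = outer message, 1 = first embedded message, ...
    sender: str
    subject: str
    received_ips: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


def iter_messages(msg: EmailMessage, depth: int = 0):
    """Yield (depth, message) for msg and every message embedded in it as
    message/rfc822, outermost first. Multipart containers are walked but only
    real messages are yielded, so each one is reported exactly once."""
    yield depth, msg
    queue = list(msg.get_payload()) if msg.is_multipart() else []
    while queue:
        part = queue.pop(0)
        if part.get_content_type() == "message/rfc822":
            for nested in part.get_payload():   # payload is a list holding the embedded message
                yield from iter_messages(nested, depth + 1)
        elif part.is_multipart():
            queue.extend(part.get_payload())


def own_text(msg) -> str:
    """Plain-text bodies belonging to this message, excluding embedded messages,
    so that URLs are attributed to the layer that actually carried them."""
    if not msg.is_multipart():
        return msg.get_content() if msg.get_content_type() == "text/plain" else ""
    return "\n".join(own_text(p) for p in msg.get_payload()
                     if p.get_content_type() != "message/rfc822")


def summarize(depth: int, msg) -> HeaderSummary:
    _, sender = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))   # policy.default decodes RFC 2047 encoded words
    ips = [m.group(1) for h in msg.get_all("Received", []) for m in IP_RE.finditer(str(h))]
    return HeaderSummary(depth, sender, subject, ips, URL_RE.findall(own_text(msg)))


def analyze(raw: bytes) -> List[HeaderSummary]:
    """One summary per message layer, outermost first."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [summarize(d, m) for d, m in iter_messages(msg)]


if __name__ == "__main__":
    for s in analyze(SAMPLE_EML):
        print(s)
```

The practical point is that the top-level `From` (the forwarding employee) is not the sender an analyst wants to attribute a phishing alert to; reporting every layer separately lets the investigation pick the embedded sender, its `Received` source address and its URL without losing the context of who forwarded it.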

***

### User & Identity Enrichment

* Added support for `DOMAIN\user` identifiers.
* Expanded enrichment across Microsoft and GCP telemetry.
* Improved handling of Entra ID sign-in events:
  * Better distinction between successful and failed logins
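Identifier normalisation of the kind the `DOMAIN\user` support implies, as an added Python example (written for these notes, not the product's enrichment code). It parses down-level (`DOMAIN\user`) and UPN (`user@domain`) forms, undoes the doubled backslash that JSON-escaped log fields often carry, classifies built-in and machine accounts, and maps NetBIOS names to DNS domains so the same principal correlates across sources. The `NETBIOS_TO_DNS` table and the built-in domain list are constructed assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed NetBIOS -> DNS domain mapping (an assumption of this example; a real
# deployment would take it from the directory or integration configuration).
NETBIOS_TO_DNS = {"CORP": "corp.example", "LAB": "lab.corp.example"}

# Pseudo-domains used by Windows built-in and service accounts (example list).
BUILTIN_DOMAINS = {"nt authority", "nt service", "builtin", "font driver host", "window manager"}

_DOWN_LEVEL = re.compile(r"^([^\\@/]+)\\([^\\@/]+)$")   # DOMAIN\user
_UPN = re.compile(r"^([^\\@/]+)@([^\\@/]+)$")            # user@domain


@dataclass(frozen=True)
class Identity:
    user: str               # lowercased account name
    domain: Optional[str]   # lowercased DNS domain when known, else NetBIOS/pseudo domain or None
    kind: str               # "user", "machine" or "builtin"


def parse_identity(raw: str) -> Identity:
    """Normalise one identifier string from any telemetry source."""
    # JSON-escaped log fields frequently arrive as CORP\\alice; collapse the escape first
    s = raw.strip().replace("\\\\", "\\")
    if (m := _DOWN_LEVEL.match(s)):
        domain, user = m.group(1), m.group(2)
    elif (m := _UPN.match(s)):
        user, domain = m.group(1), m.group(2)
    else:
        user, domain = s, None           # bare account name, domain unknown
    user = user.lower()
    domain = domain.lower() if domain else None
    if domain in BUILTIN_DOMAINS:
        kind = "builtin"
    elif user.endswith("$"):
        kind = "machine"                 # computer accounts end in '$'
    else:
        kind = "user"
    if domain:
        domain = NETBIOS_TO_DNS.get(domain.upper(), domain)
    return Identity(user, domain, kind)


def correlation_key(ident: Identity) -> str:
    """Stable key so the same principal matches across Microsoft, GCP and EDR telemetry."""
    return f"{ident.user}@{ident.domain}" if ident.domain else ident.user


def same_principal(a: str, b: str) -> bool:
    return correlation_key(parse_identity(a)) == correlation_key(parse_identity(b))


if __name__ == "__main__":
    for raw in [r"CORP\Alice", "alice@corp.example", "CORP\\\\alice", r"NT AUTHORITY\SYSTEM", r"CORP\WS01$"]:
        print(raw, "->", parse_identity(raw))
```

Keeping the NetBIOS-to-DNS mapping explicit matters for the failed-versus-successful login distinction too: a failed logon recorded as `CORP\alice` and a successful Entra ID sign-in for `alice@corp.example` should land on one timeline, not two.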

***

### Process, File, and Domain Forensics

* File-origin analysis now queries multiple sources in parallel (e.g., EDR + SIEM).
* File reputation findings include **human-readable filenames** alongside hashes.
* Improved domain reputation logic:
  * Avoids skipping checks for suspicious domains
  * Still bypasses clearly benign, high-reputation services

***

### Endpoint & Windows Servicing Scenarios

* Documents opened from browser cache are now treated as **suspicious until analyzed**.
* Reduced false positives for legitimate Windows servicing activity:
  * Examples: `dismhost.exe`, `ntds.dit` access during updates

***

### Palo Alto Cortex Investigations

* Improved process-tree reconstruction:
  * Anchored on the alerted process
  * Includes related file, registry, and network events
* Enhanced WildFire alert handling:
  * Clearly reflects action types (detected, blocked, scanned)
* Optimized query generation and dataset selection for efficiency.
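Process-tree reconstruction anchored on the alerted process, as an added Python example (written for these notes; not Cortex's or the product's code). It takes constructed process-start records and related file, registry and network events, keeps only the ancestor chain above the alerted process plus its full descendant subtree (sibling branches are dropped), and attaches each related event to the process that produced it. The record shapes and sample values are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ProcessNode:
    pid: int
    name: str
    parent_pid: Optional[int]
    events: List[str] = field(default_factory=list)        # related file/registry/network events
    children: List["ProcessNode"] = field(default_factory=list)


# Constructed sample telemetry (not real Cortex data): process starts, plus the
# file/registry/network events each process generated, keyed by pid.
PROCESS_STARTS = [
    {"pid": 100, "ppid": None, "name": "explorer.exe"},
    {"pid": 200, "ppid": 100, "name": "winword.exe"},
    {"pid": 300, "ppid": 200, "name": "cmd.exe"},        # the alerted process
    {"pid": 400, "ppid": 300, "name": "powershell.exe"},
    {"pid": 500, "ppid": 100, "name": "notepad.exe"},    # sibling branch, unrelated to the alert
]
RELATED_EVENTS = [
    {"pid": 300, "type": "registry", "detail": "set HKCU\\Software\\Example\\Setting"},
    {"pid": 400, "type": "network", "detail": "tcp connect 203.0.113.9:443"},
    {"pid": 400, "type": "file", "detail": "write C:\\Users\\Public\\report.tmp"},
    {"pid": 500, "type": "file", "detail": "read C:\\Users\\alice\\notes.txt"},
]


def reconstruct_tree(alert_pid: int, starts, related) -> Tuple[ProcessNode, ProcessNode]:
    """Return (root, anchor): the ancestor chain from the alerted process up to its
    root, with the full descendant subtree below the anchor. Siblings of the
    ancestors are left out; related events attach to the node that produced them."""
    by_pid = {e["pid"]: e for e in starts}
    children: Dict[Optional[int], List[int]] = defaultdict(list)
    for e in starts:
        children[e["ppid"]].append(e["pid"])
    events: Dict[int, List[str]] = defaultdict(list)
    for ev in related:
        events[ev["pid"]].append(f'{ev["type"]}: {ev["detail"]}')
    if alert_pid not in by_pid:
        raise KeyError(f"no process start record for pid {alert_pid}")

    def make(pid: int) -> ProcessNode:
        e = by_pid[pid]
        return ProcessNode(pid, e["name"], e["ppid"], list(events[pid]))

    def descend(pid: int, seen: Set[int]) -> ProcessNode:
        node = make(pid)
        seen.add(pid)
        for child in children[pid]:
            if child not in seen:            # guards against malformed or cyclic ppid data
                node.children.append(descend(child, seen))
        return node

    anchor = descend(alert_pid, set())
    # walk upwards; each ancestor keeps only the branch that leads to the alert
    root, seen = anchor, {alert_pid}
    ppid = by_pid[alert_pid]["ppid"]
    while ppid is not None and ppid in by_pid and ppid not in seen:
        parent = make(ppid)
        parent.children.append(root)
        seen.add(ppid)
        root, ppid = parent, by_pid[ppid]["ppid"]
    return root, anchor


def pids_in_tree(node: ProcessNode) -> Set[int]:
    out = {node.pid}
    for c in node.children:
        out |= pids_in_tree(c)
    return out


def render(node: ProcessNode, depth: int = 0) -> List[str]:
    """Indented text view: one line per process, one per attached event."""
    pad = "  " * depth
    lines = [f"{pad}{node.name} (pid {node.pid})"]
    lines += [f"{pad}  - {ev}" for ev in node.events]
    for c in node.children:
        lines += render(c, depth + 1)
    return lines


if __name__ == "__main__":
    root, anchor = reconstruct_tree(300, PROCESS_STARTS, RELATED_EVENTS)
    print("\n".join(render(root)))
```

Anchoring on the alerted process rather than on the session root is what keeps the view small on a busy host: the `notepad.exe` branch and its file read never appear, while the child `powershell.exe` and its network connection, which are the context an analyst actually needs, do.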

***

### [Beta] Threat Hunting Engine

* Added **Splunk** as a collection source for threat hunts.
* Includes safeguards:
  * Record caps
  * SPL validation
  * Aggregation usage for performance
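The three safeguards listed above (record caps, SPL validation, a preference for aggregation), as an added Python example of how a hunt engine might gate a generated query before it reaches Splunk (written for these notes; not the product's implementation). The blocked-command list, the default cap of 1000 and the "no time bound" rule are the example's own assumptions; the page names the safeguards but not their parameters.

```python
import re
from typing import Dict, List

RECORD_CAP = 1000   # assumed default; the notes mention record caps but not their size

# SPL commands that write, delete or send data. A hunt must stay read-only, so any
# of these fails validation. (List assembled for this example.)
BLOCKED_COMMANDS = {"delete", "collect", "mcollect", "meventcollect", "summaryindex", "tscollect",
                    "outputlookup", "outputcsv", "sendemail", "runshellscript", "script"}
# Commands that may legitimately open a pipeline; anything else in first position is an implicit 'search'.
GENERATING = {"search", "tstats", "mstats", "from", "inputlookup", "metadata", "datamodel", "makeresults"}
AGGREGATING = {"stats", "tstats", "mstats", "chart", "timechart", "top", "rare", "eventcount"}

_HEAD = re.compile(r"^head\b(?:\s+(?:limit=)?(\d+))?", re.I)
_TIME_BOUND = re.compile(r"\b(earliest|latest)\s*=", re.I)


def split_pipeline(spl: str) -> List[str]:
    """Split on '|' outside double quotes; a quoted search term may itself contain a pipe."""
    stages, buf, in_quotes = [], [], False
    for ch in spl:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "|" and not in_quotes:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def _command(stage: str, first: bool) -> str:
    word = stage.split(None, 1)[0].lower()
    return word if (word in GENERATING or not first) else "search"


def prepare_hunt_query(spl: str, cap: int = RECORD_CAP) -> Dict[str, object]:
    """Validate generated SPL and enforce the record cap. Returns the capped query
    only when no hard problem was found; warnings are reported but do not block."""
    stages = split_pipeline(spl)
    if not stages:
        return {"ok": False, "problems": ["empty query"], "query": None, "aggregated": False}
    commands = [_command(st, i == 0) for i, st in enumerate(stages)]
    problems = [f"blocked command: {c}" for c in commands if c in BLOCKED_COMMANDS]
    if commands[0] in {"search", "tstats", "mstats"} and not _TIME_BOUND.search(stages[0]):
        problems.append("no earliest=/latest= bound on the generating search")
    # record cap: clamp an existing head, otherwise append one
    for i, st in enumerate(stages):
        m = _HEAD.match(st)
        if m:
            n = int(m.group(1)) if m.group(1) else 10     # 'head' with no count returns 10
            stages[i] = f"head {min(n, cap)}"
            break
    else:
        stages.append(f"head {cap}")
    aggregated = any(c in AGGREGATING for c in commands)
    if not aggregated:
        problems.append("warning: raw-event query; an aggregation (stats/tstats) usually scales better")
    hard = [p for p in problems if not p.startswith("warning")]
    return {
        "ok": not hard,
        "problems": problems,
        "query": " | ".join(stages) if not hard else None,
        "aggregated": aggregated,
    }


if __name__ == "__main__":
    print(prepare_hunt_query("index=wineventlog EventCode=4624 earliest=-24h | stats count by user"))
    print(prepare_hunt_query("index=main earliest=-1h | delete"))
```

The quote-aware split is the part most often skipped: a naive `spl.split("|")` would treat `msg="a|b"` as two stages, mis-detect the command list and append the cap in the wrong place.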

***

### Context Memory & Knowledge Base

* Optimized context-memory API:
  * Reduced unnecessary fields
  * Lower latency and database load

***

### Investigations & Interviewer Flows

* Improved AI-driven interview experience:
  * Correct timeframe references
  * Stops prompting once interviews are complete

***

### System Events & Auditing

* **[Beta]** Added system events for:
  * External API calls
  * Integration evidence lookups (success, error, no results)
* Improved System Events UI:
  * Lazy-loads large evidence payloads
  * Keeps pages responsive

***

## Security & Reliability

### General Robustness

* Improved MS Graph file lookup error handling:
  * Missing permissions now appear as structured evidence
  * Reduces noisy errors in investigations

***

## Bug Fixes

### Microsoft Sentinel & Microsoft Defender

* Fixed ingestion delays caused by:
  * Severity changes
  * Large lookback windows
* Improved deduplication logic using KQL.
* Updated default behavior:
  * New integrations now ingest **Incidents** instead of raw Alerts.

***

### Microsoft 365 Email Alerts

* Fixed incorrect sender display in phishing alerts.
* Ensures consistent entity attribution.

***

### Email Parsing

* Resolved failures for malformed or deeply nested headers.
* Ensures investigations can proceed with extracted metadata.

***

### Splunk Alert Polling

* Fixed blocking behavior in alert poller caused by synchronous calls.
* Improved polling reliability and reduced risk of missed alerts.

***

## Integration Improvements

### Palo Alto Cortex XDR / XSIAM

* Improved enrichment for:
  * Entra ID authentication
  * WildFire malware alerts
* Optimized XQL query generation:
  * Clamped oversized limits
  * Selected best dataset per query
* Enhanced process-tree reconstruction for clearer endpoint context.

***

### Splunk

* Improved schema detection and SPL generation.
* Expanded coverage for:
  * Palo Alto cloud logs
  * Windows Event Logs
* Added:
  * Scanner lookback window configuration
  * Option to skip `tstats` for large datamodels
* Enabled Splunk as a threat-hunt data source.

**Customer action:**\
Review scanner configuration options (lookback window and `tstats` exclusion) for large environments.

***

### Microsoft Defender, Sentinel & KQL

* Added status-based filters for ingestion control.
* Improved KQL generation for Windows Event logs:
  * Better handling of dynamic fields (e.g., `EventData`)
  * Improved detection of RDP and lateral movement patterns

***

### Microsoft 365 & Entra ID

* Improved sign-in timeline accuracy:
  * Correct field ordering
  * Reduced misclassification of failed vs successful logins

***

### SentinelOne

* Added support for configuring a **default Site ID**.
* Enables correct tenant targeting in MSSP and multi-tenant setups.

**Customer action:**\
Configure a default Site ID if using multi-tenant SentinelOne deployments.

***

### Panther

* Expanded use in network-activity context.
* Enables richer device-level network behavior analysis.

***

### Elasticsearch

* Updated evidence to include **ISO-formatted time ranges**.
* Improves transparency of query scope and timeframe.

***
