# March 12, 2026

## Highlights

* Added concise detection objective summaries to investigations for quick alert understanding.
* Expanded and refined investigation context across Microsoft 365, Defender, Sentinel, Splunk, GCP, and Palo Alto Cortex to improve signal quality and reduce noise.

***

## New Features

### Detection Objective Summaries

Each investigation now includes a 1–2 sentence, plain-language description of what the detection is trying to identify, helping analysts quickly understand alert intent.

### [BETA] Threat Hunter Catalog and Reports

Introduced initial UI pages to:

* Browse threat hunt definitions
* Review completed hunts with timelines, key insights, and findings

Currently available as a limited preview.

***

## Improvements

### Alert Summaries & Evidence Timestamps

* Prioritized human-readable timestamps and automatic epoch conversion
* Evidence entries now include explicit time ranges for better context visibility

### Email & Phishing Investigations

* Improved parsing of complex or nested email headers
* Correct sender address display in Microsoft phishing alerts
* Enhanced detection of credential-harvesting campaigns with reduced false positives

### User & Identity Enrichment

* Expanded support for `DOMAIN\user` identifiers
* Improved Microsoft and GCP telemetry integration
* Better distinction between successful and failed Entra ID sign-ins

### Process, File, and Domain Forensics

* Parallel querying across multiple sources (e.g., EDR + SIEM) for file-origin lookups
* Human-readable filenames shown alongside hashes
* Improved domain reputation checks for suspicious domains

### Endpoint and Windows Servicing Scenarios

* Browser-cached documents treated as suspicious until analyzed
* Reduced false positives for legitimate Windows servicing activity

### Palo Alto Cortex Investigations

* Improved process-tree reconstruction anchored on alerted processes
* Clearer WildFire alert action types (detected, blocked, scanned)
* Optimized query generation and dataset selection

### [BETA] Threat Hunting Engine

* Added Splunk as a data source for threat hunts
* Introduced safeguards for performance (record caps, syntax validation, aggregations)

### Context Memory & Knowledge Base

* Optimized context-memory API to reduce latency and database load

### Investigations & Interviewer Flows

* Improved AI interview flow accuracy and completion handling

### System Events & Auditing

* [BETA] Added system events for API calls and evidence lookups
* Improved UI performance with deferred loading of large evidence payloads

***

## Security & Reliability

### General Robustness

* Improved MS Graph file lookup error handling
* Missing permissions now surface as clear investigation evidence instead of errors

***

## Bug Fixes

### Microsoft Sentinel & Microsoft Defender

* Fixed ingestion delays caused by severity changes and large lookbacks
* Updated default ingestion to use Incidents instead of raw Alerts

### Microsoft 365 Email Alerts

* Fixed incorrect sender display in phishing alerts

### Email Parsing

* Resolved failures with malformed or deeply nested headers

### Splunk Alert Polling

* Fixed blocking behavior in alert poller to prevent missed polls

***

## Integration Improvements

### Palo Alto Cortex XDR / XSIAM

* Improved enrichment for Entra ID authentication and WildFire alerts
* Optimized XQL queries for efficiency
* Enhanced process-tree reconstruction for better endpoint visibility

### Splunk

* Improved schema detection and SPL generation
* Expanded context for GCP and network activity
* Removed hard-coded IP/CIDR exclusions
* Added scanner configuration options for performance tuning

**Customer Action:**\
For large Splunk environments, review the scanner configuration options (lookback window and tstats exclusions) to tune performance.

***

### Microsoft Defender, Sentinel & KQL

* Added status-based filtering for alerts and incidents
* Improved KQL generation for Windows Event logs

### Microsoft 365 & Entra ID

* Improved query coverage for accurate sign-in timelines

### SentinelOne

* Added support for default Site ID configuration

**Customer Action:**\
If you use Site IDs for tenant separation, configure a default Site ID.

***

### Panther

* Expanded network-activity context using Panther telemetry

### Elasticsearch

* Added ISO-formatted time ranges to evidence for better validation

***
