# March 19, 2026

## Highlights

* Added beta support for Rapid7 InsightIDR as a new data source, including alert ingestion and query capabilities.
* Introduced a ServiceNow data source integration.
* Exposed new context memory APIs for programmatic access to organization-specific context.
* Improved alert conclusions across multiple scenarios (VPN access, print servers, browser updaters, vendor processes, IIS workers, and new-domain downloads) to reduce noise and improve detection accuracy.

***

## New Features

### Context Memory API

Added REST endpoints to:

* List context memory items
* Retrieve items with filtering, search, sorting, and pagination

Enables easier integration with external tools and automation.

***

## Integrations

### Swimlane Threat Intelligence

* Added enrichment for IPs, domains, URLs, file hashes, and email indicators using Swimlane TI apps
* Enhances investigations with customer-owned intelligence

**Customer Action:**\
Provide Swimlane app details and authentication in integration settings to enable enrichment.

***

### \[BETA] Rapid7 InsightIDR

* Added beta support as a data source
* Includes:
  * Alert polling
  * User and device enrichment
  * Process-tree visualization
  * LEQL-based queries

**Customer Action:**\
Contact your Dropzone team to participate in the beta.

***

### ServiceNow

* Added ServiceNow as a queryable data source during investigations
* Enables retrieval of:
  * Incidents
  * Request items
  * Security alerts

Reduces reliance on periodic scans.

**Customer Action:**\
Configure ServiceNow instance URL and OAuth credentials in integration settings.

***

## Improvements

### Alert Classification & Outcomes

Improved conclusions for recurring scenarios, including:

* VPN egress IPs used in expected cloud activity
* Kerberos Pass-the-Ticket alerts on print servers
* Legitimate browser updaters via Task Scheduler
* Benign vendor background processes and IIS workers
* File downloads from newly registered domains

Reduces false positives while improving detection of suspicious behavior.

***

### Email Investigations

* Improved context by combining sender display name and email address
* Enhances detection of impersonation scenarios

***

### Context Memory Usage in Investigations

* Improved summarization to focus on stored organizational context
* Reduced speculative conclusions

***

### Device Enrichment

* Modernized enrichment workflows across:
  * CrowdStrike
  * Elastic
  * Microsoft 365 Defender
  * Okta
  * Palo Alto Cortex
  * SentinelOne
  * Splunk

Improves device identification even with incomplete identifiers.

***

### Dashboards

* Released **Impact dashboard tab** to all customers
* Improved Sankey visualizations:
  * Alignment
  * Padding
  * Tooltips
  * Legend ordering
* Enhanced fleet dashboard navigation and readability

***

## Security & Reliability

* Upgraded multiple dependencies (authentication, serialization, etc.) to latest secure versions

***

## Bug Fixes

### Splunk

* Fixed configuration scanner failures caused by certain macros or lookup definitions
* Improved reliability of index and data model discovery

***

## Integration Improvements

### Splunk

* Improved handling of concurrency limits with retry + jittered backoff
* Expanded sourcetype selection for better dataset coverage
* Hardened scanner against null/missing fields
* Simplified alert poller setup for Splunk Enterprise Security

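As an added illustration of the retry-plus-jittered-backoff approach named in the first item above (this is not Dropzone's or Splunk's code; the error class, the status codes treated as transient, the base and cap values, and the simulated search endpoint are all assumptions), the following Python sketch shows capped exponential backoff with full jitter that honours a server-supplied Retry-After hint and gives up after a fixed number of attempts:

```python
"""Retry with capped exponential backoff and full jitter for an API that
enforces a concurrency limit. Added illustration only; the error class,
status codes, constants and the fake search endpoint are assumptions."""
import random
import time


class TransientError(Exception):
    """Raised for responses worth retrying (assumed: HTTP 429 or 503)."""

    def __init__(self, status, retry_after=None):
        super().__init__(f"transient HTTP {status}")
        self.status = status
        self.retry_after = retry_after  # seconds, if the server sent a hint


def backoff_delay(attempt, base=0.5, cap=30.0, rng=random.random):
    """Full jitter: uniform in [0, min(cap, base * 2**attempt)].

    Jitter spreads retries from many workers so they do not all hit the
    concurrency limit again at the same instant (the "thundering herd").
    The cap keeps a long run of failures from producing multi-minute waits.
    """
    ceiling = min(cap, base * (2 ** attempt))
    return rng() * ceiling


def call_with_retry(fn, max_attempts=5, sleep=time.sleep, rng=random.random):
    """Call fn(); on TransientError wait and retry, up to max_attempts calls.

    A server-supplied Retry-After wins over the computed backoff. Any other
    exception is not a capacity problem and propagates immediately, so a
    misconfiguration or auth failure never turns into a retry storm.
    """
    for attempt in range(max_attempts):
        try:
            return fn()
        except TransientError as exc:
            if attempt == max_attempts - 1:
                raise  # budget exhausted: surface the error to the caller
            delay = (exc.retry_after if exc.retry_after is not None
                     else backoff_delay(attempt, rng=rng))
            sleep(delay)
    raise RuntimeError("retry loop exited without a result")  # unreachable


class FakeSearchHead:
    """Constructed stand-in for a search endpoint with a concurrency limit:
    the first `busy_for` calls are rejected with 429, then searches succeed."""

    def __init__(self, busy_for, retry_after=None):
        self.busy_for = busy_for
        self.retry_after = retry_after
        self.calls = 0

    def search(self, query):
        self.calls += 1
        if self.calls <= self.busy_for:
            raise TransientError(429, retry_after=self.retry_after)
        # constructed result; any real client would return the API's payload
        return {"query": query, "results": [{"host": "web01", "status": 200}]}


def run_search(head, query, **kw):
    """Run one search against `head` with retry; kw is passed to call_with_retry."""
    return call_with_retry(lambda: head.search(query), **kw)


if __name__ == "__main__":
    head = FakeSearchHead(busy_for=2)
    result = run_search(head, "search index=main sourcetype=access_combined",
                        sleep=lambda s: print(f"limit hit, waiting {s:.2f}s"))
    print(f"succeeded after {head.calls} calls:", result)
```

Two design points worth keeping when adapting this: the attempt budget is bounded, because an unbounded retry loop against a saturated search head only adds to the load that caused the 429s in the first place; and only errors that actually signal capacity are retried, so authentication or query errors fail fast and show up in logs instead of being masked by repeated waits.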
***

### Wiz

* Added enrichment for Wiz “issue” and “threat” alerts
* Included:
  * Related detections
  * Detailed issue context
  * Triggering events (when permitted)
* Improved webhook handling for consistent structured context

***

### Microsoft 365 Defender (Microsoft Graph)

* Added optional pagination for large-scale incident polling
* Prevents API size-limit issues

***

### ServiceNow

* Updated OAuth implementation to align with client-credentials flow
* Improved authentication reliability

***

### CrowdStrike Falcon Sandbox

* Enabled:
  * Querying existing sandbox reports
  * File detonation with behavioral summaries
* Improved handling of CrowdStrike console URLs to avoid incorrect reputation checks

***

### Palo Alto Cortex XSIAM/XDR

* Improved file-origin analysis
* Added structured fallback summaries for clearer investigation results

***

### Swimlane Threat Intelligence

* Migrated to official Swimlane SDK
* Simplified field handling to return all non-empty fields

***

### Response Actions (Swimlane)

* Added official Swimlane Python package to response environments
* Enables pushing investigation results back into Swimlane more easily

***
