# March 26, 2026

## Highlights

* Expanded investigation context and configuration flexibility for ServiceNow, Okta, Splunk, and Elasticsearch integrations.
* Improved Microsoft 365 phishing, hunting, and process-tree investigations for higher accuracy and coverage.
* Significantly reduced Splunk scanner runtimes and improved reliability for large environments.

***

## New Features

### Multi-slot Support for Okta and Splunk

Enabled multiple configuration slots for Okta and Splunk so you can onboard multiple tenants or environments within a single instance.

***

### \[BETA] ServiceNow Investigation Context

Added ServiceNow as a data source so investigations can query configured ServiceNow tables alongside other context sources during alert analysis.

***

## Improvements

### Impact Dashboard Navigation

* Added deep links from the alert flow Sankey visualization to the Investigation List
* Filters are pre-populated using both original and final outcomes/priorities

***

### Impact Dashboard KPI Accuracy

* Corrected “weeks” calculation to always reflect the exact absolute date range behind the selected time filter

***

### Phishing Investigations

* Improved handling of phishing URLs that return HTTP 404 on newly created domains
* These are now treated as higher risk when other phishing indicators are present

***

### Endpoint and Script Investigations

* PowerShell investigations now check whether scripts have run on other hosts in recent weeks
* Helps distinguish routine automation from suspicious one-off activity

***

### Linux SSH Brute-force Alerts

* Improved classification so `linux:syslog` SSH brute-force alerts are treated as endpoint activity instead of Active Directory

***

### Knowledge Base Reliability

* Prevented empty or invalid strings from being sent to embedding services
* Reduced rare errors when entity data is missing

***

### Splunk Scanner Performance

* Optimized data model queries
* Parallelized post-processing
* Significantly reduced scan times for large environments without increasing concurrency

***

### Web Page Analysis

* Improved handling of late JavaScript navigations
* Prevents scan failures once content has been captured

***

### Image Analysis

* Improved handling of SVG and XML inputs
* Unsupported formats are now safely skipped instead of causing errors

***

## Security & Reliability

* Introduced shared permit managers and telemetry for better concurrency control across integrations
* Tuned HTTP client limits and added diagnostics to reduce transient API connectivity issues

***

## Bug Fixes

### Microsoft Sentinel

* Fixed enrichment failures by accepting partial Azure query results
* Correctly escaped usernames containing backslashes in Kusto queries

***

### Microsoft 365 Defender / Microsoft Graph

* Improved handling of advanced hunting timeouts (now surfaced as partial results)
* Preserved critical filters (e.g., device identifiers) during retries

***

### Panther

* Fixed issues with long-running queries by clamping future end times
* Corrected handling of timezone-aware timestamps

***

### Datadog

* Fixed AWS role activity queries by properly escaping special characters
* Eliminated HTTP 400 errors caused by malformed queries

***

### Web Page Scanning

* Fixed failures retrieving page titles/screenshots during late navigation
* Added fallback to captured HTML

***

### Vision Analysis

* Fixed errors caused by SVG files entering the image pipeline
* Unsupported formats are now safely skipped

***

### Slack Interviewer

* Improved Slack API error handling
* Errors now include clear messages (e.g., missing scopes) instead of generic failures

***

## Integration Improvements

### Microsoft Sentinel

* Improved enrichment reliability using partial query results
* Enhanced handling of special characters in user identifiers

***

### Microsoft 365 Defender (Graph)

* Expanded the phishing submission capture window to an hourly 7-day lookback
* Improved process-tree construction when process IDs are missing
* Enhanced timeout handling

***

### Splunk

* Reduced scan times and failures by:
  * Deduplicating ingest batches
  * Removing duplicate fields from `tstats` queries
  * Optimizing datamodel enrichment
* Prioritized commonly queried sourcetypes using historical search activity

***

### \[BETA] ServiceNow

* Enabled ServiceNow context within investigations
* Removed hard-coded default tables for greater configuration control

**Customer Action:**\
Review ServiceNow integration settings to ensure desired tables are selected.

***

### Elasticsearch

* Added option to prevent device enrichment queries from scanning all indices

**Customer Action:**\
For large environments, consider disabling cluster-wide device lookups.

***

### Okta

* Added multi-slot support for configuring multiple tenants or environments

***

### Datadog

* Improved AWS role activity analysis
* Ensured consistent evidence capture when errors occur

***

### Slack

* Enhanced diagnostics by grouping API errors per workspace and error code

***

### GCP

* Treated expected 404 API responses as informational instead of high-severity errors

***
