- Now supporting endpoint integration with Cisco AMP EDR.
- Now supporting CIDR notation on whitelists to allow users to whitelist a range of values.
- Now detecting and checking Ransomware files that have double file extensions.
- Users can now edit or delete a single entry in the Network Table. They can also delete multiple entries at once.
- Users can now view more information in the log files of an incident or notable event under the JA3 hash.
- Users can now enable packet capture (PCAP) in the UI and download PCAP files for specific incidents or cases.
Added several detection capabilities. The following detections and alert tags can be viewed on the Hunt Activity page:
|Detection||Alert Tag||Description|
|Clear Text Authentication over HTTP||AlertEvent||When connections in a network use clear text authentication over HTTP, they are recorded on the Hunt Activity page with the AlertEvent tag.|
|Expired Certificate||NoticeEvent||When connections in a network use an expired certificate, they are recorded on the Hunt Activity page with the NoticeEvent tag.|
|Weak Cipher||AlertEvent||When connections in a network use a weak cipher, they are recorded on the Hunt Activity page with the AlertEvent tag.|
- Improved UI functionality for several actions so they respond as expected: query behavior and search results, saved configurations, and Rapid7 integrations and queries.
- Data Transfer visualizations on the Main Dashboard now represent total networking traffic.
- No deprecated features in this release.
|Bug ID||Salesforce Case ID||Description|
| || ||After correctly configuring the Rapid7 integration, the user now receives a confirmation message.|
|DE13086||N/A||All SMB types now display correctly in Special Investigation SMB results.|
| || ||Escape characters (\) in a search query are now retained when the query is saved.|
| || ||Queries run against Rapid7 now return results as expected.|
|DE13343||N/A||Data Transfer visualizations on the Main Dashboard now represent total networking traffic.|
|DE13366||423300||When drilling down on hunt query search results, the original query is now appended with an AND to filter results further.|
|DE13382||423557||Slack notification is now disabled by default in configuration, and the services are restricted from sending Slack notifications from customer environments to outside networks unless approved.|
|DE13385||423642||The IOACount field on the incident detail page now works for the Lenovo MistNet user account.|
|DE13420||N/A||The geoip pipeline is now installed on all nodes.|
| || ||The Destination Hostname is now displayed under the Host Menu.|
|DE13610||N/A||The email notifications edit page now displays the correct email value.|
| || ||The username is now parsed as User_name and not User_id.|
|DE13996||N/A||When any network, host, or user is set to critical or watched, the setting is now stored and applied permanently.|
|DE14209||N/A||The query now works with NTLMv2, enabling MistNet to use all available authentication methods for Active Directory integration.|
| || ||The LDAP query now picks only computers and not groups.|
Resolved Issues - Security
Security-related issues resolved with this release are available for customers to view on the Community.
|Bug ID||Components||Description||Release Notes|
| ||Firewall Integrations: Palo Alto||Palo Alto integration only works with PAN OS 10.||Expected Results: The Palo Alto integration should work with any PAN OS. Workaround: There is currently no workaround for this issue.|