Skip to main content
Skip table of contents

NDR 2023.04 Release Notes

Welcome to the April 2023 release of LogRhythm NDR. We have many updates in this version, but first we want to highlight a few exciting recent developments for LogRhythm NDR.

  • India Availability Zone - LogRhythm NDR now has an availability zone in India.
  • Forrester Q1 2023 Landscape Report - LogRhythm NDR is one of the 25 vendors highlighted in Forrester's Network Analysis and Visibility Landscape, Q1 2023.
  • LogRhythm NDR Analytics Engine - we have made multiple general enhancements to our analytics engine, so customers get more refined detections and less noise.

Customer Feedback Opportunities

We always welcome your feedback!

Ubuntu 20.04 Upgrade

Since Ubuntu 18.04 LTS (Bionic Beaver) is reaching its End of Standard Support, LogRhythm is upgrading all customer probe nodes to Ubuntu 20.04 LTS (Focal Fassa). 

  • LogRhythm's SRE team will be contacting customers with more details on when their probe nodes will be upgraded.

NDR 2023.04 Updates

There are many updates in this version that we hope you'll like. Brief explanations of the updates are grouped into the following sections:

Key highlights include:

  • New LogRhythm University NDR Course
  • Documentation Updates
  • Probe Node Status Email Alerts 
  • Whitelisting Enhancements

Training & Documentation


LogRhythm University is now offering a new web-based class: What is NDR? It is designed as a first step for anyone new to Network Detection and Response (NDR). It describes what an NDR solution is, why it is helpful, and provides an overview of LogRhythm NDR's unique architecture.

  • Access this free self-paced course by using your Community credentials to log in to LogRhythm University. You can also click the University link in the main header bar on Community, and then search for What is NDR.


As a companion to the LogRhythm NDR 2023.04 release, we are publishing the initial draft of the user guide for our new UI. We will be building out the LogRhythm NDR User Guide incrementally with each subsequent release to keep pace with the functionality added to the new UI.

We also wanted to highlight some enhancements to our existing documentation:

Analyst Experience

In the LogRhythm NDR 2023.04 release, the functionality of the new UI continues to increase. The new UI now includes the following pages and tables, along with companion documentation:

Log in to the New LogRhythm NDR UI

  1. Log in to the Legacy LogRhythm NDR UI.
  2. In the top right of the page, place your cursor over your profile name and click Edit Profile.
    The Edit Profile page appears.
  3. To enable the Keycloak login, click the Enable Keycloak Login checkbox.
    The Credentials for Keycloak login box appears. 
  4. Type a new password in the Password and Confirm Password fields.
  5. Click Create.  
    The message "Created Successfully" appears.
  6. Click Ok.
  7. At the top of the screen, click Try New UI.
    The new UI opens in a new tab.
  8. Enter your legacy username and the new password you created.
  9. Click Sign In
    The Dashboard of the new UI appears.

Case Table Enhancements

The Cases page now displays a table with cases categorized by global time range and site. Users can modify the global time range and site, and the table updates the data to reflect the modified parameters.

Feature Configuration Page

The Feature Configuration page lets users enable or disable PCAP (Packet Capture) and Netflow services.

Host Page Enhancements

Users can click a timestamp in the History section of the Host Details page to immediately view the associated incident.

In the All Hosts tab of the Host page, users can view the total number of IOAs by clicking IOAs on the right side of the page. 

The Host Details page includes the Host Activity Timeline Graph, and Host Activity Chart and Table. Users can adjust the time range of activity shown in the Host Activity Timeline Graph.

Users can also view the host activity in chart and table form.

Hunt Geo Activity Page Enhancements

The Hunt Geo Activity page displays a global map and table based on site, query, global time range, anomaly, and threat severity. Users can filter to view a specific activity by clicking on a row in the table.

Users can also click on any pin in the global map and view the Entry UUID. They can also click on the displayed Entry UUID to view associated case events.

IDS Rules Page Enhancements

Users can perform multiple actions on the IDS Rules page, including: add, delete, enable, and disable. They can also add or delete IDS Interface Configurations.

Incident Table Enhancements

The Incidents page now displays a table with incidents categorized by global time range and site. Users can modify the global time range and site, and the table updates the data to reflect the modified parameters.

MistWatcher Page Enhancements

Users can now add, edit, and delete MistWatcher Rules and MistWatcher Profiles.

Network Page Enhancements

Users can now select multiple networks to export or delete in bulk.

Probe Node Status Email Alerts

Users can now enable email notifications to receive alerts when a probe node goes down.

Report Page Addition

Users can now access our reporting feature in the new UI.

Whitelist Page Enhancements

Users can now upload new whitelisting rules. We've also added more whitelisting fields, including: Site, Query, Path, Destination User, and Event_trigger_id. There is also a bulk upload option for uploading multiple rules at once.

Resolved Issues

Bug IDDescription
ENG-28150Users can now change the size of the Geo Activity chart on the Dashboard.
ENG-27047The legend text under the Hunt Activity chart now renders as expected.
ENG-26854Customers can now download a new user's certificate by entering the password and clicking Submit.

Filters on the Hunt Activity page now function as expected.


Clarification added for whitelisting check boxes to explain the difference between inputing plain text and regex into the fields.

In the new UI, customers can now view a tooltip. For the legacy UI, we added clarification to the documentation on the Proactively Create and Allow Whitelist page.

ENG-25590The Src and Dest columns in Cases and Incidents tables are now populated with the correct data.
ENG-25582Host and User scores are now displayed correctly.
ENG-25580Case and Incident pages now include more context in their history sections to help users track progress and updates over time.

Users can now search for a range of IP addresses by creating queries in the following format: [IPaddress TO IPaddress] 

For more details, see Search Quick Reference.

ENG-25578The date displayed in the Expiry Date field for a whitelist item no longer persists when navigating to other whitelist items.

Users can now enter spaces when creating saved queries.



A Notable User no longer disappears from the Dashboard after viewing the associated User Details page.



Users can now edit the parameters for an existing network.



Users no longer receive error codes when running queries against Rapid7 integrations.

Resolved Issues - Security

Security-related issues resolved with this release are available for customers to view on the Community.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.