
NDR 2023.10 Release Notes

Welcome to the October 2023 release of LogRhythm NDR. This version has many updates, but we first want to highlight a few exciting recent developments for LogRhythm NDR.

LogRhythm NDR New UI - The procedure to switch to the Legacy UI during or after login is available in the Improvements section of this document.

Customer Feedback Opportunities

We always welcome your feedback!

NDR 2023.10 Updates

There are many updates in this version that we hope you'll like. Brief explanations of the updates are grouped into the following sections:

Key highlights include:

  • Load Balancer tracking improvements.

  • Persisting filters when hunting.

Detections Enhancements

In the LogRhythm NDR 2023.10 release, several improvements have been made around detections including:

Bulk Delete Threat Intel Rules

Customers can now bulk delete threat intel rules for faster tuning of their environment.

Integrations

Okta Integration

  • Okta Integration can be done through Settings → SIEM Configurations → Okta Tab.

  • Users can update the Okta configuration.

Splunk Integration

  • Splunk configurations are listed in the table under Settings → SIEM Configurations → Splunk Tab.

  • Users can add a new Splunk configuration. An alert message is displayed indicating success or error once the new configuration is added.

  • Users can change the Splunk Server Configuration. An alert message is displayed indicating success or error once the update is complete.

Platform

Persisting Filters & Saved Views

When users hunt within incidents and cases, their filters will now persist. They can also save a filter as a view, allowing them to quickly apply filters they use often.

True IP Address Behind Load Balancers

Customers can now see the true IP address behind a load balancer by viewing the xff_ip field in event metadata.

NDR New UI Login Instructions

We want to continue to encourage LR NDR users to work in the New UI. Follow the instructions below to log in:

  1. Log in to the Legacy LogRhythm NDR UI.

  2. In the top right of the page, place your cursor over your profile name and click Edit Profile.
    The Edit Profile page appears.

  3. To enable the Keycloak login, click the Enable Keycloak Login checkbox.
    The Credentials for Keycloak login box appears. 

  4. Type a new password in the Password and Confirm Password fields.

  5. Click Create.  
    The message "Created Successfully" appears.

  6. Click Ok.

  7. At the top of the screen, click Try New UI.
    The new UI opens in a new tab.

  8. Enter your legacy username and the new password you created.

  9. Click Sign In.
    The Dashboard of the new UI appears.

Improvements

Switching to the Legacy UI after login

  1. Log in to the LogRhythm NDR new UI.

  2. Click the Profile icon at the top-right corner of the login page.
    The Profile icon is expanded.

  3. Click the Switch to Legacy UI button.
    The Legacy UI's login page opens as a new tab.

Switching to the Legacy UI during login

  1. Go to the login page of the new UI.

  2. Click the Switch to Legacy UI option.
    The Legacy UI's login page opens as a new tab.

Other Improvements

  • A Date Range picker has been added in the Reports page.

  • In the NDR dashboard, a Speaker icon is included at the top-right corner of the page to give the user a tour of the NDR platform.

  • Observed and Expected values are now shown for EXfill, Kerberos, and Okta anomaly events.

  • A preferences setting button has been included to add or remove a particular field from the entries under Cases, Hunt Activity, Hunt Geo Activity, Hunt Mitre, Incidents, and Policy Violations.

  • The metadata details generally include city/region/country information. The flag and country name have been added to the metadata. In the Activity column for external source or destination IP addresses, the flag will be displayed on Hunt Activity, Incident, Case, and Policy Violations pages.

  • The Incident score threshold and the Case score threshold can now be adjusted by using the sliders available in NDR dashboard → Settings → Score Threshold.

  • Whitelisted entries appear with a whitelist tag in the Hunt page.

Resolved Issues

| Bug ID | Salesforce Case ID | Release Notes |
|---|---|---|
| ENG-9271 | 451312 | Duplicate whitelist rule entries are no longer created when the user clicks the Add button. |
| ENG-9384 | N/A | Palo Alto integration now works with any PAN OS. |
| ENG-36669 | 461925 | LogRhythm NDR analytics uses whois.internic.net and whois.arin.net. Users can block additional WHOIS domains not used in the analytics codebase. |
| ENG-39701 | 458701 | Safelist regex with a field trigger now works correctly, and incidents are no longer created for events that match the Safelist. |
| ENG-41388 | 471770 | Users can now upload custom IDS rules to the new NDR UI. |
| ENG-42352 | 473345 | Users can now share saved searches in the new NDR UI. |

Resolved Issues - Security

Security-related issues resolved with this release are available for customers to view on the Community.
