Sprint 07
Enhancements
These are the enhancements made to existing functionalities on Resolution Intelligence Cloud.
Resolutions
Organization and Tenant Filtering Based on User Scope in Streams
Domain-level users can now filter ActOns by Organization and Tenant under the Tenant and Owner filters in streams. Similarly, organization-level users can filter ActOns by Tenant, allowing for more precise visibility into assignments across teams and owners within the hierarchy.
New ‘Last Updated By’ Filter in Streams
A new Last Updated By filter has been added to streams and applied filters. This allows users to track who last modified an ActOn—whether a platform user or a system component like OpsAssist, SyncAgent, or Custom Actions.
Added User Preferences for Display, Data Density, and Table Settings
Users can now personalize their default view mode (card or list), data density (compact or expanded), and table settings. These preferences are saved across sessions and persist until changed manually, providing a consistent and tailored user experience.
Behavior Analytics
Support for Bookmarking Agent Insights
The Agent Insights tab now includes a Bookmark option at the tenant level, allowing users to bookmark any insights generated by the agent. All bookmarked insights can be accessed under the Bookmarked pill. Users can add or remove bookmarks as needed, and only their own bookmarked insights will be visible to them, making this feature user specific. Additionally, users can see the count of how many others have bookmarked a particular insight, displayed next to the insight.
Introduced Email Notifications in Behavior Models
Email notifications have been introduced to keep users informed about the publication status of behavior models.
Insights
Account Switcher Drop-down Added to List View of Modules
Users can now switch between hierarchy levels using the account switcher drop-down available in the list view of modules. This functionality, previously available only in the card view, has been extended to the list view, allowing seamless navigation across account levels regardless of the view.
Remove Dashboard Option Introduced in Kebab Menu (List View) of Dashboards
A new option to remove a dashboard from a module has been added to the kebab menu in the dashboards list view. This allows users to delink a dashboard from one module and associate it with another.
Module Publishing Restriction Based on Ownership
Enhancements have been made to module publishing. Users can now publish only those modules that they have created. In the publish module side sheet, only user-created modules are visible for publishing to lower-level accounts, ensuring better control and ownership.
Create Modules Directly from Clone Dashboard Side Sheet
Users can now create a new module directly from the Clone Dashboard side sheet. Previously, new modules could be created only from the card or list view pages. This enhancement makes it easier to add a cloned dashboard to a newly created module without navigating away from the current context.
Visual Indicators for Dashboard Publishing Status
New visual indicators have been introduced to display the publishing status of dashboards:
- Orange icon: Dashboard has not been published to any child account.
- Purple icon: Dashboard has been published to one or more child accounts.
When adding an existing dashboard to a module, the appropriate icon will indicate its current publishing status—making it easier to track and manage dashboard visibility across the hierarchy.
Integrations
Unified Single Entity Page Design for All Entity Types
The single entity page has been unified across all entity types, offering a consistent and dynamic layout that adapts based on the entity class. Previously limited to host and user entities, the updated design now supports all entity types, ensuring a streamlined experience.
Entity views vary by source:
- AWS, Azure, GCP: Display source-specific details.
- ManageEngine and similar: Use host layout.
- Chronicle, GitHub: Display user-specific layouts.
For host entities, Software Installed and Patches Missed tabs provide added visibility into system health. This enhancement improves usability and standardizes entity management across the platform.
Signals Widget Enhancements and Navigation in Single Entity Page
A new Signals widget has been added to the Single Entity Details page, providing a visual summary of signals generated by the entity over time. By default, it displays data from the last 30 days, with options to adjust the range to 24 hours, 7, 15, 30, or 60 days. Clicking on a data point reveals a detailed list of signals and affected entities for faster investigation.
Additionally, the Signals, Situations, and ActOns sections within the Security Activities widget are now clickable. These direct links allow users to quickly navigate to detailed views from the Summary tab on both the single entity page and Entity Groups, enhancing visibility and streamlining investigation workflows.
Support for Assume Role ARN in AWS Integration
A new Assume Role ARN field has been added to AWS integrations. When configured, it enables the integration to assume a specified role and use temporary credentials to access associated AWS resources. If left blank, the integration defaults to using a directly assigned role. This enhancement improves flexibility and security when accessing cross-account AWS resources.
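Before pasting a role ARN into the Assume Role ARN field, the role's trust policy on the target account should be scoped so that only the integration's own principal can assume it. The following check is an added example, not code from Resolution Intelligence Cloud; the account ids, role names and the external-id value are constructed placeholders, and requiring an sts:ExternalId condition is an assumption (the release notes do not say whether the integration supplies one).

```python
import json

# Constructed sample trust policies (placeholders, not from the release notes).
INTEGRATION_PRINCIPAL = "arn:aws:iam::111111111111:role/ric-integration"

GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": INTEGRATION_PRINCIPAL},
        "Action": "sts:AssumeRole",
        # Assumed: the integration passes an external id when it assumes the role.
        "Condition": {"StringEquals": {"sts:ExternalId": "ric-tenant-example"}},
    }],
})

OPEN_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy_json, expected_principal, require_external_id=True):
    """Return a list of findings for a role trust policy; an empty list means it passes."""
    findings = []
    seen_assume_role = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*"}:
            continue
        seen_assume_role = True
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws_principals:
            findings.append("sts:AssumeRole is allowed from any AWS principal")
        elif expected_principal not in aws_principals:
            findings.append(f"unexpected principal(s): {sorted(aws_principals)}")
        if require_external_id:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if "sts:ExternalId" not in cond:
                findings.append("no sts:ExternalId condition (confused-deputy risk)")
    if not seen_assume_role:
        findings.append("no statement allows sts:AssumeRole")
    return findings
```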
Accounts
Restricting User Creation Based on Hierarchy
Users can now only invite and assign roles that are equal to or below their own role in the platform hierarchy.
Additionally, the Modify Features option in the user creation workflow is now restricted to Owners and Global Admins only. This ensures tighter control over feature access and aligns user permissions with organizational policies.
Sprint 06
New Features
The following are the new features introduced in this release:
Introducing Entity Groups for Behavior-Based Risk Insights
Entity Groups is a new feature designed to help teams classify and monitor sets of related entities—such as users or hosts—based on common attributes or roles, enabling targeted analysis and risk detection.
With built-in support for behavior-based grouping, Entity Groups allow organizations to track entities exhibiting risky patterns aligned with MITRE ATT&CK tactics and techniques, such as:
- Known Leavers: Detect exfiltration behaviors or suspicious activity before departure.
- Cloud Admins: Monitor for abuse of privileged access (e.g., TA0004 - Privilege Escalation, TA0005 - Defense Evasion).
- Former Employees: Identify unauthorized access attempts post offboarding.
These groups provide enriched visibility and behavioral context across key security workflows—supporting detection, scoring, and triage activities within the platform. Entity Groups can be used in dashboards, behavior models, and investigation workflows to prioritize high-risk scenarios.
Summary Tab for Entity Groups
A Summary tab has been introduced to provide centralized behavioral insights and risk analytics for both User and Host entity groups.
Introducing Agent Insights in Behavior Analytics
The Behavior Analytics module now includes a new Agent Insights tab alongside the existing Models tab on the landing page. This enhancement introduces an agent trained on data from the past 7 days, with a specific focus on the principal.user.userid dimension. The agent analyzes behaviors detected by models using this dimension, establishes relationships between these behaviors, and generates contextual insights—each tagged with a risk level: High, Medium, or Low. These insights are enriched with entity metadata to provide a deeper understanding of user behavior.
Furthermore, Agent Insights evaluate user behavior within the context of entity groups, dynamically adjusting risk levels based on whether the observed actions align with the user’s legitimate responsibilities as defined by their entity group.
For example, if a senior engineer in the DevOps team performs maintenance and management of a Kubernetes pod, the agent may initially flag this as high risk. However, if the user is part of an entity group with authorized access to Kubernetes pods, the risk level may be reassessed and downgraded to medium or low, based on the context.
Each insight includes:
- The model responsible for detecting the anomaly
- A detailed hypothesis explaining possible tactics and techniques
- An Attack Flow visualization showing the potential attack path with suggested mitigation strategies
To streamline investigation, users can filter insights by:
- Time window (Last 7, 15, or 30 days)
- Risk level
- Source user
This capability provides security teams with enriched behavioral analytics and enables more accurate, context-aware risk assessments.
Enhancements
These are the enhancements made to existing functionalities on Resolution Intelligence Cloud.
Insights
Added Module and Dashboard Cloning Capabilities
We have introduced new module and dashboard cloning capabilities, enhancing flexibility and efficiency in managing dashboards across different hierarchy levels.
- Module Cloning from Parent to Child Accounts: Users in child accounts can now clone published modules from the parent account. This cloning functionality creates a copy of the original module, allowing users to selectively include specific categories and dashboards from the source.
  Note: Module cloning is available only for modules published from parent to child accounts.
- Dashboard Cloning, Unrestricted by Hierarchy: Dashboards can now be cloned regardless of whether they were published from the parent to child accounts or created at the same hierarchy level. During cloning, users can specify the target module and category under which the cloned dashboard should be placed, offering more control over dashboard management.
UI Enhancements for Dashboard and Category Management
- When adding a new category, users now have the option to either add existing dashboards or create a new dashboard directly under that category, streamlining content organization.
- After creating a new dashboard, users are automatically redirected to the newly created dashboard’s page, simplifying the dashboard authoring process.
Hierarchy Creation Controls
Dashboards created within a module now have the hierarchy option disabled by default, ensuring that the dashboard is always created directly under the module at the appropriate hierarchy level. This change maintains structural consistency across the platform by automatically defaulting to the current hierarchy level, preventing any misalignment in dashboard placement.
Improved Module Name Validation Across Hierarchies
Module name validation now takes the hierarchy into account: modules can share the same name at different levels within the hierarchy, but duplicate names are not allowed at the same level unless the module with the same name is shared by the parent account. This ensures better organization and clarity.
Resolutions
Updated Priority Icons Across the Platform
Priority icons have been visually refreshed across the platform for consistency and clarity. These updated icons are now visible in ActOn Settings, Functions, Signals, Situations, and ActOns—providing a more intuitive way to assess and respond to priority levels.
Streams
Set Any Stream as the Landing Page
Users can now configure any stream—parent or child—as the default landing page within the ActOns module. The selected stream opens automatically when accessing ActOns and is marked with a "default" tag for easy identification.
Support for Unassigned Teams and Owners in Streams
A new Unassigned option is available in the Owner dropdown during stream creation, allowing users to create or filter streams without assigning a specific team or owner. This provides better visibility into unassigned ActOns and improves queue management.
Edit Option Disabled for Parent Streams with Associated Child Streams
To preserve stream integrity, parent streams become non-editable once child streams are associated. While initially editable under the default name "All ActOns," parent streams are locked for edits once a hierarchy is established.
Entity and Entity Group Filters on Key Pages
Entity and Entity Group Filters in Signal and Situations
New filters have been added to enhance investigation workflows:
- Signals and ActOns: Filter by specific entities or entity groups directly from listing pages and streams.
- Situations: A new Entity Groups filter enables focused analysis of related incidents.
Entity Groups Linked to ActOns
Entity Groups are now visible within the Entities & Evidences section of an ActOn. Users can view associated group names and drill into group details with a click, offering SOC teams deeper insights into entity behavior and contextual risk.
Support for Autosuggestion of Variables in Escalation Templates
Escalation templates now support auto-suggestion for variables to streamline the message editing process. When users type {{ in the Monaco editor, a drop-down of available variables appears automatically—supporting both Plain Text and Nunjucks formats. Users can also define custom variables in Nunjucks using {% set variable_name %}. As part of this update, the Add Field button has been removed to simplify the editing experience and reduce interface clutter.
Addition of New ActOn Attributes in System Notifications
Two new attributes have been added to ActOn data sources for use in system notifications:
- acton.substatus – Enables targeting notifications based on the ActOn's sub-status (e.g., Scheduled Activity).
Signal Analytics
Copy & Share Agent Findings Links
Users can now copy and share direct links to Agent findings within the same tenant, available from both list and detail views. In multi-tenant environments, domain or org users must switch to the tenant to access shared insights.
Sort Ordering for Saved analyses
Saved analyses in the Stacks view are now ordered with the latest entries on top, improving accessibility to recent investigations.
Expand/Collapse All for Agent Findings
New Expand All and Collapse All buttons have been added to the Agent Findings tab, making it easier to navigate and manage multiple findings at once.
Behavior Analytics
Enhanced Signal Visualization: Before and After Model Creation
We’ve added support for distinguishing between signals generated before and after model creation:
- Pre-model anomalies are now visible on the bar graph in an “Unavailable” state. These are not sent to Chronicle but are used for training purposes.
- Post-model anomalies, trained on up to 60 days of historical data, are sent to Chronicle as valid signals.
- If a model is temporarily disabled, anomalies during that period are displayed as grayed out and are not sent to Chronicle.
Addition of feedback option for Agent Insights
Users can now provide direct feedback on Agent generated insights using thumbs-up and thumbs-down icons. This allows users to highlight what was helpful and flag areas for improvement, enabling continuous refinement of Agent findings in behavior analytics.
Added Activity Logs in Behavior Analytics
Two new activity logs have been introduced in the Behavior Analytics module:
- Behavior Model Publishing Completed
- Behavior Model Published Through Content Packs
These activities are now tracked in the model-level activity logs, providing enhanced visibility into the publishing process.
Integrations
Enhanced Filtering with Entity Groups, and Additional Attributes
Entities Overview and Inventory pages now support filtering by Entity Groups, State, and custom attributes, allowing users to efficiently organize, search, and analyze entities with greater precision.
Content Management System
Enhanced Breadcrumb Design
The breadcrumb navigation in the CMS module has been enhanced for better readability and space efficiency. Full breadcrumb paths are now visible by default and only truncate on smaller screens. When truncated, tooltips appear on hover. For long breadcrumb trails, the middle link is collapsed while the first and last remain visible for easier navigation.
New Activity Logs on Rules and Packs
Two new activity log types have been added to improve traceability:
- Rule-to-Pack Association: Tracks when rules are linked to multiple packs.
- Pack Publishing Completion: Captures the status once a pack has been successfully published.
These additions increase visibility into rule relationships and publishing workflows.
Redesigned Table Components Across CMS
Table components across the CMS—such as detection rules, reference lists, content packs, and threat feeds—have been updated for better usability. Action menus are now accessible without scrolling, improving interaction and workflow efficiency.
Accounts
Theme Preference Retention in Accounts
Users can now switch between dark and light mode, with their selected theme retained across sessions and accounts—delivering a consistent and personalized UI experience on every login.