New Features
The following are the new features introduced in this release:
Introducing Entity Groups for Behavior-Based Risk Insights
Entity Groups is a new feature designed to help teams classify and monitor sets of related entities—such as users or hosts—based on common attributes or roles, enabling targeted analysis and risk detection.
With built-in support for behavior-based grouping, Entity Groups allow organizations to track entities exhibiting risky patterns aligned with MITRE ATT&CK tactics and techniques, such as:
- Known Leavers: Detect exfiltration behaviors or suspicious activity before departure.
- Cloud Admins: Monitor for abuse of privileged access (e.g., TA0004 - Privilege Escalation, TA0005 - Defense Evasion).
- Former Employees: Identify unauthorized access attempts post offboarding.
These groups provide enriched visibility and behavioral context across key security workflows—supporting detection, scoring, and triage activities within the platform. Entity Groups can be used in dashboards, behavior models, and investigation workflows to prioritize high-risk scenarios.
Summary Tab for Entity Groups
A Summary tab has been introduced to provide centralized behavioral insights and risk analytics for both User and Host entity groups.
Introducing Agent Insights in Behavior Analytics
The Behavior Analytics module now includes a new Agent Insights tab alongside the existing Models tab on the landing page. This enhancement introduces an agent trained on data from the past 7 days, with a specific focus on the principal.user.userid dimension. The agent analyzes behaviors detected by models using this dimension, establishes relationships between these behaviors, and generates contextual insights—each tagged with a risk level: High, Medium, or Low. These insights are enriched with entity metadata to provide a deeper understanding of user behavior.
Furthermore, Agent Insights evaluate user behavior within the context of entity groups, dynamically adjusting risk levels based on whether the observed actions align with the user’s legitimate responsibilities as defined by their entity group.
For example, if a senior engineer in the DevOps team performs maintenance and management of a Kubernetes pod, the agent may initially flag this as high risk. However, if the user is part of an entity group with authorized access to Kubernetes pods, the risk level may be reassessed and downgraded to medium or low, based on the context.
Each insight includes:
- The model responsible for detecting the anomaly
- A detailed hypothesis explaining possible tactics and techniques
- An Attack Flow visualization showing the potential attack path with suggested mitigation strategies
To streamline investigation, users can filter insights by:
- Time window (Last 7, 15, or 30 days)
- Risk level
- Source user
This capability provides security teams with enriched behavioral analytics and enables more accurate, context-aware risk assessments.
Enhancements
These are the enhancements made to existing functionalities on Resolution Intelligence Cloud.
Insights
Added Module and Dashboard Cloning Capabilities
We have introduced new module and dashboard cloning capabilities, enhancing flexibility and efficiency in managing dashboards across different hierarchy levels.
- Module Cloning from Parent to Child Accounts: Users in child accounts can now clone published modules from the parent account. This cloning functionality creates a copy of the original module, allowing users to selectively include specific categories and dashboards from the source.
Note: Module cloning is available only for modules published from parent to child accounts.
- Dashboard Cloning – Unrestricted by Hierarchy: Dashboards can now be cloned regardless of whether they were published from the parent to child accounts or created at the same hierarchy level. During cloning, users can specify the target module and category under which the cloned dashboard should be placed, offering more control over dashboard management.
UI Enhancements for Dashboard and Category Management
- When adding a new category, users now have the option to either add existing dashboards or create a new dashboard directly under that category, streamlining content organization.
- After creating a new dashboard, users are automatically redirected to the newly created dashboard’s page, simplifying the dashboard authoring process.
Hierarchy Creation Controls
Dashboards created within a module now have the hierarchy option disabled by default, ensuring that the dashboard is always created directly under the module at the appropriate hierarchy level. This change maintains structural consistency across the platform by automatically defaulting to the current hierarchy level, preventing any misalignment in dashboard placement.
Improved Module Name Validation Across Hierarchies
Module name validation has been improved: modules can now share the same name at different levels within the hierarchy, but duplicate names are not allowed at the same level unless the module with that name is shared by the parent account. This ensures better organization and clarity.
Resolutions
Updated Priority Icons Across the Platform
Priority icons have been visually refreshed across the platform for consistency and clarity. These updated icons are now visible in ActOn Settings, Functions, Signals, Situations, and ActOns—providing a more intuitive way to assess and respond to priority levels.
Streams
Set Any Stream as the Landing Page
Users can now configure any stream—parent or child—as the default landing page within the ActOns module. The selected stream opens automatically when accessing ActOns and is marked with a "default" tag for easy identification.
Support for Unassigned Teams and Owners in Streams
A new Unassigned option is available in the Owner dropdown during stream creation, allowing users to create or filter streams without assigning a specific team or owner. This provides better visibility into unassigned ActOns and improves queue management.
Edit Option Disabled for Parent Streams with Associated Child Streams
To preserve stream integrity, parent streams become non-editable once child streams are associated. While initially editable under the default name "All ActOns," parent streams are locked for edits once a hierarchy is established.
Entity and Entity Group Filters on Key Pages
Entity and Entity Group Filters in Signal and Situations
New filters have been added to enhance investigation workflows:
- Signals and ActOns: Filter by specific entities or entity groups directly from listing pages and streams.
- Situations: A new Entity Groups filter enables focused analysis of related incidents.
Entity Groups Linked to ActOns
Entity Groups are now visible within the Entities & Evidences section of an ActOn. Users can view associated group names and drill into group details with a click, offering SOC teams deeper insights into entity behavior and contextual risk.
Support for Autosuggestion of Variables in Escalation Templates
Escalation templates now support auto-suggestion for variables to streamline the message editing process. When users type {{ in the Monaco editor, a drop-down of available variables appears automatically—supporting both Plain Text and Nunjucks formats. Users can also define custom variables in Nunjucks using {% set variable_name %}. As part of this update, the Add Field button has been removed to simplify the editing experience and reduce interface clutter.
Addition of New ActOn Attributes in System Notifications
Two new attributes have been added to ActOn data sources for use in system notifications:
- acton.substatus – Enables targeting notifications based on the ActOn's sub-status (e.g., Scheduled Activity).
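The escalation-template behaviour described above (the drop-down that appears after typing {{, and {% set %} custom variables rendered with ActOn attributes such as acton.substatus) as an added illustration; this is example code written here, not the product's Monaco editor or its Nunjucks engine, and it handles only a small Nunjucks-style subset. The attribute names other than acton.substatus are assumptions.

```python
import re

# Constructed sample of ActOn attributes exposed to escalation templates.
# Only acton.substatus is named on the page; the other two keys are assumed.
ACTON_ATTRIBUTES = {
    "acton.substatus": "Scheduled Activity",
    "acton.id": "ACT-0001",        # assumed attribute name
    "acton.priority": "High",      # assumed attribute name
}


def suggest_variables(text_before_cursor, attributes=ACTON_ATTRIBUTES):
    """Mimic the editor drop-down: once the user has typed '{{', offer the
    attribute names that start with whatever follows it. Returns [] when the
    cursor is not inside an open '{{ ... ' expression."""
    match = re.search(r"\{\{\s*([\w.]*)$", text_before_cursor)
    if not match:
        return []
    prefix = match.group(1)
    return sorted(name for name in attributes if name.startswith(prefix))


def render_template(template, attributes=ACTON_ATTRIBUTES):
    """Render a Nunjucks-style subset: '{% set name = "value" %}' defines a
    custom variable (string literals only in this stand-in), '{{ name }}'
    substitutes an ActOn attribute or custom variable, and unknown names
    render as an empty string rather than leaking the placeholder."""
    scope = dict(attributes)

    def define(match):
        scope[match.group(1)] = match.group(2)
        return ""  # the set tag itself produces no output

    body = re.sub(r'\{%\s*set\s+([\w.]+)\s*=\s*"([^"]*)"\s*%\}', define, template)
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}",
                  lambda m: scope.get(m.group(1), ""), body)


if __name__ == "__main__":
    print(suggest_variables("Escalating ActOn {{ acton.s"))
    print(render_template('{% set team = "SOC L2" %}'
                          'Escalate {{ acton.id }} ({{ acton.substatus }}) to {{ team }}'))
```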
Signal Analytics
Copy & Share Agent Findings Links
Users can now copy and share direct links to Agent findings within the same tenant, available from both list and detail views. In multi-tenant environments, domain or org users must switch to the tenant to access shared insights.
Sort Ordering for Saved Analyses
Saved analyses in the Stacks view are now ordered with the latest entries on top, improving accessibility to recent investigations.
Expand/Collapse All for Agent Findings
New Expand All and Collapse All buttons have been added to the Agent Findings tab, making it easier to navigate and manage multiple findings at once.
Behavior Analytics
Enhanced Signal Visualization: Before and After Model Creation
We’ve added support for distinguishing between signals generated before and after model creation:
- Pre-model anomalies are now visible on the bar graph in an “Unavailable” state. These are not sent to Chronicle but are used for training purposes.
- Post-model anomalies, trained on up to 60 days of historical data, are sent to Chronicle as valid signals.
- If a model is temporarily disabled, anomalies during that period are displayed as grayed out and are not sent to Chronicle.
Addition of feedback option for Agent Insights
Users can now provide direct feedback on Agent-generated insights using thumbs-up and thumbs-down icons. This allows users to highlight what was helpful and flag areas for improvement, enabling continuous refinement of Agent findings in Behavior Analytics.
Added Activity Logs in Behavior Analytics
Two new activity logs have been introduced in the Behavior Analytics module:
- Behavior Model Publishing Completed
- Behavior Model Published Through Content Packs
These activities are now tracked in the model-level activity logs, providing enhanced visibility into the publishing process.
Integrations
Enhanced Filtering with Entity Groups and Additional Attributes
Entities Overview and Inventory pages now support filtering by Entity Groups, State, and custom attributes, allowing users to efficiently organize, search, and analyze entities with greater precision.
Content Management System
Enhanced Breadcrumb Design
The breadcrumb navigation in the CMS module has been enhanced for better readability and space efficiency. Full breadcrumb paths are now visible by default and only truncate on smaller screens. When truncated, tooltips appear on hover. For long breadcrumb trails, the middle link is collapsed while the first and last remain visible for easier navigation.
New Activity Logs on Rules and Packs
Two new activity log types have been added to improve traceability:
- Rule-to-Pack Association: Tracks when rules are linked to multiple packs.
- Pack Publishing Completion: Captures the status once a pack has been successfully published.
These additions increase visibility into rule relationships and publishing workflows.
Redesigned Table Components Across CMS
Table components across the CMS—such as detection rules, reference lists, content packs, and threat feeds—have been updated for better usability. Action menus are now accessible without scrolling, improving interaction and workflow efficiency.
Accounts
Theme Preference Retention in Accounts
Users can now switch between dark and light mode, with their selected theme retained across sessions and accounts—delivering a consistent and personalized UI experience on every login.