AirMDR Release Notes

• Persistent View Preference:
  Users may choose Reader or Analyst view; the choice is saved per user and applied across sessions and cases.
• Reader View — Streamlined & Read-Only:
  • All edit controls are hidden (no edit buttons).
  • Non-essential sections removed: Linked Cases, Additional Case Fields (reader scope).
  • Empty sections (for example, Actions Required when empty) are automatically collapsed/omitted.
  • Collapsible chevrons redesigned for clearer affordance; section dividers added for improved visual separation.
  • Table rendering improvements for stable, full-row display in reader mode.
• Case UX Improvements (general):
  • New Investigation Log section added (M22 scope) to surface a consolidated execution and decision history.
  • Global Collapse / Expand All control at user level to expand or collapse all case sections with one action.
  • Evidence UX: thumbnails load reliably; evidence opens when users click anywhere on the evidence card (not only the thumbnail).
  • Dynamic section height: sections now expand/shrink to content, eliminating cropping of tables or action blocks.
  • Alert details: Sources section is now visible by default (no longer hidden behind “Show more”).
  • Key Indicators dropdown & other subsection behaviors fixed so they open immediately (no extra clicks).
  • Visual and spacing fixes to prevent table rows from being clipped and to avoid ugly cropping in Actions Required.
• Quality & Polishing:
  • Ongoing minor UI adjustments (spacing, dividers, chevrons) and bug fixes to ensure parity between Reader and Analyst experiences and to improve transferability for demos and audits.

• Enforced read-only experience for consumers of case content with clear visual distinction from analyst workflows.
• Persistent preference reduces accidental edits and improves user efficiency across repeated reviews.
• Faster, more reliable evidence access and viewing behavior for analysts and readers.
• Robust layout handling that prevents cropped tables or truncated sections.
• Centralized investigation history in the new Investigation Log for traceability and audit.

• Executive Review / Stakeholder Readouts: Executives and non-analyst stakeholders use Reader view to review case summaries without edit controls or distracting details.
• Customer Demos & Training: Trainers or sales presenters reset to Reader view to present a consistent, read-only narrative of cases.
• Post-Incident Audits: Investigators and auditors rely on Investigation Log and persisted view context to reproduce decisions and evidence access exactly as presented to reviewers.
• Analyst Workflows: Analysts switch to Analyst view to perform edits, run re-investigations, or access the full case toolset; persistence returns them to the same view on next login.
• Improved Usability: Faster access to evidence (click anywhere) reduces friction during live triage and case handoffs.

​

🔌 New Integrations Added

• Exabeam
• Tines

​

✨ New Skills Added

• Preserve archived case snapshot (read-only) while creating a linked, re-investigation execution instance separate from the archive.
• Automatically tag re-investigation runs and generated artifacts to indicate origin (archived case ID + re-investigation execution ID).
• UI flow includes confirmation modal that explains archived state and resulting new execution snapshot.

• Reproduce investigative flows from archived evidence without altering archived artifacts.
• Maintain auditable separation between archived record and new investigation outputs.

• Re-evaluating closed incidents with new intelligence without modifying archived records.
• Compliance-driven audits that require archived case immutability while permitting follow-up analysis.
• Post-incident re-analysis after new IOC/TTP discovery that affects previously closed cases.

• Improved in-editor validation with clearer error messages and input hints.
• Inline preview of skill inputs/outputs (one-level nested fields) to aid authors while editing.
• Faster save/publish flow with optimistic UI feedback and clearer publish state.
• “Revert to previous” and “View usage” quick-actions added to each skill block for safer edits.
• Reduced reliance on LLM/code edits by surfacing common string/collection operators and templates in the editor.

• Faster, safer skill iteration with immediate validation and contextual previews.
• Reduced deployment friction via optimized publish workflow and one-click revert.
• Improved discoverability of operator options and runtime inputs to decrease authoring errors.

• Rapidly updating enrichment or fetcher skills (e.g., change an API parameter) and validating outputs without running full test executions.
• Authors auditing skill usage across playbooks before making changes (via “View usage”).
• Lowering support requests related to malformed skill input or confusing error messages.

• In create/edit/delete flows for leaf org users, org selector fields and ancestor metadata are hidden or disabled by default.
• Toggle Child Organisation: Introduced a per-org toggle that allows authorized admins to permit (or restrict) parent-context visibility in child org workflows. Changing the toggle is audited and controlled by RBAC.
• UI shows clear, contextual messaging indicating the action will apply only to the current leaf org.
• Validation ensures operations cannot escalate scope to parent orgs (no accidental shared-scope changes).
• Audit entries capture whether an action originated from a leaf org and which effective org scope was used.

• Simplified and context-correct org workflows for leaf org users.
• Admin-controlled opt-in visibility for child orgs via the toggle child organisation setting.
• Clear audit trail that indicates origin (leaf org user) and effective target org.

• Leaf-org administrators creating or editing facts, connections, or other org-scoped resources without exposure to parent-org controls.
• Preventing accidental creation of shared-scope resources by leaf-org users.
• Streamlined onboarding for leaf org users who only require single-org workflows.

• Private Chat Sessions from App Mentions:
  When a user invokes the AirMDR Slack app via @airmdr (app mention), the chat session created is private to the initiating user and is not visible or accessible to other users in the workspace. This ensures sensitive investigative context remains confidential.
• Subscribe to app_mention:
  Administrators can enable a new subscription option in the Slack app configuration to forward app_mention events to AirMDR. On subscription, mentions are routed to Darryl for automated assistance, triage, or to initiate workflows.
• Darryl Integration:
  app_mention payloads forwarded to Darryl are parsed and handled according to configured skills—enabling real-time assistance, quick lookups, or playbook triggers directly from Slack.
• Security & Privacy Controls:
  The feature enforces access boundaries so only the initiating user and authorized systems (Darryl / AirMDR backend) can view the session content. Audit logs record inbound mentions and subsequent actions.

• Private, user-scoped chat sessions initiated from Slack mentions.
• Ability to subscribe workspace app to app_mention events and route them to Darryl.
• Immediate, in-Slack AI assistance and orchestration via Darryl without exposing session data to other users.
• Auditability through event logging and traceable workflows for governance.

• **User-Initiated Triage: **An employee mentions the AirMDR app to report a suspicious email or login; Darryl immediately analyzes available data and returns guidance privately to the reporter.
• **Secure Escalation: **Analysts can initiate private investigations from Slack mentions without exposing details to the broader channel.
• **Quick Contextual Lookups: **Field engineers use @airmdr to request account activity or alert summaries; Darryl responds privately with findings or next steps.
• **Automation Triggering: **App mentions can kick off lightweight playbooks (e.g., fetcher, enrichment) via Darryl while keeping the interaction private to the requester.

​

🔌 New Integrations Added

1. JumpCloud

​

✨ New Skills Added

• Unified Rendering Component: Facts use the same component and layout across Facts management, Playbook execution, and Case re-investigation, ensuring identical display and metadata surface.
• Prominent Investigator Inputs: Investigator-facing inputs—Facts and Investigation Notes—are surfaced earlier in the case/re-investigation layout to improve readability prior to the workflow steps.
• UX Fixes & Stabilization: Multiple UI issues were addressed, including button background behavior, icon spacing, cursor focus during inline edits, and accurate display of org codes/names and scope labels.
• Scoped Issue Triage: Any regressions discovered during rollout have been triaged into a follow-up work item so validated fixes can be shipped without blocking the broader release.
• Reopened Test & Verification Cycle: Fixes were validated in a test environment and remaining items scheduled for prompt resolution to ensure production readiness.

• Consistent fact presentation across management and runtime contexts—reduces cognitive load and prevents mismatches during investigations.
• Editable, accurate metadata (org, scope) displayed consistently for facts used in playbooks.
• Improved editing fidelity with corrected cursor and focus behaviour for inline edits.
• Isolated regression handling to avoid blocking validated UX improvements while follow-up fixes are completed.

• Case Re-investigation: Analysts editing facts or investigation notes during a re-run see the same formatted view as in the Facts Page, enabling fast corrections and accurate reruns.
• Playbook Execution Review: Reviewers and auditors can examine fact content and metadata in the execution context without ambiguity or layout differences.
• Shared-Scope Governance: Parent and child org users can more clearly distinguish shared vs. org-specific facts and understand editability constraints.
• Support & Demos: Consistent visuals reduce friction during customer demos and technical support sessions, improving clarity and reproducibility.

• Step-by-Step Child Execution:
  Child playbook runs are now shown inline as discrete, ordered steps within the parent execution, including step outputs, artifacts (facts, notes, lists), and execution status.
• New Execution View (Visualization Upgrade):
  A redesigned execution UI provides clearer layout, improved grouping of nested steps, and easier navigation between parent and child execution contexts.
• Automatic Adoption for New Playbooks:
  All newly created playbooks use the enhanced execution view by default.
• Simple Upgrade Path for Existing Playbooks:
  Existing playbooks retain the legacy view until explicitly upgraded. To enable the new view, open a playbook and select Automate → Publish; the visualization will be upgraded automatically.
• No Logic or Runtime Impact:
  This change affects only the visualization layer; playbook logic, executions, alerts, and outcomes remain unchanged.

• End-to-end visibility into nested (child) playbook behavior and outputs.
• Faster root-cause analysis by stepping through child executions inline.
• Cleaner visualization with grouped, navigable execution steps for complex playbooks.
• Low-friction adoption path with automatic use for new playbooks and a one-click upgrade for existing ones.
• Safe rollout: no change to execution semantics or alerting.

• **New Operators Implemented: ** STARTSWITH, ENDSWITH, CONTAINS, LEN, IN, NOT IN are available in all comparison/condition editors.
• Operator Selection UI: Dropdowns/operator pickers updated to include string operators alongside numerical operators.
• Input Guidance & Validation:
  • For LEN, the UI enforces a string on the left-hand side and an integer on the right-hand side and displays a clear validation prompt if the RHS is not numeric.
  • For IN / NOT IN, the UI guides users to provide list/collection inputs where applicable.
• Improved Error Messages: User-friendly messages replace cryptic runtime errors (e.g., explicit guidance like “Please enter a number for length comparison”).
• Playbook & Condition Editor Support: All editors that allow condition construction now surface the new operators and validate inputs at authoring time.
• Operator Enum Update: System operator lists and APIs have been updated so the new operators are consistently available wherever operator selection occurs.

• Native string matching and containment checks in playbook conditions without resorting to LLM code.
• Deterministic LEN-based rules for string-length gating.
• Clear, contextual validation that prevents common authoring mistakes and reduces runtime failures.
• Consistent operator availability across all condition editors and UIs.

• **Input filtering: STARTSWITH / CONTAINS **to match known prefixes or markers in log messages or alert payloads.
• **Type/length gating: LEN **to detect unusually short or long identifiers before enrichment or routing.
• **Allowlist / blocklist checks: IN / NOT IN **to test membership against configured lists (e.g., Allowed Content List).
• **String-based routing: UseENDSWITH ** to route alerts based on file extensions or domain suffixes.
• **Cleaner authoring: **Rule authors can write precise conditions in the UI, lowering dependency on custom code or LLM interventions.

• **Global Availability: **Org context switcher added to all admin pages (and other previously missing pages) so context is consistently visible.
• **Breadcrumb Design: **Preferred breadcrumb-style layout adopted to display org hierarchy and current selection unobtrusively while remaining discoverable.
• **Full-Name Tooltip: **Full org name appears on hover when names are truncated, preventing ambiguity for long names.
• **Responsive Space Handling: **Min/max width limits applied so the switcher adapts to short or long org names without creating awkward spacing.
• **Context Sensitivity: **UX decision points added for pages where user-specific context may be more appropriate (for example, API tokens or Guide pages) allowing product teams to opt for contextual visibility where required.
• **Persistent Context Indicator: **A clear visual indicator (label/chevron) shows the active org and its ancestry so users can verify context at a glance.

• Universal visibility of organizational context across product and admin flows.
• Reduced risk of cross-org mistakes during configuration, onboarding, or customer calls.
• Improved discoverability of org hierarchy via breadcrumb presentation and hover-tooltips.
• Adaptive layout that preserves visual balance regardless of org name length.
• Configurable presence on sensitive, user-scoped pages (e.g., API tokens) to avoid unnecessary complexity.

• Customer Support & Demos: Support engineers and sales reps can verify the active org during live calls to avoid making changes in the wrong tenant.
• Admin Operations: Platform administrators performing org-scoped tasks (user management, RBAC, org properties) can confirm context before applying updates.
• Multi-Org Workflows: Analysts and integrators working across parent/child org hierarchies quickly identify which child org is selected for deployments or tests.
• Audit & Compliance Checks: Auditors and reviewers can reliably capture screenshots or notes with the org context visible, easing traceability.
• Onboarding & Training: New users experience clearer navigation when learning platform workflows, reducing training time and support tickets.

• Initiate Re-Run (Step-Level Reinvestigation):
  • A new “Initiate Re-Run” button is available at the bottom-right of the case view.
  • Executes only the final step of the playbook, allowing users to revise Facts and Investigation Notes before rerun.
  • Reduces unnecessary execution of upstream logic when only the conclusion needs re-evaluation.
• AI Reasoning Trail – “How did Darryl Investigate?”
  • Displays a dynamic, real-time flow of how Darryl AI reasoned through the investigation.
  • Helps users understand which inputs led to specific decisions, improving explainability.
• Improved Layout for Analyst Inputs:
  • Investigation Notes and Facts have been repositioned to appear at the top of the case view, offering a cleaner, more accessible layout prior to the workflow view.
• Live Executive Summary Generation:
  • A new left-pane summary provides immediate insights during the re-run.
  • Users no longer need to wait for the full execution to complete to view key findings and conclusions.

• Enables step-level reprocessing of investigative workflows, improving agility and resource usage
• Enhances AI decision explainability with visible reasoning paths from Darryl
• Supports on-the-fly revision of key investigative inputs without restarting full workflows
• Improves case readability with clearer separation between analyst inputs and playbook logic
• Live summary preview during re-run execution shortens turnaround time

• Rapid Correction:
  An analyst discovers incorrect or missing facts and wants to update the case conclusion without re-executing the full playbook.
• Investigation Refinement:
  Use the AI decision trail to pinpoint where logic can be adjusted and quickly validate updates by re-running only the final decision step.
• Post-Incident Review:
  During case audits, users can view Darryl’s original reasoning to assess if human oversight or AI logic needs adjustment.
• Performance Optimization:
  Large playbooks with multiple upstream enrichment steps no longer need to be fully rerun for minor outcome revisions.

• Extended Input Options:
  Users can now configure Alert Triage Playbooks to be consumed as inputs within Case Automation Playbooks, in addition to traditional skills.
• Unified Execution Context:
  Case Automation Playbooks can now trigger based on enriched outputs from Alert Triage Playbooks, supporting more dynamic, context-aware case creation.
• No Impact to Existing Skills:
  This enhancement preserves all existing skill-based configurations while expanding flexibility for more advanced automation scenarios.

• Enables playbook chaining across Alert Triage and Case Automation domains
• Supports contextual case generation based on structured triage workflows
• Facilitates modular playbook design, reducing duplication and improving maintainability
• Seamless integration with alert fetcher-investigator-helper logic

• End-to-End Alert Handling:
  Automatically launch a Case Automation Playbook using the output of an Alert Triage Playbook that already validated and enriched the alert.
• Triage-to-Case Handoff:
  Enable alerts verified through investigation playbooks to automatically escalate into full cases, preserving analysis context.
• Reusable Triage Logic:
  Teams can create specialized triage playbooks (e.g., for phishing or cloud misconfigurations) and reuse their output across multiple downstream case automation scenarios.

​

🔌 New Integrations Added

1. Stellar Cyber

​

✨ New Skills Added

1. Reset Tour: A control in the Guide section that restarts the guided tour for key onboarding flows (Explore the Alert Catalog, Connect your Tools, Upload or Paste any Alert). When a user clicks Reset Tour → Reset, the guided tour state is cleared and the tour will restart from the first step on next invocation. If the tour is not reset, users will continue from their previous position in the tour.
2. Confirm Alert Properties: A confirmation modal shown when a user imports or pastes alert content. The modal prompts the user to select the Source Provider and Alert Type for the ingested alert and requires explicit confirmation to proceed.

• Added Reset action to clear guided tour progress and allow a full restart of the tour.
• Guided tour reappears from step one after reset; otherwise it resumes from the last completed step.
• Introduced Confirm Alert Properties modal to validate source and type before creating an alert from imported/copied content.
• Improved onboarding resilience and reduced ingestion errors by making source/type selection explicit.

• Re-startable, deterministic guided tours for core onboarding flows.
• Persistent tour state with single-click reset for retraining or demos.
• Pre-ingest validation of alert metadata (provider & type) to prevent misclassification.
• Reduced false-positive/false-negative ingestion due to missing or ambiguous alert metadata.

• New-user onboarding: Trainers can reset the guided tour for trainees so each user experiences the tutorial from the beginning.
• Customer demos: Sales or support can reset the guided tour prior to product demonstrations to ensure a consistent walkthrough.
• Alert import validation: Analysts importing alerts from varied sources confirm provider and type to ensure correct parsing and downstream routing.
• QA & troubleshooting: Support teams reproduce onboarding or ingestion issues by restarting the guided tour and re-ingesting alerts with explicit provider/type selections.

​

User Onboarding Flow

• Rapid onboarding through automated organization and user creation
• Frictionless experience for evaluating AirMDR’s core alert investigation capabilities
• Support for trial environments under a controlled FREEMIUM org model
• Seamless email-based account activation and password setup

• Product Evaluation:
  New users can independently explore alert workflows, dashboards, and triage features to assess AirMDR’s value.
• **Sales Enablement:
  AirMDR **Sales and marketing teams can direct prospects to the self-serve trial for hands-on engagement.
• Demo/Test Environments:
  Enables internal teams or partners to simulate investigations in a sandbox without affecting production data.

​

Key Enhancements

• Python-Based Integration Editor:
  Users can write and manage custom integration logic in Python, directly within the AirMDR UI.
• Draft & Update Support:
  Work-in-progress (WIP) integrations can be saved as Drafts and iteratively updated.
• Custom Authentication Support:
  Integrations can be grouped and managed by authentication type, with support for common patterns like API keys, OAuth, and custom headers.
• Execution Environment:
  Custom integrations are executed in isolated containers with security constraints of AWS Lambda environments.
• Library Support:
  A limited set of Python libraries is currently available. Additional core package requests are subject to review and approval by the AirMDR Engineering team, with fulfillment typically completed within one business day.
• Scoped Access:
  This feature is accessible only to designated admin users, ensuring safe and controlled deployment of custom logic.

• Set-up of integrations such as Okta, AWS, or **Google **within an hour
• Secure execution of user-submitted code in sandboxed environments
• Flexible authentication handling with minimal engineering overhead
• Ability to update authentication and skills as long as input parameters remain unchanged

• Sales Engineering Acceleration:
  AirMDR Field Engineers (Sales Team) can quickly set up and demo on requested integrations within hours not days.
• Partner-Led Development:
  Channel partners and advanced customers can build and test their own integrations on the platform in hours, not days.
• Lightweight Customization:
  Quickly build one-off connectors for internal tools or uncommon third-party services without waiting for productized support.
• Controlled Custom Logic:
  Securely run custom Python logic without compromising platform integrity or other tenant data.

​

🔌 New Integrations Added

1. Forescout 
2. Freshservice 
3. Cortex XSIAM
4. DNIF 
5. Wiz

​

✨ New Skills Added

​

Key Enhancements:

• Parent ↔ Child Org Access Controls:
  • Admins can now define what access a Parent Org has to its child orgs and vice versa. Access levels are configurable both during and after organization creation.
• RBAC Permission Templates & APIs:
  • Created reusable permission templates with full CRUD API support to manage access rights programmatically.
• Org Management API Updates:
  • Existing org-related APIs have been updated to support RBAC controls and expose accessible orgs and ancestor relationships via dedicated endpoints.
• UI Support for RBAC Enforcement:
  • UI now reflects RBAC settings but maintains design consistency
  • Access flags are fixed and cannot be edited individually
  • Preset configurations determine mutual access, ensuring uniform enforcement

​

Key Capabilities:

• Centralized control of Parent-to-child and child-to-Parent access configurations
• RBAC enforcement at the organizational level with reusable templates
• API-first model for scaling access control operations
• Readable and queryable org hierarchy with accessible/ancestor orgs APIs
• UI support for secure and predictable access visibility

• Multi-Tenant Governance:
  Enforce clear data and workflow boundaries between Parent and their child orgs for compliance and operational clarity.
• Security Hardening:
  Prevent unauthorized cross-org access by applying RBAC at the org creation level and restricting edits to critical flags.
• Platform Consistency:
  Provide users with a predictable and consistent access model in both API and UI layers.

• Prioritizes User relevant workflows for faster access
• Ensures role-based discoverability with support for conditional visibility (e.g., AirMDR-only pages)
• Enables future expansion without cluttering the top-level experience.

• Customer Portal Simplification:
  End users can now easily access core capabilities like cases, reports, alerts, and knowledge assets.
• Efficiency:
  All the Users benefit from structured access to playbooks, chat sessions, and configuration settings.

​

🔌 New Integrations Added

1. Lima Charlie
2. Extrahop
3. Permiso
4. IT Glue

​

✨ New Skills Added

​

Key Enhancements

• Left panel: Product list organized into three dynamic sections:
  • Needs Attention: Connections nearing expiry or failed (specific to logged-in user’s org or child orgs)
  • Configured: Products with active connections in the org/child orgs
  • Not Configured: Remaining products (including shared-only connections for restricted users)
• Right panel: Displays selected product details with tabs for Connections, Skills, and Playbooks

• Displays product name, logo, category, description, documentation link, and a “+New Connection” button
• Connections and skills presented in expandable rows with nested details
• Skill view now includes:
  • Tabbed view: Details (input/output specs) and Playbooks Using
  • Output spec supports one-level nested fields

• Product list includes a dedicated search bar and category filter
• Skill/Connection-level search with dropdown result preview and Jira-like navigation
• Selecting a result highlights the product and opens the item in the right pane

• Create Connection now includes:
  • Expiry date support for all supported types

• Organized product list with clear indicators for failed, active, and unconfigured integrations
• Efficient triage and maintenance of connections via expandable, searchable UI
• Accurate visibility into which playbooks use which skills
• Seamless navigation between integration components with reduced clicks and better context

• Integration Monitoring: Analysts can quickly identify failing or expiring connections using the “Needs Attention” view
• Skill Dependency Mapping: Map which playbooks use a specific skill or connection for impact assessment
• Cloud Integration Setup: Set up multi-mode connections (e.g., AWS) through a guided and verified creation workflow
• Operational Efficiency: Minimize navigation overhead with a Jira-style search bar and in-context loading of components

​

Key Enhancements

• Left panel: List of alerts across accessible orgs with key details—Alert ID, Type, Product logo, Created timestamp, Investigator status, and Case link(s).
• Right panel: Selected alert’s detailed view including severity, MITRE tactics, alert source metadata, execution details, and linked cases.

• Quick filters: Unresolved, No case attached, In Progress
• Advanced filters: Org, Product, Alert Type, Status, Creation Timestamps (source & platform), Connection used

• Clicking on investigator execution opens the Case Manager directly in execution view
• Enables access to the re-investigation flow

• Failed alerts now support manual resolution via confirmation pop-up with reason
• Supports toggle between Resolved and Unresolved states (latest execution only)

• Alert list and selected alert status auto-refresh in real-time, mirroring Case Manager behavior

• Intuitive alert triage with side-by-side context for faster action
• Accurate tracking of alert-to-case relationships, including multiple case links
• Built-in resolution workflow for failed alerts to support SOC operations
• Real-time updates reduce analyst lag and ensure operational accuracy

• Alert Investigation:
  Analysts can immediately view execution status, linked cases, and alert metadata to initiate or continue triage.
• Failed Execution Handling:
  SOC teams can resolve failed alerts with justification, maintaining alert hygiene and audit trails.
• Cross-org Monitoring:
  Analysts managing multiple orgs can view, filter, and act on alerts across the hierarchy with fine-grained controls.

• Changes to AWS resources (e.g., EC2, IAM, S3)
• Actions performed by specific IAM users or roles
• Suspicious activity patterns in AWS CloudTrail logs
• Audit trail generation for compliance reviews

• Count failed authentication attempts
• Security incident detection
• Custom metric computation

• User login activity
• Password resets or changes
• MFA enrollment or failures
• Application access and assignment

• Contextual Data Interpretation:
  AI JSON Agent understands structured logs and dynamically extracts the information requested—whether it’s simple field-level values or complex pattern recognition.
• Identity-Centric Investigation:
  The AI Okta Agent provides context-rich answers to identity-related questions, reducing manual log correlation for access-related alerts.
• Natural Language Query Support:
  Analysts can interact with both agents using natural language prompts, simplifying log analysis and reducing time to insight.
• Modular Integration:
  These agents can be used across chat sessions, automated workflows, and triage tasks, allowing seamless interaction with AI-driven insights.

• Incident Triage:
  Use the JSON Agent to quickly extract suspicious activity from structured alert logs and respond to anomalies in real time.
• Identity Investigation:
  Leverage the Okta Agent to trace user login patterns, detect unauthorized access, or confirm MFA status during investigation of suspicious behavior.
• Access Review & Audit:
  Validate user-to-application mappings and identity changes during compliance audits without manually digging through raw Okta logs.
• Operational Efficiency:
  Save time by offloading data parsing and summarization tasks to AI agents, enabling human analysts to focus on decision-making.
• Cloud Security Audit:
  Leverage the AWS Agent to investigate resource changes, monitor privileged access, or trace actions back to IAM identities for compliance.

​

🔌 New Integrations Added

1. OpenSearch
2. Hexnode MDM
3. Bamboo HR
4. Kaseya VSA X
5. Trend Micro

​

✨ New Skills Added

• Editable Playbook-Based Inputs:
  Analysts can now modify key playbook-generated data fields directly from the case view, including:
  • Facts
  • Investigation Notes
• Re-Investigate & Fork a New Case:
  After updating the relevant inputs, analysts can re-run the investigation workflow, resulting in the creation of a new case. This enables more accurate and context-rich analysis when initial inputs evolve or are incomplete.

• Triage Correction: An analyst realizes the initial facts or notes were incorrect or incomplete and needs to re-run the investigation with updated data.
• Playbook Optimization: SOC teams fine-tune playbook templates by modifying cases and measuring output accuracy.

​

Key Enhancements

• Dedicated Timeline for Re-Investigated Cases:
  For any case that has been re-investigated, the timeline will now begin from the point at which the re-investigation was initiated, rather than from the original alert.
• Updated Timestamp Handling:
  The “Alert Raised At” and “Alert Acknowledged At” timestamps will be excluded from the timeline to reduce confusion and keep the focus on re-investigation actions.
• Visual Indicators in Timeline:
  The timeline view will clearly display key stages such as:
  • Re-investigation Started
  • Re-Investigated
  • Contained
  • Closed

• Clear differentiation between original investigation and re-investigation time-line.
• Improved timeline clarity and visual traceability of analyst actions and ensures reporting metrics are not skewed by re-investigation efforts.

• Post-Incident Review:
  Allows SOC teams to isolate re-investigation workflows for performance assessment and process improvement.
• Root Cause Validation:
  Provides visibility into the re-investigation without conflating it with the original alert’s lifecycle.

• Investigation Summary Field:
  Enables analysts to capture a concise narrative of the investigation, including:
  • Key findings
  • Thought process
  • Decision-making rationale
• Improved Case Transparency:
  Supports better collaboration and hand-offs by making analyst reasoning explicit within the case.

• SOC Collaboration: Facilitates better case handover between analysts by providing context on investigative reasoning.

• Analytics Dashboard Access
  View aggregated data on alert volumes, case trends, resolution timelines, and detection efficacy..

• Executive Visibility
  Users can view the case resolution metrics and threat landscape summaries.
• SOC Performance Tracking
  Visualize trends in alert volume, analyst triage time, and case closure rates.
• Client-Specific Insights
  Provide partner or MSSP clients with tailored security operations data aligned to their environment.

• Email Integration (New):
  The checkpoint now supports sending prompts via email to the user involved in an alert or event. The investigation resumes based on the user’s reply or upon timeout.
• Slack Integration (Existing):
  Continues to support interactive Slack messages with Yes / No / Unsure buttons or free-text input for user feedback.

• Workflow Suspension:
  Automatically pauses playbook execution until a user response is received or a timeout occurs.
• Customizable Prompts:
  Email and Slack prompts are dynamically tailored based on playbook context to improve clarity and engagement.
• Conditional Flow Control:
  Based on the user’s input, the playbook can proceed with actions such as escalation, case closure, or further investigation.

• Suspicious Login Verification:
  AirMDR sends a prompt to the user via Slack or Email to confirm whether a suspicious login was legitimate.
• Phishing Alert Clarification:
  The system queries the email recipient to validate if they interacted with a suspected phishing message.
• Case Closure Validation:
  Before closing a case, AirMDR requests user acknowledgment to ensure accuracy and completion.

​

🔌 New Integrations Added

1. OpenAI 
2. Cloudflare
3. Recorded Future
4. Security Scorecard

​

✨ New Skills Added

1. SumoLogic
   • Skill: Execute a query in sumologic with aggregation
     • This executes a SumoLogic query with aggregation to retrieve and analyze log data from specified time ranges.
2. Astrix
   • Skill: List Astrix Events
     • Get events from Astrix based on various filtering criteria.

• Improved Case Manager Interface:
  The Case Manager UI has been refined for better clarity, accessibility, and efficiency. The layout now enables faster navigation and a more intuitive handling of Need Attention Cases, Active Cases & Closed Cases.
  Centralized access to all active cases from a single UI component and reduced cognitive load by minimizing context switching between tabs.
  Enhanced situational awareness with quick toggling between docked cases with streamlined UI tailored to incident response workflows.
• New “Add to Dock” Functionality:
  Analysts can now pin active cases directly to a persistent dock view using the newly introduced **Add to Dock **button. This allows them to monitor and access multiple ongoing cases without the need to open separate browser tabs.
  Users can revert to the previous version by selecting the Legacy Mode option.

• Security Analysts: Maintain real-time access to multiple ongoing cases during triage and investigation without cluttering the browser workspace.
• Incident Responders: Effortlessly switch between linked investigations for correlation and evidence tracking.
• SOC Managers: Improve analyst efficiency by reducing time spent navigating between cases.

• Search Allowed Content List (Updated):
  This skill has been updated to reference the newly provisioned Allowed Content List specific to the organization, supporting context-aware decision-making.
• Search Blocked List (New):
  A new skill has been introduced to enable playbooks to query the organization’s Blocked List for threat indicators, facilitating automated escalation or blocking actions.

• List Auto-Provisioning:
  Automatically creates Allowed Content and Blocked Lists during organization setup, minimizing manual configuration and standardizing policy application.
• Hierarchical Sharing:
  Parent organizations can maintain shared lists that are inherited by child organizations, supporting uniform governance and streamlined policy management.
• Integrated Skill Support:
  Playbooks can dynamically interact with the lists for contextual filtering during alert triage, enrichment, and remediation.

• Threat Intelligence Application:
  Automatically suppress known benign indicators using the whitelist or escalate known malicious indicators via the blacklist.
• Playbook Automation:
  Use the Search Whitelist and Search Blacklist skills to drive decision-making in real-time such as skipping enrichment for whitelisted IPs or triggering containment steps for blacklisted domains.

​

Key Enhancements

• AI-Based Description Generator:
  Automatically creates contextual playbook descriptions by analyzing the logical flow and components used within a playbook.
• Execution-Aware Prompting:
  If a user attempts to generate a description before the playbook has been executed, a confirmation modal will prompt for validation.
• Scope & Access Controls:
  • The feature is available for all playbook types, including:
    • Alert Triage
    • Case Automation
  • Child organization users are restricted from generating AI descriptions for parent-shared playbooks, preserving control and data boundaries.
• Editable Output:
  Users retain full flexibility to manually add or modify the generated description as needed.

• SOC Analyst Efficiency:
  Analysts save time by auto-generating technical summaries for newly created or updated playbooks.
• Playbook Reviews & Approvals:
  Managers and auditors can quickly understand the purpose and logic of a playbook before approving or deploying it.
• Cross-Team Collaboration:
  Clear descriptions help different teams (e.g., detection engineering, incident response) better understand shared automation assets.

• Investigation Notes:
  A centralized log which helps in providing guidance to the agent for investigation and decision making.
• Facts:
  Captures organization specific information like domains used, known IP addresses, known workflows, privileged users, etc
• Case Template:
  A method to define the structure of each case section and provide prompts that guide how each part should be written, making cases easier to read and understand.
• Meta Playbook:
  Meta Playbooks coordinate multiple sub-playbooks, actions, and decision points based on predefined logic. Meta Playbook is for orchestrating structured, analyst-defined investigation workflows. 

• Contextual Automation:
  Enables automated evidence collection and triage using predefined templates and facts.
  Use Case: Auto-triage phishing alerts with contextual enrichment and initial classification.
• Dynamic Decision Making:
  Agents dynamically choose the next best action based on current facts and investigation state.
  Use Case: Automatically pivot from credential theft detection to privilege misuse investigation.
• Customizable Framework:
  Users can extend or adapt templates, facts, and logic to align with specific detection and response requirements.

• Slack-Based Interaction
  Sends an interactive message to selected colleagues via Slack, including options such as UI buttons (Yes, No, Unsure) or a free-text chat for open responses.
• Workflow Suspension
  Automatically pauses the playbook until a response is received or a timeout is reached, ensuring that key decisions are made by the appropriate internal personnel.
• Customizable Prompts
  Messages can be tailored dynamically based on the incident type or playbook context, ensuring relevance and clarity.
• Timeout & Fallback Handling
  Define time limits and fallback actions (e.g., proceed with default action, escalate) to avoid indefinite pauses.

• Credential Update Confirmation
  Asks the relevant user whether a password change was intentional. Based on their response, the system can choose to create or escalate a case.
• Containment Approval
  Requests confirmation from internal stakeholders before executing critical actions like isolating a host or revoking credentials.
• Escalation Confirmation
  Verifies with internal teams whether an incident should be escalated to engineering, legal, or other business units.

​

🔌 New Integrations Added

1. Incident.io
2. Jamf (Just Another Management Framework) Pro
3. Jamf (Just Another Management Framework) Protect
4. Microsoft Teams
5. Push Security
6. SOCRadar Extended Threat Intelligence
7. Squadcast

​

✨ New Skills Added

1. Update SentinelOne Threat Status: (SentinelOne)
   • Added SentinelOne Threat note 
   • Enrich endpoint
2. Azure Sentinel:
   • Update Incident
3. SumoLogic:
   • To Fetch Sumologic entities

• Flexible Pattern Matching
  Use regular expressions to match multiple alert types with shared naming patterns.
• Reduced Triggers Duplication
  Consolidate alert matching logic without needing to specify each alert type individually.

• Existing Alert Type: TrojanDropPoint
• Regex Used: Trojan[.*]Point
• Result: Matches any alert type that begins with “Trojan”, includes any characters in between, and ends with “Point” — e.g., TrojanXPoint, TrojanExfilPoint, etc.

• **Variant-Based Alert types **
  Match multiple malware or behavioral alert types without explicitly listing all names.
• Simplified Trigger Maintenance
  Reduce effort in updating alert-matching logic as new alert types emerge.

• Child-to-Parent Parameter Access
  Fetch and utilize output parameters generated in child playbooks directly within parent playbook logic.
• Quick Filters for Parameters
  Easily locate relevant output fields with enhanced filtering options during playbook configuration.
• “Add on Output Specific Field” Option
  Introduced a contextual action to selectively add specific fields from the child playbook’s output to the parent.

• Modular Playbook Design
  Reuse child playbooks across multiple scenarios while returning context-specific outputs to the parent workflow.
• Data-Driven Decisions
  Use child playbook results (e.g., verdicts, enrichment data) to influence next steps in the parent playbook.
• Simplified Maintenance
  Reduce redundancy by centralizing logic in child playbooks while maintaining flexible output control.

• Expiry Date Support
  Added the ability to define an expiry date for list entries, enabling automated cleanup and lifecycle management.
• Playbook & Schedule References
  Lists now display references to associated playbooks and schedules, providing better visibility into where and how each list is being used.

• Temporary Blocklists

• Change Impact Analysis

• Authentication and authorization setup
• API endpoints with request/response examples
• Error handling guides
• SDK and code samples
• Best practices and usage limits

• View a detailed log of all changes made to a playbook over time, including changes made to any step’s text, or if a user had to change the automated playbook step manually

• The new version of Darryl is capable of creating proper plans to answer any query, use skills wherever needed, follow a chain of thought, and course correct wherever needed.

• Centralized Lists reduce redundancy and improve consistency across multiple playbooks.
• During playbook execution, alerts are checked against Lists to determine if they involve

• Trusted VPN IPs
• Admin accounts
• Known user locations
• Blocklisted domains or IPs

• Safelisted IOCs (e.g. internal scanners)
• Blocklisted IOCs (e.g. phishing domains)
• User metadata (admin users)
• IP ranges, device names, or email addresses)

• Run playbooks automatically when a case is Created, Updated (e.g., status, assignee, severity, or custom fields)
• Users can define custom workflows
  • Sending an email or Slack message when the assignee is changed
  • Adding a comment if a field like status and for category is updated
  • Notifying external systems when a case is closed
• Use Cases
  • Case reassignment alerts to on-call analysts
  • Audit logging for field changes
  • Auto-tagging or auto-closing cases based on predefined conditions

• Incident Type
• Business Unit
• Risk Level
• Asset Ownership

• Supports a variety of field types:
• Text Fields (e.g., Case Description, Analyst Notes)
• Boolean (e.g., Is Escalated: Yes/No)
• Date/Time Fields (e.g., Detection Time)

​

🔌 New Integrations Added

1. Recorded Future
2. Crowdstrike
3. Google Chronicle
4. Joe Sandbox Security

​

✨ New Skills Added

1. Update SentinelOne Threat Status: (SentinelOne)
   • Added skill to update threat status and analyst verdict in SentinelOne, enabling marking threats as in progress, resolved, or assigning verdicts like false positive, suspicious, or true positive.
2. List Astrix Events: (Astrix)
   • Get events from Astrix based on various filtering criteria

• Escalation Email Control
  • Users can now toggle off the automatic escalation email when escalating a case, preventing email notifications from being sent to stakeholders.
• Use Cases
  • Escalation of cases without triggering an email notification.

• Unacknowledged Alerts: Filter and view all alerts that have not yet been acknowledged by the team.
• Failed Investigations: Easily identify and filter alerts that have failed their investigation process, helping to prioritize re-evaluation or remediation.
• Creation Time: Sort and filter alerts based on their creation time, enabling teams to prioritize more recent alerts or focus on specific time periods.

• Quick filters streamline alert management by offering relevant options that can be toggled in a single click, reducing the time spent searching or applying complex queries.

• These filters help teams prioritize and focus on specific types of alerts, improving overall efficiency and response time during case triage.)