
New-Scale Security Operations Platform Release Notes

August 2025

The New-Scale Security Operations Platform includes the following addressed features and new features for August 2025.

Attack Surface Insights

Feature

Description

Pre-Built Attack Surface Insights Rules Criticality Enhancement

To prevent inflated risk scores for Threat Center cases and alerts, all pre-built Attack Surface Insights rules now automatically apply the Low criticality to entities.

Review all pre-built rules and ensure they accurately reflect your environment. If not, disable the pre-built rule. You can then duplicate the pre-built rule and change the criticality it applies to entities or create a new rule that better reflects your needs.

User Risk Trend Enhancement

You can now get more information about alerts and cases associated with a user entity with the User Risk Trend chart.

In the minimized User Risk Trend chart, you can now view the number of open cases and alerts associated with a user entity during the selected time frame. To view details about the cases and alerts, click <#> cases or <#> alerts.

Minimized User Risk Trend showing the open cases tooltip.
Minimized User Risk Trend showing the alerts tooltip.

In the expanded User Risk Trend chart, you can now view more detail about the case or alert with the highest risk score on a specific day by hovering over a point in the chart.

The User Risk Trend chart showing a specific point on the chart.

Automation Management

These features were released on August 22, 2025.

Feature

Description

Automation Agents

You can now securely connect Automation Management to segmented networks using automation agents.

An automation agent is a process that securely connects Automation Management to on-premises or network-segmented systems so you can run advanced playbooks and actions remotely on those systems.

To connect Automation Management to a segmented network, you create an automation agent, then run the automation agent using Docker. When you run an automation agent, it is assigned a JSON Web Token (JWT) that authenticates its HTTP requests to your network. The JWT is valid for 365 days, after which it expires. Once the JWT has been deleted, revoked, or has expired, you can delete the automation agent.

View all automation agents in the Automation Agents tab.

The Automation Agents tab in Automation Management.

After you create an automation agent, you assign a given action the specific automation agent it uses to connect to your network.

The list of automation agents in an action highlighted with a red rectangle.

Pre-Defined Case Closed Reasons in Rule-Based Playbooks

To better track and report Threat Center case closures, you can now select a pre-defined reason for why cases were closed if you use rule-based playbooks to change the case stage to Closed.

You can select a pre-defined case closed reason when the playbook action is Escalate to a case and stage to is Closed:

A rule-based playbook showing the list of pre-defined case closed reasons.

Cloud Collectors

Feature

Description

AWS CloudWatch Alarms Cloud Collector

The AWS CloudWatch Alarms Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of events related to AWS CloudWatch alarms.

AWS GuardDuty Cloud Collector

The AWS GuardDuty Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of GuardDuty Findings from an AWS S3 bucket.

AWS Security Lake Cloud Collector

The AWS Security Lake Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of security events from an AWS Security Lake S3 bucket.

DataBahn Cloud Collector

The DataBahn Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of events from DataBahn sources.

Dropbox Cloud Collector

The Dropbox Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of team activity logs from Dropbox.

Qualys Cloud Collector

The Qualys Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of activity logs and vulnerability data, including VM host detection events, from Qualys sources.

Slack Cloud Collector

The Slack Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of events from the Audit Logs API endpoints.

Tenable Cloud Collector

The Tenable Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of vulnerability events from Tenable APIs.

Zoom Cloud Collector

The Zoom Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of events from the sign-in/sign-out activity and operational logs endpoints.

Early Access Collectors

GitHub Cloud Collector

The GitHub Cloud Collector is now available as part of the Cloud Collectors Early Access program, to facilitate ingestion of GitHub enterprise audit logs, which include events such as repository access, authentication attempts, and permission changes, from the GitHub Enterprise Audit API endpoint so you can monitor your GitHub Enterprise Server or cloud-based GitHub service.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

GCP Cloud Logging Cloud Collector

The GCP Cloud Logging Cloud Collector is now available as part of the Cloud Collectors Early Access program, to facilitate ingestion of logs from Google Cloud services.


GCP Security Command Center Cloud Collector

The GCP Security Command Center Cloud Collector is now available as part of the Cloud Collectors Early Access program, to facilitate ingestion of logs from GCP Security Command Center.


Progress ShareFile Cloud Collector

The Progress ShareFile Cloud Collector is now available as part of Cloud Collectors Early Access program, to facilitate ingestion of


Context Management

Feature

Description

Pre-Built Vulnerability Scanners Context Table

Context Management now provides new pre-built correlation rules context tables. The first of these to be made available is the Vulnerability Scanners context table. The correlation rules context tables support the detection activities of correlation rules and are documented along with pre-built New-Scale Analytics and Attack Surface Insights context tables.

For more information, see Pre-Built Detection Context Tables.

Log Stream

Feature

Description

Standardize Usage of bytes_in and bytes_out Fields

The definition of the bytes_in and bytes_out fields will be standardized across all Exabeam content, including default parsers and rules, starting in the first week of September 2025. The standardized fields are defined as follows:

  • bytes_in – number of bytes received by the device or interface (data ingress)

  • bytes_out – number of bytes sent from the device or interface (data egress)

These fields have become inconsistent in some cases because of attempts to match vendor definitions, some of which use reverse logic. Historically, enrichment rules were created to handle such exceptions, which added further confusion to the definitions.

After a thorough content review, it has been decided to standardize the use of bytes_in and bytes_out across all parsers and any downstream content. Furthermore, these definitions will be independent of enrichment rules. You can, however, customize default parsers to use reverse logic if necessary for your business scenarios.

It is recommended that you check any enrichment rules or downstream correlation rules that rely on the bytes_in and bytes_out fields to ensure that they still operate as intended. Data from the following vendors and products may be affected:

  • Cisco - Cisco Network Security

  • Fortinet - FortiGate

  • Google - Google Cloud Platform, GCP CloudAudit

  • Microsoft - Azure Monitor
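To show why the standardization matters for downstream detection, here is an added example (not Exabeam content) that normalizes two constructed vendor events to the bytes_in/bytes_out definitions above and runs an egress-volume rule over them; the vendor field names, the reverse-logic mapping for "vendor_b", the threshold and the rule conditions are all assumptions made for illustration. It also lists which rule conditions reference either field, which is the review step recommended above.

```python
import re

# Standard: bytes_in = bytes received by the device or interface (ingress);
# bytes_out = bytes sent from it (egress).

# Constructed per-vendor mapping of raw fields to (ingress_field, egress_field).
# vendor_b reports its counters from the remote peer's point of view, so its
# "in" counter is the device's egress: the "reverse logic" the note describes.
VENDOR_FIELDS = {
    "vendor_a": ("received_bytes", "sent_bytes"),
    "vendor_b": ("out_bytes", "in_bytes"),
}


def normalize(event, reverse=False):
    """Attach standardized bytes_in/bytes_out to a raw event. `reverse` flips
    the two, as a customized parser would for a vendor whose semantics differ
    from the default mapping."""
    ingress, egress = VENDOR_FIELDS[event["vendor"]]
    bytes_in, bytes_out = int(event[ingress]), int(event[egress])
    if reverse:
        bytes_in, bytes_out = bytes_out, bytes_in
    return {**event, "bytes_in": bytes_in, "bytes_out": bytes_out}


LARGE_EGRESS = 100 * 1024 * 1024  # constructed threshold (100 MiB)


def large_egress_rule(event):
    """A downstream correlation rule keyed on the standardized egress counter."""
    return event["bytes_out"] >= LARGE_EGRESS


FIELD_RE = re.compile(r"\b(bytes_in|bytes_out)\b")


def rules_to_review(rule_conditions):
    """Names of rules whose condition text references either field: the ones
    to re-check after the standardization takes effect."""
    return sorted(n for n, c in rule_conditions.items() if FIELD_RE.search(c))


# Constructed events: both describe the same 300 MiB leaving the device.
SAMPLE_EVENTS = [
    {"vendor": "vendor_a", "received_bytes": 4096, "sent_bytes": 300 * 1024 * 1024},
    {"vendor": "vendor_b", "in_bytes": 300 * 1024 * 1024, "out_bytes": 4096},
]
SAMPLE_RULES = {  # constructed condition strings
    "large_egress": "bytes_out >= 104857600",
    "failed_logon_burst": "count(failed_logon) > 20",
    "ingress_spike": "bytes_in > 5 * baseline(bytes_in)",
}


def evaluate(events=SAMPLE_EVENTS):
    """Run the egress rule over normalized events; one bool per event."""
    return [large_egress_rule(normalize(e)) for e in events]
```

Without the mapping, a rule reading the raw "out_bytes" of vendor_b would see 4096 bytes and miss the 300 MiB egress that vendor_a's event makes obvious.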

Search

Feature

Description

Improvements to Search Results Views and Detail Panels

Search includes the following improvements to certain aspects of the way search results are displayed:

  • In the Timeline view of search results, numbering has been introduced when multiple events are grouped. You can see the event numbering when you expand the event row in the Timeline view or when you view the Event tabs in the Details panel.

  • In the Timeline view, numbering is also applied when multiple detections are associated with a single event. You can see the detection numbering in both the Timeline view of results and when you view the Detection tabs in the Details panel.

  • To streamline the display of detection events in the Timeline view, information about use case and about MITRE tactics and techniques has been moved to the Detection tab in the Details panel.

  • The names of the Details panel and its tabs have been updated for consistency: Events, Detections, Data Insights.

  • When you enter the Details panel from a grouped event in the Timeline view or from an event associated with multiple detections, the event and detection information is presented in a set of numbered tabs. The numbers correspond to the numbering in the Timeline view.

  • A new Rules section has been added to the Detection tab of the Details panel. The Rules section lists the triggered rules that generated the detection event. You can expand each rule to view the rule fields and MITRE labels associated with each rule.

  • The Summary view of fields returned in the search results has been improved so that it stays pinned to the top of the left-hand column in all views. Once the Summary panel is displayed, it no longer moves when you scroll through results on the Timeline, List, or Table views.

For more information about any of these views or Details panel tabs, see the Search Results section of the Search Guide.

Support for Sort Order in Saved and Exported Searches

The selected sort order is now persisted in a new Sorting column in both the recent and saved searches lists. The column shows which sort order option was selected when the search query ran. For more information, see Saved Searches in the Search Guide.

Improved Titles for Detection Events

The Search Timeline view uses new logic to display more meaningful titles for detection events. To make the detection titles more useful for understanding why a detection was triggered, titles are now derived from the triggering logic. Titles are no longer based on context rule information, which is less useful for understanding the cause of a detection; rather, they are based on the triggering rule information, so the reason for the detection is more obvious.

Site Collectors 2.12

Feature

Description

Windows Event Log Collector Auto-Restart (version 2.11.0 and later)

The Auto-Restart feature for the Windows Event Log Collector automatically restarts exabeam-welc-collector-service and exabeam-welc-management if they fail unexpectedly, except when you stop them via the user interface (UI) or API. The Auto-Restart feature restores collectors, improves reliability, reduces downtime, and minimizes manual recovery.

Advanced Configuration Settings for the Windows Template

For the Windows Event Log Collector, you can now use advanced configuration options when creating a Windows template. With these options you can set the number of records to commit per batch, the number of events to read per batch, and the percentage for item substitution. You can also enable or disable Security Identifier (SID) lookup and SID caching.

Threat Center

Feature

Description

Pre-Defined Case Closed Reasons

This feature was released on August 22, 2025.

To better track and report case closures, you can now select a pre-defined reason for why a case was closed.

Predefined case closed reasons.

You can select between:

  • Already mitigated/resolved – The threat has been addressed or resolved.

  • False positive or duplicate – The threat was mistakenly identified as a threat and is actually normal, non-malicious activity.

  • Low risk – The threat is insignificant or unlikely to harm the system or data.

  • Rule misconfiguration – Monitoring or detection content was misconfigured.

  • Policy or setup issue – The activity described in the case occurred because of known operations in your environment, like scheduled maintenance, authorized testing, or temporary workarounds.

  • Other – Enter a custom reason for why you're closing the case in the text box. You can enter up to 600 characters. To better communicate your message, you can also format the text. For details, see Format Text in Threat Center.

In the case Overview tab, review the reason why the case was closed, the queue and assignee assigned to the case when it was closed, and the date and time the case was closed under Case Closed.


Threat Detection Management

Feature

Description

Analytics Rules Reduced anomalyThreshold Minimum

To track anomalies over smaller intervals, the minimum valid value for the anomalyThreshold field is now 1 day for the following analytics rule types:

Analytics Rules Limit Chart Enhancement

To better track how many custom analytics rules have been created in your environment, you can now view the number of custom analytics rules enabled compared to the maximum your entitlement allows in the Limit chart under Custom Rules.

The Limit chart under the Analytics Rules tab.

Resolved Issues

Search Resolved Issues

ID

Description

ENG-74006

An issue has been fixed so that when you save a search with a relative time range, the time range remains relative when the saved search is run on subsequent days. Previously, if you defined a query with a relative time range from 10 days ago to now and ran the saved search two days later, it returned results from 12 to 2 days ago. This issue is resolved so that a relative search remains relative whenever you run it.
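As an added illustration of ENG-74006 (example code, not Exabeam's implementation), the model below contrasts a saved search that persists the window as timestamps resolved at save time with one that persists only the relative definition and resolves it at run time; the dates and the dictionary shapes are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RelativeRange:
    """A relative window such as "10 days ago to now" (end_days_ago=0)."""
    start_days_ago: int
    end_days_ago: int

    def resolve(self, at):
        """Anchor the window at `at`; return absolute (start, end) timestamps."""
        return (at - timedelta(days=self.start_days_ago),
                at - timedelta(days=self.end_days_ago))


def save_search_resolved(query, saved_at):
    """Pre-fix behaviour: the window is resolved once, when the search is
    saved, and the absolute timestamps are what gets persisted."""
    start, end = query.resolve(saved_at)
    return {"start": start, "end": end}


def save_search_relative(query, saved_at):
    """Post-fix behaviour: only the relative definition is persisted, so the
    save time plays no part in what the search later covers."""
    return {"relative": query}


def run_saved_search(saved, run_at):
    """Return the absolute window a saved search covers when run at `run_at`."""
    if "relative" in saved:
        return saved["relative"].resolve(run_at)
    return (saved["start"], saved["end"])


def days_ago(window, run_at):
    """Express an absolute window as (start, end) in whole days before run_at."""
    start, end = window
    return ((run_at - start).days, (run_at - end).days)


def demonstrate():
    """Save "10 days ago to now" on day D and run it on D+2. Returns the
    (resolved-at-save, resolved-at-run) windows in days-ago terms."""
    saved_at = datetime(2025, 8, 1, tzinfo=timezone.utc)  # constructed date
    run_at = saved_at + timedelta(days=2)
    query = RelativeRange(start_days_ago=10, end_days_ago=0)
    stale = days_ago(run_saved_search(save_search_resolved(query, saved_at), run_at), run_at)
    fresh = days_ago(run_saved_search(save_search_relative(query, saved_at), run_at), run_at)
    return stale, fresh  # ((12, 2), (10, 0))
```

The same drift applies to any scheduled hunt or report built on a saved query, so it is worth re-running saved searches created before the fix once and confirming the window they report.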

Site Collector 2.12: Security Vulnerabilities Remediations

The Site Collectors 2.12 (August 2025) release includes remediated security vulnerabilities. For more information about Exabeam's commitment to remediating vulnerabilities in Site Collector, see the Vulnerability Remediation Policy.

There are no known open CVEs in any container image (Nifi). The Toolkit has been deprecated and is no longer in use, so no security vulnerability update is provided for it.

The following table lists the CVEs remediated for the Nifi container and their severity.

Severity   Remediated
Critical   0
High       0
Medium     14
Low        2

Remediated CVEs:

  • CVE-2025-32988

  • CVE-2025-32989

  • CVE-2025-32990

  • CVE-2025-40909

  • CVE-2025-4877

  • CVE-2025-4878

  • CVE-2025-48924

  • CVE-2025-5318

  • CVE-2025-5351

  • CVE-2025-5372

  • CVE-2025-5702

  • CVE-2025-5987

  • CVE-2025-6395

  • CVE-2025-6965

  • CVE-2024-23337

  • CVE-2024-53427