New-Scale Security Operations Platform Release Notes

November 2025

The New-Scale Security Operations Platform includes the following new features and enhancements for November 2025.

Attack Surface Insights

Attack Surface Insights Rules for Entity Types

To simplify and better manage your Attack Surface Insight rules, rule management is now separated by entity type. You now manage rules for user entities on the Users tab and rules for device entities on the Devices tab.

Pre-Built Attack Surface Insights Rule Security Criticality Editing

To better customize pre-built Attack Surface Insight rules, you can now edit the security criticality of a pre-built Attack Surface Insights Rule.

Entity Details Organized By Source

To clarify from where attributes are derived, entity details are now organized by source. You can now view attributes derived from context tables under Context Data and attributes derived from events under Event Data.

Figure: The details of a user entity with the Context Data and Event Data section headings highlighted in a red rectangle.

Default View Enhancement

To help you get started searching for entities, you can now view a list of example queries in the default view of the Users and Devices tabs. When you click on an example, the query automatically populates the search bar.

Figure: The Users tab with the clickable search queries in the default view highlighted in a red rectangle.
Figure: The Devices tab with the clickable search queries in the default view highlighted in a red rectangle.

Security Criticality Tiers

To improve clarity and align with standard tier models, the security criticality values now include a corresponding tier number. The updated values are High (1), Medium (2), and Low (3).

Figure: The security criticality values for Attack Surface Insights rule actions.

Automation Management

Service and Action Deletion

To organize and maintain your automation tools, you can now delete custom services and actions. Before you delete a service or action, you must remove it from all existing playbooks.

Figure: The Delete Service dialog.
Figure: The Delete Action dialog.
Figure: The Delete Service dialog with a warning about removing the service from playbooks before deletion.

Increased Playbook Name Character Limit

To allow you to create more detailed and descriptive playbook names, you can now enter up to 205 characters for the playbook name.

Figure: The Create Advanced Playbook dialog displaying the criteria for the Playbook Name field.
Figure: The dialog to create a rule-based playbook showing the criteria for creating a New Playbook Name.

Increased No Trigger Playbook Creation Limit

To build a more comprehensive library of manual, on-demand playbooks, you can now create up to 20 advanced playbooks without a trigger.

Figure: The list of triggers in the Playbooks tab with no trigger highlighted in a red rectangle.

Service Created By Filter

To find a specific service, you can now filter services by creator. The search then applies only to those filtered results.

Figure: The Services tab with the Created By filter highlighted in a red rectangle.

Pre-Built Service Created By Enhancement

To better distinguish between pre-built and custom services, the Exabeam name and logo are now displayed under the CREATED BY column for pre-built services.

Figure: The threatcenter service with the Created By column value highlighted in a red rectangle.

Cloud Collectors

Broadcom Carbon Black Cloud Collector

The Broadcom Carbon Black Cloud Collector is now available as part of Cloud Collectors, to facilitate ingestion of Alerts, Events, and Audit Logs from the storage bucket used by the data forwarder.

Cylance Protect (now Arctic Wolf) Cloud Collector

The Cylance Protect (now Arctic Wolf) Cloud Collector is now available as part of Cloud Collectors. It ingests logs from either or both of the following data sources: Memory Protection, which collects threats related to memory vulnerabilities, and Threats, which collects threat detection alerts and related information.

Early Access Collectors

Azure Blob Storage Cloud Collector

The Azure Blob Storage Cloud Collector is now available as part of the Cloud Collectors Early Access program, to facilitate ingestion of logs from Azure data sources such as threat detections, security alerts, and Defender OTP logs.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

Azure Virtual Network Flow Cloud Collector

The Azure Virtual Network Flow Cloud Collector is now available as part of the Cloud Collectors Early Access program, to facilitate ingestion of virtual network flow logs.

Palo Alto Networks XDR Cloud Collector

The Palo Alto Networks XDR Cloud Collector is now available as part of the Cloud Collectors Early Access program, to facilitate ingestion of the security alert logs generated by Cortex XDR.

Correlation Rules

Trigger Schedules

To address specific use cases and improve correlation rule accuracy, you can schedule correlation rules to trigger on specific days or during specific periods only.

When you create or edit a correlation rule, you can schedule a correlation rule to trigger daily, weekly, monthly, or during a custom time period with specific start and end times.

Figure: The Trigger Schedules section in the correlation rule builder highlighted in a red rectangle.
Figure: The correlation rule builder showing the Trigger Schedules dialog.

New Correlation Rule Templates

You can now better detect adversary reconnaissance techniques with new correlation rule templates:

  • Fsutil Peripheral Device Discovery Command – Detects use of the fsutil command to enumerate drives, which may indicate reconnaissance or preparation for data exfiltration.

  • Password Policy Discovery Commands – Detects use of commands used to access information about password policies.

  • System Language Discovery Commands – Detects use of commands used to gather information about the system language of a victim to potentially infer the geographical location of that host.

  • Log Enumeration Commands – Detects the use of commands used to enumerate system and service logs.

Dashboards

Auto-Creating an Anomaly Fields Visualization from a Natural Language Prompt

As part of Exabeam Nova and its set of AI-driven capabilities, the natural language prompt for auto-creating a dashboard visualization now supports an additional data model: Anomaly Fields. In the Dashboard application you can describe, in plain language, the Anomaly Fields data you want to visualize, and the measures, dimensions, filters, and even the chart type are configured automatically from that prompt.

Note

This auto-create option is also currently available to create visualizations for the Event and Alerts data models. (You must be using Threat Center to access the Alerts data model.)

If the automatically generated visualization does not produce the data you want to visualize, you can modify the visualization settings manually to produce exactly the desired results.

For more information about auto-creating visualizations, see Auto-Create a Visualization from a Natural Language Prompt in the Dashboards Guide.

Log Stream

Planned Removal of Custom Default Parsers

The Custom Default category of parsers will be discontinued in favor of a simpler, more streamlined approach to customizing default parsers. In January of 2026, Exabeam will begin, one region at a time, removing the custom default parsers from Log Stream. As these parsers are removed, the corresponding default parsers will become enabled. Exabeam will provide notifications in each region before beginning to remove the custom default parsers.

The Custom Default category is a specific set of customized parsers that were migrated from legacy products. These parsers were originally created for use in your legacy product environments when a customization was needed. Once migrated to Log Stream, custom default parsers were treated like default parsers, except they were not updated by the regular Exabeam content packages.

As a result, these parsers have become out of date but remain enabled and active in Log Stream. Because parsers in this category have a higher priority than their corresponding default parsers, they cause the more up-to-date default parsers to be disabled. Discontinuing the Custom Default category resolves these issues and simplifies the overall categorization of parsers.

If you rely on any of the custom default parsers in your Log Stream environment and you want to retain the customizations they contain, you need to identify them and manually add the same customizations to the corresponding default parser.

For more information about this change to parser customization, and for the steps necessary to retain customizations you rely on, see Parser Types in the Log Stream Guide.

Filtering Live Tail by Source Collectors

The filtering capabilities in Live Tail have been enhanced with an additional option. In addition to being able to filter for all logs parsed by a specific parser, you can now opt to filter the Live Tail stream based on the source collector the logs are being ingested from. For more information about filtering the Live Tail stream, see View and Filter Data in the Live Tail section of the Log Stream Guide.

New-Scale Platform

Multi-factor Authentication for Local Accounts

Local accounts are the fallback for signing in when SSO is interrupted. To reduce downtime in that situation while still protecting those accounts with more than a password, you can now require Multi-factor Authentication (MFA) for all local accounts.

To activate MFA, enable it on the Single Sign-On/MFA settings page. When enabled, each local account must register an MFA token at its next login and then authenticate at every subsequent login with a compatible TOTP authenticator.

You can reset an account's token at any time from the Users settings page, which forces that account to register a new MFA token.

Improved Query Building for Secured Resources

The query building functionality available to define secured resources has been updated to include the improved capabilities already available in the Search application. These include the option to build queries using either Basic or Advanced search modes. The Basic mode allows you to select fields from pre-built options for fast, accurate query building. The Advanced mode provides the flexibility to manually build a query and includes the following upgrades:

  • Improved suggestions as you enter query syntax

  • Options to search in any column of a context table

  • Server-side parsing of Exabeam Query Language

For more information, see Secured Resources in the New-Scale Security Operations Platform Administration Guide.

Search

Improvements to the Timeline View of Search Results

The layout and behavior of the Timeline view of search results have been enhanced to reduce visual noise and make the investigation workflow more intuitive. To better represent the sometimes confusing relationships between events and detections, distinct Events and Detections columns are now labeled, and the associations between the events and detections in these columns have been clarified. For more information, see Timeline View of Search Results in the Search Guide.

Site Collectors 2.15

Custom Installation Folder

Site Collector now creates its installation folders during installation if they do not already exist:

  • If the default folders /tmp and /opt do not exist, they are created automatically.

  • If you specify a custom folder instead of the default /opt, for example /opt123, the specified folder is created if it does not already exist.

  • If you specify a custom folder instead of the default /tmp, for example /tmp123, the specified folder is created if it does not already exist.

Enhancement for the Splunk Collector

Optimized the performance of the Splunk collector when processing time-based conditions.

Precheck Implementation

A precheck now verifies that the /opt/exabeam_prep/ssl folder contains only valid SSL certificate files; other files, such as certificate bundles or non-certificate items, are not permitted there.
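
An added example of such a precheck, written for this page rather than taken from Site Collector: it walks a folder and rejects anything that is not exactly one PEM-encoded certificate, reporting why (a bundle with several blocks, a private key, non-PEM text, a corrupt base64 body, a subdirectory). The folder contents are constructed stand-ins, with a minimal DER SEQUENCE in place of a real certificate body, and the checks it applies are assumptions about what a valid certificate file means, not the precheck's actual rules.

```python
"""Folder precheck: every file must be exactly one PEM certificate.

Added example, not Site Collector's precheck. The folder layout, the checks
and the sample files are assumptions constructed for this example.
"""
import base64
import binascii
import os
import re
import tempfile
from typing import Dict, Tuple

# One PEM block: label, base64 body, matching END line (DOTALL so the body may span lines).
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def check_single_certificate(data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason) for one file's contents."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return False, "no PEM block found"
    if len(blocks) > 1:
        return False, f"{len(blocks)} PEM blocks: looks like a bundle"
    label, body = blocks[0]
    if label != b"CERTIFICATE":
        return False, f"PEM label is {label.decode()!r}, not CERTIFICATE"
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except binascii.Error:
        return False, "body is not valid base64"
    if not der or der[0] != 0x30:            # an X.509 certificate is a DER SEQUENCE
        return False, "decoded body is not a DER SEQUENCE"
    if PEM_BLOCK.sub(b"", data).strip():     # anything outside the block is suspicious
        return False, "extra data outside the PEM block"
    return True, "ok"


def precheck_ssl_folder(folder: str) -> Dict[str, str]:
    """Map each offending entry to its problem; an empty dict means the folder passes."""
    problems: Dict[str, str] = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            problems[name] = "not a regular file"
            continue
        with open(path, "rb") as fh:
            ok, reason = check_single_certificate(fh.read())
        if not ok:
            problems[name] = reason
    return problems


def _pem(label: str, der: bytes) -> bytes:
    return (f"-----BEGIN {label}-----\n".encode()
            + base64.encodebytes(der)
            + f"-----END {label}-----\n".encode())


def build_sample_folder() -> str:
    """Constructed inputs: a minimal DER SEQUENCE stands in for real certificate bodies."""
    stub = b"\x30\x03\x02\x01\x01"
    folder = tempfile.mkdtemp(prefix="ssl_precheck_")
    files = {
        "ca.pem": _pem("CERTIFICATE", stub),                                   # passes
        "chain.pem": _pem("CERTIFICATE", stub) + _pem("CERTIFICATE", stub),    # bundle
        "server.key": _pem("PRIVATE KEY", stub),                               # wrong label
        "README.txt": b"certificates go here\n",                               # not PEM
        "broken.pem": b"-----BEGIN CERTIFICATE-----\n@@@@\n-----END CERTIFICATE-----\n",
    }
    for name, data in files.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    os.mkdir(os.path.join(folder, "old"))                                      # subdirectory
    return folder


if __name__ == "__main__":
    for name, why in precheck_ssl_folder(build_sample_folder()).items():
        print(f"{name}: {why}")
```

A real deployment would go one step further and parse the DER with a certificate library to confirm the file is a certificate and not merely a SEQUENCE, but the structure above (one block, right label, clean base64, nothing else in the file) is what catches the bundles and stray files the release note calls out.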

Threat Center

Webhook Payload Enhancements

You can now get more context for automation and better track events with enhanced webhook payloads. When case or alert information is sent to a webhook, the payload now includes key timestamps:

  • alert_created_time, case_created_time, and case_closed_time are now included in the case webhook payload.

  • alert_created_time is now included in the alert webhook payload.

Threat Detection Management

Correlation Rule Trigger Schedules

To address specific use cases and improve correlation rule accuracy, you can schedule correlation rules to trigger on specific days or during specific periods only.

When you create or edit a correlation rule, you can schedule a correlation rule to trigger daily, weekly, monthly, or during a custom time period with specific start and end times.

Figure: The Trigger Schedules section in the correlation rule builder highlighted in a red rectangle.
Figure: The correlation rule builder showing the Trigger Schedules dialog.
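
The page lists the four schedule kinds but not how a window is evaluated. The following Python is an added example, not Exabeam code, that models one plausible evaluator for the Trigger Schedules feature (listed under Correlation Rules and again here): given a schedule and a timezone-aware event timestamp, it decides whether the rule may fire. The field names, the inclusive window bounds, and the treatment of a window that crosses midnight (the early-morning tail counts as the day the window started on, which matters for weekly and monthly schedules) are assumptions made for the example.

```python
"""Illustrative evaluator for correlation rule trigger schedules.

Added example; not Exabeam code. Field names, inclusive bounds and the
overnight-window handling are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class TriggerSchedule:
    kind: str                                     # "daily" | "weekly" | "monthly" | "custom"
    start: time = time(0, 0)                      # window start, local time in `tz`
    end: time = time(23, 59, 59)                  # window end; end < start means it crosses midnight
    weekdays: FrozenSet[int] = frozenset()        # weekly only; 0 = Monday ... 6 = Sunday
    days_of_month: FrozenSet[int] = frozenset()   # monthly only; 1..31
    period_start: Optional[datetime] = None       # custom only; timezone-aware
    period_end: Optional[datetime] = None         # custom only; timezone-aware
    tz: tzinfo = timezone.utc


def _in_window(t: time, start: time, end: time) -> bool:
    """Inclusive test that also handles windows such as 22:00-06:00."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def is_active(schedule: TriggerSchedule, ts: datetime) -> bool:
    """Return True if a rule with this schedule may trigger on an event at `ts`."""
    if ts.tzinfo is None:
        raise ValueError("event timestamp must be timezone-aware")
    if schedule.kind == "custom":
        if schedule.period_start is None or schedule.period_end is None:
            raise ValueError("custom schedule needs period_start and period_end")
        return schedule.period_start <= ts <= schedule.period_end
    if schedule.kind not in ("daily", "weekly", "monthly"):
        raise ValueError(f"unknown schedule kind {schedule.kind!r}")

    local = ts.astimezone(schedule.tz)
    if not _in_window(local.time(), schedule.start, schedule.end):
        return False
    # For an overnight window the early-morning tail belongs to the day the
    # window started on, so day-of-week / day-of-month are checked on that day.
    day = local
    if schedule.start > schedule.end and local.time() <= schedule.end:
        day = local - timedelta(days=1)
    if schedule.kind == "weekly":
        return day.weekday() in schedule.weekdays
    if schedule.kind == "monthly":
        return day.day in schedule.days_of_month
    return True


def demo() -> dict:
    """Schedules a SOC might attach to rules, evaluated on constructed timestamps (all UTC)."""
    utc = timezone.utc
    after_hours = TriggerSchedule("daily", start=time(20, 0), end=time(6, 0))
    weekend = TriggerSchedule("weekly", weekdays=frozenset({5, 6}))
    friday_night = TriggerSchedule("weekly", start=time(22, 0), end=time(6, 0), weekdays=frozenset({4}))
    change_freeze = TriggerSchedule(
        "custom",
        period_start=datetime(2025, 11, 10, tzinfo=utc),
        period_end=datetime(2025, 11, 12, tzinfo=utc),
    )
    return {
        "after_hours_23_30": is_active(after_hours, datetime(2025, 11, 3, 23, 30, tzinfo=utc)),
        "after_hours_03_00": is_active(after_hours, datetime(2025, 11, 4, 3, 0, tzinfo=utc)),
        "after_hours_12_00": is_active(after_hours, datetime(2025, 11, 4, 12, 0, tzinfo=utc)),
        "weekend_saturday": is_active(weekend, datetime(2025, 11, 8, 10, 0, tzinfo=utc)),
        "weekend_monday": is_active(weekend, datetime(2025, 11, 3, 10, 0, tzinfo=utc)),
        "friday_night_sat_02_00": is_active(friday_night, datetime(2025, 11, 8, 2, 0, tzinfo=utc)),
        "friday_night_sat_23_00": is_active(friday_night, datetime(2025, 11, 8, 23, 0, tzinfo=utc)),
        "freeze_inside": is_active(change_freeze, datetime(2025, 11, 11, tzinfo=utc)),
        "freeze_outside": is_active(change_freeze, datetime(2025, 11, 13, tzinfo=utc)),
    }


if __name__ == "__main__":
    for name, active in demo().items():
        print(f"{name:26} {'fires' if active else 'suppressed'}")
```

The practical caveat is the inverse of the feature: events outside the window are not matched by that rule at all, so a schedule is best used to scope a rule to the period in which the activity is anomalous (after-hours access, a change freeze) rather than to cut noise from a rule that should run continuously.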

Pre-Built Analytics Rule Update Enhancement

In pre-built analytics rule details, you can now more quickly identify and understand what's changed with an analytics rule update:

  • If an analytics rule has an available update, you can view an UPDATE AVAILABLE status in the analytics rule details.

    Figure: The details of an analytics rule with the Update Available status highlighted in a red rectangle.
  • You can view a streamlined summary of the specific fields and values that have been changed with the update.

    Figure: The Update Changes dialog showing the current value and new value for the anomalyThreshold field.

Additional Analytics Rule Details Actions

To streamline rule management, you can now edit, export, and adjust severity from the analytics rule details.

Figure: The details of an analytics rule with the Edit, Export, and Adjust Severity actions highlighted in a red rectangle.

Analytics Rule Details Summary Enhancement

To make the configuration of an analytics rule easier to understand, you can now view its key components in a human-readable format under Summary in the analytics rule details.

Figure: The Summary section in analytics rule details.

Analytics Rules Last Modified Column

You can now quickly identify and sort analytics rules by when they were last modified using the Last Modified column.

Figure: The Last Modified column in the Analytics Rules tab highlighted in a red rectangle.

New and Updated Pre-Built Analytics Rules

You can now better detect adversary techniques, from initial reconnaissance and privilege escalation to defense evasion and data exfiltration, with new and updated analytics rules.

New pre-built analytics rules include:

  • NumCP-Git-EC-U – An abnormal amount of GitHub API access events have been observed for this user.

  • NumDC-Git-RepoC-U-Object – An abnormal number of unique repository endpoints, where secrets are commonly stored, have been accessed by this user, which may indicate unauthorized enumeration or insider reconnaissance. The repository name is parsed into the object field, which is what this rule counts.

  • Prof-Auth-U-Okta-AnonVPN – This is the first time an Okta user has used an anonymous VPN to authenticate.

  • NumCP-FDel-LogFileCount-U – An abnormal number of log file deletion events have been observed for this user.

  • NumCP-PC-InsmodCmdC-DE – An abnormal number of 'insmod' (Install Module) process executions have been observed on this endpoint.

  • Prof-DL-U-O-Upit – This is the first time a kernel module/driver was loaded for this user.

  • NumCP-DL-EC-SE – An abnormal number of kernel module or drivers have been loaded on this endpoint.

  • Prof-PC-U-O-U-Modprobe – This is the first time a process execution of a 'modprobe' (Module Probe, a kernel module management tool) command has been observed for this user.

  • Fact-PC-Visudo – The /etc/sudoers file is typically edited with the visudo command, which locks the file against simultaneous edits and checks its syntax before saving, reducing the risk of a syntax error that locks users out of administrative access. An attacker may read this file to learn which users to target for privilege escalation, or write to it to grant elevated privileges to an account they already control.

  • NumCP-PC-ModprobeCmdC-U – An abnormal number of 'modprobe' (Module Probe, a kernel module management tool) process executions have been observed for this user.

  • Fact-PC-Chmod-Setuid – An adversary may change the setuid bits set in order to get code running in a different (and possibly more privileged) user's context.

  • Fact-FRead-Shadow – The shadow file (/etc/shadow) on Linux and other Unix-like systems stores password hashes and password-aging information for user accounts and is readable only by privileged users, which protects user passwords from unauthorized access. An attacker may try to read it to obtain password hashes for offline cracking.

  • Fact-PC-DisableHistoryCol – History collection can be disabled in unix shells by modifying the history environment variables. This can help the attacker to evade detection.

  • Fact-FA-Sudoers – The /etc/sudoers file is a critical configuration file on Unix-based operating systems. It controls which users and groups may execute commands with elevated (root) privileges through the sudo command. An attacker may read this file to learn which users to target for privilege escalation, or write to it to grant elevated privileges to an account they already control.

  • Fact-PC-Setfile-HiddenFile – The setfile command (SetFile on macOS) can mark a file as hidden by modifying its attributes, keeping it out of view of users. An attacker may create hidden files to evade detection.

  • Fact-Fwrite-HiddenFile – A file whose name starts with "." is a hidden file on Unix-like systems. An attacker may create hidden files to evade detection.

  • NumCP-DL-EC-UPIt – An abnormal number of kernel module or drivers have been loaded for this user.

  • Prof-DL-E-O-SE – This is the first time a kernel module/driver was loaded on this endpoint.

  • Cntx-EL-UCrit-ADomain – User is a domain account: True/False.

  • Fact-PC-SuspFind – Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. This command searches for files with the setuid (SUID) permission set for the owner.

  • NumCP-PC-ChmodCount-U – An abnormal number of 'chmod' (Change Mode) process executions have been observed for this user.

  • Prof-PC-E-O-SE-Modprobe – This is the first time a process execution of a 'modprobe' (Module Probe, a kernel module management tool) command has been observed on this endpoint.

  • NumCP-PC-ChownCount-U – An abnormal number of 'chown' (Change Owner) process executions have been observed for this user.

  • Prof-PC-E-O-SE-Insmod – This is the first time a process execution of a 'insmod' (Install Module) command has been observed on this endpoint.

  • NumCP-PC-KextloadCmdC-U – An abnormal number of 'kextload' (Kernel Extension Load) process executions have been observed for this user.

  • Fact-PC-Chmod-Setgid – An adversary may change the setgid bits set in order to get code running in a different (and possibly more privileged) user's context.

  • Fact-PC-LoginHookFile – Adversaries may use a Login Hook to establish persistence executed upon user logon. The plist can be modified using the defaults command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout.

  • NumCP-PC-SudoCount-U – An abnormal number of 'sudo' (Superuser Do) process executions have been observed for this user.

  • Prof-Fwrite-U-O-U-KernelExtExt – This is the first time a kernel extension file was created on MacOS system by this user.

  • Prof-PC-U-O-U-Insmod – This is the first time a process execution of a 'insmod' (Install Module) command has been observed for this user.

  • NumCP-PC-InsmodCmdC-U – An abnormal number of 'insmod' (Install Module) process executions have been observed for this user.

  • Fact-Fwrite-LoginHookFile – Adversaries may use a Login Hook to establish persistence executed upon user logon. They can add or insert a path to a malicious script in the com.apple.loginwindow.plist file, using the LoginHook or LogoutHook key-value pair.

  • Prof-FDel-U-O-U-LogFile – This is the first time a log file has been deleted by this user.

  • NumCP-PC-ModprobeCmdC-DE – An abnormal number of 'modprobe' (Module Probe, a kernel module management tool) process executions have been observed on this endpoint.

  • Prof-PC-U-O-U-Kextload – This is the first time a process execution of a 'kextload' (Kernel Extension Load) command has been observed for this user.

  • NumCP-PC-DirSearchCount-U – An abnormal number of unix file search process executions have been observed for this user.

  • Fact-PC-Chflags-HiddenFile – The chflags command can mark a file as hidden by setting the hidden flag on it, keeping it out of view of users. An attacker may create hidden files to evade detection.

  • Prof-PC-U-O-USudo – This is the first time a process execution of a 'sudo' (Superuser Do) command has been observed for this user.

  • Fact-FRead-Passwd – The passwd file (/etc/passwd) is a plain-text file on Unix-based operating systems, including Linux and macOS, that stores essential user account information. An attacker may read it to enumerate accounts and, on systems that do not use a shadow file, to obtain password hashes.

  • Fact-PC-ClearComHistory – Shell command history has been cleared, which can help an attacker evade detection.

  • Fact-FWrite-EtcLldSo – The /etc/ld.so.preload file, if present, allows users to add additional shared libraries that will be loaded before the standard libraries. This can be useful for various purposes, such as implementing custom libraries, applying system-wide modifications, or debugging and profiling applications. Attackers could use this file to force the loading of their own malicious libraries, enabling them to modify system behavior, escalate privileges, or intercept sensitive data.

  • Fact-PC-Shell-Base64 – Identifies base64 being decoded and passed to a Linux shell.

  • Fact-Fwrite-RCScripts – Adversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.

  • Prof-Fwrite-U-O-U-Plist – This is the first time a plist file was created by this user.
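
The following Python is an added example of detection logic for several of the techniques named on this page; it is not Exabeam's rule content, and the page does not show the actual conditions behind the templates or rules. The regular expressions approximate the intent of the four new correlation rule templates under Correlation Rules (drive, password policy, system language and log enumeration) and of some of the new Fact- analytics rules for Unix hosts listed above; the Prof- and NumCP- rules are behavioral baselines and are not reproduced. The events are constructed for the example, and the rule IDs in the approximates field name the page's template or rule that each pattern is modeled on.

```python
"""Regex approximations of several templates and Fact- rules named on this page.

Added example. The patterns are this example's own, not Exabeam's rule
conditions; the events are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    approximates: str        # template or rule on the page this pattern stands in for
    technique: str           # MITRE ATT&CK technique the page's wording maps to
    event_type: str          # "process" matches on cmd, "file_write" on path
    pattern: "re.Pattern[str]"


RULES: List[Rule] = [
    Rule("Fsutil Peripheral Device Discovery Command", "T1120", "process",
         re.compile(r"\bfsutil(?:\.exe)?\s+fsinfo\s+drives\b", re.I)),
    Rule("Password Policy Discovery Commands", "T1201", "process",
         re.compile(r"\bnet(?:\.exe)?\s+accounts\b|Get-ADDefaultDomainPasswordPolicy|\bchage\s+-l\b", re.I)),
    Rule("System Language Discovery Commands", "T1614.001", "process",
         re.compile(r"\bchcp(?:\.com)?\b|Get-WinSystemLocale|Get-Culture\b", re.I)),
    Rule("Log Enumeration Commands", "T1654", "process",
         re.compile(r"\bwevtutil(?:\.exe)?\s+(?:qe|el|gl)\b|Get-WinEvent|Get-EventLog|\bjournalctl\b", re.I)),
    Rule("Fact-PC-Shell-Base64", "T1140", "process",
         re.compile(r"\bbase64\s+(?:-d|--decode)\b.*\|\s*(?:ba|z|da)?sh\b")),
    # symbolic "u+s" or a 4-digit mode whose first digit carries the setuid bit (4)
    Rule("Fact-PC-Chmod-Setuid", "T1548.001", "process",
         re.compile(r"\bchmod\s+(?:-\S+\s+)*(?:[ugoa]*\+[rwxXt]*s\b|(?<!\d)[4-7][0-7]{3}(?!\d))")),
    Rule("Fact-PC-SuspFind", "T1083", "process",
         re.compile(r"\bfind\b.*-perm\s+[-/]?[0-7]?4000\b")),
    Rule("Fact-PC-DisableHistoryCol", "T1562.003", "process",
         re.compile(r"\bunset\s+HISTFILE\b|HISTFILE=/dev/null|HISTFILESIZE=0\b|HISTSIZE=0\b|set\s+\+o\s+history\b")),
    Rule("Fact-PC-ClearComHistory", "T1070.003", "process",
         re.compile(r"\bhistory\s+-c\b|\brm\s+(?:-\S+\s+)*\S*\.(?:bash|zsh)_history\b")),
    Rule("Fact-FWrite-EtcLldSo", "T1574.006", "file_write",
         re.compile(r"^/etc/ld\.so\.preload$")),
]

FIELD_FOR_TYPE = {"process": "cmd", "file_write": "path"}


def run_rules(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one hit per (event, rule) pair whose pattern matches the event's command line or path."""
    hits: List[Dict[str, object]] = []
    for index, event in enumerate(events):
        text = event.get(FIELD_FOR_TYPE.get(event.get("type", ""), ""), "")
        for rule in RULES:
            if rule.event_type == event.get("type") and rule.pattern.search(text):
                hits.append({"event": index, "host": event.get("host", "?"), "user": event.get("user", "?"),
                             "rule": rule.approximates, "technique": rule.technique})
    return hits


# Constructed sample telemetry (not real logs); one record per event.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "host": "ws01", "user": "alice", "cmd": "fsutil fsinfo drives"},
    {"type": "process", "host": "ws01", "user": "alice", "cmd": "net accounts /domain"},
    {"type": "process", "host": "ws01", "user": "alice", "cmd": "powershell.exe -nop -c Get-WinSystemLocale"},
    {"type": "process", "host": "ws01", "user": "alice", "cmd": "wevtutil qe Security /c:50 /f:text"},
    {"type": "process", "host": "srv02", "user": "svc", "cmd": "echo aWQ= | base64 -d | bash"},
    {"type": "process", "host": "srv02", "user": "svc", "cmd": "chmod 4755 /tmp/.x/helper"},
    {"type": "process", "host": "srv02", "user": "svc", "cmd": "find / -perm -4000 -type f 2>/dev/null"},
    {"type": "process", "host": "srv02", "user": "svc", "cmd": "unset HISTFILE"},
    {"type": "process", "host": "srv02", "user": "svc", "cmd": "history -c"},
    {"type": "file_write", "host": "srv02", "user": "svc", "path": "/etc/ld.so.preload"},
    {"type": "process", "host": "srv02", "user": "bob", "cmd": "chmod 644 notes.txt"},   # benign: no setuid bit
    {"type": "process", "host": "ws01", "user": "bob", "cmd": "ls -la /home/bob"},        # benign
]


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(f"event {hit['event']:2} {hit['host']:5} {hit['user']:6} {hit['technique']:10} {hit['rule']}")
```

Fact- rules of this kind fire on a single matching event, which is why the two benign commands at the end matter as much as the ten that match: a setuid pattern that also caught chmod 644 would be unusable in practice.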

Pre-built analytics rules for which featureValue was updated include:

  • Prof-STC-O-PN – This is the first time a scheduled task has been created and configured to execute this process for the organization.

  • NumDCP-FWrite-EC-U-FP – An abnormal number of unique files have been written for this user.

  • NumDCP-PCCEnum-TC-U-CEnum – An abnormal number of unique credential enumeration tools have been executed for this user.

  • Prof-PCipconfig-NetDisc-U-PN – This is the first time a process execution of 'ipconfig.exe' has been observed for this user.

  • Prof-PCpwrshell-En-O-PP – This is the first time a process execution of 'powershell.exe' with an encoded command has been observed for this parent process.

  • Prof-FPM-PublicCloud-B-U – This is the first time a cloud storage object was modified to become public in this bucket. By manipulating file permissions to make the object public, attackers can expose the data of important or sensitive files, making them available to read, download or even modify by everyone.

  • Prof-PC-PN-PltUD-PN – This is the first time this process has been executed on this platform for users in this department. This feature only models processes in the following categories: Windows commands, pentest tools, system enumeration, account enumeration, and network sniffers.

  • Prof-PCIOC-IOCPenT-U-PenT – This is the first time a process execution of a known pentesting tool has been observed for this user.

  • Prof-DllLoad-Dir-O-FD – This is the first time a DLL image file was loaded from this folder for the organization.

  • Prof-PC-PN-PltSZ-PN – This is the first time this process has been executed on this platform from this network zone. This feature only models processes in the following categories: Windows commands, pentest tools, system enumeration, account enumeration, and network sniffers.

  • Prof-DllLoad-Dll-O-FN – This is the first time this DLL image file was loaded in the organization.

  • Prof-PC-PN-Plt-PN – This is the first time this process has been executed on this platform. This feature only models processes in the following categories: Windows commands, pentest tools, system enumeration, account enumeration, and network sniffers.

  • NumDCP-PCHEnum-TC-U-HEnum – An abnormal number of unique host enumeration tools have been executed for this user.

  • Prof-CPM-Resource-O-R – This is the first time an IAM policy of a resource in this directory has been modified in GCP. IAM policies determine the roles and permissions granted to users on a resource.

  • Prof-RegR-Certs-U-RP – This is the first time this user has read this certificate\private key related registry value.

  • NumDCP-FRead-EC-B-FP – An abnormal number of unique files have been read in this bucket for this user.

  • Prof-CPM-Resource-U-R – This is the first time an IAM policy of a resource in this directory has been modified by this user in GCP. IAM policies determine the roles and permissions granted to users on a resource.

  • Prof-PC-PN-DE-PN – This is the first time this process has been executed on this endpoint. This feature only models processes in the following categories: Windows commands, pentest tools, system enumeration, account enumeration, and network sniffers.

  • Prof-RegA-PP-O-PP – This is the first time this process has performed a registry activity.

  • NumDCP-RegR-RPC-Cert-U-RP – An abnormal number of unique certificates and private keys related registry values have been read by this user.

  • Prof-SA-PN-UD-PN – This is the first time an alert triggered on this process for users in this department.

  • NumDCP-FRead-EC-UP-FP – An abnormal number of unique files have been read in this platform for this user.

  • NumDCP-FRead-EC-SA-FP – An abnormal number of unique files have been read in this storage account for this user.

  • Prof-STC-U-PN – This is the first time a scheduled task has been created and configured to execute this process for this user.

  • Prof-SA-PN-U-PN – This is the first time an alert triggered on this process for this user.

  • Prof-STC-TN-UD-TN – This is the first time a scheduled task with this name has been created for users in this department.

  • Prof-PC-PN-PltU-PN – This is the first time this process has been executed on this platform for this user. This feature only models processes in the following categories: Windows commands, pentest tools, system enumeration, account enumeration, and network sniffers.

  • Prof-PCroute-NetDisc-U-PN – This is the first time a process execution of 'route.exe' has been observed for this user.

  • Prof-SA-PN-O-PN – This is the first time a security alert triggered on this process for the organization.

  • NumDCP-FUSB-FPC-U-FP – An abnormal number of unique files have been written to peripheral storage devices for this user.

  • Prof-PC-O-Pdir – This is the first time a process execution has been observed from this directory.

  • Prof-STC-TN-O-TN – This is the first time a scheduled task with this name has been created.

  • Prof-WinSC-PP-SN-PP – This is the first time this service was created with this command process path.

  • Prof-PC-PN-Pdir – This is the first time a process execution has been observed from this directory for this process.

Pre-built analytics rules for which scoreUnless was updated include:

  • Prof-RegW-UAC-O-U – This is the first time this user has modified or created a registry key\value under the UAC configuration key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'.

  • Prof-RegW-U-DetailsLen – An abnormal registry details length has been observed for this user.

  • Fact-RegW-TrustProvider – A trust provider component has been modified via the registry.

  • Prof-RegW-IFEO-O-U – This is the first time this user has modified or created the Image File Execution Options of a process by writing to the registry value 'Debugger' under the key 'HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>'.

  • Prof-RegW-EnvVarPath-O-U – This is the first time this user has modified the PATH environment variable by writing to the registry value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path'.

  • Fact-RegE-SAM – The registry key 'HKLM\SAM' or 'HKLM\SYSTEM' has been exported from the registry.

  • Fact-RegW-RunService – Run Services registry keys have been modified.

  • Prof-RegW-CORPROFILER-O-U – This is the first time this user has modified or created a registry value for an environment variable associated with the COR_PROFILER.

  • Prof-RegW-Services-O-UD – This is the first time users in this department have modified or created a service by writing a registry key\value under the key 'HKLM\SYSTEM\CurrentControlSet\Services'.

  • Fact-RegE-Certs – Registry values related to certificates and private keys have been exported.

  • Fact-RegW-AppCert – An AppCert DLL registry configuration has been modified or created under the registry key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'.

  • Prof-RegW-SafeBoot-O-U – This is the first time this user has modified the safe mode boot configuration by writing to a registry value/key under the registry key HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal.

  • Prof-RegR-LSA-O-UD – This is the first time users in this department have read an LSA secret from the registry.

  • Fact-RegW-AppShim – A registry key/value has been created under the Shim database registry key 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom' or 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'.

  • Fact-RegW-ChromeExt – A Chrome extension has been installed via the registry.

  • Fact-RegW-OfficeTest – An Office test file has been modified by writing to the registry key HKCU\Software\Microsoft\Office test\Special\Perf.

  • Fact-RegW-SIP – A SIP component has been modified via the registry.

  • Fact-RegE-LSA – The registry key 'HKLM\SECURITY\Policy\Secrets' has been exported from the registry.

  • Fact-RegW-ControlPanel – A control panel item has been registered by writing to a registry key/value under HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls.

  • Fact-RegW-RootCert – A root certificate has been installed via the registry.

  • Prof-RegD-Services-O-UD – This is the first time users in this department have deleted a service by deleting a registry key\value under the key 'HKLM\SYSTEM\CurrentControlSet\Services'.

  • Prof-RegR-SAM-O-UD – This is the first time users in this department have read a registry value under the SAM registry key.

  • Fact-RegW-GlobalDotName – The registry value GlobalDotName has been created.

  • Fact-RegW-AppInit – An AppInit DLL registry configuration has been modified or created under the registry key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows' or 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'.

  • Prof-RegW-AppPaths-O-U – This is the first time this user has modified a registry key\value under the App Paths key '[HKLM/HKCU]\Software\Microsoft\Windows\CurrentVersion\App Paths'.

  • Prof-RegW-FileAssoc-O-U – This is the first time this user has modified a command of a file association handler by modifying its registry configuration.

  • Fact-RegW-CodeSigningPolicy – A code signing policy has been modified by writing to the registry key HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing.

  • Fact-RegD-RDPCon – The RDP connection history has been cleared via the registry.

  • Prof-RegW-SilentExitMon-O-U – This is the first time this user has modified or created the silent exit configuration of a process by writing a registry key\value under the key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'.

  • Fact-RegW-EventLogDisabled – The Event Log service has been disabled via the registry.

  • Fact-RegW-Netshell – A NetShell helper DLL has been registered or modified by writing the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh'.

  • Prof-RegA-PP-O-PP – This is the first time this process has performed a registry activity.

  • NumCP-RegD-EC-U – An abnormal number of registry deletion events have been observed for this user.

  • NumCP-RegD-Services-EC-DE – An abnormal number of unique service configurations have been deleted from the registry on this device.

  • NumDCP-RegR-RPC-Cert-U-RP – An abnormal number of unique certificate- and private-key-related registry values have been read by this user.

  • NumDCP-RegW-RPC-ServicesStop-DE-RP – An abnormal number of unique services have been stopped by modifying the registry on this endpoint.

  • NumCP-RegD-Services-EC-U – An abnormal number of unique service configurations have been deleted from the registry for this user.

  • Prof-RegR-Certs-U-RP – This is the first time this user has read this certificate\private key related registry value.

  • NumDCP-RegW-RPC-ServicesStop-U-RP – An abnormal number of unique services have been stopped by modifying the registry for this user.

  • NumCP-RegD-EC-DE – An abnormal number of registry deletion events have been observed on this device.

Pre-built analytics rules for which query was updated include:

  • NumSP-SADLP-Bytes-U-Bytes – An abnormal amount of outgoing bytes have been recorded in DLP alerts for this user.

  • NumCP-DSOW-EC-U – An abnormal number of directory service events have been observed for this user. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • NumDCP-FRead-EC-UP-FP – An abnormal number of unique files have been read in this platform for this user.

  • NumCP-DSOW-EC-UD – An abnormal number of directory service write events have been observed for users in this department. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • NumCP-DSOW-EC-O – An abnormal number of directory service write events have been observed for the organization. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • NumDCP-EL-DEC-SE-DE – An abnormal number of unique destination endpoints have been observed in successful endpoint login events from this endpoint. These events may include interactive Windows logins and other (interactive or not) OS logins.

  • NumDC-ShA-ShareC-U-DS – An abnormal number of unique network shares have been accessed for this user.

  • NumCP-EMR-EC-DU – An abnormal number of incoming emails have been observed for this user.

  • NumDCP-EL-DEC-U-DE – An abnormal number of unique destination endpoints have been observed in endpoint login events for this user. These events may include interactive Windows logins and other (interactive or not) OS logins, both failed and successful.

  • NumCP-PCpwrshell-EC-U – An abnormal number of PowerShell process executions have been observed for this user.

  • NumDCP-EL-DEC-O-DE – An abnormal number of unique destination endpoints have been observed in endpoint login events for the organization. These events may include interactive Windows logins and other (interactive or not) OS logins, both failed and successful.

  • NumSP-EMR-Bytes-DU-Bytes – An abnormal amount of bytes have been received in incoming emails for this user.

  • NumDCP-Network-DIPC-SE-DIP – An abnormal number of unique destination IPs have been accessed from this source endpoint.

  • NumCP-FDnld-EC-U – An abnormal number of file download events have been observed for this user.

  • NumCP-FUpld-EC-O – An abnormal number of file upload events have been observed for the organization.

  • NumCP-FDnld-EC-O – An abnormal number of file download events have been observed for the organization.

  • NumCP-FUpld-EC-U – An abnormal number of file upload events have been observed for this user.

  • NumCP-FUpld-EC-UD – An abnormal number of file upload events have been observed for users in this department.

  • NumCP-FDnld-EC-UD – An abnormal number of file download events have been observed for users in this department.

  • NumCP-RegD-EC-U – An abnormal number of registry deletion events have been observed for this user.

  • NumCP-RegD-Services-EC-DE – An abnormal number of unique service configurations have been deleted from the registry on this device.

  • NumDCP-RegR-RPC-Cert-U-RP – An abnormal number of unique certificate- and private-key-related registry values have been read by this user.

  • NumDCP-RegW-RPC-ServicesStop-DE-RP – An abnormal number of unique services have been stopped by modifying the registry on this endpoint.

  • NumCP-RegD-Services-EC-U – An abnormal number of unique service configurations have been deleted from the registry for this user.

  • NumDCP-RegW-RPC-ServicesStop-U-RP – An abnormal number of unique services have been stopped by modifying the registry for this user.

  • NumCP-RegD-EC-DE – An abnormal number of registry deletion events have been observed on this device.

Pre-built analytics rules for which trainOnCondition was updated include:

  • Prof-DllLoad-Dir-O-FD – First DLL image loaded from this folder for the organization.

  • Prof-DllLoad-Dll-O-FN – First DLL image with this name loaded for the organization.

Pre-built analytics rules for which scopeValue was updated include:

  • NumSP-FRead-FS-B-Bytes – An abnormal amount of file bytes have been read in this bucket for this user.

  • Prof-DllLoad-Ext-PN-FileExt – This is the first time a DLL image file with this extension was loaded for this process.

  • Prof-Network-SEPN-DE – This is the first time this process has accessed this destination endpoint from this source endpoint.

Pre-built analytics rules for which featureValue and scopeValue were updated include:

  • Prof-FWrite-UMWorkerProcess-PN-FN – This is the first time this file was created by the 'umworkerprocess.exe' process.

  • Prof-STC-PP-TN-PP – This is the first time a scheduled task has been created and configured to execute this process for this task name.

  • NumDCP-FRead-EC-B-FP – An abnormal number of unique files have been read in this bucket for this user.

Pre-built analytics rules for which applicable_events and actOnCondition were updated include:

  • Fact-SA-ET-RN – A correlation rule has been triggered.

  • Cntx-SA-AC-RSev – Correlation rule severity.

description was updated for the following pre-built analytics rule:

  • Prof-ShA-SE-SN – This is the first time this network share has been accessed from this endpoint.

scopeValue, featureValue, and trainOnCondition were updated for the following pre-built analytics rule:

  • Prof-PC-PPN-PPN-PN – First child process for this known parent process.

title, description, and detectionReason were updated for the following pre-built analytics rule:

  • Fact-PCecho-EchoP – The 'echo.exe' process has been used to execute a command associated with Meterpreter and Cobalt Strike’s GetSystem system privilege escalation function.

Removed obsolete pre-built analytics rules include:

  • Prof-GA-E-UP-SE – This is the first time an activity from this endpoint has been observed for this user on this platform.

  • Cntx-EL-UCrit-APriv – Domain account is privileged: True\False

New Correlation Rule Templates

You can now better detect adversary reconnaissance techniques with new correlation rule templates:

  • Fsutil Peripheral Device Discovery Command – Detects use of the fsutil command to enumerate drives, which may indicate reconnaissance or preparation for data exfiltration.

  • Password Policy Discovery Commands – Detects use of commands used to access information about password policies.

  • System Language Discovery Commands – Detects use of commands used to gather information about the system language of a victim to potentially infer the geographical location of that host.

  • Log Enumeration Commands – Detects the use of commands used to enumerate system and service logs.
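As an added illustration of the kind of command-line matching these templates perform, the following Python classifies process-creation events from constructed endpoint logs into the four discovery categories above. It is example code, not Exabeam's rule logic; the regular expressions, the log format, and the sample events are assumptions made for this example.

```python
import re
from typing import Optional

# Illustrative patterns only (assumptions for this example, not Exabeam's templates).
# Each entry maps one template name from the release notes to a regex over the
# process command line; order determines precedence when several could match.
TEMPLATES = {
    "Fsutil Peripheral Device Discovery Command":
        re.compile(r"\bfsutil(?:\.exe)?\s+fsinfo\s+drives\b", re.I),
    "Password Policy Discovery Commands":
        re.compile(r"\bnet1?(?:\.exe)?\s+accounts\b|\bGet-ADDefaultDomainPasswordPolicy\b", re.I),
    "System Language Discovery Commands":
        re.compile(r"\bchcp(?:\.com)?\b|Control\\Nls\\Language|\bGet-WinSystemLocale\b", re.I),
    "Log Enumeration Commands":
        re.compile(r"\bwevtutil(?:\.exe)?\s+(?:el|enum-logs|qe|query-events)\b|\bGet-WinEvent\b", re.I),
}

def classify(cmdline: str) -> Optional[str]:
    """Return the first matching template name, or None for a non-discovery command."""
    for name, pattern in TEMPLATES.items():
        if pattern.search(cmdline):
            return name
    return None

def parse_line(line: str) -> dict:
    """Parse a constructed '<ts> <host> <user> cmd=<command line>' event."""
    head, _, cmd = line.partition(" cmd=")
    ts, host, user = head.split()
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}

def scan(lines) -> list:
    """Return one hit per event whose command line matches a discovery template."""
    hits = []
    for line in lines:
        event = parse_line(line)
        template = classify(event["cmd"])
        if template:
            hits.append({**event, "template": template})
    return hits

# Constructed sample process-creation events (not real data).
SAMPLE_LOGS = [
    "2025-11-03T10:12:01Z WS01 jdoe cmd=fsutil fsinfo drives",
    "2025-11-03T10:12:05Z WS01 jdoe cmd=net accounts /domain",
    "2025-11-03T10:12:09Z WS01 jdoe cmd=reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language",
    "2025-11-03T10:12:14Z WS01 jdoe cmd=wevtutil el",
    "2025-11-03T10:15:00Z WS02 asmith cmd=notepad.exe C:\\Users\\asmith\\notes.txt",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['host']} {hit['user']}: {hit['template']} <- {hit['cmd']}")
```

Single matches such as `chcp` are noisy on their own; a correlation rule would normally require several of these categories from the same user or host within a short window before raising an alert.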

Resolved Issues

Attack Surface Insights Resolved Issues

Issue ID

Description

ENG-69014

If you used a Windows operating system, country flags for user entities did not display correctly because the flag icons were based on an emoji library not supported by Windows. The flag rendering library has been updated, and country flags now display correctly.

Search Resolved Issues

ID

Description

ENG-79511

Previously, when search results were exported, the approxLogTime field was not included in the export. This issue is resolved so that approxLogTime is included in exported results.

Site Collector 2.15: Resolved Issues

Release Number

Description

ENG-67509

Fixed an issue in which the user interface displayed a "certificate rotation failed" error even though the certificate had been generated successfully.

Site Collector 2.15: Security Vulnerabilities Remediations

The Site Collector 2.15 (November 2025) release includes remediated security vulnerabilities. For more information about Exabeam's commitment to remediating vulnerabilities for Site Collector, see the Vulnerability Remediation Policy.

Known CVE - CVE-2025-11226

The Toolkit has been deprecated and is no longer in use, so no security vulnerability update is available for it.

The following table lists the CVEs remediated for the Nifi container and their severity.

Critical – Total: 0

High – Total: 0

Medium – Total: 1

Low – Total: 0

CVE-2025-7425