New-Scale Security Operations Platform Release Notes

October 2025

The New-Scale Security Operations Platform includes the following new features and resolved issues for October 2025.

Cloud Collectors

Salesforce EventLog Cloud Collector

The Salesforce EventLog Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of various event types from the Salesforce cloud.

Snowflake Cloud Collector

The Snowflake Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of data from the Login History, Others, and Query History data sources.

Early Access Collectors

Broadcom Carbon Black Cloud Collector

The Broadcom Carbon Black Cloud Collector is now available as part of the Cloud Collectors Early Access program to facilitate ingestion of Alerts, Events, and Audit Logs from the storage bucket used by the data forwarder.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

Support for Importing and Exporting Configuration Settings for the REST API Cloud Collector

The REST API Cloud Collector now supports importing and exporting configuration settings. You can import configuration details in JSON format while configuring a new collector instance, and export them in JSON format for later use in backup, replication, or integration.

Log Stream

Host to IP Enrichment

Host to IP enrichment ensures that hostnames and IP addresses can be mapped to each other in order to enrich events with whichever of those fields is missing in the raw log. The system uses a dynamic host-IP mapping table to store those associations. Incoming logs are evaluated to determine if they meet the conditions necessary for host to IP enrichment. By default, host to IP enrichment takes place if the log includes one of a specific set of activity types.

For more information about this type of enrichment, see Host to IP Enrichment in the Log Stream Guide.

Note

Early Access Opportunity

An early access opportunity is available to customize the host to IP enrichment functionality. You may want to take advantage of this opportunity for either of the following reasons:

  • You find that the default enrichment condition is providing inaccurate host to IP mapping. The early access feature provides a different set of enrichment conditions that could result in more accurate mapping.

  • You want to limit host to IP enrichment to specific scenarios. You can work with Exabeam to develop a custom condition for deciding which logs to enrich. Instead of using the default set of activity types listed above, you can restrict enrichment to a more limited set of activity types, in combination with specific outcomes, vendors, or other fields.

If you would like to take advantage of this early access customization, email the following group: [email protected].
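As an added illustration (not Exabeam's implementation), the following Python sketch shows the mechanism described above: a dynamic host-to-IP mapping table learned from logs that carry both fields, a default condition keyed on activity type, and a narrower custom condition of the kind the early access program allows. The field names, the default activity-type set, and the vendor and outcome values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, str]
DEFAULT_ACTIVITY_TYPES = frozenset({"endpoint-login", "network-connection"})  # assumed defaults

def default_condition(event: Event) -> bool:
    return event.get("activity_type") in DEFAULT_ACTIVITY_TYPES

def custom_condition(event: Event) -> bool:
    """Early-access style condition: one activity type plus outcome and vendor (assumed values)."""
    return (event.get("activity_type") == "endpoint-login" and event.get("outcome") == "success"
            and event.get("vendor") == "Microsoft")

@dataclass
class HostIpEnricher:
    """Dynamic host<->IP mapping table plus the condition that gates enrichment."""
    should_enrich: Callable[[Event], bool] = default_condition
    host_to_ip: Dict[str, str] = field(default_factory=dict)
    ip_to_host: Dict[str, str] = field(default_factory=dict)

    def learn(self, event: Event) -> None:
        # Record a host/IP pair seen together; latest wins, stale reverse entries are dropped.
        host, ip = event.get("host"), event.get("src_ip")
        if host and ip:
            self.ip_to_host.pop(self.host_to_ip.get(host), None)
            self.host_to_ip.pop(self.ip_to_host.get(ip), None)
            self.host_to_ip[host], self.ip_to_host[ip] = ip, host

    def enrich(self, event: Event) -> Event:
        """Return a copy with the missing host or IP filled in when the condition holds."""
        out = dict(event)
        self.learn(out)
        if self.should_enrich(out):
            host, ip = out.get("host"), out.get("src_ip")
            if host and not ip and host in self.host_to_ip:
                out["src_ip"] = self.host_to_ip[host]
            elif ip and not host and ip in self.ip_to_host:
                out["host"] = self.ip_to_host[ip]
        return out

def run_demo(condition: Callable[[Event], bool] = default_condition) -> List[Event]:
    logs: List[Event] = [  # constructed sample log lines, not real data
        {"activity_type": "endpoint-login", "host": "ws-01", "src_ip": "10.0.0.5"},  # teaches table
        {"activity_type": "network-connection", "host": "ws-01"},       # IP missing: gets filled
        {"activity_type": "file-write", "src_ip": "10.0.0.5"},          # not a default type: skipped
        {"activity_type": "endpoint-login", "host": "ws-01", "src_ip": "10.0.0.9"},  # lease changed
        {"activity_type": "network-connection", "src_ip": "10.0.0.5"},  # stale IP: stays unmapped
    ]
    enricher = HostIpEnricher(should_enrich=condition)
    return [enricher.enrich(e) for e in logs]
```

Running `run_demo(custom_condition)` leaves the second event unenriched, which is the narrowing effect a custom condition is meant to have.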

New-Scale Platform

Improved Panel to View Permissions Assigned to a User Role

A new panel has been implemented to facilitate easier viewing of all the permissions assigned to a given user role in the New-Scale Security Operations Platform Settings. If the list of permissions is long, you can use the Search field to quickly locate a specific permission. Alternatively, you can filter the list by type of permission.

For custom user roles, the permissions panel also provides Edit and Delete options for modifying or removing the custom role.

For more information, see View Permissions in a User Role.

Duplicate Roles

To speed up role creation, you can now duplicate an existing role and modify the copy instead of building a new role from scratch.

UI and API Restriction by IP

A new IP-Based Access page has been added to the New-Scale Security Operations Platform Settings. On this page, you can manage UI and public API access to New-Scale functionality based on IP address. You can add IP addresses, either individually or as ranges, to build the allowed list, and you can edit or delete entries already on the list.

For more information, see Manage Access by IP Addresses.

Outcomes Navigator

Unsupported Status for session-end Advanced Analytics Rules

To improve the accuracy of coverage calculations, Advanced Analytics rules whose rule expressions include session-end events are now excluded from coverage calculations and marked as Unsupported.

Unsupported analytics rules

Search

Entity Details Information Available from Search Results

A new Entities tab is now available in the Details panel for viewing user entity information when search results return events associated with parsed user entity fields. This new tab provides multiple ways to explore the user entities that may be associated with security risks or anomalous behavior associated with the events in your search results:

  • When the Entities tab is displayed in the Details panel, it lists each user entity associated with a specific event in your search results.

  • For each entity listed in the Entities tab, you can opt to view the User Entity Details panel, which displays entity information that is stored in the Attack Surface Insights application. This option provides access to extensive user entity information without leaving the Search application results. For more information about what the Entity Details panel shows and how to use it, see View Entity Details in the Attack Surface Insights Guide.

  • For each entity listed in the Entities tab, you can use the User Entity Timeline option to open a new Search window that automatically populates and runs a search for activities related to the selected entity. This option pivots to a new Search window so you can drill down on the behavior of specific entities without closing the results you're already exploring.

For more information about all of these Entities tab capabilities, see Entity Details in the Search Guide.

Expanded Context Table Information Displayed in Search Results

More context table information is now visible in search results when a field value is extracted from a context table record. To enhance the way context information is presented in search results, some new formats are in use:

  • In the List and Timeline views of search results, where parsed fields are displayed for an event, a field whose value is extracted from a context table record is shown with a new icon and in a purple chip. The chip includes the context table name, the column, and the extracted value.

  • In the Parsed Fields list of an Event tab in the Details panel, even more information is available about the context table that a field value was extracted from. Using an expanded table, values are included from other columns in the same record of the context table. An arrow points to the specific column the value was extracted from.

For more information, see Context Tables in Search in the Search Guide.

Site Collectors 2.14

Enhancements for the MySQL Collector

You can now enable the SSL option while configuring the MySQL collector to establish a secure connection between the MySQL collector and the MySQL server.

Threat Center

Comments for All Predefined Case Closed Reasons

To add more context to case closures, you can now enter a comment for all predefined case closed reasons.

Screenshots show the Close Case dialog box with each predefined reason selected (Already Mitigated / Resolved, False Positive or Duplicate, Low Risk, Policy or Setup Issue, and Rule Misconfiguration), each with an optional text box below to provide a supporting reason.

Threat Detection Management

Increased Analytics Rule Description Character Limit

To ensure you can communicate everything you want with the analytics rule description, you can now add up to 1,024 characters in the description when using the analytics rule builder.

Analytics Rule Configuration Enhancements

To simplify and improve the consistency of analytics rule configuration, several analytics rule fields and the analytics rule builder experience have been enhanced.

For factFeature rules:

  • actOnCondition is now mandatory when creating a rule using JSON.

  • trainOnCondition is now mandatory and must always be "true" when creating a rule using JSON. When creating a rule using the analytics rule builder, trainOnCondition is set to true by default and is no longer configurable.

  • value is now optional.

    The Value field for a factFeature rule in the analytics rule builder.

For numericCountProfiledFeature, numericDistinctCountProfiledFeature, and numericSumProfiledFeature rules, the Count per field is now optional in the analytics rule builder.

The Count Per field in the analytics rule builder.
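To check rule definitions against these constraints before importing them as JSON, here is an added Python validator (example code, not part of the product). The keys actOnCondition, trainOnCondition and value come from the notes above; ruleType, ruleName and countPer are assumed placeholders for the rule type, rule name and the builder's Count per field, and the sample rules are constructed.

```python
from typing import Any, Dict, List

# Assumed JSON keys for this illustration: the page names actOnCondition,
# trainOnCondition and value; "ruleType", "ruleName" and "countPer" are
# placeholders for the rule type, rule name and the builder's Count per field.
PROFILED_COUNT_TYPES = frozenset({"numericCountProfiledFeature",
                                  "numericDistinctCountProfiledFeature",
                                  "numericSumProfiledFeature"})


def validate_rule(rule: Dict[str, Any]) -> List[str]:
    """Return the problems found in one rule definition (empty list = passes)."""
    problems: List[str] = []
    name, rtype = rule.get("ruleName", "<unnamed>"), rule.get("ruleType")
    if rtype == "factFeature":
        if "actOnCondition" not in rule:
            problems.append(f"{name}: actOnCondition is mandatory for factFeature rules")
        if "trainOnCondition" not in rule:
            problems.append(f"{name}: trainOnCondition is mandatory for factFeature rules")
        elif rule["trainOnCondition"] not in (True, "true"):  # boolean or string form accepted here
            problems.append(f"{name}: trainOnCondition must be true for factFeature rules")
        # value is optional for factFeature rules, so its absence is not a problem.
    elif rtype in PROFILED_COUNT_TYPES:
        # Count per is optional for these types; only an explicitly empty value is flagged.
        if rule.get("countPer") == "":
            problems.append(f"{name}: countPer is present but empty; omit it or name a field")
    return problems


def validate_rules(rules: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Validate a batch and return the problems keyed by rule name."""
    return {r.get("ruleName", "<unnamed>"): validate_rule(r) for r in rules}


# Constructed sample rules (not from the product) exercising each constraint.
SAMPLE_RULES: List[Dict[str, Any]] = [
    {"ruleName": "fact-ok", "ruleType": "factFeature",
     "actOnCondition": "<condition expression>", "trainOnCondition": "true"},
    {"ruleName": "fact-missing-act", "ruleType": "factFeature", "trainOnCondition": True},
    {"ruleName": "fact-bad-train", "ruleType": "factFeature",
     "actOnCondition": "<condition expression>", "trainOnCondition": "false", "value": "1"},
    {"ruleName": "count-no-countper", "ruleType": "numericCountProfiledFeature"},
    {"ruleName": "count-empty-countper", "ruleType": "numericSumProfiledFeature", "countPer": ""},
]
```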

New and Updated Pre-Built Analytics Rules

You can now better detect registry manipulations, anomalous user and endpoint activity, and suspicious network data transfers with new and updated pre-built analytics rules.

New pre-built analytics rules include:

  • NumDCP-RegW-RPC-ServicesStop-U-RP – Abnormal number of unique services was stopped by modifying the registry for this user

  • NumDCP-RegW-RPC-ServicesStop-DE-RP – Abnormal number of unique services was stopped by modifying the registry on this endpoint

  • Fact-RegW-GlobalDotName – The registry value GlobalDotName was created

  • NumCP-RegD-EC-U – Abnormal number of registry deletion events for this user

  • NumCP-RegD-EC-DE – Abnormal number of registry deletion events on this endpoint

  • NumCP-RegD-Services-EC-U – Abnormal number of unique service configurations deleted from the registry for this user

  • NumCP-RegD-Services-EC-DE – Abnormal number of unique service configurations deleted from the registry on this endpoint

  • Prof-RegD-Services-O-U – First deletion of a service registry configuration for this user

  • Prof-RegD-Services-O-UD – First deletion of a service registry configuration for users in this department

  • Prof-RegA-PP-O-PP – First registry activity for this process

  • Fact-RegD-RDPCon – The RDP connection history was cleared via the registry

  • Fact-RegE-SAM – The SAM key was exported from the registry

  • Fact-RegE-LSA – The LSA secrets key was exported from the registry

  • Fact-RegE-Certs – System certificate keys were exported from the registry

  • Prof-RegR-SAM-O-U – First SAM registry value read for this user

  • Prof-RegR-SAM-O-UD – First SAM registry value read for users in this department

  • Prof-RegR-LSA-O-U – First registry LSA secret read for this user

  • Prof-RegR-LSA-O-UD – First registry LSA secret read for users in this department

  • Prof-RegR-Certs-U-RP – First read of this certificate\private key registry value for this user

  • NumDCP-RegR-RPC-Cert-U-RP – Abnormal number of unique certificates\private keys registry values read for this user

  • Fact-RegW-AppCert – An AppCert DLL was registered or modified via registry

  • Fact-RegW-AppInit – An AppInit DLL was registered or modified via registry

  • Fact-RegW-AppShim – A Shim database was installed via the registry

  • Fact-RegW-ChromeExt – A Chrome extension was installed via the registry

  • Fact-RegW-CodeSigningPolicy – A code signing policy was modified via the registry

  • Fact-RegW-ControlPanel – A Control Panel item was registered via the registry

  • Prof-RegW-UAC-O-U – First modification of the UAC registry configuration for this user

  • Prof-RegW-AppPaths-O-U – First modification of the App Paths registry configuration for this user

  • Prof-RegW-Services-O-U – First modification or creation of a service via the registry for this user

  • Prof-RegW-Services-O-UD – First modification or creation of a service via the registry for users in this department

  • Prof-RegW-IFEO-O-U – First modification of the Image File Execution Options registry configuration for this user

  • Prof-RegW-SilentExitMon-O-U – First modification of the SilentProcessExit registry configuration for this user

  • Prof-RegW-EnvVarPath-O-U – First modification of the PATH environment variable in the registry for this user

  • Prof-RegW-CORPROFILER-O-U – First modification of a COR_PROFILER environment variable in the registry for this user

  • Prof-RegW-SafeBoot-O-U – First modification of the safe mode registry configuration for this user

  • Prof-RegW-FileAssoc-O-U – First modification of a file association handler command's registry configuration for this user

  • Prof-RegW-COM-O-CLSID – First modification of this COM class registry path for the organization

  • Prof-RegW-COM-U-CLSID – First modification of this COM class registry path for this user

  • Fact-RegW-EventLogDisabled – The Event Log service was disabled via the registry

  • Fact-RegW-Netshell – A NetShell helper DLL was registered or modified via registry

  • Fact-RegW-OfficeTest – An Office test file was modified via the registry

  • Fact-RegW-RootCert – A root certificate was installed via the registry

  • Fact-RegW-RunService – Run Services registry keys were modified

  • Fact-RegW-SIP – A SIP component was modified via the registry

  • Fact-RegW-TrustProvider – A trust provider component was modified via the registry

  • Prof-RegW-U-DetailsLen – Abnormal registry details length for this user

Pre-built analytics rules for which trainOnCondition was updated include:

  • Prof-GA-PrivU-PltOp-PrivU – First successful platform operation from a non-privileged user

  • Prof-GA-Country-O-DCountry – First activity to this country for the organization

  • Prof-GA-Country-U-SCountry – First activity from this country for this user

  • Prof-EL-E-U-SE – First endpoint login event from this endpoint for this user

  • Prof-GA-Country-O-SCountry – First activity from this country for the organization

  • Prof-GA-E-Plt-SZ – First activity from this network zone for this platform

  • Prof-GA-E-UP-SE – First activity from this endpoint on this platform for this user

  • Prof-GA-Op-Plt-Op – First operation for this platform

  • Prof-GA-Plt-U-Plt – First activity on this platform for this user

  • Prof-GA-Plt-UD-Plt – First activity on this platform for users in this department

  • Prof-GA-RGN-O-RGN – First cloud region for the organization

  • Prof-Web-WebDom-O-Tld – First HTTP communication to this top level domain for the organization

scopeValue and applicable_events were updated for the following pre-built analytics rule:

  • NumSP-Network-BytesOut-SEDP-Bytes – Abnormal amount of bytes sent using SSH, Telnet, SMTP, DNS, FTP, HTTP or HTTPS protocols in outbound communication from this endpoint to this port

Resolved Issues

Site Collector 2.14: Security Vulnerabilities Remediations

The Site Collectors 2.14 (October 2025) release includes remediated security vulnerabilities. For more information about Exabeam's commitment to remediating vulnerabilities for Site Collector, see the Vulnerability Remediation Policy.

There are no open known CVEs in any container image (Nifi). The Toolkit has been deprecated and is no longer in use, so no security vulnerability update is available for it.

The following lists the CVEs remediated for the Nifi container, grouped by severity.

Critical (Total: 0)

  • None

High (Total: 1)

  • CVE-2025-9900

Medium (Total: 5)

  • CVE-2023-45803

  • CVE-2024-3651

  • CVE-2025-7709

  • CVE-2025-8058

  • CVE-2025-9230

Low (Total: 2)

  • CVE-2025-6297

  • CVE-2025-9165