
New-Scale Security Operations Platform Release Notes

September 2025

The New-Scale Security Operations Platform includes the following new features and resolved issues for September 2025.

Automation Management

Feature

Description

Automation Agent Image Version 1.532.1 Upgrade

The automation agent image is now upgraded to version 1.532.1. With the upgrade:

  • If a playbook contains actions using an automation agent that is not running, the playbook is automatically stopped after one minute.

  • You can now quickly identify the health and availability of an automation agent when selecting automation agents for an action. A green dot indicates that an automation agent is running; a red dot indicates that an automation agent is not running.


To take advantage of this upgrade, download the upgraded automation agent image using the following command:

docker pull us-docker.pkg.dev/exa-cloud-utils/public/exabeam-automation-agent:2.0

When you create and run a container using the environment variables for your automation agent, use the following updated command:

docker run --env-file ./agentworkerconfig.env us-docker.pkg.dev/exa-cloud-utils/public/exabeam-automation-agent:2.0

Cloud Collectors

Feature

Description

GCP Cloud Logging Cloud Collector

The GCP Cloud Logging Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of logs from Google Cloud services.

GCP Security Command Center Cloud Collector

The GCP Security Command Center Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of logs from GCP Security Command Center.

Progress ShareFile Cloud Collector

The Progress ShareFile Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of logs from the ShareFile endpoints: AccessChange, SharesSend, Activity, and SharesRequest.

Early Access Collectors

Cylance Protect (now Arctic Wolf) Cloud Collector

The Cylance Protect (now Arctic Wolf) Cloud Collector is now available as part of the Cloud Collectors Early Access program, to facilitate ingestion of logs from the following data sources: Memory Protection (threats related to memory vulnerabilities), Threats (threat detection alerts and related information), or both.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

Salesforce EventLog Cloud Collector

The Salesforce EventLog Cloud Collector is now available as part of Cloud Collectors Early Access program, to facilitate ingestion of various event types from Salesforce cloud.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

Snowflake Cloud Collector

The Snowflake Cloud Collector is now available as part of Cloud Collectors Early Access program, to facilitate ingestion of data from data sources Login History, Others, and Query History.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

Correlation Rules

Feature

Description

Standalone Case Creation from Correlation Rules

To quickly identify Threat Center cases created as the outcome of a correlation rule, you can now create a standalone case containing the correlation rule detection using a detection grouping rule. Detection grouping rules can now group correlation rule detections into a case by the correlation rule's group-by field.

For Threat Center to create standalone cases for correlation rule detections, you must create a detection grouping rule with specific conditions and actions, and the detection grouping rule must be ordered first in the list of detection grouping rules.

The configuration of a detection grouping rule that creates a standalone case for correlation rule detections.

New and Updated Correlation Rule Templates

You can now better detect suspicious logins, exploitation of the Log4Shell vulnerability, suspicious use of system utilities, data exfiltration, firewall tampering, and common web application attacks with new correlation rule templates:

  • Failed logins for a large number of users from this endpoint – Failed logins have been observed for 10 or more different users from this endpoint in 10 minutes.

  • An email subject associated with CVE-2021-44228 was observed – An email activity containing an email subject with JNDI strings related to CVE-2021-44228 has been observed.

  • Port forwarding configured using 'netsh.exe' – Port forwarding has been configured using the Network Shell command line utility.

  • DLL executed using 'odbcconf.exe' – The Open Database Connectivity configuration utility ('odbcconf.exe') has been used to register and execute an arbitrary DLL.

  • HTA file executed using 'mshta.exe' – The Microsoft HTML Applications ('mshta.exe') utility has been used to execute an HTML application script file ('.hta').

  • Web activity associated with CVE-2021-44228 was observed – Web activity containing a URL, user agent, mime or referrer with JNDI strings related to CVE-2021-44228 has been observed.

  • A process associated with CVE-2021-44228 was executed – A process execution with JNDI command line strings related to CVE-2021-44228 has been observed.

  • SUSEFireWall2 disabled – The SUSEFireWall2 firewall script has been stopped. This allows potentially malicious network communications into and out of the endpoint.

  • Exchange mailbox exported using PowerShell – An Exchange mailbox has been exported using a PowerShell script.

  • PowerCat downloaded using PowerShell – The PowerCat tool has been downloaded using a PowerShell script.

  • Insecure design remote JMX access – Monitor for application behavior that exposes sensitive functionality without proper controls, such as debug endpoints or unprotected admin interfaces.

  • Cross-site Scripting – Monitor for web requests containing suspicious input patterns which may indicate cross-site scripting attempts.

  • Directory traversal – Identify requests attempting to access unauthorized directories using traversal sequences.

  • SQL injection – Detect inbound HTTP requests that suggest SQL injection activity.

  • Software and data integrity failures web root – Detect unauthorized changes to critical files, unsigned software updates, or tampering with CI/CD pipelines.

  • Failed logins for a large number of users to this endpoint – Failed logins have been observed for 10 or more different users to this endpoint in 10 minutes.

  • Service Stop – Monitors for the stopping of services, which could indicate attempts to disrupt system operations or evade detection.

  • Ransom Note Dropped – Detects the creation of ransom notes indicative of internal system defacement by attackers.

Removed obsolete correlation rule templates include:

  • Sysmon driver was unloaded – The Sysmon driver has been unloaded. This causes Sysmon to stop auditing logs, which could be used by attackers to evade detection.

  • Bruteforce: Large amount of failed logins to this endpoint for this user – This user has failed to log in to this endpoint 10 or more times in 1 minute.

Fields have been modified in an additional 189 correlation rule templates.
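As an added illustration of the two failed-login templates listed above (10 or more distinct users in 10 minutes, keyed on the source endpoint for "from this endpoint" and on the destination endpoint for "to this endpoint"), here is a sliding-window detector run over constructed sample events. It is example code, not Exabeam's rule engine, and the event field names (src_host, dest_host, outcome) and the reset-after-firing behaviour are assumptions.

```python
"""Sliding-window model of the two new correlation rule templates
"Failed logins for a large number of users from this endpoint" and
"... to this endpoint": 10 or more distinct users failing to log in within
10 minutes, keyed on the source or the destination endpoint.
Added example; the event field names are assumed, not Exabeam's schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # per the template text: 10 minutes
THRESHOLD = 10                   # per the template text: 10 or more users


def detect_failed_login_spray(events, key_field):
    """Return detections for every endpoint where THRESHOLD distinct users
    failed to log in within WINDOW.

    events:    dicts with 'time' (ISO 8601), 'user', 'src_host', 'dest_host',
               'outcome' ('success' or 'failure').
    key_field: 'src_host' for "from this endpoint", 'dest_host' for "to".
    """
    recent = defaultdict(deque)   # endpoint -> (time, user) pairs, oldest first
    detections = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["outcome"] != "failure":
            continue                # successes do not count toward the rule
        endpoint = ev[key_field]
        ts = datetime.fromisoformat(ev["time"])
        window = recent[endpoint]
        window.append((ts, ev["user"]))
        while ts - window[0][0] > WINDOW:   # expire events older than 10 min
            window.popleft()
        users = {u for _, u in window}
        if len(users) >= THRESHOLD:
            detections.append({
                "rule": f"Failed logins for a large number of users ({key_field})",
                "endpoint": endpoint,
                "distinct_users": len(users),
                "window_start": window[0][0].isoformat(),
                "fired_at": ts.isoformat(),
            })
            window.clear()          # assumption: reset so a later spray fires again
    return detections


def sample_events():
    """Constructed sample data, not real logs."""
    base = datetime(2025, 9, 15, 9, 0, 0)
    events = []

    def add(offset, user, src, dest, outcome="failure"):
        events.append({"time": (base + offset).isoformat(), "user": user,
                       "src_host": src, "dest_host": dest, "outcome": outcome})

    # A password spray: 12 distinct users from WS-042 against DC01, 20 s apart.
    for i in range(12):
        add(timedelta(seconds=20 * i), f"user{i:02d}", "WS-042", "DC01")
    # Ten distinct users from WS-077 to FS01 spread over 27 minutes: never
    # 10 inside one 10-minute window, so the rule must stay quiet.
    for i in range(10):
        add(timedelta(minutes=3 * i), f"slow{i:02d}", "WS-077", "FS01")
    # One user mistyping a password three times, then succeeding: benign.
    for s in (60, 70, 80):
        add(timedelta(seconds=s), "alice", "WS-013", "FS01")
    add(timedelta(seconds=90), "alice", "WS-013", "FS01", outcome="success")
    return events


if __name__ == "__main__":
    for field in ("src_host", "dest_host"):
        for d in detect_failed_login_spray(sample_events(), field):
            print(d)
```

Only the spray endpoint pair (WS-042 as source, DC01 as destination) fires; the slow set and the single mistyping user stay below the threshold within any 10-minute window.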

Log Sources

Feature

Description

Support for Silent Log Source Detection from 30 Minutes of Inactivity

You can now proactively detect silent log sources before they impact operations by using the Silent Monitoring Threshold feature. Set the Warn After Silent For duration to any value from 30 minutes to 72 hours to detect inactivity automatically. When a log source goes silent beyond your defined window, you are notified immediately, helping you maintain visibility and control.

Outcomes Navigator

Feature

Description

Peer Comparison

To get a better sense of how your security posture compares to that of other organizations, you can now benchmark your coverage against industry peers.

Under the MITRE ATT&CK Coverage and Use Case Coverage tabs, select the organizations against which you're comparing coverage by industry and organization size:

The Peer Comparison selection criteria.

Under the overall coverage score charts, you can compare your overall coverage score against the average overall coverage score of other organizations:

The Use Case Coverage Score chart with peer comparison.

For a specific MITRE ATT&CK® technique[a] or use case, you can also use the Coverage Over Time chart to compare your coverage score for a specific technique or use case against the average coverage score of other organizations, using the same criteria for organizations you defined in the overall coverage score:

The Coverage Over Time chart with peer comparison.

To view the relative change in the coverage score over the last month for the organization types you selected, hover over a point in the line chart:

The Use Case Coverage Score chart showing the popover that appears when you hover over a point in the line.
Information about the relative change in the average Use Case Coverage Score compared to the previous period for the peer comparison organizations that appears when you hover a point in the Coverage Over Time chart.

[a] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.

Search

Feature

Description

Support for Sort Order in Exported Search Results

The sort order selector is now available when exporting search results. It includes options to sort chronologically to show the most recent or the oldest results. For more information, see Export Search Results in the Search Guide.

Associated Events for Detections in the Timeline View

Search has been updated to support the display of all events associated with a detection in the Timeline view. A detection event can be triggered by multiple events and, to keep the display of results in the Timeline view simple and uncluttered, the detection is shown only on the row of the latest chronological event that triggered it. Now, a new Show Associated Events option in the detection box lets you expand a full list of all the events associated with the detection.

The list of associated events expands below the original event row, and you can interact with the listed events in all the ways you can interact with other events. Alternatively, you can open the expanded set of associated events in a new Search tab.


For more information, see Detections in the Timeline in the Search Guide.

Site Collectors 2.13

Feature

Description

Upgrade to NiFi 2.5

In line with the vulnerability remediation policy, Apache NiFi is upgraded to the latest available version, 2.5, for enhanced performance, security, stability, and integration capabilities.

Enhanced Template Update Process

The updated templates now improve how agent collectors receive the latest changes, making the update process more reliable and efficient. The template types include: Windows, Windows File, Linux File, Archive Windows, and Archive Linux. To avoid errors and improve stability during bulk operations, limits on the quantity and frequency of updates have been added. This ensures smooth, time-distributed delivery of actions, prevents system overload, and maintains full control over throttling.

Threat Center

Feature

Description

Analytics Rules Severity

To manually tune Threat Center case or alert risk scores, you can now adjust the severity of analytics rules.

Window for adjusting analytics rule severity.

Analytics rule severity is now one of the business factors Threat Center uses when calculating a case or alert risk score. Each severity, from low to critical, has a corresponding weight that reduces or increases the risk score. The none severity doesn't affect risk scoring and can be used to test the analytics rule. When Threat Center calculates a risk score, it considers the highest severity of all analytics rules associated with detections grouped under the case or alert.

You can assign an analytics rule the following severities:

  • None – Analytics rule is not used in risk scoring. Used for testing the analytics rule.

  • Low – Reduces risk score.

  • Medium – Doesn't adjust the risk score.

  • High – Increases risk score.

  • Critical – Significantly increases risk score.

Analytics rule severity doesn't affect risk scores for existing cases and alerts. To revise risk scores for existing cases and alerts, ensure that you re-train the analytics engine on past events.

Standalone Case Creation from Correlation Rules

To quickly identify Threat Center cases created as the outcome of a correlation rule, you can now create a standalone case containing the correlation rule detection using a detection grouping rule. Detection grouping rules can now group correlation rule detections into a case by the correlation rule's group-by field.

For Threat Center to create standalone cases for correlation rule detections, you must create a detection grouping rule with specific conditions and actions, and the detection grouping rule must be ordered first in the list of detection grouping rules.

The configuration of a detection grouping rule that creates a standalone case for correlation rule detections.

Case Opened in New Tab

To keep the case or alert list easily accessible while working on cases or alerts, you can now right-click on a case or alert and open it in a new browser tab.


Increased Case Notes Character Limit

To ensure you can communicate everything you want to with case notes, you can now add up to 10,000 characters in a single note.


Increase Custom Case Closed Reason Character Limit

To ensure you can communicate everything you want to when entering a custom case closed reason, you can now add up to 10,000 characters in a custom case closed reason.


Increased Attachment Size Limit

To ensure you can attach important evidence to a case, you can now attach a file of up to 15 MB.


Threat Detection Management

Feature

Description

Custom Analytics Rule Builder

You can now create a custom analytics rule directly in Threat Detection Management with a point-and-click interface. The guided experience walks you through each step so you can easily create and edit analytics rules. After you create a custom analytics rule, you can also edit and delete it.

The first step of the analytics rule builder, where you enter a name for the analytics rule and select the analytics rule type.
The second step of the analytics rule builder, where you select applicable events for the analytics rule.
The third step of the analytics rule builder, where you configure the detection logic and conditions.
The fifth step of the analytics rule builder, where you configure baseline and training behaviour.
The step of the analytics rule builder where you finalize rule details.

Analytics Rules Severity

To manually tune Threat Center case or alert risk scores, you can now adjust the severity of analytics rules.

Window for adjusting analytics rule severity.

Analytics rule severity is now one of the business factors Threat Center uses when calculating a case or alert risk score. Each severity, from low to critical, has a corresponding weight that reduces or increases the risk score. The none severity doesn't affect risk scoring and can be used to test the analytics rule. When Threat Center calculates a risk score, it considers the highest severity of all analytics rules associated with detections grouped under the case or alert.

You can assign an analytics rule the following severities:

  • None – Analytics rule is not used in risk scoring. Used for testing the analytics rule.

  • Low – Reduces risk score.

  • Medium – Doesn't adjust the risk score.

  • High – Increases risk score.

  • Critical – Significantly increases risk score.

Analytics rule severity doesn't affect risk scores for existing cases and alerts. To revise risk scores for existing cases and alerts, ensure that you re-train the analytics engine on past events.

When Exabeam delivers updates to pre-built analytics rules, the severity you assign to the pre-built analytics rule persists.

Standalone Case Creation from Correlation Rules

To quickly identify Threat Center cases created as the outcome of a correlation rule, you can now create a standalone case containing the correlation rule detection using a detection grouping rule. Detection grouping rules can now group correlation rule detections into a case by the correlation rule's group-by field.

For Threat Center to create standalone cases for correlation rule detections, you must create a detection grouping rule with specific conditions and actions, and the detection grouping rule must be ordered first in the list of detection grouping rules.

The configuration of a detection grouping rule that creates a standalone case for correlation rule detections.

New and Updated Pre-Built Analytics Rules

You can now better detect lateral movement, privilege escalation, suspicious command execution, unauthorized access, and data exfiltration with new pre-built analytics rules:

  • Prof-Network-ERDP-DE-SE – First successful RDP connection from this source endpoint to this destination endpoint

  • Prof-FA-FDir-DE-NTDSDir – First NTDS access from this folder on this endpoint

  • Prof-PC-CmdArgs-InstallUtil-O-DLLParam – First execution of 'installutil.exe' with this DLL file parameter

  • Prof-PC-CmdArgs-InstallUtil-O-EXEParam – First execution of 'installutil.exe' with this EXE file parameter

  • Prof-PC-CmdArgs-Msbuild-O-CsprojParam – First execution of 'msbuild.exe' to build this C# project

  • Prof-PC-CmdArgs-Msbuild-O-XMLParam – First execution of 'msbuild.exe' to build a project with this xml file

  • Cntx-PC-Critical-Parent-CritWindows – Parent process is a known critical Windows command: True\False

  • Prof-PC-CmdArgs-Regsvr32-O-SCTParam – First execution of 'regsvr32.exe' with this SCT file parameter

  • Prof-ShA-SZ-SN – First successful access to this network share from this network zone

  • Fact-Web-ShellUserAgent – HTTP communication was attempted using a shell user-agent

  • Fact-PC-TsconRDPRedirection – RDP traffic redirected using 'tscon.exe'

  • Prof-PC-E-NetUserAdd-O-DE – First user creation using 'net.exe' on this endpoint

  • Prof-PC-E-NetUserAdd-O-DZ – First user creation using 'net.exe' on this network zone

  • Prof-GA-PrivU-PltOp-PrivU – First successful platform operation from a non-privileged user

  • Fact-UModify-UACPreAuthDisable – UAC pre-authentication was disabled for a user account

  • Fact-EA-KerberosNotPreAuth – A user logged on via Kerberos authentication with preauthentication 0

  • NumSP-SADLP-Bytes-U-Bytes – An abnormal amount of outgoing bytes have been recorded in DLP alerts for this user

  • Prof-EW-DCShadow-SE-O-SE – First failed MFA authentication with this failure reason for this user

  • Prof-DS-A-UDSOT-A – First directory service activity on this directory service object class for this user

  • Prof-PC-PN-DE-PN – First execution of this process on this endpoint

  • Prof-Network-SEPN-DE – First access to this destination endpoint for this process from this source endpoint

  • Prof-SA-PN-U-PN – First alert trigger on this process for this user

  • Prof-SA-PN-O-PN – First security alert trigger on this process for the organization

  • Prof-SA-PN-UD-PN – First alert trigger on this process for users in this department

  • Cntx-FA-ECrit-CS – Destination endpoint is critical: True\False

  • Prof-MFA-MFADevice-U-MFADevice – First MFA authentication using this device for this user

  • Prof-MFA-FailureReason-U-FailureReason – First failed MFA authentication with this failure reason for this user

  • Prof-MFA-AuthMethod-U-AuthMethod – First MFA authentication with this authentication method for this user

  • Prof-EL-AP-U-AP – First remote Windows login or access with this authentication package for this user

  • Fact-SEPwrshell-EnumNetworkAdapter – A PowerShell script enumerated network adapters using WMI objects

Removed obsolete pre-built analytics rules include:

  • Prof-PC-PN-SE-PN – First execution of this process from this endpoint

  • Prof-SADLP-PN-U-PN – First DLP alert trigger on this process for this user

  • Prof-SADLP-PN-O-PN – First DLP alert trigger on this process for the organization

  • Prof-SADLP-PN-UD-PN – First DLP alert trigger on this process for users in this department

New and Updated Correlation Rule Templates

You can now better detect suspicious logins, exploitation of the Log4Shell vulnerability, suspicious use of system utilities, data exfiltration, firewall tampering, and common web application attacks with new correlation rule templates:

  • Failed logins for a large number of users from this endpoint – Failed logins have been observed for 10 or more different users from this endpoint in 10 minutes.

  • An email subject associated with CVE-2021-44228 was observed – An email activity containing an email subject with JNDI strings related to CVE-2021-44228 has been observed.

  • Port forwarding configured using 'netsh.exe' – Port forwarding has been configured using the Network Shell command line utility.

  • DLL executed using 'odbcconf.exe' – The Open Database Connectivity configuration utility ('odbcconf.exe') has been used to register and execute an arbitrary DLL.

  • HTA file executed using 'mshta.exe' – The Microsoft HTML Applications ('mshta.exe') utility has been used to execute an HTML application script file ('.hta').

  • Web activity associated with CVE-2021-44228 was observed – Web activity containing a URL, user agent, mime or referrer with JNDI strings related to CVE-2021-44228 has been observed.

  • A process associated with CVE-2021-44228 was executed – A process execution with JNDI command line strings related to CVE-2021-44228 has been observed.

  • SUSEFireWall2 disabled – The SUSEFireWall2 firewall script has been stopped. This allows potentially malicious network communications into and out of the endpoint.

  • Exchange mailbox exported using PowerShell – An Exchange mailbox has been exported using a PowerShell script.

  • PowerCat downloaded using PowerShell – The PowerCat tool has been downloaded using a PowerShell script.

  • Insecure design remote JMX access – Monitor for application behavior that exposes sensitive functionality without proper controls, such as debug endpoints or unprotected admin interfaces.

  • Cross-site Scripting – Monitor for web requests containing suspicious input patterns which may indicate cross-site scripting attempts.

  • Directory traversal – Identify requests attempting to access unauthorized directories using traversal sequences.

  • SQL injection – Detect inbound HTTP requests that suggest SQL injection activity.

  • Software and data integrity failures web root – Detect unauthorized changes to critical files, unsigned software updates, or tampering with CI/CD pipelines.

  • Failed logins for a large number of users to this endpoint – Failed logins have been observed for 10 or more different users to this endpoint in 10 minutes.

  • Service Stop – Monitors for the stopping of services, which could indicate attempts to disrupt system operations or evade detection.

  • Ransom Note Dropped – Detects the creation of ransom notes indicative of internal system defacement by attackers.

Removed obsolete correlation rule templates include:

  • Sysmon driver was unloaded – The Sysmon driver has been unloaded. This causes Sysmon to stop auditing logs, which could be used by attackers to evade detection.

  • Bruteforce: Large amount of failed logins to this endpoint for this user – This user has failed to log in to this endpoint 10 or more times in 1 minute.

Fields have been modified in an additional 189 correlation rule templates.

Analytics Engine Custom Fields Support

To tailor detection logic to specific use cases, the analytics engine can now evaluate and trigger on custom event fields. You can now use custom event fields in analytics rule expressions.

Automated Sigma Rule Conversion

You can now easily convert Sigma rules to Exabeam analytics rules with Uncoder.io, a free, open-source marketplace for detection and investigation engineering.

Uncoder.io uses artificial intelligence to automate the conversion of any Sigma and third-party SIEM rule in its comprehensive library of threat hunting content into Exabeam analytics rules.

Resolved Issues

Site Collector 2.13: Security Vulnerabilities Remediations

The Site Collectors 2.13 (September 2025) release includes remediated security vulnerabilities. For more information about Exabeam's commitment to remediating vulnerabilities for Site Collector, see the Vulnerability Remediation Policy.

There are no open known CVEs in any container image (Nifi). The Toolkit has been deprecated and is no longer in use, so no security vulnerability update is available for it.

The following table lists the CVEs remediated for the Nifi container and their severity.

Severity    Critical    High    Medium    Low
Total       0           0       8         1

The remediated CVEs (Medium and Low severity) are:

  • CVE-2025-6069

  • CVE-2025-8194

  • CVE-2025-8534

  • CVE-2025-8851

  • CVE-2025-49794

  • CVE-2025-49796

  • CVE-2025-6021

  • CVE-2025-6170

  • CVE-2025-8176