
New-Scale Security Operations Platform Release Notes

April 2026

The New-Scale Security Operations Platform includes the following new and updated features for April 2026.

Attack Surface Insights

Feature

Description

Device Risk Trend Chart

To understand the history of a device entity and identify trends in its level of risk, you can now view a history of the cases and alerts associated with a device entity using the Device Risk Trend chart.

When you minimize the Device Risk Trend chart, you can view the number of open cases and alerts created over a specified period:

Minimized Device Risk Trend.

For additional details about the open cases and alerts, you can click <#> cases and <#> alerts.

When you expand the Device Risk Trend chart, you can view a line chart of the device entity's risk score over time:

Expanded Device Risk Trend line chart depicting a device entity risk score over the last 3 months.

For additional details about the case or alert with the highest risk score on a given day, you can hover over a point on the chart.

User Entity Security Criticality Details

You can now better understand how the security criticality of a user entity is determined in user entity details.

When you click on the value of Security Criticality, you can now view all accounts associated with the user entity and their security criticality. If the security criticality is not assigned by an Attack Surface Insights rule, the highest security criticality among all accounts is used as the security criticality for the entity.

The details of a user entity showing more information about security criticality.

If the security criticality is assigned by an Attack Surface Insights rule, you can identify the rule by hovering over the rule icon:

The details of a user entity showing the Attack Surface Insights rule that assigned the security criticality.

Cloud Collectors

Feature

Description

Early Access Collectors

PingOne Identity Cloud Collector

The PingOne Identity Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of audit log events that include user-related activities, poll subscription, and system configuration changes.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

Workday Cloud Collector

The Workday Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of user activity logs from the Workday API to identify which specific users are making requests and the nature of the interactions being performed. The cloud collector also tracks the total volume of these requests with relevant event metadata, including details such as IP addresses and device types.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

Correlation Rules

Feature

Description

Sequences Trigger on First Match with Group by Field

You can now have sequences satisfied on the first match of a subset of events.

When you create a sequence and select Trigger on first match, you can now also toggle Group by Field on and select fields by which to group events.

A sequence in a correlation rule with Trigger on first match selected and Group by Field toggled on.

New-Scale Platform

Feature

Description

Exabeam MCP Server

Exabeam now offers a way to connect AI tools to an Exabeam Model Context Protocol (MCP) Server. With this connection, you can use your tool of choice to aid in discovering, retrieving, and acting on Exabeam data.

For more information, and to learn how to connect to the server, see Connect to Exabeam MCP Server in the New-Scale Security Operations Platform Administration Guide.

Search

Feature

Description

Support for Device Entity Search

The entity viewing functionality in the Search application has been expanded to include searching for device entities. Previously, only user entities were available for search. With this enhancement, you can now search for device entities using a single identifier, without the need to correlate manually between hostnames, IP addresses, or MAC addresses. A new Device Entity option has been added to the Basic search mode, so you can easily search for device entities. You can also use the Advanced search mode.

The entity options in Basic search mode, including the new Device Entity option.

When search results include events associated with parsed entity fields, navigate to the Entities tab in the Details panel to view device entity information. The Entities tab provides multiple ways to explore the device entities that might indicate security risks or anomalous behavior associated with the events in your search results:

  • When the Entities tab is displayed in the Details panel, it lists each device entity associated with a specific event in your search results.

  • For each entity listed in the Entities tab, you can opt to view the Device Entity Details panel, which displays entity information that is stored in the Attack Surface Insights application. This option provides access to extensive device entity information without leaving the Search application results. For more information about what the Entity Details panel shows and how to use it, see View Entity Details in the Attack Surface Insights Guide.

    The Device Entity Details option for an entity listed in the Entities tab.
  • For each entity listed in the Entities tab, you can use the Device Entity Timeline option to open a new Search window that automatically populates and runs a search for activities related to the selected entity. This option pivots to a new Search window so you can drill down on the behavior of specific entities without closing the results you're already exploring.

For more information about all of these Entities tab capabilities, see Entity Details in the Search Guide.

Threat Center

Feature

Description

Attachment Safety Controls

You can now better avoid executing malicious files attached to cases with enhancements to case attachments:

  • When you download an attachment, a warning reminds you to verify that you trust the source and are following your organization's security policies before opening the file.

    The warning you receive before you download a case attachment.
  • You can now upload .exe files only if they are compressed into a ZIP file. If you try to upload an .exe file directly, you now receive an error.

    The error message you receive when you try to upload a .exe file as a case attachment.
  • In the Attachments tab, you're now reminded that attachments are uploaded by users and are not scanned for malware.

    The disclaimer in the case Attachments tab highlighted in a red rectangle.

Case Closed Supporting Reason Configuration

For more flexibility on what information is required to close cases, you can now configure Threat Center so the case closed supporting reason is mandatory or optional.

In Threat Center settings, you can now toggle Require supporting reason on or off.

The Require supporting reason toggle in Threat Center settings.

If you toggle the setting on, the case closed supporting reason is mandatory. If you toggle the setting off, the case closed supporting reason is optional.

It may take up to one minute for a change in the setting to apply to your environment.

The setting extends to Automation Management playbooks and API calls. If the case closed supporting reason is mandatory, any playbook or API call that changes the case stage to Closed must provide a supporting reason.

By default, the case closed supporting reason is optional.

Threat Detection Management

Feature

Description

Correlation Rule Sequences Trigger on First Match with Group by Field

You can now have correlation rule sequences satisfied on the first match of a subset of events.

When you create a sequence and select Trigger on first match, you can now also toggle Group by Field on and select fields by which to group events.

A sequence in a correlation rule with Trigger on first match selected and Group by Field toggled on.
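The Trigger on first match and Group by Field options described here (and under Correlation Rules above) are illustrated by the following added example, which is not Exabeam code and does not reproduce the product's sequence engine. It assumes a simplified reading of the feature: each distinct value of the grouping field keeps its own sequence state, and the sequence fires as soon as its last stage is satisfied for that group. The events and stage predicates are constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample VPN login events (not from the original page), already
# normalized; the times are ISO 8601 strings so they sort chronologically.
EVENTS = [
    {"time": "2026-04-01T09:00:00", "user": "bob",   "outcome": "fail"},
    {"time": "2026-04-01T09:01:00", "user": "alice", "outcome": "success"},
    {"time": "2026-04-01T09:02:00", "user": "alice", "outcome": "fail"},
    {"time": "2026-04-01T09:03:00", "user": "alice", "outcome": "fail"},
    {"time": "2026-04-01T09:04:00", "user": "alice", "outcome": "success"},
]

# Stages of the hypothetical sequence: a failed VPN login followed by a
# successful one inside the time window.
STAGES = [
    lambda e: e["outcome"] == "fail",
    lambda e: e["outcome"] == "success",
]


def run_sequence(events, stages, window, group_by=()):
    """Evaluate an ordered sequence of stage predicates over events.

    group_by lists the event fields that define an independent sequence
    state ("Group by Field"); an empty tuple keeps one global state.
    The sequence fires on the first event that completes the last stage
    ("Trigger on first match") and then resets that group's state.
    Returns one dict per firing.
    """
    progress = {}  # group key -> (index of next stage to match, time stage 0 matched)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = tuple(ev.get(f) for f in group_by)
        idx, started = progress.get(key, (0, None))
        if started is not None and t - started > window:
            idx, started = 0, None  # window elapsed without completing: start over
        if stages[idx](ev):
            if idx == 0:
                started = t
            idx += 1
            if idx == len(stages):
                alerts.append({"group": dict(zip(group_by, key)),
                               "completed_at": ev["time"]})
                idx, started = 0, None  # first match fired; reset this group
        progress[key] = (idx, started)
    return alerts


def grouped_by_user():
    return run_sequence(EVENTS, STAGES, timedelta(minutes=10), group_by=("user",))


def ungrouped():
    return run_sequence(EVENTS, STAGES, timedelta(minutes=10))


if __name__ == "__main__":
    print("grouped:  ", grouped_by_user())  # one firing, for alice only
    print("ungrouped:", ungrouped())        # also fires on bob's failure + alice's success
```

Without the grouping field, bob's failed login and alice's unrelated success complete the sequence together; grouping by user keeps the states apart so only alice's own fail-then-success fires.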

New and Updated Pre-Built Analytics Rules

You can now better detect abnormal AI agent activity, unauthorized RDP access, credential-based attacks, reconnaissance, and various anomalous first-time activities with new and updated pre-built analytics rules.

You can now better detect abnormal AI agent activity in your environment with the following new pre-built analytics rules:

  • Prof-RC-Perm-Plt-Perm – This is the first time a role has been created with these permissions on this platform.

  • Prof-AI-TI-UTN-FN – This is the first time this AI agent tool function has been invoked by this user.

You can now detect when a user is denied access to Remote Desktop, as recorded by Windows Event ID 4825, with the following new pre-built analytics rule:

  • Fact-EL-UnauthorizedWindowsRDP – An unauthorized user has attempted and failed a Remote Desktop Protocol (RDP) login to a Windows endpoint.

You can now detect port and password sweeps with the following new pre-built analytics rules:

  • NumCP-VPNlnF-EC-O-U-1Day – An abnormal number of failed VPN logins have been observed for the organization by this user in a day.

  • NumCP-VPNlnF-EC-O-U-30Days – An abnormal number of failed VPN logins have been observed for the organization by this user in 30 days.

  • NumCP-VPNlnF-EC-U-30Days – An abnormal number of VPN login failures have been observed for this user in 30 days.

  • Prof-VPNIn-SC-O-SC – This is the first time a user attempted to log into a VPN from this country. These events may include both failed and successful logins.

  • NumDCP-Network-DIPC-SE-DIP-Fail – An abnormal number of unique destination IPs have been observed in failed internal communications from this endpoint.

  • NumDCP-Network-DIPC-O-DIP-SE-Fail – An abnormal number of unique destination IPs have been observed in failed internal communications for the organization per endpoint.

  • NumDCP-Network-DIPC-O-DIP-SIP-Fail – An abnormal number of unique destination IPs have been observed in failed internal communications for the organization per source IP.

  • NumDCP-Network-DIPC-O-DIP-U-Fail – An abnormal number of unique destination IPs have been observed in failed internal communications for the organization per user.

  • NumDCP-Network-DIPC-O-DIP-SE – An abnormal number of unique destination IPs have been observed in internal connection attempts for the organization per source endpoint. These events may include both failed and successful communications.

  • NumDCP-Network-DIPC-O-DIP-SIP – An abnormal number of unique destination IPs have been observed in internal connection attempts for the organization per source IP. These events may include both failed and successful communications.

  • NumDCP-Network-DIPC-O-DIP-U – An abnormal number of unique destination IPs have been observed in internal connection attempts for the organization per user. These events may include both failed and successful communications.

  • NumDCP-Network-DIPC-U-DIP – An abnormal number of unique destination IPs have been observed in internal connection attempts by this user. These events may include both failed and successful communications.

  • NumDCP-Network-DIPC-U-DIP-Fail – An abnormal number of unique destination IPs have been observed in failed internal communications by this user.

  • NumDCP-Network-DIPC-DP-DIP – An abnormal number of unique destination IPs have been observed in internal communications to this port. These events may include both failed and successful communications.

  • NumDCP-Network-DIPC-DP-DIP-SE – An abnormal number of unique destination IPs have been observed in internal communications to this port per source endpoint. These events may include both failed and successful communications.

  • NumDCP-Network-DIPC-DP-DIP-SIP – An abnormal number of unique destination IPs have been observed in internal communications to this port per source IP. These events may include both failed and successful communications.

  • NumDCP-VPNln-UC-O-U-SIP – An abnormal number of unique user names have been observed in VPN login for the organization per source IP. These events may include both failed and successful communications.

  • NumDCP-VPNln-UC-O-U-SE – An abnormal number of unique user names have been observed in VPN login for the organization per source endpoint. These events may include both failed and successful communications.

  • NumDCP-VPNln-UC-SE-U – An abnormal number of unique user names have been observed in VPN login from this endpoint. These events may include both failed and successful communications.

  • NumDCP-AL-UC-Plt-U-SIP – An abnormal number of unique user names have been observed in application logins to this platform per source IP. These events may include both failed and successful communications.

  • NumDCP-AL-UC-Plt-U-SE – An abnormal number of unique user names have been observed in application logins to this platform per source endpoint. These events may include both failed and successful communications.

  • NumDCP-AL-UC-PltSE-U – An abnormal number of unique user names have been observed in application logins to this platform from this endpoint. These events may include both failed and successful communications.

  • NumDCP-EL-UC-O-U-SE – An abnormal number of unique user names have been observed in endpoint logins for the organization per source endpoint. These events may include both failed and successful communications.

  • NumDCP-EL-UC-SE-U – An abnormal number of unique user names have been observed in endpoint logins from this endpoint. These events may include both failed and successful communications.

  • NumDCP-EL-UC-DE-U-SE – An abnormal number of unique user names have been observed in endpoint logins to this endpoint per source endpoint. These events may include both failed and successful communications.

  • NumDCP-EL-UC-DESE-U – An abnormal number of unique user names have been observed in endpoint logins for destination endpoint and source endpoint. These events may include both failed and successful communications.
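The distinct-count rules above (for example NumDCP-Network-DIPC-SE-DIP-Fail, unique destination IPs in failed internal communications from one endpoint) are illustrated by the following added example; it is not Exabeam code and the baseline model is my own simplification, not the product's scoring. It assumes normalized records with a day, source endpoint, destination IP and outcome, and a baseline of at least three earlier days per endpoint before a day can be judged abnormal. The records are constructed for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample internal connection records (not from the original page):
# (day, source endpoint, destination IP, outcome).
RECORDS = [
    # baseline days: a handful of failed connections per day from host-a
    ("2026-04-01", "host-a", "10.1.0.10", "fail"),
    ("2026-04-01", "host-a", "10.1.0.11", "fail"),
    ("2026-04-02", "host-a", "10.1.0.10", "fail"),
    ("2026-04-02", "host-a", "10.1.0.12", "fail"),
    ("2026-04-03", "host-a", "10.1.0.11", "fail"),
    ("2026-04-04", "host-a", "10.1.0.10", "fail"),
    ("2026-04-04", "host-a", "10.1.0.13", "fail"),
    ("2026-04-05", "host-a", "10.1.0.10", "fail"),
] + [
    # sweep day: failed connections to 40 distinct addresses ...
    ("2026-04-06", "host-a", f"10.1.0.{n}", "fail") for n in range(20, 60)
] + [
    # ... plus successful ones the "-Fail" rule must not count
    ("2026-04-06", "host-a", f"10.1.0.{n}", "success") for n in range(60, 100)
]


def daily_distinct_failed_dips(records):
    """Distinct destination IPs per (endpoint, day), failed internal comms only."""
    buckets = defaultdict(set)
    for day, src, dip, outcome in records:
        if outcome == "fail":
            buckets[(src, day)].add(dip)
    return {k: len(v) for k, v in buckets.items()}


def find_anomalies(records, min_baseline_days=3, k=3.0):
    """Flag days whose distinct count exceeds mean + k*stddev of earlier days.

    The floor of 1.0 on the standard deviation stops a flat baseline
    (e.g. always 1 or 2 addresses) from making every tiny change anomalous.
    """
    counts = daily_distinct_failed_dips(records)
    per_src = defaultdict(list)
    for (src, day), n in sorted(counts.items(), key=lambda kv: kv[0][1]):
        per_src[src].append((day, n))
    alerts = []
    for src, series in per_src.items():
        for i, (day, n) in enumerate(series):
            history = [c for _, c in series[:i]]
            if len(history) < min_baseline_days:
                continue  # not enough baseline yet, in the spirit of a training period
            threshold = mean(history) + k * max(pstdev(history), 1.0)
            if n > threshold:
                alerts.append({"endpoint": src, "day": day,
                               "distinct_dips": n, "threshold": round(threshold, 1)})
    return alerts


if __name__ == "__main__":
    for a in find_anomalies(RECORDS):
        print(a)  # only 2026-04-06 for host-a: 40 distinct failed destinations vs threshold 4.6
```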

To improve analytics rule data processing efficiency, trainOnCondition was updated for the following pre-built analytics rules:

  • Prof-GA-Country-DZ-SCountry – This is the first time an activity has been observed from this country to this network zone, determined by geolocation lookup.

  • Prof-GA-Country-O-DCountry – This is the first time an activity has been observed to this country, determined by geolocation lookup.

  • Prof-GA-Country-O-SCountry – This is the first time an activity has been observed from this country, determined by geolocation lookup.

  • Prof-GA-Country-SZ-DCountry – This is the first time an activity has been observed to this country for this network zone, determined by geolocation lookup.

  • Prof-GA-Country-U-SCountry – This is the first time an activity has been observed from this country for this user, determined by geolocation lookup.

  • Prof-GA-E-Plt-SZ – This is the first time an activity from this network zone has been observed for this platform.

  • Prof-GA-Op-Plt-Op – This is the first time this operation has been observed for this platform. Operations can include function types, APIs, application activities and more.

  • Prof-GA-Plt-U-Plt – This is the first activity observed on this platform for this user.

  • Prof-GA-Plt-UD-Plt – This is the first activity observed on this platform for users in this department.

To improve analytics rule data processing efficiency, actOnCondition was updated for the following pre-built analytics rule:

  • Cntx-Network-DPClass – Destination port class

To improve analytics rule data processing efficiency, trainOnCondition and actOnCondition were updated for the following pre-built analytics rules:

  • Fact-ELF-SA – A service account failed to log into an endpoint using an interactive Windows logon type. A service account is a user account that belongs to an application rather than an end user.

  • Cntx-Network-Protocol – Network protocol

To prevent pre-built analytics rules from over-triggering on first-time observations and ensure they establish a good baseline, minimumTrainingPeriodInDays was added to the following pre-built analytics rules:

  • Prof-DS-E-U-SE – This is the first time this user performed an activity on a directory service object from this endpoint.

  • Prof-GA-Country-DZ-SCountry – This is the first time an activity has been observed from this country to this network zone, determined by geolocation lookup.

  • Prof-GA-Country-SZ-DCountry – This is the first time an activity has been observed to this country for this network zone, determined by geolocation lookup.

  • Prof-GA-Country-U-SCountry – This is the first time an activity has been observed from this country for this user, determined by geolocation lookup.

  • Prof-GA-E-Plt-SZ – This is the first time an activity from this network zone has been observed for this platform.

  • Prof-GA-Op-Plt-Op – This is the first time this operation has been observed for this platform. Operations can include function types, APIs, application activities and more.

  • Prof-GA-Plt-U-Plt – This is the first activity observed on this platform for this user.

  • Prof-GA-Plt-UD-Plt – This is the first activity observed on this platform for users in this department.

  • Prof-PrivUse-E-U-SE – This is the first time a Windows privilege has been used and invoked from this endpoint for this user.

  • Prof-SA-E-U-SE – This is the first time a security alert triggered from this endpoint for this user.

  • Prof-USB-E-U-SE – This is the first time a peripheral device activity has been observed from this endpoint for this user.

  • Prof-VPNIn-E-U-SE – This is the first time this user attempted to log into a VPN from this endpoint. These events may include both failed and successful logins.

  • Prof-WinSC-E-U-DE – This is the first time a service creation has been observed on this endpoint for this user.
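How a minimum training period keeps a first-time rule quiet while its baseline is still being built, and how trainOnCondition and actOnCondition differ, is illustrated by the following added example. It is not Exabeam code and the rule class is my own simplified model of a "first time this user logged into a VPN from this country" profile rule, assuming only successful logins train the profile while failed and successful logins are both evaluated. The events are constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample VPN login events for one user (not from the original page).
EVENTS = [
    {"time": "2026-04-01T08:00", "user": "alice", "country": "US", "outcome": "success"},
    {"time": "2026-04-02T08:05", "user": "alice", "country": "US", "outcome": "success"},
    {"time": "2026-04-03T08:10", "user": "alice", "country": "CA", "outcome": "success"},
    {"time": "2026-04-10T22:00", "user": "alice", "country": "DE", "outcome": "success"},
    {"time": "2026-04-11T03:00", "user": "alice", "country": "FR", "outcome": "fail"},
    {"time": "2026-04-12T03:00", "user": "alice", "country": "FR", "outcome": "fail"},
]


class FirstTimeRule:
    """Illustrative 'first time X for Y' profile rule.

    scope: field whose value owns a profile (the user here)
    feature: field whose values are learned (the country here)
    train_on: events that update the profile   (trainOnCondition)
    act_on:   events that are evaluated to fire (actOnCondition)
    min_training_days: no firing for a scope until its profile has been
        training at least this long (minimumTrainingPeriodInDays)
    """

    def __init__(self, scope, feature, train_on, act_on, min_training_days):
        self.scope, self.feature = scope, feature
        self.train_on, self.act_on = train_on, act_on
        self.min_training = timedelta(days=min_training_days)
        self.seen = {}         # scope value -> set of feature values already observed
        self.train_start = {}  # scope value -> timestamp of the first training event

    def process(self, event):
        """Return True if the rule fires on this event, then train on it if applicable."""
        t = datetime.fromisoformat(event["time"])
        owner = event[self.scope]
        fired = False
        if self.act_on(event):
            start = self.train_start.get(owner)
            # With a zero training period an empty profile fires on the very first event,
            # which is the over-triggering the minimum training period is meant to avoid.
            baseline_ready = (self.min_training == timedelta(0)
                              or (start is not None and t - start >= self.min_training))
            if baseline_ready and event[self.feature] not in self.seen.get(owner, set()):
                fired = True
        if self.train_on(event):
            self.train_start.setdefault(owner, t)
            self.seen.setdefault(owner, set()).add(event[self.feature])
        return fired


def run_rule(min_training_days, events=EVENTS):
    """Replay events through the rule; return (time, user, country) for each firing."""
    rule = FirstTimeRule(
        scope="user", feature="country",
        train_on=lambda e: e["outcome"] == "success",  # only successes teach the profile
        act_on=lambda e: True,                          # failed and successful logins are evaluated
        min_training_days=min_training_days,
    )
    return [(e["time"], e["user"], e["country"])
            for e in sorted(events, key=lambda e: e["time"]) if rule.process(e)]


if __name__ == "__main__":
    print("no training period:   ", run_rule(0))  # 5 firings, incl. the baseline days
    print("7-day training period:", run_rule(7))  # 3 firings, starting with DE
```

The two failed logins from FR fire twice because failures are evaluated but never trained, so the profile does not learn the country from them.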

To map analytics rules to compliance frameworks so Outcomes Navigator can calculate compliance framework coverage, compliance was updated for the following pre-built analytics rules:

  • Prof-UCreate-U-Plt-U – This is the first time this user has created a user account on this platform.

  • Prof-AI-AC-O-UD – This is the first time a user in this department has created an AI agent.

  • Prof-GCreate-U-P-UD – This is the first time users in this department have created a group on this platform.

  • Prof-AI-AC-O-U – This is the first time this user has created an AI agent.

  • Prof-GCreate-U-P-U – This is the first time this user has created a group on this platform.

  • Fact-PC-OpenClawInstall – OpenClaw has been installed using the command line tool 'curl'. There is nothing inherently malicious about OpenClaw; however, by default it uses insecure practices and may expose significant security flaws.

  • Prof-AI-PI-O-U-Exec – This is the first time an AI request that attempts to cause the agent to execute a command or a script has been sent by this user.

  • NumCP-AI-QC-UO – An abnormal number of successful AI requests for the organization have been performed by this user. AI requests may consist of one or more prompts.

  • Prof-AI-T-U-QLength – An abnormal number of tokens for a single successful AI request has been observed for this user. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • Prof-AI-AC-O-PLT – This is the first time a user in the organization has created an AI agent with this platform.

  • Fact-AI-PI-Base64 – An AI request with a base64 string has been sent. While not inherently malicious, Base64 encoding in an AI request may indicate prompt obfuscation.

  • NumSP-AI-TS-UO-QLength – An abnormal sum of tokens in successful AI requests has been observed for the organization and attributed to this user. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • Prof-RA-U-Plt-U – This is the first time a role has been assigned by this user on this platform.

  • Prof-AI-T-O-QLength – An abnormal number of tokens for a single successful AI request has been observed for the organization. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • Prof-AI-AC-O-AT – This is the first time a user in the organization has created an AI agent.

  • NumCP-AI-QC-WID – An abnormal number of successful AI requests has been observed for this workspace. AI requests may consist of one or more prompts.

  • Prof-RA-R-UPlt-RN – This is the first time this user has assigned this role on this platform.

  • Prof-AI-AS-Plt-U – This is the first time this user has shared an AI agent on this platform.

  • Prof-AI-AC-PLT-UD – This is the first time a user in this department has created an AI agent with this platform.

  • NumCP-AI-MC-U – An abnormal amount of AI agent modifications have been observed for a user.

  • Prof-RA-R-UDPlt-RN – This is the first time this role was assigned by users in this department on this platform.

  • NumCP-AI-QC-U – An abnormal number of successful AI requests have been performed by this user. AI requests consist of one or more prompts.

  • Fact-AI-PI-ShowSystemPrompt – An AI request attempting to display the AI system prompt has been sent.

  • Fact-AI-PI-IgnoreInsruct – An AI request attempting to cause the agent to ignore instructions has been sent.

  • Prof-UCreate-U-Plt-UD – This is the first time users in this department have created a user account on this platform.

  • Prof-RA-R-Plt-RN – This is the first time this role was assigned on this platform.

  • NumSP-AI-TS-U-QLength – An abnormal sum of tokens in successful AI requests has been observed for this user. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • Prof-AI-AC-PLT-U – This is the first time this user has created an AI agent with this platform.

  • Prof-AI-TI-O-TN – This is the first time this AI agent tool has been invoked.

  • Prof-AI-TI-U-TN – This is the first time this AI agent tool has been invoked by this user.

To query events more accurately, query was updated for the following pre-built analytics rules:

  • NumCP-SEPwrshell-WebReq-O-WebReq – An abnormal number of PowerShell web requests have been observed for the organization.

  • NumCP-PC-InsmodCmdC-DE – An abnormal number of 'insmod' (Install Module) process executions have been observed on this endpoint.

  • NumCP-PC-CritCmdC-O – An abnormal number of critical command executions have been observed for the organization.

  • NumCP-PC-DirSearchCount-U – An abnormal number of Unix file search process executions have been observed for this user.

  • NumSP-Network-BytesToExtIP-SZ-Bytes – An abnormal amount of bytes have been sent in communication to an external IP from this network zone.

  • NumCP-PC-ModprobeCmdC-DE – An abnormal number of 'modprobe' (Module Probe, a kernel module management tool) process executions have been observed on this endpoint.

  • NumCP-EScrn-EC-U – An abnormal number of screenshot events have been observed for this user.

  • NumDCP-FRead-EC-UP-FP – An abnormal number of unique files have been read in this platform for this user.

  • NumCP-Git-EC-U – An abnormal amount of GitHub API access events have been observed for this user.

  • NumCP-PwdChkout-EC-U-SC – An abnormal number of password retrievals have been observed for this user.

  • NumDCP-SA-ANC-UD-AN – An abnormal number of unique alerts have triggered for users in this department.

  • NumCP-Web-AIA-U-AILLMSessionCount – An abnormal number of AI/LLM web sessions has been observed for this user.

  • NumCP-WebF-EC-U-Id – An abnormal number of error responses to HTTP requests have been observed for this user.

  • NumCP-RegD-EC-DE – An abnormal number of registry deletion events have been observed on this device.

  • NumCP-WebF-EC-WebDomain – An abnormal number of error responses to HTTP requests to internal resources have been observed for this domain.

To improve overall detection quality, actOnCondition was updated for the following pre-built analytics rule:

  • Fact-PC-OpenClawInstall – OpenClaw has been installed using the command line tool 'curl'. There is nothing inherently malicious about OpenClaw; however, by default it uses insecure practices and may expose significant security flaws.

To improve overall detection quality, applicable_events was updated for the following pre-built analytics rule:

  • Fact-PCpwrshell-HidExec – The PowerShell process has been executed with a hidden or non-interactive console window. This sigma rule is authored by Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix). The content of this repository is released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License). Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml

To improve overall detection quality, query and detectionReason were updated for the following pre-built analytics rule:

  • NumCP-FDel-UnixLogFilesC-U – An abnormal number of log files have been deleted by this user in Unix systems.

To improve overall detection quality, applicable_events and trainOnCondition were updated for the following pre-built analytics rule:

  • Prof-PCnet-U-O-U-user – This is the first time local user accounts have been enumerated using 'net.exe' for this user.

Because the context table Credentials Dumping Tools was renamed Credentials Dumping Processes, value was updated for the following pre-built analytics rules:

  • Cntx-PC-Critical-Parent-Dump – Parent process is a known credential dumping tool: True/False

  • Cntx-PC-Critical-Dump – Process is a known credential dumping tool: True/False

Because the following pre-built analytics rules, which were intended to detect abnormal activity, were triggering more frequently than intended, they have been removed for further evaluation:

  • NumSP-Network-BytesToExtIP-SEDP-Bytes – An abnormal amount of bytes have been sent using SSH, Telnet, SMTP, DNS, FTP, HTTP or HTTPS protocols in communication to an external IP from this endpoint to this port.

  • Prof-GA-E-U-SE – This is the first time an activity from this endpoint has been observed for this user.

  • Prof-Network-E-SEPN-DE – This is the first time this process has accessed this destination endpoint from this source endpoint.

  • Prof-Network-Port-DE-DP – This is the first time an internal connection to this port to this endpoint has been observed for the organization.

  • Prof-Network-Port-DZ-DP – This is the first time an internal connection to this port to this zone has been observed for the organization.

  • Prof-Network-Port-SE-DP – This is the first time an internal connection to this port from this endpoint has been observed for the organization.

  • Prof-Network-ToExtIP-SE-DP – This is the first time a successful connection to an external IP to this port has been observed for this endpoint.

  • Prof-Network-ToExtIP-SZ-DP – This is the first time a successful connection to an external IP to this port has been observed for this zone.

To remove references to the removed pre-built analytics rules, scoreUnless was updated for the following pre-built analytics rules:

  • Prof-PrivUse-E-U-SE – This is the first time a Windows privilege has been used and invoked from this endpoint for this user.

  • Prof-DS-E-U-SE – This is the first time this user performed an activity on a directory service object from this endpoint.

  • Prof-WinSC-E-U-DE – This is the first time a service creation has been observed on this endpoint for this user.

  • Prof-PwdChkout-E-U-SE – This is the first time this user retrieved a password from this endpoint.

  • Prof-USB-E-U-SE – This is the first time a peripheral device activity has been observed from this endpoint for this user.

  • Prof-SA-E-U-SE – This is the first time a security alert triggered from this endpoint for this user.

  • Prof-VPNIn-E-U-SE – This is the first time this user attempted to log into a VPN from this endpoint. These events may include both failed and successful logins.

Resolved Issues

There are no new resolved issues to report in this release.