
New-Scale Security Operations Platform Release Notes

June 2026

The New-Scale Security Operations Platform includes the following new features and enhancements for June 2026.

Attack Surface Insights


Attack Surface Insights Rules Condition Tests

To ensure that Attack Surface Insights rules apply to the correct entities of interest, you can now preview the entities that match a rule's condition before you save it.

When you create or edit an Attack Surface Insights rule, you can now click Test Conditions to preview up to five entities that match the rule conditions:

The condition of an Attack Surface Insights rule and the condition test results.

Username and Email Linking

To ensure user identities are correctly unified under a single entity, Attack Surface Insights now links identities to context when the username and the email_address attributes have the same exact value.

Example

In an event, Attack Surface Insights identifies the username attribute [email protected].

In context, it finds email_address attribute [email protected].

Because both the username and email_address attributes have the same exact value, [email protected], Attack Surface Insights links this identity to the context record. If the context record is already linked to an existing entity, the identity becomes an account under the existing entity.

Context Update Frequency Enhancement

To ensure entities are updated with the latest and most accurate information from context, Attack Surface Insights now queries context for updates if it hasn't looked up the attribute value in your context tables in the last 12 hours.

Note

Attack Surface Insights continues to query context only when an event containing an identifying attribute value is created.

Optional Username Prefix Linking Configuration

To reduce duplicate and orphan entities if the user identity data in your environment is inconsistent or incomplete, you can now configure your Attack Surface Insights instance so that usernames with identical prefixes but different domains are linked.

To enable this configuration for your environment, contact Exabeam Support.
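The three behaviours described above (exact username-to-email_address matching, the support-enabled prefix option, and the 12-hour context refresh that only fires on event creation) interact, so the following Python model shows them together. It is an added example, not part of these release notes and not Exabeam's code: the record shapes, the entity_id fallback for an unlinked context record, and the demo context table are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added illustration of the linking rules described above. The record shapes,
# the entity_id fallback and the demo data are assumptions made for this
# example; they are not Attack Surface Insights' internal data model.

CONTEXT_REFRESH_INTERVAL = timedelta(hours=12)
T0 = datetime(2026, 6, 1, 9, 0)  # constructed reference time for the demo


def at(hours):
    """Demo helper: a timestamp `hours` after T0."""
    return T0 + timedelta(hours=hours)


@dataclass
class Entity:
    entity_id: str
    accounts: set = field(default_factory=set)


class IdentityLinker:
    def __init__(self, context_records, prefix_linking=False):
        # Each context record has an "email_address" and, when the record is
        # already linked to an entity, an "entity_id".
        self.context = context_records
        self.prefix_linking = prefix_linking   # the support-enabled option
        self.entities = {}     # entity_id -> Entity
        self.linked = {}       # username -> entity_id
        self.last_lookup = {}  # username -> time of last context query
        self.context_queries = 0

    def matches(self, username, email_address):
        if username == email_address:            # default: exact match only
            return True
        if self.prefix_linking:                  # optional: same prefix, any domain
            return username.split("@")[0] == email_address.split("@")[0]
        return False

    def find_context(self, username):
        for rec in self.context:
            if self.matches(username, rec.get("email_address", "")):
                return rec
        return None

    def on_event(self, event, now):
        """Runs only when an event carrying a username is created."""
        username = event.get("username")
        if not username:
            return None
        last = self.last_lookup.get(username)
        if last is not None and now - last < CONTEXT_REFRESH_INTERVAL:
            return self.linked.get(username)     # looked up recently: no query
        self.last_lookup[username] = now
        self.context_queries += 1
        rec = self.find_context(username)
        if rec is None:
            return self.linked.get(username)
        # Already-linked context record: the identity becomes an account under
        # that entity. Otherwise (assumption) the email address keys a new entity.
        entity_id = rec.get("entity_id") or rec["email_address"]
        self.entities.setdefault(entity_id, Entity(entity_id)).accounts.add(username)
        self.linked[username] = entity_id
        return entity_id


# Constructed context table for the demo.
CONTEXT = [
    {"email_address": "jdoe@corp.example", "entity_id": "ent-1"},
    {"email_address": "asmith@corp.example"},
]


def demo():
    exact = IdentityLinker(CONTEXT)
    prefix = IdentityLinker(CONTEXT, prefix_linking=True)
    return {
        "exact_same":        exact.on_event({"username": "jdoe@corp.example"}, at(0)),
        "exact_other_dom":   exact.on_event({"username": "jdoe@mail.example"}, at(0)),
        "cached_3h":         exact.on_event({"username": "jdoe@corp.example"}, at(3)),
        "queries_after_3h":  exact.context_queries,
        "refresh_13h":       exact.on_event({"username": "jdoe@corp.example"}, at(13)),
        "queries_after_13h": exact.context_queries,
        "prefix_other_dom":  prefix.on_event({"username": "jdoe@mail.example"}, at(0)),
        "prefix_unlinked":   prefix.on_event({"username": "asmith@corp.example"}, at(0)),
        "accounts":          sorted(exact.entities["ent-1"].accounts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The demo shows why the prefix option is off by default: with it enabled, jdoe@mail.example is folded into the same entity as jdoe@corp.example purely on the local part, which is exactly the merge you want when your identity data is inconsistent and exactly the one you do not want when two different people share a prefix across domains.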

Automation Management


Pre-Built Merge Phishing Detection Engine Cases Playbook

To streamline your Threat Center investigations of reported phishing emails, the new pre-built Merge Phishing Detection Engine cases playbook automatically merges cases that contain phishing rule detections with the same email subject over a 14-day period.

The playbook merges cases in a 14-day period that starts after a case containing phishing rule detections with a unique email subject is first created. During this period, all newly created cases with the same email subject are merged into the oldest case in the 14-day period. After 14 days, a new case with that email subject initiates a new 14-day merging period.

The pre-built Merge Phishing Detection Engine cases playbook is disabled by default. To activate the playbook, you must enable the playbook, then order it at the top of the list of playbooks.

Cloud Collectors


Phishing Email Inbox Cloud Collector

The Phishing Email Inbox Cloud Collector is now available as part of Cloud Collectors. It monitors a dedicated phishing mailbox for reported phishing emails and ingests specific metadata and information such as sender and recipient addresses, subject lines, originating IP addresses, and attachment details such as file names.

Early Access Collectors

OneLogin Cloud Collector

The OneLogin Cloud Collector is now available as part of the Cloud Collectors early access program to facilitate ingestion of OneLogin events.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

OpenAI Cloud Collector

The OpenAI Cloud Collector is now available as part of the Cloud Collectors early access program to facilitate ingestion of data from your OpenAI platform.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

REST API Context Collector

The REST API Context Collector is now available as part of the Cloud Collectors early access program to facilitate ingestion of context data from REST API endpoints from a broad range of vendors and products.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

Context Management


REST API Context Tables


Context Management now supports custom context tables based on REST API cloud collectors. In the Cloud Collector service, the available REST API collectors have been expanded to include both log and context sources. The REST API Context collector simplifies integration with custom REST API context sources, independent of any pre-built, vendor-specific cloud collector or external development.

On the Context Management side, the new REST API context tables process data ingested by the corresponding REST API Context Cloud Collector. These context tables do not map, by default, to a set of specific context attributes. Instead, you have full flexibility to customize the attribute mapping for any of the source attributes returned by the API response in the collector.

The REST API context table onboarding via cloud collector is available as part of the Early Access program. The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program, in the Cloud Collectors Administration Guide.

For more information about REST API data collection, see the following references:

Correlation Rules


Exabeam Nova Rule Creator

You can now quickly create and edit correlation rules using Exabeam Nova.

The page you see when creating a correlation rule using Exabeam Nova Rule Creator.

You can now describe the correlation rule you want to create or the changes you want to make using natural language, and Exabeam Nova Rule Creator will draft a correlation rule according to your description.

You can also ask Exabeam Nova Rule Creator other questions about correlation rules; for example, what a group-by field, granular suppression, or correlation rule evaluation delay is.

The draft of a correlation rule created by Exabeam Nova Rule Creator.

After reviewing the drafted correlation rule and ensuring it meets your requirements, you click Create Rule to create the correlation rule or save the changes.

Updated Correlation Rule Templates

Because the Defense Evasion tactic has been deprecated and the new Stealth and Defense Impairment tactics were introduced in MITRE ATT&CK® v19, 77 correlation rule templates were updated to align with the new ATT&CK framework:

Correlation rule templates now mapped to the Stealth tactic include:

  • Large amount of badge access failures to different doors for this badge id

  • File hidden using 'chflags'

  • Base64 encoded data with PowerShell in the command line

  • Process executed from an ADS

  • Remote compiled HTML file executed using 'hh.exe'

  • Direct access to a drive granted using PowerShell

  • DLL executed using 'odbcconf.exe'

  • 'Show hidden' feature disabled through registry

  • Windows hidden file creation using 'attrib.exe'

  • Remote HTA file executed using 'mshta.exe'

  • HTA file executed using 'mshta.exe'

  • Windows event viewer cleared using PowerShell

  • AWS root login without MFA

  • File hidden using 'setfile'

  • User hidden from the login screen through the registry

  • Large number of user switch events observed on this endpoint for this user

  • Bit job creation

  • Audit log has been cleared

  • Bitsadmin remote download

  • Windows event viewer cleared using Windows event viewer utility

  • Bitsadmin persistency setup with setnotifycmdline

  • Remote MSI file executed using 'msiexec.exe'

  • Bitsadmin remote download with powershell

  • Disable history collection in Unix

  • PowerShell command history disabled

  • Base64 executable file stored in the registry

  • Windows event viewer cleared using WMI

  • File system utility journal was deleted using 'fsutil.exe'

  • Bitsadmin remote download with powershell via the command line

  • Bitsadmin persistent task executed

Correlation rule templates now mapped to the Defense Impairment tactic include:

  • Windows Defender service stopped using the service console

  • AWS logging trail was deleted

  • GCP logging bucket deleted

  • AWS CloudWatch log stream deleted

  • Security logging and monitoring failures Syslogd

  • Windows Defender service disabled using the 'DisableAntiSpyware' registry value

  • Directory ownership changed using 'takeown.exe'

  • Microsoft Defender firewall disabled through the registry using the registry command tool

  • Disable Windows Defender ETW through the registry

  • Azure diagnostic settings deleted

  • Windows Defender service stopped

  • Sysmon driver was unloaded using the minifilter management console

  • Windows Defender service disabled using the service console

  • 'Show hidden' feature disabled through registry

  • Azure event hub deleted

  • IIS HTTP logging was disabled

  • Security log disabled by creating the 'MiniNt' registry key

  • ETW modified using 'logman.exe'

  • ETW removed using PowerShell

  • Sysmon service was stopped

  • GCP log sink deleted

  • Microsoft Defender firewall disabled using PowerShell

  • Scheduled task distribution using a GPO

  • File permissions granted using 'icacls.exe'

  • Sysmon service was stopped using the service console

  • SUSEFireWall2 disabled

  • Security log disabled by creating the 'MiniNt' registry key using the registry command tool

  • Microsoft Defender firewall disabled using 'netsh.exe'

  • Windows Defender service disabled

  • Sysmon was uninstalled

  • Windows event viewer audit policy reverted to default state using the audit policy CLI

  • Windows event viewer disabled using Windows event viewer utility

  • AWS CloudTrail disabled

  • CrowdStrike Falcon uninstallation process was initiated

  • Windows event viewer service stopped using the service console

  • Disable windows crash dumps through the registry

  • AWS CloudWatch log group deleted

  • Security log size reduced through the registry using the registry command tool

  • Windows event viewer service disabled using the service console

  • Disable .Net ETW through the registry

  • Disable windows crash dumps through the registry using the registry command tool

  • ETW session disabled through the autologger registry path

  • UFW disabled

  • Microsoft Defender firewall disabled through the registry

  • Windows event viewer service stopped

  • Disable .Net ETW through the registry using the registry command tool

  • Disable Windows Defender ETW through the registry using the registry command tool

The correlation rule template, desktopimgdownldr utility used to download a remote file, is now mapped to the Command and Control tactic.

Dashboards


Expanded Visualization Chart Options

New options have been added to the visualization creation process that provide greater flexibility for configuring chart displays. These options enhance readability by letting you control the visual scale, data positioning, missing dates, and result limits in the chart display. The following options are available, depending on the chart type:

  • Series Positioning – Configures how data is displayed along the x-axis. Settings include: Grouped, Stacked, Stacked Percentage. Applicable to bar and column charts.

  • Scale Type – Controls how data is displayed along the x-axis and y-axis to improve readability, especially when there is a wide difference between the smallest and largest data values. Settings include: Linear, Logarithmic. Applicable to bar, column, line, and area charts.

  • Missing Date – Configures how dates with missing data are handled in the chart display. Settings include: Linear Interpolation, Line to Zero, Line Breaks. Applicable to line and area charts.

  • Results Count – Controls how many results are displayed in the chart, which can improve data readability. Settings include: Adapt to Fit, Limit to. Applicable to bar, column, line, and area charts.


For more information, see Create a Visualization Using the Basic Method in the Dashboards Guide.

In addition to the expanded chart options, the Create a Custom Visualization window has been enhanced to open with a default set of attributes already populated: Field = user, Metric = count, and Chart Type = bar chart.

Log Stream


Updated Audit Log Support for Log Stream

Audit log coverage has been updated for Log Stream activity and operation types in the New-Scale Security Operations Platform. Information about the following event and platform enrichment logs can be accessed via the query builder in Basic Search:

  • event-enricher-create

  • event-enricher-delete

  • event-enricher-disable

  • event-enricher-enable

  • event-enricher-force-update

  • event-enricher-import

  • event-enricher-modify

  • event-enricher-reorder

  • platform-event-enricher-disable

  • platform-event-enricher-enable

  • platform-event-enricher-update

For more information, see Log Stream in Audit Logs in the Log Stream Guide.

Enhanced Calibration Tier and Field Coverage Information

The view of parser information has been improved in Log Stream, both on the Parsers Overview tab and in the detailed views of individual parsers. These improvements expand the information available and make it easier to read. For example:

  • On the Parsers Overview tab, new graphs have been added to show overview information for the last 24 hours. The new Tier Distribution graph shows what percentage of all your parsers have been assigned to each calibration tier. The Parsed vs. Unparsed graph shows what percentage of logs ingested in the last 24 hours have been successfully parsed versus what percentage have not been parsed. You can toggle the display between these two graphs.


    For more information, see Parser Calibration Tiers in the Log Stream Guide.

  • In the parser list on the Parser Overview tab, and on Parser Detail tabs, the display of calibration tier information has been clarified. To distinguish more clearly between the Calibration Tier value and other health and status information, a new calibration tier icon has been introduced. The icon changes visually based on which tier is represented.


Improved Regex Syntax Validation

Certain aspects of the way that regex syntax is validated have been improved to ensure more accurate data extraction. These improvements include the following updates:

  • Added support for exa_regex syntax in extraction previews – The exa_regex syntax is useful in two scenarios. It can be used to extract a substring of a value rather than the entire value. It can also be used to extract values in a hybrid parser that contains both native JSON (JSON Xpath) and regular expression (exa_regex) field definitions. In either case, values extracted with exa_regex syntax can now be viewed and highlighted in the Log Stream extraction preview screens. This removes the need to export a parser definition, manually edit it, and then import it back into Log Stream.

  • Added support for $.. syntax in extraction previews – A $.. expression represents a recursive search that finds repeated matches at any depth in the JSON structure. Previously, these expressions extracted data successfully but raised an error that prevented the data from being viewed properly in the extraction previews. The Log Stream UI now parses and displays $.. expressions correctly.

  • Resolved discrepancies in handling expression syntax – Several small differences in the way the Log Stream UI and server-side engines process JSON and regex syntax have been synchronized for consistency. These improvements are in the processing logic that validates the syntax and not in the availability of specific types of expression syntax.
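To make the two extraction styles above concrete, the following Python is an added example (not part of these release notes and not Log Stream's parser engine) of what a $.. recursive-descent lookup does and how a regex substring extraction sits beside JSON field definitions in one hybrid field list. The sample log line, the field names and the (name, kind, expression, source) definition format are constructed for this illustration.

```python
import json
import re

# Added illustration of the two extraction styles discussed above: JSONPath
# recursive descent ("$..key") and a regex that pulls a substring out of an
# already-extracted value, combined in one hybrid field list. This is a small
# explanatory reimplementation, not Log Stream's parser engine; the sample log
# line, field names and definition format are constructed for this example.


def json_recursive(obj, key):
    """Every value stored under `key` at any depth, in document order ($..key)."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                found.append(v)
            found.extend(json_recursive(v, key))
    elif isinstance(obj, list):
        for item in obj:
            found.extend(json_recursive(item, key))
    return found


def json_path(obj, path):
    """Tiny JSONPath subset: '$.a.b' walks keys, '$..b' searches recursively."""
    if path.startswith("$.."):
        return json_recursive(obj, path[3:])
    cur = obj
    for part in path[2:].split("."):
        if not isinstance(cur, dict) or part not in cur:
            return []
        cur = cur[part]
    return [cur]


def parse_hybrid(raw_line, field_defs):
    """Apply a mixed list of JSON and regex field definitions to one log line.

    field_defs entries are (field_name, kind, expression, source_field):
      kind "json"  - expression is a JSONPath applied to the parsed document
      kind "regex" - expression is searched in the value of source_field and
                     capture group 1 becomes the new field (substring extraction)
    """
    doc = json.loads(raw_line)
    fields = {}
    for name, kind, expr, source in field_defs:
        if kind == "json":
            values = json_path(doc, expr)
            if values:
                fields[name] = values[0] if len(values) == 1 else values
        elif kind == "regex":
            match = re.search(expr, str(fields.get(source, "")))
            if match:
                fields[name] = match.group(1)
    return fields


# Constructed sample log line with a nested, repeated "host" key and a
# free-text message that needs substring extraction.
SAMPLE_LINE = json.dumps({
    "event": {"type": "login", "user": {"name": "jdoe", "upn": "jdoe@corp.example"}},
    "details": [{"host": "ws-01"}, {"nested": {"host": "ws-01-vpn"}}],
    "message": "src=10.0.0.5:51234 dst=10.0.1.9:443 action=allow",
})

FIELD_DEFS = [
    ("user",     "json",  "$.event.user.name",          None),
    ("hosts",    "json",  "$..host",                    None),       # recursive descent
    ("message",  "json",  "$.message",                  None),
    ("src_ip",   "regex", r"src=(\d+\.\d+\.\d+\.\d+)",  "message"),  # substring of a value
    ("src_port", "regex", r"src=[\d.]+:(\d+)",          "message"),
    ("missing",  "json",  "$..does_not_exist",          None),       # yields nothing
]

if __name__ == "__main__":
    print(parse_hybrid(SAMPLE_LINE, FIELD_DEFS))
```

Note the ordering dependency a hybrid parser introduces: the regex definitions for src_ip and src_port only work because the JSON definition for message ran first, which is the kind of detail a preview that shows the extracted values makes visible without exporting and editing the parser.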

New-Scale Platform


Exabeam MCP Server Enhancements

The Exabeam MCP Server now supports additional functionality, including the ability to:

  • Get threat summaries

  • Get context table records

  • Get a list of context tables

  • Get correlation rule details

  • Get a list of correlation rules

  • Get a list of analytics/detection management rules

  • Get threat timeline for a case

  • Get threat timeline for an alert

  • Get use case score

  • Get MITRE ATT&CK coverage score

For more information, and to learn how to connect to the server, see Connect to Exabeam MCP Server in the New-Scale Security Operations Platform Administration Guide.

Global Search Enhancements

The ability to search by ip_address and full_name is now available in Global Search.

For more information, see Navigation Center in the New-Scale Security Operations Platform Administration Guide.

Outcomes Navigator


Satisfied Analytics Rule Calculation Enhancement

To more accurately determine whether an analytics rule is satisfied, Outcomes Navigator now queries Search to verify whether the analytics rule has triggered in the last 30 days.

To determine whether an analytics rule is satisfied, Outcomes Navigator typically evaluates whether all required fields were actively parsed in the past 30 days. If a rule remains unsatisfied after this standard check, Outcomes Navigator now uses a fallback check: Outcomes Navigator queries events in Search where activity_type is rule-trigger and compares the returned rule IDs to the analytics rule ID. If the analytics rule is present in the search results, Outcomes Navigator marks the analytics rule as satisfied; otherwise, the analytics rule remains unsatisfied.
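The standard-then-fallback order above matters: a rule whose required fields stopped parsing 40 days ago can still be marked satisfied if it fired within the window, while a rule that fired 35 days ago cannot. The following Python is an added simulation (not part of these release notes and not Outcomes Navigator's code) of that evaluation; the rule records, the field-parse timestamps and the in-memory list standing in for the Search query are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Added simulation of the two-stage check described above. The rule and
# event records, and the in-memory stand-in for the Search query, are
# assumptions for this example; Outcomes Navigator's real data sources are
# not modelled.

LOOKBACK = timedelta(days=30)


def fields_parsed_recently(rule, parsed_fields, now):
    """Standard check: every required field was parsed within the lookback.

    parsed_fields maps field name -> time the field was last parsed.
    """
    cutoff = now - LOOKBACK
    return all(parsed_fields.get(f, datetime.min) >= cutoff
               for f in rule["required_fields"])


def rule_triggered_recently(rule, search_events, now):
    """Fallback check: the rule's ID appears among rule-trigger events."""
    cutoff = now - LOOKBACK
    triggered_ids = {e["rule_id"] for e in search_events
                     if e["activity_type"] == "rule-trigger" and e["time"] >= cutoff}
    return rule["rule_id"] in triggered_ids


def evaluate_rule(rule, parsed_fields, search_events, now):
    """Return (satisfied, reason) following the standard-then-fallback order."""
    if fields_parsed_recently(rule, parsed_fields, now):
        return True, "required fields parsed"
    if rule_triggered_recently(rule, search_events, now):
        return True, "rule triggered in Search"
    return False, "unsatisfied"


# Constructed data: "now", last-parse times per field, and Search results.
NOW = datetime(2026, 6, 15, 12, 0)
PARSED_FIELDS = {
    "user": NOW - timedelta(days=2),
    "src_ip": NOW - timedelta(days=40),   # stale: outside the 30-day window
    "dest_host": NOW - timedelta(days=1),
}
SEARCH_EVENTS = [
    {"activity_type": "rule-trigger", "rule_id": "A-1", "time": NOW - timedelta(days=10)},
    {"activity_type": "rule-trigger", "rule_id": "B-2", "time": NOW - timedelta(days=35)},
    {"activity_type": "login",        "rule_id": "C-3", "time": NOW - timedelta(days=1)},
]
RULES = {
    "A-1": {"rule_id": "A-1", "required_fields": ["user", "src_ip"]},     # fallback saves it
    "B-2": {"rule_id": "B-2", "required_fields": ["src_ip"]},             # trigger too old
    "C-3": {"rule_id": "C-3", "required_fields": ["user", "src_ip"]},     # not a rule-trigger
    "D-4": {"rule_id": "D-4", "required_fields": ["user", "dest_host"]},  # standard check
}


def demo():
    return {rule_id: evaluate_rule(rule, PARSED_FIELDS, SEARCH_EVENTS, NOW)
            for rule_id, rule in RULES.items()}


if __name__ == "__main__":
    for rule_id, (ok, why) in demo().items():
        print(f"{rule_id}: {'satisfied' if ok else 'unsatisfied'} ({why})")
```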

Search


Increased Range for Display of Results in all Views

In all results viewing modes (Timeline, List, and Table), the number of event results that can be displayed has been increased from 500 to 5,000. This increased data retrieval provides greater visibility and context for the search results.

Note

The Summary panel is still limited to showing 500 results. However, a View full results option is available from the summary details for each field, so you can opt to view the full set of results for the selected field.

Continuous Scrolling in the Timeline View of Results

In the Timeline view of search results, the scrolling behavior has been enhanced so you can scroll continuously through the results without the need to page down through multiple individually-loading pages.

For more information, see Timeline View of Search Results in the Search Guide.

Expanded Date Range for Queries in the Timeline View

Early Access Opportunity

An early access opportunity is available to expand the supported date range for viewing search results in the Timeline view from 7 days to 31 days.

If you would like to take advantage of this early access opportunity, email the following group: [email protected].

Service Health and Consumption


New Role Based Access Control (RBAC) Permissions for the App Config tab in Service Health and Consumption

The App Config tab in the Service Health and Consumption dashboard enables users to manage health alert notifications and operational thresholds globally. To prevent unauthorized or accidental modifications by low-privilege users, a dedicated App Config permission has been introduced in the Roles UI. This permission follows the standard platform pattern of Read, Write, and Delete access levels.

By navigating to Settings > Users on the New-Scale Security Operations Platform, you can assign distinct App Config view and edit capabilities to roles. The Administrator role holds full Read, Write, and Delete permissions, the Security Engineer role has read-only access, and the Analyst role cannot view or edit the tab.

Site Collectors 2.20


Direct Access Agent (DAA) Windows Collector

The Direct Access Agent (DAA) Windows Event Log Collector is now available, together with related enhancements. It collects logs natively from your Windows servers and pushes them to the New-Scale Security Operations Platform.

Deprecation of Log Sources Tab from Site Collectors

The Log Sources tab in Site Collectors will be deprecated in August 2026. Ensure that you migrate your configuration to the Log Sources application to continue monitoring silent log sources across the New-Scale Security Operations Platform.

Enhancements for Site Collector Notifications

Site Collector now provides error notifications about missed logs and inactive collectors via the Service Health and Consumption dashboard. This helps with efficient monitoring, prompt issue identification and resolution, and timely log collection.

Enhancements to Heartbeat Monitoring

The monitoring heartbeat has been redesigned to address performance and accuracy issues caused by high log volumes and inefficient per-event processing, which led to high CPU usage and system slowdowns. The redesign prevents loss of history entries and ensures accurate log counts and byte calculations in reports.

NiFi Upgrade

Upgraded Apache NiFi to version 2.9.0.

Support Package download for DAA Collector via User Interface

The Direct Access Agent (DAA) Windows Event Log Collector now supports generating a support package directly from the user interface, similar to the functionality available in Site Collectors.

Threat Center


Phishing Rule Detections

You can now investigate reported phishing emails in Threat Center as detections.

A new cloud collector, the Phishing Email Inbox cloud collector, ingests suspicious emails from a dedicated phishing mailbox. Then, the new Phishing Detection Engine creates an event for each reported email and a phishing rule detection.

Phishing rule detections are assigned a static rarity score of 50.

In the first 24 hours after a phishing rule detection is created, it is grouped into a case by the pre-built Phishing Rule detection grouping rule, if enabled. After the first 24 hours, the pre-built Merge Phishing Detection Engine Cases playbook merges related cases over a 14-day period, if enabled.

For cases that contain phishing rule detections, you can now view a new Email Evidence section in the Overview tab. In this section, you can:

  • Securely view information about the emails, like the sender, recipient, email subject, email body, received time, IP address, hostname, and attachment names.

  • Download the emails for detailed forensic analysis.

  • Search for a specific email by recipient and email subject.

The Email Evidence window under the Overview tab of a case.

Like other detections, you can view phishing detections in chronological order in the Threat Timeline.

A phishing rule detection in the Threat Timeline of a case.

Pre-Built Phishing Rule Detection Grouping Rule

The new pre-built Phishing Rule detection grouping rule groups phishing rule detections with the same email subject under the same case.

The Phishing Rule detection grouping rule.

The Phishing Rule detection grouping rule is disabled by default. To activate the detection grouping rule, you must enable the rule, then order it at the top of the list of detection grouping rules.
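The grouping rule above and the Merge Phishing Detection Engine Cases playbook in the Automation Management section together decide which case a reported email lands in, and the fixed 14-day period (it starts at the first case and does not slide) is the part that is easy to get wrong when reasoning about a backlog of reports. The following Python is an added simulation of both (not part of these release notes and not Exabeam's playbook or rule code); the case records, the case-ID scheme, the assumption that grouping applies to cases opened less than 24 hours earlier, and the demo timeline are constructed for the example.

```python
from datetime import datetime, timedelta

# Added simulation of the grouping rule and merge playbook described above
# (Threat Center "Phishing Rule Detections" and the Automation Management
# "Merge Phishing Detection Engine Cases" playbook). Case records, the
# case-ID scheme and the demo timeline are assumptions for this example;
# neither component's implementation is reproduced.

GROUPING_WINDOW = timedelta(hours=24)
MERGE_WINDOW = timedelta(days=14)


class PhishingCaseTracker:
    def __init__(self):
        self.cases = []           # dicts: id, subject, created, detections, merged_into
        self.merge_periods = {}   # subject -> start of the current 14-day period

    def by_id(self, case_id):
        return next(c for c in self.cases if c["id"] == case_id)

    def open_case(self, subject, now):
        """Grouping rule (assumed form): a detection joins an unmerged case with
        the same subject that was opened less than 24 hours ago."""
        for case in reversed(self.cases):
            if (case["subject"] == subject and case["merged_into"] is None
                    and now - case["created"] < GROUPING_WINDOW):
                return case
        return None

    def merge_playbook(self, new_case):
        """Merge the new case into the oldest case of the current 14-day period
        for its subject; a case created after the period ends starts a new one."""
        subject, created = new_case["subject"], new_case["created"]
        start = self.merge_periods.get(subject)
        if start is None or created - start >= MERGE_WINDOW:
            self.merge_periods[subject] = created      # new 14-day period begins
            return
        candidates = [c for c in self.cases
                      if c["subject"] == subject and c["merged_into"] is None
                      and c is not new_case and c["created"] >= start]
        oldest = min(candidates, key=lambda c: c["created"])
        new_case["merged_into"] = oldest["id"]

    def resolve(self, case_id):
        """Follow merges to the surviving case."""
        while self.by_id(case_id)["merged_into"] is not None:
            case_id = self.by_id(case_id)["merged_into"]
        return case_id

    def ingest_detection(self, subject, now):
        """Return the ID of the case the detection ends up in."""
        case = self.open_case(subject, now)
        if case is None:
            case = {"id": f"case-{len(self.cases) + 1}", "subject": subject,
                    "created": now, "detections": [], "merged_into": None}
            self.cases.append(case)
            self.merge_playbook(case)
        target = self.by_id(self.resolve(case["id"]))
        target["detections"].append(now)
        return target["id"]

    def surviving_cases(self):
        return [c["id"] for c in self.cases if c["merged_into"] is None]


T0 = datetime(2026, 6, 1, 8, 0)   # constructed start time for the demo


def demo():
    tracker = PhishingCaseTracker()
    timeline = [
        ("Invoice overdue", timedelta(0)),            # case-1 opens; period starts
        ("Invoice overdue", timedelta(hours=2)),      # grouped into case-1 (< 24 h)
        ("Payroll update",  timedelta(hours=5)),      # unrelated subject: case-2
        ("Invoice overdue", timedelta(days=3)),       # case-3, merged into case-1
        ("Invoice overdue", timedelta(days=10)),      # case-4, merged into case-1
        ("Invoice overdue", timedelta(days=15)),      # period expired: case-5 starts a new one
        ("Invoice overdue", timedelta(days=20)),      # case-6, merged into case-5
    ]
    placements = [tracker.ingest_detection(subject, T0 + offset)
                  for subject, offset in timeline]
    return {"placements": placements, "surviving": tracker.surviving_cases()}


if __name__ == "__main__":
    print(demo())
```

Both components are disabled by default and must be ordered first in their respective lists, so in a tenant where only the grouping rule is enabled the demo timeline would produce six separate "Invoice overdue" cases instead of two.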

Increased Watchlist Limit

To monitor a wider variety of entities of interest, you can now create up to 40 watchlists.

Watchlists are displayed in pages of eight. After you've reached the limit of 40 watchlists, the ability to add a watchlist is disabled.

Watchlist Reordering

To organize and customize your view of watchlists, you can now reorder watchlists.

To reorder a watchlist, drag and drop the watchlist to a new position in the list.

The Reorder Watchlists window.

Watchlist Entity Display Enhancements

To quickly understand entities at a glance, you can now view entity information directly in a watchlist.

For an entity in a watchlist, you can now immediately view:

To navigate to these cases or alerts, you can now click on the corresponding icon.

You can now also quickly navigate to a timeline of all events associated with the entity in Search by clicking the icon showing two circles connected by two curved lines with a right angle in the center.

Threat Detection Management


Exabeam Nova Rule Creator

You can now quickly create and edit analytics rules using Exabeam Nova.

The page you see when creating an analytics rule using Exabeam Nova Rule Creator.

You can now describe the analytics rule you want to create or the changes you want to make using natural language, and Exabeam Nova Rule Creator will draft an analytics rule according to your description.

You can also ask Exabeam Nova Rule Creator other questions about Threat Detection Management and analytics rules; for example, what the different analytics rule types are, or what an analytics rule field does.

The draft of an analytics rule created by Exabeam Nova Rule Creator.

After reviewing the drafted analytics rule and ensuring it meets your requirements, you click Create Rule to create the analytics rule or save the changes.

Increased Enabled Exclusion Limit

To more precisely tune analytics rules, you can now enable up to 250 exclusions.

The Rule Exclusions card on the Analytics Rules tab.

Exclusion Creation Limits

To ensure the analytics engine runs smoothly, you can now create:

  • Up to 25 exclusions that apply to all analytics rules

    The scope of an exclusion with Global selected and the Global exclusions limit highlighted in a red rectangle.
  • Up to 25 exclusions per specific analytics rule family

    The scope of an exclusion with the specific analytics rule family listed and the exclusion limit highlighted in a red rectangle.
  • Up to 25 exclusions per specific analytics rule

    The scope of an exclusion with analytics rules listed and the exclusion limit highlighted in a red rectangle.

You can track your progress toward these limits when you create or edit an exclusion, under Scope.

New Early Access Pre-Built Analytics Rules

New pre-built analytics rules are now released as part of an early access program before becoming generally available. Analytics rules in early access have [Early Access] in their names.

You can now better detect abnormal cloud application activity with the following early access pre-built analytics rules:

  • Prof-ACG-App-Plt-App – This is the first time this application got consent in this platform.

  • Prof-ACG-Perm-Plt-Perm – This is the first time consent was granted with these permissions to applications in this platform.

  • Prof-ACG-Perm-UDPlt-Perm – This is the first time consent was granted with these permissions to applications by users in this department.

  • Prof-ACG-Perm-UPlt-Perm – This is the first time consent was granted with these permissions to applications by this user.

  • NumSP-MItemRead-NMS-U-NA – An abnormal number of emails have been read by this user.

  • Prof-MFPermMod-U-O-U – This is the first time a mailbox folder permission was modified by this user for the organization.

You can now detect when AI agents have been downloaded or installed with the following early access pre-built analytics rules:

  • Cntx-PC-Critical-AIA – Process is a known AI agent: True\False

  • Cntx-PC-Critical-AIF – Process is a known AI development framework: True\False

  • Cntx-PC-Critical-Parent-AIA – Parent process is a known AI agent: True\False

  • Cntx-PC-Critical-Parent-AIF – Parent process is a known AI development framework: True\False

  • Fact-Web-AIA-LargeDownload – A large inbound byte transfer was observed from a download-related domain categorized as AI, ML, Generative AI, LLM, or equivalent by a web security vendor.

  • NumSP-Web-Bytes-AIA-U-DownloadBytesIn – An abnormal inbound byte volume was observed for this user from download-related domains categorized as AI, ML, Generative AI, LLM, or equivalent by a web security vendor.

  • Prof-PC-AIT-SE-BREW-Agent – This is the first time a Brew package of an AI agent has been installed on this endpoint.

  • Prof-PC-AIT-SE-CURL-Agent – This is the first time an AI agent has been installed using CURL on this endpoint.

  • Prof-PC-AIT-SE-CURL-Framework – This is the first time an AI development framework has been installed using CURL on this endpoint.

  • Prof-PC-AIT-SE-GitClone-Agent – This is the first time a GitHub repository of an AI agent has been cloned on this endpoint.

  • Prof-PC-AIT-SE-GitClone-Framework – This is the first time a GitHub repository of an AI development framework has been cloned on this endpoint.

  • Prof-PC-AIT-SE-NPM-Agent – This is the first time a JavaScript named package of an AI agent has been installed on this endpoint.

  • Prof-PC-AIT-SE-NPM-Framework – This is the first time a JavaScript named package of an AI development framework has been installed on this endpoint.

  • Prof-PC-AIT-SE-PIP-Agent – This is the first time a Python package of an AI agent has been installed on this endpoint.

  • Prof-PC-AIT-SE-PIP-Framework – This is the first time a Python package of an AI development framework has been installed on this endpoint.

  • Prof-PC-AIT-U-BREW-Agent – This is the first time a Brew package of an AI agent has been installed by this user.

  • Prof-PC-AIT-U-CURL-Agent – This is the first time an AI agent has been installed using CURL by this user.

  • Prof-PC-AIT-U-CURL-Framework – This is the first time an AI development framework has been installed using CURL by this user.

  • Prof-PC-AIT-U-GitClone-Agent – This is the first time a GitHub repository of an AI agent has been cloned by this user.

  • Prof-PC-AIT-U-GitClone-Framework – This is the first time a GitHub repository of an AI development framework has been cloned by this user.

  • Prof-PC-AIT-U-NPM-Agent – This is the first time a JavaScript named package of an AI agent has been installed by this user.

  • Prof-PC-AIT-U-NPM-Framework – This is the first time a JavaScript named package of an AI development framework has been installed by this user.

  • Prof-PC-AIT-U-PIP-Agent – This is the first time a Python package of an AI agent has been installed by this user.

  • Prof-PC-AIT-U-PIP-Framework – This is the first time a Python package of an AI development framework has been installed by this user.

  • Prof-PC-AIT-UD-BREW-Agent – This is the first time a Brew package of an AI agent has been installed by users in this department.

  • Prof-PC-AIT-UD-CURL-Agent – This is the first time an AI agent has been installed using CURL by users in this department.

  • Prof-PC-AIT-UD-CURL-Framework – This is the first time an AI development framework has been installed using CURL by users in this department.

  • Prof-PC-AIT-UD-GitClone-Agent – This is the first time a GitHub repository of an AI agent has been cloned by users in this department.

  • Prof-PC-AIT-UD-GitClone-Framework – This is the first time a GitHub repository of an AI development framework has been cloned by users in this department.

  • Prof-PC-AIT-UD-NPM-Agent – This is the first time a JavaScript named package of an AI agent has been installed by users in this department.

  • Prof-PC-AIT-UD-NPM-Framework – This is the first time a JavaScript named package of an AI development framework has been installed by users in this department.

  • Prof-PC-AIT-UD-PIP-Agent – This is the first time a Python package of an AI agent has been installed by users in this department.

  • Prof-PC-AIT-UD-PIP-Framework – This is the first time a Python package of an AI development framework has been installed by users in this department.

  • Prof-Web-AIA-O-WebDomain – This is the first outbound HTTP session to this AI, ML, Generative AI, or LLM application web domain in the organization.

To more accurately detect abnormal AI agent activity and to replace four obsolete pre-built analytics rules, the following early access pre-built analytics rules were created:

  • Fact-AI-Del – An AI agent has been deleted by a user.

  • NumSP-AI-TS-U-Tokens – An abnormal sum of tokens in successful AI requests and responses has been observed for this user. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • NumSP-AI-TS-UO-Tokens – An abnormal sum of tokens in successful AI requests and responses has been observed for the organization and has been attributed to this user. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • Prof-AI-T-O-Tokens – An abnormal number of tokens for a single successful AI request has been observed for the organization. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • Prof-AI-T-U-Tokens – An abnormal number of tokens for a single successful AI request has been observed for this user. If the number of tokens is not available, tokens are estimated at one token per four letters.

You can now detect suspicious OpenClaw agent activity with the following early access pre-built analytics rules:

  • Prof-Fwrite-U-DE-U-OpenClaw – This is the first time this user has created or modified a file in the folder ~/.openclaw on this endpoint.

  • Prof-Network-OpenClawWebSocket-DE-SE – This is the first time a successful connection to port 18789 has been observed from this source endpoint to this destination endpoint. The port 18789 is the default port of OpenClaw WebSocket Gateway.

  • Prof-Network-Country-DEDP-SCountry – This is the first time a successful network connection has been observed from this country, determined by geolocation lookup, to this endpoint with this port.

  • Prof-Network-Country-DP-SCountry – This is the first time a successful network connection has been observed from this country, determined by geolocation lookup, to the organization with this port.

  • Prof-Network-Country-O-SCountry – This is the first time a successful network connection has been observed from this country, determined by geolocation lookup, to the organization.

You can now detect abnormal tool calls with the following early access pre-built analytics rules:

  • NumCP-AI-TC-O-SIP – An abnormal number of tool calls has been observed for the organization from this source IP.

  • NumCP-AI-TC-O-U – An abnormal number of tool calls has been observed for the organization by this user.

  • NumCP-AI-TC-U – An abnormal number of tool calls has been observed for this user.

You can now detect third-party AI alerts with the following early access pre-built analytics rules:

  • Fact-SA-AITPA-HR – A high-risk misuse of AI has been detected by a third-party vendor.

  • NumCP-SA-TP-AC-DLP-U – An abnormal number of DLP violations via AI have been observed for this user.

  • NumCP-SA-TP-AC-DLP-UO – An abnormal number of DLP violations via AI for the organization have been performed by this user.

  • NumCP-SA-TP-AC-U – An abnormal number of AI third-party alerts have been observed for this user.

  • NumCP-SA-TP-AC-UO – An abnormal number of AI third-party alerts for the organization have been performed by this user.

You can now better detect Model Context Protocol (MCP) permission abuse and high-confidence API control-plane activity with the following early access pre-built analytics rule:

  • Prof-Git-MCP-O-U – This is the first time this user has accessed an MCP-related GitHub repository using a token.

Updated and Removed Pre-Built Analytics Rules

You can now better detect AI misuse, unauthorized access and authentication, suspicious command and process executions, defense evasion tactics, abnormal data and network activity, and system configuration tampering with updated and removed pre-built analytics rules.

To better detect abnormal AI agent activity and AI misuse, and ensure Unix command names are processed consistently, trainOnCondition was updated for the following pre-built analytics rules:

  • Prof-PC-PN-DE-PN – This is the first time this process has been executed on this endpoint. This feature only models processes from the following categories: Windows and Unix commands, pentest tools, system enumeration, account enumeration, and network sniffers.

  • Prof-PC-PN-Plt-PN – This is the first time this process has been executed in this platform. This feature only models processes from the following categories: Windows and Unix commands, pentest tools, system enumeration, account enumeration, and network sniffers.

  • Prof-PC-PN-PltSZ-PN – This is the first time this process has been executed in this platform from this network zone. This feature only models processes from the following categories: Windows and Unix commands, pentest tools, system enumeration, account enumeration, and network sniffers.

  • Prof-PC-PN-PltU-PN – This is the first time this process has been executed in this platform for this user. This feature only models processes from the following categories: Windows and Unix commands, pentest tools, system enumeration, account enumeration, and network sniffers.

  • Prof-PC-PN-PltUD-PN – This is the first time this process has been executed in this platform for users in this department. This feature only models processes from the following categories: Windows and Unix commands, pentest tools, system enumeration, account enumeration, and network sniffers.

  • Prof-PC-PPN-PPN-PN – This is the first time this child process has been observed for this matured parent process.

To prevent over-triggering on first-time observations and to establish a good baseline, minimumTrainingPeriodInDays was added to the following pre-built analytics rules:

  • Prof-AI-AC-O-PLT – This is the first time a user in the organization has created an AI agent with this platform.

  • Prof-AI-AC-PLT-UD – This is the first time a user in this department has created an AI agent with this platform.

  • Prof-AI-PI-O-U-Exec – This is the first time an AI request that attempts to cause the agent to execute a command or a script has been sent by this user.

  • Prof-SA-AN-U-AN – This is the first time this security alert triggered for this user.

  • Prof-RA-U-Plt-U – This is the first time a role has been assigned by this user on this platform.

  • Prof-AI-AS-Plt-U – This is the first time this user has shared an AI agent on this platform.

  • Prof-AI-TI-O-TN – This is the first time this AI agent tool has been invoked.

  • Prof-AI-TI-U-TN – This is the first time this AI agent tool has been invoked by this user.

  • Prof-AI-AC-PLT-U – This is the first time this user has created an AI agent with this platform.

To fix an issue where events were incorrectly associated with unrelated entities in Threat Center and Search, query was updated for the following pre-built analytics rules:

  • NumCP-PC-CritCmdC-O – An abnormal number of critical command executions have been observed for the organization.

  • NumCP-FUpld-EC-UD – An abnormal number of file upload events has been observed for users in this department.

  • NumCP-PC-KextloadCmdC-U – An abnormal number of 'kextload' (Kernel Extension Load) process executions have been observed for this user.

  • NumDCP-EL-UC-O-U-SE – An abnormal number of unique user names have been observed in endpoint logins for the organization per source endpoint. These events may include both failed and successful communications.

  • NumSP-Network-BytesToExtIP-Failed-SE-Bytes – An abnormal amount of bytes have failed to be sent in communication that initiated from this endpoint to an external IP. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • NumCP-PC-ChmodCount-U – An abnormal number of 'chmod' (Change Mode) process executions have been observed for this user.

  • NumCP-ELF-EC-U-DE – An abnormal number of failed endpoint logins to this endpoint have been observed for this user.

  • NumSP-DNSReq-Bytes-O-Bytes – An abnormal amount of bytes were sent in DNS queries from endpoints in the organization.

  • NumCP-PC-InsmodCmdC-U – An abnormal number of 'insmod' (Install Module) process executions have been observed for this user.

  • NumCP-EMS-EC-U-Id – An abnormal number of outgoing emails have been observed for this user.

  • NumCP-SEPwrshell-CmdInvC-O-InvC – An abnormal number of PowerShell command invocations have been observed for the organization.

  • NumCP-RegD-EC-DE – An abnormal number of registry deletion events have been observed on this device.

  • NumDCP-AL-UC-Plt-U-SE – An abnormal number of unique user names have been observed in application logins to this platform per source endpoint. These events may include both failed and successful communications.

  • NumCP-FUpld-EC-U – An abnormal number of file upload events has been observed for this user.

  • NumCP-FDel-UnixLogFilesC-U – An abnormal number of log files have been deleted by this user in Unix systems.

  • NumDCP-PCCEnum-TC-U-CEnum – An abnormal number of unique credential enumeration tools have been executed for this user.

  • NumDCP-SA-ANC-U-AN – An abnormal number of unique alerts have triggered for this user.

  • NumDC-ShA-ShareC-U-DS – An abnormal number of unique network shares have been accessed for this user.

  • NumDCP-EL-UC-DESE-U – An abnormal number of unique user names have been observed in endpoint logins for destination endpoint and source endpoint. These events may include both failed and successful communications.

  • NumCP-AI-CSC-UPLT – An abnormal number of AI conversations have been successfully shared by this user on this platform.

  • NumCP-DNSResp-NXC-SE-NX – An abnormal number of DNS queries to NX domains from this endpoint have been observed.

  • NumDCP-Network-DPC-SEDE-DP – An abnormal number of unique target ports have been observed in internal communication that initiated by this endpoint to this destination endpoint. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator. These events may include both failed and successful communications.

  • NumCP-PCpwrshell-EC-O – An abnormal number of PowerShell process executions have been observed for the organization.

  • NumCP-PC-ModprobeCmdC-DE – An abnormal number of 'modprobe' (Module Probe, a kernel module management tool) process executions have been observed on this endpoint.

  • NumCP-EMR-EC-DU – An abnormal number of incoming emails have been observed for this user.

  • NumCP-AI-MC-U – An abnormal number of AI agent modifications has been observed for a user.

  • NumCP-MPermMod-EC-U – An abnormal number of mailbox permission modifications have been observed for this user.

  • NumCP-PwdChkout-EC-UD-SC – An abnormal number of password retrievals have been observed for users in this department.

  • NumDCP-Login-DZC-U-DZ – An abnormal number of unique destination network zones have been observed in login events for this user. These events may include both failed and successful logins.

  • NumDCP-EL-DEC-SE-DE – An abnormal number of unique destination endpoints have been observed in successful endpoint login events from this endpoint. These events may include interactive Windows logins and other (interactive or not) OS logins.

  • NumDCP-FDel-U-DE – An abnormal number of unique remote destination endpoints have been observed in file deletion events on this endpoint for this user.

  • NumDCP-FRead-EC-B-FP – An abnormal number of unique files have been read in this bucket for this user.

  • NumDCP-GA-OpC-UPlt-FOp – An abnormal number of unique failed operations have been observed in this platform for this user.

  • NumCP-RegD-Services-EC-U – An abnormal number of unique service configurations have been deleted from the registry for this user.

  • NumDCP-Login-DZC-UD-DZ – An abnormal number of unique destination network zones have been observed in login events for users in this department. These events may include both failed and successful logins.

  • NumCP-DL-EC-UPlt – An abnormal number of kernel module or drivers have been loaded for this user.

  • NumDCP-Network-DIPC-U-DIP-Fail – An abnormal number of unique target IPs have been observed in failed internal communications by this user. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • NumCP-ELF-EC-U-RDP – An abnormal number of failed RDP (remote desktop protocol) logins to this endpoint have been observed for this user.

  • NumDCP-FRead-EC-UP-FP – An abnormal number of unique files have been read in this platform for this user.

  • NumDCP-VPNln-UC-O-U-SE – An abnormal number of unique user names have been observed in VPN login for the organization per source endpoint. These events may include both failed and successful communications.

  • NumCP-PwdChkout-EC-U-SC – An abnormal number of password retrievals have been observed for this user.

  • NumCP-PC-DirSearchCount-U – An abnormal number of Unix file search process executions have been observed for this user.

  • NumCP-RegD-Services-EC-DE – An abnormal number of unique service configurations have been deleted from the registry on this device.

  • NumDCP-RegR-RPC-Cert-U-RP – An abnormal number of unique certificates and private keys related registry values have been read by this user.

  • NumSP-FRead-FS-UP-Bytes – An abnormal amount of file bytes have been read in this platform for this user.

  • NumDCP-WebF-WebDomC-U-WebDom – An abnormal number of unique domains have been observed in failed HTTP events for this user.

  • NumCP-ELF-EC-U-DZ – An abnormal number of failed logins to endpoints in this network zone have been observed for this user.

  • NumCP-ELF-EC-U-SE – An abnormal number of failed endpoint logins from this endpoint have been observed for this user.

  • NumCP-FDnld-EC-UD – An abnormal number of file download events has been observed for users in this department.

  • NumDCP-EL-DEC-U-DE – An abnormal number of unique destination endpoints have been observed in endpoint login events for this user. These events may include interactive Windows logins and other (interactive or not) OS logins, both failed and successful.

  • NumCP-EScrn-EC-U – An abnormal number of screenshot events have been observed for this user.

  • NumDCP-Network-DIPC-SE-DIP-Fail – An abnormal number of unique target IPs have been observed in failed internal communications that initiated by this endpoint. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • NumCP-AI-U-Guardrail-Block – An abnormal number of AI guardrail violations has been observed for a user.

  • NumCP-DNSResp-NXC-O-NX – An abnormal number of DNS queries to NX domains have been observed for the organization.

  • NumDCP-FWrite-EC-U-FP – An abnormal number of unique files have been written for this user.

  • NumSP-Web-Bytes-UD-BytesStorageOut – An abnormal amount of bytes have been uploaded to file sharing websites for users in this department.

  • NumDCP-EL-UC-SE-U – An abnormal number of unique user names have been observed in endpoint logins from this endpoint. These events may include both failed and successful communications.

  • NumCP-AppAuthF-EC-U – An abnormal number of application authentication failures have been observed for this user.

  • NumDCP-EL-UC-DE-U-SE – An abnormal number of unique user names have been observed in endpoint logins to this endpoint per source endpoint. These events may include both failed and successful communications.

  • NumDCP-PwdChkout-SVC-U-SV – An abnormal number of unique safes have been observed in passwords retrieval events for this user.

  • NumDCP-EL-DEC-O-DE – An abnormal number of unique destination endpoints have been observed in endpoint login events for the organization. These events may include interactive Windows logins and other (interactive or not) OS logins, both failed and successful.

  • NumCP-AI-QC-UO – An abnormal number of successful AI requests for the organization have been performed by this user. AI requests may consist of one or more prompts.

  • NumDCP-CA-DAC-U-Disks – An abnormal number of volumes were attached to instances by this user. These events may include both failed and successful attachments.

  • NumSP-EMS-Bytes-U-Bytes – An abnormal amount of bytes have been sent in outgoing emails for this user.

  • NumDCP-ELF-SEC-DE-SE – An abnormal number of unique endpoints have been observed failing to log into this endpoint.

  • NumCP-AI-QC-U – An abnormal number of successful AI requests for the organization have been performed by this user. AI requests may consist of one or more prompts.

  • NumCP-PCpwrshell-EC-UD – An abnormal number of PowerShell process executions have been observed for users in this department.

  • NumSP-Web-Bytes-U-BytesStorageOut – An abnormal amount of bytes have been uploaded to file sharing websites for this user.

  • NumCP-PCpwrshell-EC-U – An abnormal number of PowerShell process executions have been observed for this user.

  • NumDCP-FC-EC-U-FP – An abnormal number of unique files have been copied in this platform for this user.

  • NumCP-VPNlnF-EC-O-U-30Days – An abnormal number of failed VPN logins have been observed for the organization by this user in 30 days.

  • NumDCP-PLA-LocC-U-LocDoor – An abnormal number of unique doors have been observed in physical access events for this user.

  • NumCP-Auth-MfaEC-U – An abnormal number of Multi-Factor Authentication (MFA) authentication events for this user have been observed. These events may include both failed and successful authentications to an MFA service.

  • NumDCP-Network-DIPC-O-DIP-U-Fail – An abnormal number of unique target IPs have been observed in failed internal communications for the organization per user. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • NumCP-WebF-EC-U-Id – An abnormal number of error responses to an HTTP requests have been observed for this user.

  • NumCP-DSOW-EC-O – An abnormal number of directory service write events have been observed for the organization. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • NumDCP-EA-TgsEC-UD-Sn – An abnormal number of Ticket Granting Services (TGS) were observed for users in this department. In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) to be used to request from the Ticket Granting Service (TGS) access tokens for specific resources/systems joined to the domain. This event is notable since it may indicate use of stolen credentials.

  • NumDC-Git-RepoC-U-Object – An abnormal number of unique repository endpoints where secrets are generally stored has been observed for this user, which may indicate unauthorized enumeration or insider reconnaissance activity. The repository name is parsed into the object field, which is the field being counted here.

  • NumDCP-FWrite-AuditRule-U-DE – An abnormal number of unique endpoints on which this user modified the audit.rules file has been observed on Unix systems.

  • NumSP-Web-AIA-U-AILLMBytesOut – An abnormal volume of outbound data to AI/LLM web applications has been observed for this user.

  • NumDCP-Auth-TgsEC-U-Sn – An abnormal number of Ticket Granting Services (TGS) were observed for this user. In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) to be used to request from the Ticket Granting Service (TGS) access tokens for specific resources/systems joined to the domain. This event is notable since it may indicate use of stolen credentials.

  • NumDCP-SADLP-ProtoC-U-Proto – An abnormal number of unique protocols have been observed in DLP alerts for this user.

  • NumSP-EMR-Bytes-DU-Bytes – An abnormal amount of bytes have been received in incoming emails for this user.

  • NumCP-VPNlnF-EC-U-30Days – An abnormal number of VPN login failures have been observed for this user in 30 days.

  • NumCP-AppLF-EC-U – An abnormal number of application login failures have been observed for this user.

  • NumDCP-FRead-FS-U-DE – An abnormal number of unique destination endpoints have been observed in file read events for this user.

  • NumDCP-SA-ANC-SE-AN – An abnormal number of unique alerts have triggered from this endpoint.

  • NumSP-Web-Bytes-O-BytesStorageOut – An abnormal amount of bytes have been uploaded to file sharing websites for the organization.

  • NumDCP-Network-DIPC-O-DIP-SE-Fail – An abnormal number of unique target IPs have been observed in failed internal communications for the organization per initiated endpoint. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • NumCP-PrivUse-EC-U-APC – An abnormal number of administrative privilege access events have been observed for this user.

  • NumCP-Web-AIA-U-AILLMSessionCount – An abnormal number of AI/LLM web sessions has been observed for this user.

  • NumCP-PC-InsmodCmdC-DE – An abnormal number of 'insmod' (Install Module) process executions have been observed on this endpoint.

  • NumCP-DL-EC-SE – An abnormal number of kernel module or drivers have been loaded on this endpoint.

  • NumCP-PC-ChownCount-U – An abnormal number of 'chown' (Change Owner) process executions have been observed for this user.

  • NumCP-Git-EC-U – An abnormal number of GitHub API access events has been observed for this user.

  • NumSP-Network-BytesToExtIP-SE-Bytes – An abnormal amount of bytes have been sent in communication that initiated from this endpoint to an external IP. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator. These events may include both failed and successful communications.

  • NumDCP-RegW-RPC-ServicesStop-U-RP – An abnormal number of unique services have been stopped by modifying the registry for this user.

  • NumDCP-PCHEnum-TC-U-HEnum – An abnormal number of unique host enumeration tools have been executed for this user.

  • NumCP-AI-CDC-UPLT – An abnormal number of AI conversations have been successfully deleted by this user on this platform.

  • NumSP-FRead-FS-SA-Bytes – An abnormal amount of file bytes have been read in this storage account for this user.

  • NumSP-FUSB-Bytes-U-Bytes – An abnormal amount of file bytes have been written to peripheral storage devices for this user.

  • NumCP-VPNlnF-EC-O-U-1Day – An abnormal number of failed VPN logins have been observed for the organization by this user in a day.

  • NumSP-Network-BytesToExtIP-SZ-Bytes – An abnormal amount of bytes have been sent in communication that initiated in this network zone to an external IP. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator. These events may include both failed and successful communications.

  • NumSP-DNSReq-Bytes-SZ-Bytes – An abnormal amount of bytes were sent in DNS queries from this network zone.

  • NumCP-SEPwrshell-WebReq-O-WebReq – An abnormal number of PowerShell web requests have been observed for the organization.

  • NumSP-VPNOut-Bytes-U-Bytes – An abnormal amount of bytes have been uploaded in VPN session for this user.

  • NumCP-FDnld-EC-O – An abnormal number of file download events has been observed for the organization.

  • NumSP-Network-BytesFromExtIP-SZ-Bytes – An abnormal amount of bytes have been sent in externally initiated communication to this network zone. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator. These events may include both failed and successful communications.

  • NumDCP-FRead-EC-SA-FP – An abnormal number of unique files have been read in this storage account for this user.

  • NumCP-RegD-EC-U – An abnormal number of registry deletion events have been observed for this user.

  • NumCP-DSOW-EC-U – An abnormal number of directory service events have been observed for this user. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • NumDCP-SA-ANC-UD-AN – An abnormal number of unique alerts have triggered for users in this department.

  • NumSP-DBQ-RS-U-RS – An abnormal database query response size has been observed for this user. These events may include both failed and successful queries.

  • NumCP-PwdChkout-EC-O-SC – An abnormal number of password retrievals have been observed for the organization.

  • NumCP-FUpld-EC-O – An abnormal number of file upload events has been observed for the organization.

  • NumCP-DB-DBOpC-U – An abnormal number of database operation events were observed for this user; this can include both unique and non-unique operations. A database operation consists of any action in a database query (e.g., SELECT, DROP, UPDATE). These events may include both failed and successful operations.

  • NumDCP-FUSB-FPC-U-FP – An abnormal number of unique files has been written to peripheral storage devices for this user.

  • NumSP-Web-Bytes-U-BytesStorageIn – An abnormal amount of bytes have been downloaded from file sharing websites for this user.

  • NumDCP-RegW-RPC-ServicesStop-DE-RP – An abnormal number of unique services have been stopped by modifying the registry on this endpoint.

  • NumCP-RuleDel-EC-U – An abnormal number of security rules deletion events have been observed for this user.

  • NumDCP-PLA-LocC-U-LocCity – An abnormal number of unique cities have been observed in physical access events for this user.

  • NumCP-PC-SudoCount-U – An abnormal number of 'sudo' (Superuser Do) process executions have been observed for this user.

  • NumCP-UPwdMod-O – An abnormal number of password reset events has been observed for this user.

  • NumCP-PC-ModprobeCmdC-U – An abnormal number of 'modprobe' (Module Probe, a kernel module management tool) process executions have been observed for this user.

  • NumSP-Web-Bytes-U-BytesInPost – An abnormal amount of bytes have been uploaded to the web with POST requests for this user.

  • NumCP-FDel-EC-U – An abnormal number of file deletion events have been observed for this user.

  • NumDCP-EL-UC-DE-UUnknown – An abnormal number of unique unknown user names have been observed in failed logins to this endpoint.

  • NumDC-RA-U-RAC – An abnormal number of role-assume requests have been observed for this user. These events can include both successful and failed assumed roles.

  • NumDCP-VPNln-UC-SE-U – An abnormal number of unique user names have been observed in VPN login from this endpoint. These events may include both failed and successful communications.

  • NumCP-VPNlnF-EC-U – An abnormal number of VPN login failures have been observed for this user.

  • NumSP-DNSReq-Bytes-SE-Bytes – An abnormal amount of bytes were sent in DNS queries from this endpoint.

  • NumCP-FDnld-EC-U – An abnormal number of file download events has been observed for this user.

  • NumDCP-AL-UC-PltSE-U – An abnormal number of unique user names have been observed in application logins to this platform from this endpoint. These events may include both failed and successful communications.

  • NumSP-SADLP-Bytes-U-Bytes – An abnormal amount of outgoing bytes have been recorded in DLP alerts for this user.

  • NumSP-FRead-FS-B-Bytes – An abnormal amount of file bytes have been read in this bucket for this user.

  • NumCP-DSOW-EC-UD – An abnormal number of directory service write events have been observed for users in this department. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • NumDCP-EL-UC-DE-U – An abnormal number of unique user names have been observed in logins to this endpoint. These events may include both failed and successful logins.
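Several of the network rules above (for example NumDCP-Network-DIPC-SE-DIP-Fail and NumSP-Network-BytesToExtIP-SE-Bytes) share the same fallback: when an event does not say which side initiated the session, the endpoint communicating with the lower port is treated as the initiator. The following Python is an added illustration of that fallback and of the "unique failed internal target IPs per initiating endpoint" count; it is not Exabeam's code, the event field names (`src_ip`, `src_port`, `dst_ip`, `dst_port`, `outcome`, `initiator`) are assumptions rather than the platform's schema, the sample events are constructed, and "internal" is approximated with RFC 1918 private ranges.

```python
"""Added example, not part of the release notes or the platform's code.

Demonstrates two pieces of logic the rule descriptions refer to:
  1. inferring the session initiator from port numbers when the event
     does not state it (the side talking to the lower port is the client);
  2. counting unique failed internal target IPs per initiating endpoint.
Field names and sample data are constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Constructed sample events. `initiator` is "src", "dst" or None (unknown).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "src_port": 51234, "dst_ip": "10.0.0.9",  "dst_port": 445,   "outcome": "failed",  "initiator": None},
    {"src_ip": "10.0.0.5", "src_port": 51235, "dst_ip": "10.0.0.10", "dst_port": 445,   "outcome": "failed",  "initiator": None},
    {"src_ip": "10.0.0.5", "src_port": 51236, "dst_ip": "10.0.0.10", "dst_port": 22,    "outcome": "failed",  "initiator": None},
    {"src_ip": "10.0.0.5", "src_port": 51237, "dst_ip": "10.0.0.11", "dst_port": 3389,  "outcome": "success", "initiator": None},
    # Sensor logged the reply direction: src is the server side (port 445).
    {"src_ip": "10.0.0.12", "src_port": 445,  "dst_ip": "10.0.0.5",  "dst_port": 52000, "outcome": "failed",  "initiator": None},
    # External target: excluded from an "internal communications" count.
    {"src_ip": "10.0.0.5", "src_port": 51238, "dst_ip": "8.8.8.8",   "dst_port": 53,    "outcome": "failed",  "initiator": None},
    # Equal ports and no initiator flag: direction is ambiguous.
    {"src_ip": "10.0.0.7", "src_port": 40000, "dst_ip": "10.0.0.9",  "dst_port": 40000, "outcome": "failed",  "initiator": None},
    # Explicit initiator flag wins over the port heuristic.
    {"src_ip": "10.0.0.7", "src_port": 40001, "dst_ip": "10.0.0.9",  "dst_port": 8080,  "outcome": "failed",  "initiator": "dst"},
]


def infer_initiator(event):
    """Return (initiator_ip, target_ip), or None when the direction is unknowable.

    An explicit initiator field is trusted first. Otherwise the endpoint that
    is communicating *with* the lower port (the client in a normal
    client/server exchange, where servers listen on low well-known ports and
    clients use high ephemeral ports) is taken as the initiator. Equal ports
    with no flag are left undecided rather than guessed.
    """
    src, dst = event["src_ip"], event["dst_ip"]
    if event.get("initiator") == "src":
        return src, dst
    if event.get("initiator") == "dst":
        return dst, src
    if event["dst_port"] < event["src_port"]:
        return src, dst          # src is talking to the lower port
    if event["src_port"] < event["dst_port"]:
        return dst, src          # dst is talking to the lower port
    return None                  # ambiguous: same port on both sides


def is_internal(ip):
    """Approximation for 'internal': RFC 1918 / private address space (assumption)."""
    return ipaddress.ip_address(ip).is_private


def unique_failed_internal_targets(events):
    """Count distinct internal target IPs in failed, internally initiated sessions,
    keyed by the initiating endpoint (the quantity NumDCP-Network-DIPC-SE-DIP-Fail
    profiles). Ambiguous-direction events are skipped, not miscounted."""
    targets = defaultdict(set)
    for event in events:
        if event["outcome"] != "failed":
            continue
        direction = infer_initiator(event)
        if direction is None:
            continue
        initiator, target = direction
        if not (is_internal(initiator) and is_internal(target)):
            continue
        targets[initiator].add(target)
    return {initiator: len(ips) for initiator, ips in targets.items()}


if __name__ == "__main__":
    for endpoint, count in sorted(unique_failed_internal_targets(SAMPLE_EVENTS).items()):
        print(f"{endpoint}: {count} unique failed internal target IP(s)")
```

Running the block on the constructed events gives 10.0.0.5 three unique failed internal targets (10.0.0.9, 10.0.0.10, 10.0.0.12; the reversed record is attributed correctly because 10.0.0.5 is the side talking to port 445) and 10.0.0.9 one, while the external, successful and ambiguous events contribute nothing. A deployed rule would compare such per-endpoint counts against a learned baseline rather than a fixed threshold.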

To better reflect the potential risk associated with these activities, severity was updated to Medium for the following pre-built analytics rules:

  • Prof-PC-PN-DE-PN – This is the first time this process has been executed on this endpoint. This feature only models processes from the following categories: Windows and Unix commands, pentest tools, system enumeration, account enumeration, and network sniffers.

  • Prof-PC-PN-Plt-PN – This is the first time this process has been executed in this platform. This feature only models processes from the following categories: Windows and Unix commands, pentest tools, system enumeration, account enumeration, and network sniffers.

  • Prof-PC-PN-PltSZ-PN – This is the first time this process has been executed in this platform from this network zone. This feature only models processes from the following categories: Windows and Unix commands, pentest tools, system enumeration, account enumeration, and network sniffers.

  • Prof-PC-PN-PltU-PN – This is the first time this process has been executed in this platform for this user. This feature only models processes from the following categories: Windows and Unix commands, pentest tools, system enumeration, account enumeration, and network sniffers.

  • Prof-PC-PN-PltUD-PN – This is the first time this process has been executed in this platform for users in this department. This feature only models processes from the following categories: Windows and Unix commands, pentest tools, system enumeration, account enumeration, and network sniffers.

To detect successful AI agent tool calls and requests, applicable_events was updated for the following pre-built analytics rules:

  • Prof-AI-TI-O-TN – This is the first time this AI agent tool has been invoked.

  • Prof-AI-TI-U-TN – This is the first time this AI agent tool has been invoked by this user.

To track blocked or failed events instead of allowed traffic, actOnCondition was updated for the following pre-built analytics rule:

  • Fact-Web-AIA-U-BlockedAILLM – An HTTP communication attempt involving an AI application (e.g., ChatGPT, GitHub Copilot) has been blocked. This may indicate shadow AI usage, attempted policy evasion, or early stage data leak behavior.

To more clearly describe the analytics rule trigger, detectionReason was updated for the following pre-built analytics rule:

  • Prof-SA-AN-U-AN – This is the first time this security alert triggered for this user.

To ensure that legitimate system processes running from any \windows\system32 path are correctly excluded, actOnCondition was updated for the following pre-built analytics rule:

  • Fact-FRead-Lssas – A process has directly read from the memory space of 'lsass.exe'.

To prevent duplicate events from triggering the same analytics rule twice, supressThreshold and supressScope were updated for the following pre-built analytics rule:

  • Fact-LogCl-LogClear-AT – An audit log has been cleared.

To reduce false-positive triggers, anomalyThreshold and minOrderOfMagnitude were updated for the following pre-built analytics rule:

  • NumCP-AppLF-EC-U – An abnormal number of application login failures have been observed for this user.

To map pre-built analytics rules to the Modify Cloud Compute Infrastructure technique under the Defense Evasion tactic, mitre was updated for the following pre-built analytics rules:

  • Prof-CA-DA-O-U – This is the first time this user has successfully attached a volume to an instance.

  • NumDCP-CA-DAC-U-Disks – An abnormal number of volumes were attached to instances by this user. These events may include both failed and successful attachments.

To more accurately detect when an email is sent or forwarded to external domains, actOnCondition was updated for the following pre-built analytics rule:

  • Fact-EMRC-FwR-ExtDom – An inbox rule has been configured to forward emails to an email address that's in a different domain than the rule's creator.

To map pre-built analytics rules to compliance controls so you can assess your control coverage in Outcomes Navigator, compliance was updated for the following pre-built analytics rules:

  • Cntx-PC-ECrit-CS-DE – Destination endpoint is critical or a Domain Controller: True\False

  • Prof-FS-T-U-IT – This is the first time an item shared of this type (file, folder, etc) has been observed for this user.

  • Cntx-PC-ECrit-Server-DE – Destination endpoint is a server: True\False

  • Fact-UI-UOO – A user outside the organization was invited to this platform.

  • NumDCP-EL-UC-DE-UUnknown – An abnormal number of unique unknown user names have been observed in failed logins to this endpoint.

  • Cntx-PC-ECrit-Server-SE – Source endpoint is a server: True\False

  • NumCP-AI-CSC-UPLT – An abnormal number of AI conversations have been successfully shared by this user on this platform.

  • NumDCP-EL-UC-DE-U – An abnormal number of unique user names have been observed in logins to this endpoint. These events may include both failed and successful logins.

  • NumDCP-FC-EC-U-FP – An abnormal number of unique files have been copied in this platform for this user.

  • Prof-GCreate-U-O-UD – This is the first time users in this department have created a group for the organization.

  • Cntx-SA-Ecrit-SE – Source endpoint is critical: True\False

  • Prof-GCreate-U-O-U – This is the first time this user has created a group for the organization.

  • NumCP-AI-CDC-UPLT – An abnormal number of AI conversations have been successfully deleted by this user on this platform.

  • Cntx-PC-ECrit-CS-SE – Source endpoint is critical or a Domain Controller: True\False

  • Cntx-SA-Ecrit-DE – Destination endpoint is critical: True\False

To correct a typo, description was updated for the following pre-built analytics rules:

  • NumCP-PC-ModprobeCmdC-DE – An abnormal number of 'modprobe' (Module Probe, a kernel module management tool) process executions have been observed on this endpoint.

  • NumCP-PC-ModprobeCmdC-U – An abnormal number of 'modprobe' (Module Probe, a kernel module management tool) process executions have been observed for this user.

  • Prof-PC-U-O-U-Modprobe – This is the first time a process execution of a 'modprobe' (Module Probe, a kernel module management tool) command has been observed for this user.

  • Prof-PC-E-O-SE-Modprobe – This is the first time a process execution of a 'modprobe' (Module Probe, a kernel module management tool) command has been observed on this endpoint.

  • NumDCP-EL-UC-DE-UUnknown – An abnormal number of unique unknown user names have been observed in failed logins to this endpoint.

To correct a typo, title and detectionReason were updated for the following pre-built analytics rules:

  • NumCP-Web-MethodDelC-SIP – An abnormal number of HTTP requests to an internal resource with the method DELETE have been observed from this IP. This probably indicates resource deletion.

  • NumCP-Web-MethodDelC-WebDom – An abnormal number of HTTP requests to an internal resource with the method DELETE have been observed for this domain. This probably indicates resource deletion.

To standardize quotation marks, title, description, and detectionReason were updated for the following pre-built analytics rules:

  • Fact-PC-Setfile-HiddenFile – The "setfile" Unix process can be used to make files hidden by modifying their attributes, ensuring they remain undetected by users. An attacker can create hidden files to evade detection.

  • Fact-PC-Chflags-HiddenFile – The "setfile" Unix process can be used to make files hidden by modifying their attributes, ensuring they remain undetected by users. An attacker can create hidden files to evade detection.

To standardize quotation marks, title and detectionReason were updated for the following pre-built analytics rule:

  • Fact-PC-LoginHookFile – Adversaries may use a Login Hook to establish persistence executed upon user logon. The plist can be modified using the defaults command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout.

To correct a typo and standardize quotation marks, title, description, and detectionReason were updated for the following pre-built analytics rule:

  • Fact-Fwrite-HiddenFile – A file whose name starts with "." has been created. A file that starts with "." is a hidden file, and an attacker can create hidden files to evade detection.

To more accurately detect abnormal AI agent activity, four obsolete pre-built analytics rules were replaced by the following four new early access pre-built analytics rules, and the obsolete rules were subsequently removed:

  • NumSP-AI-TS-UO-QLength – An abnormal sum of tokens in successful AI requests has been observed for the organization and attributed to this user. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • Prof-AI-T-U-QLength – An abnormal number of tokens for a single successful AI request has been observed for this user. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • Prof-AI-T-O-QLength – An abnormal number of tokens for a single successful AI request has been observed for the organization. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • NumSP-AI-TS-U-QLength – An abnormal sum of tokens in successful AI requests has been observed for this user. If the number of tokens is not available, tokens are estimated at one token per four letters.

Resolved Issues