
Threat Detection Management Release Notes

Threat Detection Management Features Introduced in 2025

February 2025

The following features were introduced in Threat Detection Management in February 2025:


Correlation Rules Stopped and Testing Statuses

You can now better understand the state of a correlation rule with two new statuses: Stopped and Testing.

The Stopped status indicates that the rule has triggered more than 50 times in five minutes and has automatically been disabled.

The Testing status indicates that the rule is enabled in test mode and its outcomes are suppressed.

A correlation rule with Testing status.

You can also filter correlation rules by the new statuses.

The Status filters for correlation rules.

Correlation Rules Select Outcomes Enhancement

When you create or edit a correlation rule, the step to Select Outcomes now clearly explains what happens when a rule triggers and the possible outcomes:

  • Designating outcomes for a correlation rule is optional.

  • An event is created every time a correlation rule triggers, even in test mode. If a correlation rule triggers and isn't in test mode, the activity type of the event is rule-trigger. If a correlation rule triggers in test mode, the activity type of the event is rule-trigger-test.

  • If you have a license that supports Threat Center, Threat Center may also create an alert when a correlation rule triggers, depending on whether the correlation rule is in test mode. If the correlation rule triggers and isn't in test mode, Threat Center creates an alert. If the correlation rule triggers and is in test mode, Threat Center doesn't create an alert.
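The Stopped threshold (more than 50 triggers in five minutes) and the rule-trigger / rule-trigger-test activity types above can be replayed against a trigger history to see which rules would be stopped and which are only firing in test mode. This is an added illustration, not code from the platform; the event tuple shape is an assumed simplification, and the sliding window is an assumption, since the notes do not say how the five-minute window is measured.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the release notes: more than 50 triggers within five minutes
# moves a rule to Stopped. Whether the product uses a sliding or fixed window
# is not stated; a sliding window is assumed here.
STOP_THRESHOLD = 50
WINDOW = timedelta(minutes=5)

# Activity types named in the notes for triggered rules.
LIVE = "rule-trigger"
TEST = "rule-trigger-test"


def would_stop(events):
    """Return (stopped_rules, test_counts): the rule names whose live triggers
    exceed the threshold within any five-minute window, and how many times each
    rule fired in test mode (suppressed, so never counted toward Stopped).

    `events` is an iterable of (timestamp, activity_type, rule_name) tuples,
    an assumed simplified shape rather than the platform's event schema.
    """
    windows = defaultdict(deque)
    stopped = set()
    test_counts = defaultdict(int)
    for ts, activity, rule in sorted(events):
        if activity == TEST:
            test_counts[rule] += 1
            continue
        if activity != LIVE:
            continue  # ignore unrelated activity types
        q = windows[rule]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()  # drop triggers older than the window
        if len(q) > STOP_THRESHOLD:
            stopped.add(rule)
    return stopped, dict(test_counts)


def constructed_events():
    """Constructed sample: one noisy rule, one quiet rule, one rule in test mode."""
    base = datetime(2025, 2, 1, 12, 0, 0)
    events = []
    # 60 live triggers in 3 minutes: exceeds 50 within five minutes.
    events += [(base + timedelta(seconds=3 * i), LIVE, "Noisy brute-force rule") for i in range(60)]
    # 51 live triggers spread over an hour: never more than 5 in any five minutes.
    events += [(base + timedelta(seconds=70 * i), LIVE, "Quiet rule") for i in range(51)]
    # 60 test-mode triggers in 3 minutes: suppressed, so not stopped.
    events += [(base + timedelta(seconds=3 * i), TEST, "Rule under test") for i in range(60)]
    return events
```

Running a new rule's expected trigger volume through this before enabling it live shows whether it would trip the Stopped threshold or is better left in test mode first.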

Correlation Rule Details Severity Enhancement

When you view correlation rule details, you can now more quickly identify the correlation rule severity:

The details of a correlation rule showing critical severity and a static risk score of 90.

  • The severity value is now positioned first in its section.

  • The severity is now color-coded according to its value: Critical, High, Medium, or Low.

  • If the correlation rule is assigned a static risk score, the risk score is displayed alongside the severity.

Correlation Rule Evaluation Delay Explanation

When you create or edit a correlation rule, the step to configure a rule evaluation delay now clearly explains what correlation rule evaluation delay is and that correlation rules are delayed from evaluating events for seven minutes by default.

The option to edit the rule evaluation delay and an explanation of what rule evaluation delay is: Consider adjusting the rule evaluation delay if the rule relies heavily on the timely arrival of events and late-arriving events can significantly affect its accuracy.
The modal to edit the rule evaluation delay with information about checking the Log Delay dashboard to help determine the appropriate rule evaluation delay value.

Correlation Rule Description Enhancements

You can now add more information to a correlation rule with descriptions.

When you create or edit a correlation rule, you can now add a description about the correlation rule.

The Review & Save step of creating or editing a correlation rule, with the Rule Description field highlighted with a red rectangle.

This description appears in the list of correlation rules and correlation rule details.

A correlation rule in the list with the rule description highlighted with a red rectangle.
Details of a correlation rule with the rule description highlighted in a red rectangle.

If you use a correlation rule template, the correlation rule template description is automatically reused as the description of your new correlation rule.

Correlation Rule Triggered Value to Search Navigation

To view all events related to a correlation rule, you can now navigate to Search using a link next to the number of times a rule has been triggered. The query automatically entered in Search is rules.rule: "<rule name>".

The link appears in the list of correlation rules:

A correlation rule in the list with its link to Search highlighted with a red rectangle.

The link also appears when you view the correlation rule details:

Correlation rule details with the link to Search highlighted with a red rectangle.

Correlation Rule Email Notification Address Change

Email notifications sent as a correlation rule outcome are now sent from [email protected].

To ensure any rules for filtering emails or creating third-party tickets work properly, ensure they use the new email address.

New Region Support for the UK

Support for Threat Detection Management now extends to the UK region. You can now access and use Threat Detection Management in the UK.

January 2025

The following features were introduced in Threat Detection Management in January 2025:


Introducing Threat Detection Management

Welcome to Threat Detection Management, the hub on the New-Scale Security Operations Platform for the rules you use to detect threats. It centralizes all rules, both correlation and analytics, and both pre-built and custom, so you can ensure you're surfacing what's important to your organization in one place.

Threat Detection Management is supported with a New-Scale SIEM, New-Scale Analytics, or New-Scale Fusion license.

To get started with Threat Detection Management, view the Threat Detection Management documentation.

Threat Center Outcomes Exclusions for Test Mode

To ensure you investigate and triage only real threats in Threat Center, correlation rules in test mode no longer create Threat Center cases or alerts. Events created from a triggered correlation rule in test mode have the activity type rule-trigger-test.