Multi-Record Signal Changes
To improve the usability of the Signals user interface, we've changed the way that records are displayed on Signals generated by multi-record (Threshold, Chain, and Aggregation) Rules. Instead of attaching a sample set of records to the Signal and then providing a Queried Record tab to manually search for additional records, all records that were part of the Signal will be displayed in the UI. (As a result, the Queried Records tab has been removed from the UI.)
Behind the scenes, we will attach the first record directly to the Signal (in the API and sec_signal index, this is listed in the allRecords section). In the UI, the other records will be gathered via an automatic background log search. (In the API and shortly in the sec_signal index, any involved Entities - up to a maximum of 100 - will be included in a new
In addition, the number of attached records has been removed from the Signals list view, since it will now always be 1.
This change will also bring an enhancement for Outlier Rule Signals. Previously those Signals would only show a single record, but with this change they will also show all related records as well.
This change has no effect on the Rules themselves; they will continue to operate as before.
Automation Service Audit Logging
The Automation Service has been updated to include support for Audit Logging. Events like updates to integrations and playbook execution will now be automatically logged to the standard Sumo Logic Audit Logging indices.
For full details, see the Cloud SOAR documentation (the Automation Service will log a subset of those events).
- In some cases, Insights would appear to be open after they had been closed/resolved.