2026-06-03
Bug Fix, Improvement
SLA chip and audit-trail refinements, plus a workspace re-onboarding fix

Bug Fixes

  • SLA chip no longer sticks on “At Risk” once the target is met. When an incident’s time-to-first-response (or resolution) crossed into At Risk but was then handled in time, the SLA chip kept showing “At Risk”; it now flips to On Track once met. Only a genuine breach stays red.
  • Re-onboarding a previously-removed workspace now works cleanly. Removing a pre-onboarded customer workspace could leave the customer’s account record pointing at the deleted workspace, stranding them with no access on the next sign-in. Removing a workspace now cleans up those records, so re-onboarding the same customer provisions them correctly.

Improvements

  • SLA state changes are now recorded in the incident audit trail. Every SLA tier change (At Risk, Breached, or Met) for both the response and resolution clocks, plus SLA clock pause and resume, now appears as an entry in the incident’s audit tab, so you can see exactly when and how an incident tracked against its SLA.
2026-06-02-b
Bug Fix
SentinelOne setup reliability fix

Bug Fixes

  • Fixed an issue where a SentinelOne detection module could appear connected while silently failing to pull threats. Configuration problems are now surfaced immediately, and a module cannot be enabled until it is fully configured, closing a hidden detection-coverage gap.
2026-06-02
Feature, Bug Fix, Security
Workspace SLA visibility, Delete Email gamebook fix, and V2 portal fixes

New Features

  • See the SLA applied to a workspace. Workspace settings now has a read-only SLA tab showing the response and resolution targets configured for that workspace, so customers and service providers can confirm what’s in effect at a glance. The configuration name on an incident’s SLA timeline links straight to it.

Bug Fixes

  • SLA now tracks on service-provider-managed workspaces. When a service provider assigned an SLA configuration to a customer workspace, that workspace’s incidents weren’t picking it up. Assigned configurations now track correctly, and SLA chips no longer freeze in cross-workspace views.
  • Delete Email gamebook runs again. The delete-email response action was failing with “Unable to run the delete email gamebook” because the mail entity wasn’t resolved to the identifier the mailbox provider expected. It now resolves the message and completes the action.
  • Command palette shortcut works in the new UI. Ctrl+K (Windows/Linux) and ⌘K (macOS) now open Quick actions in the V2 portal, and the shortcut hint shows the correct key for your OS.
  • Consistent incident view from agent history. Clicking an incident in an agent’s Execution History now opens the V2 incident view, matching the rest of the portal.

Security

  • Hardened email lookups. The delete-email path now guards its mailbox lookup against message-identifier injection.
2026-05-29
Feature
Incident SLA tracking with live response and resolution timers

New Features

  • Incident SLA tracking. Configure per-workspace response and resolution targets for each severity. The incident inbox gains “Time to First Response” and “MTTR” columns showing a live countdown chip on every row — “SLA 12m left”, “At Risk 5m left”, “Breached 3m over”, or “On Track” once settled. Chips tick down without re-loading and update in real time when any analyst changes status or assignment from any session. The incident detail header carries the same chip alongside a dedicated SLA tab with the configured targets and the running clock. Entering an On Hold or Waiting on Customer status (introduced 2026-05-27) freezes both the response and resolution clocks; resuming continues from where they left off. Available as an opt-in feature — contact your ContraForce contact to enable it on your tenant.
2026-05-27
Feature, Improvement
Phishing-email investigations, paused incident states, and per-run agent cost tracking

New Features

  • Security Delivery Agents now read the actual content of phishing emails. Body, headers, embedded URLs, and attachment metadata are fetched automatically using your existing Microsoft 365 Response connection, so the agent can flag social-engineering patterns, sender spoofing, and suspicious links without an analyst opening the message.
  • New “On Hold” and “Waiting on Customer” incident statuses. Analysts can pause incidents that are blocked on a vendor RFI, a scheduled change window, or a pending customer reply, instead of leaving them as Active. The new statuses are ContraForce-native and don’t write back to the upstream source.
  • Vendor-side status changes now appear in the audit timeline. When an incident is closed or reopened from the Azure portal (or another upstream tool), an attributed audit row is now recorded in ContraForce, so the CF view and the upstream view never silently disagree.
  • Per-run agent token breakdown and dollar cost. Every Security Delivery Agent run records its prompt / cached / completion token counts and the USD cost, visible on the per-agent execution history and the agent-center “Recent runs” strip. A row-level “Breakdown” link opens the detailed dialog.

Improvements

  • Agent token-usage telemetry. Per-run baseline, per-tool-call sizes, and per-turn API usage are now captured so upcoming agent cost optimizations are measurable.
2026-05-20-b
Bug Fix, Improvement
Stale-session recovery and MSP agent webhook fix

Bug Fixes

  • Stale Microsoft sessions now silently recover. When a signed-in user’s Microsoft session quietly went stale — token expiry, signing in elsewhere, or a Conditional Access change — the portal was dropping them on a “We couldn’t load your session” error screen and forcing a manual retry. The portal now routes them through interactive re-authentication silently and returns them to where they were, keeping analysts in flow.
  • MSP-managed agent configurations now save webhooks correctly. When an MSP managing a customer workspace tried to save an Agent configuration that referenced a webhook on a classification card, the save was failing with “Failed to save agent configuration” and leaving the webhook orphaned. The save now succeeds and the webhook binding is persisted as expected.

Improvements

  • Dependency refresh for security and reliability. Updated the third-party libraries the platform depends on to pick up the latest bug fixes, security patches, and performance improvements. No visible behavior changes — customers benefit from a more reliable platform with fewer known vulnerabilities.
2026-05-20
Feature, Bug Fix
Onboarding affordances on the new portal and Connect tenant recovery on the Agent Center

New Features

  • Onboarding affordances restored on the new portal. The Command page now shows the setup prompt for admins who haven’t completed onboarding, the invite-admin flow for non-admin teammates, and the dismissible getting-started checklist after setup. These existed on the classic experience and are now consistent across both.
  • “Connect tenant” recovery on the Agent Center. Self-service customers who open the Agent Center before completing the broader ContraForce API consent now see the same recoverable “Connect tenant” banner that already appears on detection module configuration pages. After granting consent, the admin lands back on the originating page and continues — no support ticket required.

Bug Fixes

  • Module configuration consent prompt fixes. Two small timing bugs in the “Connect tenant” recovery flow on module configuration pages were addressed: the prompt now appears reliably on the very first visit (previously hidden in cases where the consent gap surfaced on the module fetch itself), and it no longer briefly re-appears immediately after a successful consent grant (the post-consent propagation wait was missing a second probe).
2026-05-19
Bug Fix
Fixed AI Query Assistant and module configuration crash for un-consented tenants

Bug Fixes

  • AI Query Assistant restored. The natural-language KQL generator is working again. Analysts can ask for a query in plain English and get a usable KQL statement back, instead of the silent error the endpoint had been returning.
  • Module configuration no longer crashes for un-consented tenants. Self-service onboarded users who hadn’t yet completed Entra admin consent for the ContraForce API were hitting a JSON-parse cascade on the Sentinel, Defender XDR, and Agent Center module configuration pages. The pages now detect the missing consent and surface an actionable “Connect tenant” prompt that walks the admin through the grant flow, so customers can self-unblock without contacting support.
2026-05-18-b
Feature, Improvement
Advanced classification actions for Security Delivery Agents, and opaque pagination tokens on the v2 API

New Features

  • Advanced classification actions for Security Delivery Agents. Agent Configuration cards now support an Advanced mode where each classification verdict (true positive, benign positive, false positive, etc.) can be assigned a custom action. Pair a classification with a webhook to receive a signed agent.investigation.completed.v1 event at the moment the agent reaches that verdict — useful for escalating true-positive incidents into your SIEM, ticketing, or on-call tooling. See Configuring Security Delivery Agents and Agent Investigation Completed Webhook.

Improvements

  • Pagination tokens returned from POST /api/v2/incidents/across-workspaces are now opaque to API consumers. Partners continue to round-trip tokens unchanged from response to next request; only the internal token format has changed. A token that has been hand-modified or hand-built is rejected with 400 VALIDATION_ERROR rather than failing further down the stack. See the worked example under Cross-Workspace Endpoints.
2026-05-18
Feature
The redesigned ContraForce Portal (v2) is now generally available

New Features

The redesigned ContraForce Portal is now generally available. Starting today, the new portal is the default experience for everyone. You will land on v2 the next time you sign in.
v2 brings:
  • A refreshed visual language built around higher-density, more scannable information.
  • Reorganized navigation that surfaces the actions analysts actually reach for.
  • Reworked incident, gamebook, agent, SOP, log search, and command pages with consistent layouts and a unified design system.
Prefer the classic experience? Open the user menu (top right) and pick Switch to classic experience. Your choice is remembered per browser, so you can move between the two while you get used to v2.
2026-05-16
Bug Fix
Fixed an intermittent issue that blocked v2 agent investigations

Bug Fixes

  • Resolved an intermittent issue that could prevent the v2 incident agent from starting an investigation.
2026-05-15-b
Bug Fix, Improvement
External API incidents endpoint now returns the full payload by default, and pagination is documented

Bug Fixes

  • GET /workspaces/{workspaceId}/incidents/{source}/{incidentId} now returns the full incident detail (alerts, entities, investigation details, evidence, and the gamebook catalog) by default. Previously the endpoint returned the same lightweight payload as the cross-workspace list, with the richer fields hidden behind an undocumented ?withDetails=true query parameter. Partners integrating from Logic Apps, Power Automate, or any OpenAPI-driven client now get the documented response without needing to know the flag exists.
  • Cross-workspace incident requests that target a workspace where the requested incident source is not enabled (for example, asking for a Defender XDR incident on a workspace where only Sentinel is onboarded) now return a clear 404 NOT_FOUND with a message naming the source, instead of an opaque 500 or 502. The same applies when an incident does not exist in the workspace’s underlying tenant — partners receive a 404 they can handle, not an upstream-error response.
  • The portal’s incident detail page and gamebook workbench now display a friendly “Incident unavailable” banner with a working breadcrumb when a stale or deleted incident is opened from a saved link, instead of hanging on a loading skeleton.

Improvements

  • The cross-workspace incidents list (POST /incidents/across-workspaces) now publishes its pagination protocol in the OpenAPI spec. The continuation-token mechanism (isFirstCall, workspacePageTokens on the request, sourcePageTokens and moreIncidentsAvailable on the response) is fully described so partners can build paging loops against a documented contract.
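
A paging loop for the continuation-token contract described in this entry, which also follows the opaque-token rule from the 2026-05-18-b entry; it is an added example, not ContraForce code. The `incidents` response field, the per-workspace token shape, feeding `sourcePageTokens` back as `workspacePageTokens`, and the in-memory `FakeIncidentsApi` stand-in are assumptions, so check the published OpenAPI spec for the real shapes.

```python
import json
import secrets
from typing import Any, Callable, Dict, List


class ApiError(Exception):
    """HTTP-style failure carrying a status and an error code."""

    def __init__(self, status: int, code: str):
        super().__init__(f"{status} {code}")
        self.status, self.code = status, code


class FakeIncidentsApi:
    """Constructed stand-in for POST /incidents/across-workspaces (assumed shapes)."""

    def __init__(self, incidents_by_workspace: Dict[str, List[str]], page_size: int = 2):
        self._data = incidents_by_workspace
        self._page_size = page_size
        self._issued: Dict[str, tuple] = {}  # opaque token -> (workspace, offset)

    def post(self, body: Dict[str, Any]) -> Dict[str, Any]:
        if body.get("isFirstCall"):
            cursors = {ws: 0 for ws in self._data}
        else:
            cursors = {}
            for ws, token in body.get("workspacePageTokens", {}).items():
                # Only tokens this server issued, for this workspace, are valid.
                if self._issued.get(token, (None,))[0] != ws:
                    raise ApiError(400, "VALIDATION_ERROR")
                cursors[ws] = self._issued[token][1]
        incidents, next_tokens = [], {}
        for ws, offset in cursors.items():
            end = offset + self._page_size
            incidents += self._data[ws][offset:end]
            if end < len(self._data[ws]):
                token = secrets.token_urlsafe(16)
                self._issued[token] = (ws, end)
                next_tokens[ws] = token
        return {
            "incidents": incidents,
            "sourcePageTokens": next_tokens,
            "moreIncidentsAvailable": bool(next_tokens),
        }


def fetch_all(post: Callable[[Dict[str, Any]], Dict[str, Any]],
              base_body: Dict[str, Any], max_pages: int = 50) -> List[Any]:
    """Collect every page, treating continuation tokens as opaque values."""
    body = {**base_body, "isFirstCall": True}
    collected: List[Any] = []
    seen = set()
    for _ in range(max_pages):
        page = post(body)
        collected.extend(page.get("incidents", []))
        if not page.get("moreIncidentsAvailable"):
            return collected
        tokens = page.get("sourcePageTokens")
        if not tokens:
            raise RuntimeError("more pages reported but no tokens returned")
        # Guard against a loop that never advances: same tokens seen twice.
        fingerprint = json.dumps(tokens, sort_keys=True)
        if fingerprint in seen:
            raise RuntimeError("continuation tokens repeated; stopping")
        seen.add(fingerprint)
        # Round-trip the tokens exactly as received: no parsing, no edits.
        body = {**base_body, "isFirstCall": False, "workspacePageTokens": tokens}
    raise RuntimeError("page cap reached before the listing ended")


def tampered_token_error(api: FakeIncidentsApi) -> str:
    """Show that a hand-modified token is rejected rather than paged with."""
    first = api.post({"isFirstCall": True})
    tampered = {ws: tok + "x" for ws, tok in first["sourcePageTokens"].items()}
    try:
        api.post({"isFirstCall": False, "workspacePageTokens": tampered})
    except ApiError as err:
        return f"{err.status} {err.code}"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample data: two workspaces with uneven incident counts.
    api = FakeIncidentsApi({"ws-a": ["a1", "a2", "a3"], "ws-b": ["b1"]})
    print(fetch_all(api.post, {}))
    print(tampered_token_error(api))
```

A client written this way keeps working when the internal token format changes, because it never inspects the token value.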
2026-05-15
Bug Fix
Workspace picker now filters the Workspaces, Log Search, and Agent Center pages

Bug Fixes

  • The workspace selector in the top navigation now filters the Workspaces page, the Log Search page’s workspace and module selector, and the Agent Center (including the Overview tab and the Recent Runs strip). Previously these pages ignored the selector and continued to show data from every workspace you have access to, which made it hard to focus on a subset of customers.
2026-05-14
Bug Fix
Sentinel and Defender setup accepts inherited and group-based Azure permissions

Bug Fixes

  • Microsoft Sentinel and Microsoft Defender XDR module setup now accepts administrators whose subscription permissions come from inheritance (management group or tenant root), Entra group membership, or the Contributor and User Access Administrator combination. The form previously rejected these valid permission patterns with a “you must have Owner” message even when the user could fully administer the subscription.
  • Fixed a stuck-loading state on the module configuration screens when viewing a workspace owned by a tenant other than your active tenant. The Azure role prerequisite would spin indefinitely; it now resolves immediately so you can see why the module cannot be configured.
2026-05-13
Feature, Bug Fix
In-Portal Release Notes & Defender Agent Comment Fix

Portal

  • Introduced an in-portal release notes side panel. When new releases ship, a release-notes indicator appears in the top navigation with an unread badge showing how many you have not yet seen. The panel is also reachable from the user-avatar dropdown so you can revisit the release history at any time.

Bug Fixes

  • Resolved a character-encoding issue that prevented certain punctuation marks from displaying correctly in incident classifications.
  • Fixed an issue where Microsoft Defender XDR agent investigation comments could render as broken JSON when the comment payload was larger than Defender’s per-comment character limit. Long agent investigation comments now stitch back together correctly in both the Microsoft Defender XDR portal and the ContraForce incident view.
2026-05-12
Feature
Incident Management in the v2 API

v2 API

  • Incident management is now available in the v2 API. Customers integrating ContraForce through the v2 OpenAPI specification can read and update incidents programmatically, alongside the existing v1 endpoints.
2026-05-01
Word SOP Uploads

SOP Knowledge Base

  • The SOP upload experience now accepts Microsoft Word (.docx) files. Uploaded Word documents are stored, indexed, and searchable alongside your existing PDF and Markdown SOPs, so you can publish SOPs straight from your Word library without converting them first.
2026-04-27
Agent Center Visibility & Control

Agent Center

  • Added a new Models & Quotas panel that shows the AI models powering your Security Delivery Agents, including version, capacity, and live per-region usage with a progress bar — so you can see capacity headroom at a glance.
  • Restricted models now display a badge and a direct link to the access-request flow, making it clear which models require additional access and where to ask for it.
  • You can now upgrade a deployed agent to a newer model directly from the Agent Center without filing a ticket. The upgrade flow lists the models actually available in your environment, and upgraded agents start using the new model immediately.
  • Redesigned the Resources tab with grouped cards organized by resource role, plus a live health chip on each resource (Available, Degraded, Unavailable, or Unknown). When something goes wrong, you can identify the unhealthy resource without leaving the portal.
2026-04-23
Bug Fixes

Bug Fixes

  • Fixed an issue where Organization Admins could not create workspaces or Security Delivery Agents despite having the correct role assignment.
  • Fixed an issue where Microsoft Defender XDR incident comments displayed as fragmented “(N of M)” pieces instead of complete messages.
2026-04-22
Comment Attribution & Bulk Incident Reliability

Incident Management

  • Comments posted on Microsoft Defender and SentinelOne incidents now show the original author from the source platform, matching the experience already in place for Microsoft Sentinel incidents.

Bug Fixes

  • Fixed an issue where bulk-closing incidents did not refresh the aggregate counts on the Command Dashboard.
  • Fixed an issue where bulk incident updates could silently fail mid-operation, leaving some incidents unchanged.
2026-04-21
Bug Fixes

Bug Fixes

  • Fixed a security issue where deleted user accounts could retain portal access until the next sign-in cycle.
2026-04-20
UI Experience Opt-in

Portal

  • Users can now opt into the new UI experience individually from their profile, allowing teams to evaluate the new design at their own pace before broader rollout.
    • Let us know if you’d like to enable the new UI for your team or have any feedback on the design!

Bug Fixes

  • Improved SentinelOne incident polling reliability and refined threat-handling behavior.
2026-04-17
Bug Fixes

Bug Fixes

  • Fixed an issue where analysts could lose visibility into an incident after Microsoft Defender merged it with another incident.
2026-04-14
OmniView Metrics Dashboard & Sync Fixes

OmniView

  • Introduced the OmniView Metrics Dashboard, surfacing customer health scores, operational and business metrics, and a flagged-accounts view in a single analytics dashboard.
  • The Account Overview page has been redesigned with a health-score summary, configured modules, and Security Delivery Agent activity metrics so service providers can assess each account at a glance.

Bug Fixes

  • Fixed an issue where a user’s organization role could revert to its original value after a User Management sync.
  • Fixed an issue where Microsoft Sentinel marketplace scanned sources failed to display when duplicate data source records existed with different casing.
  • Fixed an issue where analytic rule queries returned no results when data source ID casing did not match exactly.
  • Fixed an issue where Sync Users deactivated service accounts not matching identities in their directory.
2026-04-13
Cross-Workspace Incident Search & API Documentation

Incident Management

  • The Command Palette now supports searching incidents across all of your workspaces, so you can jump directly to an incident regardless of which workspace it belongs to.

API Reference

  • Published an actively maintained OpenAPI specification for the v2 ContraForce API, making it easier to generate clients and integrate ContraForce with your own tooling.

Agent Center

  • Agent creation now validates available GPT quota during setup, surfacing capacity issues before you finish configuring the agent.

Bug Fixes

  • Fixed an “Agent not found” toast that appeared when OmniView admins loaded executions for a managed account’s agent.
2026-04-10
Bug Fixes

Bug Fixes

  • Fixed an issue where EventCast webhook configurations were not delivered correctly for MSP tenants.
2026-04-09
SOP Knowledge Base in Agent Deployment

Agent Center

  • The SOP Knowledge Base is now integrated directly into agent deployment — agents pick up relevant SOPs as part of the configuration flow, removing the need to attach them as a separate step.
2026-04-08
Starter SOPs

Agent Center

  • Starter SOP templates are available for new customers, providing ready-made examples that accelerate Security Delivery Agent onboarding.
    • Reach out to your ContraForce contact to get these SOPs for your organization and start customizing them for your team.
  • SOPs now persist with full backend support, ensuring uploaded procedures are durably stored and accessible to agents at runtime.
2026-04-07
Customer API Clients

REST API

  • Customer API Clients are now available. Create and manage API clients with scoped permissions and workspace-level access from a new portal experience that includes a creation wizard, a details page with scope and audit tabs, and a request-log viewer for monitoring usage.

Workspace Management

  • The subscription picker for the Microsoft Sentinel module and Agent Center configuration now supports searching by subscription ID, making it easier to locate the right subscription in tenants with many subscriptions.

Performance Improvements

  • Added additional health monitoring across all platform services for improved reliability and faster detection of service disruptions.
2026-04-06
Bug Fixes

Bug Fixes

  • Fixed an issue where Gamebook orchestration could stall on timer cancellation, leaving Gamebooks stuck in a Running state.
2026-04-03
Time Zone Preferences

User Profile

  • You can now set your preferred time zone in your user profile, and the platform will display all dates and times in your local zone.
  • Hovering over any date or time displays a tooltip showing the original UTC value, removing ambiguity when collaborating across time zones.
2026-03-31
Audit Log Stability

Bug Fixes

  • Fixed an issue where the incident audit log could fail to render certain entries from the unified incident pipeline.
2026-03-28
Closing Comments in Comments Tab

Incident Management

  • When you close an incident with a comment, that comment now appears in the Comments tab in addition to the Summary, keeping the full conversation history in one place.
2026-03-27
AI Comment Attribution & Workspace Reader Role

Incident Management

  • Comments posted by Security Delivery Agents now display with a distinct visual treatment so analysts can quickly distinguish AI-generated comments from human analyst input.
  • Incident notification emails now include the source platform in the subject line, making it easier to filter and route alerts.

Workspace Management

  • Added a read-only Workspace Reader workspace role that gives end customers and auditors view-only access to incidents and reports without permission to make changes.

Agent Center

  • Security Delivery Agents now support a configurable Should Assign Self option that controls whether an agent automatically assigns itself as the incident owner during processing.
2026-03-26
Workspace Role Assignment Fixes

Bug Fixes

  • Fixed an issue where the workspace name was missing from the Role Assignment view in User Management.
  • Improved reliability when removing role assignments so changes apply consistently on the first attempt.
2026-03-25
AI Query Assistant & Auto-Refresh
  • Introduced an AI Query Assistant for Advanced Hunting Log Search. Describe what you’re looking for in plain language and the assistant generates the corresponding query for you.

Incident Management

  • Incident tables and dashboards now auto-refresh, so the data you see stays current without manually refreshing the page.
2026-03-24
SentinelOne Gamebook Reliability

Bug Fixes

  • Improved error handling for SentinelOne Gamebook actions so failures surface clearly instead of leaving Gamebooks in an ambiguous state.
2026-03-20
SOP Knowledge Base

Agent Center

  • Introduced the SOP Knowledge Base — a centralized library of security operating procedures for your Security Delivery Agents. Upload SOPs via drag-and-drop with type selection and metadata, browse and filter them in a dedicated list view, and preview content in a slide-over detail panel.
  • Link SOPs to specific agents and update procedures over time with edit, re-upload, and cascade-delete actions. Each agent’s details page now includes an SOP section showing its associated procedures.

Workspace Management

  • Onboarding role validation now accepts Cloud Application Administrator and Application Administrator in addition to Global Administrator, supporting least-privilege Microsoft Entra ID deployments.

Performance Improvements

  • Removed the cookie consent banner by switching analytics to session-only storage, simplifying first-load behavior for portal users.
2026-03-03
Agent Execution History & Account Management

Agent Center

  • You can now review a complete history of every Security Delivery Agent execution from the Execution History tab on the Agent Details page. Each entry captures the timestamp, trigger source, incident, data source, severity, AI token usage, and outcome — providing full visibility for compliance and troubleshooting.
  • The portal now displays a notification when a Security Delivery Agent update is available, so you can update without checking manually.

Workspace Management

  • Organization Admins can now permanently delete inactive accounts and all associated data, preventing stale accounts from consuming resources or cluttering the platform.

Bug Fixes

  • Fixed an issue where the Configure and Save button on the agent configuration page was always enabled, even when no changes had been made or the user lacked the required permissions.
2026-03-02
Webhook Integrations

Bug Fixes

  • Fixed an error that prevented non-partner users from loading the multi-workspace incident list.
2026-02-26
Defender for Endpoint Agent Automation

Agent Center

  • Security Delivery Agents can now automatically detect and respond to Microsoft Defender for Endpoint incidents without requiring Microsoft Sentinel forwarding. Once configured, ContraForce polls Defender for Endpoint for new incidents and triggers your agent automatically — enabling a fully autonomous response workflow for environments using Defender for Endpoint directly.

Bug Fixes

  • Fixed an issue where users in tenants with 50 or more Microsoft Entra ID group memberships silently lost real-time incident updates and portal connectivity.
2026-02-25
Gamebook Approval Controls

Gamebook Improvements

  • Reviewers can now Deny a Gamebook queued for approval, removing it from the queue rather than leaving it pending indefinitely.

Bug Fixes

  • Fixed a permissions issue where users with the Incident Analyst role could submit a Gamebook for approval, but it could execute instead of waiting for review.
2026-02-23
Bug Fixes

Bug Fixes

  • Fixed a layout issue where incident table filters appeared misaligned on screens under 1800px wide.
  • Fixed an issue where the Link Ticket dialog only showed Jira projects A–F (approximately 10 results) and search had no effect, preventing analysts from linking incidents to projects not in the initial list.
  • Fixed an issue where Security Delivery Agents failed to update incident status due to a validation error, causing automation rules to not apply correctly.
  • Fixed an issue where audit log entries for agent-triggered status changes and owner assignments recorded the incorrect account ID.
2026-02-18
CMS Improvements & Workspace Management

CMS Updates

  • Improved detection rule reliability by fixing issues with multi-table rule deployment.
  • Improved several detection rules for better accuracy and fewer false positives.

Workspace Management

  • You can now delete a pre-onboarded tenant that hasn’t completed setup, simplifying workspace cleanup.
  • Workspace tags now display more relevant contextual information, replacing the outdated “Configuration (XDR + SIEM)” label.

Gamebook Improvements

  • Added a Workspace column to the Gamebook Activity view, making it easier to identify which workspace each Gamebook execution belongs to.

Bug Fixes

  • Fixed a crash on the incidents list when viewing multiple workspaces caused by a module configuration change.
  • Fixed “Last Modification” in Group Management displaying “0 days ago” instead of the actual date.
2026-02-12
Gamebook Reliability

Agent Center

  • Improved Security Delivery Agent reliability when investigating workspaces where certain Gamebook extensions are not enabled.

Bug Fixes

  • Fixed an issue where Gamebooks could get stuck in a pending or running status.
  • Fixed visual rendering issues in several portal components.
2026-02-10
Incident Management Improvements

Incident Management

  • Added an Assign to me quick-action button to incident details and the incident modal, enabling analysts to claim incidents faster.
  • Incident IDs now appear consistently in the breadcrumb, URL, and page header for easier reference and sharing.
  • Consolidated workspace filtering — individual table workspace filters have been replaced by the global workspace filter at the top of the page for a cleaner, more consistent experience.

Gamebook Improvements

  • The Gamebook approval button now displays an informative tooltip explaining why approval is unavailable when prerequisites haven’t been met.

Bug Fixes

  • Fixed an issue in the Agent Center where pressing Enter during agent creation would prematurely submit the form.
  • Fixed a data source usage query failure affecting Google Workspace Reports.
2026-02-07
Dock Panel Improvements

Dock Panel Navigation

  • The dock panel now opens to the Browse tab by default when expanded, providing faster access to workspaces and navigation.
  • The Recent tab now correctly displays workspaces you’ve recently accessed, improving workspace discovery.
  • Added a visual indicator to the active dock panel tab, making it easier to see which tab is currently selected.

Bug Fixes

  • Fixed an issue where the dock panel collapsed when navigating between workspaces.
  • Reduced unnecessary re-renders when interacting with dock panel tabs.
2026-02-06
Incident Experience & Data Source Monitoring

Incident Details Redesign

  • The incident details experience has been redesigned with improved entity organization, clearer section navigation, and faster load times.
  • Entity lists in incident details now show enriched context directly in the list view.
  • Incident tabs have been reordered to show Comments first, followed by Audit, improving the workflow for analysts reviewing incident activity.

Data Source Activity Monitoring

  • Data source activity charts now update in real-time, giving administrators immediate visibility into ingestion health without refreshing.
  • Added a new “Last Seen” indicator to quickly identify stale or disconnected data sources.

Agent Center

  • Improved agent investigation messaging — when an agent investigation takes longer than expected, the notification now indicates that the agent will continue working in the background rather than showing a timeout error.

Bug Fixes

  • Fixed time zone display issues in incident timestamps.
  • Resolved entity context panel occasionally not loading for certain entity types.
  • Fixed an issue where the Agent Center failed to display available agent updates.
  • Removed an inaccurate tooltip from the Log Search run button.
2026-02-05
Agent Deployment & Filtering Improvements

Agent Deployment

  • Simplified agent deployment with a new guided wizard that validates Azure prerequisites before provisioning.
  • Added deployment status notifications so administrators know when agents are ready.

Filter Persistence

  • Filters across the Command dashboard, Incidents, and Gamebooks pages now persist across sessions, reducing repetitive filter configuration.

Bug Fixes

  • Fixed agent configuration page not loading when no agents were deployed.
  • Resolved intermittent failures when saving notification preferences.
  • Fixed Gamebook Activity filter not correctly displaying queued Gamebooks.
2026-02-04
Performance & Stability Updates

Platform Performance

  • Optimized incident list queries, reducing load times by up to 40% for high-volume workspaces.
  • Improved caching for workspace metadata, reducing redundant API calls during navigation.
  • The Incidents page now defaults to a 3-hour time filter instead of 24 hours, improving initial load times for high-volume workspaces.

Gamebook Execution

  • Gamebook execution logs now stream in real time, providing immediate feedback during manual and automated runs.

Bug Fixes

  • Fixed memory leak in the incident polling service.
  • Resolved rare race condition causing duplicate incident entries in the UI.
  • Fixed an issue where pre-onboarding a new workspace did not correctly assign owner access to the administrator.
  • Fixed an issue where administrators could not access agent configuration from the Agent Center.
2026-02-03
Workspace Manager & Bug Fixes

Workspace Manager

  • Added tooltips to the CMS and Settings icons in the Workspace Manager, matching the tooltip pattern used elsewhere in the portal.

Bug Fixes

  • Fixed an issue where workspace group membership changes were not reflected until page refresh.
  • Resolved CMS rule deployment failures for workspaces with special characters in their names.
  • Fixed entity search returning incomplete results for IP addresses.
  • Corrected tooltip alignment issues in the Command dashboard widgets.
  • Fixed entity context menu in the Gamebooks workbench requiring a second click to show available actions.
  • Fixed an error when viewing the Alert Rule tab for incidents from Microsoft Defender for Endpoint and other non-Sentinel sources.
  • Fixed incident closure failing for Microsoft Defender for Endpoint incidents.
  • Fixed the Configure and save button remaining clickable after completing Microsoft Sentinel configuration.
2026-01-23
CMS Migration, .NET 10 Upgrade, and Agent Improvements

Content Management System (CMS) Migration

  • Analytical rules, security content, and CMS capabilities are now fully integrated into the IRIS platform, delivering a unified experience for managing detection rules and security content without switching between tools.

Platform Upgrade to .NET 10

  • The platform has been upgraded to .NET 10, improving performance, security, and long-term supportability across all services.

Agent Center Enhancements

  • Administrators can now update agent container images directly from the Agent Center, reducing operational overhead when deploying new agent versions.
  • Agent efficacy improvements: agents now have access to sign-in logs, directory logs, device timelines, and related incidents as investigation tools — enabling richer, more accurate automated investigations.
  • Default AI model capacity increased to 150K tokens per minute, improving agent throughput for high-volume environments.

Gamebook Fixes

  • Resolved an issue where the gamebook approval button was not functioning correctly in the incident detail modal.

Notification Settings

  • Users can now toggle severity-based notifications without requiring recipients to be configured first, simplifying initial notification setup.

Filtering Experience

  • Filters across the portal now persist as you navigate between pages, eliminating the need to re-apply filters repeatedly.

Bug Fixes

  • Fixed an issue where API error responses with empty bodies caused client-side errors.
  • Fixed null reference errors when the agents array was uninitialized.
  • Resolved issues with SentinelOne and Azure response module configuration logic.
  • Fixed security rule detail page errors.
2025-12-23
Command 2.0 Dashboard and Metrics Platform

Command 2.0 Dashboard

  • The Command page has been redesigned with a new dashboard layout featuring at-a-glance operational metrics, giving security teams immediate visibility into their security posture.

New Dashboard Widgets

  • Incident Tracker Overview — Track open, in-progress, and resolved incidents across all workspaces in a single view.
  • Closed Incident Rule Trends — Understand which detection rules are driving the most resolved incidents over time.
  • Workspace Closed Incident Trends — Compare incident resolution performance across workspaces.
  • Gamebook Activity Widget — Monitor active gamebook executions and their current status in real time.
  • Gamebook History Widget — Review past gamebook runs with outcomes and timing for post-incident analysis.

Agent Deployment Improvements

  • Added support for selecting preferred AI models in the Agent Center.
  • Continued support for standard agent deployment alongside newer deployment options for existing customers.

CrowdStrike Integration Enhancements

  • Incident descriptions from CrowdStrike are now automatically generated with richer context.
  • CrowdStrike incident comments are now fetched from audit logs, providing a complete conversation history within IRIS.

SentinelOne Integration Enhancements

  • Added support for SentinelOne threat classifications (verdicts), giving analysts clearer disposition information.
  • Fixed incident description formatting for SentinelOne incidents.

Bug Fixes

  • Fixed workspace filter not resetting to “All Workspaces” correctly.
  • Resolved inaccurate time filtering for the 24-hour filter option.
  • Fixed custom time filter unable to change from an existing custom selection.
  • Fixed duplicate rule entity mapping errors.
2025-11-18
Agent GA Readiness, Audit Trail, and Gamebook Improvements

Audit Trail System

  • A comprehensive audit trail is now available for incident updates, entity investigations, and status changes. Security teams can review a full history of who did what and when — critical for compliance and post-incident review.
  • Audit logs for user sign-in and directory events are now queryable within the platform.

Agent Improvements for General Availability

  • Agents now automatically trigger investigations on new incidents, reducing mean-time-to-respond without manual intervention.
  • Real-time gamebook status updates are now streamed to the UI — no more refreshing to see investigation progress.
  • Gamebook execution results are now visible directly on the Gamebook page.
  • Agent response flow improved with better error handling and detailed comments when issues occur.
  • Prevented duplicate agent investigations on the same incident.
  • Agent UI refined for general availability readiness.

Workspace Group Management

  • Group member details, including member lists, are now visible in the group viewing slider within workspace settings.

Data Source Activity

  • The data source activity graph has been enhanced for better readability and alignment.

Bug Fixes

  • Fixed time filter refresh behavior on the incidents page.
  • Fixed agent response button remaining active when the agent is not properly configured.
  • Fixed Defender incident comment creation for comments exceeding 1,000 characters.
  • Resolved incorrect log search results for Microsoft Defender data sources.
  • Fixed data source query results mapping to use column names instead of index positions, improving reliability.
2025-10-17
Ticketing Orchestrator, Agent Optimization, and Time Filters

Ticketing Orchestrator

  • Introduced a new ticketing orchestration layer that improves reliability and consistency when creating and managing tickets across integrated ticketing systems (Jira, ServiceNow, Autotask).

Agent Flow Optimization

  • The agent investigation and response flow has been optimized for performance, with improved classification mapping and enriched logging for better troubleshooting.

Time Filter Improvements

  • Time filters throughout the portal now correctly display in local time instead of UTC, and the refresh behavior has been improved.

Bug Fixes

  • Fixed ticket creation for Microsoft Defender incidents in Autotask.
  • Resolved entity context menu appearing for non-Microsoft-sourced incidents.
2025-09-04
CMS 3.0, Notification System, and Agent Center

CMS 3.0 Release

  • The Content Management System has been finalized with an updated user interface, improved rule details pages, and refined commenting capabilities for security content collaboration.

Notification System

  • A new notification settings system allows workspace administrators to configure alert recipients, severity thresholds, and notification preferences per workspace — ensuring the right people are notified about the right events.
  • Notification recipients can be added and removed directly from workspace settings.

Agent Center

  • A redesigned Agent Center creation experience with step validation, an Azure region picker for selecting agent resource locations, and an improved configuration details view.
  • Agent deployment reliability has been significantly increased with improved error handling and processing time.

Feature Flag Cleanup

  • Gamebooks 2.0 and Workspace Management features are now generally available — feature flags have been removed, making these capabilities available to all users by default.

Bug Fixes

  • Fixed deployment table routing when switching workspaces.
  • Fixed notification delivery issues identified during QA.
  • Resolved IAM management component flag check issues.
Questions about the release notes? Contact us at support@contraforce.com.