We're excited to share this month's release, bringing SQL-powered detection flexibility, new security content for Linux environments and user behavior analysis, and expanded integration coverage across 11 new data sources.
What's New
SQL Custom Detectors
You can now create custom detectors using SQL directly in the portal UI. This brings the full power of API-level detection logic into a guided workflow, no coding required. The feature supports two modes:
Auto (Continuous mode) - Hunters manages the time windows and runs your queries only on new data as it arrives
Scheduled (Cron mode) - You control the exact time ranges using trigger variables, perfect for periodic scans
You can start from a SQL query in the Search page or go straight to New Custom Detector. All detectors run against your raw data tables for maximum flexibility. There's also a mandatory "Validate & Test" step to make sure everything works before you deploy.
Security Content Updates
New Detector: Linux Potential Brute Force Authentication Attempt
Linux systems typically log authentication activity through the auditd data source. This includes USER_AUTH events that record every login attempt and whether it succeeded or failed. Our new detector analyzes these events to spot anomalous spikes in failed authentication attempts coming from the same source IP within a short time window.
The detector uses a time-series approach to highlight patterns that look like password guessing, credential stuffing, or automated attack behavior targeting Linux accounts. This addresses one of the most common attack vectors in cloud server environments and on-premise infrastructure.
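As an added illustration, not the Hunters detector itself, here is a Python version of the time-windowed failure count over auditd USER_AUTH records described above. The sample audit lines, the threshold of 5 failures and the 60-second window are constructed assumptions, and the code assumes each source's records arrive in timestamp order (as the audit log writes them).

```python
import re
from collections import defaultdict, deque

# Fields the detection needs from an auditd USER_AUTH record: timestamp, account, source address, result.
USER_AUTH_RE = re.compile(
    r"type=USER_AUTH msg=audit\((?P<ts>\d+\.\d+):\d+\):.*?"
    r"acct=\"?(?P<acct>[^\" ]+)\"?.*?addr=(?P<addr>\S+).*?res=(?P<res>\w+)"
)

def parse_user_auth(line):
    """Return (timestamp, source_addr, account, result) or None for non-USER_AUTH records."""
    m = USER_AUTH_RE.search(line)
    if not m:
        return None
    return float(m.group("ts")), m.group("addr"), m.group("acct"), m.group("res")

def detect_bruteforce(lines, threshold=5, window=60.0):
    """Sliding-window count of failed USER_AUTH events per source address.
    Emits one alert per address the first time `threshold` failures fall inside `window` seconds."""
    failures = defaultdict(deque)  # addr -> timestamps of recent failures, oldest first
    alerted, alerts = set(), []
    for line in lines:
        rec = parse_user_auth(line)
        if rec is None:
            continue
        ts, addr, _acct, res = rec
        if res != "failed":  # successes do not count toward the spike
            continue
        q = failures[addr]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and addr not in alerted:
            alerted.add(addr)
            alerts.append({"addr": addr, "count": len(q), "first": q[0], "last": ts})
    return alerts

def _rec(ts, addr, acct, res):
    """Build a constructed auditd USER_AUTH line in the format sshd/PAM produce."""
    return (f"type=USER_AUTH msg=audit({ts:.3f}:{int(ts)}): pid=900 uid=0 auid=4294967295 "
            f"ses=4294967295 msg='op=PAM:authentication grantors=? acct=\"{acct}\" "
            f"exe=\"/usr/sbin/sshd\" hostname={addr} addr={addr} terminal=ssh res={res}'")

# Constructed sample: a 25-second burst, a slow trickle over 15 minutes, one success, one unrelated record.
SAMPLE_AUDIT = (
    [_rec(1700000000 + 5 * i, "203.0.113.5", "root", "failed") for i in range(6)]
    + [_rec(1700000000 + 300 * i, "198.51.100.7", "alice", "failed") for i in range(4)]
    + [_rec(1700000040, "192.0.2.9", "bob", "success")]
    + ["type=CRED_ACQ msg=audit(1700000041.000:7): pid=901 uid=0 msg='op=PAM:setcred acct=\"bob\" res=success'"]
)

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUDIT):
        print(alert)
```

Only the burst source trips the default threshold; the slow trickle never accumulates five failures inside one 60-second window, which is the kind of miss a tighter window trades against false positives.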
New Enrichments:
User Agent History per User - Retrieves all user agents this person has used within the investigation time window. You get a usage history grid showing first/last seen timestamps, usage counts, and derived attributes like browser, OS, and device family.
User Agent Prevalence per Organization - Gives you organization-wide statistics for the user agent tied to this lead. This includes total usage count, number of distinct users who've used it, and when it was first and last observed. These metrics help you figure out if a user agent is common across your org, rare, or newly observed.
HTTP Requests (by Agent ID) - Analyzes EDR HTTP request events from the endpoint during your investigation timeframe. You get detailed network telemetry including contacted domains, HTTP hosts, full URLs, remote IP addresses, destination ports, and which process initiated each request. This gives you broad visibility into all outbound web activity from the device.
HTTP Requests (by Process) - Filters the same EDR network telemetry but focuses on just one process (filtered by both agent and process ID). This lets you zoom in on the external communications from a specific process, which is useful when you need to assess whether a particular process did something suspicious or anomalous.
Integration Updates
Action Required:
CrowdStrike Incidents - This integration was retired on March 9, 2026. You'll need to migrate to the CrowdStrike Alerts integration (crowdstrike_alerts) to avoid any service interruptions.
Microsoft Message Trace - Microsoft announced that the legacy Message Trace APIs will be turned off in April 2026. We've already implemented support for the new Microsoft Graph API endpoint (expected to enter public preview in late 2025), so the transition will be seamless for all customers.
New Integrations (11 releases):
Barracuda Incident Response Logs (S3 integration)
Upwind Security Detections (Puller integration, S3 was already supported)
Upwind Stories (both S3 and API integrations)
Forescout Appliances Logs (S3 integration)
Fortinet FortiManager (S3 integration)
Palo Alto Strata Logging Service (S3 integration with Snappy decompression support)
Cisco IOS (S3 integration)
Veeam Backup and Replication logs (S3 ingestion)
Microsoft 365 Message Trace (new Microsoft Graph API endpoints)
Halcyon (S3 ingestion)
VMware Horizon VDI (S3 ingestion)
Nutanix HCI (S3 ingestion)