February 5, 2025

Announcing Visual Query Builder and Detection Rule Tags With MITRE Classification

We’ve released two features to improve log search functionality and detection rule organization.

Visual Query Builder – Beta Release

The new query builder interface, currently a beta release, provides a visual alternative to writing raw query syntax. Users can switch between text and visual modes without losing query fidelity.

Capabilities:

  • Dynamic switching between visual and text representations of the same query.
  • Support for all existing query operators and functions.
  • Auto-complete for query fields, values, and functions to streamline building queries.
  • Easy visualization generation: bar charts, line charts, and pie charts.

The visual interface maintains feature parity with text queries while exposing query structure through a composable UI. This allows teams to build complex queries incrementally and share them across skill levels.

Detection Rule Organization with MITRE Tags

Detection rules now support a tagging system with built-in MITRE ATT&CK classification support. Users can also add custom tags to organize rules according to their own schema, which is helpful as a team’s detection rule list grows from dozens to hundreds of rules.

[Screenshot: Detection Rule Tags with MITRE]

Tags are propagated in the detection alert messages sent to event sink destinations. Thus, users’ SOAR tools can leverage MITRE tags and custom tags when they receive a Scanner alert and route it to the appropriate response workflow.

Users can also query the _detections index in Scanner using tags as a facet filter or as an aggregation value, allowing them to compute statistics on which MITRE tactics and techniques appear most often in their alerts.
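As an added example (not Scanner’s own code), the following Python shows what a consumer of these alerts, such as a SOAR tool, can do with the tags described above: route each alert to a response workflow by its MITRE or custom tag, and count tactics and techniques across a batch of alerts the way a facet filter or aggregation over _detections would. The alert payload shape, the `mitre:` tag prefix, the sample rule names and the workflow names are all assumptions for illustration, not Scanner’s documented schema.

```python
"""Route detection alerts by tag and compute tag statistics.

Added example, not Scanner's code. It assumes alerts arrive at an event
sink as JSON objects carrying a "tags" list, with MITRE ATT&CK tactics
and techniques encoded as "mitre:TA0006" / "mitre:T1110" and custom tags
as free-form "key:value" strings. These field and tag conventions are
assumptions for illustration, not Scanner's documented schema.
"""
import json
from collections import Counter

# Constructed sample of alert payloads (not real Scanner output).
SAMPLE_ALERT_JSON = json.dumps([
    {"rule": "Okta brute force", "tags": ["mitre:TA0006", "mitre:T1110", "env:prod"]},
    {"rule": "New admin API key", "tags": ["mitre:TA0003", "mitre:T1098", "team:identity"]},
    {"rule": "Valid account from new geo", "tags": ["mitre:TA0001", "mitre:T1078", "env:prod"]},
    {"rule": "Suspicious shell in container", "tags": ["mitre:TA0002", "mitre:T1059", "env:staging"]},
    {"rule": "Password spray", "tags": ["mitre:TA0006", "mitre:T1110", "env:prod"]},
])

MITRE_PREFIX = "mitre:"

# Ordered routing table: the first matching tag wins. Technique-level routes
# come before tactic-level ones because they are more specific; custom tags
# come last, then a default. Workflow names are hypothetical SOAR playbooks.
ROUTES = [
    ("mitre:T1110", "credential-attack-playbook"),   # Brute Force
    ("mitre:TA0006", "credential-access-triage"),    # Credential Access tactic
    ("mitre:TA0002", "endpoint-containment"),        # Execution tactic
    ("env:prod", "prod-oncall-escalation"),          # custom tag
]
DEFAULT_ROUTE = "analyst-queue"


def load_sample_alerts():
    """Parse the constructed sample payload into a list of alert dicts."""
    return json.loads(SAMPLE_ALERT_JSON)


def mitre_ids(alert):
    """Return the MITRE ATT&CK IDs (tactics and techniques) attached to one alert."""
    return [t[len(MITRE_PREFIX):] for t in alert.get("tags", []) if t.startswith(MITRE_PREFIX)]


def route_alert(alert):
    """Pick the response workflow for one alert based on its tags."""
    tags = set(alert.get("tags", []))
    for tag, workflow in ROUTES:
        if tag in tags:
            return workflow
    return DEFAULT_ROUTE


def route_all(alerts):
    """Map each rule name to the workflow its alert would be dispatched to."""
    return {a["rule"]: route_alert(a) for a in alerts}


def tag_counts(alerts, prefix=MITRE_PREFIX):
    """Count how many alerts carry each tag with the given prefix.

    This is the client-side equivalent of aggregating the _detections index
    by tag: a tag repeated on a single alert is counted once for that alert.
    """
    counter = Counter()
    for a in alerts:
        # dict.fromkeys() de-duplicates while keeping the original tag order
        for t in dict.fromkeys(a.get("tags", [])):
            if t.startswith(prefix):
                counter[t[len(prefix):]] += 1
    return counter


def top_mitre(alerts, n=3):
    """The n most frequent MITRE tactic/technique IDs across the alerts."""
    return tag_counts(alerts).most_common(n)


if __name__ == "__main__":
    alerts = load_sample_alerts()
    for rule, workflow in route_all(alerts).items():
        print(f"{rule!r:40} -> {workflow}")
    print("Most common MITRE IDs:", top_mitre(alerts))
```

The routing table is ordered on purpose: a technique tag such as T1110 says more about the needed response than its parent tactic TA0006, so it is matched first, and the custom `env:prod` tag only decides the workflow when no MITRE-based rule applies. The same counts that `tag_counts` produces client-side are what a tag aggregation over the _detections index would give you directly in Scanner.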

We believe that traditional log architectures are broken for modern log volumes. Scanner enables fast search and detections for log data lakes – directly in your S3 buckets. Reduce the total cost of ownership of logs by 80-90%.
Cliff Crosland
CEO, Co-founder
Scanner, Inc.
Cliff is the CEO and co-founder of Scanner.dev, which provides fast search and threat detections for log data in S3. Prior to founding Scanner, he was a Principal Engineer at Cisco where he led the backend infrastructure team for the Webex People Graph. He was also the engineering lead for the data platform team at Accompany before its acquisition by Cisco. He has a love-hate relationship with Rust, but it's mostly love these days.