Incydr console release notes

Overview

This page lists new Incydr features, updates, and bug fixes for the browser-based Incydr console.

For agent release notes, see:

January 2026

Updates

January 6, 2026

  • Reactivating a user now also automatically reactivates any insider risk agents that were deactivated as a result of the user deactivation. This helps reduce monitoring gaps and manual intervention when users are temporarily or accidentally deactivated. (Previously, agents needed to be manually reactivated after the user was reactivated.)

January 5, 2026

  • In the User Profile > Agents section, the hostname is now a clickable link to the agent details page. 

December 2025

Features

SharePoint monitoring added to OneDrive data connection

December 15, 2025

Incydr now supports monitoring and detection of file activity within Microsoft SharePoint, in addition to the existing OneDrive integration. This greatly improves visibility into file activity throughout your Microsoft environment. For example, you can now:

  • Receive Incydr alerts when users create public anonymous links from SharePoint sites
  • Monitor file movement outside your organization via SharePoint
  • Create saved searches for SharePoint-specific events in Forensic Search
  • Add SharePoint events to your Risk Scenarios dashboard

In addition:

  • The Microsoft OneDrive for Business data connection is renamed Microsoft 365 - OneDrive and SharePoint.
  • SharePoint monitoring is already enabled for all existing OneDrive data connections. No additional configuration is required.
  • SharePoint activity is now visible throughout Incydr everywhere OneDrive activity is displayed, including dashboards, alerts, and Forensic Search.

New MCP server for Incydr

December 8, 2025

The new Mimecast Incydr Model Context Protocol (MCP) server enables you to more easily integrate Incydr with your own AI tools and agentic workflows. This integration supports natural language querying of Incydr events and alerts, helping you to more quickly investigate and respond to insider risks in your environment. The MCP server integrates seamlessly with AI tools such as Claude Desktop, Claude Code, MCP for Windows, and more.

For complete details and setup instructions, see Mimecast Incydr MCP server.

Updates

December 18, 2025

  • Incydr's AI-powered destination classification for exfiltrated files now includes web search capabilities to identify and categorize unknown destinations in real time. This enables Incydr to better categorize newer destinations, industry-specific tools, and emerging platforms unique to your environment that do not match pre-defined categorization rules. As a result, there are fewer events with "uncategorized" destinations. This reduces the time you spend manually researching unfamiliar destinations, and helps you to more quickly evaluate the potential risk of these events.

December 15, 2025

  • Content Inspection now detects South Africa identification (ID) numbers. This update helps you more easily identify and prevent the malicious or accidental exposure of sensitive South African information.
    • There is also a new risk indicator for South Africa ID numbers. Like all risk indicators, it automatically applies a risk score and enables you to generate alerts for file events where South Africa ID numbers are identified in files sent to untrusted locations.
    • For a complete list of risk indicators and associated risk scores, sign in to the Incydr console and select Risk Settings > File risk indicators > Personally Identifiable Information.

December 9, 2025

  • Preventative control settings are now visible to users with the Insider Risk Read Only role. This enables you to grant an auditor permission to review the preventative controls settings, but not change them.
  • Watchlists now include the option to show 25 or 50 items on the page. Previously, the page size was limited to 10.
  • The Incydr console now provides a simpler way to re-assign an agent to a new user. (Previously, agent re-registration required using the Incydr console command-line interface.) Re-assigning a new user helps troubleshoot and correct agent registration issues where the wrong user is detected. To re-assign a user:
    1. Go to Administration > Environment > Agents.
    2. Select an agent.
    3. From the agent details, select Actions > Reassign user and enter a new username. 

December 3, 2025

  • The Incydr Event Data Export integration now supports export configurations for up to 5 different AWS accounts. Previously, data exports were limited to a single destination account. This update enables more flexible configuration options for ingesting Incydr event data.

November 2025

Features

Enhanced alert settings to reduce unwanted notifications

November 5, 2025

Incydr Alert settings now offer four new customizable destination criteria to help you control which activity generates alerts:

  • Printer name
  • Removable media serial number
  • Remote hostname
  • Email recipients

With these additions, you can now specify which printers, removable media, hostnames, and email recipients to exclude from alerts. Customizing these settings can significantly reduce alert volume and help you focus on higher-risk events. To manage your alert settings, go to Alerts > Manage Rules > Alert settings.

Note: Stopping alerts does not stop Incydr from capturing the activity. You can still search for it in Forensic Search with the Activity tier filter set to Informational.

Global preventative controls

November 3, 2025

You can now apply Incydr preventative controls globally to all users, eliminating the need to configure a watchlist first. 

This update simplifies the management of preventative controls by enabling you to more easily apply them across your entire environment. For example, you can now block removable media for all users without the additional step of creating a watchlist. However, watchlist preventative controls are still available for applying more targeted response controls.

To manage global preventative controls, sign in to the Incydr console and navigate to User Activity > Preventative Controls.

Updates

November 26, 2025

  • Files downloaded from Incydr cloud data connections (Google Drive, OneDrive, and Box) to untrusted destinations now appear in Forensic Search results. Previously, download events from these sources were only visible for endpoints monitored by Incydr. Now, all download events are visible, providing a more complete view of cloud storage activity in your environment.

November 7, 2025

  • Agent registration issues in the Incydr console now include a new Deactivated user issue type. This makes it easier to troubleshoot and identify when an agent cannot register because the username associated with the agent is deactivated.

October 2025

Features

Account takeover detection

Early access

October 28, 2025

Account takeover (ATO) detection introduces new capabilities to detect and respond to account compromise risks. By monitoring signals from Mimecast Advanced Email Security and Microsoft Entra ID Protection, the Account takeover feature detects and alerts you about risk signals, including outbound malware, outbound phishing, and anomalous authentication and login activity.

These signals may indicate that an email account monitored by Mimecast has been compromised by an unauthorized external party. Mimecast Incydr provides detailed metadata about all account takeover activity, enabling you to quickly triage alerts, contain threats, and investigate events to determine the appropriate response.

To get started, sign in to the Mimecast Administration Console (AdCon) and navigate to Analysis and Response > Overview. Locate the Account Takeover section, then click View Account Takeover for more details.

Included in Mimecast Critical, Advanced, and Premium email security packages.

Updates

October 6, 2025

Incydr now leverages AI to automatically classify file exfiltration destinations that don't match existing categorization rules. This greatly reduces the number of events with "uncategorized" destinations, helping you to more quickly evaluate the potential risk of these events.

Values classified by AI appear in new Destination category (AI) and Destination name (AI) fields. Additionally, a new AI description field provides an AI-generated summary of the destination.

If the destination matches Incydr's pre-defined categorization rules, these new AI fields are hidden and the destination details appear in the existing Destination category and Destination name fields. Forensic Search filters and file event CSV exports, however, now contain both sets of destination fields.

September 2025

Updates

September 8, 2025

  • Cases are now limited to 150,000 total file events for all cases in your organization. This update is in addition to the existing limit of 10,000 events for each individual case.

July 2025

Features

Incydr browser extension for Firefox (early access)

July 30, 2025

The Incydr browser extension is now available for Firefox as an early-access release. The extension works alongside the insider risk agent to improve browser activity monitoring and to enforce preventative controls. This enables you to leverage the same insider risk detection and response capabilities in Firefox as the existing Chrome and Edge extensions. 

For more details, including deployment instructions, see Deploy the Incydr browser extension.

Watchlist exclusions for groups and departments

July 16, 2025

Watchlists now support exclusions for groups and departments synced with Incydr from an external provisioning provider (such as SCIM or Active Directory). This update enables more flexible and granular management of watchlist membership and preventative control enforcement. (Previously, groups and departments could only be selected for inclusion, not exclusion.)

For example, if you want to prevent everyone in your engineering department from using removable media except a group of QA users whose work involves legitimate use of removable media, you can now:

  • Enable the Block removable media mounting preventative control for a watchlist.
  • Include the entire engineering department on the watchlist.
  • Exclude the QA group from the watchlist.

To add a group or department watchlist exclusion:

  1. Go to User Activity > Watchlists.
  2. Select a watchlist.
  3. In the watchlist details, go to Watchlist settings > Users and click the edit icon. (For watchlists with no users defined yet, click Add.)
  4. Select the Excluded tab, then click Add for a department or group.

Simplified user detection script configuration in deployment policies

July 15, 2025

Deployment policies now support a simplified experience for configuring user detection scripts. You can now select a detection method directly from the Incydr console, eliminating the need to manually copy and paste custom script code.

The custom script option is still available if you prefer to supply your own script, as well as to support all existing scripts deployed before July 15, 2025. 

To get started, go to Administration > Agent Management > Deployment and create a new deployment policy.

Updates

July 31, 2025

  • A new Export button on the Trust recommendations tab enables you to easily export and download a .csv file with the list of trust recommendations.

July 28, 2025

  • Bubble charts are now available as a new visualization option for risk scenario details, in addition to the existing pie charts. This offers a more dynamic way to analyze patterns and relationships within your environment. To view a bubble chart, click the View details icon for a scenario, then select Chart type > Bubble.

July 18, 2025

  • Alert settings now include a Preview activity that matches this criteria link to show you recent file events that match the alert setting. Reviewing the results can help you decide whether to generate alerts for the specified activity or not.

July 3, 2025

  • Forensic Search now includes the option to select all values within each risk indicator sub-category. For example, within Risk > Risk Indicator > AI Tools, select All AI Tools at the top of the list to add all items to your search. This makes it easier to perform complex searches, especially for categories with many possible values, such as AI Tools, Cloud storage uploads, and Email domains.

Bug fixes

July 3, 2025

  • On the Administration > Environment > Users page, fixed an issue where the Installed agent count column was missing in some environments.

June 2025

Features

New alert tuning options to reduce unwanted notifications

June 23, 2025

A new Alerts setting enables you to reduce alerts by customizing which activity generates notifications. For example, you now have the option to exclude Likely personal activity destinations from alert notifications. This reduces alerts for activity unlikely to pose an exfiltration risk, such as files sent to personal e-commerce, entertainment, health, insurance, and financial destinations.

  • Settings are reflected in a new Activity tier metadata field visible on all events.
  • Events matching your Don't alert preference are categorized as Informational in Forensic Search, but do not generate alert notifications or appear on dashboards.

To get started, go to Alerts > Manage Rules > Alert settings.

Custom risk indicators for classification tags

June 13, 2025

You can now create custom risk indicators for any Microsoft Information Protection (MIP) or Purview classification tag in your environment. This provides greater flexibility to tailor risk detection unique to your organization.

Like all risk indicators, a risk score is automatically applied to events matching your custom-defined tags. You can also generate alerts for this activity.

To get started, sign in to the Incydr console and go to Risk settings > File risk indicators > Custom classification and sensitivity labels.

New risk indicator highlights screen captures

June 6, 2025

A new Screen capture risk indicator detects when a user exfiltrates a screenshot image or screen recording video. This helps you identify when potentially sensitive internal information is captured via common screen recording tools and sent to untrusted destinations. Like all risk indicators, a risk score is automatically applied to the event, and you can also generate alerts for this activity.

Updates

June 25, 2025

  • The data connection status history now provides more detailed and comprehensive information about the history of the connection. This makes it easier to quickly review the status over time, enabling better troubleshooting and monitoring. 

June 18, 2025

  • You can now add a user to a watchlist and add events to a case directly from the Alerts action menu. This update expands your ability to take actions from within an alert, simplifying workflows and improving efficiency. The reorganized menu structure also better aligns with the existing Risks not covered by alerts experience, and more clearly distinguishes between built-in Incydr actions and optional Incydr Flow actions.

June 3, 2024

  • The Agents list page in the Incydr console now supports selecting multiple agents at once to perform bulk activation and deactivation actions. This makes it easier to manage agents in your environment. (Previously, bulk actions were only supported via the Incydr API.)
  • Incydr no longer reports events for Incydr cloud storage data connections when file contents are modified. These events were generated when the cloud service detected a new file version (indicating the contents were modified). Because these events do not represent a risk of file exfiltration, they were removed to simplify search results and help you focus on higher-risk events.

Bug fixes

June 4, 2025

  • For watchlists configured to include a department synced from an external provisioning provider, fixed a rare issue where some users in that department may have been unexpectedly removed from the watchlist.

June 2, 2025

  • Fixed an issue where some users were not removed from watchlist membership when they moved from a department included in the watchlist to a department not included in the watchlist.

May 2025

Features

Simplified data export from Incydr to SIEMs and other external tools (early access)

May 12, 2025

A new integration in the Incydr console enables you to configure external tools to ingest Incydr event data from AWS S3. Data available for export and ingest includes:

  • Audit log activity
  • Alerts
  • File events and all associated metadata

This addition simplifies the process of exporting Incydr event data, providing a streamlined solution for integrating with SIEMs that support ingesting log data from AWS S3.

To get started, sign in to the Incydr console and go to Administration > Integrations > Event Data Export. To view the detailed schema of exported fields, see Event Data Export in the Developer Portal.

New risk indicator highlights data shared with personal accounts

May 8, 2025

A new Likely user's personal account risk indicator detects when a user sends or shares files from their corporate email or cloud service to their personal account. The sender and recipient addresses are evaluated for similarity, and if they are a close match, the risk indicator is applied.

  • For example, a file sent from johnsmith@corp.example.com to jsmith@example.com likely indicates the user sent an attachment to their personal email. When combined with other risk indicators on the event, this detail can provide valuable context for better identifying insider risks.
  • Like all risk indicators, a risk score is automatically applied to the event, and you can also generate alerts for this activity.
  • Applies to email and cloud sharing events monitored by an Incydr data connection.
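
The kind of sender/recipient comparison described above can be sketched as follows. This is an added illustration, not Incydr's detection logic (the page does not publish its algorithm); the corporate domain set, the 0.8 threshold, the "first initial plus surname" heuristic, and all function names are assumptions.

```python
import re
from difflib import SequenceMatcher

# Assumption: domains treated as corporate. Constructed for this example.
CORPORATE_DOMAINS = {"corp.example.com"}
# Assumption: illustrative cut-off for a "close match", not a product value.
THRESHOLD = 0.8


def split_address(address):
    """Return (local_part, domain), lower-cased; reject malformed input."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local, domain


def normalize_local(local):
    """Drop a +tag, separators and digits: 'john.smith84' -> 'johnsmith'."""
    local = local.split("+", 1)[0]
    return "".join(t for t in re.split(r"[._\-]+|\d+", local) if t)


def similarity(sender_local, recipient_local):
    """Score 0.0-1.0 for how alike two local parts are after normalizing."""
    a, b = normalize_local(sender_local), normalize_local(recipient_local)
    if not a or not b:
        return 0.0
    if a == b:
        return 1.0
    short, long_ = sorted((a, b), key=len)
    # Hypothetical heuristic: 'jsmith' vs 'johnsmith' (initial + surname).
    if len(short) >= 4 and short[0] == long_[0] and long_.endswith(short[1:]):
        return 0.9
    # Otherwise fall back to a generic string-similarity ratio.
    return SequenceMatcher(None, a, b).ratio()


def likely_personal_account(sender, recipient,
                            corporate_domains=CORPORATE_DOMAINS,
                            threshold=THRESHOLD):
    """True when a corporate sender shares to a similar external address."""
    try:
        s_local, s_domain = split_address(sender)
        r_local, r_domain = split_address(recipient)
    except ValueError:
        return False  # unparseable addresses cannot be compared
    if s_domain not in corporate_domains or r_domain in corporate_domains:
        return False  # only corporate -> external sharing is of interest
    return similarity(s_local, r_local) >= threshold


# Constructed sample events: (sender, recipient).
SAMPLE_EVENTS = [
    ("johnsmith@corp.example.com", "jsmith@example.com"),         # page's example
    ("john.smith@corp.example.com", "johnsmith84@example.net"),   # same name + digits
    ("johnsmith@corp.example.com", "maria.garcia@example.org"),   # unrelated person
    ("johnsmith@corp.example.com", "jsmith@corp.example.com"),    # internal recipient
    ("johnsmith@corp.example.com", "undisclosed-recipients"),     # malformed
]


def flag_events(events):
    """Return the events that would carry the personal-account indicator."""
    return [e for e in events if likely_personal_account(*e)]


if __name__ == "__main__":
    for sender, recipient in flag_events(SAMPLE_EVENTS):
        print(f"likely personal account: {sender} -> {recipient}")
```

A name-similarity signal like this is weak on its own (common surnames collide), which is why it is most useful when combined with other risk indicators on the same event.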

Updates

May 27, 2025

May 6, 2025

  • Improvements to destination categorization:
    • Added over 100 new destination names across all destination categories. This reduces the number of file events categorized as Other destination.
    • Added 20 new risk indicators for AI tools, personal email, cloud storage, and more. These new risk indicators help you better identify risk by listing the specific destination for upload and paste activity.

April 2025

Features

Content inspection support for UK and Canadian PII

April 29, 2025

Content Inspection now detects Personally Identifiable Information (PII) specific to the United Kingdom and Canada. This update helps you more easily identify and prevent the malicious or accidental exposure of sensitive regional information such as UK and Canadian passport numbers.

There are also new risk indicators to support these new detection types. Like all risk indicators, they automatically apply a risk score and enable you to generate alerts for file events where UK or Canadian PII is identified in files sent to untrusted locations.

For a complete list of the new risk indicators and associated risk scores, sign in to the Incydr console and select Risk Settings > File risk indicators > Personally Identifiable Information.

Risk Scenarios dashboard updates

April 25, 2025

The Risk Scenarios dashboard completed the early access phase and is now generally available. This release includes several exciting new updates:

  • The dashboard now includes 10 additional pre-defined scenarios (for a total of 14).
  • You can now add your own custom risk scenarios to increase visibility of the use cases and risks that are most important in your environment. Any saved search can be displayed as a custom tile on the dashboard. Learn more.

Forensic Search chart enhancements

April 22, 2025

The Forensic Search Charts tab includes two new capabilities to make it easier to analyze and share event data insights:

  • A new Table chart type, which displays event counts grouped by the attribute you select.
  • A new option to export data from any chart type to a CSV file.

Content inspection support for custom regex pattern matching

April 21, 2025

Custom file content risk indicators now support regex patterns, in addition to plain text string matches. Creating risk indicators based on regex enables you to:

  • Generate alerts for files matching custom-defined patterns of sensitive content.
  • Define more flexible and precise rules for detecting sensitive content, such as patterns for account numbers, internal codes, or other custom identifiers.
  • Better tailor custom risk indicators to your unique environment, improving your ability to detect and respond to data exfiltration risks.

More granular trusted domain settings

April 15, 2025

Trusted domain settings now enable you to specify which destinations to trust when the signed-in username includes a trusted domain. This helps highlight activity from trusted email addresses at untrusted destinations.

Requires the Incydr browser extension.

Incydr Flow for CrowdStrike watchlist management

April 11, 2025

A new Incydr Flow integrates with CrowdStrike to create the Falcon Detection Watchlist in Incydr. Users flagged by CrowdStrike with high-severity detections are automatically added to the watchlist. This enables you to create alerts and apply preventative controls in Incydr based on high-risk activity identified by CrowdStrike.

International language support for Instructor video lessons

April 1, 2025

Instructor lessons are now available in 18 languages. From within the Vimeo player, users can select from the following languages:

  • Arabic
  • Chinese (Simplified)
  • Czech
  • Danish
  • Dutch
  • English
  • Finnish
  • French
  • German
  • Indonesian
  • Italian
  • Japanese
  • Polish
  • Portuguese
  • Russian
  • Spanish
  • Swedish
  • Turkish

Updates

April 25, 2025

April 17, 2025

  • API client details now display the Last modified date, in addition to the Date created. This makes it easier to track when secrets were last updated, which can help you manage secret rotation.

April 4, 2025

  • Adding a OneDrive data connection in a Microsoft GCC High environment now supports the option to Inventory monitored drives.

Bug fixes

April 10, 2025

  • Fixed an issue where Microsoft Information Protection (MIP) tags were not captured for file events monitored by Incydr data connections. As a result, some events were missing Classification and sensitivity labels risk indicators and did not generate alerts based on those risk indicators.

March 2025

Features

Detect sensitive credentials in exfiltrated source code files

March 5, 2025

Content inspection now detects tokens and credentials in exfiltrated source code files. This helps you more easily identify and prevent malicious or accidental exposure of sensitive credentials (for example, SAML tokens and AWS session keys).

There are also new risk indicators to support these new detection types. Like all risk indicators, they automatically apply a risk score and enable you to generate alerts for file events where credentials are identified in source code files sent to untrusted locations.

For a complete list of the new risk indicators and associated risk scores, sign in to the Incydr console and select Risk Settings > File risk indicators > Credentials and tokens.

Updates

March 19, 2025

March 18, 2025

  • In the file event metadata, the Destination Names for iCloud and Zoho email have been updated from iCloud and Zoho to iCloud Mail and Zoho Mail. This helps differentiate email and cloud storage activity at these destinations. 

    If you have Saved Searches that use the iCloud or Zoho destination names without specifying the destination category, this update may cause you to see fewer search results. To continue including email activity, add the new iCloud Mail and Zoho Mail destination names to your search query.

March 14, 2025

  • In Forensic Search, the User section now includes SCIM Group and Department attributes for users provisioned via SCIM. These are also available as search filters.

February 2025

Features

Customize preventative control messaging by watchlist

February 14, 2025

Preventative control settings now support unique end-user messaging for each watchlist. This enables you to provide context-specific guidance to users on different watchlists. For example, when users try to upload files to an untrusted destination, departing employees can now receive a different message than new hires.

To edit end-user messaging:

  1. Go to User Activity > Watchlists and select a watchlist.
  2. Next to Preventative controls, click the edit icon.
  3. Select Advanced settings > End user messaging.
  4. Click the edit icon to update a message.
    • Select the Global tab to edit the default message for all watchlists without a custom message.
    • Select the watchlist name tab to edit the message for only this watchlist.

Expanded detection and alerting options for exfiltration to AI destinations

February 14, 2025

New AI-focused risk indicators identify when corporate data is sent to a wider range of AI tools:

  • There are 30 new risk indicators for specific AI tool destinations, including Microsoft Copilot, GitHub Copilot, Atlassian Loom, You.com, Grammarly, Adobe Firefly, and many more.
  • An additional Other AI Tool risk indicator dynamically identifies exfiltration to AI tools that don't have their own dedicated risk indicator.
  • By highlighting upload and paste activity to many additional AI destinations, you gain better visibility into the broader risk landscape of corporate data exfiltration to AI tools.
  • Like all risk indicators, the new risk indicators automatically apply a risk score and enable you to generate alerts for file events where users upload or paste data to these AI tools.

For a complete list of the new risk indicators and associated risk scores, sign in to the Incydr console and select Risk Settings > Destination risk indicators > AI Tools.

Risk Scenarios dashboard (early access)

February 10, 2025

The new Risk Scenarios dashboard highlights common risk situations and important use cases to help you more quickly discover and investigate risky activity. Scenarios include sending corporate data to AI tools, personal cloud destinations, external devices, and personal email.

To get started, sign in to the Incydr console and select Dashboards > Risk Scenarios.

Forensic Search filter groups enable "OR" logic in search queries

February 5, 2025

Forensic Search now includes support for optional filter groups, enabling you to craft more advanced and flexible search queries. With filter groups, you can now use "OR" logic to combine multiple criteria in a single query, giving you more control over search results.

To get started, go to Forensic Search > Search and click Add filter block.

Updates

February 28, 2025

  • In Forensic Search, the maximum page size increased from 100 to 1,000. This makes it easier to bulk select hundreds of events at once and add them to a case. To change the page size, scroll to the bottom of the search results and select a new Rows per page value.

February 26, 2025

  • The Agents page now highlights macOS agents with missing full disk access or accessibility permissions. This makes it easier to identify macOS devices in your environment that need attention to ensure they capture Incydr data.

February 20, 2025

  • The early access version of the Trends dashboard is now the default, generally available view. The Trends dashboard provides an informative view of activity and trends over time for key risk indicators. The legacy view remains available via a link at the bottom of the page.

February 14, 2025

  • Added many new destination risk indicators across all destination categories. The new risk indicators help you better identify risk by listing the specific destination for upload and paste activity. This greatly reduces the number of file events categorized as Other destination.

February 10, 2025

  • Incydr data connections to OneDrive and Office 365 now support Microsoft GCC High environments.

January 2025

Features

Better visibility into file contents of email attachments 

January 13, 2025

Incydr now captures the contents of email attachments for both Office 365 and Gmail email data connections. Previously, file events for exfiltrated attachments only included metadata, but now the full file contents are captured. This helps you better identify when sensitive information is sent to untrusted locations.

To change the default setting and disable the collection of email attachments, go to Administration > Integrations > Data Connections, select Settings, then set Collect email attachments to No.

Updates

January 28, 2025

  • Added a new risk indicator to highlight DeepSeek AI activity. This risk indicator automatically applies a risk score to file events when users upload files or paste data to DeepSeek AI. It also enables you to generate alerts for DeepSeek AI activity.

January 13, 2025

  • Added a new Instructor lesson to remind users to use secure links when sharing files via Slack instead of uploading files directly. The new lesson title is Slack: Use secure links to share files. Like all lessons, it can be sent manually to users, or sent automatically in response to behavior that triggers an alert.

January 3, 2025

  • Agent filters in the Incydr console now include the option to filter devices by operating system.

Bug fixes

January 8, 2025

  • In environments licensed for the backup add-on, fixed an issue in the Incydr console where insider risk agents could incorrectly appear in a list of backup agents. This was a display issue only; no backup or restore activity occurred via the insider risk agent.

Previous release notes

For release notes prior to January 2025, see Previous version release notes.
