Incydr console release notes

Overview

This page lists new Incydr features, updates, and bug fixes for the browser-based Incydr console.

For agent release notes, see:

April 2026

Features

New metadata fields for file events

April 6, 2026

Incydr file events now include additional metadata to provide even more context for user activity.

  • A new Blocked browser or app launch event type captures when a web browser or other application (as configured in your Block browsers and apps preventative control setting) was blocked from opening on a user's endpoint. 
  • For removable media events, a new Removable media file system field returns the file system type of the drive (for example, exFAT or NTFS).
  • A new Process > Full command field includes the text of the CLI command run by the user (minus their credentials) for file events where data was moved via a file transfer tool, such as SFTP, SCP, FTP, and cURL.
  • The Response controls section includes a new Temporarily allow pop-up field to indicate whether the user was prompted to provide justification for the blocked activity.
  • The Response controls > User justification metadata now provides more context when a user does not provide a justification in the temporary allow dialog. New values include: 
    • No response: The user did not interact with the dialog at all.
    • Dismissed without justification: The user clicked Close or Cancel before selecting a reason.

Updates

April 9, 2026

April 6, 2026

  • Email notifications for Incydr alerts, Instructor lessons, and account takeover alerts are now sent from noreply@product-notifications.mimecast.com. Previously, these emails were sent from @code42.com addresses.
    • To ensure uninterrupted alert and lesson delivery, update your email systems, rules, and automations to allow messages from noreply@product-notifications.mimecast.com.
    • Incydr Gov (US3) environments are not affected and continue receiving emails from @code42.com addresses.

March 2026

Features

Block uploads to specific destinations

March 24, 2026

A new Block destinations preventative control enables you to prevent users from exfiltrating files to specific destinations. This helps you better protect sensitive data from being sent to untrusted destinations.

By identifying high-risk destinations—such as unsanctioned AI, cloud storage, and file conversion tools—you can prevent users from sending files to these untrusted destinations, while still allowing collaboration with trusted tools. 

Like all preventative controls, blocked destinations can be defined globally for all users or only for a specific watchlist.

Available with insider risk agent version 2.7.0 and later.

Preview exfiltrated files without downloading

March 13, 2026

You can now preview exfiltrated files directly from the event details, in addition to downloading them. Supported file types to preview include .pdf, .jpg, .jpeg, .png, and .txt. Previewing files can help you speed up investigations and reduce exposure by limiting the need to store local copies of sensitive files.

Highlighted file preview button in the event details

Investigate alerts more quickly and efficiently with the new Mihra AI agent

March 12, 2026

Limited early access

Incydr now includes a built-in AI agent to help you streamline alert triage. The Mihra investigation agent analyzes the risk indicators, event metadata, and user context for an alert, and then delivers an AI-generated assessment of the alert activity, including recommended next steps. The Mihra investigation agent reduces the time spent manually investigating alerts, while simultaneously providing rich context for your investigations.

If you are interested in participating in the limited early access release, contact your account team.

Investigation agent results

SAP SuccessFactors watchlist integration

March 12, 2026

A new integration with SAP SuccessFactors enables you to automatically add users to the Incydr Departing Employee watchlist based on their departure date in SuccessFactors. You can also optionally add users to the New Hire watchlist based on their hire date. This reduces manual effort and helps ensure your policies for monitoring higher risk users are automatically applied to new and departing employees.

To get started, see SAP SuccessFactors watchlist integration with Incydr.

Updates

March 30, 2026

  • The Google Drive data connection now detects when a user sends a file from Google Drive as an email attachment.
    • A new Sent from Corporate Google Drive risk indicator automatically applies a risk score to these events and enables you to generate alerts when files are emailed to untrusted locations. 
    • To find these events in Forensic Search, filter by the Emailed event action or the Sent from corporate Google Drive risk indicator.

March 24, 2026

  • The Incydr browser extension for Firefox has moved from early access to general availability. Updates include support for blocking private browsing, Linux compatibility, and numerous other performance improvements and bug fixes.

Known issues

March 3, 2026

  • Due to a recent change implemented by Google, the Google Drive data connection for Incydr is no longer notified by Google when file permission changes are inherited from a parent folder. As a result, Incydr file events for inherited permission changes may be delayed or may not be captured at all. 

February 2026

Updates

February 5, 2026

  • Alert status options now include a new Closed - Benign selection for alerts where activity detection was accurate but did not present a valid risk, such as personal or legitimate business activity. This enables more granular tracking to separate true false positives (where detection was incorrect) from cases where detection is correct but no risk exists.

January 2026

Features

Block uploads of files acquired from high-value sources

January 13, 2026

A new Block sources preventative control enables you to prevent users from exfiltrating files acquired from specific, high-value sources. This helps you better protect sensitive data from being sent to untrusted destinations.

By identifying your most important locations—such as source code repositories, project file servers, and SaaS applications—you can prevent users from sending files obtained from these locations to untrusted destinations, while still allowing collaboration with trusted tools. 

Like all preventative controls, blocked sources can be defined globally for all users or only for a specific watchlist.

Available with insider risk agent version 2.6.0 and later.

Paste contents detection

January 13, 2026

Paste events now include the actual content pasted to untrusted destinations, enabling you to better assess the data exfiltration risk of a specific event.

Available with insider risk agent version 2.6.0 and later.

Automatically send Instructor lessons when users are added to watchlists

January 13, 2026

Instructor now supports automatically sending lessons when users are added to watchlists. This enables you to proactively educate users about security policies and reduce risks before they occur, instead of only sending lessons after risky activity is detected.

For example, when a user is added to the departing employee watchlist, you can now automatically send a lesson explaining the differences between company and personal data to proactively inform users about your policies and expectations for users leaving the company.

To add an Instructor lesson to a watchlist:

  1. Go to User Activity > Watchlists and select a watchlist.
  2. From Watchlist settings > Instructor lesson, select Add.
  3. Select a lesson and the delivery method, then click Save.

Updates

January 30, 2026

  • FedRAMP environments with an Incydr email data connection now have the option to capture email attachment contents. By default, the Collect email attachments setting is Off for FedRAMP environments. To change this setting, go to Administration > Integrations > Data Connections > Settings.

January 6, 2026

  • Reactivating a user now also automatically reactivates any insider risk agents that were deactivated as a result of the user deactivation. This helps reduce monitoring gaps and manual intervention when users are temporarily or accidentally deactivated. (Previously, agents needed to be manually reactivated after the user was reactivated.)

January 5, 2026

Previous release notes

For release notes prior to January 2026, see Previous version release notes.
