All about alerts

It’s May. Do you know where your alerts are? Cause we do. From our new Alerts Ticker in Workbench to the beautification of our Alerts Analysis dashboard, knowing what’s going on with your alerts – and why – has never been easier.

Highlights

New Alerts Ticker added to Workbench

We’ve added a new feature to Workbench that shows your alert count without requiring you to navigate to an alert-specific page. Now you can keep tabs on your alert count no matter which screen you’re on.

Lots of improvements to our Alerts Analysis dashboard

As in, a lot. We’ve spent a healthy dose of time on improvements to the Alerts Analysis dashboard to make it easier to read and understand. First, we’ve added a percentage comparison that calculates activity changes based on the time filter you’ve selected. This indicates whether your counts have increased, decreased or stayed the same relative to the selected time period.

You may also have noticed that the labels “Investigations” and “Security Incidents” have been changed to “Investigations from alerts” and “Incidents from alerts.” We made this change to better communicate which events feed the numbers in these counts. We’ve also added descriptions below the funnel to explain why the alert counts shown for individual vendor technologies may not add up neatly to the numbers in the funnel. Our other changes to the dashboard include minor tweaks to graph wording, formatting and behavior to make the information displayed in graphs easier to interpret.

Verify Action now available

To make life easier, we’ve introduced a new feature called “Verify Action.” With “Verify Action,” analysts and our gloriously inquisitive bot Ruxie™ will prompt you to verify activity when new investigative actions are created. You’ll get a Slack or email notification (or both) asking you to give a thumbs up or thumbs down on whether the activity in an investigative action was expected. Ready to get started? All you need to do is make sure notifications are turned on for when an action is assigned to you or your organization.

Improved display of images in investigative actions

Previously, when images were uploaded to Workbench as part of investigative actions, you had to download them to see them. Now, images uploaded for investigative actions display right in the Workbench UI, so you can view them without downloading.

Other enhancements

  • Alerts opened from the investigative Timeline tab will now open in a new browser tab, making it easier to share the alert link and continue reviewing the investigation.
  • We added a CSV export feature to the Timeline tab on investigations/incidents which allows users to export timeline events into a CSV file.
  • We introduced a one-click file upload feature for investigative actions.
  • We added audit details to remediation actions showing who created the action and when, and who made the last update and when.
  • We added an Azure Active Directory integration to Workbench so organizations that use Azure Active Directory can sign in with single sign-on.
  • We added the evidence dump view of alert details to the Alerts list view.
  • We added warnings to remediation actions that indicate when an action might involve a high risk change or user.
  • We made changes to suppress “Investigative Action Complete” email notifications for actions that are completed by Ruxie. Now, you won’t get spammed with tons of emails that don’t offer much value.
  • When investigations are closed, Workbench will now take the close reason and add it as a comment on the Investigative Actions tab of the investigation.
  • Workbench now prevents users from adding additional usernames, emails and hostnames to existing remediation actions. This makes it more likely that updates to remediation actions get noticed.

Other fixes (plus a few odds and ends)

  • We fixed an issue that caused display failure for certain file evidence in the Alert Detail view.
  • We fixed an issue that filtered out Ruxie actions on the Actions tab of the Activity page and the Situation Report dashboard.
  • When remediation actions and findings are complete, the incident pie charts should show a green “completed” status. Instead, they displayed as white when complete. This has now been fixed.
  • Ruxie actions will no longer display on the Actions tab if they are not associated with an investigation/incident.
  • We fixed an issue that disabled updating organization level notification preferences in Workbench.
  • We added error messaging around updating notification preferences to better communicate when an update has failed.