Investigations and alerts

Roses are red, violets are blue. We’ve been working hard on some cool new updates and want to share them with you!

Easily access findings when an incident has been downgraded to an investigation

Now, when a user downgrades an incident to an investigation, the user will be required to select a downgrade reason and document why the incident is being downgraded. Once the user clicks the “Save” button, a new action is created that shows the incident was downgraded to an investigation. This action displays the downgrade reason, and links users back to the Findings page, where they can access findings and remediation actions.

More value added to the Alerts Analysis Dashboard

A new “Totals” view of the Alerts Analysis Dashboard will help you better understand the value of your security devices. The “Which technologies led to the most incidents?” section now shows a count of all devices that generated alerts for a given time range, and further breaks down which devices led to the most incidents. To see how many incidents, and what percentage of the total, each device contributed to, simply hover over the graphs.

Improved process of manually creating investigations and incidents

Creating manual investigations and incidents has never been easier with our latest updates. With the first enhancement, we added a button to create manual investigations and incidents to the Dashboards page. Now, you’ll no longer have to navigate to the Activity page if you want to spin up a manual investigation or incident. Additionally, we added drag and drop functionality to the modal in order to make the file upload process much easier. But as the instructional text states – no folders, please!

Other Enhancements

  • Filtering investigative action assignments is now even more streamlined. We’ve enhanced the “Assigned to organization” filter to include all investigative actions that are assigned to your org or to users at your org, and we’ve added a “Hide Ruxie” filter to exclude all investigative actions assigned to Ruxie.
  • The Alerts grid now displays an “Investigation” column which links to the investigation that the alert is associated with.
  • We’ve added an informative tooltip on the “Most frequent Expel alerts” section of the Alerts Analysis Dashboard to better communicate the meaning of the represented alerts.
  • We’ve added an assignment badge to investigations and incidents to help you easily identify the lead investigator.
  • We’ve enabled the “Add Comment” feature on Workbench’s mobile site, so users can easily and conveniently post on investigation details.
  • Now, when a user creates an automatic investigative action, Workbench will display the vendor device and the device name, so it’s clear which device the action is intended for.
  • When users update org level notification preferences, Workbench will now reflect those changes without requiring the page to be refreshed.
  • Workbench will now display the investigation short name under the “Related investigations” section of the “Involved Hosts” tab located on the Alerts list page.

Other fixes (and a few odds and ends)

  • After an incident had been downgraded to an investigation, closing that investigation would duplicate the “Incident downgraded to investigation” action. We’ve fixed this bug, and the action is no longer created unexpectedly.
  • The org level notification preferences table displayed a “not configured yet” tag for notification preferences that were properly configured. This didn’t impact delivery of notifications, but did cause confusion for users in Workbench, so we’ve fixed this issue.
  • To our multi-org users, this bug fix is for you. We noticed that org admins were allowed to change the primary org for users who didn’t belong to the admin’s primary org. This behavior was unintentional and has been fixed.
  • We’ve made several fixes and enhancements to your numbers on the Alerts Analysis Dashboard to help you make better sense of your Workbench data. One of our changes improved the consistency of the Expel alert counts shown on the dashboard by improving the logic for how these alerts are categorized, counted, and displayed. We’ve also fixed issues that threw off the counts of investigations and incidents on the dashboard.
  • When navigating to Workbench for the first time or after clearing cookies, the login page would not display the option to log in with SSO. This issue has been fixed.