Investigative actions are now editable (so there’s no excuse for typos)

From views to device login credentials, we’ve got a bunch of new investigative action items in our October 6 release.


  • When you view investigative actions, you can opt to see all actions in chronological order (rather than grouped by type) by selecting All actions from the filter dropdown and unchecking the Group by type checkbox. Actions are ordered by the date they were created, with the most recent first.
  • Investigative actions now display a full timestamp in addition to the relative time in (parentheses).
  • In the Add Security Device modal, you now have the option to provide the username and password for the device console login. Providing login credentials speeds up the investigation in situations when Expel analysts need to go directly to the device to gather more evidence.
  • When you create a manual investigative action, you can now assign different analysts to the “acquire” tasks and the “analyze” tasks. When the first analyst has uploaded the evidence, the action will automatically be reassigned to the second analyst.
  • Investigative actions are now editable. So there’s no excuse for typos any more.
  • In the Alert Details > Pivots tab, you can now filter similar alerts with the same source IP or destination IP. (Rejoice!)


  • We fixed a UI glitch in which investigative actions with no parameters displayed an info icon with an empty popup (because there were no parameters, duh).
  • Fixed a formatting issue that caused the colored Lifecycle dots to wrap when a security incident had more than one remediation action.
  • We also fixed a problem with the Add User modal that prevented it from being reopened after it was closed via the X icon (rather than the Close button). You can open and close this modal as often as you like now. Whee!
  • For a brief while, the Name column was missing from the security devices table. This is fixed.
  • We fixed a usability issue in the Involved Hosts tab of the alert detail where the sort column was not apparent until the table was re-sorted. (If you aren’t aware, the green horizontal bar under the column head indicates the sort column.)
  • We removed the checkboxes from the security devices table, since we don’t have any bulk actions on security devices. If you find a need for a bulk action on security devices, just let us know.
  • Checkboxes have been removed from the Resilience Recommendations lists since there are no bulk actions on these recommendations. While we were at it, we also fixed a few styling and alignment issues in the UI (if you can find ‘em we’ll be impressed).
  • We fixed an issue that resulted in the Tuning tab displaying a hover state and a wrong cursor icon when there were 0 tuning alerts.
  • We resolved a problem that caused assigned actions to appear on the Activity dashboard as if they were unassigned and to display a wrong assignment icon on refresh.