We’ve made several small changes to the way you update the status of an investigation or incident to make it easier to use. Now you don’t have to make that agonizing choice between Closed and Resolved at the end of an incident. We removed Resolved because it was not being used. We also added an Unknown option to all the dropdowns (except for Attack timing) for those times when the investigation findings are still unclear. Read on to learn more about it plus other enhancements that’ll simplify your workflow.
Update Status enhancements
We’ve made several small changes to simplify the Update Status drawer. Previously, an incident could be Closed or Resolved. We removed the Resolved status, since it was not being used.
- When you close a security incident, the summary fields (Threat type, Attack timing, etc.) are now required. We’ve added an Unknown option to all the dropdowns (except Attack timing) in case the findings aren’t clear.
- When you close an investigation, the summary fields (Suspected threat type, Suspected attack vector, etc.) are optional. We’ve tried to make that clearer to avoid confusion.
- The Close buttons now specify what you’re closing. You can choose to either Close Investigation or Close Incident.
When you’re updating the status of a Closed investigation or security incident, you’ll see the following changes:
- We changed the name of the Reopen button. It’s now called Update Status.
- Clicking Reopen gives you two options: Edit or Reopen.
  - Edit is for situations where you need to change the incident summary or fix a typo in the Closed Reason.
  - Reopen is for when you need to reopen an investigation or incident because new related information has come in, or your remediation activities haven’t been successful.
- When you acquire a triage package from FireEye HX via an investigative action, the download file is now in .mans format so you can open it in FireEye’s freeware tool, Redline.
- We’ve added Source IP and Destination IP to the Involved Hosts tab on the alerts detail and investigation, so you can see how these investigations and security incidents are related.
- When you add a timeline event to the investigation, we’re capturing the source and destination IPs you entered on the Involved Hosts tab.
- We changed Expel alert timestamps to ISO format to clarify that these are UTC times. You might still see timestamps with time zones appended to them if your security devices are configured for local time.
- You can now delete Assemblers and security devices from the UI. But out of sight ≠ out of mind. The devices continue to be stored in the database so we don’t lose the alerts generated from the devices.
Other fixes (and a few odds and ends)
- Fixed an issue that caused unhealthy security devices to only display an alert icon, instead of an alert icon plus a description of the problem.
- Fixed a validation issue in the Add User modal. If you create a new user with an email that’s already in use, you’ll be alerted when you click Save.
- Fixed a problem that caused occasional error messages when you tried to view the timeline for an investigation.
- Fixed a display problem that caused security incidents with a Lifecycle status of Unknown to display with the highest severity rating (that is, all the colored dots were filled in).
- Fixed a problem that caused display issues with some IBM QRadar alerts.
- Fixed a text alignment issue in Closed alerts on the Alerts page.
- Fixed an issue that caused alerts to have the status Investigating when they were added to a closed investigation. They now have the correct status of Closed.
- Fixed an issue in hunting investigations where the Data Viewer tab was missing its icon when there was data to view.
- Filtering was broken on the Data Viewer for a brief while. It’s fixed again.
- Fixed some display issues with the File MD5 column of data in the Data Viewer.
- Fixed an intermittent issue that prevented alerts from being added to a closed investigation.