AnnouncementCase StudyCheckmarkcustomer-story-iconData Sheethow-to-logoposts
skip to Main Content

New text fields for manual investigative actions provide documentation capability

Sep 22, 2017

As the title suggests, manual investigative actions now include text fields to capture the Reason for the action, the Outcome of the action, and the Closed reason (if the action won’t be performed). The outcome is required before completing the action.These changes help document the investigation and make our process more transparent. Also, the Manual > Other investigative action is gone and replaced by a free text field where you can create a custom action and give it any name you like.

If you’re creating a manual investigative action, you can select from the list, or type your own customer action name. (Hint: Until we have a proper commenting feature, this is a great way to add a comment to the investigation.)

 

We’ve made the Reason field required, because we want to capture the rati onale behind each step of the investigation.

The Outcome field is also required, so that we’re capturing the results of the investigative action. This line of inquiry might have resolved the issue, turned up new investigative leads, or been a dead end—no matter the outcome, that’s useful data.

More new

  • We’ve added a new Tuning tab to the Alerts page so you can see the work that Expel is doing to improve the signal-to-noise ratio. Alerts show up in this tab if we are seeing them for the first time or if we are testing a new Expel correlation rule.

Fixes

  • Fixed: Closed and completed investigative actions now show the correct timestamp, instead of all showing “a few seconds ago.”
  • Fixed: Uploading a file to an investigative action appeared to be successful in the UI, but actually the backend was dropping the file. You may now upload with abandon.
  • Fixed: Unable to close an incident when lifecycle stage Action on Target was selected.
  • Fixed: Customers were briefly able to see an All Customers dropdown in the UI—just the dropdown, not any data from other customers. This has been removed.
  • Fixed: Actions were not showing up in the Activity page > Actions tab.
  • Fixed: In some situations, the Medium severity tab on the alerts page was showing the wrong alerts.
  • Fixed: It was possible to create a new user without assigning that user to a customer.
  • Fixed: Inconsistent formatting in the modals for the investigation timeline, specifically the header font size and button color.
  • Fixed: The Involved Hosts tab of the alert details now surfaces all related source and destination IPs at the investigation level, so analysts can add alerts to existing investigations.
Back To Top