Updated Investigation page

Hi Team,

The new IDR Investigation view is really good and priority option would really helpful.

Now, I have small issue here where we are not able to see the alert notes icon. If this icon or notes option is visible in investigation page, it will really more helpful for everyone.

Previously, from the investigation page we can easily identify whether the notes are updated or not. Also based on the notes count we can understood that incident followup information has been updated. But this option is not available in this new view. Now, we have open each and every investigation to ensure the notes are update or not which make more time consume.

Kindly have a look into this and help us…

Also, the same request again, please include export option from investigation GUI which makes easy to finish the report works. Hopefully this has been requested by most of the people and we all are waiting for this update.

1 Like

I agree on these points!

I’m also now missing the option to filter all incidents that are not assigned to any Admin at the moment - that was previously a great way for me to follow up if my team had missed some incidents.

/Richard

1 Like

Well the filtering for the alert type also isn’t there anymore. Users need to open the specific investigation just to know which alert type it is. A tedious manual work especially for those group that records data on what alert type is frequently occurring within.

1 Like

Hi everyone!

I’m the Lead Product Manager for the Investigation pages and love hearing all of your great feedback. It is super helpful for me and the team. A couple things on the above. We are looking to bring back an indicator of notes on the investigation management page as well as the alert type filter! Both of these are actively being worked on by the teams right now.

As for the filtering on “Unassigned”, this is the first time we are hearing this feedback but your use case makes total sense to me. Let me bring this back to the team as well.

Thank you again for taking the time to share your thoughts here!
Maura

2 Likes

Please add back the UI to clearly communicate if notes have been applied to an investigation.

Can Rapid7 also consider creating the ability to add notes to an investigation, without having to access the investigation itself. While viewing all open investigations, the blue chevron located to the far right could reveal a Notes section, and grant someone the ability to add notes from that added UI as well.

Hi John,

Yes, we are bringing that back to the UI. Our UX and engineering teams are digging into it right now.

Also, that is a great idea of adding notes right from the investigation management page. We will explore that as an option as well.

Thank you for the feedback!
Maura

Related to the new Investigations page, we appear to have lost the ability to create UBA exceptions directly from the investigation. In fact, after several hours of searching, we appear to have lost that ability altogether. We can still delete UBA exceptions, but I can’t find an obvious way of addingthem.

Hi Bill,

UBA exceptions are still available, depending on the alert type (not all UBA alerts have exception options)

You should see the option when closing a rule as Modify and Close

Screen Shot 2021-12-06 at 4.16.27 PM

Then you can select a detection rule modification option.

Screen Shot 2021-12-06 at 4.16.34 PM

Thanks David. Like everything else with this update, the option’s still there, it just takes a few more clicks to get to it. I’m really split on this update. Visually, it’s quite striking, but everything takes longer with it.

2 Likes

Yes, it should be possible to “Modify and Close” as well as “Close all investigations of type in this date range” right from the Investigation page (the overview where you can see all the filtered events) instead of only at the Investigation Detail page. The way it was before worked faster and more intiutive, just as Bill said. When I had several similar investigations I just checked on them on the investigation page and closed them and didn’t even check the Investigation Detail page because there was no need for this. Closing, mass closing & modifying now takes a bit longer than before for me.

Would it be possible to have those options also at the Investigation page instead of only at the Investigation Detail page?

Hey Robert and Bill -

The option to close investigations with modifications or allowlists from the investigation management page is being worked on by the team right now so you should see these options come back shortly.

Appreciate the feedback!

Maura

2 Likes

Hi Maura, that’s great news, thank you!

Update: Modify and Close is back, yey! :wink:

2 Likes

The most annoying thing about the Investigations redesign, is that I can no longer see if there are notes applied to the individual investigation from the Investigations menu. I am forced to view the individual investigation itself, to see if there are any notes applied by analysts and to view those notes.

Additionally, it would be helpful to have the ability to add notes to an investigation, directly from the Investigation dashboard view.

Hi John,

We are working to add the notes count back into investigation management right now so keep an eye out for it!

Additionally, we are also exploring the idea of adding notes directly from the management view though this is not actively being worked on by engineering quite yet.