Security Operations 3.1.0
New features
In the Alert details view, alert instances that are part of an investigation are now labeled with a highlighted icon.
Alerts now have an additional action called Run Query.
Alerts also have another action called Search Raw Data.
Alert statuses available from SecOps are now identical to the core platform alert states.
Tactics and techniques are now collected into the evidence bucket as analysts triage alerts.
Analysts can now ungroup alerts in the triage view, allowing them to see all the Security Operations alerts in a single list view, sorted in chronological order.
Alerts that are included as part of an investigation now have the extra data included within the investigation view. The extra data is minimized by default but can be expanded by an analyst for reference.
Improvements
Labels and keywords now use a new UI component so that they are displayed consistently across all locations.
Large performance improvement in loading the triage view when alerts are grouped by alert type.
Several UI/UX changes adapt the interface to small screens and improve usability for users across different machines.
Backend performance improvements for assigning large groups of alerts to a user within triage.
The first version of the Sigma Rule to Devo Alert Converter was contributed to the Sigma Rule repository on GitHub: GitHub - SigmaHQ/sigma: Main Sigma Rule Repository