Investigations
We have already talked about the importance of the sources and the alerts. Both are the base for the Security Operations app, but once we start using the interface, the alerts triage and the threat hunting are the main actions to do, and all these actions are related to the investigations.
Investigations are the base for knowledge sharing in the Security Operations application. Users will create an investigation when something strange is detected on the Overview Dashboard, or in the Triage or Hunting areas, and then can perform a deeper investigation around the problem or simply write the first impressions and assign the investigation to a specialist in this kind of threat.
Click this icon in the top navigation bar to access the Investigations area.
Create a new investigation or add information to an existing one
You can create new investigations or add new information to existing ones in three different ways:
- In the Investigations area, clicking the yellow + icon. In this case, you can only create investigations from scratch.
- In the Triage area, after filtering alerts, you can click the Add to investigation button next to each group of alerts to create an investigation related to those alerts. All the elements you add to an investigation in this way will be added to the Evidence Bucket, which you can access by clicking the paper clip icon at the top right corner of the application. Learn more about the Evidence Bucket below.
- In the Hunting area, click the Add to investigation button after performing a search. In this case, elements will be also added to the Evidence Bucket. Learn more about this in the Threat Hunting article.
Evidence Bucket
Before creating a new investigation or updating an old one with elements added from the Triage and Hunting areas, there is always an intermediate step. All the elements that you add to an investigation from those areas go to the Evidence Bucket, where you can review and manage all the alerts and entities before defining the investigation. To access the Evidence Bucket, just click the paper clip icon that you can find at the top right corner of the application. The number next to the icon indicates the current number of alert, entities and queries in the bucket.
Using the Evidence Bucket, you can review all the elements added from the Triage and Hunting areas together, and check if any other evidence is needed before finally creating or updating an investigation. Before defining the investigation, you can delete the alerts or entities that you don't need by clicking the trash bin icon next to them. You can also click the Clean button to delete all the elements in the bucket.
You can also add enrichments to entities before opening an investigation. To do it, click the + button at the bottom of each alert, choose the entities you want to enrich, and select the required enrichments. The application will suggest you some enrichments for the selected entities, but you can mark the ones you need. Finally, click Run enrichment to add them.
To delete an enrichment from an entity, click it, select the - icon that appears, and click OK in the confirmation dialog window.
Once you have all the required elements in the bucket, you can create a new investigation or update ane existing one. To decide it, use the toggle at the right part of the bucket window.
- With the toggle in the New investigation position, just click the Create investigation button. You will be redirected to the investigation parameters window, where you can set all the details of the new investigation. Learn more about these settings below.
- With the toggle in the Add to investigation position, choose the investigation to be updated from the dropdown list and click Add to investigation. You will be redirected to the investigation parameters window. Change any parameter if required and save it. Learn more about these settings below.
Investigation parameters
In all the cases, you will be prompted to enter the details of the new investigation or edit the information on the investigation you decided to modify. The information of an investigation is divided into three different categories:
Savinf, downloading and closing investigations
Remember to click the Save button at the top right corner of the area after performing any modification in an investigation, or creating a new one.
You can download a report with the investigation contents and close it by clicking the ellipsis icon next to the Save button.
Details
This is the basic information of your investigation and is located in the left panel of the New investigation screen.
| Name | Enter a name for the investigation. |
|---|---|
| Importance | Choose the importance level of the investigation (Low, Medium or High). |
| Impact | Impact level of the investigation. |
| Status | Choose the status of the investigation between Active state, False positive, Closed, Open or Under review. |
| Assigned to | Choose the user you want to assign the investigation to. This will be automatically assigned to your user by default, but you can assign the investigation to any other user selecting it from the dropdown list. |
| MITRE Tactics | Select the required Mitre ATT&CK tactics. |
| MITRE Techniques | Select the required Mitre ATT&CK techniques. |
| Details | Enter any details you consider necessary for the investigation. |
| Labels | Enter a word and hit the ENTER key to add it as a label. You can use labels to filter specific investigations in the Investigation area. Labels are also used in the Investigation label word cloud widget of the Overview Dashboard, which shows the most used labels. |
| Keywords | Enter a word and hit the ENTER key to add it as a keyword. You can use keywords to filter specific investigations in the Triage and Investigation areas. |
Evidence
This is the main section of the investigation, where users can check the alerts or hunting queries that have initiated the investigation. The alerts are stored in specific fields depending on the type.
| Comments | Users can add comments related to the investigation in this section. A good practice is adding a comment here any time you make a modification to the investigation. Simply write the comment in the text field and click Add. New comments will appear first. You can easily edit and delete comments by clicking the pencil and - icons. |
|---|---|
| Detections | If the investigation contains Detection-type alerts, you can check them here. |
| Observations | If the investigation contains Observationon-type alerts, you can check them here. |
| Models | If the investigation contains Model-type alerts, you can check them here. |
| Analytics | If the investigation contains Analytics-type alerts, you can check them here. |
| Related investigations | Manually linked current investigations or investigations opened automatically by flows. |
| Queries | Queries obtained from hunting. |
| Enrichment | Enrichment obtained from the alerts involved in this investigation, from internal or external enrichment servers. |
| Entities | Entities involved in this investigation. |
| Associations | Click this button to check the associations of each entity involved in the investigation in a graph. This graph is the same that appears when you access the details of an alert in the Triage area. Learn more about it here. |
Investigation Timeline
Users can check all the modifications or edits made to the investigation, and when they were made. The timeline at the top shows all the alerts involved so that you can compare incidences. You can display or hide any of each type of alerts using the buttons under the timeline. In the bottom area, you can check the events that occurred during the investigation, user comments, and when the alerts were thrown.
Filter investigations
You can use the filters at the top of the Investigations area to filter specific investigations.
First, choose the time range you want to apply to your search by clicking the time selector at the top of the area. You can either choose an absolute time range selecting the start and end dates in the calendar or select a preset interval. You can also select a start date and activate the Now toggle to set the ending date to the current time. Click OK after choosing the time range.
You can click the arrow icon next to the OK button and click OK and filter to filter your data directly with the selected time range.
After applying a specific time range, you can click the play button next to the selector to activate real-time. This will allow new results to keep appearing as time passes.
Then, set the conditions you want to filter by. These are the available options:
Importance
Choose the importance of the filtered investigation (Low, Medium and/or High).
Investigation name
Filter investigations by name.
Assigned to
Select the user who was assigned the investigation.
Entity / Filter value Choose the required type of entity from the drop-down list and enter the value you want to filter by. For example, if you want to get elements related to IP addresses that contain the value 10, choose ip from the Entity drop-down and enter the value 10 in the Filter value box. Click the + button to add the required entity/filter value pairs.
Status Select the status of the investigations (Active state, Closed, False positive, Open and/or Under review). You can also select the Advanced Filters button to filter by the following criteria:
Labels
Enter the labels you want to filter by.
Keywords
Enter the keywords you want to filter by.
ATT&CK Tactic
Filter by one or several ATT&CK Tactics.
- Click Filter.
After applying the filter, the investigations that match the specified criteria will be listed below. You can access and edit their details by clicking their names.
Manage filters
You can save commonly used filters to reuse them anytime, and set as favorite the one you use the most.
Default filter
If you access the Investigation area and have not applied any custom filter, a default filter will be always applied, which returns both alerts and investigations from the last 24 hours.
Save a filter
Select the required criteria and click the save icon . Enter a name for the filter in the window that appears and click OK to save it. Click this icon
to access your saved filters.
Mark a filter as favorite
Click this icon and select the heart next to the icon you want to mark as favorite. Note that you can only mark one filter as favorite.
If you start defining a new filter or start defining a new filter, you can click Reset filters to ❤ to set your favorite filter.
Delete a filter
Click this icon and select the bin icon next to the saved filter you want to remove. Click OK in the confirmation window that appears.