We have already talked about the importance of sources and alerts. Both are the base for the Security Operations app, but once you start using the interface, alert triage and threat hunting are the main actions to perform, and all of these actions revolve around investigations.
Investigations are the base for knowledge sharing in the Security Operations application. Users will create an investigation when something strange is detected on the Overview Dashboard, or in the Triage or Hunting areas, and then can perform a deeper investigation around the problem or simply write the first impressions and assign the investigation to a specialist in this kind of threat.
Click the Investigations icon in the top navigation bar to access the Investigations area.
Create a new investigation or add information to an existing one
You can create new investigations or add new information to existing ones in three different ways:
- In the Investigations area, clicking the yellow + icon. In this case, you can only create investigations from scratch.
- In the Triage area, after filtering alerts, you can click the + icon next to each group of alerts to create an investigation related to those alerts. Learn more about this in Triaging alerts.
- In the Hunting area, clicking the Add to investigation button after performing a search. Learn more about this in the Threat Hunting article.
In the Triage and Hunting areas, a dialog appears and you must choose between starting a new investigation or adding the information to an existing one, using the toggle button in the window.
If you create a new investigation, add the required alerts/entities (in the Triage area) or queries (in the Hunting area) and click Create investigation.
If you add new information to an existing investigation, you must also select the required investigation from the dropdown list, and click Add to investigation.
In all cases, you will be prompted to enter the details of the new investigation or edit the information of the investigation you decided to modify. The information of an investigation is divided into three different categories: the basic information in the left panel, the main investigation content, and the history of modifications.
Remember to click the Save button after performing any modification in an investigation, or save a new one.
This is the basic information of your investigation and is located in the left panel of the New investigation screen.
| Field | Description |
| --- | --- |
| Name | Enter a name for the investigation. |
| Importance | Choose the importance level of the investigation (Low, Medium or High). |
| Status | Choose the status of the investigation: Active state, False positive, Closed, Open or Under review. |
| User | Choose the user you want to assign the investigation to. By default the investigation is assigned to your own user, but you can assign it to any other user by selecting it from the dropdown list. |
| ATT&CK Behavior | Select the required MITRE ATT&CK tactic. |
| Details | Enter any details you consider necessary for the investigation. |
| Labels | Enter a word and press the ENTER key to add it as a label. You can use labels to filter specific investigations in the Investigations area. Labels are also used in the Investigation label word cloud widget of the Overview Dashboard, which shows the most used labels. |
| Keywords | Enter a word and press the ENTER key to add it as a keyword. You can use keywords to filter specific investigations in the Triage and Investigations areas. |
This is the main section of the investigation, where users can check the alerts or hunting queries that have initiated the investigation. The alerts are stored in specific fields depending on the type.
Users can add comments related to the investigation in this section. A good practice is adding a comment here any time you make a modification to the investigation. Simply write the comment in the text field and click Add. New comments will appear first.
You can edit and delete comments by clicking the pencil and minus (-) icons.
| Section | Description |
| --- | --- |
| Detections | If the investigation contains Detection-type alerts, you can check them here. |
| Observations | If the investigation contains Observation-type alerts, you can check them here. |
| Models | If the investigation contains Model-type alerts, you can check them here. |
| Analytics | If the investigation contains Analytics-type alerts, you can check them here. |
| Related investigations | Manually linked current investigations, or investigations opened automatically by flows. |
| Queries | Queries obtained from hunting. |
| Enrichment | Enrichment obtained from the alerts involved in this investigation, from internal or external enrichment servers. |
| Entities | Entities involved in this investigation. |
| Association | Associations of each entity involved in the investigation. |
| Timelines | Record of all activities related to this investigation from the moment it was created. |
| Files / Analysis | Files uploaded to the investigation. You can upload any file to complement an investigation. All files are analyzed with Viper Sandbox or VirusTotal before being uploaded, and PCAP files are also analyzed to extract all internal connections. This is only considered extra information and does not trigger any action. You can decide how to store this information in the settings that can be accessed from the Overview Dashboard. Learn more here. |
Users can check all the modifications or edits made to the investigation, and when they were made.
Click the Save button to create the investigation.
You can use the filters at the top of the Investigations area to filter specific investigations.
After accessing the Investigations area, set the conditions you want to filter by. These are the available options:
- From / To: Select the time range of the filtered investigations.
- Importance: Choose the importance of the filtered investigations (Low, Medium and/or High).
- Name: Filter investigations by name.
- User: Select the user who was assigned the investigation.
- Status: Select the status of the investigations (Active state, Closed, False positive, Open and/or Under review).
You can also select the Advanced Filters button to filter by labels, keywords and MITRE tactics or techniques.
Then click Filter.
After applying the filter, the investigations that match the specified criteria will be listed below. You can access and edit their details by clicking their names.
You can save commonly used filters to reuse them anytime, and set as favorite the one you use the most.
If you access the Investigations area and have not applied any custom filter, a default filter is always applied, which returns both alerts and investigations from the last 24 hours.
Save a filter
Select the required criteria and click the save icon. Enter a name for the filter in the window that appears and click OK to save it. Click the saved filters icon to access your saved filters.
Mark a filter as favorite
Click the saved filters icon and select the heart next to the filter you want to mark as favorite. Note that you can only mark one filter as favorite.
If you start defining a new filter, you can click Reset filters to ❤ to apply your favorite filter instead.
Delete a filter
Click the saved filters icon and select the bin icon next to the saved filter you want to remove. Click OK in the confirmation window that appears.