Before creating a new investigation or updating an old one with elements added from the Triage and Hunting areas, there is always an intermediate step. All the elements that you add to an investigation from those areas go to the Investigation list, where you can review and manage all the alerts and entities before defining the investigation.
To access the Investigation list, click the paper clip icon in the top right corner of the application. The number next to the icon indicates the current number of alerts, entities, and queries in the list.
Using the Investigation list, you can review all the elements added from the Triage and Hunting areas together, and check if any other evidence is needed before finally creating or updating an investigation. Before defining the investigation, you can delete the alerts or entities that you don't need by clicking the trash bin icon next to them. You can also click the Clean button to delete all the elements in the bucket.
You can also add enrichments to entities before opening an investigation. To do so, click the + button at the bottom of each alert, choose the entities you want to enrich, and select the required enrichments. The application suggests some enrichments for the selected entities, but you can select the ones you need. Finally, click Run enrichment to add them.
To delete an enrichment from an entity, click it, select the - icon that appears, and click OK in the confirmation dialog window.
Create or update an investigation
Once you have all the required elements in the bucket, you can create a new investigation or update an existing one. To choose between the two, use the toggle on the right side of the bucket window.
- With the toggle in the New investigation position, just click the Create investigation button. You will be redirected to the investigation parameters window, where you can set all the details of the new investigation. Learn more about these settings in Investigation parameters.
- With the toggle in the Add to investigation position, choose the investigation to be updated from the dropdown list and click Add to investigation. You will be redirected to the investigation parameters window. Change any parameter if required and save it. Learn more about these settings in Investigation parameters.