When you create or update an investigation, you are prompted to enter the details of the new investigation or to edit the information of the investigation you chose to modify. The information of an investigation is divided into three categories:
Saving, downloading and closing investigations
Remember to click the Save button in the top right corner of the area after creating an investigation or making any modification to it; unsaved changes are lost.
Once an investigation is saved, you can download a report containing its contents, or close the investigation, by clicking the corresponding option next to the Save button.
This is the basic information about your investigation, located in the left panel of the New investigation screen.
Enter a name for the investigation.
Choose the importance level of the investigation (Low, Medium, or High).
Choose the impact level of the investigation.
Choose the status of the investigation from Active state, False positive, Closed, Open, or Under review.
Choose the user to assign the investigation to. By default it is assigned to your own user, but you can assign it to any other user by selecting that user from the dropdown list.
Select the relevant MITRE ATT&CK tactics.
Select the relevant MITRE ATT&CK techniques.
Enter any details you consider necessary for the investigation.
Enter a word and press ENTER to add it as a label. Labels can be used to filter investigations in the Investigation area.
Labels also feed the Investigation label word cloud widget of the Overview Dashboard, which shows the most frequently used labels.
Enter a word and press ENTER to add it as a keyword. Keywords can be used to filter investigations in both the Triage and Investigation areas.
This is the main section of the investigation, where users can review the alerts or hunting queries that initiated it. Alerts are grouped into separate fields according to their type.
Users can add comments related to the investigation in this section. A good practice is to add a comment every time you modify the investigation, so that the comments form a record of who changed what and why. Write the comment in the text field and click Add. The newest comments appear first.
You can edit or delete a comment by clicking the pencil icon or the - icon, respectively.
If the investigation contains Detection-type alerts, you can check them here.
If the investigation contains Observation-type alerts, you can check them here.
If the investigation contains Model-type alerts, you can check them here.
If the investigation contains Analytics-type alerts, you can check them here.
Other investigations related to this one, either linked manually or opened automatically by flows.
Queries obtained from hunting.
Enrichment data obtained for the alerts involved in this investigation, from internal or external enrichment servers.
Entities involved in this investigation.
Files / Analysis
Upload files to be analyzed as part of the investigation. This section contains three tabs:
Click this button to view the associations between the entities involved in the investigation as a graph. It is the same graph that appears when you open the details of an alert in the Triage area.
Users can review every modification or edit made to the investigation, together with when it was made. The timeline at the top shows all the alerts involved, so that you can correlate them in time. You can show or hide each alert type using the buttons below the timeline. The bottom area lists the events that occurred during the investigation, the user comments, and when each alert was triggered.