...
| Field | Description |
|---|---|
| Name (mandatory) | Enter a name for the investigation. |
| Importance | Choose the importance level of the investigation (Low, Medium, or High). |
| Impact | The impact level of the investigation. |
| Status | Choose the status of the investigation: Active state, False positive, Closed, Open, or Under review. |
| Assigned to | Choose the user you want to assign the investigation to. The investigation is assigned to your own user by default, but you can assign it to any other user by selecting them from the dropdown list. |
| MITRE Tactics | Select the required MITRE ATT&CK tactics. |
| MITRE Techniques | Select the required MITRE ATT&CK techniques. |
| Details | Enter any details you consider necessary for the investigation. |
| Labels | Enter a word and hit the ... Labels are also used in the Investigation label word cloud widget of the Overview Dashboard, which shows the most used labels. |
| Keywords | Enter a word and hit the ... |
| Custom fields | You can add a maximum of 10 custom fields to an investigation by clicking the + icon in this section. You must enter a key and a value for each custom field. |
Evidence
...
| Tab | Description |
|---|---|
| Comments | Users can add comments related to the investigation in this section. A good practice is to add a comment here any time you modify the investigation. Write the comment in the text field and click Add. The newest comments appear first. You can edit and delete comments by clicking the pencil and - icons. |
| Detections | If the investigation contains Detection-type alerts, you can check them here. |
| Observations | If the investigation contains Observation-type alerts, you can check them here. |
| Models | If the investigation contains Model-type alerts, you can check them here. |
| Analytics | If the investigation contains Analytics-type alerts, you can check them here. |
| Related investigations | Investigations linked manually to the current one, or investigations opened automatically by flows. |
| Queries | Queries obtained from hunting. |
| Enrichment | Enrichment obtained from the alerts involved in this investigation, from internal or external enrichment servers. |
| Entities | Entities involved in this investigation. |
| Files / Analysis | Upload files to be analyzed in the investigation. In this section, you can find three different tabs: |
| Associations | Click this button to check the associations of each entity involved in the investigation in a graph. This graph is the same one that appears when you access the details of an alert in the Triage area. Learn more about it here. |
...