Page Comparison

Enter a name for the investigation.

Choose the importance level of the investigation (Low, Medium, or High).

The impact level of the investigation.

Choose the status of the investigation between Active state, False positive, Closed, Open, or Under review.

Choose the user you want to assign the investigation to. This will be automatically assigned to your user by default, but you can assign the investigation to any other user selecting it from the dropdown list.

Select the required Mitre ATT&CK tactics.

Select the required Mitre ATT&CK techniques.

Enter any details you consider necessary for the investigation.

Enter a word and hit the

Labels are also used in the Investigation label word cloud widget of the Overview Dashboard, which shows the most used labels.

Enter a word and hit the

You can add a maximum of 10 custom fields to an investigation by clicking the + icon in this section. You must enter a key and a value for each custom field.

Users can add comments related to the investigation in this section. A good practice is adding a comment here any time you make a modification to the investigation. Simply write the comment in the text field and click Add. New comments will appear first.

You can easily edit and delete comments by clicking the pencil and - icons.

If the investigation contains Detection-type alerts, you can check them here.

If the investigation contains Observation-type alerts, you can check them here.

If the investigation contains Model-type alerts, you can check them here.

If the investigation contains Analytics-type alerts, you can check them here.

Manually linked current investigations or investigations opened automatically by flows.

Queries obtained from hunting.

Enrichment obtained from the alerts involved in this investigation, from internal or external enrichment servers.

Entities involved in this investigation.

Upload files to be analyzed in the investigation. In this section, you can find three different tabs:

• Sandbox file analysis - Upload Sandbox files to be analyzed.

• Sandbox S3 artifact analysis - Upload and analyze Sandboz SR artifacts to be added to the investigation. Choose the required artifacts from the list and click Upload.

• Memory

• dump analysis - Upload memory files to be analyzed. When you select a memory file to be uploaded, you must choose the command(s) to be run, a memory profile, and the desired output format. You can check all the available commands, profiles, and output formats by clicking the Info button. Once you're done, click Upload. Note that this process might take some time and that only raw physical memory files are supported with Windows memory profiles at this time. 

All files will be stored in the system so you can use, manage and delete them as required.

Click this button to check the associations of each entity involved in the investigation in a graph. This graph is the same that appears when you access the details of an alert in the Triage area. Learn more about it here.