...
This is the basic information about your investigation; it is located in the left panel of the New investigation screen.
| Field | Description |
|---|---|
| Name (mandatory) | Enter a name for the investigation. |
| Importance | Choose the importance level of the investigation (Low, Medium, or High). |
| Impact | The impact level of the investigation. |
| Status | Choose the status of the investigation: Active state, False positive, Closed, Open, or Under review. |
| Assigned to | Choose the user you want to assign the investigation to. By default the investigation is assigned to your own user, but you can assign it to any other user by selecting them from the dropdown list. |
| MITRE Tactics | Select the required MITRE ATT&CK tactics. |
| MITRE Techniques | Select the required MITRE ATT&CK techniques. |
| Details | Enter any details you consider necessary for the investigation. |
| Labels | Enter a word and hit the ... Labels are also used in the Investigation label word cloud widget of the Overview Dashboard, which shows the most used labels. |
| Keywords | Enter a word and hit the ... |
| Custom fields | You can add a maximum of 10 custom fields to an investigation by clicking the + icon in this section. You must enter a key and a value for each custom field. |
Evidence
This is the main section of the investigation, where users can check the alerts or hunting queries that initiated the investigation. The alerts are stored in specific fields depending on their type.
...
| Section | Description |
|---|---|
| Comments | Users can add comments related to the investigation in this section. A good practice is to add a comment here any time you modify the investigation. Simply write the comment in the text field and click Add. New comments appear first. You can easily edit and delete comments by clicking the pencil and - icons. |
| Detections | If the investigation contains Detection-type alerts, you can check them here. |
| Observations | If the investigation contains Observation-type alerts, you can check them here. |
| Models | If the investigation contains Model-type alerts, you can check them here. |
| Analytics | If the investigation contains Analytics-type alerts, you can check them here. |
| Behaviour | |
| Related investigations | Manually linked current investigations, or investigations opened automatically by flows. |
| Queries | Queries obtained from hunting. |
| Enrichment | Enrichment obtained from the alerts involved in this investigation, from internal or external enrichment servers. |
| Entities | Entities involved in this investigation. |
| Files / Analysis | Upload files to be analyzed in the investigation. In this section, you can find three different tabs: ... All files are stored in the system so you can use, manage and delete them as required. |
| Associations | Click this button to check the associations of each entity involved in the investigation in a graph. This is the same graph that appears when you access the details of an alert in the Triage area. Learn more about it here. |
...