...

Comments

Users can add comments related to the investigation in this section. A good practice is adding a comment here any time you make a modification to the investigation. Simply write the comment in the text field and click Add. New comments will appear first.

You can edit or delete a comment by clicking its pencil or minus (-) icon.

Detections

If the investigation contains Detection-type alerts, you can check them here.

Observations

If the investigation contains Observation-type alerts, you can check them here.

Models

If the investigation contains Model-type alerts, you can check them here.

Analytics

If the investigation contains Analytics-type alerts, you can check them here.

Behaviour

Related investigations

Investigations that were manually linked to the current one, or that were opened automatically by flows.

Queries

Queries obtained from hunting.

Enrichment

Enrichment obtained from the alerts involved in this investigation, from internal or external enrichment servers.

Entities

Entities involved in this investigation.

Files / Analysis

Upload files to be analyzed in the investigation. In this section, you can find three different tabs:

  • Sandbox file analysis - Upload Sandbox files to be analyzed.

  • Sandbox S3 artifact analysis - Upload and analyze Sandbox S3 artifacts to be added to the investigation. Choose the required artifacts from the list and click Upload.

  • Memory dump analysis - Upload memory files to be analyzed. When you select a memory file to be uploaded, you must choose the command(s) to be run, a memory profile, and the desired output format. You can check all the available commands, profiles, and output formats by clicking the Info button. Once you're done, click Upload. Note that this process might take some time and that only raw physical memory files are supported with Windows memory profiles at this time.

All files will be stored in the system so you can use, manage and delete them as required.

Note

PCAP files

When you upload a file to an investigation, you will be able to choose the method you want to analyze it with. However, you won’t be able to choose the method for PCAP files.

Associations

Click this button to check the associations of each entity involved in the investigation in a graph. This graph is the same that appears when you access the details of an alert in the Triage area. Learn more about it here.

...