
Investigations

We have already talked about the importance of the sources and the alerts. Both are the base for the Security Operations app, but once you start using the interface, alert triage and threat hunting are the main actions you perform, and all of them revolve around investigations.

Investigations are the base for knowledge sharing in the Security Operations application. Users create an investigation when something suspicious is detected on the Overview Dashboard or in the Triage or Hunting areas. They can then dig deeper into the problem themselves, or simply record their first impressions and assign the investigation to a specialist in that kind of threat.

Click this icon in the top navigation bar to access the Investigations area.

Create a new investigation or add information to an existing one

You can create new investigations or add new information to existing ones in three different ways:

  • In the Investigations area, clicking the yellow + icon. In this case, you can only create investigations from scratch.
  • In the Triage area, after filtering alerts, you can click the Add to investigation button next to each group of alerts to create an investigation related to those alerts. All the elements you add to an investigation in this way will be added to the Investigation list, which you can access by clicking the paper clip icon at the top right corner of the application. Learn more about the Investigation list.


  • In the Hunting area, click the Add to investigation button after performing a search. In this case, elements will also be added to the Investigation list. Learn more about this in the Threat Hunting article.


Filter investigations

You can use the filters at the top of the Investigations area to filter specific investigations.

  1. First, choose the time range you want to apply to your search by clicking the time selector at the top of the area. You can either choose an absolute time range by selecting the start and end dates in the calendar, or select a preset interval. You can also select a start date and activate the Now toggle to set the end date to the current time. Click OK after choosing the time range.

    You can click the arrow icon next to the OK button and click OK and filter to filter your data directly with the selected time range.

    After applying a specific time range, you can click the play button next to the selector to activate real-time. This will allow new results to keep appearing as time passes.

  2. Then, set the conditions you want to filter by. These are the available options:

    Importance

    Choose the importance of the filtered investigations (Low, Medium and/or High).

    Investigation name

    Filter investigations by name.

    Assigned to

    Select the user(s) assigned to the investigation(s).

    Entity / Filter value

    Choose the required type of entity from the drop-down list and enter the value you want to filter by. For example, if you want to get elements related to IP addresses that contain the value 10, choose ip from the Entity drop-down and enter the value 10 in the Filter value box. Click the + button to add the required entity/filter value pairs.

    Status

    Select the status of the investigations (Active state, Closed, False positive, Open and/or Under review).

  3. You can also select the Advanced Filters button to filter by the following criteria:

    Labels

    Enter the labels you want to filter by.

    Keywords

    Enter the keywords you want to filter by.

    ATT&CK Tactic

    Filter by one or several ATT&CK Tactics.

  4. Click Filter.

After applying the filter, the investigations that match the specified criteria will be listed below. You can access and edit their details by clicking their names.
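As an added illustration (not code from the Security Operations app or this article), the Python below models the filter semantics described above over constructed investigation records: the time range with the 24-hour default that applies when no range is chosen, the AND across criteria, and the substring match on Entity / Filter value pairs such as ip contains 10. The record layout, the matching rules for labels, keywords and ATT&CK tactics, and the sample data are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
@dataclass
class Investigation:                 # constructed record; field names are assumptions, not Devo's schema
    name: str
    created: datetime
    importance: str                  # "Low", "Medium" or "High"
    assigned_to: str
    status: str                      # "Open", "Under review", "Closed", "False positive", ...
    entities: dict                   # entity type -> values, e.g. {"ip": ["10.0.0.5"]}
    labels: set = field(default_factory=set)
    keywords: set = field(default_factory=set)
    tactics: set = field(default_factory=set)

def filter_investigations(items, now, start=None, end=None, importance=None, name=None,
                          assigned_to=None, entity_filters=(), status=None,
                          labels=None, keywords=None, tactics=None):
    if start is None and end is None:            # default filter: last 24 hours
        start = now - timedelta(hours=24)
    end = now if end is None else end            # "Now" toggle: range ends at the current time
    hits = []
    for inv in items:
        in_range = (start is None or inv.created >= start) and inv.created <= end
        checks = [                               # every supplied criterion must hold (AND)
            in_range,
            not importance or inv.importance in importance,
            not name or name.lower() in inv.name.lower(),
            not assigned_to or inv.assigned_to in assigned_to,
            not status or inv.status in status,
            # Entity / Filter value pairs are substring matches, e.g. ("ip", "10")
            all(any(val in v for v in inv.entities.get(etype, []))
                for etype, val in entity_filters),
            not labels or labels <= inv.labels,          # every requested label present (assumed)
            not keywords or keywords & inv.keywords,     # any keyword matches (assumed)
            not tactics or tactics & inv.tactics,        # any ATT&CK tactic matches (assumed)
        ]
        if all(checks):
            hits.append(inv)
    return hits

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)   # constructed clock for the sample
SAMPLE = [   # constructed sample investigations, not real data
    Investigation("Lateral movement from 10.0.0.5", NOW - timedelta(hours=2), "High", "alice",
                  "Open", {"ip": ["10.0.0.5"], "user": ["svc_backup"]}, tactics={"Lateral Movement"}),
    Investigation("Phishing campaign", NOW - timedelta(hours=30), "Medium", "bob",
                  "Under review", {"domain": ["example.invalid"]}, keywords={"phishing"}),
    Investigation("Scanner noise", NOW - timedelta(hours=1), "Low", "alice",
                  "False positive", {"ip": ["192.168.1.10"]}, labels={"noise"}),
]
```

With the default range, only the two investigations created in the last 24 hours can match; the 30-hour-old one needs an explicit start date.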

Manage filters

You can save commonly used filters to reuse them anytime, and set as favorite the one you use the most.

Default filter

If you access the Investigations area without applying any custom filter, a default filter is always applied, which returns both alerts and investigations from the last 24 hours.

Save a filter

Select the required criteria and click the save icon. Enter a name for the filter in the window that appears and click OK to save it. Click this icon to access your saved filters.

Mark a filter as favorite

Click this icon and select the heart next to the saved filter you want to mark as favorite. Note that you can only mark one filter as favorite.

If you start defining a new filter, you can click Reset filters to set your favorite filter again.

Delete a filter

Click this icon and select the bin icon next to the saved filter you want to remove. Click OK in the confirmation window that appears.