
Investigation parameters

Overview

When you create or update an investigation, you are prompted to enter the details of the new investigation or to edit the information of the investigation you chose to modify. An investigation's information is divided into three categories, described below.

Saving, downloading and closing investigations

Remember to click the Save button in the top right corner of the area after modifying an investigation or creating a new one.

Once you have saved an investigation, you can download a report with its contents and close it by clicking the corresponding options next to the Save button.

Details

This is the basic information about your investigation and is located in the left panel of the New investigation screen.

Name (mandatory)

Enter a name for the investigation.

Importance

Choose the importance level of the investigation (Low, Medium, or High).

Impact

The impact level of the investigation.

Status

Choose the status of the investigation from Active state, False positive, Closed, Open, or Under review.

Assigned to

Choose the user you want to assign the investigation to. By default, the investigation is assigned to your own user, but you can assign it to any other user by selecting them from the dropdown list.

MITRE Tactics

Select the required MITRE ATT&CK tactics.

MITRE Techniques

Select the required MITRE ATT&CK techniques.

Details

Enter any details you consider necessary for the investigation.

Labels

Enter a word and press the ENTER key to add it as a label. You can use labels to filter specific investigations in the Investigation area.

Labels are also used in the Investigation label word cloud widget of the Overview Dashboard, which shows the most used labels.

Keywords

Enter a word and press the ENTER key to add it as a keyword. You can use keywords to filter specific investigations in the Triage and Investigation areas.

Custom fields

You can add a maximum of 10 custom fields to an investigation by clicking the + icon in this section. You must enter a key and a value for each custom field.

Evidence

This is the main section of the investigation, where users can check the alerts or hunting queries that triggered the investigation. Alerts are listed under a specific section depending on their type.

Comments

Users can add comments related to the investigation in this section. A good practice is to add a comment here every time you modify the investigation. Simply write the comment in the text field and click Add. The newest comments appear first.

You can easily edit and delete comments by clicking the pencil and - icons.

Detections

If the investigation contains Detection-type alerts, you can check them here.

Observations

If the investigation contains Observation-type alerts, you can check them here.

Models

If the investigation contains Model-type alerts, you can check them here.

Analytics

If the investigation contains Analytics-type alerts, you can check them here.

Behaviour

 

Related investigations

Investigations that were manually linked to the current one, or that were opened automatically by flows.

Queries

Queries obtained from hunting.

Enrichment

Enrichment obtained from the alerts involved in this investigation, from internal or external enrichment servers.

Entities

Entities involved in this investigation.

Files / Analysis

Upload files to be analyzed as part of the investigation. This section contains three tabs:

  • Sandbox file analysis - Upload Sandbox files to be analyzed.

  • Sandbox S3 artifact analysis - Upload and analyze Sandbox S3 artifacts to be added to the investigation. Choose the required artifacts from the list and click Upload.

  • Memory dump analysis - Upload memory files to be analyzed. When you select a memory file to upload, you must choose the command(s) to run, a memory profile, and the desired output format. You can check all the available commands, profiles, and output formats by clicking the Info button. Once you're done, click Upload. Note that this process might take some time, and that only raw physical memory files are currently supported with Windows memory profiles.

All uploaded files are stored in the system so that you can use, manage, and delete them as required.

PCAP files

When you upload a file to an investigation, you can choose the method used to analyze it. For PCAP files, however, the analysis method cannot be chosen.

Associations

Click this button to view the associations of each entity involved in the investigation as a graph. This is the same graph that appears when you open the details of an alert in the Triage area. Learn more about it here.

Investigation timeline

Users can check all the modifications made to the investigation and when they were made. The timeline at the top shows all the alerts involved so that you can compare incidents. You can show or hide each type of alert using the buttons under the timeline. In the bottom area, you can check the events that occurred during the investigation, user comments, and when the alerts were raised.