
Investigations

The Investigations page provides you with a list of all the investigations that the SOC team has performed or is performing, along with several filtering options and additional information for each investigation.

[Image: overview of the Investigations page with numbered elements]
  1. Company selector: If you are a Partner, you can click it to switch between companies and view the corresponding investigations table. You can select All managed companies or a specific managed company.

    Important

    This selector is not displayed for Customers.

  2. Info button: Clicking it opens the Knowledge Base article relevant to the Investigations page.

  3. Show or hide filters button: Controls the visibility of filtering options for the Investigations table.

  4. Refresh button: Clicking it reloads the Investigations table data.

  5. Investigations table data: Displays data for all open and closed investigations across:

    • The managed companies of the company selected in the company selector

    • All your managed companies, when All managed companies is selected

    Each investigation includes the following information:

    • Case number: The ID of the investigation

    • Detected on: The date and time when the investigation was initiated

    • Status: The investigation status, which can be Open or Closed

    • Category: The investigation type, which might be one of the following:

      • Expected Activity

      • False Positive

      • Active Threat

      • Benign Behavior

      • Malicious Code

      • Poor Security Practice

      • Potentially Unwanted Program

      • Scans

      • Unauthorized System Access

      • Vulnerability Exploitation

      • Security Risk

    • Severity: The severity of the incident resulting from the investigation. It can have one of the following values:

      • Low

      • Medium

      • High

      • Critical

      • No Threat

      • Unknown

    • Detection: The name of the signature on which the investigation is based

    • Entity: The name of the endpoint involved in the investigation (or "org" when multiple endpoints are affected). The triggering alert may be associated not only with a hostname, but also with a network address or a username.

    • Recommendation: The recommendation issued by the SOC team during the course of the investigation

      Tip

      Clicking a recommendation opens the Recommendations page, where you can view additional details about that item.

    • Company: The name of the company where the threat was detected

      Important

      This column is displayed only when a Partner-type company or the All managed companies option is selected via the company selector. It indicates which managed company each investigation belongs to.

  6. Available filters: The filters can be used to narrow down the list of investigations based on criteria such as Category, Severity, Status, or Detection.

    Important

    The list of investigation categories available for filtering is dynamically generated based on the current database and may vary between environments.

    The search fields let you quickly find investigations by entering keywords from the Case number or Entity. Additionally, investigations can be filtered by a specific time range using the calendar option in the Detected on field.

  7. Pagination bar: This bar lets you control how many items are displayed per page. You can navigate through pages using the arrows, jump directly to the first or last page, or select a specific page to view.
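The following is an added example, not code from the product or this documentation. It models the Investigations table described above (one record per investigation with the columns listed under item 5) and applies the same filters described under item 6: Category, Severity, Status, Detection, a keyword search over Case number and Entity, a Detected on time range, and the company selection from item 1. The record layout, the function names and the sample rows are assumptions made for illustration; the column names, category list and severity values are taken from the page. It is useful when the table has been exported and an analyst wants to reproduce a filtered view offline, or to check that a query such as "open investigations with High or Critical severity" returns what the console shows.

```python
"""Offline model of the Investigations table and its filters (added example)."""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Iterable, List, Optional, Sequence


class Status(Enum):
    OPEN = "Open"
    CLOSED = "Closed"


# Severity values as listed on the page.
SEVERITIES = ("Low", "Medium", "High", "Critical", "No Threat", "Unknown")

# Categories as listed on the page. The console builds its filter list from the
# live database, so an export from another environment may contain others.
CATEGORIES = (
    "Expected Activity", "False Positive", "Active Threat", "Benign Behavior",
    "Malicious Code", "Poor Security Practice", "Potentially Unwanted Program",
    "Scans", "Unauthorized System Access", "Vulnerability Exploitation",
    "Security Risk",
)


@dataclass(frozen=True)
class Investigation:
    case_number: str
    detected_on: datetime
    status: Status
    category: str
    severity: str
    detection: str                   # signature the investigation is based on
    entity: str                      # hostname, or "org" for multi-endpoint cases
    recommendation: Optional[str]    # None when the SOC issued no recommendation
    company: str                     # the managed company the case belongs to

    def __post_init__(self) -> None:
        # Severity is a closed list on the page; categories are not, so only
        # severity is validated here.
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")


def filter_investigations(
    rows: Iterable[Investigation],
    *,
    company: Optional[str] = None,          # None means "All managed companies"
    categories: Optional[Sequence[str]] = None,
    severities: Optional[Sequence[str]] = None,
    status: Optional[Status] = None,
    detection: Optional[str] = None,
    keyword: Optional[str] = None,          # matched against Case number and Entity
    detected_from: Optional[datetime] = None,
    detected_to: Optional[datetime] = None,
) -> List[Investigation]:
    """Apply the table's filters; any argument left as None is not applied."""
    kw = keyword.lower() if keyword else None
    out: List[Investigation] = []
    for r in rows:
        if company is not None and r.company != company:
            continue
        if categories is not None and r.category not in categories:
            continue
        if severities is not None and r.severity not in severities:
            continue
        if status is not None and r.status is not status:
            continue
        if detection is not None and r.detection != detection:
            continue
        if kw is not None and kw not in r.case_number.lower() and kw not in r.entity.lower():
            continue
        if detected_from is not None and r.detected_on < detected_from:
            continue
        if detected_to is not None and r.detected_on > detected_to:
            continue
        out.append(r)
    return out


# Constructed sample rows for the example; these are not real cases.
SAMPLE = [
    Investigation("INV-1001", datetime(2024, 3, 1, 9, 30), Status.OPEN, "Malicious Code",
                  "High", "Trojan.Generic", "WS-FINANCE-07", "Isolate endpoint", "Acme Corp"),
    Investigation("INV-1002", datetime(2024, 3, 2, 14, 5), Status.CLOSED, "False Positive",
                  "No Threat", "Trojan.Generic", "WS-HR-02", None, "Acme Corp"),
    Investigation("INV-1003", datetime(2024, 3, 5, 22, 15), Status.OPEN, "Unauthorized System Access",
                  "Critical", "Brute force login", "org", "Reset credentials", "Globex Ltd"),
    Investigation("INV-1004", datetime(2024, 3, 7, 8, 0), Status.CLOSED, "Scans",
                  "Low", "Port scan", "SRV-DMZ-01", None, "Globex Ltd"),
]


def case_numbers(rows: Iterable[Investigation]) -> List[str]:
    return [r.case_number for r in rows]


def open_high_or_critical(rows: Sequence[Investigation] = SAMPLE) -> List[str]:
    return case_numbers(filter_investigations(rows, status=Status.OPEN, severities=("High", "Critical")))


def company_keyword(rows: Sequence[Investigation] = SAMPLE, company: str = "Acme Corp", keyword: str = "ws-") -> List[str]:
    return case_numbers(filter_investigations(rows, company=company, keyword=keyword))


def detected_between(rows: Sequence[Investigation], start: datetime, end: datetime) -> List[str]:
    return case_numbers(filter_investigations(rows, detected_from=start, detected_to=end))


if __name__ == "__main__":
    print(open_high_or_critical())
```

Two points are worth noting when reading the results. Keyword search matches only the Case number and Entity columns, so a hostname keyword will never hit an investigation whose Entity is "org", even though that endpoint may be among the affected ones; use the Detection or Category filters to find such cases. The company argument reproduces the company selector: leaving it as None corresponds to All managed companies, where the Company column is visible, while passing a name narrows the view to that managed company.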