The Investigations page provides you a list of all the Investigations that the SOC team has performed, along with several filtering options and additional information for each investigation.

  • Case number - the ID of the investigation. Click any case number to display additional information about the event.

  • Detected on - timestamp of when the investigation was initiated.

  • Category - the type of the investigation.

    • Expected Activity

    • False Positive

    • Malicious Code

    • Poor Security Practice

    • Potentially Unwanted Program

    • Scans

    • Unauthorized System Access

    • Vulnerability Exploitation

  • Severity - the severity of the incident, as determined by the investigation. The severity of an incident can have one of these values:

    • Low

    • Medium

    • High

    • No threat

    • Unknown

  • Detection - the name of the signature on which the investigation is based.

  • Entity - the name of the endpoint involved (or the organization, when multiple endpoints are involved). The triggering alert is not necessarily associated with a hostname; it can also be associated with a network address or a username.

  • Company - the name of the company where the threat was detected.