Investigate and Remediate Threats

Threat detection is only the first step in effective security operations. Once suspicious activity is identified, your team must investigate its context, confirm its severity, and take appropriate action. Security Data Lake provides built-in tools that streamline this process, allowing analysts to move from detection to response with clarity and efficiency.

This section of the documentation introduces key features that help you collaborate on cases, collect supporting evidence, and define consistent response actions to improve your organization’s security posture.

Investigations

The following feature exclusively pertains to Security Data Lake Security. Security Data Lake Security is part of the Security Data Lake centralized log management platform and requires a separate license. Contact the Security Data Lake Sales team for more information on this product.

Investigations provide a structured way to collect and organize evidence—such as dashboards, logs, saved searches, and events—into a single workspace. Analysts can quickly create investigations, associate events, prioritize tasks, and assign ownership to streamline collaboration and accelerate incident analysis.

Investigations also support complete workflows, such as updating statuses, performing bulk actions, and generating AI-powered reports that summarize findings.

Security Data Lake can automatically create a new investigation for each triggered alert, or add alerts as evidence to an existing investigation. This integration organizes alerts into structured investigations as they arrive, so analysts can manage and prioritize security events without manual effort.

Remediation

Once an investigation is underway or an event is confirmed as a security concern, the next step is remediation—taking defined actions to contain, mitigate, or resolve the threat. Security Data Lake offers two complementary features that support consistent remediation workflows.

Event Procedures

The following feature exclusively pertains to Security Data Lake Security. Security Data Lake Security is part of the Security Data Lake centralized log management platform and requires a separate license. Contact the Security Data Lake Sales team for more information on this product.

Event Procedures offer a structured, repeatable framework for responding to security events, much like an incident response playbook. They guide analysts through predefined, actionable steps, such as running searches, navigating to dashboards, or sending notifications, directly within the Security Data Lake interface. Event Procedures support dynamic context through event-based variables, can be reused across multiple rules and detectors, and include role-based access controls so that remediation is secure, consistent, and efficient.

Note

In Security Data Lake 6.3, Event Procedures is released as an early access feature for evaluation and feedback, so its design and behavior may change significantly in future releases. To share feedback on your experience with Event Procedures, email [email protected].

Remediation Steps

Remediation steps allow you to document and standardize the response actions required when suspicious activity is discovered in your environment. These steps can be tailored to your organization and linked directly to investigations or security events. Integrating remediation into the investigation workflow ensures consistent, complete responses, and supports audit and compliance efforts by making security actions transparent and repeatable.