Investigations

Investigations collate alert and event information into a single timeline of activity.

Creating or Adding to Investigations

To add to an existing investigation, click the Create or add to existing investigation dropdown on any alert or event details quick view. The dropdown lists every investigation currently open in the system. To create a new one, type in a new name, then either press the Enter key or select the Create button.

Add to existing view:

Create a new Investigation view:

Once this data has been added to the investigation, the system automatically redirects you to the new investigation.

Using Investigations

Investigations have the following options:

  • Owners: Investigations have an owner. If you want to transfer the ownership to someone else, you can change the owner by selecting the dropdown, and choosing a new owner.
  • Status: You can update the status of an investigation to Reported, No action, or Open.

You can also choose to Delete or Close investigations at any point. Once an investigation is Closed you can choose to Reopen to record more data against it in the future.

Investigation Timeline

The investigation provides you with a merged timeline of activity for your collated information, be it policy alerts, AI anomalies or raw event logs. Selecting an individual timeline card reveals the Quick View, allowing you to see all the information collected for that item.

You can also add notes to your investigation, ensuring that additional context and commentary are recorded for the analyst.
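The sections above describe a small data model: heterogeneous items (policy alerts, AI anomalies, raw events, analyst notes) collated into one chronologically merged timeline, an owner that can be transferred, a status of Open, Reported or No action, and a close/reopen lifecycle that blocks new data until the investigation is reopened. The example below is added here to show that model in code; it is not the product's own implementation, and every class, function name and sample record in it is constructed for illustration.

```python
"""Model of an investigation that collates alerts, anomalies, raw events and
analyst notes into one chronologically merged timeline, with owner, status
and close/reopen lifecycle.  Added example: an assumed model, not the
product's data model; all names and sample records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Status values named in the documentation.  Closed is tracked separately so a
# closed investigation can be reopened without losing its last recorded status.
STATUSES = ("Open", "Reported", "No action")


@dataclass(order=True)
class TimelineCard:
    """One card on the merged timeline; cards are ordered by timestamp only."""
    when: datetime
    kind: str = field(compare=False)      # "policy alert", "AI anomaly", "event", "note"
    summary: str = field(compare=False)
    detail: Dict[str, str] = field(default_factory=dict, compare=False)  # Quick View data


class ClosedInvestigation(Exception):
    """Raised when data is added to a closed investigation (reopen it first)."""


class Investigation:
    def __init__(self, name: str, owner: str) -> None:
        self.name = name
        self.owner = owner
        self.status = "Open"
        self.closed = False
        self._cards: List[TimelineCard] = []

    def add(self, card: TimelineCard) -> None:
        """Collate an alert, anomaly, event or note into this investigation."""
        if self.closed:
            raise ClosedInvestigation(f"{self.name!r} is closed; reopen it to record more data")
        self._cards.append(card)

    def add_note(self, analyst: str, text: str, when: Optional[datetime] = None) -> None:
        """Analyst commentary is stored as a card so it shows up in context on the timeline."""
        self.add(TimelineCard(when or datetime.now(timezone.utc), "note", text, {"analyst": analyst}))

    def transfer(self, new_owner: str) -> None:
        self.owner = new_owner

    def set_status(self, status: str) -> None:
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r}; expected one of {STATUSES}")
        self.status = status

    def close(self) -> None:
        self.closed = True

    def reopen(self) -> None:
        self.closed = False

    def timeline(self) -> List[TimelineCard]:
        """Merged view: every source in a single time order, whatever order it was added in."""
        return sorted(self._cards)


def open_investigations(registry: Dict[str, Investigation]) -> List[str]:
    """What the 'Create or add to existing investigation' dropdown would list: open ones only."""
    return sorted(name for name, inv in registry.items() if not inv.closed)


def create_or_add(registry: Dict[str, Investigation], name: str,
                  card: TimelineCard, owner: str) -> Investigation:
    """Add the card to the named investigation, creating it if it does not exist yet."""
    inv = registry.get(name)
    if inv is None:
        inv = Investigation(name, owner)
        registry[name] = inv
    inv.add(card)  # raises ClosedInvestigation if the named investigation was closed
    return inv


def demo_registry() -> Dict[str, Investigation]:
    """Constructed sample: three sources feeding one investigation, added out of time order."""
    def at(hour: int, minute: int) -> datetime:
        return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)

    reg: Dict[str, Investigation] = {}
    create_or_add(reg, "INV-example", TimelineCard(at(10, 15), "policy alert",
                  "Large outbound transfer from host", {"src": "10.0.0.8"}), "alice")
    create_or_add(reg, "INV-example", TimelineCard(at(9, 58), "event",
                  "DNS query to rarely seen domain", {"src": "10.0.0.8"}), "alice")
    create_or_add(reg, "INV-example", TimelineCard(at(10, 2), "AI anomaly",
                  "Upload volume unusual for this host", {"score": "0.93"}), "alice")
    reg["INV-example"].add_note("alice", "Host isolated pending review", at(10, 40))
    return reg


if __name__ == "__main__":
    for card in demo_registry()["INV-example"].timeline():
        print(card.when.strftime("%H:%M"), card.kind.ljust(12), card.summary)
```

The merge is nothing more than a sort on the card timestamp, which is the whole point of a collated timeline: the analyst reads the DNS event, the anomaly, the policy alert and the note in the order they happened, not in the order the sources delivered them.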
