Start an investigation
To start an investigation:
- Go to Detections > Triage Rules. The Detections Rules page opens.
- Click a rule to open the Details page.
- Click Start Investigation. The Add Query to Investigation dialog opens.
  The dialog has the following fields:
  Query Name: Enter a name for the query.
  Search Query: Enter the query string.
  Last 7 Days: Click to set the date range to Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 60 Days or Last 90 Days.
  Sort by timestamp: Select Ascending or Descending.
  Retrieve up to: Click to set the maximum number of rows retrieved (100, 500, 1000, or 10,000).
  Create a New Investigation: Click to create a new investigation.
  Add to Existing Investigation: Click to add the query to an existing investigation. The Choose Investigation dropdown is displayed.
  Run a Private Query: Select this option to add the query to an ad hoc search instead of an investigation.
  Investigation Name: Enter a name for the new investigation.
  Description: Enter a short description of the new investigation.
  Choose Investigation: Select an investigation from the list.
- Click Add Query.