Viewing investigation results

You can view details about an offense and see the results of your investigation from the Watson Investigations page in QRadar® Advisor with Watson™.

About this task

The Watson Investigations page in QRadar Advisor with Watson shows all offenses that are being investigated or whose analysis is complete.

Note: To configure offenses for automatic investigation, see Investigating offenses automatically.

Procedure

  1. On the Watson Investigations page, you can:
    • Check the status of an investigation
    • Sort the table by evaluation priority, ID, source, suspicious observables, domain, last investigation, and status
    • Select the check boxes of the investigations that you want to reinvestigate
    • Select the check boxes of the investigations that you want to permanently delete
    • Select the check boxes of the investigations whose analysis results you want to export to STIX, CSV, or reference sets
    The following example shows the light theme UI of the Watson Investigations page in version 2.6.0. To see an example of the dark theme UI, see What's new in the QRadar Advisor with Watson app.
    [Figure: Watson Investigations page, light theme UI]
  2. Click an offense to see key findings for the selected offense including the number and types of observables found. For the selected offense, you can:
    • Click Reinvestigate to investigate the offense again. Each investigation counts against your daily quota.
    • Click Graph Relationships to view results of the investigation on the relationship graph.
    • Compare the original investigation with subsequent reinvestigations.
    • Filter on the observable table to view only observables with the selected criteria.
    • View the observable trend and hover to see the trend calendar.
    • Review Watson's evaluation of the offense priority and choose whether you agree, disagree, or are not sure. Tip: The more offenses you evaluate, the better the model will become at learning your environment.
    • Hover over the MITRE ATT&CK Tactics & Techniques chain of events to view details for each stage of the attack including related observables and the confidence level. Click Show Rules to view related rules and a link to more information.
    • View the Offense Disposition Analysis chart.
    • View insights discovered about the offense.
    • View investigations related to the offense to see shared attributes of multiple offenses.
    • View the offense summary and click View details to see source details in QRadar.

Example

The following example shows the light theme UI for QRadar Advisor with Watson 2.6.0.
[Figure: Watson investigation Offense page, light theme UI]
The following example shows the dark theme UI for Advisor with Watson 2.6.0 and QRadar Analyst Workflow 1.2.0.
[Figure: Watson investigations Offense page, dark theme UI]