Configuring Threat Investigator
You can configure IBM Security Threat Investigator to automatically investigate cases. When Threat Investigator is enabled, it regularly checks for new cases.
Before you begin
About this task
A case must have one or more supported artifacts to investigate.
Attention: Non-routable IP addresses (for example 127.0.0.1 and 0.0.0.0) are not supported for investigation.
Supported artifacts include the following:
- IP Address
- Port
- Network CIDR Range
- MAC Address
- DNS Name
- URL
- URL Referrer
- Email Attachment
- Name
- Email Sender
- Email Recipient
- Malware MD5 Hash
- Malware SHA-1 Hash
- Malware SHA-256 Hash
- User Account
- Registry Key
- Process Name
- File Name
- File Path
- Observed Data*
Important: *Observed Data must come from Data Explorer search results. If you manually attach an item as Observed Data, it is not supported.
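The following pre-flight check, added here as an illustration and not part of IBM's Threat Investigator code, applies the rules above to a case before it is handed to automatic investigation: at least one supported artifact must be present, IP Address artifacts that are non-routable are rejected, and Observed Data counts only when it comes from Data Explorer. The Artifact class, its source field and the "data_explorer" marker are assumptions made for this example; the page names only 127.0.0.1 and 0.0.0.0 as non-routable, so extending that set to link-local, multicast and reserved addresses is also an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Artifact types the page lists as supported for automatic investigation.
SUPPORTED_ARTIFACT_TYPES = frozenset({
    "IP Address", "Port", "Network CIDR Range", "MAC Address", "DNS Name", "URL",
    "URL Referrer", "Email Attachment", "Name", "Email Sender", "Email Recipient",
    "Malware MD5 Hash", "Malware SHA-1 Hash", "Malware SHA-256 Hash", "User Account",
    "Registry Key", "Process Name", "File Name", "File Path", "Observed Data",
})


@dataclass(frozen=True)
class Artifact:
    """Hypothetical representation of a case artifact (not an IBM data model)."""
    type: str
    value: str
    # Assumed field recording where the artifact came from. Observed Data is
    # supported only when it originates from Data Explorer search results.
    source: str = "manual"


def is_non_routable_ip(value: str) -> bool:
    """Return True for IP addresses that cannot be investigated.

    Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0, ::) are the page's own
    examples. Link-local, multicast and reserved ranges are included as an
    assumption about what "non-routable" covers. Unparseable input is treated
    as non-investigable as well.
    """
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return True
    return (ip.is_loopback or ip.is_unspecified or ip.is_link_local
            or ip.is_multicast or ip.is_reserved)


def artifact_rejection_reason(artifact: Artifact) -> Optional[str]:
    """Return None if the artifact can be investigated, else a human-readable reason."""
    if artifact.type not in SUPPORTED_ARTIFACT_TYPES:
        return f"unsupported artifact type: {artifact.type}"
    if artifact.type == "IP Address" and is_non_routable_ip(artifact.value):
        return f"non-routable IP address: {artifact.value}"
    if artifact.type == "Observed Data" and artifact.source != "data_explorer":
        return "Observed Data must come from Data Explorer search results"
    return None


def triage_case(artifacts: List[Artifact]) -> Tuple[bool, List[Artifact], List[Tuple[Artifact, str]]]:
    """Split a case's artifacts into investigable ones and rejected ones.

    The first element is True only when at least one supported artifact remains,
    which is the page's precondition for automatic investigation.
    """
    supported: List[Artifact] = []
    rejected: List[Tuple[Artifact, str]] = []
    for artifact in artifacts:
        reason = artifact_rejection_reason(artifact)
        if reason is None:
            supported.append(artifact)
        else:
            rejected.append((artifact, reason))
    return (len(supported) > 0, supported, rejected)


# Constructed sample case: two usable artifacts and three that must be rejected.
SAMPLE_CASE_ARTIFACTS = [
    Artifact("IP Address", "203.0.113.10"),              # documentation-range address, usable here
    Artifact("IP Address", "127.0.0.1"),                 # loopback, rejected
    Artifact("Malware SHA-256 Hash", "0" * 64),          # placeholder hash, usable
    Artifact("Observed Data", "alert-row-1", "manual"),  # manually attached, rejected
    Artifact("Ticket Number", "INC-0001"),               # not a supported type, rejected
]

if __name__ == "__main__":
    investigable, ok, bad = triage_case(SAMPLE_CASE_ARTIFACTS)
    print("case can be investigated:", investigable)
    for artifact, reason in bad:
        print(f"rejected {artifact.type} {artifact.value!r}: {reason}")
```

Running the check before enabling automatic investigation makes it obvious why a case is skipped (no supported artifacts, only loopback IPs, or Observed Data that was attached by hand) instead of waiting for the next scheduled run to find nothing to do.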
If artifacts are attached after the initial investigation, Threat Investigator rechecks those cases (for up to 24 hours after the first check) the next time it runs an investigation. Likewise, if the user ID that configured the app had no access to a case when it was first checked for automatic investigation, Threat Investigator rechecks that case for up to 24 hours after the first check.