Viewing threat investigation details

Threat Investigator automatically investigates cases based on supported artifacts. You can view the status of the investigation and the results of the investigation's data mining and reinvestigate cases. You can view the investigation details including the attack graph, the MITRE ATT&CK chain, and recommended response actions.

From the Cases page, click the Threat Investigation tab and then click the ID or Name of the case in the table to gain further insight for individual investigations and view recommended response actions.

On the Threat Investigation tab, you can view the Attack timeline and details, the Attack graph, the MITRE ATT&CK matrix, and the Network graph for the investigation. By default, timestamps are shown in local time.

You can take the following actions:
  • Export the results of an investigation to a PDF or text file report. Click Export and select PDF or Text.
  • Save the evidence and tasks to the case. Click Save all to select and save important evidence and related tasks for long-term storage, auditing, and tracking. Click Save flagged to save any findings you flagged. You can adjust the selection of findings, artifacts, and tasks that you want to save to the case.

On the Attack timeline, you can view information and details related to the activities that triggered the attack. You can take the following actions:
  • Click View details within the timeline to see supporting data and any relevant references.
  • Click the Flag icon to mark the activity as flagged. After it is flagged, you can click Save flagged to save the evidence and tasks to the case.
  • Click Save to save evidence and tasks associated with the particular finding to the case.
  • Click Remove to permanently delete the finding. Removed findings cannot be recovered.
  • Expand the events and flows entries in the attack timeline to view the event and flow information that is associated with the investigation. Event and flow information shows activity that did not match a rule and has no malicious IoCs, but that is relevant to the incident because it precedes or follows a suspicious activity.

The Investigation details panel shows investigation results, recommendations, and triggers. On the Investigation details panel, you can complete the following actions:
  • Click the Results tab to view a summary of potential findings and artifacts, view how many findings and artifacts are already saved to the case, view the types of findings and tactics that were identified, and reinvestigate the case to discover additional findings.
  • View the Recommended response tasks and determine if any action is required for you to quickly close the case. You can save the task and its associated findings to the case, remove the recommended task, and view more details. For more information, see Recommended responses.
  • Click the Triggers tab to view the artifacts that triggered the investigation.

From the context switcher, you can select from the following icons:
  • Attack graph. View the MITRE ATT&CK chain to see where the attack started and how it progressed. Click the tactic to see supporting data and any relevant references such as MITRE techniques, Threat Intelligence Insights, and information related to events, flows, assets, network traffic, users, processes, parent processes, domains, data sources, STIX data, and references.
  • MITRE ATT&CK. View the activity of the incident within the phases of the MITRE ATT&CK framework in the MITRE ATT&CK matrix. Click a technique to open the side panel and view the finding information and learn more from the MITRE ATT&CK website.
  • Network graph. View the network graph to visualize the network activity of the incident.
  • Investigation record. View a list of event and threat intelligence queries run during the investigation, which support the investigation results. Investigation record also shows which queries returned results and which did not, and provides statistics on the number of events obtained from queries and used in the investigation.

Figure: Threat Investigator investigation details page showing the Attack timeline on the Threat Investigation tab.