Configuring Threat Investigator

You can configure IBM Security Threat Investigator to automatically investigate cases. When Threat Investigator is enabled, it regularly checks for new cases.

Before you begin

Review Roles and permissions for Threat Investigator.

About this task

A case must have one or more supported artifacts to investigate.
Attention: Non-routable IP addresses (for example and are not supported for investigation.
Supported artifacts include the following:
  • IP Address
  • Port
  • Network CIDR Range
  • MAC Address
  • DNS Name
  • URL
  • URL Referrer
  • Email Attachment
  • Name
  • Email Sender
  • Email Recipient
  • Malware MD5 Hash
  • Malware SHA-1 Hash
  • Malware SHA-256 Hash
  • User Account
  • Registry Key
  • Process Name
  • File Name
  • File Path
  • Observed Data*
Important: *Observed Data must come from Data Explorer search results. If you manually attach an item as Observed Data, it is not supported.

If artifacts are attached after the initial investigation, Threat Investigator rechecks the cases that were checked (for up to 24 hours) the next time it runs an investigation. For up to 24 hours after the first check, Threat Investigator rechecks if the user ID that configured the app had no access to the case at the time it was originally checked for automatic investigation.


  1. From the homepage, go to Menu > Application Settings > Threat Investigator.
  2. Click Configuration.
  3. Set the Enable automatic case investigation to On to automatically investigate cases.
  4. In the Retention policy box, specify the number of days investigations should be retained. The default value is 90 days. If you want to disable automatic deletion of investigation data, set the value to 0 (zero). All of your investigation data is stored indefinitely.
  5. Click Exclude data sources to select data sources that are to be excluded from investigations. By default all configured data sources are used for data mining during the investigation.
    Tip: If there are data sources that you don't want to be queried for automatic investigations, you can add them to the exclude list and they will be excluded from investigation data mining.
  6. Click Confirm.
  7. Click Save.