Investigating cases with IBM Security Threat Investigator

IBM® Security Threat Investigator automatically analyzes and investigates cases to help you make more informed decisions.

Threat Investigator shows potential threats and the assets that are impacted, helping you determine the criticality of exposure, how many systems are at risk, and the level of remediation effort required. By viewing the timeline of threats within your organization, you can better understand dwell times and the stage of the threat.

How Threat Investigator works

Threat Investigator works with Case Management to find cases that warrant an investigation and automatically starts investigating. The investigation fetches the findings and artifacts that are attached to the case and then starts data mining. The data mining process collects all relevant events, flows, alerts, logs, and other data from all connected data sources, correlates and analyzes them to identify suspicious and malicious activity, and gathers evidence for the case. After Threat Investigator completes several rounds of data mining and analysis, it generates a timeline of the incident that shows what the attack is, how and where it started, how it progressed, and which assets are impacted. Threat Investigator identifies the MITRE ATT&CK tactics and techniques involved and builds a MITRE ATT&CK chain graph of the incident. It also generates a set of recommended response actions based on the investigation findings to speed up remediation of the incident.

For more information about Case Management, see Managing cybersecurity cases.

Figure 1. Threat Investigator workflow diagram