Investigation Actions

Modified on Wed, 16 Aug 2023 at 07:40 AM

When you are working on an Investigation a number of different actions are available to manage your investigation. This article discusses the different actions you can take:

Create
Edit
Notes
- Add
- Edit
- Delete
- Share
Snooze
Close
View Open
View Closed

Tip: If you are new to Investigations you should review Investigations Overview

Create an Investigation

There are multiple methods to create an investigation based on individual alerts, multiple alerts or simply a placeholder to add alerts at a later stage.

To create an investigation based on alert(s):

Select Dashboards from the left hand menu
Select Alert Management
You will now view the Alerts Management dashboard and all Alerts
Select the relevant Alerts by checking the box beside each relevant alert
Select (more options) at the right of the table and select Assign or Create Investigation
You will be presented with the Assign Alerts to Investigation page
Within the Create new Investigation window
Enter a Name for the investigation
Select a Priority
Select a Type
Assign the investigation to yourself or another user of your tenant
Select Create and Assign

To create an empty investigation (no alerts assigned), you can assign alert(s) later:

Select Investigations from the left hand menu
Select Create New
Enter a Name for the investigation
Select a Priority
Select a Type
Assign the investigation to yourself or another user of your tenant
Select Create

To assign alert(s) to the empty investigation:

Select Dashboards from the left hand menu
Select Alert Management
You will now view the Alerts Management dashboard and all Alerts
Select the relevant Alerts by checking the box(es) within the Alert widget
Select the (more options) at the top right of the table and select Assign or Create Investigation
You will be presented with the Assign Alerts to Investigation page
Select Assign to existing Investigation and from the pull down menu select the Investigation name you created.
Select Assign

Edit an Investigation

Select Investigations from the left hand menu
Within the Open Investigations window, select the Investigation you wish to edit
You can:
- Change the Status, Assign to a different user and Priority of the Investigation
If you want to unassign Alerts to the investigation, select the relevant Alert
Click on the (more options) to the right of the alert and select Unassign

Investigation Notes

Using the notes feature you can document findings during an investigation to reflect progress made, conclusions drawn and communicate all information to other users of your Samurai XDR tenant.

Notes are associated within an individual investigation and are added using a WYSIWYG editor. Each note contains the following information:

Time-stamp
- Last updated date and time in the format [yyyy:mm:dd], [hh:mm:ss]
Contributors
- User that created the note represented as an icon with initials of the user
- Users that have modified the note
- Hover over the icon to display the users email address

The WYSIWYG editor provides the following functionality:

Toolbar button	Name	Action
	Code block	Insert code block
	Insert/edit URL	Create or edit a URL link
	Bold	Bold or unbold text
	Italic	Italicize or remove italics
	Underline	Underline or remove underline from text
	Bulleted list	Create or remove a bulleted list
	Numbered list	Create or remove a numbered list
	Table	Create or modify a table
	Character counter	Counter showing number of character used and limit of 5000
	Save / update	Save or update a note
	Share	Copies the URL of the note to share with other users in your tenant
	Open in new window	Opens the note in a new window
	Edit	Allows you to edit and update a saved note
	Delete	Delete the note
	Exit edit mode	Exit note edit mode
	Confirm update	Save and update note

Add Note

Select the relevant Investigation within the Investigations menu.
Click on the Notes icon
You can now add free form text within the field using the WYSIWYG editor
Click to save the Note

Edit Note

Select the relevant Investigation within the Investigations menu.
Click on the Notes icon
Select the relevant Note you wish to edit
Click on (more options) and select (edit)
Once complete click to save or if you wish to forget the update

Delete Note

Select the relevant Investigation within the Investigations menu.
Click on the Notes icon
Select the relevant Note you wish to delete
Click on (more options) and select (delete)

Share Note

Select the relevant Investigation within the Investigations menu.
Click on the Notes icon
Select the relevant Note you wish to delete
Click on (more options) and select (share)
The URL of the note will be copied to your clipboard and can be shared with other users of your tenant

Snooze an Investigation

Select Investigations from the left hand menu
Within the Open Investigations window, select the Investigation you wish to snooze
From the Status drop down menu, select Snooze
You can now Define the snooze period for the Investigation
Select the Duration
Provide a Description for why you are snoozing the investigation
Select Confirm
Within the Open Investigations page you will now see the Status is updated to Snooze

Close an Investigation

Select Investigations from the left hand menu
Within the Open Investigations widget, select the Investigation you wish to snooze
From the Status drop down menu, select Closed
To close the Investigation you should select one of the options presented:
- Security Incident Confirmed
- False-Positive
- True-Positive (from legitimate host)
Provide a reason behind closing the investigation

View Open Investigations

Select Investigations from the left hand menu
View the Open Investigations widget, this will list all investigations that are Open or in Snooze status
You can filter on the Status field for Open investigations

Alternatively you can view the latest Investigations widget within Dashboards > Alert Management

View Closed Investigations

Select Investigations from the left hand menu
View the Closed Investigations widget