What is an investigation?
An investigation enables a Samurai XDR application user to aggregate related alerts together for further analysis to assess a potential threat.
What type of investigations are available?
- An investigation based on specific security alert(s) identified within the alerts widget.
- Specific security alerts (e.g Critical severity with High confidence) which require Incident Response - this investigation type would typically be given a Critical or High priority and assigned to relevant users within your tenant to action.
- Threat hunting is a proactive effort that applies an hypothesis or is based on Indicators of Compromise (IOC's) to discover suspicious activity or areas of risk. You can begin an investigation based on specific alerts generated within your tenant and start to investigate further.
What actions can I take within an investigation?
Each investigation has a lifecycle with stages based on the current state of the investigation e.g. open, closed, snooze. When creating an investigation you can set a priority, assign/unassign to users within your tenant, as well as update the status depending on what action needs to be taken. A 'how to' guide for all actions can be found at Investigations.