Investigations is now available for customers who wish to opt in. If you were previously enrolled in the XDR – Detection and Investigation EAP, you should already see Investigations in the Threat Analysis Center, and there is no action on your part to enable this feature.
In the EAP release, users will be able to create new investigations, add multiple detections to a single investigation and add their analysis/notes. Users who have full admin privileges to both endpoint and server will be able to access the investigations page.
Once a new investigation has been created, users will have the ability to utilize traditional case management features such as assigning a priority, changing the status, adding assignees and documenting their analysis.
Users are able to group together multiple detections they wish to investigate and act upon in a single space. This gives analysts a place to document their findings and to collaborate with others. Users can add and remove detections in an investigation without navigating out to the detections list by selecting the Actions button.
Selecting Add Detections takes you through a wizard that lets you filter the full list of detections and add the ones you want to the investigation you were previously viewing.
Once detections have been added to the case, they remain there until a user removes them or until they expire 30 days after the investigation is closed. You will have the ability to perform data pivots from within the investigation, just as you can on the detections page.
Below the Detection List, we have provided an Investigations Notes section for users to record their findings and have pre-populated a best practice template to guide the user on what to look out for. Users can choose to use our pre-populated template or remove it and write their own.
Make sure to stay tuned as more features will be coming in January!