What is an investigation?
An investigation enables a Samurai XDR application user to aggregate related alerts together for further analysis to assess a potential threat.
What type of investigations are available?
- Alert Investigation
  - This type of investigation is based on specific security alerts that have been highlighted within the alerts widget.
- Incident Response
  - Specific security alerts (e.g. Critical severity with High confidence) may require Incident Response. This investigation type would typically be given a Critical or High priority and assigned to relevant users within your tenant to action.
- Threat Hunting
  - Threat hunting is a proactive effort that applies a hypothesis to discover suspicious activity or areas of risk. You can begin an investigation based on specific alerts generated within your tenant and investigate further from there.
What actions can I take within an investigation?
Each investigation has a lifecycle with stages based on its current state, e.g. open, closed, snooze. When creating an investigation you can set a priority, assign it to or unassign it from users within your tenant, and update the status depending on what action needs to be taken. A 'how to' guide for all actions can be found at Investigations.