Create a new investigation

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-07-16
Last date published: 2024-10-14
Category: Administrator Guide
Abstract

Learn how to create a forensics investigation. This includes adding a collection, exporting the data collection, managing alerts and key assets & artifacts.

Create a forensics investigation that includes all the relevant forensics data. This includes adding collections (hunts and triages), exporting the data collections, managing alerts and evaluating key assets & artifacts.

  1. Select Incident Response > Investigation > Forensics > Forensic Investigations.

  2. Click New Investigation.

  3. In the Create New Investigation wizard, enter a name and description (optional) for the investigation.

  4. In the Permissions table, select the users to whom you want to grant access to the investigation data.

    Note

    To set up user permissions, you must have Scope-Based Access Control (SBAC) enabled.

    Refer to User permissions for detailed information on permissions.

  5. Click Save to save the investigation in the Forensic Investigations table or click Save & Start A Collection to start the process of adding collections.

  6. In the New Collection widget, select Triage or Hunt.

  7. The investigation is saved to the Forensic Investigations table.

  8. Click UTC Timezone to configure the timezone and timestamp format. Refer to Configure server settings for information on setting up your timezone.