Create a new investigation - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn how to create a forensics investigation. This includes adding a collection, exporting the data collection, managing alerts and key assets & artifacts.

Create a forensics investigation that includes all the relevant forensics data. This includes adding collections (hunts and triages), exporting the data collections, managing alerts and evaluating key assets & artifacts.

  1. Select Incident ResponseInvestigationForensicsForensics Investigations.

  2. Click New Investigation.

  3. Enter a unique name and optional description for the investigation.

  4. In the Permissions table, select the users that can access the investigation data.


    To set up user permissions, you must have Scope-Based Access Control (SBAC) enabled.

    Refer to User permissions for detailed information on permissions.

  5. Click Save to save the investigation in the Forensics Investigations table or click Save & Start A Collection to start the process of adding collections.

  6. In the New Collection widget, select Triage or Hunt.

  7. The investigation is saved to the forensic investigation table.

  8. Click UTC Timezone to configure the timezone and timestamp format. Refer to Select Timezone for information on setting up your timezone.