Manage an investigation - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide


Manage an investigation by adding collections, managing alerts, adjusting the timeline, and analyzing assets and artifacts.

Forensic Investigations streamline your incident response, data collection, threat hunting, and analysis of your endpoints. By using a Forensic Investigation, you can find the source and scope of an attack and determine what data, if any, was accessed. It provides a single location for grouping, tracking, and analyzing all forensic data collections.

Forensic Investigations enables you to do the following:

  • View any alerts triggered by data ingested as part of the investigation.

  • Tag relevant evidence for inclusion in the Investigation Timeline.

  • Export collected data for long-term retention.

  • Set user permissions that can be assigned to investigations allowing you to restrict access to the Investigation page including the Investigation Timeline and collection details.

The Forensic Investigation fields show the following information about the investigation:

  • Name of the investigation.

  • Present status of the investigation:

      • Open

      • Close pending: After you select close, the investigation status changes to close pending. The investigation is officially removed from the investigations repository after 24 hours, which gives users a chance to revert the closure if necessary.

  • Evidence collections: Number of completed collections out of the total collections.

  • New alerts: Total count of alerts for the collection where Resolution Status=New.

  • Total alerts: Total number of alerts for data collected in the investigation. You can click the link to open the investigation on the Alerts tab.

  • Timestamp of when the investigation was created.