Investigate an alert to view more detailed information and take any action as required.
You can investigate an alert to gain more information about the cause of the alert, and take any actions required. Hover over an alert and select Investigate to open the alert investigation panel. The following tabs are common to most alerts:
Tab | Description |
---|---|
Alert Overview | A summary of the alert, such as alert details, outstanding tasks, and indicators. Some fields are informational and some are editable. Includes the following sections (depending on the layout): |
Technical Information | Displays an overview of the information collected about the investigation, such as indicators, email information, URL screenshots, etc. When you run a playbook, the sections are automatically completed. |
Investigation Tools | Enables you to take action on the alert, such as converting a JSON file to CSV or checking whether an IP address falls within a CIDR range. |
War Room | A comprehensive collection of all investigation actions, artifacts, and collaboration. It is a chronological journal of the alert investigation. Each incident has a unique War Room. For more information, see Use the War Room in an investigation. |
Work Plan | A visual representation of the running playbook that is assigned to the incident. For more information, see Use the Work Plan in an investigation. |