Manage an investigation - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Manage an investigation by adding collections, managing alerts, adjusting the timeline, and analyzing assets and artifacts.

An investigation comprises one or more data collections from endpoints within an environment. Grouping all of the collections within a single location allows you to focus on the endpoints relevant to your investigation. There are two types of collections to choose from when searching for data:

  • Hunt collections enable you to search for a specific activity across a large number of hosts. They provide more detail about where something occurred, for example, which endpoints ran a piece of malware, which users accessed a particular file, or which endpoints were accessed by a specific user.

  • Triage collections enable you to collect detailed information about specific activities that occurred on an endpoint. The triage functionality is configurable and supports the collection of all the currently supported forensic artifacts, user-defined file paths, a full file listing for all of the connected drives, full event logs, and registry hives. The amount of data collected during a triage can be large, so triages are limited to ten or fewer endpoints per collection.

On the Forensic Investigation page, you can create a new investigation or you can edit an existing one.

The Forensic Investigations table gives you an overview of important information about the ongoing investigations. Click the highlighted name of an investigation to go directly to the Investigation page. From here, you can add or monitor collections, manage timelines, or review key assets & artifacts.

From an investigation page, click the UTC Timezone to configure the timezone and timestamp format. Refer to Select Timezone for information on setting up your timezone.

If you right-click on the investigation, you can edit or close the investigation.


When you close an investigation, there is a 24-hour wait before any collections associated with that investigation are deleted. During that timeframe, you have the option to cancel the close investigation action.

When editing an investigation, you can change the name and description, and add or remove users from the permissions list. For information on users, see User permissions.