The Investigation Canvas enables you to visually map an incident, its elements, and progression path, combining analyst intelligence with machine learning.
To access the investigation canvas, click Canvas from the incident you want to investigate. The incident appears on the canvas display. In the Add entity to canvas section, DBot provides suggested indicators and incidents that might be connected or relevant to the current incident for you to add to the canvas.
Searches are server side searches.
The incidents are calculated according to the related incidents algorithm, which are based on several factors:
Common incident custom fields
You can add the incidents by dragging and dropping the incident onto the canvas.
The indicators are determined according to the following factors (in this order):
Indicators with a malicious verdict from the original incident (the incident that initiated the investigation).
Indicators that are shared between incidents that you added to the canvas.
The malicious ratio, which is the ratio between the indicators that appear in incidents with a malicious verdict, compared to the total number of incidents in Cortex XSOAR.
You can add the indicators by dragging and dropping the indicators onto the canvas.
You can Edit Dbot Incident and Indicator Suggestions in the Entity Library.
You can do the following:
Auto Populate the Canvas with related incidents, suspicious URLs and so on by using machine learning.
The closer an entity appears to the center, the more closely related it is to the investigated incident.
View an incident and indicator: view details of incident and indicator, including various actions in the Dbot Suggestions: Quick View Window.
Connect incidents: connect each incident by linking each incident and use comments on entity connections to communicate important information with team members by adding notes to connectors between entities.
Dynamic Connections: when you rearrange entities on the canvas, the connections dynamically move with the entities. Connections that are dotted lines indicate that the indicator is part of the investigation, or two incidents are defined as related incidents. These connections are dynamic, which means if one entity is an IP address and you add that IP address to the allow list after it was added to the canvas, the dotted-lined connection is automatically removed.
Capture the Canvas as an image: capture and study the incident by clicking Export to PNG.