
New Investigation Page

The New Investigation page within the Investigations interface enables you to run queries on available data with desired filters for a specific timeframe.


To generate a new investigation report, configure the filters as desired and set the timeframe. See the Filters Section topic for additional information.

Then click Run Query. The report data is displayed in the sections below the Filters section. See the Investigation Reports topic for additional information.

NOTE: If you run a query without applying filters, the report sections display all activity by all users for the designated timeframe, which is set by default to Last Hour.

The report generated by a New Investigation can be exported. The Schedule Export option is not available from the New Investigation page. See the Export Report topic for additional information.

The Save option allows you to save your configured filters to run the investigation again later.

Save an Investigation

To retain filter configuration after running a query and confirming the desired report data is displayed, follow the steps to save an investigation.

NOTE: This option is available only to users with the Administrator or Response Managers role.

Step 1 – On the New Investigation page, click Save in the upper right corner. The Save Investigation window opens.


Step 2 – Enter a unique, descriptive name for this investigation in the Name field.

Step 3 – Enter a report description in the Description field.

Step 4 – From the Folder drop-down menu, select the location where the investigation will be saved. The My Investigations folder is the default for custom investigations.

Step 5 – Select a user role from the Owner drop-down menu. All users assigned this role own the investigation and can modify the report.

Step 6 – In the Access box, type to search for the user roles you want to grant access to this investigation. A list of user roles matching the search string is displayed. Select one or more user roles. All users belonging to the selected role(s) can view the report.

Step 7 – Click Save. The Save Investigation window closes.

The investigation is saved to the selected folder, and the folder expands in the navigation pane to display the saved item. Users can open this folder from the navigation pane to access the investigation. They can run the investigation, schedule exports, or add subscriptions.

See the Investigation Options topic for additional information.

Investigations Interface

The Investigations interface allows administrators to investigate all data available to the application through a series of customizable filters. These investigations can be saved so they can be run ad hoc at a later time. Investigations can also be "saved as a threat", which enables the investigation criteria to function as a threat detection mechanism that Threat Manager monitors like out-of-the-box threats.

Click Investigate in the application header bar to open the Investigations interface.


The Investigations interface contains the following pages:

  • New Investigation – Enables you to run queries on available data with desired filters for a specific timeframe. See the New Investigation Page topic for additional information.
  • Favorites – Provides a list of saved queries the logged-in user has tagged as a Favorite. See the Favorites Page topic for additional information.
  • Audit and Compliance – Provides a list of saved out-of-the-box investigations with applied filters for commonly used Audit and Compliance activity reports. See the Audit and Compliance Page topic for additional information.
  • Predefined Investigations – Provides a list of saved out-of-the-box investigations with applied filters for Applications, Computers, Groups, iNetOrgPerson, Roles and User activity reports. See the Predefined Investigations Page topic for additional information.
  • My Investigations – Provides a list of saved investigations created by the application users. See the My Investigations Page topic for additional information.
  • Subscriptions and Exports – Provides a list of investigations that are either subscribed to or scheduled for export. See the Subscriptions and Exports Page topic for additional information.

Every investigation has the same options at the top of the page. See the Investigation Options topic for additional information.

Every report generated by an investigation query displays the same type of information. See the Investigation Reports topic for additional information.

Search for Saved Investigations

The Investigations interface includes a search field in the navigation pane to find saved investigations by name.


Type in the search box. As you type, a drop-down list populates with saved investigations containing matches.