Start and Add to Investigations
You can add alerts, events, search queries, and attachments to existing investigations, or create new investigations from them, as you navigate throughout Secureworks® Taegis™ XDR.
Start a New Investigation From Alerts or Events
- Select Create New Investigation when viewing any alert or event. (This option may be in the Actions drop-down list.)
Tip
To add multiple alerts or events to an investigation at a time, select them using the checkboxes in the table, then choose Actions → Create New Investigation.
- Give the investigation a title and select a Priority and Type.
- Specify the Key Findings Template as blank or Security Investigation, then select Submit.
- A direct link to the new investigation appears in a notification.
Start an Investigation
Start a New Investigation with All Alerts
You can add all alerts from the Alerts page or from search results to a new investigation. This is helpful when there are too many results to display in the table, but you want to add them quickly to a new investigation.
Bulk Adding Alerts to a New Investigation
- Select one or more results using the checkboxes.
- Select Actions > Create New Investigation. The Create New Investigation dialog displays.
- Give the investigation a title.
- Choose the Add All Alerts option.
- Select a Priority and Type.
- Specify the Key Findings Template as blank or Security Investigation.
- Select Submit. The investigation is created.
Note
An investigation can hold at most 50,000 alerts.
Note
Due to processing time, it may take a few minutes for the alerts to be visible in the investigation.
Start an Investigation with Many Alerts
Create a New Empty Investigation
A new empty investigation starts with no evidence; you add alerts, events, searches, or attachments to it afterward.
Create a New Empty Investigation
- From the Taegis Menu, select Investigations.
- Select + Add New. The Create New Investigation dialog displays.
- Give the investigation a title and select a Priority and Type.
- Specify the Key Findings Template as blank or Security Investigation, then select Submit.
- A direct link to the new investigation appears in a notification, and a new, empty investigation displays in the investigation table.
Add Alerts or Events to an Existing Investigation
While viewing events and alerts throughout XDR, select Actions → Add to Existing Investigation and choose the investigation to which you want to add the alert or event.
Tip
To add multiple alerts or events to an investigation at a time, select them using the checkboxes in the table, then choose Actions → Add to Existing Investigation.
Adding to Existing Investigations
Add All Alerts to an Existing Investigation
You can add all alerts from the Alerts page or from search results to an existing investigation. This is helpful when there are too many results to display in the table, but you want to add them quickly to an investigation.
Bulk Adding Alerts to an Existing Investigation
- Select one or more results using the checkboxes.
- Select Actions > Add to Existing Investigation. The Add Evidence to Investigation dialog displays.
- Select an investigation from the investigation list.
- Choose the Add All Alerts option.
- Select Submit. The alerts are added to the investigation.
Note
An investigation can hold at most 50,000 alerts.
Note
Due to processing time, it may take a few minutes for the alerts to be visible in the investigation.
Adding Many Alerts to Existing Investigations
Link a Saved Search to an Investigation
Linking a saved search query to an investigation adds context and eases hand-offs between analysts, improving the overall investigation workflow. The investigation then includes a link to the original search query.
Note
Linking a saved search query does not copy the search results. It also does not copy the original alert or event data and does not alter the Secureworks data retention policy.
Adding to an Investigation from a Saved Search
- Select Advanced Search from the Taegis Menu.
- Select Saved Searches.
- From the Saved Searches panel, select the ellipsis for the desired saved search and choose Add to Investigation.
Tip
You can also choose Create New Investigation to add the search query to a new empty investigation.
- In the Add Evidence to Investigation dialog, select an investigation from the investigation list.
- Select Submit.
Tip
The same search query can be added to multiple investigations.
The Searches section of an investigation displays all linked search queries.
Note
This section displays the search query name, not the search results of that query.
Running a Related Search from an Investigation
Attach Files to an Investigation
Share files relevant to an investigation by uploading them to the investigation as attachments.
Important
When uploading a potentially malicious file, you should embed it within a password-protected ZIP archive with infected as the password.
- Open an investigation.
- Select the Evidence tab and then the Attachments sub-tab.
- Choose Upload File.
- Drag and drop files, or select browse, to add one or more files.
Note
The maximum size of an individual uploaded file is 2 GB.
- Select Close.
Add Investigation Attachment
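The Important callout above asks that a potentially malicious file be wrapped in a password-protected ZIP with the password infected before it is attached. The following is an added example, not Secureworks or Taegis code, and it never talks to XDR: it builds such an archive and runs a pre-upload check that every member is encrypted, opens with the agreed password, and stays under the 2 GB per-file limit (assumed here to mean 2 * 1024**3 bytes). Python's standard zipfile module can read traditional PKWARE (ZipCrypto) encrypted entries but cannot write them, so the stream cipher from APPNOTE.TXT section 6.1 is implemented inline and wrapped in a minimal single-entry STORED container; the member name sample.bin and the sample bytes are constructed placeholders.

```python
"""Wrap a sample in a password-protected ZIP (password "infected") and verify
it before attaching it to an investigation.  Added example; not Taegis code.
ZipCrypto is weak: the convention only keeps scanners, mail gateways and an
accidental double-click from treating the sample as a live file."""
import io
import os
import struct
import zipfile
import zlib

MAX_ATTACHMENT_BYTES = 2 * 1024 ** 3  # page: 2 GB per file (binary GB assumed)
DEFAULT_PASSWORD = b"infected"


def _make_crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC_TABLE = _make_crc_table()


def _crc_step(crc, byte):
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class _ZipCryptoKeys:
    """Traditional PKWARE stream-cipher state: three 32-bit keys."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update(b)

    def update(self, plain_byte):
        self.k0 = _crc_step(self.k0, plain_byte)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc_step(self.k2, self.k1 >> 24)

    def encrypt(self, data):
        out = bytearray()
        for b in data:
            t = (self.k2 | 2) & 0xFFFF
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self.update(b)  # keys advance on the plaintext byte
        return bytes(out)


def make_infected_zip(member_name, data, password=DEFAULT_PASSWORD):
    """Return the bytes of a single-entry, stored, ZipCrypto-protected zip."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    keys = _ZipCryptoKeys(password)
    # 12-byte encryption header: 11 random bytes plus the CRC's high byte,
    # which readers use as a quick wrong-password check before decrypting.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    payload = keys.encrypt(header + data)
    name = member_name.encode("utf-8")
    flags = 0x0001  # general-purpose bit 0: entry is encrypted
    dos_time, dos_date = 0, ((2024 - 1980) << 9) | (1 << 5) | 1  # fixed, constructed
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, dos_time, dos_date,
                        crc, len(payload), len(data), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                          dos_time, dos_date, crc, len(payload), len(data),
                          len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(payload), 0)
    return local + payload + central + eocd


def check_attachment(zip_bytes, password=DEFAULT_PASSWORD):
    """Pre-upload check: within the size limit, every member encrypted, and
    every member readable with the agreed password.  Returns (ok, reason)."""
    if len(zip_bytes) > MAX_ATTACHMENT_BYTES:
        return False, "archive exceeds the 2 GB per-file limit"
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if not info.flag_bits & 0x1:
                    return False, f"{info.filename} is not encrypted"
                with zf.open(info, pwd=password) as fh:
                    fh.read()  # raises on a wrong password or CRC mismatch
    except (RuntimeError, zipfile.BadZipFile) as exc:
        return False, f"archive failed verification: {exc}"
    return True, "ok"


def read_member(zip_bytes, member_name, password=DEFAULT_PASSWORD):
    """What the receiving analyst does: extract one member with the password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(member_name, pwd=password)


if __name__ == "__main__":
    sample = b"constructed placeholder bytes, not a real sample\n"  # constructed
    archive = make_infected_zip("sample.bin", sample)
    print(check_attachment(archive))            # (True, 'ok')
    print(check_attachment(archive, b"wrong"))  # (False, 'archive failed verification: ...')
```

Run check_attachment on the archive before uploading it through the Attachments sub-tab; a False result with a reason tells you whether the member was left unencrypted, the password does not match the convention, or the file is over the size limit. The archive produced here opens with any standard unzip tool given the password infected.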
Note
Files attached to investigations are not subject to the data retention policy, nor do they count toward the monthly data cap.