Investigate
In an intelligence-driven incident response, a piece of disseminated information may be the starting point for a security team to investigate the impact of a known piece of malware. The Cisco XDR Investigate feature is used to search suspicious indicators of compromise (IOCs) such as emails, log messages, domains, URLs, and IPs, and extract observables for enrichment.
Cisco XDR reaches out to all of the configured sources (configured modules) and finds the disposition for each observable, and then displays the details in the investigation results. Once an asset has been identified, you can immediately direct attention to it to gain contextual knowledge of exactly which observable(s) the asset has communicated with.
Choose Investigate in the navigation menu to begin an investigation.
Start an Investigation
To start an investigation, enter IOCs into the New Investigation panel in the upper portion of the page and then click Investigate to begin the enrichment of observables. You can enter text, or copy and paste directly into the panel (up to 2,000 characters). Click the tooltip for a quick view of the types of searchable content.
Once the extraction is complete, the results of the investigation are displayed in the Relations Graph, with the observable sightings shown on the Sightings Timeline. Additional details are available in the Events, Assets and Observables, and Indicators panels.
For more information, see the Investigation Results help topic.
View Saved Investigations
The Saved Investigations panel displays a list of all the investigations that have been manually saved. A saved investigation is a snapshot at the moment in time when the investigation was originally executed and is used to keep a record for yourself or for others. Saved investigations are available to everyone in your organization; they are not private to individual users.
You can search, view, share, download, and delete saved investigations.
Click View All in the lower left corner of the panel to open the Saved Investigations page and view all the investigations that have been saved. See Saved Investigations for more information.