Investigate

To start an investigation, enter IOCs into the New Investigation panel in the upper portion of the page and then click Investigate to begin the enrichment of observables. You can enter text, or copy and paste directly into the panel (up to 2,000 characters). Click the tooltip for a quick view of the types of searchable content.

Note: If you navigate away from the New Investigation panel while editing, the content is automatically saved as a draft for the current browser tab only. The draft content is not available if the same session of Cisco XDR is opened in another browser tab. To restore the content, return to the New Investigation panel and continue with your edits or click Undo or Use draft to remove or restore the draft content.

Once the extraction is complete, the results of the investigation are displayed in the Relations Graph, with the volume of events shown on the Timeline. Additional details are available in the Events, Assets and Observables, and Indicators panels.

For more information, see the Investigation Results help topic.

The Saved Investigations panel displays a list of all the investigations that have been manually saved. A saved investigation is a snapshot at the moment in time when the investigation was originally executed and is used to keep a record for yourself or for others. Saved investigations are available to everyone in your organization; they are not private to individual users.

You can search, view, share, download, and delete saved investigations.

Click View All in the lower left corner of the panel to open the Saved Investigations page and view all the investigations that have been saved. See Saved Investigations for more information.