Manage evidence

Overview

During your investigation, you can save relevant fragments from logs and IP addresses as evidence for later use in the Evidence lists section. With the evidence lists, you can build filters for your query. For details, see Filter by evidence.

evidence lists

Add evidence

You can add

There are two ways to add evidence, manually and via query results.

There is no limitation on the number of items (strings or IPs) you can add to a list in your evidence list.

Add manually

  1. In the Evidence lists section, select More actions next to the evidence list where you want to add your evidence.

  2. Select Add Add evidence. You can enter evidence directly or upload it from a file in TXT or CSV format.

    add evidence from the evidence list section

Add via query results

  1. In the query results table, right-click on a field or on a selected portion of a field.
  2. In the Add to evidence list section, select where you want to add the evidence.

For example, to add an IP address to an IP evidence list, right-click on an ip_address field or select the IP address from a string-type field with your mouse.

add an IP address to an IP evidence list from the content field

You can also add multiple items at once to an evidence list or create a new list from the selection.

Create custom lists

You can create custom evidence lists from the Evidence lists section and from the query results table.

There is no limitation on the number of lists you can create.

From the evidence lists

  1. Select Add.

    create new evidence list

  2. Select the evidence type, enter the details, then select Confirm.

From the results table

  1. Right-click on a field.

  2. In the Add to evidence list section, select Add New evidence list.

    create list from the query results table

  3. Select the evidence type, enter the details, then select Confirm.

Download evidence lists

You can download evidence lists in any of the supported formats (STIX 2.0 or CSV).

  1. In Evidence lists, select More actions next to the evidence list you want to download.

  2. Select Download as, then select the desired format.

    download evidence list

Delete evidence

You can delete items in your evidence list individually or in bulk.

  1. In the Evidence lists section, select More actions next to the evidence list where you want to delete evidence.

  2. Select Manage Manage.

  3. Select the items you want to delete.

  4. Select Delete Delete.

delete IPs

Rename and delete lists

In Evidence lists you can

  • Rename preset and custom evidence lists

    1. Select More actions next to the evidence list that you want to rename.
    2. Select Rename Rename.

  • Delete custom lists

    1. Select More actions next to the evidence list that you want to delete.
    2. Select Delete Delete.

Related topics