This guide introduces advanced capabilities designed to enhance root cause analysis and streamline investigation workflows in Security Investigator.
The following features are currently available (more to come soon).
IP enrichment adds external reputation data to IP addresses from trusted threat intelligence sources such as AbuseIPDB or VirusTotal. It can be applied manually to individual IPs or automatically to every entry in the evidence list, so analysts can triage faster and with more context. Note that each lookup discloses the queried address to the provider and counts against that provider's API quota.
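The flow described above, as an added example in Python (this is not Security Investigator's code, nor AbuseIPDB's): decide which addresses may be sent to a third party at all, build the lookup against AbuseIPDB's real v2 `check` endpoint, reduce the reply to the fields an analyst triages on, and score an evidence list worst-first. The sample evidence, the reputation replies and the `offline_lookup` stand-in are constructed so the block runs offline; the `NON_ROUTABLE` list is an assumption (RFC 1918, loopback and link-local only) that you would extend with any other ranges that must stay internal.

```python
import ipaddress
import json
from urllib.parse import urlencode

# Added example (not Security Investigator code). It mirrors the enrichment flow
# described above: decide which IPs may be sent out, build an AbuseIPDB lookup,
# parse the reply, and score the evidence list for triage.

ABUSEIPDB_CHECK_URL = "https://api.abuseipdb.com/api/v2/check"

# Deliberately explicit list: RFC 1918, loopback and link-local ranges. Addresses in
# these ranges never reach a third-party service. (Assumption: your environment has
# no other ranges that must stay internal; extend the list if it does.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_enrichable(ip: str) -> bool:
    """True only for syntactically valid addresses outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def build_abuseipdb_request(ip: str, api_key: str, max_age_days: int = 90) -> dict:
    """Describe the GET request for AbuseIPDB's v2 'check' endpoint (real API shape)."""
    query = urlencode({"ipAddress": ip, "maxAgeInDays": max_age_days})
    return {
        "method": "GET",
        "url": f"{ABUSEIPDB_CHECK_URL}?{query}",
        "headers": {"Key": api_key, "Accept": "application/json"},
    }


def parse_abuseipdb_response(body: str) -> dict:
    """Reduce a 'check' reply to the fields an analyst triages on."""
    data = json.loads(body)["data"]
    return {
        "score": int(data.get("abuseConfidenceScore", 0)),   # 0..100
        "reports": int(data.get("totalReports", 0)),
        "isp": data.get("isp"),
        "country": data.get("countryCode"),
    }


def enrich_evidence(evidence: list, lookup, score_threshold: int = 50) -> list:
    """Annotate each evidence entry with a reputation score and a verdict, worst first.

    `lookup(ip)` returns a parsed reputation dict, or None when nothing is known.
    """
    rows = []
    for entry in evidence:
        ip = entry["ip"]
        row = dict(entry, score=None, verdict="unknown")
        if not is_enrichable(ip):
            row["verdict"] = "internal"        # never sent to the provider
        else:
            rep = lookup(ip)
            if rep is not None:
                row.update(rep)
                row["verdict"] = "suspicious" if rep["score"] >= score_threshold else "benign"
        rows.append(row)
    # Highest abuse score first so triage starts with the worst indicators.
    rows.sort(key=lambda r: -1 if r["score"] is None else r["score"], reverse=True)
    return rows


# Constructed sample replies standing in for live API calls. The addresses are
# documentation ranges (RFC 5737), not real hosts, and the scores are made up.
SAMPLE_RESPONSES = {
    "198.51.100.23": json.dumps({"data": {"ipAddress": "198.51.100.23", "abuseConfidenceScore": 100,
                                          "totalReports": 42, "isp": "Example ISP", "countryCode": "ZZ"}}),
    "203.0.113.9": json.dumps({"data": {"ipAddress": "203.0.113.9", "abuseConfidenceScore": 0,
                                        "totalReports": 0, "isp": "Example ISP", "countryCode": "ZZ"}}),
}


def offline_lookup(ip: str):
    """Offline stand-in for an HTTP call; returns None for unknown addresses."""
    body = SAMPLE_RESPONSES.get(ip)
    return parse_abuseipdb_response(body) if body else None


# Constructed evidence list: one clean external IP, one internal host, one abusive external IP.
SAMPLE_EVIDENCE = [
    {"ip": "203.0.113.9", "event": "http 200 /login"},
    {"ip": "10.0.0.5", "event": "ssh session opened"},
    {"ip": "198.51.100.23", "event": "ssh auth failure x37"},
]

if __name__ == "__main__":
    for row in enrich_evidence(SAMPLE_EVIDENCE, offline_lookup):
        print(f"{row['ip']:>15}  {row['verdict']:<10} score={row['score']}  {row['event']}")
```

To go live, replace `offline_lookup` with a function that performs the request described by `build_abuseipdb_request` and passes the response body to `parse_abuseipdb_response`; the `is_enrichable` gate stays in front of it so internal addresses are never disclosed.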
Time offset analysis compares and correlates events across timeframes against a reference timestamp, so you can measure how far each event lies from a key moment in the incident. A virtual column shows that time difference for every record, and you can filter and correlate on it across the query tree, for example to keep only the records from the few minutes before the reference event.
Pivoting lets you jump from any record to related data on one of its available dimensions. It generates a new query node scoped to a +/- 5-minute window around the selected event, which reveals relationships and patterns without writing the query by hand.
Metric correlation lines up log records with system performance indicators such as CPU, memory or network utilization. A dynamic chart displays the metric data around the selected log timestamp, so you can see whether the event coincided with a change in resource usage, assess its impact and pinpoint the root cause more precisely.
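The three time-based features above (offset from a reference timestamp, pivoting into a +/- 5-minute window, and lining up metrics around a log timestamp) all reduce to the same operation: select records inside a window around an anchor time. The added Python example below (not Security Investigator's code) does that over constructed log records and constructed one-minute CPU samples; the hosts, users, times and the spike in the metric series are made up, and the baseline comparison in `metric_deviation` is a simple window-versus-rest mean, which is an assumption about how one might read such a chart rather than anything the page specifies.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean

# Added example (not Security Investigator code) for the three time-based features
# above: offset from a reference timestamp, pivoting into a +/- window, and lining
# up metric samples around a log timestamp. Naive timestamps are treated as UTC.


def ts(value: str) -> datetime:
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


# Constructed sample log records; hosts, users and times are made up.
EVENTS = [
    {"timestamp": "2024-05-01T09:30:00", "host": "web-1", "user": "bob",   "action": "login"},
    {"timestamp": "2024-05-01T10:00:00", "host": "web-1", "user": "alice", "action": "login"},
    {"timestamp": "2024-05-01T10:03:30", "host": "web-1", "user": "alice", "action": "sudo"},
    {"timestamp": "2024-05-01T10:04:10", "host": "web-1", "user": "svc",   "action": "cron"},
    {"timestamp": "2024-05-01T10:09:00", "host": "db-1",  "user": "alice", "action": "query"},
]
REFERENCE = "2024-05-01T10:03:30"   # the key incident moment: the sudo on web-1


def add_time_offset(events: list, reference: str) -> list:
    """The 'virtual column': seconds between each record and the reference (negative = before)."""
    ref = ts(reference)
    return [dict(e, offset_seconds=(ts(e["timestamp"]) - ref).total_seconds()) for e in events]


def filter_by_offset(events: list, lo_seconds: float, hi_seconds: float) -> list:
    """Keep records whose offset lies in [lo, hi], e.g. (-120, 0) = the two minutes before."""
    return [e for e in events if lo_seconds <= e["offset_seconds"] <= hi_seconds]


def pivot(events: list, selected: dict, dimension: str, window=timedelta(minutes=5)) -> list:
    """A new query scoped to +/- window around `selected`, matched on one dimension."""
    center = ts(selected["timestamp"])
    lo, hi = center - window, center + window
    return [
        e for e in events
        if e is not selected
        and e.get(dimension) == selected.get(dimension)
        and lo <= ts(e["timestamp"]) <= hi
    ]


def build_sample_metrics() -> list:
    """Constructed 1-minute CPU samples: flat 20 % with a spike to 95 % from 10:04 to 10:06."""
    start = ts("2024-05-01T09:50:00")
    spike_lo, spike_hi = ts("2024-05-01T10:04:00"), ts("2024-05-01T10:06:00")
    samples = []
    for i in range(26):
        t = start + timedelta(minutes=i)
        samples.append({"timestamp": t.isoformat(),
                        "cpu_pct": 95.0 if spike_lo <= t <= spike_hi else 20.0})
    return samples


METRICS = build_sample_metrics()


def metrics_around(metrics: list, log_timestamp: str, window=timedelta(minutes=5)) -> list:
    """The samples a chart centred on the log timestamp would plot."""
    center = ts(log_timestamp)
    return [m for m in metrics if center - window <= ts(m["timestamp"]) <= center + window]


def metric_deviation(metrics: list, log_timestamp: str, key: str, window=timedelta(minutes=5)):
    """Compare the window around the log record with everything outside it (the baseline)."""
    inside = metrics_around(metrics, log_timestamp, window)
    inside_ids = {id(m) for m in inside}
    outside = [m for m in metrics if id(m) not in inside_ids]
    if not inside or not outside:
        return None     # nothing to chart, or no baseline left to compare against
    peak = max(inside, key=lambda m: m[key])
    return {
        "window_mean": mean(m[key] for m in inside),
        "baseline_mean": mean(m[key] for m in outside),
        "peak": peak[key],
        "peak_at": peak["timestamp"],
    }


if __name__ == "__main__":
    sudo = EVENTS[2]
    for e in filter_by_offset(add_time_offset(EVENTS, REFERENCE), -300, 300):
        print(f"{e['offset_seconds']:+7.0f}s  {e['host']}  {e['user']}  {e['action']}")
    print("same user within 5 min:", [e["action"] for e in pivot(EVENTS, sudo, "user")])
    print("cpu around sudo:", metric_deviation(METRICS, sudo["timestamp"], "cpu_pct"))
```

Run as a script it prints the three records within five minutes of the sudo with their signed offsets, the earlier login by the same user that the pivot surfaces, and the CPU window whose mean sits well above the baseline because the spike starts half a minute after the sudo.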