Understand essential concepts and key terms for the Security Investigator app.
A case is an investigation scenario that you can create to start investigating security incidents and perform threat hunting.
Once you create a case (in Security Investigator, select Case), you can build, rename, or delete it; switch between cases (all your changes are saved automatically); and share it with others.
You can create an unlimited number of investigation scenarios.
You can create a maximum of 100 nodes per case.
The maximum size of a case is 1 GB.
You can check the number of nodes and size of a case on the Security Investigator home page. Each case card contains information about the case size and number of queries.
The query tree is a visual representation of your investigation history, designed to help you efficiently manage your query activities.
You can quickly
A query tree is composed of:
- Initial node: the initial node created in the query tree when you execute your first DQL query.
- Query node: each time you modify and execute a DQL query, a new query node is added to the tree. A string of query nodes forms a query branch.
- Query branch: a visual representation of your investigation path, made up of a string of query nodes. If you navigate to a previous query and then modify and execute it, a new query branch with a new query node is created from that query.
Despite any modification in the query tree, the following elements are always preserved:
If you modify your query to a point where no further analysis is possible, you can navigate back in the tree to your last working query and continue your investigation from there. This creates a new branch in the query tree.
For details about how to use the query tree, see Manage the query tree.
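As an added illustration (not part of the Security Investigator documentation or product code), the following Python model captures the query-tree rules described above: executing a modified query extends the current branch, navigating back to an earlier query and executing creates a new branch from that node, and the case-level limit of 100 nodes is enforced. The DQL strings are constructed samples.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MAX_NODES_PER_CASE = 100  # limit stated on this page


@dataclass
class QueryNode:
    id: int
    dql: str
    parent: Optional["QueryNode"]
    children: List["QueryNode"] = field(default_factory=list)


class QueryTree:
    """Investigation history: every executed DQL query becomes a node."""

    def __init__(self) -> None:
        self.nodes: List[QueryNode] = []
        self.current: Optional[QueryNode] = None

    def execute(self, dql: str) -> QueryNode:
        """Run a query from the current node; the new node becomes current."""
        if len(self.nodes) >= MAX_NODES_PER_CASE:
            raise ValueError("case already holds the maximum of 100 nodes")
        node = QueryNode(len(self.nodes) + 1, dql, self.current)
        if self.current is not None:
            self.current.children.append(node)  # extends or forks a branch
        self.nodes.append(node)
        self.current = node
        return node

    def navigate_to(self, node_id: int) -> QueryNode:
        """Go back to an earlier query; the next execute() forks a new branch there."""
        self.current = self.nodes[node_id - 1]
        return self.current

    def branches(self) -> List[List[int]]:
        """One branch per leaf: the node ids on the path from the initial node."""
        return [self._path(n) for n in self.nodes if not n.children]

    @staticmethod
    def _path(node: Optional[QueryNode]) -> List[int]:
        path = []
        while node is not None:
            path.append(node.id)
            node = node.parent
        return path[::-1]


def build_demo_tree() -> QueryTree:
    """Constructed walkthrough: three queries in a row, then a fork from node 2."""
    tree = QueryTree()
    tree.execute('fetch logs | filter contains(content, "login")')          # node 1
    tree.execute('fetch logs | filter contains(content, "login failed")')   # node 2
    tree.execute('fetch logs | filter contains(content, "login failed") | summarize count()')  # node 3
    tree.navigate_to(2)  # back to the last query that still returned useful rows
    tree.execute('fetch logs | filter contains(content, "login failed") | limit 20')  # node 4
    return tree
```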
Evidence lists store relevant log fragments and IP addresses that you save for later use.
Once you add evidence to the evidence lists, you can build filters for your query.
For details about how to manage evidence, see Manage evidence.
Reference time adds a time perspective so you can track the relative time between the events you're analyzing and the time when the incident occurred.
For details, see Define reference time.
Log pivoting enables instant navigation and analysis of interconnected log data from any record across available dimensions, saving time on manual query creation and accelerating investigations.
For details, see Pivot results.