Security Investigator concepts

Understand essential concepts and key terms for the Security Investigator app.

Case

A case is an investigation scenario that you can create to start investigating security incidents and perform threat hunting.

Once you create a case (in Security Investigator, select Add Case), you can build, rename, or delete it; switch between cases (all your changes are saved automatically); and share it with others.

You can create an unlimited number of investigation scenarios.

You can create a maximum of 100 nodes per case.

The maximum size of a case is 1 GB.

  • You can check the number of nodes and the size of a case on the Security Investigator home page. Each case card shows the case size and the number of queries.

Query tree

The query tree is a visual representation of your investigation history, designed to help you efficiently manage your query activities.

You can quickly

  • Navigate through your query history
  • Revisit executed query results
  • Enhance and run queries
  • Keep track of your investigation steps


How it works

A query tree is composed of:

Root node

The initial node created in the query tree when you execute your first DQL query.

Query node

Each time you modify and execute a DQL query, a new query node is added to the tree. A string of query nodes forms a query branch.

Query branch

A visual representation of your investigation path. It's made up of a string of query nodes. If you navigate to a previous query and then modify and execute it, a new query branch with a new query node is created from the respective query.

Whatever modifications you make in the query tree, the following elements are always preserved:

  • The integrity of the previously existing queries and results
  • The relations among queries
  • The context of the investigation

If you modify your query to a point where no further analysis is possible, you can navigate back in the tree to your last working query and continue your investigation from there. This creates a new branch in the query tree.
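The branching behaviour described above, as an added example that is not Dynatrace's code: a small model of a query tree in which every executed query becomes a node, revisiting an earlier node and executing from it forks a new branch, earlier results are never altered, and the 100-node limit is enforced. The query strings are only labels; `toy_executor` stands in for DQL execution by treating the first double-quoted literal as a substring filter over a few constructed log lines (an assumption, not DQL semantics), and the sample log lines are constructed.

```python
"""Toy model of the Security Investigator query tree (added example, not Dynatrace code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable, Optional

MAX_NODES_PER_CASE = 100  # limit stated on the page

# Constructed sample log records standing in for a log table.
SAMPLE_LOGS = (
    "sshd: Failed password for root from 203.0.113.7",
    "sshd: Accepted publickey for alice from 198.51.100.4",
    "sshd: Failed password for admin from 203.0.113.7",
    "cron: nightly backup finished",
)


def toy_executor(query: str) -> tuple[str, ...]:
    """Stand-in for DQL execution (assumption): the first double-quoted literal in
    the query is treated as a substring filter; a query without one returns all rows."""
    match = re.search(r'"([^"]*)"', query)
    if match is None:
        return SAMPLE_LOGS
    term = match.group(1)
    return tuple(line for line in SAMPLE_LOGS if term in line)


@dataclass
class QueryNode:
    node_id: int
    query: str
    result: tuple[str, ...]          # immutable tuple: stored results are never rewritten
    parent: Optional["QueryNode"] = None
    children: list["QueryNode"] = field(default_factory=list)


class QueryTree:
    """Each executed query becomes a child of the current node; executing after
    navigating back to an earlier node forks a new branch instead of altering it."""

    def __init__(self, executor: Callable[[str], tuple[str, ...]]) -> None:
        self._execute = executor
        self.nodes: list[QueryNode] = []
        self.root: Optional[QueryNode] = None
        self.current: Optional[QueryNode] = None

    def execute(self, query: str) -> QueryNode:
        if len(self.nodes) >= MAX_NODES_PER_CASE:
            raise RuntimeError(f"case limit of {MAX_NODES_PER_CASE} nodes reached")
        node = QueryNode(len(self.nodes) + 1, query, self._execute(query), parent=self.current)
        if self.current is None:
            self.root = node                  # the first query creates the root node
        else:
            self.current.children.append(node)
        self.nodes.append(node)
        self.current = node
        return node

    def navigate_to(self, node_id: int) -> QueryNode:
        """Revisit an earlier query; its stored result comes back untouched."""
        node = self.nodes[node_id - 1]
        self.current = node
        return node

    def branch_of(self, node: QueryNode) -> list[str]:
        """The investigation path (query branch) from the root down to `node`."""
        path = []
        while node is not None:
            path.append(node.query)
            node = node.parent
        return path[::-1]


def build_demo_tree() -> QueryTree:
    """Replays the workflow from the page: refine, hit a dead end, go back, branch."""
    tree = QueryTree(toy_executor)
    tree.execute("fetch logs")                                                          # node 1 (root)
    tree.execute('fetch logs | filter contains(content, "Failed password")')            # node 2: 2 rows
    tree.execute('fetch logs | filter contains(content, "Failed password for nobody")') # node 3: 0 rows, dead end
    tree.navigate_to(2)                                                                 # back to the last working query
    tree.execute('fetch logs | filter contains(content, "203.0.113.7")')                # node 4: new branch off node 2
    tree.navigate_to(1)
    tree.execute('fetch logs | filter contains(content, "Accepted")')                   # node 5: second branch off the root
    return tree


if __name__ == "__main__":
    t = build_demo_tree()
    for n in t.nodes:
        print(n.node_id, len(n.result), "rows:", " -> ".join(t.branch_of(n)))
```

Node 2 keeps its two rows after node 3 returns nothing and after node 4 is forked from it, which is the "integrity of previously existing queries and results" the section promises.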

For details about how to use the query tree, see Manage the query tree.

Evidence list

Evidence lists are collections of relevant log fragments and IP addresses that you save for later use.


Once you add evidence to the evidence lists, you can build filters for your query.

For details about how to manage evidence, see Manage evidence.

Reference time

Reference time adds the time perspective to keep track of the relative time between events you’re analyzing and the time when an incident occurred.

For details, see Define reference time.

Log pivoting

Log pivoting enables instant navigation and analysis of interconnected log data from any record across available dimensions, saving time on manual query creation and accelerating investigations.

For details, see Pivot results.

IP enrichment

IP enrichment adds external reputation data to IP addresses using trusted threat intelligence sources such as AbuseIPDB or VirusTotal. This provides additional context for faster triage and helps assess the relevance of IPs during investigations.

For details, see Enrich IP addresses.

Performance metrics correlation

Performance metrics correlation enables investigators to view system-level indicators—such as CPU, memory, or network usage—alongside log data. This helps identify whether performance anomalies align with security events and supports more precise root cause analysis.

For details, see Correlate logs with performance metrics.
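The two ideas from the Reference time and Performance metrics correlation sections, combined in one added example that is not Dynatrace's code: log records and CPU samples are bucketed into one-minute windows, windows whose CPU utilisation meets a threshold are paired with the log records that fall into them, and every timestamp is expressed relative to an assumed reference time. The CPU samples, log lines, threshold and reference time are all constructed for the example.

```python
"""Correlate log records with CPU samples around a reference time (added example, not Dynatrace code)."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def at(hour: int, minute: int, second: int = 0) -> datetime:
    """Helper for building constructed timestamps on a single day."""
    return datetime(2024, 5, 1, hour, minute, second, tzinfo=UTC)


# Assumed incident time used as the reference time; every event is shown relative to it.
REFERENCE_TIME = at(12, 4, 0)

# Constructed one-minute CPU samples (timestamp, utilisation in percent).
CPU_SAMPLES = [
    (at(12, 0), 18.0), (at(12, 1), 21.0), (at(12, 2), 19.5),
    (at(12, 3), 74.0), (at(12, 4), 91.0), (at(12, 5), 88.0), (at(12, 6), 23.0),
]

# Constructed log records (timestamp, content).
LOG_RECORDS = [
    (at(12, 0, 12), "sshd: Accepted publickey for alice from 198.51.100.4"),
    (at(12, 3, 5), "sshd: Failed password for root from 203.0.113.7"),
    (at(12, 3, 40), "sshd: Failed password for root from 203.0.113.7"),
    (at(12, 4, 2), "payment-api: request latency 4200 ms exceeds budget"),
    (at(12, 6, 30), "cron: nightly backup finished"),
]


def relative_offset(ts: datetime, reference: datetime = REFERENCE_TIME) -> str:
    """Express a timestamp relative to the reference time, e.g. 'T-55s' or 'T+60s'."""
    seconds = int((ts - reference).total_seconds())
    sign = "-" if seconds < 0 else "+"
    return f"T{sign}{abs(seconds)}s"


def window_start(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its time window."""
    epoch = datetime(1970, 1, 1, tzinfo=UTC)
    return epoch + window * ((ts - epoch) // window)


def correlate(samples, records, cpu_threshold=70.0, window=timedelta(minutes=1)):
    """For every window whose CPU sample meets the threshold, return the log records
    in the same window, each tagged with its offset from the reference time."""
    by_window = {}
    for ts, content in records:
        by_window.setdefault(window_start(ts, window), []).append((relative_offset(ts), content))
    hits = []
    for ts, cpu in samples:
        if cpu >= cpu_threshold:
            start = window_start(ts, window)
            hits.append({
                "window": start,
                "offset": relative_offset(start),
                "cpu": cpu,
                "logs": by_window.get(start, []),   # empty list: spike with no log activity
            })
    return hits


if __name__ == "__main__":
    for hit in correlate(CPU_SAMPLES, LOG_RECORDS):
        print(f"{hit['offset']:>7}  cpu={hit['cpu']:5.1f}%  {len(hit['logs'])} log record(s)")
        for offset, content in hit["logs"]:
            print(f"{'':>9}{offset:>7}  {content}")
```

The window at T-60s pairs the first CPU rise with the two failed logins, the window at T+0s pairs the peak with the latency record, and the window at T+60s shows a sustained spike with no log activity at all, which is exactly the case where the metric view adds context the logs alone cannot give.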
