Investigation Workflow
Filter and prioritize
From the Command Dashboard, use filters to surface the highest-priority incidents. Sort by severity (High → Low) and work incidents in New status first, so that unowned high-severity incidents are picked up before anything else.
Assign the incident
Click the incident to open it. Click Assign and select the analyst who will own the investigation. Assignment creates accountability and prevents duplicate work.
Review the incident summary
The incident detail view shows the alert title, severity, affected entities, MITRE ATT&CK mapping, and a timeline of related events.
Explore the Entity Context Graph
Open the Workbench to visualize all affected entities — users, devices, IPs, files, and URLs — and their relationships.
Check Entity Insights
Click on any entity to view Entity Insights — sign-in logs, device timelines, threat intelligence enrichment, and correlated incidents.
Respond with Gamebooks
If response is needed, build and run a Gamebook directly from the Workbench. Select actions per entity and execute with one click. Confirm the selected entities and actions before executing: containment actions are disruptive if applied to the wrong entity, and one click runs them all.
Classify and close
Once investigation and response are complete, classify the incident with the appropriate determination and close it. The determination stays on the incident record together with the comments, so choose it deliberately rather than closing with a placeholder.
Tips for Efficient Investigation
- Start with the Entity Context Graph — it immediately shows you the blast radius
- Check for related incidents — Entity Insights will show other incidents involving the same entities
- Use Gamebooks for response — don’t switch to separate consoles for containment actions
- Document your findings — add comments to the incident as you go so the audit trail records what was checked and why
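The following is an added illustration, not the product's own code or API: it models the workflow above (prioritize, assign, blast radius from the entity graph, related incidents via shared entities, classify and close) on a constructed incident queue and entity graph. The incident fields, the severity and status values, the determination names, and all sample data are assumptions made for the example. It goes slightly beyond the page by limiting the blast-radius walk to a fixed number of hops, which is how an analyst would bound a large graph.

```python
"""Minimal triage model of the investigation workflow (added example, constructed data)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Assumed rank tables: lower sorts first.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}
STATUS_RANK = {"New": 0, "Active": 1, "Closed": 2}
DETERMINATIONS = {"true_positive", "false_positive", "benign"}  # assumed set


@dataclass
class Incident:
    id: str
    title: str
    severity: str
    status: str
    created: int                      # constructed ordering key (epoch seconds)
    entities: frozenset               # entity ids such as "user:alice", "device:wks-07"
    assignee: Optional[str] = None
    determination: Optional[str] = None
    comments: list = field(default_factory=list)  # the audit trail


def prioritize(incidents):
    """Queue order: High before Low, New before Active/Closed, then oldest first."""
    return sorted(incidents, key=lambda i: (SEVERITY_RANK[i.severity],
                                            STATUS_RANK[i.status], i.created))


def assign(incident, analyst):
    """Give the incident an owner; refuse if it already has one (no duplicate work)."""
    if incident.assignee is not None:
        return False
    incident.assignee = analyst
    incident.status = "Active"
    incident.comments.append(f"assigned to {analyst}")
    return True


def blast_radius(graph, seeds, max_hops=2):
    """Breadth-first walk from the incident's entities over an undirected graph
    {entity: set(neighbours)}. Returns {entity: hops from nearest seed} within max_hops."""
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for nxt in graph.get(cur, ()):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def related_incidents(incident, incidents):
    """Other incidents that involve at least one of the same entities."""
    return [o for o in incidents if o.id != incident.id and o.entities & incident.entities]


def close(incident, determination, note):
    """Classify and close; an unrecognised determination is rejected, the note is logged."""
    if determination not in DETERMINATIONS:
        raise ValueError(f"unknown determination: {determination}")
    incident.determination = determination
    incident.status = "Closed"
    incident.comments.append(f"closed as {determination}: {note}")
    return incident


# Constructed sample data: a small entity relationship graph and four incidents.
GRAPH = {
    "user:alice": {"device:wks-07", "ip:203.0.113.5"},
    "device:wks-07": {"user:alice", "file:a1b2.exe", "url:example.test/login"},
    "ip:203.0.113.5": {"user:alice", "user:bob"},
    "user:bob": {"ip:203.0.113.5", "device:wks-12"},
    "device:wks-12": {"user:bob"},
    "file:a1b2.exe": {"device:wks-07"},
    "url:example.test/login": {"device:wks-07"},
}
INCIDENTS = [
    Incident("INC-1001", "Suspicious sign-in", "Medium", "New", 100, frozenset({"user:alice", "ip:203.0.113.5"})),
    Incident("INC-1002", "Malware detected", "High", "Active", 90, frozenset({"device:wks-07", "file:a1b2.exe"})),
    Incident("INC-1003", "Credential phishing URL", "High", "New", 120, frozenset({"url:example.test/login", "device:wks-07"})),
    Incident("INC-1004", "Impossible travel", "Low", "New", 80, frozenset({"user:bob"})),
]


def run_workflow(incidents=INCIDENTS, graph=GRAPH, analyst="analyst1"):
    """Walk the workflow end to end for the top incident and return what each step found."""
    queue = prioritize(incidents)
    top = queue[0]
    assign(top, analyst)
    radius = blast_radius(graph, top.entities)
    related = [r.id for r in related_incidents(top, incidents)]
    close(top, "true_positive", f"related={related}")
    return {"queue": [i.id for i in queue], "top": top.id, "radius": radius,
            "related": related, "status": top.status, "comments": top.comments}


if __name__ == "__main__":
    for key, value in run_workflow().items():
        print(key, value)
```

With the constructed data, INC-1003 (High, New) sorts ahead of INC-1002 (High, Active); its blast radius reaches user:alice and file:a1b2.exe in one hop and ip:203.0.113.5 in two, while user:bob stays outside the two-hop bound; INC-1002 is surfaced as related because it shares device:wks-07.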