# Investigations

## What You’ll See Here
### Investigations by priority
Tabs showing Dropzone's recommendation on what to review first:
- Urgent
- Notable
- Informational

These priority levels can be influenced using Custom Strategies.
### Not yet processed investigation status
- Queued - Alerts that have been ingested by Dropzone and are waiting to be investigated. This stage is used when there are already 10 investigations running at once (the current system limit).
- Running - Alerts that are currently being investigated by your Dropzone analyst.
- Stopped - Alerts that have been ingested but not investigated by Dropzone for a variety of reasons, such as exceeding thresholds set in System Info or encountering an error. To investigate these alerts, click Stopped and then Retry. Stopped alerts do not count against your license.

Best practice: Want to know when an investigation is stopped? Work with your Dropzone team member to set up a notification Response Action.
Below the investigation priority tabs are filters and a search bar that let you narrow the view to only the investigations you want to see. Filters are of the following types:
- Review Status - Dropzone learns by reviewing investigations. This filter shows how many you have reviewed.
- Conclusion - The goal of Dropzone is to provide accurate conclusions. Fine-tuning allows you to influence how this happens.
- Insight Tag - Insights about the content of the investigation, added by the analyst during an investigation.
- Alert Type
- MITRE Tactic
- Attack Surface
- Source

Dropzone saves your last session when you exit, so you can continue your work where you left off instead of having to add filters every time.
### List of Alerts meeting filter criteria
Below the filters are all alerts matching the search criteria that have been specified. The summary of alerts shows important information about each alert, including the date/time, the title, entities involved, source of the alert, initial Conclusion, and priority.
- Alert Title - The Alert Title is a link that opens the detailed view of the investigation.
- Conclusion - This can be changed directly from the summary page by clicking the dropdown. This works just like changing the conclusion from the detail page.
- Priority - This can be changed directly from the summary page by clicking the dropdown. This works just like changing the priority from the detail page.
### Full investigation write-ups
Click into any investigation to see the detailed view:
- The overall Summary
- Detailed investigative context in Findings
- Supporting artifacts in the Evidence Locker
- Recommended Remediations (for Malicious, Suspicious, and Inconclusive alerts only)
- A Notes section for team collaboration
- A Changelog showing the full investigation lifecycle from ingestion to approval

Best practice: Check out our guides on how to review an investigation and leave context memory.