When unusual activity triggers an alert, investigations are opened automatically. Investigations are an aggregate of the applicable alert data in a single place and are closely tied to Alerts and Threats. As long as an investigation remains open, any new alerts or notable behaviors that are related to the type of alert that triggered the investigation and have the same key will be added to the existing investigation, rather than create a new investigation. For more information about alert keys, see Investigations created by alerts.

You can also manually create an investigation in response to an incident. Learn how to Create and Manage Investigations.

You can Add Data to Investigations such as logs or forensics job data to an investigation to contextualize it, or you can configure Scheduled Forensics when you need to preemptively investigate a user or asset.

Investigation Timeline

Below the graph is the list of investigations with additional details. Click into an investigation to see all available details about it, including the users and assets involved.