When unusual activity triggers an alert, Investigations are opened automatically. Investigations are an aggregate of the applicable alert data in a single place and are closely tied to Alerts and Threats. Investigations poll for updates in real-time, so any new alerts or notable behaviors will automatically show up on the Investigations timeline.

InsightIDR allows you to start Investigations into the incident. Learn how to Create and Manage Investigations.

You can Add Data to Investigations such as logs or forensics job data to an investigation to contextualize it, or you can configure Scheduled Forensics when you need to preemptively investigate a user or asset.

Investigation Timeline

Below the graph is the list of investigations with additional details. Click into an Investigation to see all available details about it, including the users and assets involved.