Investigation

Selecting the Investigation module on the navigation panel in Intelligence Hub will direct you to the Intelligence Hub > Investigation module on the Threat Command platform.

The Investigation module enables you to perform an in-depth investigation into known or suspicious threat actors, malware, CVEs (common vulnerabilities and exposures), or IOCs (indicators of compromise).

The module presents you with a graphical representation and enrichment information, for example, WHOIS history and passive DNS information, to help you connect the dots between known and potential threats and to correlate different sets of indicators.

You can see Threat Intelligence data for all indicators as well as Threat Command enriched data for searched indicators in both a graphic and text-only view.

In addition, you can add tags and comments to indicators. You can search for indicators that share a tag, enabling you to group indicators and then locate them together.

To investigate a search term or IOC:

  1. From the main menu, select Intelligence Hub > Investigation.
    In some threats and alerts, when an IOC is displayed, you can hover over the IOC to display a popover. You can start an investigation directly from there, too.
  2. Select what kind of indicator or user tag to search for:
    • IOC
    • Cyber Term
    • CVE
    • Tag
  3. In the search field, type a valid term.
  4. Press Enter. You can also select a previously searched term from the drop-down list or from History. Alternatively, you can search for a term in the IOCs Summary, or by clicking an IOC in any of the places where it’s listed in Threat Command.

The search term must be a valid IOC, an indicator (CVE, threat actor, malware, campaign, domain, URL, IP address, or file hash), or a user tag. Email address investigation is not supported.

Searching for a subdomain may yield different results than searching for a domain.
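The two notes above (which term kinds the search accepts, e-mail addresses being unsupported, and a subdomain search differing from a domain search) are the kind of thing an analyst usually wants checked before pasting a term into the search field. The following Python is an added example and not Threat Command's own validation code: it classifies a term by syntax, flags e-mail addresses as unsupported, and, for a subdomain, plans a second search on the registrable domain so both result sets are looked at. The regexes and the single-label public-suffix heuristic in `registrable_domain` are this example's assumptions; the Investigation module's actual acceptance rules are whatever the platform enforces.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Syntax patterns for the indicator kinds the Investigation search accepts.
# These regexes are this example's own approximations, not Threat Command's validators.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}$")


def classify_indicator(term: str) -> dict:
    """Classify a search term by syntax and say whether Investigation supports it.

    Returns {"type": ..., "supported": bool, "value": normalized term}.
    """
    value = term.strip()
    if not value:
        return {"type": "empty", "supported": False, "value": value}
    # URLs first, so a URL carrying user info is not mistaken for an e-mail address.
    if "://" in value:
        parsed = urlparse(value)
        if parsed.scheme and parsed.netloc:
            return {"type": "url", "supported": True, "value": value}
    # E-mail address investigation is not supported by the module.
    if EMAIL_RE.match(value):
        return {"type": "email", "supported": False, "value": value}
    if CVE_RE.match(value):
        return {"type": "cve", "supported": True, "value": value.upper()}
    if HEX_RE.match(value) and len(value) in HASH_LENGTHS:
        return {"type": "hash:" + HASH_LENGTHS[len(value)], "supported": True, "value": value.lower()}
    try:
        ip = ipaddress.ip_address(value)
        return {"type": "ipv%d" % ip.version, "supported": True, "value": str(ip)}
    except ValueError:
        pass
    if DOMAIN_RE.match(value.rstrip(".")):
        return {"type": "domain", "supported": True, "value": value.lower().rstrip(".")}
    # Threat actor, malware and campaign names cannot be validated offline; pass them
    # through as free-text names and let the platform decide whether it knows them.
    if NAME_RE.match(value):
        return {"type": "name", "supported": True, "value": value}
    return {"type": "unknown", "supported": False, "value": value}


def registrable_domain(hostname: str, suffix_labels: int = 1) -> str:
    """Strip subdomain labels down to the registrable domain.

    Heuristic assumption: the public suffix is one label (login.example.com -> example.com).
    Multi-label suffixes such as co.uk need the Public Suffix List; pass suffix_labels=2
    for those.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-(suffix_labels + 1):])


def plan_searches(term: str) -> list:
    """Build the list of Investigation search values to run for a term.

    A subdomain is searched as given and again as its registrable domain, because the
    two searches can return different results. Unsupported terms yield no searches.
    """
    info = classify_indicator(term)
    if not info["supported"]:
        return []
    searches = [info["value"]]
    if info["type"] == "domain":
        parent = registrable_domain(info["value"])
        if parent != info["value"]:
            searches.append(parent)
    return searches


if __name__ == "__main__":
    # Constructed sample terms (documentation/reserved values, not real indicators).
    for sample in ["login.example.com", "192.0.2.10", "CVE-2000-12345",
                   "d41d8cd98f00b204e9800998ecf8427e", "user@example.com"]:
        print(sample, "->", classify_indicator(sample)["type"], plan_searches(sample))
```

Run it with no arguments to see the classification and planned searches for the constructed samples; in practice you would feed it the term you are about to search and act on an empty plan (unsupported term) before opening the module.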

Investigation output includes the following sections:

  • The Map shows a graphical representation of the indicator.
  • The Overview panel shows information from Threat Intelligence and basic enrichment data.
  • The Enrichment tabs show further enrichment information.

See how to use the Investigation information in these topics: