The Investigation module enables you to perform an in-depth investigation into known or suspicious threat actors, malware, CVEs, or indicators of compromise (IOCs).
The module presents you with a graphical representation and enrichment information, for example, WHOIS history and passive DNS info, to help you connect the dots between known and potential threats and to correlate between different sets of indicators.
You can see Threat Intelligence data for all indicators as well as Threat Command enriched data for searched indicators in both a graphic and text-only view.
In addition, you can add tags and comments to indicators. You can search for indicators that share a tag, enabling you to group indicators and then locate them together.
To investigate a search term or IOC:
- From the main menu, select TIP > Investigation.
TIP: In some threats and alerts, when an IOC is displayed, you can hover over the IOC to display a popover. You can start an investigation directly from there, too.
- Select what kind of indicator or user tag to search for:
- In the search field, type a valid term.
- Press Enter.
You can also select a previously searched term from the drop-down list or from History.
Alternatively, you can search a term in the TIP > Dashboard or by clicking an IOC in any of the places where it’s listed in Threat Command.
The search term must be a valid IOC, an indicator (CVE, threat actor, malware, campaign, domain, URL, IP address, or file hash), or a user tag. Email address investigation is not supported.
Searching for a subdomain may yield different results than searching for a domain.
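To make the accepted-term rule above concrete, here is an added Python helper (not part of Threat Command or its API) that classifies a search term the way the rule describes it: syntactic indicators (CVE, IP address, file hash, URL, domain, subdomain) are recognised, email addresses are rejected, and anything else is passed through as a name or user tag. The indicator values used are constructed examples.

```python
import re
from ipaddress import ip_address

# Syntactic checks for the indicator kinds the Investigation search accepts.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^(?=.{{1,253}}$){LABEL}(\.{LABEL})+$")


def classify_search_term(term: str) -> str:
    """Classify a term the way the Investigation search rule treats it.

    Returns one of: cve, ip, hash:<algo>, url, domain, subdomain,
    name_or_tag (threat actor, malware, campaign or user tag, which
    cannot be validated syntactically) or unsupported.
    """
    t = term.strip()
    if not t:
        return "unsupported"
    if CVE_RE.match(t):
        return "cve"
    try:
        ip_address(t)
        return "ip"
    except ValueError:
        pass
    if HEX_RE.match(t) and len(t) in HASH_NAMES:
        return "hash:" + HASH_NAMES[len(t)]
    if URL_RE.match(t):
        return "url"
    if "@" in t:
        # Email address investigation is not supported by the module.
        return "unsupported"
    if DOMAIN_RE.match(t):
        # Heuristic (assumption): more than one dot means a subdomain, which the
        # module may resolve differently from the registered domain. Multi-part
        # public suffixes such as co.uk are not handled (no suffix list offline).
        return "subdomain" if t.count(".") > 1 else "domain"
    return "name_or_tag"


if __name__ == "__main__":
    # Constructed sample terms; "CVE-2024-12345" is a placeholder id, not a real advisory.
    for sample in ["CVE-2024-12345", "192.0.2.1", "nba.com", "www.nba.com",
                   "analyst@example.com", "Example Actor Name"]:
        print(f"{sample!r:>28} -> {classify_search_term(sample)}")
```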
The following figure shows search results for the indicator nba.com:
Investigation output is shown in the following sections:
- The Map shows a graphical representation of the indicator.
- The Overview panel shows information from Threat Intelligence and basic enrichment data.
- The Enrichment tabs show further enrichment.
See how to use the Investigation information in these topics: