The Burndown tab is your entry point to Investigation Workflow—it presents a list of new and in-progress investigations ordered by severity.
This page describes the data and controls on the Burndown tab.
Open the Burndown tab
To open the Burndown tab, click New in the Sumo web app top menu bar, and select Burndown from the list of tab options.
The Burndown tab appears and presents a list of investigations. By default, all New and Open investigations are listed. You can click Burndowns to see a queue of unclaimed investigations, or Assigned to Me to list investigations you are working on.
What’s on the Burndown tab?
The table below describes the information presented for each investigation.
| Column | Description |
|---|---|
| View | This column appears when All or Assigned to Me is selected. For investigations that are in progress, this column contains an eye icon. You can click the icon to view the investigation. For investigations that have not been claimed, whose status is “New”, this column is empty. |
| Created | The date that the investigation was created. For investigations automatically created by Investigation Workflow, this is the date of the underlying log event. For investigations that were created from scratch, it is the date that the investigation was created. |
| Severity | The severity of the investigation. For investigations that Investigation Workflow created for an alert event, the severity value comes from the underlying log event. |
| Type | Describes the nature of the problem to investigate, for instance “Malware Detected” or “Failed Password Attempts”. This is determined from the log data. |
| Alert | Contains the Alert factor that Investigation Workflow derived from the underlying log event. If you click a blue link value in the factor, Investigation Workflow assigns the investigation to you, marks its status “Open”, and moves it out of the Burndown queue. |
| Status | The current status of the investigation. For a list of values, see Investigation Status Values. |
| Assignee | The user to whom the investigation is currently assigned. |
Text colors in the Investigation Workflow UI
The information shown in the Investigation Workflow UI is color-coded to indicate what you’re seeing and what you can do with it.
- Regular—Field names preserved from the original log message are shown in regular black font. Field values can provide context and meaning to what you’re seeing.
- Bold—Values preserved from the original log message are shown in bold. These values provide context that may be required to solve an investigation.
- Blue—Link values are shown in blue. You can click a link value to run a query for other factors that contain the same link value. If you want to edit the query before running it, shift-click the link value. For more information, see Modify a pivot query.
Change your view of the Burndown tab
By default, the tab lists investigations whose status is either New or Open and that were created on or after the currently selected date. Investigations are sorted by creation date. You can change what investigations appear in the following ways:
- View unclaimed investigations—Click Burndowns to view a list of investigations that have not yet been claimed. These are investigations whose status is New.
- View investigations assigned to you—Click Assigned to Me to see investigations currently assigned to you.
- View investigations for a different date—To change the time viewed, either click the calendar icon or type directly into the time fields. The Burndown tab displays investigations created starting at the specified time. The left and right arrow buttons at the top left of the page allow you to page forward and backward from that starting time.
- View investigations assigned to a different user—Select a user from the Assignee pulldown.
- View investigations by status—Select a status value from the Status pulldown. For a list of values, see Investigation Status Values.