Skip to main content
Sumo Logic

Investigation Tab

The Investigation tab presents the factors for an investigation and the history of the actions that have been taken on the investigation.  

This page describes the information and controls on the Investigation tab.

Open the Investigation tab

You open the Investigation tab for from the Burndown tab:

  • To open a unclaimed investigation click any blue link value in the Alert column for a New  investigation.
  • To open an investigation that is in progress, click the eye icon in the View column for an Open investigation.open-viewer.png

The Investigation tab opens.

viewer-annotated.png

Header fields

The table below describes each of the options in the header section of the Investigation tab labeled (1) in the screenshot above.

Field or Icon Description
Opened The date that the Investigation was claimed from the Burndown Queue.
Type Describes the nature of the problem to investigate, for instance “Malware Detected” or “Failed Password Attempts”. This is determined from the log data. 
Severity The severity of the investigation. For investigations that Investigation Workflow created for an alert event, the severity value is comes from the underlying log event.
Description
 
Blank by default. Click the pencil icon to provide a description. 
Assignee The user to whom the Investigation is currently assigned. Click the pencil icon to assign the Investigation to another user. 
Status The current status of the investigation. For a list of status values, see Investigation Status Values.

Query results 

This main pane of the Investigation tab, labeled (2) in the screenshot above, displays query results: factors that match the current pivot query. 

The top of the results area is shown below:

results-header.png

  • Paging controls. Use the forward and backwards controls to page forward and backwards through the query results.
  • Current time range. Shows the time range for the current pivot.
  • Link value. The link value for the current pivot (the link value you previously clicked.)
  • Actions. Displays a menu of actions you can perform on the currently selected events (factor, detail or raw).
    • Add to Investigation. Add the selected events to the current pivot as an evidence detail.
    • Add to Notes. Append the text of the selected factors, details, or raw events to the Notes.
    • View Detail. View the detail form of the selected events.
    • View Raw. View the raw form of the selected events.
  • Filter icon. You can limit the display to only those factors that contain a specific string of characters. Click on the funnel button and type in any string. Factors that do not contain that string will be hidden.
  • Columns. This option allows you to control which columns appear in the results table.
    • Time. Adds one or two timestamps in a column on the left-hand side of the factors. The timestamps reflect the earliest and latest events aggregated in that factor.
    • Count. Adds the count of events aggregated in that factor. 
    • Links. Adds one or more link values in the next column. These show the link values used in the query that retrieved those events. In complex pivots it can sometimes be useful to understand why each factor is being shown and how it’s related to the link value you pivoted on.
    • Source. Adds the name of the source log format(s) for each factor in a column on the right-hand side of factors. In complex pivots, it can sometimes be useful to understand the sensor or device that created an event.

Factors that match the current pivot are listed by factor type, such as Investigation, Alerts, Endpoint. The results of a query are the events whose duration overlaps the query range and that match the pivot query. For more information see Queries are chained by default.

If a pivot query includes more than one link value then all of the events that contain the link value are returned. The results will return the Alert factor for the log event that triggered the alert.

factor-columns.png
 
The table below describes the columns that appear for each factor.

Column Description
Time The date and time that event occurred. If there are multiple events with the same factor—in which case the value in the Count column will be greater than 1—this column shows the time range during which the events occurred. A timer range will also be shown for events that contain a start and end time. 

Dates and times in the query results are presented in the UTC time zone. 
Count The number of events that have the factor shown in the Factor column.
Event A factor that matches the current pivot query. 
Links The link values used in the query that retrieved those events. In complex pivots it can be useful to understand why each factor is being shown and how it’s related to the link value you pivoted on.
Source The name of the source log format(s) for the factor. In complex pivots, it can be useful to understand the sensor or device that created an event.

View raw event or event detail

The Event column on the Investigation tab presents the event in factor format. The factor view presents selected name-value pairs extracted from the event that identify the purpose and meaning of the event, as described in Factors are derived from an event dictionary.

When you mouse over a factor, a plus sign icon appears. 

factor-format-plus-icon.png

When you click the icon, the event display area expands to show the Details view. The screenshot below is the Details view of the factor shown above. The Details view presents all the name-value pairs that Investigation Workflow derived from the raw message, as described in Log data is transformed into an event dictionary.

event-format-options.png

You can click Raw to display the raw message or messages.

event-format-options-raw.png

Investigation status and history

The right side of the Investigation tab presents the history of the investigation:  recent status changes, investigation details, pivot history, and attached evidence and notes.

investigation-history.png
The table below describes the content of the investigation history pane.

Control or Content Description
Pivot button (1) You can use the pivot pulldown to change the contents of the investigation and history pane. You can select Notes to see information added to notes, Reports to see reports that have been generated, and Summary to view an investigation summary.
New pivot Icon (2)  Click the plus sign (+) to create a pivot query from scratch, as described on Create a Pivot from Scratch
Current status (3)  The most recent status change for the investigation, the timerange of the current pivot, and the current pivot query.
Status history (4) The status changes that have been made to the investigation.
Investigation details and factor (5)  The dates that the investigation was created and opened, its current status, and the alert factor for the investigation.