Skip to main content
Sumo Logic

Factor Types, Link Value Types, and Investigation Status Values

Definitions of factor and link value types, and investigation status values.

This page is a reference to factor types, link value types, and investigation status values.

Factor types

The table below describes the types of factors that Investigation Workflow derives from events.

Factor Type Description
Alert Information about events that describe an incident such as correlation events from a SIEM, an alarm from a network monitoring service, or an alert from a device.
Application Information about events that describe interactions with application services on the network. such as database requests or web requests.
Endpoint Information about events that identify particular devices or describe changes to those devices such as DHCPack (which binds a MAC address to an IP address), reboot, software install, or storage attachment.
Identity Information about events that reveal which users were associated with authentication events, such as VPN, Radius, OpenID, and OAuth events.
Investigation If more than one investigation contains queries for the same data close to the same times, investigations other than the current one that contain these same queries appear in this section. This is useful to see if a particular link value is causing multiple alerts, or to see if other analysts are investigating the same link values.
Network Information about events that describe the transmission of data across the network such as network translation and firewall transit.
Operational Information about events related to a host, app, or user but not tied to a specific transaction such os OS reboots.
Threat Information about suspected threats such as external databases (emergingthreats.net, and so on), or suspicious behavior flagged by IDS threat detection (PAN firewall), UBA, or other devices.

Link value types

These are the supported link values types: 

  • IP address
  • Host Name
  • MAC Address
  • File
  • URL
  • Hash
  • User
  • Registry Key
  • Network 
  • Pivot
  • Geo Location 

Investigation status values

At each point throughout the investigation workflow an Investigation has a status. Each status is defined in the table below. The Following Statuses column lists the next status values that an investigation can have.

Status Description Following Statuses
New Investigation has not been opened. Open, Closed, Duplicate, Dropped
Open Investigation has been opened and is in progress. Closed, Escalated, Shelved, Duplicate, Dropped
Escalated Investigation has been escalated to a higher support tier. Closed, Shelved, Duplicate, Dropped
Shelved Investigation is stalled or is missing important information. Open, Escalated, Closed, Duplicate, Dropped
Closed   Investigation has been resolved and is closed. Reopened
Reopened Investigation was closed, but has been reopened. Closed, Escalated, Shelved, Dropped
Duplicate Investigation is a duplicate of another investigation. Reopened
Dropped Investigation was dropped or abandoned. Reopened