Overview
Investigating the activity of users, applications, and endpoints across your entire network can be extremely tedious and time-consuming. Blumira Investigate relieves the burden of unguided data analysis by intelligently correlating data points and surfacing hotspots of activity so you can focus on specific areas of interest to determine if an incident has already started, how far-reaching it is, and where remediation is needed.
Starting a new investigation
You can start an investigation either from a keyword search in the New Investigation window (Investigate > New Investigation) or from the evidence table included within a specific finding (Reporting > Findings).
To investigate a known entity, including users (usernames or email addresses), IP addresses, ports, or applications, do the following:
- Navigate to Investigate > New Investigation.
- In the search box, type the value you want to investigate.
- Click Submit.
To investigate data from a finding's evidence, do the following:
- In a finding's detail screen, click Details to expand and view the evidence.
- In the evidence table, click the cell of data you want to investigate.
- In the menu that appears, click Investigate in new window.
Editing the timeframe
To edit the timeframe of an investigation, do the following:
- In the Time Range menu, click one of the time range options or click Custom.
- In the Select Date Range window, edit the dates and times for the search.
- Click OK.
Filtering the results and viewing logs
To narrow the results of your search and drill down into the data, you can do any of the following:
- Beside the timeline chart, click User Events, System Events, or Traffic Events to include or exclude those data from the results.
- In the results table, click any available data filter, then click the check box next to the values you want to include or exclude from the results.
- In the results table, click a cell to open an action menu, then do one of the following:
  - Select either Include or Exclude to update the filters for the table.
  - Click View Logs to run a query in Report Builder and view the related logs, which may include additional fields that are not available in the investigation results.
Tip: To continue drilling into the data, you may need to adjust the time range and filters in Report Builder. See additional guidance in Using the Report Builder.
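To make the workflow in the three sections above concrete, here is a small Python model of it: pivot on an entity keyword, bound the search by time range, toggle the User/System/Traffic event categories, and apply per-field Include/Exclude filters, then summarize a column the way the results table's data filters do. This is example code written for this page, not Blumira's implementation or any Blumira API; the sample records, their field names (category, user, src_ip, dst_port, app, action), and the exact-match keyword semantics are assumptions made for illustration.

```python
"""Added example (not Blumira's code): a minimal model of the investigation
workflow -- entity pivot, time range, category toggles, include/exclude."""
from datetime import datetime, timezone

# Constructed sample records mimicking parsed log fields. The field names are
# assumptions for this example, not Blumira's schema.
SAMPLE_LOGS = [
    {"ts": "2024-05-01T08:00:00Z", "category": "User Events", "user": "jdoe",
     "src_ip": "10.0.0.5", "dst_port": 443, "app": "okta", "action": "login_success"},
    {"ts": "2024-05-01T08:05:00Z", "category": "User Events", "user": "jdoe",
     "src_ip": "203.0.113.9", "dst_port": 443, "app": "okta", "action": "login_failed"},
    {"ts": "2024-05-01T08:07:00Z", "category": "Traffic Events", "user": None,
     "src_ip": "203.0.113.9", "dst_port": 3389, "app": None, "action": "allow"},
    {"ts": "2024-05-01T09:30:00Z", "category": "System Events", "user": "jdoe",
     "src_ip": "10.0.0.5", "dst_port": None, "app": "windows", "action": "service_start"},
    {"ts": "2024-05-02T10:00:00Z", "category": "User Events", "user": "asmith",
     "src_ip": "10.0.0.7", "dst_port": 443, "app": "okta", "action": "login_success"},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_keyword(record, keyword):
    """Keyword search: the entity value equals any field value (case-insensitive).
    Ports are ints in the records, so compare on the string form."""
    kw = keyword.lower()
    return any(v is not None and kw == str(v).lower() for v in record.values())


def investigate(logs, keyword, start, end, categories=None, include=None, exclude=None):
    """Return the records an investigation of `keyword` would show.

    start/end  -- UTC datetimes bounding the search (the Time Range menu)
    categories -- set of event categories to keep; None keeps all (the chart toggles)
    include    -- {field: {values}}: keep only records whose field is in the set
    exclude    -- {field: {values}}: drop records whose field is in the set
    """
    include = include or {}
    exclude = exclude or {}
    results = []
    for r in logs:
        ts = parse_ts(r["ts"])
        if not (start <= ts <= end):
            continue
        if categories is not None and r["category"] not in categories:
            continue
        if not matches_keyword(r, keyword):
            continue
        if any(r.get(f) not in vals for f, vals in include.items()):
            continue
        if any(r.get(f) in vals for f, vals in exclude.items()):
            continue
        results.append(r)
    return results


def hotspots(results, field):
    """Count distinct values of one field, most frequent first: the summary a
    data-filter column offers before you click Include or Exclude."""
    counts = {}
    for r in results:
        v = r.get(field)
        if v is not None:
            counts[v] = counts.get(v, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    day = (parse_ts("2024-05-01T00:00:00Z"), parse_ts("2024-05-01T23:59:59Z"))
    hits = investigate(SAMPLE_LOGS, "jdoe", *day)
    print("jdoe on May 1:", len(hits), "records; source IPs:", hotspots(hits, "src_ip"))
    # Pivot: the unfamiliar IP seen in jdoe's events becomes the next keyword,
    # which also pulls in the Traffic Event that has no user field at all.
    pivot = investigate(SAMPLE_LOGS, "203.0.113.9", *day)
    print("pivot on 203.0.113.9:", [r["action"] for r in pivot])
```

The `hotspots` summary is where an investigation usually turns: a source IP that appears once among many known ones is the value you would click to Exclude the noise or to open a new investigation on that IP, and the pivot in the script shows why that matters, since the traffic record carrying the same IP has no username and would never surface in a user-keyed search.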
Understanding the data included in investigations
Investigations include data from most log types that Blumira collects, but some integrations are not yet available in the database used for investigations. More log types will be added over time; however, some integrations collect logs that remain unparsed and are therefore excluded from investigative searches.
Investigations do not include the following types of data:
- unparsed logs
- commands
- file names
Sharing your investigation results
You can easily share an investigation with members of your Blumira account by copying and pasting the entire URL from your browser's URL bar into a relevant finding's comment box or by sharing it via your preferred communication tool.