Working an investigation

Cases unify correlated alerts, evidence, notes, handoffs and the decision trail.

Last updated 3/19/2026

An investigation is the unit of analyst work. It collects every signal that supports — or contradicts — a hypothesis about an incident.

What lives on a case

  • Linked alerts and the verdict that promoted them
  • Timeline events (correlations, evidence collection, analyst actions)
  • Analyst notes (internal SOC visibility by default)
  • Handoffs between analysts with summary, open questions and recommended next steps
  • Recommended response actions and their approval state
  • Generated briefs and compliance evidence references

Collaboration

Each investigation surfaces a collaboration panel for notes, assignments and handoffs. The activity stream records decision changes, status changes, assignments and approvals; every entry carries a timestamp and the name of the analyst who made the change, so the stream doubles as the case's audit trail.

Closing a case

Closing a case requires one of four decisions (true positive, false positive, duplicate, expected) together with a short written justification; a case cannot be closed without both. Once closed, the case record is immutable.
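The two rules above (an actor-timestamped activity stream, and a close step that demands a listed decision plus a justification and then freezes the record) are easy to get subtly wrong in a homegrown tracker. The following is an added illustration of those invariants in code; it is not the product's implementation, and the names `Case`, `ActivityEntry`, `CaseClosed` and `CLOSE_DECISIONS` are assumptions made for this example.

```python
"""Added example (not the product's code): a minimal case record whose every
change is logged with actor and timestamp, and which refuses all edits once
closed.  Class and field names are assumptions for illustration only."""
from dataclasses import dataclass
from datetime import datetime, timezone

# The four decisions the page lists as valid at close time.
CLOSE_DECISIONS = frozenset({"true positive", "false positive", "duplicate", "expected"})


@dataclass(frozen=True)
class ActivityEntry:
    at: datetime   # UTC time of the change
    actor: str     # analyst who made it
    kind: str      # "status", "link", "note", "assignment", "handoff", "decision"
    detail: str


class CaseClosed(Exception):
    """Raised on any attempt to modify a closed case."""


class Case:
    def __init__(self, case_id: str, opened_by: str):
        self.case_id = case_id
        self.status = "open"
        self.decision = None
        self.justification = None
        self.assignee = None
        self.alerts: list[str] = []
        self.notes: list[str] = []
        self.handoffs: list[dict] = []
        self.activity: list[ActivityEntry] = []
        self._record(opened_by, "status", "opened")

    # Every mutation goes through here, so the stream is complete by construction.
    def _record(self, actor: str, kind: str, detail: str) -> None:
        self.activity.append(ActivityEntry(datetime.now(timezone.utc), actor, kind, detail))

    def _require_open(self) -> None:
        if self.status == "closed":
            raise CaseClosed(f"{self.case_id} is closed; its record is immutable")

    def link_alert(self, actor: str, alert_id: str) -> None:
        self._require_open()
        self.alerts.append(alert_id)
        self._record(actor, "link", f"linked alert {alert_id}")

    def add_note(self, actor: str, text: str) -> None:
        self._require_open()
        self.notes.append(text)
        self._record(actor, "note", text)

    def assign(self, actor: str, assignee: str) -> None:
        self._require_open()
        self.assignee = assignee
        self._record(actor, "assignment", f"assigned to {assignee}")

    def handoff(self, actor: str, to: str, summary: str,
                open_questions: list[str], next_steps: list[str]) -> None:
        # A handoff carries the three things the page lists, then reassigns.
        self._require_open()
        self.handoffs.append({"from": actor, "to": to, "summary": summary,
                              "open_questions": list(open_questions),
                              "next_steps": list(next_steps)})
        self.assignee = to
        self._record(actor, "handoff", f"handed off to {to}: {summary}")

    def close(self, actor: str, decision: str, justification: str) -> None:
        self._require_open()
        if decision not in CLOSE_DECISIONS:
            raise ValueError(f"decision must be one of {sorted(CLOSE_DECISIONS)}")
        if not justification or not justification.strip():
            raise ValueError("a justification is required to close a case")
        self.decision = decision
        self.justification = justification.strip()
        self._record(actor, "decision", f"{decision}: {self.justification}")
        self.status = "closed"          # set last, after the final activity entry
        self._record(actor, "status", "closed")


if __name__ == "__main__":
    c = Case("CASE-0001", "alice")       # constructed sample data
    c.link_alert("alice", "ALR-42")
    c.handoff("alice", "bob", "likely scanner", ["source ASN?"], ["check vuln-mgmt allowlist"])
    c.close("bob", "false positive", "matches scheduled vuln-mgmt scan window")
    for e in c.activity:
        print(e.at.isoformat(), e.actor, e.kind, e.detail)
```

Two design points worth noting: all state changes funnel through `_record`, so nothing can be edited without leaving an entry, and `status` flips to `closed` only after the closing decision has itself been logged, so the last two entries in a closed case's stream are always the decision and the close.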
