This section displays the alarms, events, and files associated with the investigation.
Important: You can link up to 100 alarms and 100 events to each investigation.
You can click an alarm or an event to go to the alarm or event.
The asset name includes the icon if the asset is not in the system, or the icon if the asset has been added to the system.
Click the icon to access these options:
- Add to current filter: Use this option to add the asset name as a search filter. See Searching Events for more information.
- Find in events: Use this option to execute a search of the asset name in the Events page. See Searching Events for more information.
- Add asset to system: Use this option to create the asset in the system. See Adding Assets for more information.
- Look up in OTX: This option searches the IP address of the source asset in the AT&T Cybersecurity Alien Labs Open Threat Exchange® (OTX™) page. See Using OTX in USM Anywhere for more information.
Click the icon to access these options:
- Add to current filter: Use this option to add the asset name as a search filter. See Searching Events for more information.
- Find in events: Use this option to execute a search of the asset name in the Events page. See Searching Events for more information.
- Look up in OTX: This option searches the IP address of the asset in the AT&T Cybersecurity Alien Labs Open Threat Exchange® (OTX™) page. See Using OTX in USM Anywhere for more information.
- Full Details: See Viewing Assets Details for more information.
- Configure Asset: See Editing Assets for more information.
- Configure Asset Group: See Configuring an Asset Group for more information.
- Delete Asset: See Deleting the Assets for more information.
- Delete Asset Group: See Deleting an Asset Group for more information.
- Scan: Whether this option is displayed depends on the USM Anywhere Sensor associated with the asset. See Running Asset Scans for more information.
- Assign Credentials: See Managing Credentials in USM Anywhere for more information.
- Authenticated Scan: Whether this option is displayed depends on the USM Anywhere Sensor associated with the asset. Authenticated scans are performed from inside the machine using a user account with appropriate privileges. See Running Authenticated Asset Scans for more information.
- Configuration Issues: This option goes to the Asset Details page with the Configuration Issues tab selected. A configuration issue is an identified configuration of software that is deployed, or features of software that is in use, which is known to be insecure. See Viewing Assets Details for more information.
- Vulnerabilities: This option goes to the Asset Details page. The Vulnerabilities tab is selected in the page. See Viewing Assets Details for more information.
- Alarms: This option goes to the Asset Details page. The Alarms tab is selected in the page. See Viewing Assets Details for more information.
- Events: This option goes to the Asset Details page. The Events tab is selected in the page. An event is any traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall. See Viewing Assets Details for more information.

- Go to Activity > Alarms.
- Search for the alarms you want to add to the investigation and select them. See Searching Alarms for assistance.
- Click the icon and select an investigation. You can also create a new one. See Creating New Investigation for more information.
- Click Save.

- Go to Activity > Events.
- Search for the event that you want to add to the investigation and select it. See Searching Events for assistance.
- Click the icon and select an investigation. You can also create a new one. See Creating New Investigation for more information.
- Click Save.

- Go to Investigations.
- Locate the investigation in the Investigations list and select it.
- In the Evidence section, locate the alarm or the event that you want to remove from the investigation and click the icon.
- In the confirmation dialog box, click Remove.

- Go to Activity > Alarms or Activity > Events, depending on whether you want to remove an alarm or an event.
- Locate the alarm or event that you want to remove from the investigation and select it. See Searching Events for assistance.
- Click the icon located in the Investigation field.
- Select the investigation from which you want to remove the link.
- Click Unlink From Investigation.
- In the confirmation dialog box, click Unlink.

When adding a file to an investigation, keep in mind these points:
- There is a maximum file size of 24 MB.
- There is a maximum number of five attachments per investigation.
To add a file to an investigation
- Go to Investigations.
- Locate the investigation in the Investigations list and select it.
- In the Evidence section, click Select the file from your desktop.
- Select the file and click Open.
The file displays in the list.