Role Availability | Read-Only | Investigator | Analyst | Manager |
This section displays the alarms, events, and files associated with the investigation.
Important: You can link up to 100 alarms and 100 events to each investigation.
You can click an alarm or an event to go to the alarm or event.
The asset name includes the icon if the asset is not in the system, or the icon if the asset has been added to the system.
Click the icon to access the following options. Your access to these options may vary based on your user role. See Role-Based Access Control (RBAC) in USM Anywhere for more information:
- Add to current filter: Use this option to add the asset name as a search filter. See Searching Events for more information.
- Find in events: Use this option to execute a search of the asset name in the Events page. See Searching Events for more information.
- Look up in OTX: This option searches the IP address of the source asset in the LevelBlue Labs Open Threat Exchange® (OTX™) page. See Using OTX in USM Anywhere for more information.
- Add asset to system: Use this option to create the asset in the system. See Adding Assets for more information.
Click the icon to access the following options. Your access to these options may vary based on your user role. See Role-Based Access Control (RBAC) in USM Anywhere for more information:
- Add to Current Filter: Use this option to add the asset name as a search filter. See Searching Events for more information.
- Find in Events: Use this option to execute a search of the asset name in the Events page. See Searching Events for more information.
- Look up in OTX: This option searches the IP address of the asset in the OTX page. See Using OTX in USM Anywhere for more information.
- Full Details: See Viewing Assets Details for more information.
- Assign Credentials: See Managing Credentials in USM Anywhere for more information.
- Authenticated Scan: Authenticated scans are performed from inside the machine using a user account with appropriate privileges. This option displays depending on the USM Anywhere Sensor associated with the asset. See Running Authenticated Asset Scans for more information.
- Scan with BlueApp: This option enables you to run an asset scan through a BlueApp. See Running Asset Scans Using a BlueApp for more information.
- Configuration Issues: A configuration of deployed software, or of software features in use, that has been identified as insecure. This option opens the Asset Details page with the Configuration Issues tab selected. See Viewing Assets Details for more information.
- Vulnerabilities: This option opens the Asset Details page. The Vulnerabilities tab is selected in the page. See Viewing Assets Details for more information.
- Alarms: This option opens the Asset Details page. The Alarms tab is selected in the page. See Viewing Assets Details for more information.
- Events: Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall. This option opens the Asset Details page. The Events tab is selected in the page. See Viewing Assets Details for more information.
To add an alarm to an investigation
- Go to Activity > Alarms.
- Search for the alarm you want to add to the investigation and select it. See Searching Alarms for more information.
- Click the icon and select an investigation. You can also create a new one. See Creating a New Investigation for more information.
- Click Save.
To add multiple alarms to an investigation
- Go to Activity > Alarms.
- Search for the alarms you want to add to the investigation and select them. See Searching Alarms for more information.
- Click Add to Investigation and select an investigation. You can also create a new one. See Creating a New Investigation for more information.
- Click Save.
To add an event to an investigation
- Go to Activity > Events.
- Search for the event that you want to add to the investigation and select it. See Searching Events for assistance.
- Click the icon and select an investigation. You can also create a new one. See Creating a New Investigation for more information.
- Click Save.
To remove an alarm or an event from an investigation
- Go to Activity > Alarms or Activity > Events, depending on whether you want to remove an alarm or an event.
- Locate the alarm or event that you want to remove from the investigation and select it. See Searching Events for assistance.
- Click the icon located in the Investigation field.
- Select the investigation from which you want to remove the link.
- Click Unlink From Investigation.
- In the confirmation dialog box, click Unlink.
When adding a file to an investigation, keep in mind these points:
- There is a maximum file size of 24 MB.
- There is a maximum number of five attachments per investigation.
To add a file to an investigation