Investigating the activity of users, applications, and endpoints across your entire network can be extremely tedious and time-consuming. Blumira Investigate relieves the burden of unguided data analysis by intelligently surfacing hotspots or patterns of activity so you can focus on specific areas of interest to determine if an incident has already started or is likely to occur.
Starting a new investigation
To begin an investigation about a known entity, do the following:
- In the app, navigate to Investigate > New Investigation.
- In the search box, type the value you want to investigate.
- Click Investigate.
Editing the timeframe
To edit the timeframe of an investigation, do either of the following:
- Below the timeline, click one of the quick filter buttons to view only the past day, week, or 30 days.
- On the timeline, drag the slider left or right to change the start and end times of the investigation.
Note: The page refreshes automatically, but it can take a couple of seconds to load the new results.
Filtering the results
To narrow the results of your search and drill down into the data, do either of the following:
- Below the timeline chart, click the User, Endpoint, Traffic, or Application category to include or exclude that type of data from the results.
- In the results table, click any of the available filters, then click the check box next to the value or values that you want to include or exclude from the results.
Understanding the data included in investigations
Investigations include up to one year of data by default. Searching or analyzing data older than a year requires using Report Builder.
Investigations do not include the following types of data:
- unparsed logs
- file names
Sharing your investigation results
You can easily share an investigation with members of your Blumira account by copying and pasting the entire URL from your browser's URL bar into a relevant finding's comment box or by sharing it via your preferred communication tool.