View Investigations
- Updated on 25 Sep 2025
Use the Investigations page to view all the potential threats Red Canary has identified in your organization. You can drill down into individual Investigations to examine the leads or to review our Threat/non-threatening determination.
The top-level page uses five sortable columns of data to summarize the potential threats:
ID - The Investigation ID
Investigative Leads - The total number of leads in the Investigation, with a count showing how many have been reviewed by Red Canary to date
Originating Activity At - The date and time (UTC) for the lead that initiated the Investigation
Last Update - The date and time (UTC) of the most recent update to the Investigation
Resulting Threats - A link to the published Threat (if any) that resulted from the Investigation
Viewing Investigation Details
You can examine the details for an individual Investigation by clicking on the Investigation ID.
A summary at the top of the page describes the Investigation and provides a link to the Threat if one was published.
The Investigation details are presented on four tabs:
Overview Tab
The Overview tab contains relevant information about the scope of the investigation, including affected identities and endpoints.
The Related Identity panel shows a summary of the identity, including network addresses and endpoint type. Click on the identity name to view additional details.
The Affected Endpoint panel shows a summary of the endpoint, including network addresses and endpoint type. Click on the endpoint name to view additional details. If you have the necessary permissions, you can use the button to contain a Threat directly from the Investigation. See Contain Threats with Network Isolation for more information.
The Investigative Leads panel lists all the leads that comprise the Investigation. Click on the lead name to open the lead in the Investigative Leads tab (see below).
The Detection Analytics panel includes a summary of how Red Canary detected the threat. This includes:
First Party intelligence: Red Canary intelligence based on threat research or previously confirmed threats
Red Canary Behavioral Analytic: Native Red Canary intelligence on known malicious behavior
Third Party intelligence: Intelligence obtained from third parties, including alerts
Targeted Product: Software identified as potentially unwanted
Process Memory Signature: Characteristics and metadata of a running process
The Activity panel timeline indicates when each lead was added to the Investigation or when a Threat was published.
Investigative Leads Tab
The Investigative Leads tab shows the core of our analysis, providing detailed information about potentially threatening activities across the Endpoint, Cloud, and Identity domains. Each lead is an individual activity that our detectors identified as potentially suspicious or malicious.
Within each lead, you can:
View enrichments, such as IP reputation
Inspect process, identity, and cloud metadata
Examine alert correlation details
When we identify a lead as non-threatening, we’ll add a note explaining how we came to that conclusion. If we get additional data that suggests there’s threatening activity occurring, this designation of “not a threat” may be updated accordingly.
The Resource Context panel provides additional information about threats affecting similar endpoints or identities.
First Time Detections
We also clearly mark the first time a specific activity is identified in your environment using the tag. This provides helpful context around new activity, and plays an important part in our analysis process.
Related Data Tab
The Related Data tab shows the same data as the Related Data (By Query) tab (see below), but grouped by data type.
Related Data (By Query) Tab
The Related Data (By Query) tab shows the results of the second phase of enriching an Investigation, where Red Canary’s analysts run numerous queries against various data sources to find other possibly relevant security data. While there are many queries and enrichments we’re doing beyond what you’ll see here, these Related Data searches return results similar to the queries a SOC analyst would do in their SIEM or other data sources.
Related Data can include:
Other Investigations associated with similar endpoints, identities, or detection analytics
Alerts associated with the same hostname or identity
Note: The related data shows what was available at the time of investigation. You can refresh this data manually using the Refresh button.
Filtering Investigations
In addition to sorting the summary data on the top-level Investigations page, you can also use Search with filters to filter the list.
Using the Search Box
To manually build a filter:
Enter your filter attributes in the Search with filters box. Note that you can click on the example searches in the UI to copy the text as a template.
Press Enter to apply the filter.
Note: Multiple attributes are applied with the AND logical operator, so each attribute further narrows the filter.
For Investigations, the following filter attributes are available:
Attribute Name | Description
--- | ---
Keywords | Plain keyword filtering (with no attribute specified) works against certain text fields in the Investigation, for example identity and endpoint names. Unlike the defined attribute filters, keywords match on partial values.
ID | Filter by Investigation ID (omit the # character).
Endpoint | Filter by the current hostname, the sensor ID, or the Red Canary ID of the endpoint.
Identity | Filter by the username, UID, or Red Canary ID of the endpoint.
Result | Filter events by the result. Possible values are:
Last Update | Filter by the date activity was last seen on this Investigation.
Originating Activity At | Filter by the date of the originating activity for this Investigation.
Reporting Tags | Filter by the "key":"value" reporting tags currently applied to an endpoint. Keys or tags with a space must be wrapped in double quotes, for example
Investigative Lead | Filter by the investigative lead that is associated with an Investigation.
Detection Analytic | Filter Investigations by detection analytics.
Resulting Threats | Filter Investigations by resulting threats. The
Dates/Times
Date-based attributes are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to filter for unbounded times. For example:
- 2025-01-01.. matches on or after (>=) the from date
- ..2025-01-01 matches on or before (<=) the to date
- 2025-01-01..2025-01-31 matches on or after (>=) the from date and on or before (<=) the to date
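As an added example (not Red Canary's own code), the following Python parser implements the from..to syntax described above, including the open-ended forms and inclusive bounds, and evaluates it against constructed Investigation timestamps. Treating a value without an offset as UTC and letting a date-only to bound cover the whole day are assumptions, not something the page states.

```python
from datetime import datetime, timedelta, timezone

def _parse_bound(text: str, is_end: bool) -> datetime:
    # One side of a from..to range: an ISO 8601 date (YYYY-MM-DD) or date-time.
    # Assumptions not stated on the page: values without an offset are UTC, and
    # a date-only 'to' bound covers that whole day (<= 23:59:59.999999).
    ts = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if len(text) == 10 and is_end:
        ts = ts + timedelta(days=1) - timedelta(microseconds=1)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts

def parse_date_filter(value: str) -> tuple:
    # Accepts 'from..to', 'from..' or '..to' and returns (start, end),
    # where None on either side means unbounded.
    if ".." not in value:
        raise ValueError(f"expected from..to syntax, got {value!r}")
    left, right = value.split("..", 1)
    start = _parse_bound(left, is_end=False) if left else None
    end = _parse_bound(right, is_end=True) if right else None
    if start is None and end is None:
        raise ValueError("at least one of from/to must be given")
    if start and end and start > end:
        raise ValueError("from must not be after to")
    return start, end

def in_range(rng: tuple, ts: datetime) -> bool:
    # Both bounds are inclusive (>= from, <= to), as the syntax above describes.
    start, end = rng
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return (start is None or ts >= start) and (end is None or ts <= end)

# Constructed sample: Last Update timestamps (UTC) of three hypothetical Investigations.
SAMPLE_LAST_UPDATE = {
    "1001": datetime(2024, 12, 31, 23, 59, tzinfo=timezone.utc),
    "1002": datetime(2025, 1, 15, 10, 30, tzinfo=timezone.utc),
    "1003": datetime(2025, 1, 31, 14, 0, tzinfo=timezone.utc),
}

def matching_ids(date_filter: str) -> list:
    # IDs from the sample whose Last Update falls inside the parsed range.
    rng = parse_date_filter(date_filter)
    return sorted(i for i, ts in SAMPLE_LAST_UPDATE.items() if in_range(rng, ts))
```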
Using the Filter Icon
As an alternative to entering attributes manually in the Search with filters box, you can use the UI to create your filter attributes.
Click the filter icon to show available options.
Use the dropdowns and text boxes to define the filters.
Click Apply Filters to build the filter string and apply it.