Login
        Contents x
        View Investigations
        • 25 Sep 2025
        • 5 Minutes to read
        • PDF
        Contents

        View Investigations

        • Updated on 25 Sep 2025
        • 5 Minutes to read
        • PDF
        Article summary

        Use the Investigations page to view all the potential threats Red Canary has identified in your organization. You can drill down into individual Investigations to examine the leads or to review our Threat/non-threatening determination.

        The top level page uses five sortable columns of data to summarize the potential threats:

        • ID - The Investigation ID

        • Investigative Leads - The total number of leads in the Investigation, with a count showing how many have been reviewed by Red Canary to date

        • Originating Activity At - The date and time (UTC) for the lead that initiated the Investigation

        • Last Update - The date and time (UTC) of the most recent update to the Investigation

        • Resources - The identity or endpoint affected by the leads

        • Resulting Threats - A link to the published Threat (if any) that resulted from the Investigation

        Viewing Investigation Details

        You can examine the details for an individual Investigation by clicking on the Investigation ID.

        A summary at the top of the page describes the Investigation and provides a link to the Threat if one was published.

        The Investigation details are presented on four tabs:

        Overview Tab

        The Overview tab contains relevant information about the scope of the investigation, including affected identities and endpoints.

        The Related Identity panel shows summary of the identity, including network addresses and endpoint type. Click on the identity name to view additional details.

        The Affected Endpoint panel shows summary of the endpoint, including network addresses and endpoint type. Click on the endpoint name to view additional details. If you have the necessary permissions, you can use the button to contain a Threat directly from the Investigation. See Contain Threats with Network Isolation for more information.

        The Investigative Leads panel lists all the leads that comprise the Investigation. Click on the lead name to open the lead in the Investigative Leads tab (see below).

        The Detection Analytics panel includes a summary of how Red Canary detected the threat. This includes:

        • First Party intelligence: Red Canary intelligence based on threat research or previously confirmed threats

        • Red Canary Behavioral Analytic: Native Red Canary intelligence on known malicious behavior

        • Third Party intelligence: Intelligence obtained from third parties, including alerts

        • Targeted Product: Software identified as potentially unwanted

        • Process Memory Signature: Characteristics and metadata of a running process

        The Activity panel timeline indicates when each lead was added to the Investigation or when a Threat was published.

        Investigative Leads Tab

        The Investigative Leads tab shows the core of our analysis, providing detailed information about potentially threatening activities across the Endpoint, Cloud, and Identity domains. Each lead is an individual activity that our detectors identified as potentially suspicious or malicious.

        Within each lead, you can:

        • View enrichments, such as IP reputation

        • Inspect process, identity, and cloud metadata

        • Examine alert correlation details

        When we identify a lead as non-threatening, we’ll add a note available explaining how we came to that conclusion. If we get additional data to suggests there’s threatening activity occurring, this designation of “not a threat” may be updated accordingly.

        The Resource Context panel provides additional information about threats affecting similar endpoints or identities.

        First Time Detections
        We also clearly mark the first time a specific activity is identified in your environment using the tag. This provides helpful context around new activity, and plays an important part in our analysis process.

        Related Data Tab

        The Related Data tab shows the same data as the Related Data (By Query) tab (see below), but grouped by data type.

        Related Data (By Query) Tab

        The Related Data (By Query) tab shows the results of the second phase of enriching an Investigation, where Red Canary’s analysts run numerous queries against various data sources to find other possibly relevant security data. While there are many queries and enrichments we’re doing beyond what you’ll see here, these Related Data searches return results similar to the queries a SOC analyst would do in their SIEM or other data sources.

        Related Data can include:

        • Other Investigations associated with similar endpoints, identities, or detection analytics

        • Alerts associated with the same hostname or identity

        Note: The related data shows what was available at the time of investigation. You can refresh this data manually using the Refresh button.

        Filtering Investigations

        In addition to sorting the summary data on the the top level Investigations page, you can also use Search with filters to filter the list.

        Using the Search Box

        To manually build a filter:

        1. Enter your filter attributes in the Search with filters box. Note that you can click on the example searches in the UI to copy the text as a template.

        2. Press Enter to apply the filter.

        Note: Multiple attributes are applied with the AND logical operator, so each attribute further narrows the filter.

        For Investigations, the following filter attributes are available:

        Attribute Name

        Description

        Example

        Keywords

        Plain keyword filtering (with no attribute specified) works against certain text fields in the Investigation, for example identity and endpoint names. Unlike the defined attributes filters, keywords match on partial values.

        admin

        test.user

        ID

        Filter by Investigation ID (omit the # character)

        id:123

        Endpoint

        Filter by the current hostname, the sensor ID, or the Red Canary ID of the endpoint.

        endpoint:admin-pc

        endpoint:2000000001

        endpoint:123

        Identity

        Filter by the username, UID, or Red Canary ID of the endpoint.

        identity:test.user

        identity:S-1-5-3

        identity:123

        Result

        Filter events by the result. Possible values are:

        investigation

        no_threat_observed

        confirmed_threat

        result:no_threat_observed

        Last Update

        Filter by the date activity was last seen on this investigation.

        last_update:2025-09-21..

        Originating Activity At

        Filter by the date of the originating activity for this Investigation

        originating_activity_at:2025-09-21..

        Reporting Tags

        Filter by the "key":"value" reporting tags currently applied to an endpoint. Keys or tags with a space must be wrapped in double quotes, for example "Business Unit"

        endpoint_type:workstation

        "Business Unit":"Headquarters"

        "Business Unit":* (endpoints with this tag)

        "Business Unit":! (endpoints without this tag)

        Investigative Lead

        Filter by the investigative lead that is associated with an Investigation

        investigative_lead:123

        Detection Analytic

        Filter investigations by detection analytics

        detection_analytic:WIN-16HEX-EXE

        Resulting Threats

        Filter investigations by resulting threats. The THREAT- prefix is optional and you can use | to match multiple values.

        resulting_threats:THREAT-123

        resulting_threats:123|456

        Dates/Times
        Date-based attributes are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to filter for unbounded times. For example:

        • 2025-01-01.. matches on or after (>=) the from date

        • ..2025-01-01 matches on or before (<= the to date

        • 2025-01-01..2025-01-31 matches on or after (>=) the from date and on or before (<=) the to date

        Using the Filter Icon

        As an alternative to entering attributes manually in the Search with filters box, you can use the UI to create your filter attributes.

        1. Click the filter icon to show available options.

        2. Use the dropdowns and text boxes to define the filters.

        3. Click Apply Filters to build the filter string and apply it.

        Was this article helpful?
        What's Next
        Change password!
        Changing your password will log you out immediately. Use the new password to log back in.
        Change profile
        Success!
        First name must have atleast 2 characters. Numbers and special characters are not allowed.
        Last name must have atleast 1 characters. Numbers and special characters are not allowed.
        Enter a valid email
        Enter a valid password
        Your profile has been successfully updated.
        Logout