View Investigations
    • 25 Sep 2025
    • 5 Minutes to read

    Article summary

    Use the Investigations page to view all the potential threats Red Canary has identified in your organization. You can drill down into an individual Investigation to examine its leads or to review our determination of whether it is a Threat or non-threatening.

    The top level page uses five sortable columns of data to summarize the potential threats:

    • ID - The Investigation ID

    • Investigative Leads - The total number of leads in the Investigation, with a count showing how many have been reviewed by Red Canary to date

    • Originating Activity At - The date and time (UTC) for the lead that initiated the Investigation

    • Last Update - The date and time (UTC) of the most recent update to the Investigation

    • Resources - The identity or endpoint affected by the leads

    • Resulting Threats - A link to the published Threat (if any) that resulted from the Investigation

    Viewing Investigation Details

    You can examine the details for an individual Investigation by clicking on the Investigation ID.

    A summary at the top of the page describes the Investigation and provides a link to the Threat if one was published.

    The Investigation details are presented on four tabs:

    Overview Tab

    The Overview tab contains relevant information about the scope of the investigation, including affected identities and endpoints.

    The Related Identity panel shows a summary of the identity, including network addresses and endpoint type. Click on the identity name to view additional details.

    The Affected Endpoint panel shows a summary of the endpoint, including network addresses and endpoint type. Click on the endpoint name to view additional details. If you have the necessary permissions, you can use the button to contain a Threat directly from the Investigation. See Contain Threats with Network Isolation for more information.

    The Investigative Leads panel lists all the leads that comprise the Investigation. Click on the lead name to open the lead in the Investigative Leads tab (see below).

    The Detection Analytics panel includes a summary of how Red Canary detected the threat. This includes:

    • First Party intelligence: Red Canary intelligence based on threat research or previously confirmed threats

    • Red Canary Behavioral Analytic: Native Red Canary intelligence on known malicious behavior

    • Third Party intelligence: Intelligence obtained from third parties, including alerts

    • Targeted Product: Software identified as potentially unwanted

    • Process Memory Signature: Characteristics and metadata of a running process

    The Activity panel timeline indicates when each lead was added to the Investigation or when a Threat was published.

    Investigative Leads Tab

    The Investigative Leads tab shows the core of our analysis, providing detailed information about potentially threatening activities across the Endpoint, Cloud, and Identity domains. Each lead is an individual activity that our detectors identified as potentially suspicious or malicious.

    Within each lead, you can:

    • View enrichments, such as IP reputation

    • Inspect process, identity, and cloud metadata

    • Examine alert correlation details

    When we identify a lead as non-threatening, we’ll add a note explaining how we came to that conclusion. If we receive additional data suggesting that threatening activity is occurring, this “not a threat” designation may be updated accordingly.

    The Resource Context panel provides additional information about threats affecting similar endpoints or identities.

    First Time Detections

    We also clearly mark the first time a specific activity is identified in your environment using the tag. This provides helpful context around new activity, and plays an important part in our analysis process.

    Related Data Tab

    The Related Data tab shows the same data as the Related Data (By Query) tab (see below), but grouped by data type.

    Related Data (By Query) Tab

    The Related Data (By Query) tab shows the results of the second phase of enriching an Investigation, where Red Canary’s analysts run numerous queries against various data sources to find other possibly relevant security data. While there are many queries and enrichments we’re doing beyond what you’ll see here, these Related Data searches return results similar to the queries a SOC analyst would do in their SIEM or other data sources.

    Related Data can include:

    • Other Investigations associated with similar endpoints, identities, or detection analytics

    • Alerts associated with the same hostname or identity

    Note: The related data shows what was available at the time of investigation. You can refresh this data manually using the Refresh button.

    Filtering Investigations

    In addition to sorting the summary data on the top level Investigations page, you can also use Search with filters to filter the list.

    Using the Search Box

    To manually build a filter:

    1. Enter your filter attributes in the Search with filters box. Note that you can click on the example searches in the UI to copy the text as a template.

    2. Press Enter to apply the filter.

    Note: Multiple attributes are applied with the AND logical operator, so each attribute further narrows the filter.

    For Investigations, the following filter attributes are available:

    Attribute: Keywords
    Description: Plain keyword filtering (with no attribute specified) works against certain text fields in the Investigation, for example identity and endpoint names. Unlike the defined attribute filters, keywords match on partial values.
    Examples:
      admin
      test.user

    Attribute: ID
    Description: Filter by Investigation ID (omit the # character).
    Example:
      id:123

    Attribute: Endpoint
    Description: Filter by the current hostname, the sensor ID, or the Red Canary ID of the endpoint.
    Examples:
      endpoint:admin-pc
      endpoint:2000000001
      endpoint:123

    Attribute: Identity
    Description: Filter by the username, UID, or Red Canary ID of the identity.
    Examples:
      identity:test.user
      identity:S-1-5-3
      identity:123

    Attribute: Result
    Description: Filter Investigations by their result. Possible values are:
      investigation
      no_threat_observed
      confirmed_threat
    Example:
      result:no_threat_observed

    Attribute: Last Update
    Description: Filter by the date activity was last seen on this Investigation.
    Example:
      last_update:2025-09-21..

    Attribute: Originating Activity At
    Description: Filter by the date of the originating activity for this Investigation.
    Example:
      originating_activity_at:2025-09-21..

    Attribute: Reporting Tags
    Description: Filter by the "key":"value" reporting tags currently applied to an endpoint. Keys or tags containing a space must be wrapped in double quotes, for example "Business Unit".
    Examples:
      endpoint_type:workstation
      "Business Unit":"Headquarters"
      "Business Unit":* (endpoints with this tag)
      "Business Unit":! (endpoints without this tag)

    Attribute: Investigative Lead
    Description: Filter by the investigative lead that is associated with an Investigation.
    Example:
      investigative_lead:123

    Attribute: Detection Analytic
    Description: Filter Investigations by detection analytic.
    Example:
      detection_analytic:WIN-16HEX-EXE

    Attribute: Resulting Threats
    Description: Filter Investigations by resulting Threats. The THREAT- prefix is optional, and you can use | to match multiple values.
    Examples:
      resulting_threats:THREAT-123
      resulting_threats:123|456

    Dates/Times

    Date-based attributes are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to filter for unbounded times. For example:

    • 2025-01-01.. matches on or after (>=) the from date

    • ..2025-01-01 matches on or before (<=) the to date

    • 2025-01-01..2025-01-31 matches on or after (>=) the from date and on or before (<=) the to date
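    As an added illustration of the filter grammar described above (attribute:value terms combined with AND, partial-match keywords, from..to date ranges with either side omitted, the optional THREAT- prefix with | alternation, and quoted reporting-tag keys with the * and ! forms), the following Python models that syntax against a handful of constructed Investigation rows. It is example code written for this page, not Red Canary's parser or API: the row layout, field names and sample values are assumptions, keywords are assumed to match only hostname and username, and only ISO 8601 dates (not full date-times) are handled.

```python
"""Model of the Investigations search-box filter syntax (added example,
not Red Canary's own code). Row layout and sample data are constructed."""
import shlex
from datetime import date

# Constructed sample rows standing in for the Investigations page.
INVESTIGATIONS = [
    {"id": 123,
     "endpoint": {"hostname": "admin-pc", "sensor_id": "2000000001", "rc_id": 11},
     "identity": {"username": "test.user", "uid": "S-1-5-3", "rc_id": 45},
     "result": "confirmed_threat",
     "last_update": date(2025, 9, 22), "originating_activity_at": date(2025, 9, 20),
     "tags": {"endpoint_type": "workstation", "Business Unit": "Headquarters"},
     "resulting_threats": [123], "detection_analytics": ["WIN-16HEX-EXE"],
     "leads": [501, 502]},
    {"id": 124,
     "endpoint": {"hostname": "build-01", "sensor_id": "2000000002", "rc_id": 12},
     "identity": {"username": "svc.ci", "uid": "S-1-5-21-100", "rc_id": 46},
     "result": "no_threat_observed",
     "last_update": date(2025, 9, 10), "originating_activity_at": date(2025, 9, 9),
     "tags": {"endpoint_type": "server"},
     "resulting_threats": [], "detection_analytics": ["WIN-PSEXEC"],
     "leads": [503]},
    {"id": 125,
     "endpoint": {"hostname": "admin-laptop", "sensor_id": "2000000003", "rc_id": 13},
     "identity": {"username": "jane.admin", "uid": "S-1-5-21-200", "rc_id": 47},
     "result": "investigation",
     "last_update": date(2025, 9, 25), "originating_activity_at": date(2025, 9, 24),
     "tags": {"endpoint_type": "workstation", "Business Unit": "Field"},
     "resulting_threats": [456], "detection_analytics": ["WIN-16HEX-EXE"],
     "leads": [504]},
]

# Attributes that use the from..to date-range syntax.
DATE_ATTRS = {"last_update", "originating_activity_at"}


def parse_filter(text):
    """Split search-box text into (attribute, value) terms.
    A bare word becomes ('keyword', word). shlex keeps a quoted key such as
    "Business Unit":"Headquarters" together as one token, quotes removed."""
    terms = []
    for token in shlex.split(text):
        key, sep, value = token.partition(":")
        terms.append((key, value) if sep else ("keyword", token))
    return terms


def in_date_range(day, spec):
    """from..to with either side optional: >= from and <= to (dates only)."""
    lo, _, hi = spec.partition("..")
    if lo and day < date.fromisoformat(lo):
        return False
    if hi and day > date.fromisoformat(hi):
        return False
    return True


def term_matches(inv, key, value):
    """Evaluate one term against one row, following the attribute table."""
    if key == "keyword":  # partial, case-insensitive match on names (assumed fields)
        hay = (inv["endpoint"]["hostname"] + " " + inv["identity"]["username"]).lower()
        return value.lower() in hay
    if key in DATE_ATTRS:
        return in_date_range(inv[key], value)
    if key == "id":
        return str(inv["id"]) == value
    if key == "endpoint":  # hostname, sensor ID, or Red Canary ID
        e = inv["endpoint"]
        return value in (e["hostname"], e["sensor_id"], str(e["rc_id"]))
    if key == "identity":  # username, UID, or Red Canary ID
        i = inv["identity"]
        return value in (i["username"], i["uid"], str(i["rc_id"]))
    if key == "result":
        return inv["result"] == value
    if key == "investigative_lead":
        return int(value) in inv["leads"]
    if key == "detection_analytic":
        return value in inv["detection_analytics"]
    if key == "resulting_threats":  # THREAT- prefix optional, | joins alternatives
        wanted = {int(v.removeprefix("THREAT-")) for v in value.split("|")}
        return bool(wanted & set(inv["resulting_threats"]))
    # Any other key is a reporting tag: * means tag present, ! means tag absent.
    if value == "*":
        return key in inv["tags"]
    if value == "!":
        return key not in inv["tags"]
    return inv["tags"].get(key) == value


def search(text, investigations=INVESTIGATIONS):
    """IDs of rows matching every term; multiple terms narrow with AND."""
    terms = parse_filter(text)
    return [inv["id"] for inv in investigations
            if all(term_matches(inv, k, v) for k, v in terms)]


if __name__ == "__main__":
    for query in ["admin", "result:no_threat_observed", "last_update:2025-09-21..",
                  '"Business Unit":!', "resulting_threats:123|456",
                  "detection_analytic:WIN-16HEX-EXE result:investigation"]:
        print(f"{query!r:60} -> {search(query)}")
```

    Note that the quoting works because shlex joins adjacent quoted pieces the way a shell does, so "Business Unit":"Headquarters" arrives as the single token Business Unit:Headquarters before the colon split; that is also why a tag key with a space must be quoted in the real search box.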

    Using the Filter Icon

    As an alternative to entering attributes manually in the Search with filters box, you can use the UI to create your filter attributes.

    1. Click the filter icon to show available options.

    2. Use the dropdowns and text boxes to define the filters.

    3. Click Apply Filters to build the filter string and apply it.
