Investigations
This document describes the functions on Incident Responder > Investigation. It explains how to manage investigations and carry out incident response processes.
You can find the investigations that have already been initiated on Incident Responder > Investigation. The table below provides a detailed explanation of the functions on this page.
Investigation name
The name of the initiated Investigation.
Trigger
Indicates how the investigation was initiated (e.g., Manual Investigation, Auto Investigation).
Status
The status information of the investigation. (E.g., Finished, Expired or Running)
Date Created
The date when the investigation was started.
Expiry Date
The date when the investigation was completed.
User Status
A summary of how many users the investigation has completed on and how many it has not.
Progress
This is the completion status of the investigation as a percentage. When it is completed, it is displayed as "Completed".
Action
Investigation details are available here. The investigation can be stopped with the “Stop Action ■” button.

How to Start an Investigation?

Auto Investigation

Click on Incident Responder > Investigation menu to access Auto Investigation and report details.
If the analysis result of an email in the Reported Emails is determined as malicious or phishing, an automatic investigation is launched to search for the email within all users’ inboxes. The administrator will then decide what to do with the next steps.
Auto Investigation starts automatically by default as a result of a malicious email analysis.
When an Auto investigation or Manual investigation is started, platform admins are informed about the details of the process via email.

Starting a Manual Investigation

Click the Incident Responder > Investigation menu to start Manual Investigation and access the report details.
With the Manual Investigation feature, platform administrators can detect suspicious emails within their employees' email boxes using the criteria in the table below. After detecting these suspicious emails, it is possible to delete the relevant emails from the users' email boxes or send a warning message to the users in order to prevent damage.
When the New button on the page is clicked to start a new investigation, the Start New Manual Investigation window appears, and you can start a Manual Investigation by filling in the fields described in the table below.
Investigation Name
The investigation name is set by, and visible only to, the administrator. If not changed, the investigation name defaults to the creation date.
Target Users
The user(s) the investigation will be started on are selected in this field.
With the All Users option, the investigation is started for all target users.
With the User Group option, the investigation is started for the selected target user groups.
With the Specific Users option, the investigation is started for the selected target users.
Search Criteria
Define the criteria for investigation. Emails matching any of the criteria will be found.
Email Date Range
The date range within which emails will be scanned.
Select Sources
You can specify the source(s) for the investigation.
Duration
You can determine how long the initiated investigation will be active.
Action
Defines the action taken when a matching email is detected. With the Notify user only option, a warning is sent for the emails found; the message text is set in the "Message" field. With the Move to trash option, the emails found are moved to the Trash.
With the Delete email option, the emails found are permanently deleted.
To start an investigation, you need one of the integrations in the Mail Configuration menu or the Phishing Reporter Desktop plugin installed.
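The matching and status rules described in the table above (date range narrowing the scan, criteria combined with OR as the FAQ states, the three statuses, the per-folder grouping and the limited set of fields an administrator sees) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not the product's own code, and the Email and Mailbox shapes, the (field, value) criterion form, the function names and the sample mailboxes are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of the Manual Investigation flow; schemas and names are assumptions.
FOLDERS = ("Inbox", "Junk", "Draft", "Sent", "Deleted Items", "Others")
# Per the FAQ, the administrator only sees these fields of a found email.
ADMIN_VISIBLE = ("subject", "to", "sender", "sender_name", "has_attachment")


@dataclass
class Email:
    folder: str
    subject: str
    sender: str
    sender_name: str
    to: str
    received: datetime
    has_attachment: bool
    body: str = ""          # present in the mailbox, never surfaced to the admin


@dataclass
class Mailbox:
    address: str
    source: str             # Outlook, O365, Exchange or Google Workspace
    online: bool
    emails: list


def criterion_matches(email, criterion):
    """A criterion is a (field, value) pair; assumed shape for this example."""
    kind, value = criterion
    if kind == "subject":
        return value.lower() in email.subject.lower()
    if kind == "sender":
        return email.sender.lower() == value.lower()
    if kind == "sender_name":
        return value.lower() in email.sender_name.lower()
    if kind == "attachment":
        return email.has_attachment == value
    raise ValueError(f"unknown criterion field: {kind}")


def email_is_hit(email, criteria, date_from, date_to):
    # The date range narrows the scan; criteria are combined with OR (FAQ).
    in_range = date_from <= email.received <= date_to
    return in_range and any(criterion_matches(email, c) for c in criteria)


def admin_view(email):
    return {name: getattr(email, name) for name in ADMIN_VISIBLE}


def apply_action(mailbox, email, action, message=None):
    if action == "Notify user only":
        return {"notified": mailbox.address, "message": message}
    if action == "Move to trash":
        email.folder = "Deleted Items"
        return {"moved": email.subject}
    if action == "Delete email":
        mailbox.emails.remove(email)
        return {"deleted": email.subject}
    raise ValueError(f"unknown action: {action}")


def investigation_status(unscanned_count, expiry, now):
    # Finished once every user is scanned; Expired if the duration runs out first.
    if unscanned_count == 0:
        return "Finished"
    return "Expired" if now >= expiry else "Running"


def run_investigation(mailboxes, criteria, date_from, date_to, action,
                      started, duration, now, message=None):
    expiry = started + duration
    report = {"folders": {f: 0 for f in FOLDERS}, "found_users": [],
              "unscanned": [], "hits": [], "actions": []}
    for mb in mailboxes:
        # Outlook Desktop users are scanned by the add-in, so offline ones wait (FAQ).
        if mb.source == "Outlook" and not mb.online:
            report["unscanned"].append(mb.address)
            continue
        hits = [e for e in mb.emails if email_is_hit(e, criteria, date_from, date_to)]
        if hits:
            report["found_users"].append(mb.address)
        for e in hits:
            report["folders"][e.folder if e.folder in FOLDERS else "Others"] += 1
            report["hits"].append(admin_view(e))          # counted before any move
            report["actions"].append(apply_action(mb, e, action, message))
    total, scanned = len(mailboxes), len(mailboxes) - len(report["unscanned"])
    report["status"] = investigation_status(len(report["unscanned"]), expiry, now)
    report["progress"] = "Completed" if scanned == total else round(100 * scanned / total)
    report["expiry"] = expiry
    return report


def demo(hours_elapsed=1, bob_online=False):
    # Constructed sample mailboxes; addresses and contents are made up.
    billing = ("billing@example.invalid", "Billing Dept")
    alice = Mailbox("alice@corp.example", "O365", True, [
        Email("Inbox", "Invoice overdue - action required", *billing, "alice@corp.example",
              datetime(2024, 3, 4, 9, 0), True, "click here to pay"),
        Email("Junk", "Password reset for your account", "noreply@example.invalid",
              "IT Helpdesk", "alice@corp.example", datetime(2024, 3, 5, 11, 0), False),
        Email("Inbox", "Lunch on Friday?", "carol@corp.example", "Carol",
              "alice@corp.example", datetime(2024, 3, 5, 12, 0), False),
        Email("Archive", "Invoice overdue", *billing, "alice@corp.example",
              datetime(2024, 1, 10, 8, 0), True),        # outside the date range
    ])
    bob = Mailbox("bob@corp.example", "Outlook", bob_online, [
        Email("Inbox", "Invoice overdue", *billing, "bob@corp.example",
              datetime(2024, 3, 4, 9, 5), True),
    ])
    dave = Mailbox("dave@corp.example", "Exchange", True, [
        Email("Projects", "Invoice overdue", *billing, "dave@corp.example",
              datetime(2024, 3, 4, 9, 7), True),         # custom folder, counted as Others
    ])
    criteria = [("sender", "billing@example.invalid"), ("subject", "password reset")]
    started = datetime(2024, 3, 7, 10, 0)
    return run_investigation([alice, bob, dave], criteria, datetime(2024, 3, 1),
                             datetime(2024, 3, 7), "Move to trash", started,
                             timedelta(hours=24), started + timedelta(hours=hours_elapsed))
```

Running demo() with the offline Outlook user leaves the investigation in Running status at 67% progress; demo(hours_elapsed=25) shows the same scan reaching Expired, and demo(bob_online=True) shows it reaching Finished with progress "Completed". The hits list never contains the body field, mirroring the FAQ's limit on what an administrator can see.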

Investigation Detail Page

We will explain the Details function in the Action menu on Incident Responder > Investigation. By clicking the Details button, you can access the details of an Investigation already initiated.
After completing the steps of the Manual Investigation initialization process, you will be directed to the “Investigation Details” page. You can view the investigation details from this area. Widgets and mail details are displayed here.
Information summarizing the Investigation process can be viewed from the Widgets section.
The details are outlined in the table below.
Investigation Status
There are 3 different investigation statuses:
1- Running: the investigation that has been started is still in progress.
2- Finished: the investigation was completed for all users within the set time period.
3- Expired: the time set for the investigation has run out.
Users (Could not be scanned)
The number of users on whom the investigation could not be performed, for any reason.
Scanned Users
The total number of users on whom the investigation was launched.
Emails Scanned
The total number of emails the investigation scanned.
Duplicate
It allows an easy way to copy and recreate the investigation criteria.
On the left side of the Investigation Details page, you can see which folder contained the detected emails that met the search parameters. The table below includes a description of each folder's purpose.
Expiry Time
Indicates the interval during which the investigation runs and the date on which it ends.
Found Users
Shows in detail which users the investigation was carried out on, its progress, and how many user inboxes were searched.
Folders
Under the Folders field, there are Inbox, Junk, Draft, Sent, Deleted Items and Others fields.
Inbox
The email that is detected in the users’ inbox after the scan.
Junk
The email that is detected in the users’ junk box after the scan.
Draft
The email that is detected in the users’ email draft after the scan.
Sent
The email that is detected in the users’ sent box after the scan.
Deleted Items
The email that is detected in the users’ deleted items after the scan.
Others
The email that is detected in the users’ other custom folders after the scan.
Stored
The email that is detected in the Veritas Enterprise Vault after the scan.
The fields in Found Users on the left menu of the report page are described in the table below.
Email
The email addresses of the users who were investigated.
User Status
The user's online or offline status information.
Duration
The information on the length of time it took to scan the user's email.
Last Seen
The last time the user was active on the platform.
Scan Status
Whether the investigation on this user is continuing, completed or stopped.
Source
The information on which source (Outlook, O365, Exchange or Google Workspace) the investigation was made.
Progress
The total number of emails detected in the selected time period and how many of them have been scanned.

Start an Investigation via a Reported Email

This section explains how you can easily search for any of the suspicious emails reported to the system in the Incident Responder menu. In the left menu, go to Incident Responder > Reported Emails.
After clicking the three dots (“︙”) under the Actions column, click the Investigate button to start an investigation for the reported email.

FAQ

Q: Do the criteria set when starting the investigation work with AND or OR logic among themselves?

A: The criteria are combined with OR.

Q: Can Investigation be started on all sources at the same time?

A: Yes, Investigation can be launched on Outlook, O365, Exchange, Google Workspace and Phishing Reporter Outlook Desktop users at the same time.

Q: What happens if the scope of the Investigation is large and is not completed within the specified time frame?

A: The status of the investigation will be Expired. However, if the investigation is completed within the specified time frame, the status will be Finished.

Q: What happens to the progress of Investigation if the user that the investigation was made on goes offline while the investigation is being done on the Outlook source?

A: If the relevant user becomes online again, the investigation continues from where it left off.

Q: Can I read emails in the mailbox of a user while I am doing an investigation?

A: No, you cannot. Platform administrators are only able to see the Subject, To, From, Sender Name and whether the relevant email has an Attachment in the details of their investigations.

Q: Can emails that are permanently deleted be restored?

A: Emails that are permanently deleted can be recovered from the "Recover Deleted Items" menu in Outlook within 14 days.

Q: How can I view the logs related to this module?

A: All logs of xxx log type can be accessed in the Audit menu.

Q: Can Investigation be started for Outlook Desktop users that are 'offline'?

A: No, the investigation cannot be started because the add-in will be closed when Outlook is closed. In order for Investigation to start, the user's Outlook account must be active and the add-in must be running.