Copyright © Keepnet Labs LTD. All rights reserved.

Investigations

This document displays the functions on Incident Responder > Investigation. Users will learn how to handle Investigations and carry out Incident Response processes.

You can find the investigations that have already been initiated on Incident Responder > Investigation. The table below provides a detailed explanation of the functions on this page.

  • Investigation name: The name of the initiated Investigation.
  • Trigger: Indicates how the Investigation was initiated (e.g., Manual Investigation, Auto Investigation).
  • Status: The status of the investigation. Investigations can be filtered by status (e.g., Finished, Expired or Running).
  • Date Created: The date when the investigation was started.
  • Expiry Date: The date when the investigation was completed.
  • Scan Status: A summary of how many users the investigation completed on and how many it did not.
  • Progress: The completion status of the investigation as a percentage. When it is finished, "Completed" is displayed.
  • Action: Investigation details are available here. The investigation can be stopped with the “Stop Action ■” button.

How to Start an Investigation?

Auto Investigation

Click on Incident Responder > Investigation menu to access Auto Investigation and report details.

If the analysis result of an email in the Reported Emails is determined as Malicious or Phishing, an automatic investigation is launched to search for the email within all users’ inboxes. The administrator will then decide what to do with the next steps.

Auto Investigation starts automatically by default as a result of a malicious email analysis.

When an Auto investigation or Manual investigation is started, platform admins are informed about the details of the process via email.

Starting a Manual Investigation

Click the Incident Responder > Investigation menu to start Manual Investigation and access the report details.

With the Manual Investigation feature, platform administrators can detect suspicious emails within their employees' email boxes using the criteria in the table below. After detecting these suspicious emails, it is possible to delete the relevant emails from the users' email boxes or send a warning message to the users in order to prevent damage.

When you click the New button on the page to start a new Investigation, the Start New Manual Investigation window appears; fill in the information described in the table below to start the Manual Investigation.

  • Investigation Name: The name is set by and only visible to the administrator. If not changed, the investigation name defaults to the creation date.
  • Target Users: The user(s) the investigation will be run on are chosen in this field.
    • All Users: The investigation is started for all target users who have installed the suspicious email reporter add-in.
    • User Group: The investigation is started on selected target user groups.
    • Specific Users: The investigation is started on specific target users.
  • Email Date Range: The date range within which emails will be scanned.
  • Select Sources: The source(s) the investigation will search.
  • Duration: How long the initiated investigation will remain active.
  • Action: The action to take when a matching email is detected.
    • Notify user only: A warning label is sent for the emails found; the message to be sent is set in the "Message" field.
    • Move to trash: Emails found are moved to the Trash.
    • Delete email: Emails found are permanently deleted.

Please click the Next button to set up the filters. First, select either AND or OR criteria, and then choose the filters. Emails that match the selected filters will be listed in the investigation report.

  • AND / OR: Select which option you wish to start the investigation with.
  • Filters: Add any of the following conditions:

Header:

  • Subject: Search based on the email's subject line.

  • From: Search based on the email's sender or "from" address.

  • To: Search based on the email's recipient(s).

  • CC: Search based on email addresses in the CC field.

  • BCC: Search based on email addresses in the BCC field.

  • Sender Name: Search based on the name of the sender.

  • IP Address: Search based on the sender's IP address.

Body:

  • Keyword: Search for specific words or phrases in the email body.

  • URL: Search for specific web addresses or URLs in the email body.

  • Regex: Use regular expressions to define complex search patterns in the email body.

Attachment:

  • File Name: Search for emails with specific attachment file names.

  • File Size: Search for emails with attachments of a particular size.

  • File Extension: Search for emails with attachments of specific file types (e.g. .pdf, .html, .mp4).

  • SHA512: Search for emails with attachments that have a specific SHA-512 hash value.

  • MD5: Search for emails with attachments that have a specific MD5 hash value.
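As an added illustration (not Keepnet code) of how the filter fields above and the AND / OR choice combine, the following Python models a manual investigation run over a constructed sample mailbox. Only the field names come from this page; the classes, matching rules and sample data are assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Attachment:
    name: str
    data: bytes

    @property
    def extension(self) -> str:
        # ".pdf" for "invoice.pdf"; empty string when there is no extension
        return "." + self.name.rsplit(".", 1)[-1].lower() if "." in self.name else ""


@dataclass
class Email:
    subject: str
    sender: str
    recipients: list
    body: str
    attachments: list = field(default_factory=list)


def match_condition(email: Email, cond: tuple) -> bool:
    """Evaluate one filter; `cond` is (field name as listed on this page, value)."""
    kind, value = cond
    if kind == "Subject":
        return value.lower() in email.subject.lower()
    if kind == "From":
        return value.lower() == email.sender.lower()
    if kind == "Keyword":            # body only, not the subject line
        return value.lower() in email.body.lower()
    if kind == "URL":
        return value in email.body
    if kind == "Regex":
        return re.search(value, email.body) is not None
    if kind == "File Name":
        return any(a.name == value for a in email.attachments)
    if kind == "File Extension":
        return any(a.extension == value.lower() for a in email.attachments)
    if kind in ("SHA512", "MD5"):    # hash of the attachment bytes, hex-encoded
        algo = hashlib.sha512 if kind == "SHA512" else hashlib.md5
        return any(algo(a.data).hexdigest() == value.lower() for a in email.attachments)
    raise ValueError(f"unknown filter field: {kind}")


def investigate(mailbox, conditions, operator="AND"):
    """Return emails matching all (AND) or at least one (OR) of the conditions."""
    combine = all if operator == "AND" else any
    return [m for m in mailbox if combine(match_condition(m, c) for c in conditions)]


# Constructed sample mailbox and attachment bytes (not real traffic).
LURE = b"%PDF-1.4 constructed sample attachment"
LURE_MD5 = hashlib.md5(LURE).hexdigest()
MAILBOX = [
    Email("Invoice overdue", "billing@example.invalid", ["alice@corp.invalid"],
          "Pay now at http://pay.example.invalid/login", [Attachment("invoice.pdf", LURE)]),
    Email("Team lunch", "bob@corp.invalid", ["alice@corp.invalid"], "Pizza on Friday?"),
    Email("Invoice overdue", "hr@corp.invalid", ["alice@corp.invalid"], "Reminder: submit expenses."),
]
```

With AND, the subject and URL filters together return only the first message; with OR, the third message (matching subject only) is returned as well.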

Investigation Detail Page

We will explain the Details function in the Action menu on Incident Responder > Investigation. By clicking the Details button, you can access the details of an Investigation already initiated.

After completing the steps of the Manual Investigation initialization process, you will be directed to the “Investigation Details” page. You can view the investigation details from this area. Widgets and mail details are displayed here.

Information summarizing the Investigation process can be viewed from the Widgets section.

The details are outlined in the table below.

  • Investigation Status: There are three investigation statuses.
    • Running: The Investigation that has been started is still in progress.
    • Finished: The investigation completed for all users within the set period of time.
    • Expired: The time set for the investigation has run out.
  • Users (Could not be scanned): The number of users on whom the Investigation could not be carried out, for any reason.
  • Scanned Users: The total number of users on whom the Investigation was launched.
  • Emails Scanned: The total number of emails the Investigation was launched on and scanned.
  • Duplicate: An easy way to copy the investigation criteria and recreate the investigation.

On the left side of the Investigation Details page, you can see which folder contained the detected emails that met the search parameters. The table below includes a description of each folder's purpose.

  • Expiry Time: Indicates the interval in which the investigation runs and the date on which it ends. The date comes from the Duration setting, which the admin can change before starting an investigation.
  • Found Users: Detailed information and progress on which users the investigation was carried out on and how many user inboxes were searched.
  • Folders: Under the Folders field there are Inbox, Junk, Draft, Sent, Deleted Items, Others and Stored fields.
    • Inbox: Emails detected in the users’ inbox after the scan.
    • Junk: Emails detected in the users’ junk folder after the scan.
    • Draft: Emails detected in the users’ drafts after the scan.
    • Sent: Emails detected in the users’ sent items after the scan.
    • Deleted Items: Emails detected in the users’ deleted items after the scan.
    • Others: Emails detected in the users’ other custom folders after the scan.
    • Stored: Emails detected in the Veritas Enterprise Vault after the scan.

The fields in Found Users on the left menu of the report page are described in detail in the table below.

  • Owner: The owner of the mailbox in which the incident was found.
  • From: The email address of the sender of the reported email.
  • To: The email address of the receiver of the reported email.
  • Sender Name: The name of the sender of the reported email.
  • Subject: The subject of the reported email.
  • Attachment: Indicates whether the reported email includes an attachment.
  • Source: The source (Outlook, O365, Exchange or Google Workspace) on which the investigation was made.
  • Filter: Indicates whether one or more of your search criteria were met.
  • Status: The status of the reported email.
  • Trash Can (Actions): Deletes the reported email from the user's inbox.
  • Warning Sign (Actions): Sends the user a warning message about the reported email.

Start an Investigation through/via a Reported Email

This section explains how you can easily search for any of the suspicious emails reported to the system in the Incident Responder menu. In the left menu, go to Incident Responder > Reported Emails.

After clicking the three dots (“︙”) under Actions, click the Investigate button to start an investigation for the reported email. The platform automatically extracts the fields from the reported email's analysis results and fills them into the investigation filters, so you don't need to set them manually.

Video Tutorial

This tutorial explains the functions on Incident Responder > Investigation. Users will learn how to handle Investigations and carry out Incident Response processes.

FAQ

Q: Which operator (AND / OR) logic do the criteria (determined when starting the investigation) work among themselves?

A: The criteria work with either AND or OR logic; both options are supported.

Q: Can an Investigation be started on all sources at the same time?

A: Yes, Investigation can be launched on Outlook, O365, Exchange, Google Workspace and Phishing Reporter Outlook Desktop users at the same time.

Q: What happens if the scope of the Investigation is large and is not completed within the specified time frame?

A: The status of the Investigation will be Expired. However, if the Investigation is completed within the specified time frame, the status will be Finished.

Q: What happens to the progress of Investigation if the user that the investigation was made on goes offline while the investigation is being done on the Outlook source?

A: If the relevant user becomes online again, the investigation continues from where it left off.

Q: Can I read emails in the mailbox of a user while I am doing an investigation?

A: No, you cannot. Platform administrators are only able to see the Subject, To, From, Sender Name and whether the relevant email has an Attachment in the details of their investigations.

Q: Can emails that are permanently deleted be restored?

A: Emails that are permanently deleted can be recovered from the "Recover Deleted Items" menu in Outlook within 14 days.

Q: How can I view the logs related to this product?

A: All logs can be accessed in the Audit menu.

Q: Can Investigation be started for Outlook Desktop users that are 'offline'?

A: No, the investigation cannot be started because the add-in will be closed when Outlook is closed. In order for Investigation to start, the user's Outlook account must be active and the add-in must be running.

Last updated 1 month ago

To start an Investigation, you need one of the integrations in the menu (see Mail Configuration), or you need the plugin installed (see Phishing Reporter Desktop).