Get Demo

Investigations

This document displays the functions on Incident Responder > Investigation. Users will learn how to handle Investigations and carry out Incident Response processes.

You can find the investigations that have already been initiated on Incident Responder > Investigation. The table below provides a detailed explanation of the functions on this page.

How to Start an Investigation?

Auto Investigation

Click on Incident Responder > Investigation menu to access Auto Investigation and report details.

If the analysis result of an email in the Reported Emails is determined as Malicious or Phishing, an automatic investigation is launched to search for the email within all users’ inboxes. The administrator will then decide what to do with the next steps.

Auto Investigation starts automatically by default as a result of a malicious email analysis.

When an Auto investigation or Manual investigation is started, platform admins are informed about the details of the process via email.

Starting a Manual Investigation

Click the Incident Responder > Investigation menu to start Manual Investigation and access the report details.

With the Manual Investigation feature, platform administrators can detect suspicious emails within their employees' email boxes using the criteria in the table below. After detecting these suspicious emails, it is possible to delete the relevant emails from the users' email boxes or send a warning message to the users in order to prevent damage.

When the New button on the page is clicked to start a new Investigation, the Start New Manual Investigation window appears on the screen and you can start Manual Investigation by filling in the information in the table below.

Please click the Next button to set up the filters. First, select either AND or OR criteria, and then choose the filters. Emails that match the selected filters will be listed in the investigation report.

To start an Investigation, you need one of the integrations in the Mail Configuration menu, or you need the Phishing Reporter Desktop plugin installed.

Investigation Detail Page

We will explain the Details function in the Action menu on Incident Responder > Investigation. By clicking the Details button, you can access the details of an Investigation already initiated.

After completing the steps of the Manual Investigation initialization process, you will be directed to the “Investigation Details” page. You can view the investigation details from this area. Widgets and mail details are displayed here.

Information summarizing the Investigation process can be viewed from the Widgets section.

The details are outlined in the table below.

On the left side of the Investigation Details page, you can see which folder contained the detected emails that met the search parameters. The table below includes a description of each folder's purpose.

The details of the fields in Found Users on the left menu of the report page is described in detail in the table below.

Start an Investigation through/via a Reported Email

This section explains how you can easily search for any of the suspicious emails reported to the system in the Incident Responder menu. In the left menu, go to Incident Responder > Reported Emails.

After clicking on the three dots (“︙”) under the Actions, click on the Investigate button and you can start an investigation for the reported emails. The platform automatically extracts the fields from the reported email's analysis results and defines them in the investigation filters, so you don't need to set them manually.

Video Tutorial

This tutorial explains the functions on Incident Responder > Investigation. Users will learn how to handle Investigations and carry out Incident Response processes.

FAQ

Q: Which operator (AND / OR) logic do the criteria (determined when starting the investigation) work among themselves?

A: The criteria works with either AND/OR logic, both options are supported.

Q: Can an Investigation be started on all sources at the same time?

A: Yes, Investigation can be launched on Outlook, O365, Exchange, Google Workspace and Phishing Reporter Outlook Desktop users at the same time.

Q: What happens if the scope of the Investigation is large and is not completed within the specified time frame?

A: The status of the Investigation will be Expired. However if the Investigation is completed within the specified time frame, the status will be Finished.

Q: What happens to the progress of Investigation if the user that the investigation was made on goes offline while the investigation is being done on the Outlook source?

A: If the relevant user becomes online again, the investigation continues from where it left off.

Q: Can I read emails in the mailbox of a user while I am doing an investigation?

A: No, you cannot. Platform administrators are only able to see the Subject, To, From, Sender Name and whether the relevant email has an Attachment in the details of their investigations.

Q: Can emails that are permanently deleted be restored?

A: Emails that are permanently deteled can be recovered from the "Recover Deleted Items" menu on Outlook within 14 days.

Q: How can I view the logs related to this product?

A: All logs can be accessed in the Audit menu.

Q: Can Investigation be started for Outlook Desktop users that are 'offline'?

A: No, the investigation cannot be started because the add-in will be closed when Outlook is closed. In order for Investigation to start, the user's Outlook account must be active and the add-in must be running.

PreviousIncident Responder DashboardNextIntegrations

Last updated

Copyright © Keepnet Labs LTD. All rights reserved.