Starting a Manual Incident Investigation
With the Manual Investigation feature, you can start an investigation using various filtering options. Based on the criteria you select, you can find out whether other users have a suspicious email in their inboxes.
The Incident Responder has an in-depth investigation process that takes less than a minute to find the suspicious emails.
To start a manual investigation, click the Incident Responder > New Investigation button.
Once you click the New Investigation button, you are taken to the Incident Investigation page.
When you press the Add a Filter button, you can customise your investigation query by filtering on any criteria that may appear in the header, body, or attachment information of an email, such as IP, from, to, URL, hash, and so on. See the picture below.
After you investigate the suspicious content in the users' inboxes according to the filters you have chosen, you will see whether any other users have the same suspicious email.
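As an added illustration (not the product's code or API), the following Python example shows how the filter criteria named above (from, to, IP, URL, attachment hash) can be extracted from a message and matched across users' inboxes. The mailboxes, addresses and function names are constructed for the example, and combining several filters with AND is an assumption.

```python
import hashlib
import re
from email import message_from_string, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def addrs(header):
    return {a.addr_spec.lower() for a in header.addresses} if header else set()

def indicators(raw):
    """Collect the values a filter can match: from, to, ip, url, hash."""
    msg = message_from_string(raw, policy=policy.default)
    ind = {"from": addrs(msg["From"]), "to": addrs(msg["To"]),
           "ip": set(), "url": set(), "hash": set()}
    for received in msg.get_all("Received", []):
        ind["ip"].update(IP_RE.findall(str(received)))
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            ind["hash"].add(hashlib.sha256(data).hexdigest())  # SHA-256 of decoded bytes
        elif part.get_content_maintype() == "text":
            ind["url"].update(u.lower() for u in URL_RE.findall(part.get_content()))
    return ind

def matches(raw, filters):
    ind = indicators(raw)
    return all(v.lower() in ind[k] for k, v in filters.items())  # AND: an assumption

def investigate(mailboxes, filters):
    return sorted(u for u, box in mailboxes.items() if any(matches(r, filters) for r in box))

def sample(to, url, attachment=None):
    """Build a constructed test message; every name and value is made up."""
    m = EmailMessage()
    m["From"] = "Billing <billing@example.test>"
    m["To"] = to
    m["Received"] = "from mail.example.test ([203.0.113.7]) by mx.example.test"
    m.set_content(f"Pay your invoice at {url}\n")
    if attachment:
        m.add_attachment(attachment, maintype="application", subtype="octet-stream")
    return m.as_string()

MAILBOXES = {  # constructed inboxes, keyed by user
    "alice": [sample("alice@corp.test", "http://pay.example.test/inv", b"constructed")],
    "bob": [sample("bob@corp.test", "http://pay.example.test/inv")],
    "carol": [sample("carol@corp.test", "https://intranet.corp.test/news")],
}
```

Calling `investigate(MAILBOXES, {"url": "http://pay.example.test/inv"})` returns the users whose inbox contains a message with that URL in its body.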
After you have detected a suspicious email within the inboxes of other users, you can proceed in one of two ways:
You can delete the suspicious email from the users' inboxes with one click.
You can send a warning message that this email is malicious.
After sending a warning message that the email is malicious, a message such as the following is delivered to the users.