Manually Assign and Remove Indicators from Investigations

You can assign an indicator to only one investigation at a time. To assign an indicator that already belongs to an investigation to a different investigation, you must first move it or remove it from the first investigation.

You can assign indicators to investigations only if the indicators have not been excluded previously with a deletion rule. See Delete Indicators Manually.

Create a New Investigation That Contains One or More Indicators

  • In the top menu, select Indicators. Select the check boxes for the indicators with the status Pending that you want to assign to the new investigation.

  • In the toolbar, select Investigate indicator, or right-click the indicator to open its context menu and select the Investigate indicator option. A new investigation is created with an automatically generated name, and the selected indicators are assigned to it.

Or

  • Select the check boxes for the indicators with the status Pending that you want to assign to the new investigation.

  • Click the context menu icon next to the check box, or right-click the indicator to open a drop-down menu. Select Investigate indicator.

Add Indicators to an Existing Investigation

  • In the top menu, select Indicators. Select the check boxes for the indicators with the status Pending that you want to assign to the existing investigation.

  • In the toolbar, select Add to existing investigation, or right-click the indicator to open its context menu and select the Add to existing investigation option.

  • A dialog box opens that shows a list of all investigations created and a search box you can use to find investigations according to the content of the columns in the list:

    • ID: Internal identifier of the investigation.

    • Name: Name of the investigation assigned by the analyst.

    • Status: Status of the investigation. See Format of an Investigation Tile.

    • Classification: Classification of the investigation. See Format of an Investigation Tile.

    • Assigned to: Analysis console user account to which the investigation is assigned.

  • Select the check box for the investigation to which you want to assign the indicator. Click OK.

Or

  • Select the check boxes for the indicators with the status Pending that you want to assign to the investigation.

  • Click the context menu icon next to the check box, or right-click the indicator to open a drop-down menu. Select Add to existing investigation.

After you assign a Pending indicator to an investigation, the indicator status changes to In progress and stays that way until it is closed, at which point the status changes to Closed.

Unassign Indicators from an Investigation

An analyst can unassign indicators from the list of indicators or from the investigation to which the indicator is assigned.

In the Indicators panel, select the check boxes for the indicators you want to remove. Click Remove from this investigation. You can also select this option by right-clicking an indicator to show its context menu.

Move Indicators Between Investigations

When you move an indicator, you unassign it from an investigation and assign it to another one. This process is done in a single step:

  • In the top menu, select Investigations. Select the investigation whose indicator you want to move.

  • In the Indicators panel, select the check boxes next to the indicators you want to move. In the toolbar, select Move to another investigation. You can also select this option by right-clicking an indicator to show its context menu.

  • A dialog box opens that shows a list of all investigations created and a search box you can use to find investigations according to the content of the columns in the list:

    • ID: Internal identifier of the investigation.

    • Name: Name of the investigation assigned by the analyst.

    • Status: Status of the investigation. See Format of an Investigation Tile.

    • Assigned to: Analysis console user account to which the investigation is assigned.

  • Select the target investigation. Click OK.

Move Indicators from an Existing Investigation to a New Investigation

If an analyst does not want to unassign an indicator before assigning it to a new investigation, they can create a new investigation and move the indicator in one step:

  • In the top menu, select Investigations. Select the investigation that contains the indicator you want to assign. Alternatively, in the top menu, select Indicators. In the side panel, select In progress. A page opens that shows all indicators that are assigned to investigations.

  • In the Indicators panel, select the check boxes for the indicators that you want to add to a new investigation. In the toolbar, select Add to new investigation. You can also select this option by right-clicking an indicator to show its context menu. A new investigation is created and all selected indicators are automatically assigned to it.