Investigations overview
Investigations are containers that organize your search queries, results, pivots, notes, and collaboration. Each investigation maintains a complete history of your analysis, making it easy to track your work and share findings with your team.
What is an investigation?
An investigation automatically starts when you begin a search in Iris Investigate. It contains:
- Search history: A graph of all searches and pivots performed
- Search nodes: Individual search queries with their results
- Annotations: Notes and importance markers on search nodes
- Tags: Labels applied to domains for categorization
- Collaboration settings: Sharing permissions with your group
Investigation lifecycle
Automatic creation
When you execute your first search, Iris Investigate automatically creates an investigation. You don't need to manually create or name investigations—they're created on demand.
Active investigation
Your active investigation appears in the Product Menu with:
- Investigation name (editable)
- Creation date
- Last modified date
- Sharing status
Investigation list
Access all your investigations from the Product Menu:
- Your investigations: Investigations you created
- Investigations shared with you: Investigations other group members shared
Key features
Search history graph
Navigate your investigation with a visual graph that shows:
- All search nodes and their connections
- Your current position in the investigation
- Branches representing different investigation paths
- Annotations and importance markers
For details, see Search History.
Collaboration
Share investigations with your group to enable:
- Team-based analysis
- Knowledge sharing
- Coordinated investigations
- Peer review
For details, see Collaboration.
Tags and annotations
Organize and document your findings with:
- Domain tags for categorization
- Search notes for context
- Importance markers for key findings
- Descriptions for investigations
Product menu
Access investigation management from the Product Menu (upper left corner).

The Product Menu provides:
- Create Investigation: Start a new investigation
- Open Investigation: Access existing investigations
- Edit Investigation: Modify name, description, and sharing
- Ad-hoc Search: Quick search without affecting current investigation
- Layout Options: Adjust panel arrangement
- Settings: Configure Iris Investigate preferences
- Tag Manager: Manage domain tags across investigations
- Return to Home: Navigate to the Iris Investigate landing page
Investigation management
Create a new investigation
- Open the Product Menu.
- Select Create Investigation.
- Enter a name and description (optional).
- Begin searching.
Edit investigation details
- Open the Product Menu.
- Hover over your active investigation.
- Select Edit Investigation.
- Update:
  - Investigation name
  - Description
  - Sharing permissions
- Select Save.
Delete an investigation
- Open the Product Menu.
- Locate the investigation in your list.
- Select the delete icon.
- Confirm deletion.
Warning: Once you delete an investigation, you can't recover it.
Best practices
Name your investigations
Give investigations descriptive names that indicate:
- The target or subject (for example, "Phishing Campaign - Q1 2024")
- The investigation type (for example, "Infrastructure Analysis")
- The case or ticket number (for example, "INC-12345")
Add descriptions
Use the description field to document:
- Investigation objectives
- Key findings
- Related investigations
- Status updates
Use branches strategically
Create new branches to:
- Explore alternative hypotheses
- Separate different aspects of an investigation
- Organize complex investigations
- Test different search strategies
Regular cleanup
Periodically review and delete:
- Completed investigations
- Test investigations
- Duplicate investigations
Next steps
- Search History: Navigate and annotate your investigation
- Collaboration: Share investigations and export results
- Tagging Domains: Organize findings with tags