Re: Automatically linking between New investigation to alert entity

Idanar · Posted 12-18-2022 02:55 AM

Dear community,

There is a way, as an administrator in visual investigator (10.8) to create an automated process that when a user (investigator) starts an investigation it will automatically be related to the entity he just working on?

Right now the user is:

1. Opens an alert

2. Select "start investigation" disposition

3. after saving the case has been opened and needed to be related manually to an object.

4. Search the entity he wants the case to be related to.

5. click save.

It seems that it could be another way, much easier, to do so...any ideas?

Thanks!

_austin_ · Posted 12-20-2022 12:23 AM

Hello,

The current behavior of a disposition that creates an investigation (or links to an existing investigation) is to create a link between the investigation and the subject of the alert, and not a link from the investigation to the alert object itself. The rationale was that the investigator is investigating *the subject*, not just the information identified in the alert and that is the relationship that matters when looking at the network. There is a link between the alert and the subject so you can traverse from the case to the alert if you need to.

That was the guidance provided by product management at the time. You are not the first person to expect a link between the investigation and the alert, and there is a story in the background to add the flexibility you are asking for.

Best regards

Idanar · Posted 12-20-2022 01:54 AM

Thanks for the answer @_austin_

Best regards

Automatically linking between New investigation to alert entity

Re: Automatically linking between New investigation to alert entity

Re: Automatically linking between New investigation to alert entity

Read the Report