Threat Investigation
Defend's investigation workspace gives analysts full visibility into what happened on an endpoint — process relationships, event timelines, network connections, and lateral movement — all within a single four-tab interface.
Opening an Investigation
Click any detection or alert in the dashboard to open the investigation workspace. The workspace loads all relevant telemetry from ADX for the ±30-minute window around the detection.
Process Tree
The process tree shows parent-child process relationships at the time of detection:
- Root process at the top (typically explorer.exe or a service)
- Child processes branching downward with full command lines
- Highlighted node — The process that triggered the detection
- IOC indicators — Red badges on processes with known-bad hashes or network connections to malicious IPs
The tree answers the critical question: How did this process get launched? Trace from the suspicious process up through its parent chain to understand the initial execution vector.
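The parent-chain walk the tree performs, as an added example that is not Defend's own code: it reconstructs the ancestry of a detected process from constructed process-create events and marks nodes whose hash matches a known-bad indicator. The event fields, the sample telemetry and the IOC hash list are assumptions, not the product's schema.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str

# Constructed sample process-create events for one endpoint (placeholder hashes).
EVENTS = [
    ProcessEvent(1000, 0, "explorer.exe", "explorer.exe", "HASH_EXPLORER"),
    ProcessEvent(2210, 1000, "EXCEL.EXE", "EXCEL.EXE invoice.xlsm", "HASH_EXCEL"),
    ProcessEvent(2388, 2210, "powershell.exe", "powershell.exe -enc BASE64_PLACEHOLDER", "HASH_PS"),
    ProcessEvent(2402, 2388, "payload.exe", "C:\\Users\\Public\\payload.exe", "HASH_PAYLOAD"),
    ProcessEvent(1200, 1000, "notepad.exe", "notepad.exe", "HASH_NOTEPAD"),
]

# Constructed IOC list: hashes the workspace would flag with a red badge.
KNOWN_BAD_HASHES = {"HASH_PAYLOAD"}

def parent_chain(events, pid):
    """Walk from pid up through its parents; returns root -> ... -> pid, stopping at a missing parent or a pid cycle."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain[::-1]

def ioc_pids(events, bad_hashes=KNOWN_BAD_HASHES):
    """pids whose image hash is a known-bad indicator."""
    return {e.pid for e in events if e.sha256 in bad_hashes}

def render_chain(events, detected_pid):
    """Indented text view of the detected process's ancestry with IOC badges."""
    badges = ioc_pids(events)
    out = []
    for depth, e in enumerate(parent_chain(events, detected_pid)):
        badge = " [IOC]" if e.pid in badges else ""
        mark = " <-- detection" if e.pid == detected_pid else ""
        out.append(f"{'  ' * depth}{e.image} (pid {e.pid}): {e.cmdline}{badge}{mark}")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_chain(EVENTS, 2402))
```

Reused pids and a parent that left the telemetry window are the two cases the walk guards against; in both it stops rather than looping or raising.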
Event Timeline
The timeline displays a chronological sequence of all events on the device ±30 minutes around the detection:
- Process events — Create, terminate, with command lines and hashes
- Network events — Connections, DNS queries, data transfers with destination IPs and ports
- File events — Files created, modified, deleted, or renamed with full paths
- Registry events — Keys and values created or modified (Windows only)
Events are color-coded by type and filterable. Click any event to see its full attributes.
Lateral Movement Graph
The lateral movement tab visualizes connections between the affected device and other devices in your fleet:
- RDP connections (T1021.001) — Remote Desktop sessions
- PSExec/SMB (T1021.002) — Administrative share access
- SSH (T1021.004) — Secure shell connections
- WinRM (T1021.005) — Windows Remote Management
- DCOM (T1021.003) — Distributed COM calls
Each connection shows direction, timestamp, and user context. This quickly reveals whether an attacker has moved from the initial compromised device to others.
AI Attack Narrative
Jarvis generates a plain-English summary of the attack sequence:
"At 14:32 UTC, user jsmith opened a malicious Excel attachment (T1204.002) which spawned PowerShell (T1059.001) with an encoded command. PowerShell downloaded a payload from 185.x.x.x (T1105) and established persistence via a scheduled task (T1053.005). The payload then enumerated domain users (T1087.002) and attempted lateral movement via SMB to FILESERVER01 (T1021.002)."
The narrative maps each step to MITRE ATT&CK techniques and links to the relevant events in the timeline.
Investigation Actions
From the investigation workspace you can:
Triage
- True Positive — Confirmed threat, proceeds to response
- False Positive — Mark and provide feedback to improve future detection
- Under Investigation — Keeps the case open for further analysis
Respond
- Take any of the 10 response actions directly from the investigation
- Actions are logged in the response audit trail
Escalate
- Create PSA ticket — Opens a security incident ticket with detection details pre-filled
- Page On-Call — Sends an immediate page to the on-call rotation for critical issues
Collaborate
- Add investigation notes — Free-text notes for team handoff
- Assign analyst — Route the investigation to a specific team member
Hunting
Beyond investigating individual detections, Defend supports proactive threat hunting:
- Custom KQL queries — Write queries against the full ADX telemetry dataset
- Saved hunts — Save and name frequently used hunting queries
- Scheduled hunts — Run hunts on a recurring schedule and alert on new matches
- Hunt templates — Pre-built hunting queries for common threat scenarios
Next Steps
- Response Actions — Taking action on investigated threats
- Detection Rules — Creating custom rules from hunting discoveries
- Behavioral AI — Understanding anomaly scores in investigations