Investigate Pane Overview
The Investigate Pane in the SenseOn platform is the primary workspace for reviewing, analysing, and responding to security cases. Designed to streamline investigation workflows, it offers case management tools, detailed timelines, contextual visualisations, and actionable response options—all in one place.
Key Functions of the Investigate Pane
The pane is divided into several functional areas to help you understand threats quickly and take effective action:
1. Case Management
Efficiently track and manage the lifecycle of each case:
-
Case Prioritisation
High and critical scoring cases are automatically prioritised and surfaced, ensuring attention is focused where it’s needed most. -
Case States
Update the status of cases as investigations progress, which helps tracking key metrics such as MTTR: Open: Default state for new cases.In Progress: Case is actively being worked on.In Review: Case is under peer or managerial review.-
Closed: Case has been resolved. -
Outcome Categorisation
When closing a case, assign an outcome to assist with metrics and model tuning: True Positive: Confirmed malicious.Benign True Positive: Unusual but not malicious.-
False Positive: No actual threat. -
Investigation Notes
Add comments or notes to document your findings, decisions, or handover context.
2. Case Investigation Workflow
Investigate incidents more efficiently with built-in intelligence and structured data views:
- SenseOn AI Case Summary
Every case includes an automatically generated summary offering produced by the SenseOn AI LLM: - Root cause analysis
- High-level impact description
-
Key entities involved
-
Observations Timeline
A chronological, to-scale view of observations contributing to the case. Helps you: - Understand the sequence of events
- Correlate related activities
- Identify dwell time or spread patterns
3. Knowledge Graph
Explore the relationships between entities involved in a case using an interactive visual graph:
-
Entity Relationship Mapping
View how users, processes, endpoints, and destinations interact. -
Process Tree Integration
Drill into any observation to trace a process’s full execution lineage. -
Collaboration Tools
Add comments to specific elements in the graph for shared context across your team.
4. Telemetry Record Analysis
Advanced users can access the raw telemetry behind each observation:
- Inspect low-level details like file paths, data transfers, registry changes, command lines, or parent-child process relationships.
- Pivot into Hunt Lab for comprehensive granular reviews of observed activity
5. MITRE ATT&CK Mapping
Each observation is mapped to an least one appropriate MITRE ATT&CK technique:
- Understand the adversary’s likely objectives and tactics.
- Use this to correlate detections with known attack chains or threat actor behaviour.
6. Active Response Options
Where supported, respond directly to threats from the Investigate Pane:
-
Isolate Device
Immediately remove a compromised device from the network. -
Kill Process
Terminate malicious or suspicious processes before they can escalate. -
Delete File
Remove known malicious files from affected endpoints. -
Remote Session
For advanced users, open a remote session to: - Pull forensic artefacts (e.g. file contents, hashes)
- Run custom diagnostic commands
- Apply containment rules (e.g. firewall changes, removing persistence mechanisms)
Best Practices
- Always update the case state and outcome when closing to ensure accurate threat metrics and SOC reporting.
- Use the SenseOn AI to kickstart investigations.
- Use the Observations Timeline to understand event sequencing and kill chain progression to reduce time to resolution.
- Leverage the Knowledge Graph to trace process trees, lateral movement or uncover hidden entity relationships.
- Add notes or comments for cross-team visibility and case handover clarity.