Investigate Pane Overview
The Investigate Pane in the SenseOn platform is the primary workspace for reviewing, analysing, and responding to security cases. Designed to streamline investigation workflows, it offers case management tools, detailed timelines, contextual visualisations, and actionable response options—all in one place.
Key Functions of the Investigate Pane
The pane is divided into several functional areas to help you understand threats quickly and take effective action:
1. Case Management
Efficiently track and manage the lifecycle of each case:
- Case Prioritisation: High and critical scoring cases are automatically prioritised and surfaced, ensuring attention is focused where it’s needed most.
- Case Scoring: Each case carries three scores that together describe how the platform assessed the threat:
  - Severity — overall danger level of the activity (Critical, High, Medium, Low)
  - Confidence — how certain the platform is that the activity is genuinely malicious (High, Medium, Low)
  - Score — a composite numeric value (0–100) combining severity and confidence, used for sorting and filtering
- Case States: Update the status of cases as investigations progress, which helps in tracking key metrics such as MTTR:
  - Open: Default state for new cases.
  - In Progress: Case is actively being worked on.
  - In Review: Case is under peer or managerial review.
  - Closed: Case has been resolved.
- Outcome Categorisation: When closing a case, assign an outcome to assist with metrics and model tuning:
  - True Positive: Confirmed malicious.
  - Benign True Positive: Unusual but not malicious.
  - False Positive: No actual threat.
- User Assignment: Cases can be assigned to a specific analyst. Use assignment to distribute workload across your team and to make shift handover clear. Assigned cases appear in the assignee’s personal queue on the Overview.
- Investigation Notes: Add comments or notes to document your findings, decisions, or handover context.
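The case lifecycle described above, as an added example (not SenseOn's own code): a small Python model that enforces the states and outcomes listed, requires an outcome at close, and derives MTTR and outcome tallies from the result. The allowed transitions between states are an assumption for the example; the page lists the states, not the rules.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Outcomes as listed on this page; the transition rules are an assumption for this example.
OUTCOMES = ("True Positive", "Benign True Positive", "False Positive")
TRANSITIONS = {"Open": {"In Progress", "Closed"}, "In Progress": {"In Review", "Closed"},
               "In Review": {"In Progress", "Closed"}, "Closed": set()}

@dataclass
class Case:
    case_id: str
    opened_at: datetime
    state: str = "Open"
    outcome: Optional[str] = None
    closed_at: Optional[datetime] = None

    def transition(self, new_state, at, outcome=None):
        """Move the case to new_state; closing requires one of the page's outcomes."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.case_id}: {self.state} -> {new_state} is not allowed")
        if new_state == "Closed":
            if outcome not in OUTCOMES:
                raise ValueError(f"{self.case_id}: closing requires an outcome")
            self.outcome, self.closed_at = outcome, at
        self.state = new_state

def mttr_hours(cases):
    """Mean time to resolve in hours over Closed cases only; None if nothing is closed."""
    closed = [c for c in cases if c.state == "Closed"]
    if not closed:
        return None
    return sum((c.closed_at - c.opened_at).total_seconds() for c in closed) / len(closed) / 3600

def outcome_counts(cases):
    """Tally of outcomes on closed cases: the input for model tuning and SOC reporting."""
    counts = {o: 0 for o in OUTCOMES}
    for c in cases:
        if c.outcome is not None:
            counts[c.outcome] += 1
    return counts

# Constructed sample: two cases worked through the lifecycle, one still open.
T0 = datetime(2024, 1, 1, 9, 0)
c1, c2, c3 = Case("case-1", T0), Case("case-2", T0), Case("case-3", T0)
c1.transition("In Progress", T0 + timedelta(hours=1))
c1.transition("In Review", T0 + timedelta(hours=3))
c1.transition("Closed", T0 + timedelta(hours=4), outcome="True Positive")
c2.transition("In Progress", T0 + timedelta(minutes=30))
c2.transition("Closed", T0 + timedelta(hours=2), outcome="False Positive")
SAMPLE_CASES = [c1, c2, c3]
```

Open cases are excluded from MTTR, so the still-open case-3 does not distort the figure.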
2. Case Investigation Workflow
Investigate incidents more efficiently with built-in intelligence and structured data views:
- SenseOn AI Case Summary: Every case includes an automatically generated summary, produced by the SenseOn AI LLM, covering:
  - Root cause analysis
  - High-level impact description
  - Key entities involved
- Observations Timeline: A chronological, to-scale view of the observations contributing to the case. It helps you:
  - Understand the sequence of events
  - Correlate related activities
  - Identify dwell time or spread patterns
3. Knowledge Graph
Explore the relationships between entities involved in a case using an interactive visual graph:
- Entity Relationship Mapping: View how users, processes, endpoints, and destinations interact.
- Process Tree Integration: Drill into any observation to trace a process’s full execution lineage.
- Collaboration Tools: Add comments to specific elements in the graph for shared context across your team.
4. Telemetry Record Analysis
Advanced users can access the raw telemetry behind each observation:
- Inspect low-level details like file paths, data transfers, registry changes, command lines, or parent-child process relationships.
- Pivot into Hunt Lab for comprehensive, granular reviews of observed activity.
5. MITRE ATT&CK Mapping
Each observation is mapped to at least one appropriate MITRE ATT&CK technique:
- Understand the adversary’s likely objectives and tactics.
- Use this to correlate detections with known attack chains or threat actor behaviour.
- Click any technique name to open the MITRE ATT&CK technique lookup, which shows the full technique description, sub-techniques, and known threat actor associations directly within the platform.
5a. Evidence Management
The evidence panel within a case lets you attach and track supporting artefacts gathered during your investigation:
- Upload files — attach screenshots, memory dumps, log extracts, or any other artefact relevant to the case
- Link observations — manually link additional observations from the Experience module to a case if they are related but were not automatically grouped
- Add external references — record links to external threat intelligence sources, ticket numbers, or documentation
- Evidence notes — annotate each piece of evidence with context to assist teammates or for later review
Evidence is retained with the case and included in any case export.
6. Active Response Options
Where supported, respond directly to threats from the Investigate Pane:
- Isolate Device: Immediately remove a compromised device from the network.
- Kill Process: Terminate malicious or suspicious processes before they can escalate.
- Delete File: Remove known malicious files from affected endpoints.
- Remote Session: For advanced users, open a remote session to:
  - Pull forensic artefacts (e.g. file contents, hashes)
  - Run custom diagnostic commands
  - Apply containment rules (e.g. firewall changes, removing persistence mechanisms)
Best Practices
- Always update the case state and outcome when closing to ensure accurate threat metrics and SOC reporting.
- Use the SenseOn AI Case Summary to kick-start investigations.
- Use the Observations Timeline to understand event sequencing and kill chain progression to reduce time to resolution.
- Leverage the Knowledge Graph to trace process trees and lateral movement, or to uncover hidden entity relationships.
- Add notes or comments for cross-team visibility and case handover clarity.