Working an investigation
Cases unify correlated alerts, evidence, notes, handoffs and the decision trail.
An investigation is the unit of analyst work. It collects every signal that supports — or contradicts — a hypothesis about an incident.
What lives on a case
- Linked alerts and the verdict that promoted them
- Timeline events (correlations, evidence collection, analyst actions)
- Analyst notes (internal SOC visibility by default)
- Handoffs between analysts with summary, open questions and recommended next steps
- Recommended response actions and their approval state
- Generated briefs and compliance evidence references
Collaboration
Each investigation surfaces a collaboration panel for notes, assignments and handoffs. The activity stream records decision changes, status changes, assignments and approvals; every entry carries a timestamp and the name of the analyst who acted.
Closing a case
Closing requires a decision (true positive, false positive, duplicate, expected) and a short justification. The closed-case record is immutable.
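The following Python is an added illustration, not SOCPilot's own code, of the invariants this page describes: alerts stay linked to the verdict that promoted them, every activity-stream entry carries a timestamp and actor, a handoff records summary, open questions and next steps, closing requires one of the four decisions plus a justification, and a closed case rejects every further change. All class, method and sample-case names (Case, TimelineEvent, CASE-0001, the analysts "alice" and "bob") are assumptions made for the example.

```python
"""Hypothetical case-record model (added example, not SOCPilot code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# The four closing decisions the page lists.
CLOSE_DECISIONS = frozenset({"true_positive", "false_positive", "duplicate", "expected"})


class CaseClosedError(RuntimeError):
    """Raised on any attempt to change a closed (immutable) case."""


@dataclass(frozen=True)
class TimelineEvent:
    """One activity-stream entry; always carries a timestamp and the actor."""
    at: datetime
    actor: str
    kind: str      # "alert_linked", "note", "handoff", "approval", "status"
    detail: str


@dataclass(frozen=True)
class Handoff:
    from_analyst: str
    to_analyst: str
    summary: str
    open_questions: tuple[str, ...]
    next_steps: tuple[str, ...]


@dataclass
class Case:
    case_id: str
    assignee: str
    alerts: dict[str, str] = field(default_factory=dict)        # alert_id -> promoting verdict
    notes: list[tuple[str, str]] = field(default_factory=list)  # (actor, text), SOC-internal
    handoffs: list[Handoff] = field(default_factory=list)
    actions: dict[str, str] = field(default_factory=dict)       # action -> approval state
    decision: str | None = None
    justification: str | None = None
    _timeline: list[TimelineEvent] = field(default_factory=list, repr=False)

    @property
    def closed(self) -> bool:
        return self.decision is not None

    @property
    def timeline(self) -> tuple[TimelineEvent, ...]:
        return tuple(self._timeline)  # read-only view of the activity stream

    def _record(self, actor: str, kind: str, detail: str) -> None:
        # Every mutation passes through here, so a closed case rejects all of them.
        if self.closed:
            raise CaseClosedError(f"case {self.case_id} is closed and immutable")
        self._timeline.append(TimelineEvent(datetime.now(timezone.utc), actor, kind, detail))

    def link_alert(self, actor: str, alert_id: str, verdict: str) -> None:
        self._record(actor, "alert_linked", f"{alert_id} promoted by verdict {verdict}")
        self.alerts[alert_id] = verdict

    def add_note(self, actor: str, text: str) -> None:
        self._record(actor, "note", text)
        self.notes.append((actor, text))

    def hand_off(self, actor: str, to_analyst: str, summary: str,
                 open_questions: list[str], next_steps: list[str]) -> None:
        self._record(actor, "handoff", f"{actor} -> {to_analyst}: {summary}")
        self.handoffs.append(Handoff(actor, to_analyst, summary,
                                     tuple(open_questions), tuple(next_steps)))
        self.assignee = to_analyst

    def recommend_action(self, actor: str, action: str) -> None:
        self._record(actor, "approval", f"{action}: pending")
        self.actions[action] = "pending"

    def approve_action(self, actor: str, action: str, approved: bool) -> None:
        state = "approved" if approved else "rejected"
        self._record(actor, "approval", f"{action}: {state}")
        self.actions[action] = state

    def close(self, actor: str, decision: str, justification: str) -> None:
        if decision not in CLOSE_DECISIONS:
            raise ValueError(f"decision must be one of {sorted(CLOSE_DECISIONS)}")
        if not justification.strip():
            raise ValueError("closing requires a justification")
        self._record(actor, "status", f"closed as {decision}: {justification}")
        self.decision, self.justification = decision, justification.strip()


def worked_example() -> Case:
    """Constructed walkthrough: two analysts work a case and close it."""
    case = Case("CASE-0001", assignee="alice")
    case.link_alert("alice", "ALT-42", "true_positive_candidate")
    case.add_note("alice", "Beaconing interval matches a known C2 profile.")
    case.recommend_action("alice", "isolate host")
    case.hand_off("alice", "bob", "Likely C2; host not yet isolated.",
                  ["Is the host a jump box?"], ["Approve isolation", "Pull memory image"])
    case.approve_action("bob", "isolate host", approved=True)
    case.close("bob", "true_positive", "Confirmed C2 traffic; host isolated.")
    return case
```

The design point is that every state change is routed through one method that appends to the timeline, so the immutability rule for closed cases and the "timestamp plus actor on every entry" rule are enforced in a single place rather than repeated per action.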
Related
- How evidence-backed triage works: every verdict ships with the signals behind it, namely source context, entities, related activity, confidence, risk and what is missing.
- False positive learning: analysts can teach SOCPilot which alerts are false positives, duplicates or expected; every suppression is explainable and auditable.
- Incident briefs: executive and technical write-ups generated from the investigation record.