Investigation tracking enables you to track how a detection is reviewed and resolved with the ExtraHop system.
Before you begin
Users must have limited write privileges or higher to set a detection status, assign a detection, or leave investigation notes.
- The Acknowledged or Closed status does not hide the detection.
- The investigation status can be updated by any privileged user.
- Optionally, you can configure investigation tracking with a third-party system.
- If you are currently tracking investigations with a third-party system, you will not see ExtraHop system investigation tracking until you specify it in the Investigation Tracking Administration settings.
To track an investigation, complete the following steps:
- Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
- At the top of the page, click Detections.
- Click Actions from the lower-left corner of the detection card.
- Click an investigation status to add it to the detection.

  | Option | Description |
  | --- | --- |
  | Acknowledge | The detection has been seen and should be prioritized for follow-up. |
  | In Progress | The detection has been assigned to a team member and is being reviewed. |
  | Closed - Action Taken | The detection was investigated and action was taken to address the potential risk. |
  | Closed - No Action Taken | The detection was investigated and required no response. |

- Click Track Investigation… to set the investigation status, assign the investigation to a user, and add notes that are displayed on

  Selecting None in the Track Investigation dialog box removes the status from the detection, but the previously added assignee and investigation notes remain visible.