ITDR
Understanding AD Threat Detection Filter
The Investigate dashboard allows you to view and interact with all events generated by the Zscaler ITDR Admin Portal. You can use built-in or custom queries to filter the dashboard down to specific events. The Active Directory Threat Detection filter limits the events and alerts in the Investigate dashboard to those specific to Active Directory Threat Detection. It applies the following query to the Investigate dashboard:
(type is "itdr") or (type is "endpoint" and ((sub_type is "cbf" and cbf.is_ad_decoy_credential is true) or (sub_type in ["kerberoast", "ad_enumeration"])))
To learn more, see Applying the AD Threat Detection Filter.
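To show which events the query above keeps and which it drops, here is an added example (not Zscaler code) that parses the query text and evaluates it against constructed events. It assumes events are nested dictionaries keyed by the query's field names and that "and" binds tighter than "or"; the evaluator covers only the operators that appear in this query.

```python
import re
# Filter query copied from the page. Events are assumed to be nested dicts.
AD_FILTER = ('(type is "itdr") or (type is "endpoint" and ((sub_type is "cbf" and '
             'cbf.is_ad_decoy_credential is true) or '
             '(sub_type in ["kerberoast", "ad_enumeration"])))')

def matches(event, query=AD_FILTER):
    toks = (re.findall(r'"[^"]*"|[()\[\],]|[\w.]+', query) + ["<end>"])[::-1]  # stack: next token is last
    def take(expected=None):
        tok = toks.pop() if len(toks) > 1 else toks[-1]  # the "<end>" sentinel is never popped
        if expected not in (None, tok):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        return tok
    def value():  # a "quoted string" or a bare true/false
        tok = take()
        return tok == "true" if tok in ("true", "false") else tok.strip('"')
    def factor():
        tok = take()
        if tok == "(":
            return group(")")
        actual = event
        for part in tok.split("."):  # cbf.is_ad_decoy_credential -> nested lookup
            actual = actual.get(part) if isinstance(actual, dict) else None
        op = take()
        if op == "is":
            return actual == value()
        if op != "in" or take() != "[":
            raise ValueError(f"expected 'is' or 'in [' after field {tok!r}")
        allowed = [value()]
        while take() == ",":  # stops on the first non-comma token, normally "]"
            allowed.append(value())
        return actual in allowed
    def chain(word, operand):
        result = operand()
        while toks[-1] == word:
            _, rhs = take(), operand()  # always parse the right-hand side
            result = (result and rhs) if word == "and" else (result or rhs)
        return result
    def group(closer):  # assumption: "and" binds tighter than "or"
        result = chain("or", lambda: chain("and", factor))
        take(closer)
        return result
    return group("<end>")

# Constructed sample events; only the field names and matched values come from the query.
SAMPLES = [{"type": "itdr"}, {"type": "endpoint", "sub_type": "kerberoast"},
           {"type": "endpoint", "sub_type": "cbf", "cbf": {"is_ad_decoy_credential": True}},
           {"type": "endpoint", "sub_type": "cbf", "cbf": {"is_ad_decoy_credential": False}},
           {"type": "endpoint", "sub_type": "placeholder_other"}]
VERDICTS = [matches(event) for event in SAMPLES]
```

The first three sample events match and the last two do not: an endpoint "cbf" event is kept only when its decoy-credential flag is true, and other endpoint sub-types are kept only if they are "kerberoast" or "ad_enumeration".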