
Understanding the Investigate Module

The Investigate module in Zscaler ITDR allows you to track, analyze, and manage all events generated by the decoys. The Investigate page provides a single dashboard that allows you to visualize all events, decoys, Decoy Connectors, and App Connectors, along with a graphical representation of how these entities are connected to each other and to the Zscaler ITDR Admin Portal.

Viewing Events on the Dashboard

All events generated by deployed decoys are populated on the ITDR dashboard, along with the graphical representation of how they are connected to other components. To view and manage events from the dashboard, click Investigate.

On the dashboard, you can see the following components to interact with:

  • Alerts Area: This section shows the graphical representation of all events and the components to which they are connected.
  • Filters: This section allows you to filter the events shown in the alerts area using queries and predefined time ranges. You can build complex queries using the purpose-built query language. To learn more, see Understanding and Building Queries.
  • Dashboard Customization Options: You can use various options to customize the dashboard and filter events based on level of detail, threat level, decoy type, etc.
  • Timeline: The timeline bar allows you to manually filter the events that were generated over a specific time period. In addition, you can visualize how the events were generated sequentially.

To learn more, see Understanding the Zscaler ITDR Dashboard.

Interacting with Events and Components

You can interact with all events and components on the dashboard to access more details. You can also take actions on attackers and devices.

Accessing the Details

You can view details of the events and other components such as decoys, attackers, Decoy Connectors, ITDR Admin Portal, etc. by clicking the respective component on the alerts area of the dashboard. You can also obtain additional details about the event or component to perform an in-depth analysis by clicking the View Extended Details button on the details pane. In the Extended Details window, you can access details on the events or components relating to:

  • ThreatParse: Provides information about the attack, mapped to the MITRE ATT&CK framework, along with a risk score, described in plain English. To learn more, see Viewing the ThreatParse Details.
  • Chronology: Provides a temporal overview and heatmap of the attacker's activities. To learn more, see Viewing the Attack Chronology Details.
  • Event Logs: Provides detailed log information about the events associated with an activity. To learn more, see About Event Logs.

To learn more, see Viewing the Details Pane and Viewing Extended Details.

Taking Actions From the Dashboard

In addition to providing in-depth details to analyze attacks, the ITDR dashboard allows you to take actions on events, attackers, or devices. To take action, click the component on which you want to take an action, and select a preferred action from the Actions menu on the details pane. The actions that you can take include:

  • Contain an attacker or device using Zscaler's solutions or third-party solutions
  • Mark an event or attacker as safe
  • Block the IP addresses of attackers
  • Delete an attacker from the ITDR dashboard

To learn more, see Taking Action from the Dashboard.

You can also automate these actions by configuring orchestration rules. To learn more, see About Orchestration Rules.
