Start an investigation

Click Start Investigation. The Add Query to Investigation dialog opens.

Query Name	Enter a name for the query.
Search Query	Enter the query string.
Last 7 Days	Click to set the data range to Last Hour, Last 24 Hours, Last 7 days, Last 30 days, Last 60 days or last 90 days.
Sort by timestamp	Select Ascending or Descending.
Retrieve up to	Click to set the number of rows retrieved (100, 500, 1000, or 10,000).
Create a New Investigation	Click to create a new investigation.
Add to Existing Investigation	The Choose Investigation dropdown is displayed. Select an investigation from the list.
Run a Private Query	Select this option to add a query to an adhoc search.
Investigation Name	Enter a name for the new investigation.
Description	Enter a short description of the new investigation.
Choose Investigation

To start an investigation:

Go to Detections > Triage Rules. The Detections Rules page opens.

Click a rule to open the Details page.

Click Start Investigation. The Add Query to Investigation dialog opens.

Query Name	Enter a name for the query.
Search Query	Enter the query string.
Last 7 Days	Click to set the data range to Last Hour, Last 24 Hours, Last 7 days, Last 30 days, Last 60 days or last 90 days.
Sort by timestamp	Select Ascending or Descending.
Retrieve up to	Click to set the number of rows retrieved (100, 500, 1000, or 10,000).
Create a New Investigation	Click to create a new investigation.
Add to Existing Investigation	The Choose Investigation dropdown is displayed. Select an investigation from the list.
Run a Private Query	Select this option to add a query to an adhoc search.
Investigation Name	Enter a name for the new investigation.
Description	Enter a short description of the new investigation.
Choose Investigation

Click Add Query.