Investigation Overview

The Investigate section of the Cado platform is where you analyze imported evidence, explore events, and build understanding of what happened during an incident. An Investigation is the container that groups related evidence items (for example, disk images and logs) and provides tabs for analysis.

Across the Investigate pages you’ll find:

  • Overview — a high‑level summary of the investigation including investigator activity, key events, potentially compromised users/assets, and MITRE ATT&CK categories.
  • Insights — dashboards that surface key events, data sources, event types, indicator matches, and ATT&CK coverage to guide pivots.
  • Automated Investigation — an ML‑ranked narrative of what occurred, including trigger, verdict, suspected compromised assets, and a curated timeline of significant events.
  • Timeline Search — a powerful, faceted and query‑driven interface for deep‑dive analysis across all events and fields.
  • Evidence — a focused view to track each evidence item and its processing status, with controls to manage items.
  • Files — an explorer for navigating file systems and opening artifacts extracted from evidence.
  • AI Investigator — explains suspicious scripts/binaries/documents by describing behaviors like payload downloads or persistence.

Next steps

| Goal | Page | What you’ll learn |
| --- | --- | --- |
| Get hands‑on with a safe sample case | Getting started example (CTF) | Import a prebuilt dataset and walk through core analysis workflows end‑to‑end. |
| Read the machine‑generated narrative | Automated Investigation | Understand triggers, verdicts, suspected assets, and a curated timeline of key events. |
| See what’s in your data at a glance | Insights | Explore key events, data sources, event types, indicators, and ATT&CK coverage. |
| Hunt precisely across all events | Timeline Search | Use facets and advanced query syntax (fields, ranges, AND/OR/NOT) to filter results. |
| Track and manage inputs | Evidence | View each evidence item and its processing status; manage items as needed. |
| Inspect artifacts on disk | Files | Navigate file systems and open artifacts linked from events. |
| Orient quickly in a case | Overview Tab | See investigator activity, key events, impacted users/assets, and ATT&CK mapping. |
| Explain a suspicious file’s behavior | AI Investigator | Generate plain‑English analyses of scripts. |
| Create/maintain investigations | Managing investigations | Create, update, delete investigations and review processing pipelines. |