Investigation Overview
The Investigate section of the Cado platform is where you analyze imported evidence, explore events, and build understanding of what happened during an incident. An Investigation is the container that groups related evidence items (for example, disk images and logs) and provides tabs for analysis.
Across the Investigate pages you’ll find:
- Overview — a high‑level summary of the investigation including investigator activity, key events, potentially compromised users/assets, and MITRE ATT&CK categories.
- Insights — dashboards that surface key events, data sources, event types, indicator matches, and ATT&CK coverage to guide pivots.
- Automated Investigation — an ML‑ranked narrative of what occurred, including trigger, verdict, suspected compromised assets, and a curated timeline of significant events.
- Timeline Search — a powerful, faceted and query‑driven interface for deep‑dive analysis across all events and fields.
- Evidence — a focused view to track each evidence item and its processing status, with controls to manage items.
- Files — an explorer for navigating file systems and opening artifacts extracted from evidence.
- AI Investigator — explains suspicious scripts/binaries/documents by describing behaviors like payload downloads or persistence.
Next steps
| Goal | Page | What you’ll learn |
|---|---|---|
| Get hands‑on with a safe sample case | Getting started example (CTF) | Import a prebuilt dataset and walk through core analysis workflows end‑to‑end. |
| Read the machine‑generated narrative | Automated Investigation | Understand triggers, verdicts, suspected assets, and a curated timeline of key events. |
| See what’s in your data at a glance | Insights | Explore key events, data sources, event types, indicators, and ATT&CK coverage. |
| Hunt precisely across all events | Timeline Search | Use facets and advanced query syntax (fields, ranges, AND/OR/NOT) to filter results. |
| Track and manage inputs | Evidence | View each evidence item and its processing status; manage items as needed. |
| Inspect artifacts on disk | Files | Navigate file systems and open artifacts linked from events. |
| Orient quickly in a case | Overview Tab | See investigator activity, key events, impacted users/assets, and ATT&CK mapping. |
| Explain a suspicious file’s behavior | AI Investigator | Generate plain‑English analyses of suspicious scripts, binaries, and documents. |
| Create/maintain investigations | Managing investigations | Create, update, and delete investigations, and review processing pipelines. |