Conduct an Investigation
An investigation consists of three tabs: Overview, Activity, and Participants.
Overview
When you create an investigation or add an event to an existing one, an event modal appears. This modal has several core components:
Incident elements | Description |
---|---|
Title | A descriptive title for the event, e.g., “Suspicious activity” |
Description | A free-text field for describing the investigation, allowing users to detail the issue being investigated, share links, update the current investigation status, and provide any other relevant information |
Severity | Denotes the severity of your incident. Select from critical, high, medium, or low |
Status | Select a status (optional): new, in progress, closed, or deleted |
Assignee | A user with investigations:Read or investigations:ReadAll permissions assigned to manage the investigation |
Activity
The Activity tab displays all objects and comments related to an investigation in a chat-like format, where users can be tagged. It consolidates all evidence, allowing you to visualize and adjust the timeline, share insights, and collaborate with colleagues. Various objects, such as logs, alerts, and images, are presented to help you grasp the full scope of the investigation.
Timeline objects
The timeline displays investigation events as objects, offering a clear view of the events that led to the issue and the current progress of the investigation.
Object type | Added from | Details | Event time |
---|---|---|---|
Log | Explore > Logs | Displayed in JSON format | Original log timestamp |
Alert | Incidents > Alert Explorer | Click to view alert details | Time at which the alert was triggered |
Incident | Incidents | Click to view incident details | First time an incident was triggered |
Image | Uploaded by the user | Image size is limited to 10MB. It is stored in your archive. Deleting the image from the Activity view does not delete it from archive storage. | The default event time is set to when the image is added. You may modify the time to the actual time the image represents. |
File | Uploaded by the user | File size is limited to 10MB. It is stored in your archive. Deleting the file from the Activity view does not delete it from archive storage. | The default event time is set to when the file is added. You may modify the time to the actual time the file represents. |
RUM Template | RUM Error Tracking > Error Templates > Comments | Opens a new tab with the RUM template screen; cannot be removed from an investigation | Timestamp of the latest log in the RUM template |
Comment | Activity tab | Users may be tagged in comments. Tagged users receive a notification with a permalink to the comment and are automatically added as participants | Time of the comment creation |
Objects may be edited or deleted and a shareable link (permalink) can be used to collaborate with colleagues.
Event sorting
Each object in the investigation has two timestamps: event time and reporting time.
- Event time: The original timestamp of the object (e.g., logs appear according to the timestamp of the original log, and alerts at the time at which the alert was triggered)
- Reporting time: The time the object was added to the investigation
Objects may be sorted in the timeline by event or reporting time, with event time as the default. Sorting the timeline by event time helps you track the chronological order of incidents, allowing you to see what happened and when. Alternatively, sorting by reporting time helps you audit the investigation process itself, showing when each object and comment was added, who contributed, and how the investigation evolved.
Reporting historic events
The activity timeline allows you to submit objects as evidence and change their event time from the reporting time to the actual time of occurrence.
For example, if a user adds a screenshot of a Custom Dashboard at noon to show a system error that occurred at 6:00 AM, the user may set or edit the historic event time using the bottom-left clock icon. Customize the date and time as desired.
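The two-timestamp model described above, as an added illustration (not Coralogix code): each object keeps its reporting time for the audit trail while its event time can be corrected, so the chronological view and the audit view of the same timeline differ. Object kinds, names and times are constructed sample data.

```python
from dataclasses import dataclass, replace
from datetime import datetime


@dataclass(frozen=True)
class TimelineObject:
    kind: str                 # Log, Alert, Image, Comment, ...
    label: str
    added_by: str
    reporting_time: datetime  # when the object was added to the investigation
    event_time: datetime      # when what it documents actually happened


def add_object(kind, label, added_by, reporting_time, event_time=None):
    """Objects with no intrinsic timestamp (images, files, comments) default
    their event time to the reporting time, as the Activity tab does."""
    if event_time is None:
        event_time = reporting_time
    return TimelineObject(kind, label, added_by, reporting_time, event_time)


def set_historic_event_time(obj, when):
    """Equivalent of the clock icon: the reporting time (audit trail) is kept,
    only the time the evidence represents is corrected."""
    return replace(obj, event_time=when)


def sort_timeline(objects, by="event"):
    """Return object labels ordered by event time (default) or reporting time."""
    if by not in ("event", "reporting"):
        raise ValueError("sort key must be 'event' or 'reporting'")
    key = (lambda o: o.event_time) if by == "event" else (lambda o: o.reporting_time)
    return [o.label for o in sorted(objects, key=key)]


def demo():
    def t(hour, minute):  # constructed sample day
        return datetime(2024, 1, 1, hour, minute)

    log = add_object("Log", "db timeout log", "alice", t(9, 10), event_time=t(5, 58))
    alert = add_object("Alert", "latency alert", "alice", t(9, 12), event_time=t(6, 2))
    shot = add_object("Image", "dashboard screenshot", "bob", t(12, 0))  # added at noon
    note = add_object("Comment", "root cause found", "bob", t(12, 30))

    before = sort_timeline([log, alert, shot, note])        # screenshot sorts at noon
    shot = set_historic_event_time(shot, t(6, 0))           # error it shows was at 6 AM
    after = sort_timeline([log, alert, shot, note])         # now in true chronology
    audit = sort_timeline([log, alert, shot, note], by="reporting")  # who added what, when
    return before, after, audit
```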
Filters & search
Filter your investigation to view only relevant activity. For example, you may choose to view only specific objects to avoid the noise of comments or only the activity of a specific user. Use the free text search to search for a specific event.
View an event in its original context
Clicking on an object in the Activity timeline lets you view it in its original context. For instance, selecting a log will open it in the Explore screen with its original query and timeframe, enabling you to examine related logs from moments before and after the event.
Participants
The Participants tab allows you to collaborate with team members in an investigation. Investigations may be managed in private or public mode. The mode is selected when the investigation is created and cannot be changed later.
Private mode
When you create an investigation, it is private by default and available only to the investigation owner, the assignee, and team members with investigations:ReadAll permissions, generally reserved for managers who wish to view all investigations and track their progress.
In the Participants tab, you may invite others to collaborate in a new or existing investigation. Invitees will receive an email notification, allowing them to view and update the investigation.
Public mode
Toggle public mode to allow all team members with investigations:Read permissions to view and collaborate in your investigation, without the need for an invitation.
Collaborate in Slack
(Optional) Add a link to a dedicated Slack channel to point members to a parallel communication channel where they can discuss the investigation specifics. There is no sync yet between this channel and the investigation, but it may help you collaborate with team members who do not have access to the Coralogix platform.
Notification emails
When you designate an investigation assignee, tag a team member in a comment, or invite a team member to collaborate in a new or existing investigation, that participant receives an email notification about the investigation. The notification email includes a link to open the relevant investigation. Participants cannot opt out of receiving these notification emails.