FP Investigation Workflow
Transform a single false negative into a campaign-wide detection rule
Start by entering the escalated message ID to begin the investigation. Each of the sample indicators below is a pivot point:
  msg_12345
  192.168.1.1
  evil.com
Investigation Steps
1. Search the message ID to find the initial threat
2. Pivot to the IP address to find related infrastructure
3. Discover other messages using the same IP
4. Include/exclude messages to build the campaign
5. Export the campaign with a clustering rule
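The five steps above, carried through end to end as an added example (not the product's own code) over a constructed message log. The record fields (msg_id, sender_ip, sender_domain, subject, verdict), the sample values, and the JSON rule format are assumptions for illustration; the point is the pivot chain: seed message, shared sender IP, analyst include/exclude, then a rule built only from fields every campaign member shares.

```python
"""Pivot-based campaign clustering over a constructed message log.

Added example, not the investigation tool's own code. Field names, sample
records and the exported rule format are assumptions for illustration.
"""
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender_ip: str
    sender_domain: str
    subject: str
    verdict: str  # "malicious", "suspicious" or "benign" (assumed vocabulary)


# Constructed sample log: one escalated message plus siblings and decoys.
MESSAGES = [
    Message("msg_12345", "192.168.1.1", "evil.com", "Invoice overdue", "malicious"),
    Message("msg_12346", "192.168.1.1", "evil.com", "Invoice reminder", "benign"),
    Message("msg_12347", "192.168.1.1", "evil.com", "Payment request", "benign"),
    Message("msg_12348", "192.168.1.1", "partner.example", "Meeting notes", "benign"),
    Message("msg_12349", "10.0.0.5", "evil.com", "Invoice overdue", "benign"),
    Message("msg_12350", "203.0.113.9", "shop.example", "Order shipped", "benign"),
]

# Fields a clustering rule may key on; analysts should extend this list deliberately.
RULE_FIELDS = ("sender_ip", "sender_domain")


def find_message(messages, msg_id):
    """Step 1: locate the escalated message by ID."""
    for m in messages:
        if m.msg_id == msg_id:
            return m
    raise KeyError(f"unknown message id: {msg_id}")


def pivot_on_ip(messages, ip):
    """Steps 2 and 3: every message sent from the same IP, seed included."""
    return [m for m in messages if m.sender_ip == ip]


def build_campaign(seed, candidates, exclude=()):
    """Step 4: keep analyst-approved candidates; the seed is always a member."""
    members = [m for m in candidates if m.msg_id not in set(exclude)]
    if seed not in members:
        members.insert(0, seed)
    return members


def export_rule(campaign):
    """Step 5: derive a clustering rule from the fields all members share.

    Only fields with a single value across the campaign are emitted, so the
    rule never matches on a field the analyst's exclusions disagreed about.
    """
    match = {}
    for fld in RULE_FIELDS:
        values = {getattr(m, fld) for m in campaign}
        if len(values) == 1:
            match[fld] = values.pop()
    return {
        "seed": campaign[0].msg_id,
        "members": [m.msg_id for m in campaign],
        "match": match,
    }


def apply_rule(rule, messages):
    """Replay the exported rule over a log to see what it would cluster."""
    crit = rule["match"].items()
    return [m.msg_id for m in messages
            if all(getattr(m, f) == v for f, v in crit)]


if __name__ == "__main__":
    seed = find_message(MESSAGES, "msg_12345")
    siblings = pivot_on_ip(MESSAGES, seed.sender_ip)
    # Analyst excludes the partner mail that merely shares the IP.
    campaign = build_campaign(seed, siblings, exclude={"msg_12348"})
    rule = export_rule(campaign)
    print(json.dumps(rule, indent=2))
    print("rule hits:", apply_rule(rule, MESSAGES))
```

Note the caveat the replay makes visible: because the rule ANDs every shared field, msg_12349 (same domain, different IP) is not clustered. Whether that is the right scope depends on what the analyst excluded; dropping a field from RULE_FIELDS widens the rule, adding one narrows it.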