Investigation Notebooks & AI Analysis
Investigation notebooks are AI-powered "shadow agents" that automatically track your analysis workflow through searches, alerts, and detections. They provide a comprehensive timeline of your investigation activities with intelligent AI assistance for analysis, summarization, and pivot suggestions.
Overview
Notebooks transform security investigations from scattered activities into structured, AI-enhanced workflows:
- Automatic Capture - Tracks searches, alerts, detections, and manual notes
- AI-Powered Analysis - Generates queries, suggests pivots, and provides summaries
- Entity Tracking - Automatically extracts and correlates IOCs and entities
- Timeline Generation - Creates chronological investigation flows
- Team Collaboration - Share investigations with structured handoffs
- Case Integration - Auto-created for cases, mirrors lifecycle events, enriches AI summaries
- Integration Hub - Connects searches, alerts, detections, and dashboards
Core Capabilities
Auto-Capture System
When a notebook is active, it automatically captures:
Search Activities
✓ Query executed: user="john.doe" | stats count by src_ip
→ 47 results in 234ms
→ Time range: Last 1 hour
→ Top results: 192.168.1.100 (23), 10.0.0.5 (12), 172.16.1.50 (8)
Alert Investigations
✓ Alert viewed: Suspicious Login Activity [HIGH]
→ Rule: Multiple failed logins from same IP
→ 12 matched events from 192.168.1.100
→ Risk Score: 85/100
✓ Alert actioned: Acknowledged as "False Positive"
→ Reason: Legitimate remote work from home office
Detection Rule Interactions
✓ Detection viewed: Lateral Movement Detection [MEDIUM]
→ Query: process_name="psexec.exe" OR process_name="wmic.exe"
→ Schedule: */5 * * * * (every 5 minutes)
✓ Detection modified: Enabled rule, adjusted threshold from 5 to 10
→ Change reason: Reducing false positives from admin activity
Manual Annotations
✓ Note: "Investigating potential insider threat - user has privileged access"
✓ Timeline: Initial access detected via phishing email at 14:23 UTC
✓ IOC: 192.168.1.100 marked as malicious C2 server
AI-Enhanced Features
Query Generation from Natural Language
Input: @search find all PowerShell executions with suspicious parameters
AI Output:
Generated Query: process_name="powershell.exe" AND (command_line CONTAINS "-enc" OR command_line CONTAINS "-nop" OR command_line CONTAINS "downloadstring")
Explanation: Searches for PowerShell processes with common obfuscation and download patterns
Confidence: High (based on MITRE T1059.001 patterns)
Fields Used: process_name, command_line
Expected Results: ~50-200 events in typical environment
Intelligent Pivot Suggestions
Context: Investigating failed login attempts from 192.168.1.100
AI Suggested Pivots:
1. "Check for successful logins from same IP range"
→ src_ip="192.168.1.*" AND event_type="login" AND result="success"
Rationale: Identify if attacker gained access from nearby IPs
2. "Look for password spray patterns"
→ src_ip="192.168.1.100" | stats dc(target_user) by src_ip | where dc_target_user > 10
Rationale: Detect if this IP targeted multiple accounts
3. "Find other suspicious IPs in same timeframe"
→ _time >= "2024-01-03 14:00:00" AND event_type="login" AND result="failed" | stats count by src_ip | where count > 20
Rationale: Identify coordinated attack from multiple sources
Investigation Summaries
AI Investigation Summary:
Investigated suspicious login activity for user john.doe from IP 192.168.1.100.
Analysis revealed legitimate remote access from approved home office location.
Key Findings:
• 15 failed login attempts followed by 1 successful login
• Source IP resolves to residential ISP in user's home city
• Login timing aligns with user's approved remote work schedule
• No privilege escalation or lateral movement detected post-login
• File access patterns consistent with normal work activities
Entities Investigated:
- Users: john.doe, admin.backup
- IPs: 192.168.1.100, 10.0.0.15
- Hosts: workstation-01, dc-01
Investigation Statistics:
- Queries Executed: 12
- Alerts Reviewed: 3
- Detection Rules Checked: 2
- Timeline Events: 8
- Investigation Duration: 47 minutes
Recommended Disposition: False Positive
Confidence Level: High (95%)
Next Steps: Update user training on VPN usage for remote work
@ Commands System
Use @ commands for structured entries and AI assistance:
Entity References
@ip:192.168.1.100 # Reference an IP address
@user:john.doe # Reference a user account
@host:workstation-01 # Reference a hostname
@hash:a1b2c3d4e5f6... # Reference a file hash
@email:user@company.com # Reference an email address
@domain:malicious.com # Reference a domain name
@url:https://evil.com # Reference a URL
@file:/tmp/malware.exe # Reference a file path
@process:powershell.exe # Reference a process name
IOC Markers
@ioc 192.168.1.100 # Mark IP as indicator of compromise
@ioc malicious.com # Mark domain as IOC
@ioc a1b2c3d4e5f67890... # Mark file hash as malicious
Display:
🔴 Indicator of Compromise
IP: 192.168.1.100
Type: Command & Control Server
Confidence: Analyst Confirmed
First Seen: 2024-01-03 14:23:45
Timeline Annotations
@timeline Initial access detected via phishing email
@timeline Lateral movement to domain controller observed
@timeline Malware payload downloaded from C2 server
@timeline Incident response team notified
Timeline View:
🕒 14:23:45 - Initial access detected via phishing email
🕒 14:45:12 - Lateral movement to domain controller observed
🕒 15:02:33 - Malware payload downloaded from C2 server
🕒 15:15:00 - Incident response team notified
AI-Powered Commands
@search find all logins from suspicious IP in last 24 hours
# AI generates optimized nPL query with explanation
@pivot
# AI analyzes investigation context and suggests 3-4 follow-up queries
@summarize
# AI generates comprehensive investigation summary with findings
@alert
# Opens searchable dropdown to link specific alerts
@detection
# Opens searchable dropdown to link detection rules
Integration with Alerts & Detections
Alert Integration
Automatic Capture
When investigating alerts with an active notebook:
- Alert details automatically logged
- Rule information and matched events captured
- Risk scores and severity levels recorded
- Analyst actions (acknowledge, close) tracked
- Disposition reasoning preserved
Bidirectional Linking
From Alert → Notebook:
✓ Alert: "Suspicious PowerShell Execution" [HIGH]
→ Linked to Investigation: "PowerShell Malware Analysis"
→ 12 related events captured
→ Risk score: 92/100
From Notebook → Alert:
@alert Suspicious PowerShell Execution
→ Full alert context imported
→ AI suggests related queries based on alert IOCs
→ Automatic pivot to related detection rules
Investigation Workflow
- Alert Triage - Notebook captures initial alert review
- Context Gathering - AI suggests queries based on alert details
- Evidence Collection - Search results automatically logged
- Decision Documentation - Disposition reasoning preserved
- Handoff Preparation - Summary generated for escalation
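The three pivots the AI proposes for a failed-login alert earlier on this page (successful logins from the same /24, password-spray detection, coordinated failed logins in a time window) are shown below as plain Python over constructed auth events. This is an added example, not the product's nPL engine or its code; the field names ts, src_ip, target_user, event_type and result are assumed to mirror the page's query examples, and the events are made up.

```python
# Added example (not the notebook product's code): the three pivots the page suggests
# for a failed-login alert, written as plain Python over constructed auth events
# rather than nPL. Field names (ts, src_ip, target_user, event_type, result) are
# assumed to mirror the page's query examples.
import ipaddress
from collections import defaultdict
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"

def _ev(ts, src_ip, user, result):
    return {"ts": ts, "src_ip": src_ip, "target_user": user,
            "event_type": "login", "result": result}

# Constructed sample, not real telemetry: 15 failures then a success for john.doe
# from 192.168.1.100 (the page's scenario), a spray-like source hitting 12 accounts,
# and a success from a neighbouring address in the same /24.
EVENTS = (
    [_ev("2024-01-03 14:%02d:00" % m, "192.168.1.100", "john.doe", "failed") for m in range(1, 16)]
    + [_ev("2024-01-03 14:16:00", "192.168.1.100", "john.doe", "success")]
    + [_ev("2024-01-03 14:%02d:30" % m, "203.0.113.7", "user%02d" % m, "failed") for m in range(1, 13)]
    + [_ev("2024-01-03 14:20:00", "192.168.1.101", "admin.backup", "success")]
)

def logins(events, result):
    return [e for e in events if e["event_type"] == "login" and e["result"] == result]

def successes_near(events, pivot_ip, prefix=24):
    """Pivot 1: successful logins from the pivot IP's /24 (the page's src_ip="192.168.1.*")."""
    net = ipaddress.ip_network("%s/%d" % (pivot_ip, prefix), strict=False)
    return sorted((e["ts"], e["src_ip"], e["target_user"])
                  for e in logins(events, "success")
                  if ipaddress.ip_address(e["src_ip"]) in net)

def spray_sources(events, min_distinct_users=10):
    """Pivot 2: distinct target accounts per source IP on failed logins (stats dc(target_user) by src_ip)."""
    users = defaultdict(set)
    for e in logins(events, "failed"):
        users[e["src_ip"]].add(e["target_user"])
    return {ip: len(u) for ip, u in users.items() if len(u) > min_distinct_users}

def noisy_failures_since(events, since, min_count=20):
    """Pivot 3: failed-login count per source IP from a start time (stats count by src_ip | where count > N)."""
    start = datetime.strptime(since, TS)
    counts = defaultdict(int)
    for e in logins(events, "failed"):
        if datetime.strptime(e["ts"], TS) >= start:
            counts[e["src_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n > min_count}

if __name__ == "__main__":
    print(successes_near(EVENTS, "192.168.1.100"))
    print(spray_sources(EVENTS))
    # The page's threshold of 20 finds nothing in this sample; 10 surfaces both sources.
    print(noisy_failures_since(EVENTS, "2024-01-03 14:00:00"))
    print(noisy_failures_since(EVENTS, "2024-01-03 14:00:00", min_count=10))
```

The thresholds are the point worth validating when an AI suggests such pivots: count > 20 never fires on a 15-attempt brute force, and the spray check (more than 10 distinct accounts) fires on the 12-account source but not on a single-account brute force, so the two pivots complement rather than duplicate each other.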
Detection Rule Integration
Rule Development Tracking
✓ Detection created: "Lateral Movement via WMI"
→ Query: process_name="wmic.exe" AND command_line CONTAINS "process call create"
→ Schedule: */10 * * * * (every 10 minutes)
→ Severity: Medium
→ MITRE: T1047 (Windows Management Instrumentation)
✓ Detection tested: Historical analysis over 7 days
→ 23 matches found
→ 3 true positives, 20 false positives (87% FP rate)
→ AI recommendation: Adjust threshold or add exclusions
✓ Detection tuned: Added exclusion for admin accounts
→ Updated query: ... AND NOT user LIKE "admin_%"
→ Retest results: 5 matches, 3 true positives, 2 false positives (40% FP rate)
Rule Performance Analysis
- Track rule effectiveness over time
- Monitor false positive rates
- Document tuning decisions and rationale
- Link to related alerts generated by rules
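The rule-tuning arithmetic shown above (23 matches with 3 true positives before the exclusion, 5 matches with 3 true positives after) can be reproduced by replaying a detection over labelled history, which is also the moment to check that the exclusion did not silence a true positive. The block below is an added example and not the product's rule engine: the nPL query is replaced by Python predicates, the seven-day history is constructed, and SQL LIKE semantics for "admin_%" are an assumption about how the query language treats the pattern.

```python
# Added example (not the product's rule engine): the WMI lateral-movement rule from the
# page evaluated over constructed process events that carry an analyst label, to
# reproduce the false-positive arithmetic before and after the admin exclusion and
# to check that tuning did not silence a true positive. The nPL query is stood in
# for by Python predicates; SQL LIKE semantics for "admin_%" are an assumption.
import re

# Constructed 7-day history: (user, process_name, command_line, analyst_label).
HISTORY = (
    [("admin_%02d" % i, "wmic.exe",
      "wmic /node:srv%02d process call create cmd.exe /c gpupdate /force" % i, "fp")
     for i in range(1, 19)]                                      # 18 routine admin pushes
    + [("helpdesk1", "wmic.exe", "wmic /node:ws-17 process call create msiexec.exe /i agent.msi", "fp"),
       ("helpdesk2", "wmic.exe", "wmic /node:ws-22 process call create msiexec.exe /i agent.msi", "fp"),
       ("user17", "wmic.exe", "wmic /node:dc-01 process call create powershell.exe -enc SQBFAFgA", "tp"),
       ("svc_build", "WMIC.EXE", "wmic /node:fileserver process call create cmd.exe /c whoami", "tp"),
       ("contractor9", "wmic.exe", "wmic /node:workstation-05 process call create rundll32.exe", "tp"),
       ("jsmith", "wmic.exe", "wmic os get caption", "benign"),   # wmic, but no remote process creation
       ("jsmith", "powershell.exe", "Get-Process", "benign")]
)

def base_rule(e):
    """process_name="wmic.exe" AND command_line CONTAINS "process call create" """
    _, proc, cmd, _ = e
    return proc.lower() == "wmic.exe" and "process call create" in cmd.lower()

def sql_like(pattern, value):
    """SQL LIKE: % matches any run of characters, _ matches exactly one (case-insensitive)."""
    rx = "^" + "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern) + "$"
    return re.match(rx, value, re.IGNORECASE) is not None

def tuned_rule(e):
    """... AND NOT user LIKE "admin_%" """
    return base_rule(e) and not sql_like("admin_%", e[0])

def evaluate(rule, events):
    """Matches, true/false positives and FP rate (percent) for a rule over labelled history."""
    matches = [e for e in events if rule(e)]
    tp = sum(1 for e in matches if e[3] == "tp")
    fp = len(matches) - tp
    return {"matches": len(matches), "tp": tp, "fp": fp,
            "fp_rate": round(100 * fp / len(matches)) if matches else 0}

def lost_true_positives(before, after, events):
    """True positives the tuned rule no longer fires on: the cost of the exclusion."""
    return [e[0] for e in events if e[3] == "tp" and before(e) and not after(e)]

if __name__ == "__main__":
    print(evaluate(base_rule, HISTORY))    # 23 matches, 3 TP, 20 FP, 87% FP rate
    print(evaluate(tuned_rule, HISTORY))   # 5 matches, 3 TP, 2 FP, 40% FP rate
    print(lost_true_positives(base_rule, tuned_rule, HISTORY))
```

Two caveats follow from the code. If LIKE has SQL semantics, the underscore in "admin_%" is a single-character wildcard, so the exclusion also drops any six-or-more-character name beginning with "admin" (for example "administrator"), which is broader than the prefix the analyst probably meant. And an attacker who already holds an admin_ account is invisible to the tuned rule, which is why the retest should report lost true positives and not only the new FP rate.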
Case Integration
Notebooks are the single source of truth for case investigations. When a case has an assigned analyst, a notebook is automatically created and linked to the case. The case detail Investigation tab shows the notebook timeline directly.
Automatic Case Notebook Creation
Notebooks are auto-created in these scenarios:
- Case assignment — Assigning a case to an analyst creates a notebook (or transfers ownership of an existing one)
- Case creation with assignee — Creating a case with an assigned user auto-creates a notebook
- Auto-investigation — When auto-investigate is enabled in case settings, new cases get notebooks immediately
Case Event Mirroring
Case lifecycle events are automatically mirrored into the notebook timeline:
🔸 Status Changed — Case status changed from Open to In Progress
🔸 Assignment Changed — Case assigned to user alice
🔸 Cases Merged — Merged 2 case(s): 5 alerts, 3 entities moved
These events appear with an amber Activity icon and include metadata (previous/new status, disposition, merged alert counts). They are:
- Visible in the Investigation tab alongside search and note entries
- Included in AI summary generation for complete context
- Exported in CSV timeline exports
Unified Investigation Timeline
When a notebook exists for a case, the Investigation tab shows only notebook entries — legacy case wall entries (status changes, comments) are hidden to avoid duplication. This means:
- New case events flow through the notebook
- Searches, AI analysis, and manual notes live alongside lifecycle events
- AI summaries see everything in one timeline
Cases created before notebook integration still show the legacy wall entries as a fallback.
AI Summary with Case Context
When generating summaries (@summarize or case close), the AI receives case metadata:
- Case title and number for reference
- Severity and status for prioritization context
- Disposition (on close) for outcome framing
- Case description for investigation scope
This produces summaries that reference the case context rather than just listing raw investigation entries.
AI Summary (with case context):
Investigated Case #1234 "Suspicious PowerShell Activity" (High Severity).
Analysis confirmed encoded PowerShell commands downloading a second-stage payload
from 203.0.113.100. Case resolved as True Positive — affected host reimaged and
network indicators blocked.
Timeline & Investigation Flow
Automatic Timeline Generation
Notebooks create structured timelines from your activities:
Investigation Timeline: "Phishing Attack Analysis"
Phase 1: Initial Discovery (14:23 - 14:45)
├─ [ALERT] "Suspicious Email Attachment" triggered
├─ [SEARCH] email attachments from external senders
├─ [ENTITY] suspicious@malicious.com identified
└─ [IOC] malicious.com marked as C2 domain
Phase 2: Impact Assessment (14:45 - 15:30)
├─ [SEARCH] users who opened suspicious attachments
├─ [ENTITY] 5 users identified (john.doe, jane.smith, ...)
├─ [SEARCH] process execution on affected workstations
├─ [ENTITY] workstation-01, workstation-05 compromised
└─ [TIME] Malware execution detected at 14:52
Phase 3: Containment (15:30 - 16:00)
├─ [ALERT] "Lateral Movement Detected"
├─ [SEARCH] network connections to C2 servers
├─ [IOC] 203.0.113.100 identified as C2 server
├─ [TIME] Network isolation initiated
└─ [NOTE] IR team notified, containment in progress
Manual Timeline Control
Add custom timeline markers for key events:
@timeline 14:23 - Phishing email delivered to 50 users
@timeline 14:52 - First malware execution detected
@timeline 15:15 - C2 communication established
@timeline 15:45 - Network isolation completed
@timeline 16:30 - Forensic imaging started
Entity Tracking & Correlation
Automatic Entity Extraction
Notebooks automatically identify and track entities from:
- Search queries and results
- Alert details and matched events
- Manual @ command references
- AI-generated content
Tracked Entity Types:
- IP Addresses - Source/destination IPs, C2 servers
- Users - Account names, email addresses
- Hosts - Workstations, servers, network devices
- File Hashes - Malware signatures, process hashes
- Email Addresses - Senders, recipients, domains
- Domains - C2 domains, suspicious websites
- File Paths - Malware locations, suspicious files
- Processes - Executed programs, system processes
Entity Panel Features
Frequency Analysis
Investigation Entities:
IP Addresses (4)
├─ 192.168.1.100 (mentioned 12 times) [IOC]
├─ 203.0.113.100 (mentioned 8 times) [IOC]
├─ 10.0.0.15 (mentioned 3 times)
└─ 172.16.1.50 (mentioned 1 time)
👤 Users (3)
├─ john.doe (mentioned 15 times)
├─ admin.backup (mentioned 4 times)
└─ jane.smith (mentioned 2 times)
#️⃣ File Hashes (2)
├─ a1b2c3d4e5f67890... (mentioned 6 times) 🔴 IOC
└─ 9876543210abcdef... (mentioned 2 times)
Smart Correlation
- Click any entity to search for related activity
- AI suggests entity relationships and connections
- Visual indicators show IOC status and confidence
- Cross-reference entities across multiple investigations
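The @ entity references and @ioc markers from the @ Commands section, the automatic extraction of bare entities from free text, and the per-entity mention counts and IOC flags of the entity panel all rest on the same parsing step. The block below is an added example of that step and is not the product's parser: the notebook entries are constructed, and the regular expressions and the rule that infers a type for an untyped @ioc value are this example's own assumptions.

```python
# Added example, not the product's parser: a small extractor that pulls the @ references
# and @ioc markers documented above out of notebook entries, also picks up bare IPs,
# hashes, e-mail addresses and domains from free text, and builds the mention counts
# and IOC flags the entity panel displays. The entries are constructed, and the
# regexes and the @ioc type-inference rule are this example's own assumptions.
import ipaddress
import re
from collections import Counter

# Typed references (types taken from the page): @ip:..., @user:..., @hash:... etc.
TYPED = re.compile(r"@(ip|user|host|hash|email|domain|url|file|process):(\S+)")
# Untyped IOC marker; the entity type is inferred by classify().
IOC = re.compile(r"@ioc\s+(\S+)")
# Bare entities in free text. Deliberately conservative; real extractors need more.
BARE = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "hash": re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b"),  # sha256/sha1/md5
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info|xyz)\b", re.IGNORECASE),
}
SCAN_ORDER = ("email", "hash", "ip", "domain")   # e-mails first so their domain part is not double counted

def valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:           # e.g. 999.1.1.1 matches the regex but is not an address
        return False

def classify(value):
    """Infer the type of an untyped @ioc value."""
    if valid_ip(value):
        return "ip"
    if BARE["hash"].fullmatch(value):
        return "hash"
    if BARE["email"].fullmatch(value):
        return "email"
    if value.startswith(("http://", "https://")):
        return "url"
    return "domain"

def extract(entries):
    """Return (Counter of (type, value) -> mentions, set of values marked as IOC)."""
    mentions, iocs = Counter(), set()
    for text in entries:
        for kind, value in TYPED.findall(text):
            mentions[(kind, value)] += 1
        for value in IOC.findall(text):
            mentions[(classify(value), value)] += 1
            iocs.add(value)
        rest = IOC.sub(" ", TYPED.sub(" ", text))     # scan only what explicit references did not cover
        for kind in SCAN_ORDER:
            for value in BARE[kind].findall(rest):
                if kind == "ip" and not valid_ip(value):
                    continue
                mentions[(kind, value)] += 1
            rest = BARE[kind].sub(" ", rest)
    return mentions, iocs

def panel(mentions, iocs):
    """Per-type lists of (value, mentions, is_ioc), most-mentioned first, as the entity panel shows."""
    out = {}
    for (kind, value), n in mentions.items():
        out.setdefault(kind, []).append((value, n, value in iocs))
    for rows in out.values():
        rows.sort(key=lambda r: (-r[1], r[0]))
    return out

SHA256 = "a1b2c3d4e5f67890" * 4   # constructed placeholder hash

# Constructed notebook entries.
ENTRIES = [
    "Investigating failed logins from @ip:192.168.1.100 for @user:john.doe",
    "@ioc 192.168.1.100",
    "Same source 192.168.1.100 also hit dc-01; second host 10.0.0.15 looks clean",
    "@ioc malicious.com",
    "Phish sender suspicious@malicious.com, attachment hash " + SHA256,
    "@hash:" + SHA256 + " matches three AV detections",
    "Typo in ticket: 999.1.1.1 is not an address and is ignored",
]

if __name__ == "__main__":
    m, i = extract(ENTRIES)
    for kind, rows in panel(m, i).items():
        print(kind, rows)
```

Typed references, IOC markers and bare mentions of the same value all count towards one entity, which is what makes the "mentioned 12 times" figure in the panel meaningful; the IOC flag, by contrast, is set only by an explicit @ioc marker, so a value that merely appears often is never promoted to an indicator by frequency alone.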
AI-Powered Analysis
Query Intelligence
Natural Language Processing
Input: "Show me all network connections from compromised hosts to external IPs"
AI Analysis:
1. Identifies key concepts: network connections, compromised hosts, external IPs
2. Maps to UDM fields: event_type="network", src_host, dst_ip
3. Applies filters: dst_ip NOT IN (private_ranges)
4. Generates optimized query
Generated Query:
event_type="network" AND src_host IN ("workstation-01", "workstation-05")
AND NOT (dst_ip LIKE "10.*" OR dst_ip LIKE "192.168.*" OR dst_ip LIKE "172.16.*")
| stats count by src_host, dst_ip, dst_port
| sort -count
Query Optimization
- AI suggests performance improvements
- Recommends indexed field usage
- Identifies expensive operations
- Provides alternative query approaches
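The generated "external IPs" query above is a good illustration of why AI output needs checking: the wildcard 172.16.* covers only 172.16.0.0/16, while the RFC 1918 block is 172.16.0.0/12, so connections to 172.17.0.0 through 172.31.255.255 would be reported as external. The block below is an added example and not the product's query engine: it runs the same pivot over constructed network events with Python's ipaddress module and compares the result with the wildcard filter taken literally. Field names (event_type, src_host, dst_ip, dst_port) follow the page's query.

```python
# Added example (not the product's query engine): the "connections from compromised hosts
# to external IPs" pivot above, run over constructed network events with the ipaddress
# module so that the private-range exclusion covers the whole of each RFC 1918 block.
# The page's generated filter uses the wildcard 172.16.*, which only covers 172.16.0.0/16;
# 172.17.0.0 to 172.31.255.255 are private too and would be reported as external.
# Field names (event_type, src_host, dst_ip, dst_port) follow the page's query.
import ipaddress
from collections import Counter

# Listed explicitly rather than via ip_address(...).is_private, because Python also
# treats the RFC 5737 documentation ranges used on this page (203.0.113.0/24,
# 198.51.100.0/24) as non-global and would hide the C2 address.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "224.0.0.0/4", "255.255.255.255/32",               # multicast, limited broadcast
)]

def is_external(ip):
    a = ipaddress.ip_address(ip)
    return a.version == 4 and not any(a in net for net in INTERNAL)

def wildcard_external(ip):
    """The page's generated filter taken literally: NOT (10.* OR 192.168.* OR 172.16.*)."""
    return not ip.startswith(("10.", "192.168.", "172.16."))

def _net(src_host, dst_ip, dst_port):
    return {"event_type": "network", "src_host": src_host, "dst_ip": dst_ip, "dst_port": dst_port}

# Constructed sample events.
EVENTS = (
    [_net("workstation-01", "203.0.113.100", 443)] * 3
    + [_net("workstation-05", "203.0.113.100", 443)] * 2
    + [_net("workstation-01", "172.20.5.9", 445),       # RFC 1918, but passes the 172.16.* wildcard
       _net("workstation-05", "10.0.0.15", 389),        # internal
       _net("workstation-01", "198.51.100.7", 8080),    # external
       _net("workstation-12", "203.0.113.100", 443),    # host not in the compromised set
       {"event_type": "process", "src_host": "workstation-01", "process_name": "wmic.exe"}]
)

def external_connections(events, hosts):
    """stats count by src_host, dst_ip, dst_port | sort -count, restricted to hosts and external dst."""
    counts = Counter()
    for e in events:
        if e["event_type"] == "network" and e["src_host"] in hosts and is_external(e["dst_ip"]):
            counts[(e["src_host"], e["dst_ip"], e["dst_port"])] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def wildcard_misses(events):
    """Destinations the wildcard filter would call external although they are in INTERNAL."""
    return sorted({e["dst_ip"] for e in events
                   if e["event_type"] == "network"
                   and wildcard_external(e["dst_ip"]) and not is_external(e["dst_ip"])})

if __name__ == "__main__":
    for (host, ip, port), n in external_connections(EVENTS, {"workstation-01", "workstation-05"}):
        print(host, ip, port, n)
    print("wildcard would misreport:", wildcard_misses(EVENTS))
```

When the platform's query language supports CIDR matching, the same correction is a one-line change to the generated query; the point of the comparison is that the difference only shows up on destinations in 172.17.0.0 to 172.31.255.255, which is exactly the kind of gap an analyst will not notice by eyeballing results.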
Contextual Suggestions
Investigation Patterns
AI learns from your investigation patterns:
- Recognizes common threat hunting workflows
- Suggests queries based on similar past investigations
- Identifies gaps in analysis coverage
- Recommends additional data sources
Threat Intelligence Integration
- Correlates entities with known threat intelligence
- Suggests IOC lookups and reputation checks
- Identifies MITRE ATT&CK technique patterns
- Provides threat actor attribution insights
Summary Generation
When a notebook is linked to a case, summaries automatically include case metadata (title, severity, status, disposition, description) — producing context-aware summaries that reference the investigation outcome. Case lifecycle events in the notebook are also included.
Multi-Level Summaries
Executive Summary (2-3 sentences):
Investigated phishing attack targeting 50 employees. Confirmed malware
infection on 5 workstations with C2 communication to external servers.
Containment successful, no data exfiltration detected.
Technical Summary (detailed findings):
• Phishing email delivered at 14:23 with malicious attachment
• Malware hash: a1b2c3d4e5f67890... (confirmed malicious)
• C2 servers: 203.0.113.100, malicious.com
• Affected systems: workstation-01, workstation-05, workstation-12
• Network isolation completed at 15:45
• No evidence of data exfiltration or privilege escalation
Operational Summary (actions taken):
• 5 workstations isolated and reimaged
• Email security rules updated to block sender domain
• User security awareness training scheduled
• Incident response procedures followed per playbook
Collaboration & Sharing
Notebook Sharing
Visibility Levels
- Private - Only you can access
- Shared - Specific users/groups with permissions
- Team - All team members can view
- Public - Organization-wide visibility
Permission Types
- View - Read-only access to timeline and entries
- Comment - Add comments and observations
- Edit - Full editing capabilities
- Admin - Manage sharing and permissions
Team Collaboration
Real-time Updates
👤 john.doe added: @ioc 192.168.1.100 (2 minutes ago)
👤 jane.smith commented: "This IP also appeared in yesterday's investigation" (1 minute ago)
👤 security.lead added: @timeline Escalated to incident response team (just now)
Handoff Workflows
- Investigation Handoff - Transfer active investigation to another analyst
- Shift Change - Pass investigation context to next shift
- Escalation - Provide complete context to senior analysts
- Post-Incident Review - Share findings with broader team
Export & Reporting
Export Formats
- Timeline CSV - Chronological entries with timestamps
- Entity Report - All tracked entities with frequencies
- AI Summary - Structured findings and recommendations
- Investigation Package - Complete notebook with all context
Integration Points
- SOAR Platforms - Export to case management systems
- Ticketing Systems - Create tickets with investigation context
- Reporting Tools - Generate executive and technical reports
- Knowledge Base - Preserve investigation methodologies
Best Practices
Investigation Workflow
Starting Investigations
- Create Early - Start notebook when beginning any investigation
- Descriptive Titles - Use specific, searchable titles
- Set Visibility - Choose appropriate sharing level from start
- Capture Context - Use @timeline to document initial observations
During Investigation
- Use @ Commands - Structure important entities and IOCs
- Add Manual Notes - Document reasoning and hypotheses
- Leverage AI - Use @search and @pivot for comprehensive analysis
- Mark Key Events - Use @timeline for critical discoveries
Closing Investigations
- Generate Summary - Use @summarize before closing
- Document Lessons - Add notes about methodology and findings
- Share Results - Ensure appropriate team members have access
- Archive Properly - Close notebook with clear disposition
AI Optimization
Effective Prompting
- Be Specific - "Find lateral movement using WMI" vs "show WMI events"
- Provide Context - Include relevant timeframes and systems
- Use Domain Language - Reference MITRE techniques and IOC types
- Iterate Queries - Refine AI suggestions based on results
Learning from AI
- Review Explanations - Understand AI reasoning for queries
- Validate Suggestions - Run AI-generated queries against known data before relying on them, and check that filters cover the whole range intended (a 172.16.* wildcard, for example, matches only 172.16.0.0/16, not the full 172.16.0.0/12 private block)
- Provide Feedback - Use manual notes to guide AI learning
- Share Patterns - Document effective AI interactions for team
Team Collaboration
Sharing Guidelines
- Share Proactively - Include relevant team members early
- Use Consistent Formats - Standardize entity references and IOC marking
- Document Decisions - Explain reasoning for alert dispositions
- Maintain Context - Ensure handoffs include complete investigation state
Knowledge Management
- Tag Investigations - Use consistent naming and tagging
- Cross-Reference - Link related investigations and alerts
- Preserve Methodology - Document successful investigation approaches
- Update Playbooks - Incorporate lessons learned into procedures
Troubleshooting
Common Issues
Notebook Not Capturing
- Verify notebook status is "Active" (green indicator)
- Check permissions: notebooks:edit required
- Ensure browser session is valid
- Refresh page if capture seems stuck
AI Features Unavailable
- Confirm meloD AI service is connected (purple indicator)
- Check AI quota/credits availability
- Verify network connectivity to AI services
- Contact admin if persistent issues
@ Commands Not Working
- Use exact syntax: @search query text or @ip:192.168.1.1
- Ensure notebook is in Active state
- Check command dropdown appears when typing @
- Verify command completion with Enter key
Sharing Problems
- Confirm target users exist and have notebook permissions
- Check notebook visibility settings allow sharing
- Verify you have notebooks:share permission
- Test with simple view-only sharing first
Performance Tips
Efficient Usage
- Close Completed Investigations - Keeps active list manageable
- Use Entity Shortcuts - @ip:value faster than @entity ip:value
- Batch Activities - Group related searches before context switching
- Regular Summaries - Generate interim summaries for long investigations
System Optimization
- Limit Active Notebooks - Close or pause unused investigations
- Optimize Queries - Use AI suggestions for performance improvements
- Archive Old Notebooks - Move completed investigations to archive
- Monitor Resource Usage - Check system performance during heavy AI usage
Investigation notebooks transform security analysis from ad-hoc activities into structured, AI-enhanced workflows that improve investigation quality, team collaboration, and organizational knowledge retention.