Investigations allow you to group data for reporting, compliance, or retention purposes. This section describes how to work with investigations.

Investigations are collections of process events that share a common focus. They can include details and notes, and provide a way to group data for reporting, compliance, or retention purposes. Investigations are not particular to any user, so all investigations are available to each Carbon Black EDR administrator.

It is a best practice to start an investigation whenever you begin any type of search — for example, after you discover a suspicious indicator and start searching for related process activity on your hosts.

You can create an investigation to keep an ongoing record of the scope and effects of the threat, so that you can stop it before it causes damage. There is no cost involved in creating an investigation, and if you tag process events during your search, you have a built-in record of the steps that provided the end result.

A default investigation comes with the Carbon Black EDR server installation and is always available to collect any data that you tag. The default investigation cannot be deleted, so it is best used as a repository for data that interests you but does not warrant a dedicated investigation of its own.

The first time that you open the Investigations page, the default investigation appears.