Investigation panel
The investigation panel is where you spend most of your time. It's the detail view for a single source/destination pair, and it's designed around the decisions an analyst actually has to make.
Getting there
Click any row in the Detections view. The panel opens alongside the list so you can keep scrolling without losing your place.
Layout
Header
The pair (source IP, destination IP, destination port), the score, and the severity badge. Below that, a timeline strip showing when the pair was active across the capture window.
Fingerprints
JA3 and JA4 for TLS, JA4H for HTTP, JA4X for X.509 certs. Each fingerprint shows the hash, a decoded prefix where applicable, and badges for known-bad matches and rarity. See Fingerprinting.
Destination context
ASN, organization, country, reverse DNS, registrant, and the network's registration date. The kind of context you'd otherwise pull from four different lookup tools.
Threat intel
One row per feed queried, each marked green (clean), red (hit), or gray (unknown). Expand a row to see the raw response. See Threat intel.
Pattern
A summary of the behavioral markers: periodicity and jitter, session count, duration stability, byte asymmetry. Enough for you to form a hypothesis about what the traffic represents without leaving the panel.
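The following is an added example and not the product's own scoring code: a hypothetical reimplementation of the four markers named above, computed from constructed flow records so it runs offline. The definitions (median inter-session gap with jitter as MAD over the median, duration stability as a coefficient of variation, byte asymmetry as the source's share of total bytes) and the thresholds in `looks_regular` are assumptions chosen for illustration.

```python
"""Behavioral markers for one source/destination pair.

Added example, not the panel's own engine. The marker definitions and
thresholds are assumptions; the flow records at the bottom are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class Flow:
    """One session between the pair; start/duration in seconds since capture start."""
    start: float
    duration: float
    bytes_out: int  # source -> destination
    bytes_in: int   # destination -> source


def intervals(flows: list[Flow]) -> list[float]:
    """Gaps between consecutive session starts, in seconds."""
    starts = sorted(f.start for f in flows)
    return [b - a for a, b in zip(starts, starts[1:])]


def periodicity(flows: list[Flow]) -> tuple[float | None, float | None]:
    """Median gap and jitter (median absolute deviation / median gap).

    Jitter near 0 means near-identical gaps, as a timer-driven beacon produces.
    Needs at least three sessions (two gaps) to say anything; otherwise None.
    """
    gaps = intervals(flows)
    if len(gaps) < 2:
        return None, None
    med = median(gaps)
    if med <= 0:
        return med, None
    mad = median(abs(g - med) for g in gaps)
    return med, mad / med


def duration_stability(flows: list[Flow]) -> float | None:
    """Coefficient of variation of session durations; lower means more uniform."""
    durations = [f.duration for f in flows]
    m = mean(durations)
    return pstdev(durations) / m if m > 0 else None


def byte_asymmetry(flows: list[Flow]) -> float | None:
    """Share of bytes sent by the source. 0.5 is symmetric; near 0 is mostly inbound."""
    out = sum(f.bytes_out for f in flows)
    inbound = sum(f.bytes_in for f in flows)
    total = out + inbound
    return out / total if total else None


def pattern_summary(flows: list[Flow]) -> dict:
    """The four markers the Pattern section lists, for one pair."""
    period, jitter = periodicity(flows)
    return {
        "sessions": len(flows),
        "period_s": period,
        "jitter": jitter,
        "duration_cv": duration_stability(flows),
        "out_share": byte_asymmetry(flows),
    }


def looks_regular(summary: dict, max_jitter: float = 0.1, min_sessions: int = 6) -> bool:
    """Assumed thresholds: enough sessions and low jitter. A hypothesis, not a verdict."""
    return (
        summary["sessions"] >= min_sessions
        and summary["jitter"] is not None
        and summary["jitter"] <= max_jitter
    )


# Constructed sample: twelve short, outbound-heavy sessions roughly every 300 s.
BEACON = [
    Flow(s, 0.5, 640, 210)
    for s in (0, 300, 602, 899, 1201, 1500, 1798, 2103, 2400, 2701, 2998, 3300)
]

# Constructed sample: bursty, inbound-heavy sessions of varying length.
BROWSING = [
    Flow(0, 3.0, 900, 45000), Flow(4, 12.0, 900, 45000), Flow(5, 0.8, 900, 45000),
    Flow(130, 7.5, 900, 45000), Flow(131, 1.2, 900, 45000), Flow(900, 20.0, 900, 45000),
    Flow(905, 2.2, 900, 45000), Flow(2400, 0.4, 900, 45000),
]

if __name__ == "__main__":
    for name, flows in (("beacon", BEACON), ("browsing", BROWSING)):
        s = pattern_summary(flows)
        print(name, s, "regular" if looks_regular(s) else "irregular")
```

Reading the output the way the panel's summary is meant to be read: the first pair has a 300 s period with jitter under one percent, identical durations and about 75% outbound bytes, which supports a beaconing hypothesis; the second has jitter near 0.8 and under 2% outbound bytes, which looks like content being fetched. Neither number alone is proof, which is why the fingerprints and destination context sit next to it.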
Explain why
The full scoring breakdown. Every axis that contributed, weighted, with the exact direction. If the engine flagged a pair and you don't understand why, this is where to look.
Notes
A timestamped notes field. When you come back to a case in 30 days, your past self has already left you the context. Notes are workspace-visible; your teammates can see what you've written.
Actions
Three buttons at the bottom:
- Confirm malicious: mark the pair as a true positive. Contributes to the engine's pattern learning and highlights matching fingerprints on future uploads.
- Mark benign: dismiss this pair. Suppresses future pairs matching the same pattern across your workspace. See False-positive learning.
- Open investigation: full-screen view with more space for notes and the timeline.
Bulk operations
From the Detections list, hold Shift and click to multi-select rows. Bulk confirm or dismiss from the action bar that appears above the list. Use this for obvious benign traffic, such as Windows Update pairs that score high on regularity alone, but check the destination context (ASN, organization, reverse DNS) on a sample of the selected rows first: Mark benign suppresses every future pair matching the same pattern across your workspace, so a lookalike destination swept up in a bulk dismiss is hard to notice later.
Keyboard shortcuts
- j/k: next or previous pair in the list
- c: confirm malicious
- b: mark benign
- ?: show the full shortcut list
