Quick Actions
The field context menu provides three quick actions at the top:

- Copy Field — Copy the field name to the clipboard.
- Copy Value — Copy the field value to the clipboard.
- Use in Search — Start a new search pre-populated with the field and value.
Investigation
From any field, you can launch investigative workflows:

- Recent Alerts with this Field — Find other alerts that share the same field value, helping identify patterns or repeat activity.
- Explore Field — Open the field value in the Explore view for deeper analysis.
- Follow-On Searches — Run a basic, advanced, or temporal search using the field value as a starting point.
External Lookups
Fields that contain recognisable indicators (IP addresses, domains, file hashes, etc.) can be sent to external intelligence platforms directly from the context menu. The available platforms are detected automatically based on the indicator type.

Indicator Lists
You can add or remove field values from Indicator Lists directly from the context menu. Lists are categorised by type:

| List Type | Description |
|---|---|
| Blocklist | Known malicious indicators to block. |
| Allowlist | Verified safe indicators to suppress alerts. |
| Watchlist | Indicators under active monitoring. |
| IOC | Indicators of compromise from threat intelligence. |
Custom Actions
If your organisation has configured Custom Actions, they appear in the field context menu under Execute Action. Custom actions receive the field name and value as input, allowing you to build automated response workflows that operate on specific indicators.

Field Actions
Field-level actions allow analysts to create rules based on specific field values:

- Create Temporary Aggregation Rule — Create a short-lived aggregation rule that groups future alerts matching this field value. Useful for suppressing noise during an active investigation.
- Create Aggregation Rule — Create a permanent aggregation rule based on the field.
- Create Correlation Rule — Create a correlation rule that links alerts sharing this field value.