Advanced Search Controls

AVAILABLE WITHIN THE SPYCLOUD INVESTIGATIONS MODULE

OVERVIEW

Inline search additions, a persistent investigation timeline, and record-level removal controls. Expand, refine, and document investigations without restarting your workflow:

  • Start new searches — including IDLink Analytics — at any point during an investigation
  • Remove extraneous searches
  • View a reverse-chronological timeline of searches and pivots
  • Remove individual records that are not relevant

These controls help you stay in investigative flow while preserving context and methodology.


👇ADD INLINE SEARCHES

➕ Adding New Assets Inline

You can launch new searches from anywhere within the Investigations module, including:

  • Results view
  • Graph view
  • Any active investigation workspace

This allows you to introduce additional selectors mid-investigation without restarting or losing context.

💡 Tip: If you know multiple assets are related to an investigation, start with one asset and quickly add others to expand the aperture of your analysis.


👇ADD INLINE SEARCHES USING IDLINK ANALYTICS

🔎 Supported Search Types

| Search Type | Description | Configurable Options |
|---|---|---|
| IDLink | Relationship-based identity pivoting | Maximum Depth |
| Standard | Direct asset-based exposure search | Date Range, Severity Type, Source |

Both search types can be launched inline at any time.


🧭 How to Add a New Search

  1. Hover over the Search icon to open the quick menu.
  2. Select IDLink or Standard.
  3. Select the Asset Type.
  4. Enter a single Asset.
  5. Configure optional advanced filters.
  6. Click Add Search.

After Submission

  • A notification displays the total number of records returned.
  • Tables and graphs update automatically.
  • The search is added to the investigation timeline.

➖ Removing a Search

You can remove a previously added search from your investigation.

This is useful if:

  • The search returned zero results
  • The search was added in error
  • The results are unrelated
  • You want to simplify your investigative narrative

What Happens When You Remove a Search

| Action | Result |
|---|---|
| Remove search entry | Removed from Tracking timeline |
| Remove associated results | Removed from workspace |
| Underlying SpyCloud data | Not deleted |

🧭 How to Remove a Search

  1. Open the Tracking panel.
  2. Locate the search entry.
  3. Select Remove.

The workspace updates automatically.


👇VIEW TIMELINE OF ALL YOUR SEARCHES

🕒 Investigation Timeline (Tracking)

The Tracking panel provides a reverse-chronological history of your investigation activity.

The timeline:

  • Persists across sessions
  • Remains tied to the current investigation
  • Captures investigative methodology

📊 Timeline Includes

  • Searches performed
  • Pivots added
  • Filters applied
  • IDLink depth settings
  • Record counts
  • Timestamps

📤 Exporting the Timeline

You can export the timeline as a CSV file. The export includes:

  • Search history
  • Pivot history
  • Filters & depth settings
  • Record counts
  • Timestamps

Common Use Cases

  • Internal documentation
  • Audit trails
  • Methodology sharing
  • Case reporting

👇REMOVE EXTRANEOUS RECORDS

🗑 Removing Records

You can remove individual records from the Detailed Results table.

Removing a record:

  • Removes it from the current investigation
  • Removes it from associated pivots
  • Removes it from graph analysis and tables
  • Does not delete it from the underlying SpyCloud dataset

When to Remove a Record

You may remove a record if:

  • It contains unrelated assets
  • It introduces noise
  • It distorts pivot analysis

🧭 How to Remove a Record

  1. Navigate to the Detailed Results table.
  2. Open the options menu for the record.
  3. Select Remove record.

⚠️ Record removal is permanent within the current investigation.
Bulk removal is not supported.


🔄 Workflow Benefits

Advanced controls over your Investigations allow analysts to:

  • Expand investigations without restarting
  • Refine scope in real time
  • Remove irrelevant noise
  • Preserve investigative methodology
  • Export an auditable activity history
  • Maintain context across sessions

Investigations remain structured, traceable, and aligned with real-world analyst workflows.