
Dashboard User Guide: Investigation Examples

This page is a template for documenting end-to-end triage workflows against your own Logster deployment. The triage loop is the same for every detection; the worked examples that follow the template should be filled in with real findings from your environment once you have enough history to draw from.


The triage workflow template

Every investigation in Logster follows the same nine-step loop:

  1. Glance at Summary. Is total_attacks > 0 in the last 30 minutes?
  2. Jump to Hosts. Sort by max_attack_probability. Pick the worst-looking card.
  3. Open Recent Attacks. Find the most recent inference for that host.
  4. Open Inference Detail. Read attack_prob, confidence, and the event table. Does the event sequence tell a coherent story?
  5. Open Process Tree. Walk the tree up to the root. Is the ultimate parent normal (explorer.exe, services.exe) or unexpected?
  6. Check Endpoint Insights. Does this host normally run this user, this binary, this network destination? If everything is new, confidence in the alert goes up.
  7. Check TTPs in Analytics. Is a specific MITRE technique dominating right now? If so, pivot to it and look for other hosts showing the same pattern.
  8. Record your verdict. POST /feedback with is_true_positive: true or false and a short note.
  9. Close the loop. If it was a real attack, escalate to response. If it was a false positive, the feedback you just recorded is what will make the next model version better.

Worked example template

Copy the structure below for each real incident you document. Fill in the TBD placeholders from the actual investigation. Do not include fabricated scenarios — either use a real incident (with identifying details sanitized) or leave the example blank until one is available.


Example 1 — <short descriptive title>

TBD: add a one-sentence scenario description. For example, "A workstation shows up on the Hosts view with a high max_attack_probability after a suspected phishing email."

Step 1 — Summary

TBD: describe the signal you noticed on the Summary tiles.
  - Total attacks: <n>
  - Max attack probability: <value>
  - Any other KPI that caught your attention

Step 2 — Hosts

TBD: which host card stood out and why?
  - Hostname: <hostname>
  - Severity: <LOW | MEDIUM | HIGH | CRITICAL>
  - max_attack_probability: <value>
  - attack_count: <n>

Step 3 — Recent Attacks

TBD: which inference did you click into? Include:
  - inference_id
  - Approximate time relative to the incident
  - attack_prob, confidence
  - ttp_techniques list (as returned by your deployment)

Step 4 — Inference Detail

TBD: transcribe the event table that contributed to the window. Group events by type (process, file, network, script, syscall) and keep the timeline order. Do not fabricate events; copy from the real inference.

<TBD — real event list from the inference>

Step 5 — Process Tree

TBD: describe the tree shape. Include:
  - Root process (e.g. explorer.exe, services.exe, sshd)
  - The suspicious chain from root to leaf
  - Whether the chain is consistent with a known attack pattern

<TBD — real process tree excerpt>

Step 6 — Endpoint Insights

TBD: what did Endpoint Insights show for the host in the same time range? Note anything abnormal:
  - User activity: <TBD>
  - Privilege levels: <TBD>
  - Top files touched: <TBD>
  - Network destinations: <TBD>
  - Command lines: <TBD>
  - Process relationships: <TBD>

Step 7 — Analytics

TBD: what did the TTP distribution and trend panels show?
  - TTPs trending up: <TBD>
  - Trend direction: <up | down | stable>
  - Any cross-host correlation?

Step 8 — Record the verdict

TBD: actual curl command used to record the verdict. Do not include real alert IDs, analyst identities, or internal notes in documentation — sanitize before publishing.

curl -X POST http://<host>:8080/feedback \
  -H 'Content-Type: application/json' \
  -d '{
    "alert_id": "<TBD>",
    "is_true_positive": <true|false>,
    "notes": "<TBD — sanitized summary>",
    "analyst": "<TBD>"
  }'

Step 9 — Close the loop

TBD: what was the outcome? Containment actions, IOCs pivoted on, any follow-up work for the detection engineering team.


Example 2 — <short descriptive title>

TBD: add another worked example covering a different pattern — for example, lateral movement across multiple endpoints, or a false positive that required tuning the threshold. Follow the same nine-step template above.


Example 3 — <short descriptive title>

TBD: add another worked example.


Escalation patterns at a glance

TBD: this cheat sheet should be populated from the real verdict history in your deployment once you have enough feedback to identify recurring patterns. Leave blank rather than guessing.

Pattern in Inference Detail        Usual verdict
<TBD>                              <TBD>
<TBD>                              <TBD>
<TBD>                              <TBD>
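Once enough verdicts have been recorded, the sheet can be derived from the feedback history instead of typed in by hand. The script below is an added example, not Logster's own code: it assumes a verdict record layout (the POST /feedback fields joined with the root process and ttp_techniques transcribed from Inference Detail) and applies a minimum-support threshold so that sparsely seen patterns are left blank rather than guessed, as the note above requires.

```python
"""Populate the 'Escalation patterns at a glance' sheet from verdict history.
Added example, not Logster's own code; record layout is assumed: the POST /feedback
body (alert_id, is_true_positive) joined with the root process and ttp_techniques
transcribed from Inference Detail. A pattern needs MIN_SUPPORT verdicts for a row.
"""
from collections import defaultdict

MIN_SUPPORT = 3  # fewer verdicts than this: leave the row blank rather than guess
# Constructed sample history (hypothetical alert IDs; technique IDs are MITRE ATT&CK).
VERDICT_HISTORY = [
    {"alert_id": "a-001", "root": "explorer.exe", "ttp_techniques": ["T1059.001", "T1566"], "is_true_positive": True},
    {"alert_id": "a-002", "root": "explorer.exe", "ttp_techniques": ["T1566", "T1059.001"], "is_true_positive": True},
    {"alert_id": "a-003", "root": "explorer.exe", "ttp_techniques": ["T1059.001", "T1566"], "is_true_positive": True},
    {"alert_id": "a-004", "root": "services.exe", "ttp_techniques": ["T1053.005"], "is_true_positive": False},
    {"alert_id": "a-005", "root": "services.exe", "ttp_techniques": ["T1053.005"], "is_true_positive": False},
    {"alert_id": "a-006", "root": "services.exe", "ttp_techniques": ["T1053.005"], "is_true_positive": False},
    {"alert_id": "a-007", "root": "sshd", "ttp_techniques": ["T1021.004"], "is_true_positive": True},  # too few
]

def pattern_key(record):
    """The 'Pattern in Inference Detail' column: root process plus sorted TTP list."""
    return f"{record['root']} -> {','.join(sorted(record['ttp_techniques']))}"

def summarise_patterns(history, min_support=MIN_SUPPORT):
    """Map each well-supported pattern to (usual_verdict, true_positives, total):
    'escalate' at >= 80% true positives, 'false positive' at <= 20%, else 'mixed'.
    """
    tally = defaultdict(lambda: [0, 0])  # pattern -> [true_positives, total]
    for rec in history:
        if not isinstance(rec["is_true_positive"], bool):  # same rule as /feedback
            raise TypeError(f"{rec['alert_id']}: is_true_positive must be a boolean")
        counts = tally[pattern_key(rec)]
        counts[0] += rec["is_true_positive"]
        counts[1] += 1
    summary = {}
    for pattern, (tp, total) in tally.items():
        if total < min_support:
            continue  # not enough history: this pattern stays off the sheet
        rate = tp / total
        verdict = "escalate" if rate >= 0.8 else "false positive" if rate <= 0.2 else "mixed"
        summary[pattern] = (verdict, tp, total)
    return summary

def render_cheat_sheet(summary):
    """Plain-text two-column table in the same layout as the template above."""
    lines = ["Pattern in Inference Detail".ljust(44) + "Usual verdict"]
    for pattern, (verdict, tp, total) in sorted(summary.items()):
        lines.append(pattern.ljust(44) + f"{verdict} ({tp}/{total} true positives)")
    return "\n".join(lines)
```

A "mixed" row means the pattern alone does not decide the verdict; walk all nine steps for those alerts.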

Where to go next