Investigation panel
When you click a row in the Detections list, a side panel opens with every piece of information Beacon has on that pair. This is where you spend most of your time. This page walks through every section, top to bottom, so you know what you're looking at.
Your job in here, in two words: decide. Is this pair something to worry about or not? The panel collects the evidence. You make the call with the two buttons at the bottom.
Opening the panel
Go to the Detections view. Click any row. The panel slides in from the right. You can keep scrolling the list; clicking another row replaces the contents without closing the panel.
Prefer a bigger workspace? Click Open investigation at the bottom of the panel for a full-screen view with more room for notes and the timeline.
Header
At the top of every panel you see:
- Source IP → Destination IP : port. The two computers and the port (443 is HTTPS, 80 is HTTP, 53 is DNS). Anything else, Google it.
- Score from 0 to 100 (the behavior score) and a severity badge (Info, Low, Medium, High, Severe). See Behavioral scoring and Severity modifiers for how these are calculated.
- Timeline strip. A horizontal bar showing when the pair was active across your capture window. Evenly spaced dots mean continuous beaconing. Bursts at odd hours are interesting.
Fingerprints
Hash codes identifying what software made the connection. If any of them match known hacker tooling, you see a red Known bad badge with the toolkit name (e.g. “Cobalt Strike”). Full explanation on Fingerprinting.
Destination context
Facts about where the traffic is going:
- ASN and organization. The network and company that owns the destination IP. “Microsoft Corp” means it's actually Microsoft. “DigitalOcean LLC” means it's a cheap rented cloud server; anyone with a credit card can run one.
- Country. Where the IP is geolocated.
- Reverse DNS. If the IP has a hostname registered to it, you'll see it here. Legit services usually have recognizable hostnames; random C2 boxes often don't.
- Registrant and network registration date. Brand-new networks (< 30 days old) are a light red flag.
Threat intel
One row per public security database Beacon checked against. Green = clean, red = flagged, gray = no data. Click a row to see the raw response. Full explanation on Threat intel.
Pattern
A human-readable summary of the behavioral markers that produced the score:
- Periodicity and jitter. “Every 60 seconds ± 3s” is a classic beacon. “Every 5 minutes ± 2 minutes” is less suspicious. Totally random timing is usually normal user traffic.
- Session count. How many times the pair talked during the window. A handful of calls can mean checkins; thousands can mean a constant polling loop.
- Duration stability. Are all the calls about the same length, or does it vary wildly?
- Byte asymmetry. Small up, large down = normal web traffic. Small up, small down = classic beacon heartbeat. Small up, occasionally large down = classic beacon receiving a command.
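To show how the markers above fall out of raw flow records, here is an added example (not Beacon's own code or export format) that computes period, jitter, session count, duration stability and the three byte-asymmetry shapes over constructed sample flows; the 2000-byte "small" threshold and the 0.25 stability cut-off are assumptions.

```python
from statistics import mean, pstdev

# Constructed sample flows for one source -> destination pair (added example,
# not Beacon's data). Each record: (start_seconds, duration_seconds, bytes_up, bytes_down).
SAMPLE_FLOWS = [
    (0,   0.4, 512, 640),
    (61,  0.4, 520, 630),
    (119, 0.5, 510, 650),
    (181, 0.4, 515, 14000),   # one large response: looks like a command being fetched
    (240, 0.4, 518, 645),
    (301, 0.4, 512, 638),
]

SMALL_BYTES = 2000   # assumed threshold for a "small" transfer
STABLE_CV = 0.25     # assumed coefficient-of-variation cut-off for "stable" durations


def asymmetry_label(ups, downs):
    """Classify byte asymmetry into the three shapes the Pattern section lists."""
    if not all(u < SMALL_BYTES for u in ups):
        return "upload-heavy: not one of the three listed shapes"
    large_down = [d >= SMALL_BYTES for d in downs]
    if not any(large_down):
        return "small up / small down: beacon heartbeat"
    if all(large_down):
        return "small up / large down: normal web traffic"
    return "small up / occasionally large down: beacon receiving a command"


def pattern_summary(flows):
    """Compute the markers a Beacon-style Pattern section reports for one pair."""
    flows = sorted(flows)
    if len(flows) < 2:
        return {"sessions": len(flows), "period_s": None, "jitter_s": None,
                "duration_stable": None, "asymmetry": None}
    starts = [f[0] for f in flows]
    intervals = [b - a for a, b in zip(starts, starts[1:])]
    durations = [f[1] for f in flows]
    return {
        "sessions": len(flows),
        "period_s": round(mean(intervals), 1),
        "jitter_s": round(pstdev(intervals), 2),   # the "± Ns" spread around the period
        "duration_stable": pstdev(durations) / mean(durations) < STABLE_CV,
        "asymmetry": asymmetry_label([f[2] for f in flows], [f[3] for f in flows]),
    }


if __name__ == "__main__":
    for key, value in pattern_summary(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```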
Explain why
The full breakdown of how the score got to its value. Every contributing signal, weighted, with direction. If you don't understand why a pair got the score it got, this is always the answer. You can read the math instead of trusting the number.
How to investigate this pair
A step-by-step playbook that tells you exactly what to do next. It's written assuming no prior experience: how to open a command prompt, which permissions you need, the exact commands to run (with your specific IP addresses already filled in), and what to look for in the output.
Follow it top to bottom. Each step either confirms the pair is suspicious (and tells you the next step) or clears it (and tells you why you can stop).
Notes
A timestamped free-text field. Write what you found, what you tried, what you concluded. When you or a teammate opens this pair in 30 days, the note is still there. Notes are visible to everyone in your workspace.
Actions: the two buttons
This is the decision you're here to make:
- Confirm malicious. You're saying “yes, this was a real attack.” The pair is locked, it is added to the case history, and (in a future release) the destination will carry elevated severity on future uploads.
- Mark benign. You're saying “no, this is fine, it was [Windows Update / our EDR / the printer firmware / whatever].” Beacon remembers the pattern and suppresses similar pairs on every future upload in this workspace, including your teammates' uploads. See False-positive learning.
Made a mistake? Click Reset verdict from the panel and the suppression lifts. Bulk reset is under Settings → Workspace → Verdicts.
Bulk triage
Back on the Detections list, hold Shift and click rows to multi-select. A bar appears above the list with bulk Confirm and Mark benign buttons. Useful for clearing whole families of false positives at once (e.g. every pair going to a Microsoft Update IP).
Keyboard shortcuts
- j/k: next / previous pair in the list (same as Gmail).
- c: confirm the current pair as malicious.
- b: mark the current pair as benign.
- ?: pop up the full list of shortcuts.
