Investigation Checklist overview


A checklist is a list of action items located in an alert or case that must be completed by an agent.

Checklists help ensure investigators are doing due diligence before taking action.

Some [workflow buttons](doc:workflows) are only actionable once the checklist is completed.

Investigation checklists are customizable:


There is always at least one ACTIVE investigation checklist. 

There is always one DEFAULT investigation checklist. 

More than one checklist can be ACTIVE if they are used in alerts/cases that are in separate queues. That means there can only be one ACTIVE checklist per queue. All other checklists must be in the ARCHIVED or DRAFT state (for the same queue).

Once a checklist is created, it can be either kept in the DRAFT state or published into the ACTIVE state.

Once a checklist is ACTIVE, it CANNOT be modified. It can only be ARCHIVED. This ensures that old checklists are never lost or deleted (ensuring the preservation of archived checklists in alerts/cases).

  1. In the alert or case, go to the Investigation Checklist tab:


  2. Fill out the required information:


Checklists are automatically saved. Once complete, some workflow buttons may appear.

Checklists can be created and customized by heading to the Workflows > Investigation Checklists tab:

