> ## Documentation Index
> Fetch the complete documentation index at: https://docs.levelblue.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Evidence on Investigations

|                       |           |              |         |             |
| --------------------- | --------- | ------------ | ------- | ----------- |
| **Role Availability** | Read-Only | Investigator | Analyst | **Manager** |

This section displays the alarms, events, and files associated with the investigation.

On the **Investigations** page, click an Investigation to view the evidence associated to it.

<Frame>
  <img src="https://mintcdn.com/levelblue-5324744e/CjLU78CsU8yShcl7/images/usm-anywhere/Evidence.png?fit=max&auto=format&n=CjLU78CsU8yShcl7&q=85&s=aaf2e1adc6602d9a0144b52762618b94" alt="" width="500" height="573" data-path="images/usm-anywhere/Evidence.png" />
</Frame>

You can click an alarm or an event to go to the alarm or event. The asset name includes the <img src="https://mintcdn.com/levelblue-5324744e/h05grHs2-GuNWffi/images/usm-anywhere/angle-down.svg?fit=max&auto=format&n=h05grHs2-GuNWffi&q=85&s=a0a64beb4d270bfe8b453ec082ddaa00" className="inline" width="20" height="20" data-path="images/usm-anywhere/angle-down.svg" /> icon if the asset is not in the system, or the <img src="https://mintcdn.com/levelblue-5324744e/jo1779yzvGjLisJx/images/usm-anywhere/chevron-down.svg?fit=max&auto=format&n=jo1779yzvGjLisJx&q=85&s=49cdbebf7934499f2df552d32ed9aa74" className="inline" width="20" height="20" data-path="images/usm-anywhere/chevron-down.svg" /> icon if the asset has already been added to the system.

Click the <img src="https://mintcdn.com/levelblue-5324744e/h05grHs2-GuNWffi/images/usm-anywhere/angle-down.svg?fit=max&auto=format&n=h05grHs2-GuNWffi&q=85&s=a0a64beb4d270bfe8b453ec082ddaa00" className="inline" width="20" height="20" data-path="images/usm-anywhere/angle-down.svg" /> icon to access the following options:

* **Add to current filter:** Use this option to add the asset name as a search filter. See [Searching Events](/documentation/usm-anywhere/user-guide/events/searching-events) for more information.
* **Find in events**: Use this option to execute a search of the asset name in the Events page. See [Searching Events](/documentation/usm-anywhere/user-guide/events/searching-events) for more information.
* **Look up in OTX**: This option searches the IP address of the source asset in the LevelBlue LevelBlue Labs Open Threat Exchange® (OTX™) page. See [Using OTX in USM Anywhere](/documentation/usm-anywhere/user-guide/otx/using-otx-in-anywhere) for more information.
* **Add asset to system**: Use this option to create the asset in the system. See [Adding Assets](/documentation/usm-anywhere/user-guide/asset-management/asset-administration/adding-assets) for more information.

<Note>
  Your access to these options may vary based on your user role. See [Role-Based Access Control (RBAC) in USM Anywhere](/documentation/usm-anywhere/user-guide/user-management/rbac) for more information.
</Note>

Click the <img src="https://mintcdn.com/levelblue-5324744e/jo1779yzvGjLisJx/images/usm-anywhere/chevron-down.svg?fit=max&auto=format&n=jo1779yzvGjLisJx&q=85&s=49cdbebf7934499f2df552d32ed9aa74" className="inline" width="20" height="20" data-path="images/usm-anywhere/chevron-down.svg" /> icon to access the following options:

* **Add to Current Filter**: Use this option to add the asset name as a search filter. See [Searching Events](/documentation/usm-anywhere/user-guide/events/searching-events) for more information.
* **Find in Events**: Use this option to execute a search of the asset name in the Events page. See [Searching Events](/documentation/usm-anywhere/user-guide/events/searching-events) for more information.
* **Look up in OTX**: This option searches the IP address of the asset in the OTX page. See [Using OTX in USM Anywhere](/documentation/usm-anywhere/user-guide/otx/using-otx-in-anywhere) for more information.
* **Full Details**: See [Viewing Assets Details](/documentation/usm-anywhere/user-guide/asset-management/asset-administration/viewing-asset-details) for more information.
* **Assign Credentials**: See [Managing Credentials](/documentation/usm-anywhere/user-guide/vulnerability-assessment/credentials) in USM Anywhere for more information.
* **Authenticated Scan**: This option displays depending on the USM Anywhere Sensor associated with the asset. See [Running Authenticated Asset Scans](/documentation/usm-anywhere/user-guide/asset-management/asset-administration/running-vuln-scan) for more information.
* **Scan with BlueApp**: This option enables you to run an asset scan through an BlueApp. See [Running Asset Scans Using a BlueApp](/documentation/usm-anywhere/user-guide/asset-management/asset-administration/scan-with-alienapp) for more information.
* **Configuration Issues**: This option opens the Asset Details page. The Configuration Issues tab is selected in the page. See [Viewing Assets Details](/documentation/usm-anywhere/user-guide/asset-management/asset-administration/viewing-asset-details) for more information.
* **Vulnerabilities**: This option opens the Asset Details page. The Vulnerabilities tab is selected in the page. See [Viewing Assets Details](/documentation/usm-anywhere/user-guide/asset-management/asset-administration/viewing-asset-details) for more information.
* **Alarms**: This option opens the Asset Details page. The Alarms tab is selected in the page. See [Viewing Assets Details](/documentation/usm-anywhere/user-guide/asset-management/asset-administration/viewing-asset-details.htm) for more information.
* **Events**: This option opens the Asset Details page. The Events tab is selected in the page. See [Viewing Assets Details](/documentation/usm-anywhere/user-guide/asset-management/asset-administration/viewing-asset-details.htm) for more information.

<Note>
  Your access to these options may vary based on your user role. See [Role-Based Access Control (RBAC) in USM Anywhere](/documentation/usm-anywhere/user-guide/user-management/rbac) for more information.
</Note>

<AccordionGroup>
  <Accordion title="Link an alarm to an investigation">
    Linking an alarm to an investigation can be done via the **Activity > Alarms** or **Investigations** page.

    **To link an alarm via the Activity > Alarms page:**

    1. Go to **Activity > Alarms**.
    2. Search for the alarm you want to add to the investigation. Refer to [Searching Alarms](/documentation/usm-anywhere/user-guide/alarms/searching-alarms) for more information.
    3. Select the checkbox of the alarm to be linked.
    4. Click **Add To Investigation**. 

           <Tip>
             You can also click the alarm entry to open the Alarm Details pane on the right. Under the **Alarm Details** section, locate the **Investigations** field, and then click the <img src="https://mintcdn.com/levelblue-5324744e/2zcwC17_yhGqZqy4/images/usm-anywhere/pencil-new.svg?fit=max&auto=format&n=2zcwC17_yhGqZqy4&q=85&s=3fe3fa0ee6ce2b44857bf81d5ab975d9" className="inline" width="24" height="24" data-path="images/usm-anywhere/pencil-new.svg" /> icon.
           </Tip>
    5. On the **Select Investigation** dialog box, enter the investigation's title or keywords to search for the investigation you want to link the alarm. Matching results are displayed below, categorized as **Opened** or **Closed** accordingly.

    <Frame>
      <img src="https://mintcdn.com/levelblue-5324744e/p5UzS6lF8PHAvIQV/images/usm-anywhere/LinkAlarmtoInvestigation2.png?fit=max&auto=format&n=p5UzS6lF8PHAvIQV&q=85&s=e18486bd22a0bb809a2d1c203a7ba51f" alt="" width="1657" height="597" data-path="images/usm-anywhere/LinkAlarmtoInvestigation2.png" />
    </Frame>

    6. Select the investigation from the list, and then click **Apply**.

    **To link an alarm via the Investigations page:**

    1. Go to **Investigations**.
    2. Search for an investigation. Refer to [Searching Investigations](/documentation/usm-anywhere/user-guide/investigations/searching-investigations) for more information.
    3. Click on the investigation's **Title** to view its details. 
    4. Under **Evidence**, select the alarm you want to link and then click the alarm name to open its details on the right pane.
    5. Under the **Alarm Details** section, locate the **Investigations** label and then click the <img src="https://mintcdn.com/levelblue-5324744e/2zcwC17_yhGqZqy4/images/usm-anywhere/pencil-new.svg?fit=max&auto=format&n=2zcwC17_yhGqZqy4&q=85&s=3fe3fa0ee6ce2b44857bf81d5ab975d9" className="inline" width="24" height="24" data-path="images/usm-anywhere/pencil-new.svg" /> icon.
    6. On the **Select Investigation** dialog box, enter the investigation's title or keywords to search for the investigation you want to link the alarm. Matching results are displayed below, categorized as **Opened** or **Closed** accordingly.
    7. Select an investigation, and then click **Apply**.

           <Frame>
             <img src="https://mintcdn.com/levelblue-5324744e/p5UzS6lF8PHAvIQV/images/usm-anywhere/LinkAlarmtoInvestigation.png?fit=max&auto=format&n=p5UzS6lF8PHAvIQV&q=85&s=101a24ddd9117f0207f5d4a5339e339e" alt="" width="699" height="545" data-path="images/usm-anywhere/LinkAlarmtoInvestigation.png" />
           </Frame>

           <Tip>
             You may also click **Create New Investigation** to set up a new one. See [Creating a New Investigation](/documentation/usm-anywhere/user-guide/investigations/creating-new-investigation) for more information.
           </Tip>
  </Accordion>

  <Accordion title="Link several alarms to an investigation">
    <Info>
      You can link up to 100 alarms to an investigation.
    </Info>

    1. Go to **Activity > Alarms**.
    2. Search for the alarms you want to add to the investigation. See [Searching Alarms](/documentation/usm-anywhere/user-guide/alarms/searching-alarms) for more information.
    3.  Select the checkboxes of the alarms to be linked.
    4. Click **Add to Investigation.**
    5. On the **Select Investigation** dialog box, enter the investigation's title or keywords to search for the investigation you want to link to the alarms. Matching results are displayed below, categorized as **Opened** or **Closed** investigation accordingly.

           <Frame>
             <img src="https://mintcdn.com/levelblue-5324744e/p5UzS6lF8PHAvIQV/images/usm-anywhere/LinkAlarmstoInvestigation.png?fit=max&auto=format&n=p5UzS6lF8PHAvIQV&q=85&s=12066a2a2a0a8b43ec6d3b3e9aaabebf" alt="" width="1664" height="674" data-path="images/usm-anywhere/LinkAlarmstoInvestigation.png" />
           </Frame>
    6. Select the investigation, and then click **Apply**.

    <Tip>
      You may also click **Create New Investigation** to set up a new one. See [Creating a New Investigation](/documentation/usm-anywhere/user-guide/investigations/creating-new-investigation) for more information.
    </Tip>
  </Accordion>

  <Accordion title="Link an event to an investigation">
    1. Go to **Activity > Events**.
    2. Search for the event you want to add to the investigation. Refer to [Searching Events](/documentation/usm-anywhere/user-guide/events/searching-events) for more information.
    3. Select the checkbox of the event to be linked.
    4. Click **Add To Investigation**.

    <Tip>
      You can also click the event entry to open the Event Details pane on the right. Under the **Event Details** section, locate the **Investigations** field, and then click the <img src="https://mintcdn.com/levelblue-5324744e/2zcwC17_yhGqZqy4/images/usm-anywhere/pencil-new.svg?fit=max&auto=format&n=2zcwC17_yhGqZqy4&q=85&s=3fe3fa0ee6ce2b44857bf81d5ab975d9" className="inline" width="24" height="24" data-path="images/usm-anywhere/pencil-new.svg" /> icon.
    </Tip>

    5. On the **Select Investigation** dialog box, enter the investigation's title or keywords to search for the investigation you want to link to the event. Matching results are displayed below, categorized as **Opened** or **Closed** investigation accordingly.

    <Frame>
      <img src="https://mintcdn.com/levelblue-5324744e/p5UzS6lF8PHAvIQV/images/usm-anywhere/LinkEventtoInvestigation.png?fit=max&auto=format&n=p5UzS6lF8PHAvIQV&q=85&s=4ae43de71813633cc54a2f6c48a812a0" alt="" width="1670" height="561" data-path="images/usm-anywhere/LinkEventtoInvestigation.png" />
    </Frame>

    6. Select the investigation from the list, and then click **Apply**.

        

    <Tip>
      You may also click **Create New Investigation** to set up a new one. See [Creating a New Investigation](/documentation/usm-anywhere/user-guide/investigations/creating-new-investigation) for more information.
    </Tip>
  </Accordion>

  <Accordion title="Link several events to an investigation">
    <Info>
      You can link up to 100 events to an investigation. 
    </Info>

    1. Go to **Activity > Events**.
    2. Search for the events you want to add to the investigation. Refer to [Searching Events](/documentation/usm-anywhere/user-guide/events/searching-events) for more information.
    3. Select the checkboxes of the events to be linked.
    4. Click **Add To Investigation**. 
    5. On the **Select Investigation** dialog box, enter the investigation's title or keywords to search for the investigation you want to link the events. Matching results are displayed below, categorized as **Opened** or **Closed** investigation accordingly.

           <Frame>
             <img src="https://mintcdn.com/levelblue-5324744e/p5UzS6lF8PHAvIQV/images/usm-anywhere/LinkEventstoInvestigation.png?fit=max&auto=format&n=p5UzS6lF8PHAvIQV&q=85&s=8199ac2d229fd93c534d0e3ab7a9638b" alt="" width="1860" height="620" data-path="images/usm-anywhere/LinkEventstoInvestigation.png" />
           </Frame>

        
    6. Select the investigation from the list, and then click **Apply**.

    <Tip>
      You may also click **Create New Investigation** to set up a new one. See [Creating a New Investigation](/documentation/usm-anywhere/user-guide/investigations/creating-new-investigation) for more information.
    </Tip>
  </Accordion>

  <Accordion title="Remove a link from an investigation">
    1. Go to **Investigations**.
    2. Click the title of an investigation to display its details.
    3. In the **Evidence** section, locate the alarm or the event that you want to remove from the investigation and click the <img src="https://mintcdn.com/levelblue-5324744e/9HhQ6wK11ydctaHc/images/usm-anywhere/unlink.svg?fit=max&auto=format&n=9HhQ6wK11ydctaHc&q=85&s=7bdce050a469ba492349be8686810a7a" className="inline" width="20" height="20" data-path="images/usm-anywhere/unlink.svg" /> icon.

    <Frame>
      <img src="https://mintcdn.com/levelblue-5324744e/p5UzS6lF8PHAvIQV/images/usm-anywhere/UnlinkInvestigation.png?fit=max&auto=format&n=p5UzS6lF8PHAvIQV&q=85&s=6fab07f8f7e67a24ee0f80ca28f705c0" alt="" width="491" height="567" data-path="images/usm-anywhere/UnlinkInvestigation.png" />
    </Frame>

    4. When prompted to confirm the action, click **Remove**.
  </Accordion>

  <Accordion title="Remove a link from alarms or events">
    1. Go to **Activity > Alarms** or **Activity > Events** depending on if you want to remove an alarm or an event.
    2. Search for the alarm or event you want to remove. Refer to [Searching Alarms](/documentation/usm-anywhere/user-guide/alarms/searching-alarms) or [Searching Events](/documentation/usm-anywhere/user-guide/events/searching-events) for more information.
    3. In the details pane, locate the Investigation field and then click the <img src="https://mintcdn.com/levelblue-5324744e/2zcwC17_yhGqZqy4/images/usm-anywhere/pencil-new.svg?fit=max&auto=format&n=2zcwC17_yhGqZqy4&q=85&s=3fe3fa0ee6ce2b44857bf81d5ab975d9" className="inline" width="24" height="24" data-path="images/usm-anywhere/pencil-new.svg" /> icon.
    4. Select the investigation from which you want to remove the link.
    5. Click **Unlink From Investigation**.

           <Frame>
             <img src="https://mintcdn.com/levelblue-5324744e/xZonsgZH8SxEQ1Gk/images/usm-anywhere/unlinkfrominvestigation_thumb_0_60.webp?fit=max&auto=format&n=xZonsgZH8SxEQ1Gk&q=85&s=1d4f2d26bc24f31e8dd2b33d5a58cc19" alt="" width="92" height="60" data-path="images/usm-anywhere/unlinkfrominvestigation_thumb_0_60.webp" />
           </Frame>
    6. In the confirmation dialog box, click **Unlink**.
  </Accordion>

  <Accordion title="Add a file to an investigation">
    You may add a file with a maximum size of 100 MB.

    **To add a file to an investigation**

    1. Go to **Investigations**.
    2. Click the title of an investigation to display its details.
    3. In the **Evidence** section, click **Select the file from your desktop** or drop your file in the section.

           <Frame>
             <img src="https://mintcdn.com/levelblue-5324744e/hGVHHYKCDZJyJiMa/images/usm-anywhere/Evidence_AddFile.png?fit=max&auto=format&n=hGVHHYKCDZJyJiMa&q=85&s=6493e2a5639797b9921a60603b39e4fb" alt="" width="500" height="471" data-path="images/usm-anywhere/Evidence_AddFile.png" />
           </Frame>
    4. Select the file and click **Open**. 

       The added file is placed under the **Files** section.

    <Note>
      If you want to open the added file, simply click the filename. To remove the file from the investigation, click the <img src="https://mintcdn.com/levelblue-5324744e/9HhQ6wK11ydctaHc/images/usm-anywhere/trash-alt.svg?fit=max&auto=format&n=9HhQ6wK11ydctaHc&q=85&s=2a750f9ee3d6466fc6799984309cddf0" className="inline" width="24" height="24" data-path="images/usm-anywhere/trash-alt.svg" /> icon. When prompted, click **Remove**.
    </Note>
  </Accordion>
</AccordionGroup>