Entry by signature, by artefact, or by behavior — the operator chooses.
Who this serves
Persona-specific value, not a generic value proposition.
DFIR and case handling
Incident Responder
Investigative continuity across the retention horizon. Schema-governed lake retention, reproducible deterministic correlation, and chain-of-custody-aligned evidence preservation are preconditions of the investigation, not deliverables to assemble under deadline.
Hunting, contextualization, attribution
Threat Intelligence Function
Structured contextualization at the canonical-identifier layer. Hypothesis pivots traverse signature, artefact, and behavioral entry modes without re-baselining; intel enrichment binds to the same identifiers analysts query.
Tier-1 / Tier-2 triage and investigation
SOC Analyst
Reduced verdict ambiguity and faster triage. Each alarm arrives with its rule, source telemetry, enrichment, and confidence weighting — so the first question of the shift is decision, not interpretation.
The Principle
Theoretical foundation.
An investigation is not a single shape. Some inquiries begin from a fired rule; others from a suspect file; others from an anomalous pattern. The platform supports each entry mode as a first-class workspace path.
The Mechanism
How NOGTUS implements this.
The Investigation Workspace exposes three entry surfaces — signature, artefact, behavior — each anchored to the same canonical event identifier substrate so an investigation initiated in one mode can pivot into another without re-baselining.
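One way to make the mechanism concrete, as an added example and not NOGTUS code: a toy workspace in which every telemetry record carries a canonical event id, each of the three entry surfaces (a fired rule id, a file hash, a beaconing heuristic over connection timing) returns a set of those ids, and a pivot carries the id set from one surface into another rather than restarting the query. The Event fields, the beaconing heuristic, the rule id R-1001, the hash placeholder and the sample events are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One telemetry record keyed by a canonical event identifier (eid)."""
    eid: str
    ts: int                          # epoch seconds
    host: str
    dst: str                         # destination host or address
    rule_id: Optional[str] = None    # detection rule that fired on this event, if any
    sha256: Optional[str] = None     # artefact (file) hash observed in this event, if any


class Workspace:
    """Three entry surfaces over one event set; every surface returns canonical eids."""

    def __init__(self, events: List[Event]) -> None:
        self.by_id: Dict[str, Event] = {e.eid: e for e in events}
        self.by_rule: Dict[str, Set[str]] = defaultdict(set)
        self.by_hash: Dict[str, Set[str]] = defaultdict(set)
        self.by_host: Dict[str, Set[str]] = defaultdict(set)
        for e in events:
            if e.rule_id:
                self.by_rule[e.rule_id].add(e.eid)
            if e.sha256:
                self.by_hash[e.sha256].add(e.eid)
            self.by_host[e.host].add(e.eid)

    # Entry surface 1: signature (a fired rule).
    def enter_by_signature(self, rule_id: str) -> Set[str]:
        return set(self.by_rule.get(rule_id, ()))

    # Entry surface 2: artefact (a file hash).
    def enter_by_artefact(self, sha256: str) -> Set[str]:
        return set(self.by_hash.get(sha256, ()))

    # Entry surface 3: behaviour. The heuristic is an assumption of this example:
    # a (host, dst) pair with at least min_count connections whose inter-arrival
    # jitter (stdev / mean) is at most max_jitter is flagged as beaconing.
    def enter_by_behavior(self, min_count: int = 4, max_jitter: float = 0.2) -> Set[str]:
        flows: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
        for e in self.by_id.values():
            flows[(e.host, e.dst)].append(e)
        hits: Set[str] = set()
        for evs in flows.values():
            if len(evs) < min_count:
                continue
            evs.sort(key=lambda e: e.ts)
            gaps = [b.ts - a.ts for a, b in zip(evs, evs[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                hits.update(e.eid for e in evs)
        return hits

    # Pivot: keep the current context (a set of eids) and add the target surface's
    # events that share a host with it. Nothing is re-baselined: the context is the
    # same identifier set in every mode.
    def pivot(self, context: Set[str], target_surface: Set[str]) -> Set[str]:
        hosts = {self.by_id[eid].host for eid in context}
        neighbourhood: Set[str] = set()
        for h in hosts:
            neighbourhood |= self.by_host[h]
        return context | (neighbourhood & target_surface)


SAMPLE_HASH = "deadbeef" * 8   # constructed placeholder, not a real file hash

# Constructed sample telemetry. ws-17 downloads a file, then beacons every ~60 s to
# 203.0.113.5 (RFC 5737 documentation address); rule R-1001 fires on one beacon.
# ws-22 has irregular traffic to 198.51.100.9 that should not be flagged.
SAMPLE_EVENTS = [
    Event("e1", 1000, "ws-17", "files.example.test", sha256=SAMPLE_HASH),
    Event("e2", 1060, "ws-17", "203.0.113.5"),
    Event("e3", 1120, "ws-17", "203.0.113.5"),
    Event("e4", 1181, "ws-17", "203.0.113.5", rule_id="R-1001"),
    Event("e5", 1240, "ws-17", "203.0.113.5"),
    Event("e6", 1300, "ws-17", "203.0.113.5"),
    Event("e7", 1005, "ws-22", "198.51.100.9"),
    Event("e8", 1010, "ws-22", "198.51.100.9"),
    Event("e9", 1400, "ws-22", "198.51.100.9"),
    Event("e10", 1402, "ws-22", "198.51.100.9"),
]


def artefact_to_behavior(ws: Workspace, sha256: str) -> Set[str]:
    """Start from a suspect file, pivot into behavioural context on the same host."""
    return ws.pivot(ws.enter_by_artefact(sha256), ws.enter_by_behavior())


def signature_to_artefact(ws: Workspace, rule_id: str, sha256: str) -> Set[str]:
    """Start from a fired rule, pivot to the artefact observed on the same host."""
    return ws.pivot(ws.enter_by_signature(rule_id), ws.enter_by_artefact(sha256))


if __name__ == "__main__":
    ws = Workspace(SAMPLE_EVENTS)
    print(sorted(artefact_to_behavior(ws, SAMPLE_HASH)))             # ['e1', 'e2', 'e3', 'e4', 'e5', 'e6']
    print(sorted(signature_to_artefact(ws, "R-1001", SAMPLE_HASH)))  # ['e1', 'e4']
```

The point to notice is that the artefact entry returns one id, the behavioural entry returns five, and the pivot simply unions them by host through the shared id space; the analyst never re-runs the beaconing query from scratch after switching mode, and ws-22's irregular traffic stays out of the context because the jitter check rejects it.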
Operational Consequence
What this enables for the operator.
Outcome
Operator Fluency
Hunters and responders work in the mode that matches the inquiry.
Before: investigation tools forced one entry shape.
Outcome
Mode Pivots
An artefact lead can pivot to behavioral context without restart.
Before: mode shifts required rebuilding context.
Outcome
Hypothesis Velocity
Hypothesis-driven hunts move at human cadence.
Before: hypotheses fragmented across tools.
Canonical Platform Specification
From the NOGTUS Platform Specification.
"Supports investigation entry modes based on threat signature, based on artefact/file, and based on behaviour/network anomaly."
— NOGTUS Platform Specification
Engage the Team
Discuss your security operation with the engineers who built NOGTUS.