Outstanding questions

• can an investigation have a special relationship with one single alert?
• does this ONLY happen if you create an investigation from an alert details page?
• should we store the reference to this alert explicitly? should it be derived from the "origin" field or an explicit alert relationship field?
• how does this relationship compare to any other related alerts for this investigation? what about other related "events" that aren't alerts, but that have been deemed as "special" in some way?

Answers as of 16-Oct-2024

• can an investigation have a special relationship with one single alert?

Yes, and this designation only happens via the "origin" field

• does this ONLY happen if you create an investigation from an alert details page?

Yes, for now.

• should we store the reference to this alert explicitly? should it be derived from the "origin" field or an explicit alert relationship field?

We are deferring this conversation until it comes up as necessary. For now, the "origin" field controls the relationship.

• how does this relationship compare to any other related alerts for this investigation? what about other related "events" that aren't alerts, but that have been deemed as "special" in some way?

Related alerts are calculated on the fly for a given investigation, for now.