Investigation & Analysis

Protection-Oriented Operational Review

The First Watch® platform is not intended to function as a full-scale SIEM or forensic analytics solution. Its investigation and analysis capabilities are deliberately scoped to support protection-oriented operational review — enabling personnel to understand what happened, in what context, and whether action is required.

Investigation is structured around the principle that effective operational protection depends on timely, accurate, and contextualised understanding of activity — not on data volume or analytical complexity alone.


Asset-Centric Investigation

All investigation begins with the asset. When reviewing an event or alarm, the platform provides:

  • Asset identity and classification — what the system is, where it sits, and its operational role
  • Current state and configuration — known software, services, network connections, and policy associations
  • Historical activity — a timeline of events, changes, and policy evaluations related to the asset

This asset-centric model ensures that investigation is grounded in operational context rather than abstracted log entries.


Chronological Context

Investigation capabilities present events and alarms in chronological sequence, allowing reviewers to understand:

  • What occurred before and after a specific event
  • Whether related activity occurred on the same or connected assets
  • Whether patterns of behaviour align with approved operations or represent deviations

Chronological context is essential for distinguishing legitimate operational activity from unauthorised or anomalous behaviour.


Structured Cross-Domain Correlation

The platform supports correlation across multiple domains within a single investigation view:

  • Endpoint activity — process execution, file changes, registry modifications, USB connections
  • Network behaviour — communication flows, protocol operations, policy enforcement outcomes
  • PLC and industrial protocol operations — programming events, configuration changes, firmware activity
  • Policy evaluations — which rules were triggered, what was allowed or blocked, and under what conditions

This cross-domain visibility enables investigators to build a coherent picture of activity spanning IT and OT layers without requiring separate tools or manual data assembly.


Time-Stamped, Attributed Data

All events presented during investigation are:

  • Time-stamped — providing precise sequencing of activity
  • Attributed — identifying the user, system, or process responsible
  • Contextualised — linked to relevant assets, policies, and operational zones

This ensures that investigation outcomes are traceable, defensible, and suitable for operational reporting or compliance evidence.


Evidence Export

Investigation results and supporting evidence can be exported for use in:

  • Operational reports
  • Incident documentation
  • Compliance and audit submissions
  • External review or escalation

Export capabilities ensure that findings are not confined to the platform but can be shared with stakeholders as needed.


Principle: Evidence, Not Inference

The First Watch® platform presents evidence. It does not infer intent, assign blame, or automate conclusions.

Investigation capabilities are designed to support human judgement by providing clear, structured, and contextualised information. The platform ensures that decision-makers have the evidence they need — but the responsibility for interpretation and response remains with operational personnel.

This principle aligns with the platform's broader design philosophy: technology supports human authority; it does not replace it.


Investigation and analysis within the First Watch® platform provide the structured, asset-centric, and cross-domain visibility required for effective operational review. By combining chronological context, attributed data, and evidence-based presentation, the platform enables timely and informed decision-making — supporting protection without imposing analytical assumptions.