SIR Workspace Investigation Canvas
The Security Incident Response (SIR) Workspace allows Security Analysts to view the key information associated with a security incident during the incident remediation process. This key information also includes related lists such as Observables, Threat Lookup Results, Sighting Search, Observable Enrichment, and so on.
In the classic UI, most of the orchestration actions associated with the out-of-the-box integrations are available against the related lists. For example, Run Threat Lookup, Run Observable Enrichment, and similar actions are available against the Associated Observables related list. Similarly, Get Host Details, Get Network Statistics, and so on are available against the Configuration Items related list.
When a Security Analyst performs these actions, the results are populated in a different related list. For example, when a user performs Run Threat Lookup, the results are available in the Threat Lookup Results table. Sometimes, results are available in multiple different tables. During this process, the Security Analyst has a disjointed and unorganized user experience when correlating information from multiple places.
In the new, re-imagined SIR Workspace, the Investigation canvas (tab) provides all the necessary information, grouped logically in one place, for the Analyst to perform the investigation.