Release Date: January 28, 2021


Starting an Investigation

Conducting an Investigation: 

  • Overview

  • Associations

  • Notes

  • Research

  • Files

  • Timeline

  • Conclusion

Collaboration & Alerts

Deleting, Archiving, Sharing & Exporting 

Dashboard Creation & Views

Permissions & Layouts 

Starting an Investigation 

There are 4 ways to start an Investigation in Ontic. 

  1.  Start from the 9-box Navigation. You can begin an Investigation at any time by hovering over the “Investigations Hub” option in the 9-box, then clicking “New Investigation”

  1. Start from the blue “Add” button in the top right side of your screen. Clicking “Add” > “Investigation will bring you to directly to the creation screen. 

  1. Start from a Signal. From a Feed, click on the option to “Associate Investigation” at the bottom of a signal. On the Home Page, click into a signal to see more details, and “Associate Investigation” from there. 

The value of starting an investigation from a signal is that Ontic will pull the information from that Signal into the Investigation. This means that if you have already associated an Entity to an Observation, or are beginning from a Tweet, all of that information will be available to you in the Investigation. 

  1. Start from an Entity Profile by clicking the three vertical dots below the Entity’s avatar image. Beginning from the Entity’s profile will automatically tie that Entity to the Investigation. You can always choose to remove them later on, but this is what will happen by default when you begin this way. 

Once you start an Investigation you will be guided through a creation flow. The fields in this creation flow can be configured as part of the Role Layout under Administration > Configuration > Layouts in the 9-box menu. Only certain fields are required during creation. All field inputs can be edited later on. 

Conducting an Investigation


When opening an Investigation, you will always be brought to the Overview tab. This view features the Investigation details, recent case Notes, Associations, latest Research History and Additional details widgets. To edit information in these widgets, hover near the heading, and click on the pen icon. 


Any Entity added to the Investigation upon creation will be visible in the Associations tab. All of that Entity’s approved connections will also be visible in that tab. Any Investigations that are related to that entity will also be included in this tab. 

To add a new Association, click on the blue “Add” button on the top right side of the screen. 

You can change the way that you view the Associations by clicking, “List View,” “Graph View,” or “Grid View.” 


To add a case Note to an Investigation, click “Add Note” at the top of the screen. To include date, time, location information, or tags, click the blue ‘+’ button. Click “Add” after finishing to type your note. 

The Ontic Web Clipper solution is also integrated into the notes dialog box. To activate, simply click on the Ontic Web Clipper icon as shown below.

On the next screen you will see the collection of clipped content that you have previously captured as you were surfacing the open web. The example below is a clip from Twitter with the associated url and source information. Simply select that content block and click ‘done’. That clipped content and associated metadata will automatically appear into your entity notes dialog box as shown in the images below.

To filter your Notes, click on the Filter icon on the top left side of the Notes screen. 

To filter by Analyst Notes, or Ontic Signals, click the quick filter options. Notes are searchable and can be sorted by Creation Time (which is the time that you chose when you added the Note) or Ontic Capture Time (which is the time that you entered the Note into Ontic.) 

This tab will include any Notes on Associated Entity Profiles as well as Notes added during the Investigation. 


All of the data sources that are integrated into your Ontic platform will be available from the Research tab within an Investigation. Start by choosing an Association from the left hand list to begin. Clicking on a person will automatically start the “Ontic Scan.” 

The Ontic Scan is constantly the platform for any matches between information in your Investigation and data that has previously been added to your Workspace. This means that if the Investigation is related to a vehicle with a specific license plate, and there had been Observations related to that plate one year ago, or a Live Vehicle Sighting 10 weeks ago, each of those signals would be brought to your attention by the Ontic Scan, ultimately allowing you to choose to associate them with the Investigation or not. 

If someone in your organization had already performed a type of Research on an Entity from their Profile, the Research results will be available to you inside of the Investigation without having to do an additional search. 


Within the Files section of the Investigation, you will find Files uploaded directly to the folder as well as any attachments added to Analyst Notes within the Investigation. All Investigation Report exports will automatically be saved to the folder, “Investigation Exports” in this File tab as well. 


There are 3 Timeline views available within an Investigation: 

  1. Vertical Timeline is a time-stamped audit trail of all activities done within an Investigation. 

  2. Story Timeline is an animated view of all activities related to an Investigation. 

  3. Horizontal Timeline is a way to see trends related to an Entity or Investigation over longer periods of time. 

Both the Story and Horizontal timeline allow for zooming in and out on specific periods of time, and the ability to click in on signals to see more detailed information. 


The permission to close an Investigation can be limited by a User’s role. To conclude an Investigation, navigate to the “Conclusion” tab and fill out the required fields. Clicking “Close Investigation” will cause the Status to change to Closed. 

Investigations can always be re-opened by changing a status back to a state prior to “Closed.”

Collaboration & Alerts

Team Chat 

This is the option to send instant messages within an Investigation, Entity, Signal or Research result. Team Chat includes @mention functionality (with notifications), threaded replies, and text format options. The conversations are searchable within the chat, but do not show up in Universal Search results. 

To send a chat, click on the Chat symbol on the far right side of an Investigation page. Type your messages and seamlessly collaborate with team members on Investigations. 

Note: Team chat is asynchronous at this time. Users need to click out of the chat window and click back into it to see new messages.  


Basic Investigation related alerts can be configured in Administration > Permissions > Users/Role > Notification Preferences. To set up specific automation and alerts, use the Rule Builder. In the Rule Builder, you can create rules that trigger actions based on conditions related to an investigation. 

Investigation Rules can help automate workflows and trigger alerts in Ontic to drive awareness to new investigations, status changes, new evidence or changed priority levels for investigations that you are working on in Ontic. This minimizes the need to continuously monitor the investigations dashboard to spot updates.  These alerts can be sent directly via email, mobile app, desktop notifications, or in the platform, and downstream actions can be automated.

From the nine-box, navigate to “Rules” under the “Administration” section. Under Rule types, you will see “Investigation Rules” as an option. 

From here, you will see all existing Investigation rules that have been set up, as well as whether they are active, when they were created, who they were created or updated by, and what Workspaces they are shared in. To edit an existing rule, click on the three dots on the far right side of the rule in the list and click “edit.”

To create a new Investigations rule, make sure you have selected the Investigation Rules tab and click the blue “Create Rule” button. 

Deleting, Archiving, Sharing & Exporting 

Deleting & Archiving

Investigations can be deleted or archived from the table view of an Investigation Dashboard by clicking the three vertical dots at the far right side of the Investigation.


You can also delete or archive Investigations from within the Investigation by clicking “Actions” on the top right side of your screen.  

Archived Investigations are still searchable. Deleted Investigations are not. 

Sharing & Exporting 

To share an Investigation with another Workspace, click on “Actions” at the top right of the Investigation you want to share. Click “Share.” From here, you can check the box for whichever Workspaces you want to have the Investigation be visible from.  

To export an Investigation Report, you will click on the “Actions” button and choose “Export.” This will automatically open a preview of the Report. From here, you can customize the report with your organization’s logo, a report name (note: adding a title here will not change the title of the Investigation), and Executive Summary. To Add this information, click the pen icon to the right of the title. Ensure that you click “Done” after typing the executive summary (clicking ‘x’ will not save any of your text.) 

Use the checkboxes to include or exclude certain sections of the Investigation in the report export. 

When you are ready to export, click Download PDF. The file will automatically be saved to your computer and to the Files section of your Investigation. 

Dashboard Creation & Views

To find Investigation Dashboards, go to the 9-box, hover over Investigations Hub > Existing Investigations. From the hamburger menu at the top left of your screen, you will be able to add as many Dashboards as you need. Persistent filters can be added upon Dashboard creation, and quick filters can be added to the Dashboard at any time to manipulate the breakdown of Investigations you are seeing. 

The quick filters can be added by clicking the filter icon on the left underneath the hamburger menu. 

There are 3 view options for an Investigations Dashboard. These are List View, Column View, and Metrics View. 

To switch between views, navigate to the top right of your screen and click on the small grey icons. 

Any filters you set will persist as you move from view to view. To export a report of Investigations in aggregate, click on the three vertical dots next to the 3 views and click “Export Dashboard.” From here, you will be given the option to curate a dashboard view to export.  

Permissions & Layouts

To set permissions around Investigations, you will need to update Roles (Administration > Permissions > Roles) and then assign the various Roles to each User. Within the Role, you will see a section called Investigations, where you will be able to set what each user can see/do within the Workspace. 

This is also where you will set which “Layout” the user will see. 

To create the various Layouts to choose from, you will need to go to Administration > Configuration > Layouts. Then, select “Investigation Layouts.” To create a Layout, click “Create new Template.” From here, you are able to customize the Investigation Creation Form, Overview tab, and the Conclusion tab. To Add fields, click “Add Field.” To hide fields from certain users, click the gear icon on the right side of the field and select “Hide” or “Remove.”

Don’t forget to click Save when you are done!