When a potentially malicious email is detected, Qevlar AI automatically pivots into action — investigating without predefined playbooks, dynamically querying logs, and analyzing data to uncover abnormal behavior, suspicious process executions, login anomalies, and any other relevant evidence.
This guide will help you understand how Qevlar’s email investigation process works, how to navigate the platform, and how to interpret investigation reports confidently.
The Investigation Process
Every Qevlar Email investigation begins the same way:
Alert Received → Qevlar extracts observables and content from the email alert.
Enrichment & Analysis → Observables (IPs, domains, URLs, file hashes, etc.) are enriched using:
External CTI sources – to validate and cross-check data.
Qevlar Eye (internal CTI) – to:
Render websites and identify phishing or malicious content.
Analyze attachments, images, and QR codes for malicious artifacts.
Examine email body content to classify it (Phishing, Scam, Reconnaissance, Spam, Marketing, Awareness, or Legitimate).
If Qevlar cannot reach a confident classification, the case is flagged as “Needs Corroboration,” signaling that an analyst review is required to provide additional context.
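To make the extraction and enrichment step concrete, here is an added example (not Qevlar's own code) that pulls the observable types listed above and the SPF/DKIM/DMARC verdicts out of a raw email, using a constructed message whose failing DKIM and DMARC checks mirror the spoofing evidence shown in the report example below. The sender domain, IP, URL, attachment and header values are all made up for the illustration.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample alert (not a real message): lookalike sender, wire-transfer lure, DKIM/DMARC fail.
RAW_ALERT = b"""From: "CFO" <cfo@examp1e-corp.test>
Subject: Urgent wire transfer
Received: from mail.examp1e-corp.test ([203.0.113.45])
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=examp1e-corp.test; dkim=fail header.d=example.test; dmarc=fail header.from=examp1e-corp.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process the EUR 40,000 payment today via https://examp1e-corp.test/invoice
--b1
Content-Type: application/octet-stream; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""

def extract_observables(raw):
    """Collect domains, URLs, IPs, attachment hashes and SPF/DKIM/DMARC verdicts from one raw email."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    obs = {"domains": set(), "urls": set(), "ips": set(), "hashes": set(), "auth": {}}
    for h in ("From", "Reply-To", "Return-Path"):  # sender-controlled headers
        obs["domains"].update(d.lower() for d in re.findall(r"@([\w.-]+)", msg.get(h, "")))
    for h in msg.get_all("Received", []):  # connecting IPs recorded by relays
        obs["ips"].update(re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", h))
    body = msg.get_body(preferencelist=("plain",))
    for url in re.findall(r"https?://[^\s<>\"']+", body.get_content() if body else ""):
        obs["urls"].add(url)
        obs["domains"].add(urlparse(url).hostname.lower())
    for part in msg.iter_attachments():  # SHA-256 of each decoded attachment, ready for CTI lookup
        obs["hashes"].add(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
    auth = msg.get("Authentication-Results", "")
    for m in ("spf", "dkim", "dmarc"):  # anything other than "pass" is a spoofing indicator
        hit = re.search(rf"\b{m}=(\w+)", auth)
        obs["auth"][m] = hit.group(1) if hit else "none"
    return obs

def spoofing_indicators(obs):
    """Failed authentication mechanisms, e.g. ['dkim fail', 'dmarc fail']."""
    return [f"{m} {v}" for m, v in obs["auth"].items() if v != "pass"]
```

Each value in the returned sets is the kind of observable the Observables Table lists, and the failed mechanisms are the evidence a "spoofing" finding rests on.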
Understanding the Investigation Report
Each investigation concludes with a structured, narrative-driven Investigation Report, made up of five key sections.
1. Header / Conclusion
Qevlar can reach one of four outcomes:
Malicious: Clear evidence of harmful activity.
Not Harmful: Insufficient evidence for malicious classification.
Inconclusive: Evidence threshold not met for a clear decision.
Missing Data: Some required data sources were unavailable.
Next to the conclusion, Insight Tags (e.g. Malicious File Executed, Phishing, Malicious URL) summarize the rationale behind the outcome.
You can also view the alert that originally triggered the investigation.
2. Overview
This section provides a narrative explanation of findings — detailing key observables, the timeline of events, and the reasoning behind the conclusion.
Evidence highlights are listed to show how Qevlar reached its decision.
For example:
The email with message ID c071b4ff-0c0f-40e4-300b-08ddd55290ec was classified as malicious due to its use of financial fraud tactics involving a €40,000 request and indicators of spoofing identified through failed DKIM and DMARC checks.
3. Next Steps
Qevlar AI provides actionable recommendations, divided into two types:
Investigation Steps – Further actions analysts can take to confirm or disprove the AI’s conclusion (e.g., contacting the recipient).
Remediation Steps – Security measures to reduce future risk (e.g., blocking a sender domain, resetting a compromised user’s password).
4. Observables Table
All observables found during the investigation are listed here, each enriched with supporting data.
Expand an observable to see where it was found, enrichment sources used, and key findings.
Clickable enrichment sources may show CTI results, email samples, or website screenshots.
5. Investigation Steps
This section details every step Qevlar performed — including:
Which observables were analyzed.
Where Qevlar looked for evidence.
What insights were drawn and what new observables were discovered.
You can expand each step to review evidence sources or download associated data.
Disagree with the AI’s Conclusion?
If you believe Qevlar’s conclusion is inaccurate, click Modify Conclusion at the top of the report.
You can change the outcome and provide context on why the AI’s decision was incorrect.
This feedback loop helps refine Qevlar’s accuracy over time.
Trusted Observables
If you see an observable marked as Trusted, it means Qevlar recognized it from your organization’s context list — such as known domains, files, or VIP personnel.
Trusted observables are excluded from investigation to avoid noise.
You can add new trusted entities by:
Visiting the Context Menu, or
Clicking Mark as Trusted directly next to an eligible observable in the table.
(Note: The context feature is continually expanding to include more data types.)