Investigate a finding
Investigations are the heart of VinTekh. Each one takes a single finding (Defender alert, Wiz finding, drift event, anomaly) and produces a complete evidence trail plus actionable recommendations with rollback plans.
Starting an investigation
Two entry points:
- From a finding: open Issues, click any finding, click Start investigation.
- From a resource: open Resources, click any resource, click Investigate on the detail hub.
There's no "blank canvas" start — every investigation needs a context. That's intentional: an investigation without context devolves into "look at random stuff", which the AI handles poorly.
What happens behind the scenes
The orchestrator runs the matching playbook (one of 12+ specialised ones — NSG broad source, AKS networking, App Service dependencies, Private Endpoint impact, Hybrid Worker, …). The playbook pulls:
- Resource inventory + 1-hop topology.
- Network evidence (NSG flow logs, effective rules).
- Change events from Activity Log (last 24-72h).
- Related findings on adjacent resources.
- Ownership (tags, group membership, CMDB).
- Framework controls touched (CIS, NIST, SOC2, PCI, ISO, HIPAA).
- MITRE ATT&CK techniques + tactics walked.
The AI then produces a strict-JSON output: summary in three voices (beginner / engineer / architect), facts (with evidence refs), assumptions, unknowns, blast radius (immediate + 2-hop + business services), and one or more recommendations.
Reading the investigation page
- Summary tabs: same conclusion, three audiences. Use beginner for SRE on-call hand-off, engineer for the implementer, architect for the design-review meeting.
- Reasoning trail: facts vs. assumptions vs. unknowns. We surface assumptions instead of hiding them so you can challenge any one before acting.
- Blast radius: immediate (1-hop), cascade (2-hop), and business services impacted if the recommendation is applied carelessly.
- Recommendations: each has confidence (0-100), naive fix, safer alternatives, pre-checks, verification, rollback plan. See Recommendations for the lifecycle.
- Evidence rail: every fact in the summary has a clickable evidence_ref pointing back to the raw data we read.
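The 1-hop / 2-hop blast radius described above is a bounded graph walk from the changed resource, with business services read off the ownership tags of everything reached. The following is an added example (not VinTekh code) that shows that walk on a constructed topology; the resource IDs, edges and `business_service` tag name are sample assumptions, and the real product builds the graph from the inventory, effective rules and tags the playbook collects.

```python
"""Blast-radius walk: immediate (1-hop) and cascade (2-hop) resources plus
business services, computed by bounded BFS over a resource topology.
Added example; the data below is constructed, not collected from any cloud."""
from collections import deque

# Constructed sample topology: undirected edges between resource IDs.
# Assumption: these edges are what the playbook's 1-hop topology yields.
SAMPLE_EDGES = [
    ("nsg-web", "vm-web-1"),
    ("nsg-web", "vm-web-2"),
    ("vm-web-1", "lb-front"),
    ("vm-web-2", "lb-front"),
    ("lb-front", "appgw-public"),
    ("vm-web-1", "sql-orders"),
    ("sql-orders", "pe-sql-orders"),
    ("vm-batch", "sql-orders"),
]

# Constructed ownership tags; "business_service" is an assumed tag key.
SAMPLE_TAGS = {
    "appgw-public": {"business_service": "checkout"},
    "sql-orders": {"business_service": "orders"},
    "pe-sql-orders": {"business_service": "orders"},
    "vm-batch": {"business_service": "reporting"},
}


def build_adjacency(edges):
    """Undirected adjacency map: a change on either end can affect the other."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def blast_radius(root, edges, tags, max_hops=2):
    """BFS from the changed resource, stopping at max_hops.

    Returns the 1-hop set (immediate), the 2-hop set (cascade) and the
    business services tagged on any reached resource other than the root.
    """
    adj = build_adjacency(edges)
    dist = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if dist[node] >= max_hops:  # bounded walk: do not expand beyond the cutoff
            continue
        for nxt in adj.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    immediate = sorted(n for n, d in dist.items() if d == 1)
    cascade = sorted(n for n, d in dist.items() if d == 2)
    services = sorted({
        tags[n]["business_service"]
        for n in dist
        if n != root and "business_service" in tags.get(n, {})
    })
    return {"immediate": immediate, "cascade": cascade, "business_services": services}


if __name__ == "__main__":
    for hops in (2, 3):
        print(f"max_hops={hops}:", blast_radius("nsg-web", SAMPLE_EDGES, SAMPLE_TAGS, hops))
```

With the default 2-hop cutoff, a change on `nsg-web` reaches `lb-front` and `sql-orders` but not `appgw-public`, so only the `orders` service is reported; widening to 3 hops adds `checkout` and `reporting`. That sensitivity to the cutoff is why the page separates immediate from cascade impact rather than reporting one flat list.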
When the AI says "blocked" or "needs review"
We never silently coerce AI output. If the LLM violated a deterministic contract guard (we have 5 of them, G1-G5), or if it returned output that didn't match the strict schema, the investigation page surfaces it as a first-class state. The raw output is preserved so you can see what happened. Re-running often fixes transient issues; persistent failures deserve a bug report.
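The "never silently coerce" rule above, together with the strict-JSON output shape described under "What happens behind the scenes", amounts to a gate: parse, check the schema, run deterministic guards, and surface a state with the raw text intact. The following is an added example (not VinTekh code) of such a gate. The field names mirror the output this page describes; the individual guard checks, the exact key names, and the mapping of schema mismatch to `needs_review` and guard violation to `blocked` are this example's assumptions, not the product's real G1-G5 contract guards.

```python
"""Strict-schema gate for an LLM investigation result. Added example, not
VinTekh code: the guard logic and state names are illustrative assumptions."""
import json

REQUIRED_TOP = {"summary", "facts", "assumptions", "unknowns",
                "blast_radius", "recommendations"}
SUMMARY_VOICES = {"beginner", "engineer", "architect"}
BLAST_KEYS = {"immediate", "cascade", "business_services"}
REC_FIELDS = {"confidence", "naive_fix", "safer_alternatives",
              "pre_checks", "verification", "rollback_plan"}


def check_schema(doc):
    """Strict shape check: required keys present, no extra keys, right types."""
    errs = []
    if not isinstance(doc, dict):
        return ["top-level value is not an object"]
    missing, extra = REQUIRED_TOP - doc.keys(), doc.keys() - REQUIRED_TOP
    if missing:
        errs.append(f"missing keys: {sorted(missing)}")
    if extra:  # strict: model-added fields are a mismatch, not something to drop
        errs.append(f"unexpected keys: {sorted(extra)}")
    summary = doc.get("summary")
    if not isinstance(summary, dict) or set(summary) != SUMMARY_VOICES:
        errs.append("summary must have exactly the beginner/engineer/architect voices")
    blast = doc.get("blast_radius")
    if not isinstance(blast, dict) or set(blast) != BLAST_KEYS:
        errs.append("blast_radius must have immediate/cascade/business_services")
    for key in ("facts", "assumptions", "unknowns", "recommendations"):
        if not isinstance(doc.get(key), list):
            errs.append(f"{key} must be a list")
    for i, rec in enumerate(doc.get("recommendations") or []):
        if not isinstance(rec, dict) or set(rec) != REC_FIELDS:
            errs.append(f"recommendations[{i}] has the wrong field set")
    return errs


def check_guards(doc, evidence_ids):
    """Illustrative deterministic guards, run only on schema-valid output."""
    errs = []
    for i, fact in enumerate(doc["facts"]):
        ref = fact.get("evidence_ref") if isinstance(fact, dict) else None
        if ref not in evidence_ids:  # every fact must trace to evidence actually read
            errs.append(f"facts[{i}] evidence_ref {ref!r} does not resolve")
    if not doc["recommendations"]:
        errs.append("at least one recommendation is required")
    for i, rec in enumerate(doc["recommendations"]):
        conf = rec["confidence"]
        if isinstance(conf, bool) or not isinstance(conf, int) or not 0 <= conf <= 100:
            errs.append(f"recommendations[{i}] confidence must be an int in 0-100")
        if not rec["rollback_plan"]:
            errs.append(f"recommendations[{i}] has an empty rollback_plan")
    return errs


def evaluate(raw_text, evidence_ids):
    """Classify raw model output; the raw text is returned unchanged in every state."""
    try:
        doc = json.loads(raw_text)
    except json.JSONDecodeError as exc:
        return {"state": "needs_review", "reasons": [f"not JSON: {exc.msg}"], "raw": raw_text}
    schema_errs = check_schema(doc)
    if schema_errs:
        return {"state": "needs_review", "reasons": schema_errs, "raw": raw_text}
    guard_errs = check_guards(doc, evidence_ids)
    if guard_errs:
        return {"state": "blocked", "reasons": guard_errs, "raw": raw_text}
    return {"state": "ok", "reasons": [], "raw": raw_text}


# Constructed sample data: the evidence IDs a playbook collected and three
# model outputs (clean; with an extra key; citing evidence nobody collected).
EVIDENCE_IDS = {"ev-nsg-flow-001", "ev-activity-002"}
_GOOD = {
    "summary": {"beginner": "A rule opened SSH to the internet.",
                "engineer": "NSG allow 22/tcp from 0.0.0.0/0 added at 03:12Z.",
                "architect": "Perimeter control regressed; prefer a bastion path."},
    "facts": [{"text": "Inbound 22 from any", "evidence_ref": "ev-nsg-flow-001"}],
    "assumptions": ["No other NSG shadows this rule."],
    "unknowns": ["Whether the change was approved."],
    "blast_radius": {"immediate": ["vm-web-1"], "cascade": ["sql-orders"],
                     "business_services": ["orders"]},
    "recommendations": [{"confidence": 85, "naive_fix": "Delete the rule.",
                         "safer_alternatives": ["Restrict source to the jump host."],
                         "pre_checks": ["Confirm no break-glass dependency."],
                         "verification": ["Re-read effective rules."],
                         "rollback_plan": "Re-add the rule from the saved JSON."}],
}
GOOD_OUTPUT = json.dumps(_GOOD)
EXTRA_KEY_OUTPUT = json.dumps({**_GOOD, "narrative": "model added prose"})
DANGLING_REF_OUTPUT = json.dumps(
    {**_GOOD, "facts": [{"text": "Port 22 open", "evidence_ref": "ev-made-up-999"}]})

if __name__ == "__main__":
    for name, raw in [("good", GOOD_OUTPUT), ("extra-key", EXTRA_KEY_OUTPUT),
                      ("dangling-ref", DANGLING_REF_OUTPUT)]:
        result = evaluate(raw, EVIDENCE_IDS)
        print(name, result["state"], result["reasons"])
```

The point of the design is in `evaluate`: nothing strips the extra key, rewrites the bad `evidence_ref`, or clamps an out-of-range confidence. The output either passes as-is or is labelled with the reason and kept verbatim, which is what lets a reviewer see exactly what the model emitted before deciding whether to re-run or file a bug.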